261: North Korea hacked, DEA cosplay, and Horizon Worlds drama

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown Guest

They actually described that he was sat in his living room watching alien movies on TV, dressed in a t-shirt and pajama bottoms. This sounds like you, Dave. Is this you, Dave?

Dave Bittner

Oh yeah, right, sure, right now. I mean, you're describing me to a tee. Yeah, except I'm not wearing pajama bottoms.

Unknown Guest

Are you munching away on corn snacks in your slippers?

Dave Bittner

My keyboard is covered with Dorito dust.

Graham Cluley

Yep. Smashing Security, Episode 261: North Korea Hacked, DEA Cosplay, and Horizon Worlds Drama with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 261. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Unknown Guest

And this week, Carole, we are joined by friend of the show and podcast supremo. It's Dave Bittner from the CyberWire. Hello, Dave.

Dave Bittner

Hello, hello. Good to be back.

Carole Theriault

The crowd goes wild.

Unknown Guest

D-Dog is in the house.

Carole Theriault

Yeah. First time in 2022.

Dave Bittner

Yes, very exciting. You guys take those nice long winter breaks. I'm jealous of your European vacation modes.

Carole Theriault

Do you have an editor and a producer at your side?

Dave Bittner

I do, yes, actually.

Carole Theriault

Nice.

Unknown Guest

Interesting. We don't.

Dave Bittner

All right, so we all have our things.

Carole Theriault

Exactly. How about we thank this week's sponsors, 1Password and Baramundi. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what do you got?

Unknown Guest

I'm gonna be explaining why Kim Jong-un isn't happy with a particular US hacker.

Carole Theriault

Okay, 'cause he loves all the other ones. Okay, Dave, what about you?

Dave Bittner

I have the story of a woman who was scammed into believing that she was a DEA agent.

Unknown Guest

Oh, wow.

Carole Theriault

And I'm gonna tell you guys to don your tinfoil hats because we are entering the metaverse. All this and much more coming up on this episode of Smashing Security.

Unknown Guest

Now, chums, chums, the end of last month, something rather curious happened. Our friends in North Korea began to experience some problems regarding their connection to the outside world.

Carole Theriault

Okay.

Unknown Guest

On several different days, practically all of North Korea's websites were inaccessible, which I don't know about you, but I found really frustrating.

Carole Theriault

Didn't notice, Dave?

Dave Bittner

Yeah, that one slipped by me, oddly, yeah.

Unknown Guest

You don't have a favourite North Korean website in your bookmarks as your homepage or anything like that? You don't do that?

Dave Bittner

Not in the top 10, certainly, no.

Unknown Guest

Right, okay.

Carole Theriault

Graham, was it inaccessible to the people of North Korea?

Unknown Guest

Ah, no, it wasn't. No, it appears that if you were inside North Korea, you were all right and you could access them. But if you were outside, you couldn't. Of course, the outside world had no way of really knowing that because you couldn't really ask anyone inside North Korea, hey, can you get to your website or not? Because the internet was down. But you wouldn't have been able to get to, for instance, Naenara. Now, Naenara is, how can I describe it? It's basically Kim Jong-un's Tumblr page. It's where he's posting up GIFs of Steven Seagal and Slash Fiction and missives from his government. No, he's not. He is, yes. It's like a LiveJournal site. Yes, it's where they communicate with the other people in North Korea about what's going on over there. And when they looked a little bit more into what was going on with all these North Korean websites, it appears that there was a router at the heart of the country's internet infrastructure that had been paralyzed. And as a consequence, North Korea's ability to communicate digitally with the outside world was cut off.

Carole Theriault

That's gotta be really, really scary if an entire country is cut off like that.

Unknown Guest

Well, let's, come on, look, it's North Korea, right? North Korea's internet is probably a little bit like the travel agent down the bottom of your street. Oh, I don't know. It's not going to be, no, but seriously.

Dave Bittner

Somebody hanging out a window with a Pringles can antenna, right?

Unknown Guest

It's not like, it's not like, you know, everyone has got a smartphone is accessing the internet all the time. It's not like there are hundreds of tech firms out there who have to be connected to the internet. It's yeah, I don't know. I don't know. But I do know that South Korea is like, you know, top dog when it comes to it. Well, it is. Yeah. Okay. South Korea, very sophisticated, very into the internet and all the rest of it.

Dave Bittner

Quite—

Carole Theriault

North Korea, not so much.

Unknown Guest

North Korea, not so much. If you look at a satellite picture, this is the thing that people do is they show you a satellite picture of the Korean peninsula at night. And you see all these lights in South Korea, because it's lit up and emblazoned. And then there's this weird gap, which is of course North Korea, because no one's got the lights on.

Carole Theriault

Yeah. Okay. Fair enough. I'm—

Unknown Guest

Yeah. Right. Right. So if you do manage to hack North Korea and take it off the internet, it might be a little bit like, you know, taking down the local newsagents.

Carole Theriault

Are you suggesting that the world wouldn't notice because it's such a small blip in terms of traffic?

Unknown Guest

Oh, well, I think people would notice because of course there's lots of people who are watching North Korea, right? Rather like criminology, you would have Kim Jong-unology. You want to know what's going on inside North Korea because North Korea quite often does things which draws attention to itself. For instance, last month.

Dave Bittner

Really?

Unknown Guest

Oh, yes. So last month they ran a series of missile tests. Seen how far they could fling these things. The latest thing they have are hypersonic missiles that, according to the experts, are harder for targeted countries to detect and intercept in a timely fashion. So this is what Kim Jong-un is saber rattling about at the moment. He's like, now I've got some really, really quick missiles to send out. So you might think—

Dave Bittner

Not quite the flex he thinks it is.

Unknown Guest

And so you might think that, well, who could have been responsible for this attack on North Korea's internet? And a possible culprit might be US Cyber Command or maybe another country's state-backed hacking agency.

Carole Theriault

Or anybody anywhere?

Unknown Guest

Exactly.

Dave Bittner

Right.

Unknown Guest

Because as an article in Wired explains, the truth is rather stranger because they say that it wasn't state-backed hacking agency who did this. They say it was one American dude. They actually described that he was sat in his living room watching alien movies on TV, dressed in a t-shirt and pajama bottoms. This sounds like you, Dave. Is this you, Dave? Oh yeah, right, sure. Right now, that's, yeah, I mean, you're describing me to a tee. Are you munching away on corn snacks in your slippers? Absolutely. Absolutely.

Dave Bittner

I've just, my keyboard is covered with Dorito dust.

Carole Theriault

Yep.

Unknown Guest

Is your online handle P4X?

Dave Bittner

Well, I can't reveal that.

Unknown Guest

Okay. Well, we are looking for P4X because why I'd say that, by the way, P4X is not his real name. In case you're wondering.

Carole Theriault

How did they know he wasn't wearing pants? He was wearing pants. Oh, well, how did they know that? Okay.

Unknown Guest

Okay. No, I understand.

Carole Theriault

How do we know what he was wearing, this hacker, he or she, whatever?

Unknown Guest

Well, this hacker has told Wired magazine. And Wired, I'm sure, have confirmed and verified all of these facts. They probably went on a webcam with him and said, "Well, let's see your trousers."

Dave Bittner

You claim to be in pajama bottoms. He got up for a bathroom break and the jig was up.

Carole Theriault

Yeah. Journalist's saying, "Finally, a human angle." Now, what has P4X?

Unknown Guest

By the way, P4X, I think that's hacker speak for Pax. I think the 4 is an A, and Pax, of course, means peace, doesn't it? So I think they've tried to be a bit clever there with the leet speak. But P4X, P4X.

Carole Theriault

You're like Columbo when it comes to that stuff.

Unknown Guest

I am. Exactly. So, old school. Now. Why has P4X done this? Well, if you think back to January 2021, it was widely reported that North Korea had targeted cybersecurity researchers in the rest of the world. What North Korean spies had done is they reached out to experts in the community via email, Twitter, they created LinkedIn profiles, they posed as security researchers and they said, "Hey, hey, hey, we're doing a bit of investigation into a zero-day vulnerability. Can we work with you? Can we join forces to do this?" You know, maybe you did. Maybe you got a message from James Willy.

Carole Theriault

I wouldn't know. I wouldn't know.

Unknown Guest

James Willy was one of these LinkedIn profiles and he reached out to people saying, "No, let's work on this zero-day vulnerability." And if you weren't careful, you would not notice that the proof of concept code that Willy shared with you to test a vulnerability actually contained a backdoor that would install itself onto your computer and allow North Korean-backed hackers to see what else you were working on and what else you might discover in the future. 'Cause if you are working on vulnerabilities normally, if that's your thing, if you're a bug hunter, yeah, yeah, yeah. That's really valuable information to the spies in North Korea. They would love to get their paws on those and maybe exploit the zero days you found against other nations.

Carole Theriault

My knowledge of this is that this, I mean, it doesn't happen for North Korea all the time, but there's a lot of people that shouldn't have their mitts on this kind of source code and not collaborate, that try to collaborate often with bona fide researchers. So it's a constant vetting process of, yes, we're able to share this information with these people.

Unknown Guest

Yeah. So P4X says he was one of the researchers who was targeted in this way. There he was, sat in his pajamas, eating his corn snacks and presumably recording a new episode of the Cyber Wire. And although—

Dave Bittner

Oh, don't get me started, Graham. Don't get me started. Shots fired. Don't make me do another cooking segment. I'll do it. I'll do it.

Unknown Guest

And although he claims he didn't fall for the attack, he was really frustrated. He was like, "Ooh, ooh." And you know what he was frustrated about? He was annoyed that the US powers that be hadn't done more in reaction to the North Korean attack. He thought they should have done more publicly or privately in response to this attack against security researchers. And so he took it upon himself to take out North Korea's internet.

Dave Bittner

Little international vigilante justice.

Carole Theriault

The scary thing is, is that he actually succeeded.

Unknown Guest

Well, scary for North Korea. He said it was quite an elementary penetration test. He's like the sort you do against the small or medium-sized firm. So like I was saying, it's not necessarily the most sophisticated. He says he found numerous known but unpatched vulnerabilities in North Korean computer systems. And that's why he's able to launch this denial of service attack and mess around.

Carole Theriault

Can I have a conspiracy theory?

Unknown Guest

Mm-hmm.

Carole Theriault

So, I imagine the CIA now are super pissed off because of course they've known about all these vulnerabilities and have been secretly snarfling information from them just to keep everything calm and cool and keep an eye on everything. And now he's sounded the alarm bell, so North Korea's gonna lock down everything and they won't have any visibility. Well, I think that actually is a really valid viewpoint. I think that is quite possible.

Dave Bittner

It's plausible.

Unknown Guest

I am quite surprised. Well done, Carole. Oh my God. No, I do think that's a genuine problem. And that is a problem generally with vigilantism on the internet, isn't it? Is that if loads of people go wading in who normally shouldn't be, they might damage existing operations which have been put in place to investigate criminal groups or to gather information on terrorists or on rogue nations. And evidence could be destroyed as a result, or indeed investigations impeded. So I think you're absolutely right. Now he says he hasn't published details of the vulnerabilities, but I think you're right. He has basically waved a flag to the North Koreans going, "Yoohoo, Kim Jong-un!"

Carole Theriault

I might recommend that he not travel to North Korea anytime soon.

Unknown Guest

Well, I think—

Carole Theriault

It's not a hotspot destination, okay?

Dave Bittner

Good, good, good, Carole. Good tip. Good travel tip, Carole. Great. Make sure his travel agent will take note of that. That's good. It's a destination. Yeah.

Unknown Guest

I think people aren't traveling much anyway.

Dave Bittner

Honey, honey, what do you think? Is it Disney World this year or North Korea? The travel agent needs an answer.

Unknown Guest

So this chap, this chap, he says he wants to recruit more people to the cause. Right. And cause trouble for North Korea. So he's launched a site on the dark web called Funk.

Dave Bittner

Oh.

Unknown Guest

And the FUNK project, F-U-N-K, stands for F.U. North Korea. Maybe I'm just too risk-averse. I mean, do we know how old this guy is? Well, you're risk-averse. You're saying don't go to North Korea. I would actually argue that maybe someone could be paid by North Korea to come to you, Carole, if they knew who you were. They're not gonna wait for you to show up at the airport.

Carole Theriault

They don't need to come meet me, okay?

Unknown Guest

No.

Carole Theriault

Unless they just wanna be nice and friendly and share recipes.

Unknown Guest

And Dave has said he's not P4X, so not saying anything.

Carole Theriault

So we're none the wiser. Sorry, listeners.

Unknown Guest

We love North Korea. Can we just stress that at this point? In fact, we're sponsored this week by North Korea.

Dave Bittner

By the North Korean Tourism Board. Come for the peaceful nights where you can get lots of sleep because there are no lights.

Unknown Guest

Dave, what have you got for us this week?

Dave Bittner

So my story this week is actually a social engineering story. Sergeant Matthew Jacobson, he is an officer with the Portland, Oregon Police Bureau, and he was out and about in the course of his day as a professional police officer, and he saw a man and a woman. They were standing near a silver Dodge Charger, and he noticed that this Charger had red and blue lights like a police car does, like an undercover police car would have. And the trunk was open, and inside the trunk he saw a tactical vest that had a patch on it that said DEA Police. So Sergeant Jacobson says, "Ah, these are my people." He goes over and introduces himself. Butt bumps.

Unknown Guest

Yeah, exactly. Butt bumps.

Carole Theriault

Yeah, you know.

Dave Bittner

Boing. Yeah, they exchange a doughnut or two.

Unknown Guest

I don't think that's reached my part of Oxford.

Dave Bittner

So he asks them if they are indeed federal agents with the DEA. And the man, this is a man and a woman, the man whose name is Robert Golden, said that they were indeed feds. Well, something didn't sit quite right with Sergeant Jacobson. So he reached out to the DEA, and they verified that there was no one named Robert Golden who was a DEA agent.

Carole Theriault

It's because he didn't do the right butt bump, right? He just said, "We're feds," and the other guy was like, "That's not how we do it, actually, guy." Right.

Dave Bittner

Instead of a secret handshake, it's a cheek brushing. So, turns out that this gentleman, Mr. Golden, was an imposter. He had been pretending to be a DEA agent, and he had all kinds of stuff in the car here. They found handcuffs, badges, holsters. I love this part. They found an AR-15 style rifle.

Unknown Guest

Crikey.

Dave Bittner

Because America. But it turned out that it wasn't actually an AR-15. It was a BB gun.

Carole Theriault

Oh, I thought you were gonna say water pistol.

Unknown Guest

Yeah, so it was gonna be Nerf gun or something, right?

Dave Bittner

Right. So, he told the authorities, once the jig was up, he told the authorities that he had purchased all of this stuff on eBay and Amazon, because you can buy DEA patches and things like that. But he claimed that he and his female companion were into cosplay. Cosplaying as federal agents.

Carole Theriault

Jesus.

Dave Bittner

Yeah.

Carole Theriault

I actually believe it. I believe it.

Unknown Guest

That is plausible. Well, yeah, of course. You know, it's a little bit of fun, isn't it?

Dave Bittner

He told the investigators that he used the red and blue lights on his car simply to get through traffic faster. And that— as you do, right? I mean, who wouldn't do that? And also—

Carole Theriault

It's not my fault they get out of my way and think I'm in an emergency. It's not my fault.

Dave Bittner

No, no.

Unknown Guest

Yeah.

Dave Bittner

And also, he wanted his neighbors to think that he was a DEA agent so that they would leave him alone, so that he'd be safer. So they would think that he was this. Now, here's where it really gets interesting because—

Unknown

What? Yeah, because it's been totally dull so far, Dave. Yeah.

Dave Bittner

Yeah, I told you that to tell you this. So the woman who was with him, who is not named here because evidently she is a victim, she believed that he was a DEA agent.

Carole Theriault

Oh, so he suckered her.

Dave Bittner

Yeah, she had been going to school studying law enforcement. And he had taken her under his wing and claimed to be training her to be an agent. She went out on ride-alongs.

Carole Theriault

In his fake cop car.

Dave Bittner

In his fake cop car. They went and evidently they talked to, allegedly, they talked to homeless people who he said were informants.

Unknown

Oh, I thought you were going to say the homeless people were in cosplay as well. They were just cosplay homeless people.

Dave Bittner

No. Well, by all accounts.

Carole Theriault

Hundreds of people around the city were in on it.

Dave Bittner

And she was hook, line, and sinker, went along with this.

Unknown

How long was she going along with this for? How long was she duped?

Dave Bittner

Over a year.

Unknown

A year? Yep.

Carole Theriault

You know what? I can see that. I can see that. She liked him, she believed his job, and why would he lie about that? And why would he have so much stuff if he was lying? Because it makes him a psycho. What? What?

Unknown

So what was he gaining from this? What was he—

Dave Bittner

Well, you're moving too quick.

Carole Theriault

Think of all the fake phone calls he was faking in front of her. Gotta go, Mike needs me.

Dave Bittner

You know, well, and they talk about that in the article here. They say that he would talk about his DEA colleagues like Anderson and Luis, and there was no Anderson, there was no Luis.

Carole Theriault

You wouldn't believe Luis today had another 14 sandwiches. I keep telling him to go on a diet.

Dave Bittner

Right.

Carole Theriault

Yeah, gosh.

Dave Bittner

So no charges have been placed against her. He's rung up on charges of impersonating a federal officer. And as many questions as I have about her being strung along for a year, I really want to be careful not to blame the victim here.

Unknown

Yeah, I agree. But?

Dave Bittner

Well, so the question I have is, how did this begin? How did he lead her into this? It doesn't seem to be any romance angle to this, which, you know, is— I was thinking about the scene from the movie True Lies where the guy pretends to be a secret agent to attract the woman. So there's that. I thought maybe this had that angle, but none of the reporting seems to indicate that. It seems she was just sincerely thought she was on a career path to being a DEA agent, and this guy strung her along. And I suppose was just sort of getting off on the power of it all, the feeling like an important person who hadn't done the work.

Unknown

You know what? I think maybe— I think it's a bit wrong that they're actually charging the guy. Here's what I think actually happened. I think, and this is completely plausible.

Dave Bittner

I'm listening.

Unknown

We've all had awkward conversations, right? Where there's been a breakdown in communication, one person has made an assumption, and after a while, through sheer politeness, you can't correct them anymore. So for instance, someone in a conversation with me, if I was at a party or something, they might get the impression that I was a ballet dancer or a lion tamer. And after, you know, there's a bit of confusion for a while. And after a while, it's almost too embarrassing to correct them and say, actually, no, I'm a podcaster instead, right? Similarly—

Carole Theriault

Are you walking around though with a lion taming outfit everywhere? With your fists? And lions behind you?

Dave Bittner

He's just cosplaying. I mean, as you do.

Unknown Guest

Exactly. I've got a wooden chair in my hand. Exactly.

Carole Theriault

Wearing a leather vest.

Unknown Guest

A whip. No, I'm just thinking that maybe, maybe she came to him and sort of said, "Oh, I wish I bumped into a DEA guy. You know, he could take me for rides along." What do you know? And he just out of a bit of fun, just out of a bit of cosplay said, "Why don't we just pretend that I am for a bit?" And she didn't quite hear that bit of the conversation. And his roleplay began. Before you know it, you're both out there doing it. I mean, you're both innocent. You're both guilty. I just— it's not he's done anything wrong. It's just a bit of fun, isn't it? Okay.

Carole Theriault

So, wow.

Dave Bittner

I don't know. I don't—

Carole Theriault

Impersonating a police officer is—

Dave Bittner

Yeah, and packing heat, I think, is a good start.

Carole Theriault

Even in BB gun form.

Unknown Guest

Right.

Carole Theriault

BB gun form.

Unknown Guest

But all he's doing is going out and chatting to the homeless and talking about Anderson and Luis occasionally. You know, I just, it feels she's kind of got permission. Do you want to be his mate? Hmm?

Carole Theriault

You sound interested. Do you want to be his mate? We could probably hook him up.

Unknown Guest

I'm just thinking if there's a vacancy in his car now, maybe I could go for the ride-along. Right on.

Carole Theriault

Yeah, you're happy to play the game.

Dave Bittner

Perfect buddy cop movie right here.

Unknown Guest

If it gets through the traffic quicker, turn the lights on.

Dave Bittner

So the magistrate judge, interestingly, has released Mr. Golden.

Unknown Guest

Thank you.

Dave Bittner

He has a number of conditions imposed on him.

Carole Theriault

He has to have a full-time job.

Dave Bittner

He has to maintain a full-time job. He has to limit his Yeah. That's not with the DEA.

Unknown Guest

Yeah, yeah. Right. Carole, what have you got for us this week?

Dave Bittner

travel to Oregon and participate in counseling and a mental health evaluation.

Carole Theriault

We enter the land of Mark Zuckerberg, known as the Metaverse.

Dave Bittner

Oh, goodies.

Carole Theriault

So the simulated digital environment is a place where people can meet, play games, flirt. I don't know, do whatever. I'm not really clear. I haven't been in. And in December, Meta, the umbrella company formerly known as Facebook— people are going to have tattoos. Remember when Prince changed his name? RIP Prince. But he changed his name to a symbol. Yeah, that's going to happen here. I'm seeing it. So they opened up access to their virtual reality social media platform for 18+, right? Called Horizon Worlds. And in this world, up to 20 avatars can get together at a time and explore, hang out, build stuff within the virtual space. Again, I have no idea what they do in there.

Unknown Guest

It's all over my— Dave, you're the young one amongst us. Is this all resonating with you?

Dave Bittner

I have kids and the oldest of my two kids does have an Oculus, which I have tried out. So I have experienced a little bit of this. I haven't done this sort of free metaverse kind of thing, but I've done some of the virtual things.

Unknown Guest

And have you gone into the digital avatar of a DEA agent, for instance? Have you sort of— is it cosplay?

Dave Bittner

I have done the lion tamer. One, and I have to say it's a lot of fun. No, actually, the most interesting one I did was one where you could sit on stage next to Elton John while he was doing a concert. Just sit next to his piano and look around, and you look into the wings and there's the tech people, and you look out in the audience, and it's really something.

Unknown Guest

Wow.

Carole Theriault

See, this is not what this story is about, sadly, because things don't seem to be warm and fuzzy according to MIT's Technology Review. So this all started with during a testing for Horizon Worlds, a beta tester reported that she'd been groped by a stranger.

Unknown Guest

I'm a bit confused. So this is groped in the metaverse? So you're digitally groped, but not digitally as in fingers, but it's sort of, right. So do you feel that? Or are you just told on the screen someone has just patted your bottom?

Dave Bittner

I imagine you'd see someone come up to you in this virtual world and you'd see their little hands slapping against parts of your body that you didn't want them slapping, I would imagine.

Unknown Guest

So you could have spanked Elton's piano, for instance, or something like that, or played some bum notes.

Carole Theriault

Yeah, started playing and get him really upset.

Unknown Guest

Yes. Right.

Carole Theriault

Yeah.

Unknown Guest

Right.

Dave Bittner

Yes. Yes.

Unknown Guest

Mm-hmm.

Carole Theriault

So after this incident, The Verge reported that she said on Facebook, sexual harassment is no joke on the regular internet, but being in VR adds another layer that makes the event more intense. Not only was I groped last night, but there are other people there who supported this behavior. So she's not happy. Meta's internal review of this digital groping incident found that the beta tester should have used a tool called Safe Zone. That's part of the suite of safety features built into Horizon Worlds, they say.

Dave Bittner

So it's her fault.

Carole Theriault

Well, that's what I hear too. It says safe zone—safe zone is a protective bubble that users can activate when feeling threatened. You know, within it, no one can touch them, talk to them, or interact with them in any way until they signal that they would like the safe zone lifted. The thing is—okay, so keep that in your pocket. The thing is, obviously, this woman is not the solo victim to reported problems. Other women complained of abusive harassment on the platform, one being Nina Jane Patel, a psychotherapist who conducts research on the metaverse. She wrote a post on Medium late last December saying, talking about the surreal nightmare of being gang raped in Horizon Venues.

Unknown Guest

Oh my goodness.

Carole Theriault

And she said it happened so fast and was so shocking that she didn't have time to switch on any of the safety features. She froze. Now, 3 days ago, okay, months after the first instances were reported, the Independent says that Meta has been forced to add a 4-foot-wide personal boundary that's on by default in order to stop avatars coming in close contact with each other.

Unknown Guest

Okay.

Carole Theriault

And my thought was, why wouldn't you do that at beta launch? Why wouldn't you just have everyone has a 5-foot, you know, radius around them so you can interact and chat, but you know, we're going to keep it, we're going to go in slow.

Unknown Guest

Especially during a global pandemic, it should really be a couple of meters, shouldn't it?

Dave Bittner

Well, you just need permission to touch each other. Just same thing. Is it okay if I hug you? No. All right. I mean, just like in real life.

Carole Theriault

I mean, there's a lot of people that maintain that porn built the internet, right? That without porn, we wouldn't have developed so many technologies. I just wonder if they're trying to say, you know, leave that door a little bit ajar saying it's 18+, you know, let's just try and let people figure out what they can do with this. It'll be fun.

Unknown Guest

Well, there's a big difference between a bit of flirtation and kinkiness, isn't there? And unwanted attention and assault. I tend to agree with you. I think if anything is going to make the metaverse popular, it probably is going to be something a bit saucy. But this isn't saucy. This is just violence and aggression, isn't it?

Carole Theriault

Exactly.

Dave Bittner

Right. It's assault.

Unknown Guest

Yeah.

Dave Bittner

I mean, mutually consenting adults is one thing, but if you go to visit this place to just check it out and you get dogpiled by a bunch of people, how is that?

Carole Theriault

Yeah.

Dave Bittner

Yeah, totally.

Unknown Guest

But yeah, but I think you make a very good point, which is how come Facebook— I refuse to call them Meta, stupid name— how come the company formerly known as Facebook didn't predict that their systems would be abused in this way.

Carole Theriault

I know, and I wonder why anyone's even worried because, you know, our metaverse overlord, he's rarely, if ever, been in hot water for mishandling data or PII or looking the other way when people screamed about disinformation or propaganda or targeting vulnerable users with inappropriate ads. I mean, right? I trust the Zuckster.

Unknown Guest

Conspiracy theory, conspiracy theory. Ding, ding, ding, ding, ding, conspiracy theory. So what if the metaverse is just such an obviously diabolically dumb idea anyway. Who on earth would possibly want to log into it? That they think, oh, well, the way to get us lots and lots of coverage is to allow, you know, no holds barred messing around and naughtiness up there and aggression and all the rest of it, because then we get loads of column inches and maybe more people will check us out. End of conspiracy theory. Ding, ding, ding, ding. End of conspiracy theory.

Carole Theriault

Okay, well, can I just take this one step further? Right?

Unknown Guest

Right.

Carole Theriault

So there's a lot of talk about people going on Horizon Worlds and interacting with what seems to be definitely children. Young children, as young as one of them said, as young as 9.

Unknown Guest

What?

Carole Theriault

Yes. So one 56-year-old user of Oramus says, every session I've seen kids who sound very young. A lot of them are being rude, waving their hands in people's faces and jumping around. So they're just being dicks, basically.

Unknown Guest

Yeah, kids.

Dave Bittner

Right, right, right.

Carole Theriault

But the problem with all this is the key difference that Horizon Worlds is it's labeled as adults only. So as a result, Meta can forego parental controls and guardrails that they normally use for younger users, like disabling chat functions that Minecraft or Roblox have implemented. Instead, it focuses on empowering adults to control their own experience by muting, blocking, and reporting bad actors. But the thing is, is once the headset is tied to an adult's Facebook account, anyone who puts on the headset gets access to all the apps and the experiences regardless of their age rating, because it's free to download and there's no additional age verification. And one last problem, this is all according to Washington Post, great article, all in the show notes, is the tech, right? How many parents are familiar with Horizon Worlds or VR headsets? And unlike phones, computers, or gaming consoles, VR headsets have no external display so parents can see what their kids are up to. And there's no record of their kids' interactions on them. So effectively, they're not enforcing an age limit, they're declaring one. And our friend Zuckster is turning the other cheek, a bit like a digital Jesus.

Dave Bittner

Isn't it the same as access to porn in that I don't think kids who are under 18 have any real meaningful challenge to seeing the things they want to see online, even though technically, you know, they're supposed to click through and say, yes, I'm 18, and in they go.

Carole Theriault

I think that actually just yesterday I was reading that I think it's in the UK, all porn sites now have to do age verification before accessing any of the content. So basically ID, and there's a whole issue on that one, right? But interesting.

Unknown

Carole, I don't know anything about the metaverse, but I've learned a lot from this session. And it feels to me like the biggest incentive for getting on the metaverse would actually be to do the kind of thing that these kids are doing. They're going on and they're acting like dicks, right? Waving your hand. I mean, that is the only fun you can probably have on the metaverse. But what happens is older middle-aged people are the ones who shell out all the money for these headsets, like Dave, who there he was enjoying himself, just tickling Elton John's ivories. And after he's got over that thrill, it's then his children who think, "Oh yeah, I want to try that on because then I can dick around and waste some time and just be rude with my mates."

Dave Bittner

Yes.

Unknown

Oh goodness, you're right.

Carole Theriault

It sounds so fun. Can't wait. Can't wait for the metaverse. So great.

Dave Bittner

Good times.

Unknown

It's almost like we script the show.

Carole Theriault

Good times.

Unknown

It all worked out. No matter what kind of love you're celebrating, you and yours deserve a place to keep your secrets safe, from love letters to passwords. Now, from now until February 28th, when you sign up for or upgrade to a 1Password Families account, you'll get $20 off the entire year. 1Password Families makes sharing passwords, logins, credit cards, and more a romantic walk in the park. Get alerts about password breaches and security issues. Choose which logins you share with your family and store more than just passwords. Make your move. Get started with 1Password Families today. Find out more about this special offer and 1Password Families at smashingsecurity.com/love1password. That's love, number 1, and then password. And thanks to 1Password for supporting the show.

Carole Theriault

We welcome our brand new sponsor, Baramundi, to Smashing Security. Baramundi offer unified endpoint management from a single platform. Think of it as an all-in-one solution, consolidated endpoint management under a single interface. For example, with baramundi JOBS, you can control and monitor all tasks in the management suite, including software deployment, automation, and operating system installation. baramundi also offer vulnerability detection and patch management, so you're ready to deploy updates and patches for Microsoft and third-party applications. And you can centrally manage any number of devices, no matter where they're located. And that means you can distribute all the necessary updates to smartphones, tablets, notebooks. Excited to check it out? Well, we don't blame you. Our pals at Baramundi are offering Smashing Security listeners a 30-day full version free trial. Check it out at barramundi.com/smashing. That's barramundi.com/smashing.

Unknown

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Dave Bittner

Pick of the Week.

Unknown Guest

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever you wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be.

Unknown Guest

Well, my Pick of the Week this week is not security-related.

Carole Theriault

Excellent.

Unknown Guest

It is a YouTube video. It is a video of a TV program which was broadcast in 1995, called Talking Telephone Numbers, with two stars of British TV, Phillip Schofield and Emma Forbes.

Carole Theriault

And what was the show?

Unknown Guest

It's called Talking Telephone Numbers. It's like a— you ring in, you answer questions, you can win a prize. Yeah, you can win thousands on this competition. Now, this isn't just a recording of the TV show, because what they've actually done is they've put up on YouTube a version of the TV show, including the talkback from the gallery. So what's happening where the director and the vision mixer and other people are.

Dave Bittner

Yep, in the control room.

Unknown Guest

Yep, yep. In the control room during this live TV show. And if you check out the link which I'm putting in the show notes, you'll see a link to YouTube. And what I'm asking people to do is just scroll forward. You can watch the regular show as it went out because something bad happens during the show. But at about, I think it's about 14 minutes and 59 seconds or something, things go badly wrong and all hell breaks loose.

Dave Bittner

Yeah, let me tell you, this hit home for me. I've been in this world. I've been in the control rooms. And the person who really screwed this up is the VTOP. That's the videotape operator. I have worked professionally as a videotape operator.

Unknown Guest

You have screwed up?

Dave Bittner

You know, I was trying to think, have I ever— I think the biggest screw-up I ever did as a VT operator was forgetting to roll record at the beginning of a show. So typically, a VT operator has two jobs. One is to record the program, and the other is to do the playback, which is what was screwed up in this case. And I think there have been times when we've been 30 seconds into the show and I said, oh crap, I didn't hit record. So that's bad, but I don't recall ever screwing up playback as badly as this person did. I've seen it happen, and the reactions in the control room really ring true. It is pandemonium. I have a little PTSD watching this, because it's— I mean, when you're live, when you're live and something bad happens, it's— how do you recover? It's all just out there.

Unknown Guest

So even on the live TV, just to explain to people who haven't yet seen it, even in a live TV program, there may be segments which are pre-recorded on videotape, as it was then. And so they're trying to play a segment which is about 5 minutes, including a comedian and a little skit. And for some reason it does a blub blub blub. It just instantly goes through.

Dave Bittner

I'll tell you what the reason is. The VT operator hit the wrong button or leaned on the machine or something. A lot of times you'd have multiple machines going and you would think you're doing something on one machine and you would hit the wrong button on the wrong machine, just not thinking. And that's— Wow. And there you go.

Unknown Guest

Well, it really struck home to me what an incredibly difficult job it is to be the people up in that gallery who are shouting out all the cuts for the cameras, you know, go to the— At one point you get a music performance by the group, The Human League, and this woman who's sort of counting the beat and telling the cameras when to change, when to change. It's astonishing how stressful this job is.

Dave Bittner

Really?

Carole Theriault

Do you think it's more difficult than being an air traffic controller?

Dave Bittner

I'd say they're comparable.

Carole Theriault

Really?

Unknown

I mean, you could probably play poker.

Carole Theriault

I would never want to be

Unknown

I would never want you to be an air traffic controller.

Dave Bittner

No.

Unknown

That would be disastrous.

Carole Theriault

I'd be like, I'm just going for lunch. an air traffic controller.

Dave Bittner

There's a phenomenal video like this of a successful one of these where someone is directing the opening number of the Academy Award. I can't remember if it's the Academy Awards or the Tonys.

Carole Theriault

I would happily, happily be a poker player.

Dave Bittner

And it is a phenomenal bit of live TV choreography in the control room itself. And yeah, it's amazing. When you're part of this, and it's going well, it is exhilarating. When it goes bad, it is just heart-wrenching.

Unknown

And I also thought the actual presenters who obviously didn't hear everything that was going on in the gallery, although they were being communicated to occasionally, you know, to cover some of the problems. They're very good at looking professional and covering up all the goofs and apologizing. You actually hear them swearing at the end of this video after they're off air.

Carole Theriault

That's how I knew it was authentic. Yeah.

Unknown

But anyway, I enjoyed it very much. So I've put links in the show notes and you can go and check out Phillip Schofield and Talking Telephone Numbers from 1995.

Carole Theriault

A good Pick of the Week, Greg.

Unknown

Thank you. Dave, what's your Pick of the Week?

Dave Bittner

My Pick of the Week is a television programme. This is actually a production of the BBC and it's called Ghosts. For my friends in the US, CBS recently made their own version of this, an American version of Ghosts. I would say go with the BBC version. I'd say that pretty much, that's generally good advice no matter what.

Unknown

Is it a bit like when America remade Fawlty Towers? And they also remade Sherlock Holmes. No, they didn't. Did they really? They did. No. Oh yes, go and remake it. Oh, I'll say, links in the show notes.

Dave Bittner

I mean, it doesn't always go bad. We remade The Office and that stood on its own.

Unknown

Yeah, that was all right. That was all right. Yeah, the American Fawlty Towers is an abomination.

Dave Bittner

So this show is about a young couple who inherit a mansion from a long-lost relative, and they decide that they're going to try to fix this place up and turn it into a bed and breakfast or something like that. But it turns out that this mansion is teeming with ghosts. And one of the funny things about the ghosts is that it's a variety of ghosts from all different periods of history. One of them is a Neanderthal. Up until modern day. And through a series of events, one of the two of the young couple can see the ghosts and can interact with them and the other can't. And she has to convince him that she's not crazy, that she can see the ghosts and the ghosts don't like each other generally. It's a fun, funny comedy, interesting setup. So I recommend it. It's a clever show. It's on the BBC. Here in the US, it's on HBO Max, and it's called Ghosts. And that is my pick of the week.

Dave Bittner

Yeah, I've watched quite a few episodes, maybe 3 or 4. Yeah. I think so. I think one of the ghosts is a politician who got— his demise came from a sex scandal, but it's nothing explicit.

Carole Theriault

Yeah, yeah, exactly. Anyway, worth checking out, Graham, especially you might enjoy it.

Unknown Guest

Oh, okay. Yeah, no, I've never heard of it. Carole, what's your pick of the week?

Carole Theriault

Well, interestingly enough, mine is also something that's currently airing on the BBC on iPlayer. It's a Showtime docuseries production called Couples Therapy.

Unknown Guest

Mau as in Mao Zedong?

Carole Theriault

Have any of you guys watched it or heard of it?

Unknown Guest

I've heard of it. I haven't seen it. As in Chairman Mao?

Carole Theriault

Oh, well, obviously the show is right up my street. I mean, A, sticky pickles. I mean, I have my own fictional dilemmas every week.

Unknown Guest

Is that true?

Carole Theriault

And the structure is part like fly-on-the-wall documentary. So there's like a therapist with a couple and they're going through their dramas. And you're kind of like, you know, sitting in the background eating popcorn, watching all of this. But there's also a kind of the constructed premise of a typical reality show. So you're kind of following couples through the whole series.

Unknown Guest

Because this is real people with real relationships who've chosen to go on a TV show to talk about, right? Okay.

Carole Theriault

But it's not— see, it's beyond that. So there's that, but then there's also like these scenes where they're in their house kind of just acting, you know, doing their stuff. And there's obviously a cameraman in there or camera person in there with a screen. So I'm kind of like, are they acting? Are they not acting? But the dilemmas seem very, very real, and the couple's relationships feel real. So, but I'm totally easily duped by this kind of stuff. So, you know, listeners, you tell me. But you're following several couples, and they're stuck in whatever yucky relationship situation they're facing. And over many weeks with this therapist, you learn about all kinds of personal stuff with them, but you also see how the therapist nudges them into different ways of thinking effectively to get them unstuck. Like any good story, there's something that hooked me here completely. At actually 2 minutes and 33, I stopped it and then texted a bunch of girlfriends saying, "Oh my God, I'm hooked. I'm hooked already."

Carole Theriault

As in M-A-U. So I sent you guys a clip, which he's in. So I'll put that in the show notes as well. So no one can— you can dip your toe. What did you think of that character?

Dave Bittner

Graham, you first.

Unknown Guest

Well, I thought he was entirely reasonable with his requests for sex 3 times a day.

Dave Bittner

Seemed like a nice guy.

Unknown Guest

Every single day.

Dave Bittner

I mean, who among us hasn't been in a relationship hasn't shared that frustration, right?

Unknown Guest

I thought he was a very understanding, empathetic individual. And very—

Carole Theriault

Do you know the clip that plays at 2 minutes 33 in is actually worse than the clip that's on YouTube as the trailer?

Unknown Guest

Oh, right.

Carole Theriault

It literally is just like, oh my God. But I think it's a kind of twisted logic. If you watch this stuff, and you either go, oh my God, thank God I'm not in that situation. Oh, we're not so bad, honey. And you have a little kiss. Yeah, I mean, everything's great. Right? Or you're in a really horrific situation and you're watching this and go, Jesus, peas and pickles, I need therapy pronto.

Unknown Guest

So you think, oh, I wish I was dating Mau instead of my current partner. You think, oh my God, he's better than you.

Carole Theriault

Well, if he keeps going the way he is, I'm sure he'll be free very soon.

Dave Bittner

So what is this? What is Mau's specific problem with his wife here, Carole?

Carole Theriault

She has a problem with him just saying, can you just stop ignoring and disrespecting me constantly and ignoring me and treating me like I'm a piece of shit? And he's like, "Look, this is the way I am.

Unknown Guest

I'm a dismissive kind of guy." And you are a piece of shit.

Carole Theriault

And I just want more sex. So, you know, so yeah, he's fun. So Couples Therapy, BBC iPlayer, also wherever you get Showtime stuff. I'm finding it quite popcorn munchy worthy. So that's my pick of the week.

Unknown Guest

Wow. How's about that?

Dave Bittner

I can't do those kinds of shows. I just have too much, I don't know, too much empathy, I guess. I just can't do it. It makes me anxious.

Carole Theriault

I think that's why you should do it. You should expose yourself to become less anxious about these things.

Unknown Guest

Sorry, are you suggesting that Dave appears on the show? Is that what you're saying?

Carole Theriault

Well, he can. He'd be great. I would definitely watch if Dave was on the show.

Dave Bittner

That's what every relationship needs is to be broadcast.

Unknown Guest

Yeah, 3 terrific picks of the week this week. Well done, everybody. And it just about wraps up the show. Dave, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What's the best way for folks to do that?

Dave Bittner

You can find me on Twitter. It's @Bittner, B-I-T-T-N-E-R. And aside from that, just go to thecyberwire.com and everything's there.

Unknown Guest

Marvelous. And you can follow us on Twitter @SmashinSecurity, no G. Twitter @LastPass, and we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Google Podcasts.

Carole Theriault

A ginormous shout out to this episode's sponsors, 1Password and Baramundi, and to our wonderful Patreon community. It's thanks to them all the show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 260-ish episodes, check out smashingsecurity.com.

Unknown Guest

Until next time, cheerio. Bye-bye.

Carole Theriault

Bye-bye.

Unknown Guest

Bye-bye.

Carole Theriault

Well, there you go, gentlemen.

Unknown Guest

Thanks, Dave. No bother.

Dave Bittner

My pleasure.

Unknown Guest

Always a pleasure.

Carole Theriault

Great stories, Dave.

Unknown Guest

Great stories.

Carole Theriault

Great, great pick of the week. Great story.

Unknown Guest

Marvelous.

Carole Theriault

I'm going to stop recording. Click.

EPISODE DESCRIPTION:

Who's wearing the pyjamas while they take down North Korea's internet? Is it a case of cop or cosplay in Oregon? And what's to fear about the metaverse?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Visit https://www.smashingsecurity.com/261 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Dave Bittner.
