Heating systems are left vulnerable to attack in the high courts, cybercrime unicorns have become a reality (but what are they?), over 15 terabytes of NFTs are made available for anyone to download... and Carole reveals her Pick of the Year.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mikko Hyppönen.
Visit https://www.smashingsecurity.com/253 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Mikko Hyppönen.
Sponsored By:
- Thinkst: Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in. Go to canary.tools to find out why its Physical, VM and Cloud Based Canaries are deployed and loved on all 7 continents...
- Listeners who mail in referencing Smashing Security get a 10% discount on their order!
- Perimeter 81: Perimeter 81 is the first-ever Cybersecurity Experience Platform, designed around Instant Deployment, Unified Management, Integrated Security, and Full Visibility.
- Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.
- Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as Zero Trust Network Access, Firewall as a Service, Device Posture Check, and more.
- Learn more and request a demo at perimeter81.com.
- 1Password: 1Password 8 for Windows has been reimagined to feel right at home on the world's most popular desktop operating system.
- From Dark Mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.
- Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.
- 1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before.
- Find out more and try 1Password free for 14 days at 1Password.com.
Links:
- Royal Courts of Justice HVAC systems had unsecured Wi-Fi AP — The Register.
- Tweet by Tristan Kirk, court correspondent of the London Evening Standard.
- Target Hackers Broke in Via HVAC Company — Brian Krebs.
- Former Security Guard Who Hacked Into Hospital’s Computer System Sentenced to 110 Months in Federal Prison — FBI.
- Video by Jesse McGraw (aka "PhantomExodizzmo") — YouTube.
- Cybercrime Unicorns: How Hackers Are Building Empires That Rival Tech's Most Sophisticated, Highly Valued Startups — International Business Times.
- Will we see a cybercrime unicorn? — Comic strip featuring Mikko Hyppönen.
- 'Piracy' website offers NFT art as free downloads — BBC News.
- Someone Made a Pirate Bay for NFTs — Motherboard.
- The NFT Bay.
- NFTs are causing chaos in online artist communities — Polygon.
- Think cryptocurrency is bad? NFTs are even worse — Mashable.
- MailMate.
- The Ted Dabney Experience — Podcast about vintage video games.
- Ruben Brandt, Collector — IMDB.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MIKKO HYPPONEN. This is Mikko Hypponen. I'm an infosec rock star and I listen to Smashing Security podcast every time I go to a sauna. And I go to a sauna a lot.
ROBOT. Smashing Security, episode 253. Cybercrime unicorns, HVAC hacks, and NFT piracy with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 253. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week we're joined by a special guest, a name familiar to all of us who work in cybersecurity, is Mikko Hypponen. Hello, Mikko.
MIKKO HYPPONEN. Thank you very much, and thank you for having me.
CAROLE THERIAULT. Thank you for being here. You're a hard man to get a hold of. You're our busy, busy man.
MIKKO HYPPONEN. Well, I'm planning on the rest of the things I have to do before I leave for my summer holiday. And I've actually restarted traveling. I've done 18 flights this year already.
CAROLE THERIAULT. Oh, traveling. I heard trolling. I was like, whoa.
GRAHAM CLULEY. Yes, I thought you were trolling on the internet. Yeah. 18 already this year. That's rather impressive.
MIKKO HYPPONEN. Yeah. Yeah. But, you know, I can't wait for this year to be over with. I can't wait for normalcy to return.
CAROLE THERIAULT. Yeah. I'm going on my first plane ride in a few weeks and I'm nervous. I'm nervous. Were you nervous the first time you went on a plane after all this stuff?
MIKKO HYPPONEN. I forgot my passport on the first flight. That's pretty bad. As someone who used to fly 140 flights a year, that's pretty bad.
CAROLE THERIAULT. Yeah, I'm going to make a note. I'll make a note. Okay. Now let's thank this week's sponsors, 1Password, Perimeter 81, and Thinkst. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, well, I've got a boiling, bubbling question for you all about cybersecurity and heating systems.
CAROLE THERIAULT. Uh, okay. Mikko, what about you?
MIKKO HYPPONEN. Well, I've got cybercrime unicorns and what they mean for offensive artificial intelligence and machine learning.
CAROLE THERIAULT. Oh my God.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. I'm going to be learning a lot there. And I'm doing NFTs meets Pirate Bay and has a love child. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, order, order, because the podcast today is coming to you from the echoey halls of the Royal Courts of Justice in London, where in the past judges have ruled on all kinds of cybercrime cases. The likes of Julian Assange, Lauri Love, Gary McKinnon. They've all had their day in front of the beak.
MIKKO HYPPONEN. So that's a fellow Finn, Lauri Love.
GRAHAM CLULEY. Well, yes, he got off it, didn't he, in the end?
MIKKO HYPPONEN. That's what I remember. I actually don't know him personally, but I do think he got off. Yeah.
GRAHAM CLULEY. You don't know everyone who's from Finland?
MIKKO HYPPONEN. Well, only most of them.
GRAHAM CLULEY. Okay. Until very recently, if you had a reason to visit the Royal Courts of Justice in London and you took your laptop out or your smartphone and thought, oh, I'll just go and check Twitter or, you know, just go and read my email or something, you might try and connect to the Wi-Fi and you would find a variety of Wi-Fi hotspots available.
CAROLE THERIAULT. Like anywhere, like a Costa or a Pret or a Mickey D's.
GRAHAM CLULEY. Yeah, exactly. Anywhere like that. And amongst the Wi-Fi hotspots you would find would be ones called Boiler Pump 1, Boiler Pump 2, Boiler Pump 3. And can you guess?
CAROLE THERIAULT. How many boiler pumps do they have?
GRAHAM CLULEY. 4 boiler pumps, all with Wi-Fi. And according to The Register, that scurrilous rag beloved by IT followers everywhere and aficionados. And yes, yeah, we love the, we love The Register. Those wireless networks were unsecured and passwordless. So you could connect to those wireless networks if you wanted to.
MIKKO HYPPONEN. Surely those were honeypots. Tell me they were honeypots.
GRAHAM CLULEY. Well, it may surprise you. I mean, that would, that would make sense, wouldn't it? That maybe some security researchers set that up in case some criminals come in and try and access their email. And, you know, maybe that'd be some way of intercepting their messages as they're about to have their day in court. But no, it appears not. Because if you did connect to them, you would find yourself at the login page of the Royal Courts of Justice HVAC system. Carole, do you know what HVAC is? I'm sure Mikko does.
CAROLE THERIAULT. Yeah, it's like vacuum stuff, isn't it? Like heating?
GRAHAM CLULEY. Isn't it?
CAROLE THERIAULT. Yeah. Air conditioning.
GRAHAM CLULEY. Ventilation.
CAROLE THERIAULT. Ventilation.
GRAHAM CLULEY. Air conditioning.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. That's it. That's exactly it. Okay.
CAROLE THERIAULT. But I don't know what it stands for. It must stand for something.
GRAHAM CLULEY. Yeah, well, I just told you. Heating, ventilation, air conditioning. HVAC. Oh, goodness sake.
CAROLE THERIAULT. Oh, this is going to be a good show. It's going to be a great show.
GRAHAM CLULEY. Anyway, so—
CAROLE THERIAULT. I'm blushing.
GRAHAM CLULEY. Big buildings or big organizations will have an HVAC system to keep everything, you know, tickety-boo, make sure there's air circulating so no one corks it.
CAROLE THERIAULT. Particularly important post-COVID that we have a lot of that stuff.
GRAHAM CLULEY. Right. Yeah. Well, a lot of theatres I know in London sort of ramped up the ventilation system. So air was moving more quickly.
CAROLE THERIAULT. Your hair is going, you can hardly hear the artist on stage.
GRAHAM CLULEY. So in other words, you were now just one password away, because you're at the login page of these boilers, from accessing the industrial control system that these top courts in London run to control its heating and air conditioning, as supplied by a company called Armstrong Fluid Technology. Now, if you knew that password, you would be able to access the admin system, which would let you, for instance, I don't know, what sort of mischief could you cause by meddling with a ventilation system or heating system?
MIKKO HYPPONEN. I think the biggest problem probably wouldn't be the ventilation system themselves, but using these as a vector to gain access to something even more interesting.
GRAHAM CLULEY. Yeah. And I think we saw that before, didn't we? Because when Target, for instance, was hacked back in 2013, I think it was, they used a password which they'd stolen from the HVAC supplier to the big retailer in order to gain access to Target systems. So that can be a problem, especially if default passwords have been used. But you could, even if you just meddled with the heating system, imagine you turned off the heating pumps. Yeah.
CAROLE THERIAULT. Or stop the ventilation, so all the air gets all stagnant. People start getting headaches and, you know.
GRAHAM CLULEY. Right. You could have that. Or maybe the water pipes might freeze. It's terribly cold here. You wouldn't believe how cold it is in England.
CAROLE THERIAULT. It's not cold at all. I'm Canadian, Mikko. It's ridiculous. They're whining like you wouldn't believe.
MIKKO HYPPONEN. It's actually snowing outside right now, so just shut up.
GRAHAM CLULEY. Luxury. Luxury. I reckon it's too cold here to snow. You've got the balmy heights of Helsinki there. But imagine your water pipes freeze over overnight and burst, that could cause the building to close and court cases to be delayed. Or what if the heat was raised? So the judges, there they are in their great big British wigs, sweating and sweltering. Oh, I can't cope. People are beginning to put their bikinis on. It would just be, you know, so if you were maybe someone who didn't want to be extradited, or you knew someone who didn't want to be extradited, then maybe you might hack into this system. But of course, you wouldn't know the password to log into the boilers, would you say?
CAROLE THERIAULT. I think I can guess. I would like to guess.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. I've done no research on this. I'm going to guess.
GRAHAM CLULEY. Alright, go on then. Go on, let's try it. Let's try the cruel brain. Let's try it.
CAROLE THERIAULT. Number 1. Is it 'boilerpump1'?
GRAHAM CLULEY. No. No.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. That would be a password with both letters and numbers in it.
CAROLE THERIAULT. Yes, but the same as the username or the Wi-Fi port. So I thought that would be fine.
GRAHAM CLULEY. Yeah, it's not a bad guess. It's not a bad guess. I think you've gone a bit sophisticated on the password though.
CAROLE THERIAULT. Okay, so, okay, 1111. Okay, then the third, 1234.
GRAHAM CLULEY. Well, I can neither confirm nor deny, but if you happened to visit Armstrong Fluid Technology, remember, they're the people who make these boilers. If you visit their website, you can download some very helpful PDFs which detail the default passwords which they use. Or you could just use Google, because Google has indexed those PDFs as well. So now, no one obviously is dumb enough to never change the default password, right? Everyone always changes the default passwords, right? They would. Of course they would. Of course they would. Someone at the Royal Courts of Justice, especially if it was accessible from a public place or from the street outside, maybe the Royal Courts of Justice, where often you get protesters who are campaigning for someone not to be extradited or someone, you know, to be let off whatever they're being charged with.
CAROLE THERIAULT. I feel so bad for the IT intern that was the guy who set this up.
MIKKO HYPPONEN. And this does remind me of like Hollywood movies, because when you think about like Die Hard 2 or Mission: Impossible, it's always John McClane or Ethan Hunt crawling through the ventilation systems to hack the systems. So isn't it the same thing basically? It's just a more digital version of the same idea.
GRAHAM CLULEY. Yeah, you'd have to be quite so flexible. You don't have to have wires which can support your weight if you use Wi-Fi.
CAROLE THERIAULT. You don't need a harness.
GRAHAM CLULEY. So thankfully, the Register tipped off the Royal Courts of Justice about this snafu, and they say that they've taken immediate action to secure the systems. However, interestingly, the Register also points out that just yesterday, a journalist reported that the temperature at the court was ludicrously cold, and the jurors had been told they could keep their hands, coats, and gloves on if they want.
CAROLE THERIAULT. Surely they can if they want anyway, no?
GRAHAM CLULEY. Well—
CAROLE THERIAULT. I have to go do jury duty soon, so I'm a little nervous about this. What, there's a dress code?
GRAHAM CLULEY. Well, I'm a little bit surprised they tell people that they could leave their hands on if they wanted. So that's an option. Now, it's not new, as Mikko has already said, it's not new for HVAC systems to be the weak link in the chain. We saw the Target breach, for instance, where they managed to then sort of spread laterally through the organization by the HVAC. And I also remember earlier than that, in 2009, a security guard at a Dallas hospital hacked into computers as well as the HVAC system in order to launch DDoS attacks. There was a guy, Jesse McGraw, he called himself Ghost Exodus or Phantom Exodizzmo, and he was the self-proclaimed leader of the Electronic Tribulation Army. And he used his knowledge as a security guard to bypass physical security, and he ran a password cracker on the HVAC computer. And he had the ability to change the temperature at this hospital and its environmental controls, which could obviously have affected people's treatment. He also had potentially access to patients' medical records and all kinds of impacts it could have had. He ended up being sentenced to 9 years in jail, but the most notable thing about him, it's funny you mentioned Mission: Impossible, actually, Mikko, because he made a video of himself doing this so-called botnet infiltration where he made no attempt to hide his face, but he did wear a hoodie. And while doing this, he had the Mission: Impossible theme playing on a CD player in the background.
MIKKO HYPPONEN. Brilliant. Hey, what's up everybody? It's Ghost Exodus.
GRAHAM CLULEY. You're on a mission with me, infiltration.
MIKKO HYPPONEN. I just happen to be the only person here, and you know what? We're going for a spin in the elevator with a card that only I have right now. Good old Phantom Exodus moment.
GRAHAM CLULEY. Yeah, just... Yeah, Phantom Exodizzmo was a bit of a diss, wasn't he?
CAROLE THERIAULT. Never mind.
GRAHAM CLULEY. Mikko, what story have you got for us this week?
MIKKO HYPPONEN. Well, artificial intelligence and machine learning has been all the rage for quite a while already. And I've been thinking about this a lot lately. You see, I've spent the pandemic downtime writing a book. I had my book come out last month.
CAROLE THERIAULT. Oh, we didn't even talk. Can you give us the name of the book?
GRAHAM CLULEY. It's called Internet, isn't it? Is that right?
MIKKO HYPPONEN. It's called The Internet, which is a great name for a book, especially since nobody had written a book called Internet before. So I did it.
GRAHAM CLULEY. Mikko, you say it's a great name for a book. I have to tell you that if you Google The Internet, you're probably—
CAROLE THERIAULT. I was just going to say the SEO be expensive.
GRAHAM CLULEY. To be honest, it's rubbish. It's a rubbish name for a book.
MIKKO HYPPONEN. Yeah, okay, but it's too late to change it. So, so, you know, nevertheless, nevertheless, I mean, I'm happy to tell you about the book, but you can't read it because it's only been published in my native language of Finnish so far. But Finnish isn't that hard. Even small children speak Finnish, so you can easily learn it. It's true. You come to Helsinki, you'll see small kids speaking fluent Finnish. So if you can't learn it, you must be thick. However, however, it will be published internationally in 2022. So you will be able to check it out. In that book, one of the topics I cover is everything that we've been doing with machine learning and artificial intelligence on the defense side, like how security companies use machine learning, which then brings us to the obvious question, which is that how are we going to see and when will we see the attackers using machine learning for offensive use. And when I was thinking about this, I actually went back to my notes from 2016 because in 2016 I invented a new term, which was cybercrime unicorns. And here unicorns is a reference to unicorn companies.
CAROLE THERIAULT. Oh, well, I was going to say my niece would be in love with you if you actually could personify them in some way.
MIKKO HYPPONEN. No, no, it means unicorn company. Do you know what unicorn companies are?
CAROLE THERIAULT. Aren't they companies that get a lot of investment very quickly and become a huge bet with very little sustained growth?
MIKKO HYPPONEN. That's a pretty good definition. I guess the way they officially define it is that it's a private technology company, which is valued at over $1 billion, which typically are exactly what you described, early stage companies with massive funding or huge growth wishes.
CAROLE THERIAULT. Like Theranos, for example.
MIKKO HYPPONEN. Yeah. Except it's no longer a unicorn because it's no longer valued like that. Today, let's say SpaceX would be a unicorn company or Reddit.
CAROLE THERIAULT. Really?
MIKKO HYPPONEN. Reddit? Yeah, absolutely. It's the third most common or popular website in the world or fourth most popular website in the world. Of course it's a unicorn and it's a private company. So it's a unicorn. Airbnb and Uber used to be unicorns, but now they're public, so they're no longer unicorn companies. So what I was thinking in 2016 is that I wonder if we one day will see cybercrime unicorns, organized, organized online crime gangs, which should be considered to be unicorns because they have wealth of over $1 billion. And 5 years ago, it was sort of like a gag or a word to chuckle. We didn't actually have them 5 years ago. Unfortunately, they have become a reality and they've become a reality for two different reasons. Reason number one, the amount of money being made with business email compromise attacks and with ransomware has just skyrocketed, which is a big part of this. But even more importantly, these online crime gangs keep their wealth in bitcoin or in Monero or in Zcash. And 5 years ago, we knew of several online crime gangs which had like $10 million of wealth. Well, if you had $10 million 5 years ago in bitcoin, if you still have them in bitcoin, you've become a unicorn automatically because today, I mean, the value of bitcoin has grown 100-fold in 5 years.
CAROLE THERIAULT. Yeah.
MIKKO HYPPONEN. The question becomes, if we really have cybercrime unicorns as our enemies today, how are the attacks changing? When the enemy can afford to invest money into their attacks, how will we see the change? And some things we've already seen include that these guys, the professional crime gangs, are becoming more and more organized. In some senses, they start to resemble traditional real-world crime gangs, organized crime gangs. We know they run professional data centers. We know they hire lawyers and business analysts. And I think an especially eye-opening case was the case with the FIN7 crime gang, which has now twice created these fake front-end companies to hire pentesters, basically recruiting from our side, posing as a security company hiring security researchers to do penetration tests against companies which have not ordered a pen test. So of course they will then find ways in which will then be used by the criminals.
GRAHAM CLULEY. It's astonishing that. So those penetration testers, they aren't aware that they're part of a criminal gang or that they're pen testing companies without the company's permission, I guess.
MIKKO HYPPONEN. Yeah, well, this was the idea. I mean, Combi Security and Bastion Secure are the two companies we know of that have been set up like this. And I suppose the whole point of setting up a fake company is that you're trying to recruit professionals without them realizing that you're working for criminal organizations.
GRAHAM CLULEY. Makes it a bit easier though for law enforcement maybe to shut down some of those operations. You can just go to LinkedIn. I imagine if you're working for them, you don't worry about saying, oh yes, I work for this company.
CAROLE THERIAULT. Yeah, but the company can just dissolve, right? So if the company dissolves and suddenly you're left holding the, well, I was a consultant for, you know, blah, blah, blah company. And I, yeah, no, I did do that and the company told me to, you know, and here's some write-ups, but the addresses go nowhere. 404, 404, 404.
MIKKO HYPPONEN. Yep.
GRAHAM CLULEY. Doesn't look that good on the CV either, does it?
MIKKO HYPPONEN. And of course the pandemic has worked great to help all of this happening. You can work remotely, just do pen testing from your home. And of course these companies pay really well. They are unicorns.
CAROLE THERIAULT. Fascinating.
MIKKO HYPPONEN. Now I believe the main reason why we haven't seen AI attacks yet is that there's such a lack of skill. I mean, it's hard to hire security experts. It's even harder to hire AI and ML experts, artificial intelligence, machine learning experts, and even harder to hire artificial intelligence, machine learning experts who work in cybersecurity.
CAROLE THERIAULT. Yeah. Smaller pool.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. There you go.
MIKKO HYPPONEN. So, so criminals haven't been able to do this, but now as they are starting to be able to compete with salaries for this small pool of skills, it could happen. And this is what worries me. And this is why I believe we are on the verge of starting to see the enemy start to use machine learning in their attacks.
CAROLE THERIAULT. Totally. Hey, you want healthcare? You want dental? Come here. We've got you. You want a pension? We've got you covered. You know?
MIKKO HYPPONEN. Yeah. And then the question becomes, what will the first attacks using machine learning look like? And of course, we don't know, but I've been like throwing this idea back and forth here at our labs. And I think a pretty common consensus would be that the easiest thing for them to do first would be to replace the humans that operate the malware campaigns that we are seeing today. So if you think about a typical malware campaign, let's say ransomware campaign, there's multiple moving parts. It's made by multiple different persons, but there's an operator. So let's say they want to send out emails with a malicious link to a website which has an exploit, which then drops a ransomware binary on your Windows computers. There's an operator which prepares the email and selects the address list which to target and start sending out the emails and then monitors how well do the emails go through spam filters, adjusting as needed so they will go through better and then monitoring how well the exploit works. Is it being detected by IDS systems at the companies? And if so, they modify it and then monitoring how well the binary goes through endpoint protection system and compiling and changing it as needed. All of that could easily be replaced with a short Python script which would do all of this and adjust accordingly and learn how the situation changes. And I believe this is what will be the first step. I mean, the humans running the operations will be replaced by learning systems which will run these systems automated.
GRAHAM CLULEY. I'm worried that these poor old cybercriminals are going to be put out of a job. There'll be many of them who used to run these malware campaigns who are going to be kicking around now looking for something else to do.
CAROLE THERIAULT. Well, maybe we should add a section to Smashing Security where we can have confessions and then they can kind of say how they feel remorse for their actions and we could have like a little, you know, like a little, I don't know.
MIKKO HYPPONEN. Will anybody think about the criminals?
CAROLE THERIAULT. Yeah, exactly. We'll boohoo for them.
MIKKO HYPPONEN. And when I've been, like, speaking about this, I've been surprised how many people have been surprised about the fact that we haven't seen this yet. A lot of people assume AI attacks are happening already and they're not. I mean, when something like this would happen, of course it would be very visible to us and we haven't seen it yet.
CAROLE THERIAULT. But why would it be visible?
GRAHAM CLULEY. Yeah. How would we know if they were doing this or not?
MIKKO HYPPONEN. Yeah, we would know because they would be much faster in their reaction time. It's basically a game of ping pong where our end, the pong part of this, would be automated, like all security companies automatically feed us samples, automatically analyze, detect them, create detections and ship them automatically. So there comes a pong from the criminals and the ping comes right away. Then there's a delay and a pong again. So it's a game of ping pong. Ping pong. When they automate their end, then it's going to be ping pong, ping pong, ping pong, ping pong. The only thing which will stop a bad AI will be a good AI. And this change will be so obvious that, you know, we would detect it.
GRAHAM CLULEY. I can't believe we're talking about the pong of cybercriminals. It feels like we need to improve the ventilation. Maybe it doesn't sound that good, does it? Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, I'm going to start with a question. Have you heard of the term tulip mania?
GRAHAM CLULEY. Is it something to do with the tulip craze when everyone went bonkers buying tulips?
MIKKO HYPPONEN. Like in the 16th or 17th century?
GRAHAM CLULEY. Yeah, before cryptocurrency existed.
CAROLE THERIAULT. 1634, Golden Dutch Age, when contract prices for some bulbs of the new and fashionable tulips reached super high levels. And then there was a major acceleration that started in 1634 and then collapsed 3 years later. And some are referring to the whole NFT as a similar blip. Have you got views, Mikko, on NFTs?
MIKKO HYPPONEN. Well, I've been following the whole thing around NFTs. I don't own any NFTs myself. And of course, there's a massive amount of hype around it. Who knows? There might be some real innovation there as well?
CAROLE THERIAULT. Hmm, I've covered a number of stories on this. But at the moment, my view is those that are investing are playing a risky game, right? Because the bubble will maybe pop, likely to pop is my gut. But there's this one guy by the name of Geoffrey Huntley. And he has pointed the finger at what I was going to call a ginormous fly in the NFT ointment. So if you're thinking of dabbling with NFTs or you already have dabbled, this might be some food for thought. Okay. So NFTs, should we do a quick refresher for some listeners? Because it is a crazy term. It's hard to get your head around, I think.
GRAHAM CLULEY. Okay. Yeah, no, good idea.
CAROLE THERIAULT. So non-fungible tokens, and it's an identification of ownership, not a copyright, of something that's in the digital or physical realm. Like, think of it as a unique token that designates ownership of a digital good. Would that be fair?
MIKKO HYPPONEN. Basically, it's a way of creating artificial scarcity. Well, I mean, digital things typically can be copied and you won't be able to tell the copy from the original one. If you make a copy of an MP3, it's going to be the same thing as the original. An NFT makes it different from the original.
CAROLE THERIAULT. And this can be like a video clip, an image, a tweet, an article, and it goes up for auction and the transaction results are recorded in the blockchain. A blockchain eBay of sorts, and the winner or the purchaser of the NFT or of said digital good has a contract coded and then minted in a blockchain network. And this is a permanent part of the blockchain. So effectively, there's like a receipt of purchase. Is that fair? Like, you know, a digital receipt of purchase.
GRAHAM CLULEY. I think anyone who's going to understand it will understand it now.
CAROLE THERIAULT. No, because there's not a lot of people who get it.
GRAHAM CLULEY. Oh no, I agree. No, that's what I'm saying. Anyone who will understand it.
CAROLE THERIAULT. Yeah, like it is hard.
GRAHAM CLULEY. The other day I had a listener contact me who said, you were talking about IoT, but I never really understood what IoT was. So it's always difficult with these terms, isn't it? To know how much detail to go into and try and explain these things.
CAROLE THERIAULT. But I think IoT is a lot easier.
GRAHAM CLULEY. Yeah, well, we forgot to do it. One of our listeners wasn't happy.
CAROLE THERIAULT. Okay. Okay. I'm sorry, listener. We'll do that better in future. Basically, artists, content creators, some of them out there see this as the natural evolution of art collecting. Also, there's a glut of peeps out there with dollar signs for eyes, you know, jumping on the bandwagon to make a really quick buck. Buy low, sell high, yada yada yada. Because there's been some articles of huge amounts of money being transferred for digital pictures and digital images.
GRAHAM CLULEY. Lots of hype.
CAROLE THERIAULT. Yeah, lots of hype. And also lots of money.
GRAHAM CLULEY. Yeah. Oh yeah.
CAROLE THERIAULT. Seriously, lots of money.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. So I actually was asked by someone if I wanted to do an NFT of some of my work. So I do art, right? And so we went and had a chat so they could pitch me the idea. And so I'm listening and the main takeaways were that people want digital things. So the fact that I have a physical original wasn't that exciting to them. They wanted digital art, but I don't do that. So, and they also wanted a series of collectibles. So each of them original, but also related to each other so that you can kind of build a whole team of stuff and it's worth more value.
GRAHAM CLULEY. Oh, yes. Someone will want the entire set, or if there's one missing, they will pay over the odds to complete the set.
CAROLE THERIAULT. Exactly. It's like baseball cards almost, right?
GRAHAM CLULEY. Right.
MIKKO HYPPONEN. Hold on, hold on. Carole, tell me about your art. Do you paint?
CAROLE THERIAULT. I do paint. And I will give you a link. You can check it out at carole.wtf.
MIKKO HYPPONEN. For real? NFT WTF?
CAROLE THERIAULT. Not NFT. Well, this is interesting that you've said this. What are some of the problems as far as you guys have heard of NFTs? Do you see any issues with the kind of concept or things that make you feel a bit like, this seems— this is where I don't feel like it sits comfortably for me?
GRAHAM CLULEY. Well, you can't hang it on the wall.
CAROLE THERIAULT. You could print it.
GRAHAM CLULEY. Well, but you could print it anyway. I mean, you could go to an art museum and take a photograph and then print it out and shove it on your wall if you wanted, but wouldn't—
CAROLE THERIAULT. Right. So it's, yeah, it's impossible to regulate, right? Because you can't enforce someone not to do a save as of a JPEG or a print, you know, a PNG.
MIKKO HYPPONEN. Yeah. Whenever someone posts about NFTs, the first comments always are that I made a copy of your, you know, million-dollar NFT. I just clicked, right-click and saved it. Although you could always argue that, sure, you have a copy of the original NFT, but your copy is not worth $1 million and the original is.
CAROLE THERIAULT. Okay. Other problems. Climate impact, of course, right? Because it takes a huge amount of energy to do all the calculations required to generate the certificate for the blockchain ownership of this NFT. Also the valuation, right? The cryptocurrency is like, people are like, oh, that was bought for £69 million. And it's like, well, that was yesterday. You know, the prices are at the value, you know, at the time of sale. If you leave it in there and it devalues, then it's obvious what happens.
MIKKO HYPPONEN. The funny thing about bitcoin valuation is that if you go to bitcoin subreddits, you'll find plenty of people who used to use bitcoin to buy drugs from Silk Road 5 years ago. So they paid like 50 bitcoins for 2 grams of hash. Yeah.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Most expensive product in the universe now. And then of course there's like liquidity issues because just because you've bought something, there's a lot of shady stuff out there and you may not be able to realize the cash from the purchase because there's lots of new kind of players on the market. Not all are shipshape. But the thing that surprised me the most is that ownership, of course, is not required. So just like Mikko is on my website looking at my art right now, he could save as, slap it up for an NFT for sale. Now, here's the thing. There's no guarantee that the artist knows if someone has done this. And if they do happen to find out by going looking or someone telling them, they have to go through the whole rigmarole of trying to prove that they actually own it and it was taken from them. So a takedown notice, effectively. All in all, a huge pain in the butt. So, hmm, here is walking with Geoffrey Huntley. Okay, now he's got this FAQ page about him. It's like my press page, and it says a little bit about me. He says, my full name is Geoffrey Huntley. Please do not use Geoff Huntley. Then he goes, hi, I'm Geoff.
GRAHAM CLULEY. Well, no, he doesn't mind being called Geoff. He doesn't want to be called Geoff Huntley. I think there is a difference.
CAROLE THERIAULT. He is calling his work an art project.
GRAHAM CLULEY. He's a nutter.
CAROLE THERIAULT. The name being called The Billion Dollar Torrent. Okay.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And he says, hey, I'm Geoff. After many previous adventures involving cycling through many countries on a unicycle—
GRAHAM CLULEY. I think you've told me enough.
CAROLE THERIAULT. Now I live a minimalist lifestyle in a van that is slowly working its way around Australia.
GRAHAM CLULEY. Oh boy.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. But he's come up with a brilliantly simple idea.
GRAHAM CLULEY. Has he?
CAROLE THERIAULT. And I think it does underline the massive problem in the NFT thing is that most of these are hyperlinks to images hosted on Google Drive or Web 2.0 web hosts. The images in lots of cases are not being stored within the blockchain. The image, he writes, these images are not stored on the blockchain contract. Anyone who finds them can save and have an exact digital copy of what you're trying to buy or sell. So he has basically created this website, a site of 17 terabytes, all available from a single source. And he is showing that you are buying the notification of owning a worthless piece of crap, in my view. Ah, on his FAQ page, it says, did you know an NFT is just a hyperlink to an image that is usually hosted on Google Drive or other Web 2.0 web hosts? People are dropping millions on instructions on how to download images. That's why you can right-click, save as, because they're just standard images. The image is not stored in the blockchain contract. And the problem is, obviously, web hosts are known to go offline, 404 errors, right? So this handy torrent contains all of the NFTs.
GRAHAM CLULEY. How many terabytes?
CAROLE THERIAULT. 17 terabytes.
GRAHAM CLULEY. Handy. Handy.
MIKKO HYPPONEN. It's basically a backup.
CAROLE THERIAULT. Yeah, it's basically a web archive. And he's saying at the end of this, he says, the reason I'm doing this is so future generations can study this generation's tulip mania. And collectively go, what the fuck? We destroyed our planet for this. Signed, Geoffrey Huntley. Not Geoff. So, well, interesting.
GRAHAM CLULEY. Extraordinary.
MIKKO HYPPONEN. However, there is something about NFTs I want to mention since we mentioned my book. Plenty of the people here in Finland who have bought the book have bought the ebook, not the paper book. Some of them asked me, could you sign my book? And of course, physical book, I sign it, I'm happy to sign it. But how do you sign an ebook? There doesn't seem to be any solution to this. And I'm sort of waiting for someone to come up with something, something along the lines of NFTs, where I could actually somehow sign it with a public key and have the ebook be wrapped up in a contract, which would be stored in blockchain or something like that. That actually wouldn't be as stupid as many of the things we have here. If you're next to an author of something you have, and he could somehow sign it for you. So it would actually, you know, show that you actually did meet this person. And since NFTs are contracts, it could even work so that if someone would then sell a copy of the signed good, part of the price of that resale would go back to the original artist or original author. So maybe something like that could actually be useful.
GRAHAM CLULEY. Yeah, that's a very interesting idea. Mikko, do you ride a unicycle at all? Have you driven a camper van around Australia?
MIKKO HYPPONEN. Right, right.
CAROLE THERIAULT. No, no, but I am with you because, you know, like doing art and stuff, it would be really nice that if you sold your piece of art to someone and they went, oh, I love it. Oh, actually I don't love it, I'm gonna sell it on, that you get a kind of tiny bit of that Wonga. And I think this is probably a foray into that. I just don't think they've got it down pat yet. So just one last thing. If users wanna check whether their NFT is really on the blockchain as opposed to being hosted on Web 2.0. I have no NFTs, but this was recommended by Geoffrey Huntley himself, so make of that what you will. The site is checkmynft.com. It now effectively looks at the contract definition, so you can also just look at the freaking contract and read the T&Cs before you get involved. Love you all.
GRAHAM CLULEY. Perimeter 81 is the first ever Cybersecurity Experience Platform, designed around instant deployment, unified management, integrated security, and full visibility. Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform. Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as zero-trust network access, firewall as a service, device posture check, and more. Learn more and request a demo at perimeter81.com. That's perimeter81.com. Most companies discover they've been breached way too late. Well, Thinkst Canary fixes this. Just 3 minutes of setup, no ongoing overhead, nearly zero false positives, and you can detect attackers long before they dig in. Simply go to canary.tools to find out why its physical, VM, and cloud-based canaries are deployed and loved on all 7 continents. And what's more, listeners who mail in referencing Smashing Security get a 10% discount on their order. Can't say fairer than that. So go and check it out now, canary.tools. 1Password 8 for Windows is out right now. 1Password 8 for Windows has been reimagined to feel right at home on the world's most popular desktop operating system. From dark mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life. Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11. 1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before. So what are you waiting for? Find out more. Try 1Password free for 14 days at 1password.com. And thanks to the folks at 1Password for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
MIKKO HYPPONEN. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. A computer program for the Apple Macintosh, for macOS, which I use umpteen times a day, and it's probably the best program I have on my computer.
CAROLE THERIAULT. I don't even know if, okay, it's gonna be fascinating to know when you say it, if I recognize it, go.
GRAHAM CLULEY. The program is called MailMate.
CAROLE THERIAULT. I didn't know about it.
GRAHAM CLULEY. And MailMate, I probably shouldn't mention this on a security-related podcast, to be honest. I shouldn't really tell you what my email client is. Too late.
MIKKO HYPPONEN. Click on the link I just mailed to you.
GRAHAM CLULEY. Let me attach a zip bomb or something malicious. MailMate is, yeah, it's what I use for email. And I have used just about every ruddy email client that exists for Apple Macs. And I couldn't find one which I really got on with until a few years ago, I discovered MailMate. And in its own description, he says, MailMate isn't the most widespread, the cheapest, or the greatest looking email client, but I have no aspiration to make MailMate ever be one of those. Instead, it aspires to be the most powerful, the most flexible, the most efficient, the most standards compliant, and the most secure email client. And I have to say, I love it.
CAROLE THERIAULT. Okay, what does it do?
GRAHAM CLULEY. It's so powerful, Carole. It's so easy.
CAROLE THERIAULT. Okay, what does it do?
GRAHAM CLULEY. It can do anything.
MIKKO HYPPONEN. Can it make me coffee?
CAROLE THERIAULT. Yes. No, it can't. No, it can't. You're lying. God.
GRAHAM CLULEY. But it can do anything with email.
CAROLE THERIAULT. Like?
GRAHAM CLULEY. And it organises my email and it has rules and smart filters and folders. So it's IMAP compliant. So if your email's in like Gmail or something like that, it can connect to that and you'll be able to meddle with it on your thing. I'm trying to think of other really clever stuff it can do. I'll tell you one thing clever that it can do is if, for instance, so I have a form on my website, right, where people can ask me to go and speak at an event, right? And I get an email to myself from a particular address on my website. And if I accidentally reply to myself rather than the person I was meant to reply to, it will pop up and say, whoa, whoa, whoa, Graham, you've CC'd this internal address, which you didn't mean to. So there's all kinds of little itsy bitsy configurations. Or I've got another thing which says every time I send an email, because sometimes I'm, I'm a little bit curt in my emails. I'm not as polite as I should be.
CAROLE THERIAULT. Really?
GRAHAM CLULEY. Yeah, I know, hard to believe. Sometimes, well, so what my email client does is it puts any email I send into a 90-second limbo and I could make that 3 minutes. I could make it an hour if I wanted. And so I can go back to my email.
CAROLE THERIAULT. I love the idea of it being an hour. Graham's in the bath. Doop-a-doop-doop-doop-doop. Holy shit!
GRAHAM CLULEY. Exactly. Or I can schedule an email. So if I think, I want to reply, but I don't want them to, I don't want people to think I'm too keen. I'll send it to them in 90 minutes' time. So then it does it. And anyway, it is developed by just one Danish guy. You can buy it for a one-off fee of $49, but it is so essential to my work life that I actually give him cash every 3 months. I pay the equivalent of a subscription, which is entirely optional, but I choose to do it because I would be screwed if MailMate ever went away. Excellent software should be supported, so I'm happy to pay for it.
CAROLE THERIAULT. Question.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Would you be screwed if our friendship dissolved? Because I'm thinking a quarterly fee paid to me would be really useful.
GRAHAM CLULEY. You know, I think we'll have to discuss who's going to pay who. Anyway, MailMate for macOS is my Pick of the Week. Links in the show notes. Cool one.
CAROLE THERIAULT. Cool one.
GRAHAM CLULEY. Mikko, what's your pick of the week?
MIKKO HYPPONEN. Well, since we are in a podcast, of course I am going to recommend a competing podcast. So stop listening to Smashing Security right now. Look for the Ted Dabney Experience podcast and hit play. Well, it's another podcast. It's an English language podcast, but it's not really about cybersecurity or InfoSec or any of the fun stuff. It's about retro gaming.
CAROLE THERIAULT. Ah, your passion.
MIKKO HYPPONEN. I bought a brand new 1993 Judge Dredd pinball machine, which is the best thing ever. So, you know, yeah, they're great. Nevertheless, this one is not about pinball. It's about old video arcade games. This is a podcast made in UK by Paul Drury, Tony Temple, and Richard May. Tony Temple is the world record holder in Missile Command. He actually just wrote a book about Missile Command history and how he made the world record.
GRAHAM CLULEY. Oh, that sounds good.
MIKKO HYPPONEN. It's really good. I recommend the book. The book is called Missile Commander. And the podcast interviews people who were involved in the early days of the arcade gaming revolution, especially people involved in the early days of Atari. The name Ted Dabney Experience comes from Ted Dabney, who was one of the guys who started Atari together with Nolan Bushnell. It is really well done. Production qualities are there, really good interviews, and they have access to people who typically don't give interviews. So if you are into old gaming, classic gaming, or retro gaming, check out teddabneyexperience.com.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And trust Mikko because he really takes gaming seriously.
GRAHAM CLULEY. Yeah, no, that sounds great. I'll definitely check that out. That sounds a lot of fun.
MIKKO HYPPONEN. Cool.
GRAHAM CLULEY. Terrific. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay. I got a truly special, special, special one, not compared to yours, but compared to the previous ones maybe that I've maybe dabbled with. And it's a movie currently available on my instance of Netflix called Ruben Brant Collector. Have either of you seen it?
GRAHAM CLULEY. I have seen the trailer. You have recommended it to me. I haven't had a chance to watch the actual movie yet.
MIKKO HYPPONEN. I don't have Netflix, but I have heard of it.
CAROLE THERIAULT. Okay, it's that— I would say buy it. I would say like, don't walk, run, run, run.
GRAHAM CLULEY. Okay, it looked wonderful from the trailer. It looks wonderful.
CAROLE THERIAULT. So beautiful. So it's basically the story is 4 expert thieves attempt to steal every famous piece of artwork that is haunting their mutual psychotherapist. Okay, so the psychotherapist suffers violent nightmares inspired by these legendary works of art, and 4 of his patients, expert thieves all of them, offer to steal the works since the psychotherapist, of course, as one would, believes that once he owns them, the nightmares will disappear. And he becomes a wanted criminal known as the Collector. And there is a detective attempting to find out who this Collector is. Okay? That's basically the premise of the whole thing. It is so beautifully illustrated. Oh my God. And the animation is to die for. I mean, I—
GRAHAM CLULEY. How would you describe some of the characters? I saw a lot of them seem to have 3 eyes or 2 faces. It is a bit sort of Picasso-like.
CAROLE THERIAULT. Well, yes. It's so beautiful to watch because it's a bit meta in that sense. So you can literally watch it and try to—
GRAHAM CLULEY. Hang on, you have to be careful with the word meta these days.
MIKKO HYPPONEN. It's copyrighted.
GRAHAM CLULEY. That fucker. Yeah, yeah. He is an ass, isn't he?
CAROLE THERIAULT. You can kind of find pastiches or elements of art. So you can actually watch and go, oh, there, there, there's the Venus de Milo. Or there, there's the, you know, that's from Warhol. And you can try and spot them. And some of them are quite obvious, but some are very hidden within the fabric of this. Wonderful, beautiful, just stunning piece of work. So without delay, get your hands on Ruben Brandt Collector, and, uh, it's the best thing I have seen all year and maybe in the last 5 years. I just absolutely love it, love it. There you go, can't get higher than that. That is seriously a Pick of the Year. There you go.
GRAHAM CLULEY. Oh wow, oh wow, we haven't got a— we haven't got a jingle for Pick of the Year.
CAROLE THERIAULT. Well, maybe I'll find one.
GRAHAM CLULEY. Boom! Whoa, Pick of the Year! Wow, okay, well, that just about wraps up the show for this week. Mikko, I'm sure lots of our listeners love to follow you online, find out more about what you are up to. What's the best way for folks to do that?
MIKKO HYPPONEN. Well, they can find me on Twitter as Mikko, that's M-I-K-K-O, or on my website, which is mikko.com.
GRAHAM CLULEY. Fantastic. And you can follow us on Twitter at SmashinSecurity, no G. Twitter doesn't allow us to have a G. And we also have a Smashing Security subreddit where you can chat about the latest episodes. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT. And massive shout out to this episode's sponsors, the fabulous 1Password, the great Thinkst, and the wonderful Perimeter 81. And to our tremendous Patreon community, it's thanks to them all this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 253 episodes, check out smashingsecurity.com/podcast.
GRAHAM CLULEY. Smashingsecurity.com. Until next time, cheerio. Bye-bye.
MIKKO HYPPONEN. Bye-bye. I'm making an NFT of this episode already.
CAROLE THERIAULT. Um, Mikko, would you buy, uh, mikko.wtf?
MIKKO HYPPONEN. No, I have the best domain already.
CAROLE THERIAULT. I have the .com, so I don't want... But that could be for all your, like, I don't want to have this on my legit, legit site.
MIKKO HYPPONEN. But I have nothing to hide.
CAROLE THERIAULT. Sure, they all say that. They all say that.
-- TRANSCRIPT ENDS --