238: Fashion captain, fraud family, and DEF CON. D'oh!

Pygmy hippopotamus bugs, DEF CON's data slip-up, and phishing fraudsters have their collars felt.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security's Paul Ducklin.

Visit https://www.smashingsecurity.com/238 to check out this episode’s show notes and episode links.

We're going to be taking a holiday for a couple of weeks, but will be back with a regular show later in August.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Paul Ducklin.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. I've got an admission to make, Duck. I don't think I've combed my hair since I was about 8 years old.


PAUL DUCKLIN. Graham, I don't—


GRAHAM CLULEY. Am I missing out, or are other people just very polite about me not?


CAROLE THERIAULT. How's life going for you, Graham?


UNKNOWN. Either you're the fashion captain or you're not. And so if you're not, you just don't have to comb your hair. Don't let it bother you. Smashing Security, episode 203. 238, Fashion Captain, Fraud Family, and DEF CON, do with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 238. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week on the show, we're joined by a returning guest. Someone hasn't been on the show for far, far, far, far, far, far, far better thing than that. Anyway, far too long. Paul Ducklin.


PAUL DUCKLIN. Hello folks. Thanks for having me back.


CAROLE THERIAULT. Paul, what do you want people to know about you? Remind them of 3 things about you.


PAUL DUCKLIN. My barnet is coming along a treat. I couldn't go to the barber when lockdown started.


CAROLE THERIAULT. That means his hair, folks.


PAUL DUCKLIN. Yeah, barnet, fair, hair. Yeah, and so I just didn't go to the barber. And then it got to the point where I thought, golly, I have to go to the barber. And then it got to the point when lockdown ended and I could have gone to the barber that I'd got past the point of thinking, this is annoying, I need to go to the barber. And I figured, I'm going to see what happens. So all I can say is, Dr. Brian May, I'm a big fan of yours. I love your hair, but watch out, my friend. Oh, I'm not bragging, but maybe that's enough for our listeners.


GRAHAM CLULEY. Would you send us a new photograph for your—


PAUL DUCKLIN. a nude photograph?


CAROLE THERIAULT. No, no, that's what I heard as well. Thanks to this week's sponsors, 1Password and Offensive Security. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. DefCon is what I'm going to be talking about.


CAROLE THERIAULT. Duck, what about you?


PAUL DUCKLIN. I have one of the world's cutest aquatic mammals, the pygmy hippopotamus bug.


CAROLE THERIAULT. This is perfect. And for the trifecta, I am going to the birthplace of the late, the great Eddie Van Halen. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, Yes, chums, DEF CON, the world-famous hacking conference held annually in the seething hell that is Las Vegas. Who's been to DEF CON before? Duck, have you ever been to DEF CON?


PAUL DUCKLIN. No, I've been to Black Space Hat, but not to DEF Space CON. I, you know, I like my time in Vegas, but a few days was enough.


CAROLE THERIAULT. I've never been to Vegas.


GRAHAM CLULEY. You've never been to Las Vegas? No.


PAUL DUCKLIN. Super weather.


CAROLE THERIAULT. I have very little interest in going unless someone can change it for me and say, this is why you need to go.


GRAHAM CLULEY. I rather like Las Vegas.


CAROLE THERIAULT. Yes, well, that's one reason why I'm not.


PAUL DUCKLIN. I always wanted to go to the Hoover Dam because Art Deco, but it's like running out of water. It's terrible.


GRAHAM CLULEY. Oh, is it?


PAUL DUCKLIN. They've got real drought. Yeah, lowest ever, I think. Wow.


GRAHAM CLULEY. I did go to the Hoover Dam once. I saw a man having an enormous mega slurp.


CAROLE THERIAULT. You sent me that picture.


PAUL DUCKLIN. Yes.


CAROLE THERIAULT. That's awful.


PAUL DUCKLIN. That's— I don't want to know what that means.


CAROLE THERIAULT. They are huge drinks.


GRAHAM CLULEY. Anyway, DEF CON brings together security professionals, researchers, journalists, students, anyone else interested in the weird world of hacking, and they come together each year. There are multiple tracks of talks, hacking challenges, competitions, capture the flag, fun for all of the family. Well, the nerdy ones at least, in the heat of Nevada. And yes, DEF CON is happening in Las Vegas next week. And when I say it's happening in August, so they put it in August. Yes, this is when it happens.


PAUL DUCKLIN. They do have air conditioning, you know, they're kind of famous.


CAROLE THERIAULT. Yeah, but people like to go outside as well and not melt.


PAUL DUCKLIN. Hackers like to go outside. Okay. I'll take your word for it.


GRAHAM CLULEY. Well, DEF CON really is happening in person this year. Last year, the in-person element was canceled. It was only virtual. So there are plenty of folks this year who are keen to attend. And there are of course some rules. DEF CON's telling people they need to bring proof that they are fully vaccinated and they must wear a proper mask at all times. Would that be enough to lure you to go to DEF CON in Las Vegas this year?


PAUL DUCKLIN. Would an Anonymous mask, a Guy Fawkes mask, be good enough? No, no, no.


GRAHAM CLULEY. I see what you're thinking. No, they've got quite strict rules. According to the FAQ, that kind of thing isn't acceptable, and neither are scarves, ski masks, balaclavas, bandanas apparently won't suffice.


PAUL DUCKLIN. Bandanas can actually go across the head, don't they? Not the mouth.


GRAHAM CLULEY. Or a gag, you know, a ball gag. That's not going to be good enough either, even if you plug up your nostrils.


CAROLE THERIAULT. If you ever see someone Def Con with a ball gag.


GRAHAM CLULEY. I'd be surprised if you didn't see that. But neither will— you know how some people pull up their shirts or their jumpers across their mouth and nose? That specifically is not— oh, I've seen that. I've seen that.


CAROLE THERIAULT. Like, oh, someone picking up their shirt and putting their face down there.


PAUL DUCKLIN. Yeah, they sort of dip their face into it. It's quite bizarre. That's all because they're all hunched up. It looks like they've suffered some kind of absurd rictus.


GRAHAM CLULEY. Anyway, I don't know whether I would be comfortable attending a big conference like DEF CON at the moment. People have been asking me, are you going to be there, Graham? And I'm like—


CAROLE THERIAULT. I should hope not.


GRAHAM CLULEY. Well, of course not.


CAROLE THERIAULT. You went to RSA in 2020. I couldn't believe it.


GRAHAM CLULEY. Yeah, that was 2020, Carole.


PAUL DUCKLIN. Yeah, but that was when he was young and foolish.


GRAHAM CLULEY. Yeah, exactly.


PAUL DUCKLIN. Yeah. Well, he's grown up a lot since then, I'd say.


GRAHAM CLULEY. I have. A huge amount. But maybe you don't want to attend DEF CON in person, in which case there is a virtual ticket available. You can attend it via a Discord channel, which is what all the kids love these days.


CAROLE THERIAULT. Very cool.


GRAHAM CLULEY. And I think that's probably sensible. I think that's a lot more sensible.


PAUL DUCKLIN. You still get the badge, the famous hackable badge.


GRAHAM CLULEY. I think you can, yes, because that's what they sell, isn't it?


PAUL DUCKLIN. No, they sold out.


GRAHAM CLULEY. Oh, have they?


PAUL DUCKLIN. It says you can't even buy online tickets anymore, online tickets, because they've sold out. How do you sell out of space in a Discord channel? And I'm guessing it's because they only made so many badges and they're all gone. Ah, smart. And what would DEF CON be without the badge, eh?


GRAHAM CLULEY. Because the badge is really nerdy, isn't it?


PAUL DUCKLIN. Yeah, you can hack it and—


GRAHAM CLULEY. Yeah.


PAUL DUCKLIN. They're the— I was going to say they're the reason people go, but of course they're not. They're one of the excuses that give people a good reason to go, I suspect.


GRAHAM CLULEY. So if you wanted to go to DEF CON, which is happening next week, you—


PAUL DUCKLIN. You have left it a bit late.


GRAHAM CLULEY. Well, you've probably left it a bit late, but the place where you would have purchased your ticket would have been on the DEF CON site.


PAUL DUCKLIN. Right.


GRAHAM CLULEY. And you would imagine that wouldn't pose any problems.


PAUL DUCKLIN. Well, you imagine it would not pose any problems to them. You imagine it might pose a lot of problems to you, like that they might try and hack you, not the other way around.


GRAHAM CLULEY. Yeah, exactly. Whether you trust their website or not as to whether something nasty may happen. They've been holding DEF CON since the early 1990s. You would think it's a fairly slick operation, how you get your tickets and all the rest of it. But a security wonk called Brandon Forbes, who goes by the name Reznock, he found a problem when he registered for his DEF CON ticket.


PAUL DUCKLIN. Okay.


GRAHAM CLULEY. Because he found a bug in the online registration system.


CAROLE THERIAULT. Of course he did.


GRAHAM CLULEY. And that bug made it possible for anybody to find out the names and email addresses of anyone else who had bought a ticket online.


CAROLE THERIAULT. Ooh, zut alors, that's a little embarrassing for DEF CON, isn't it?


GRAHAM CLULEY. Well, you would think. You'd like to think that's the kind of thing that they've got properly under control.


PAUL DUCKLIN. Or maybe they quite like the idea of saying, you see? Like, hacking shall be free.


CAROLE THERIAULT. Or is it a fake list of names and email addresses just to see who would report it and then give him a big prize, or her a big prize?


GRAHAM CLULEY. Oh, what a lovely competition that would be. Yes. Sounds like an awful lot of effort to go to, but—


CAROLE THERIAULT. Well, it would be a good marketing campaign.


GRAHAM CLULEY. I like the way you're spinning this, Crow. You're thinking of—


CAROLE THERIAULT. TM Crowther.


GRAHAM CLULEY. —like a PR person. So, what did Reznok do? He purchased his ticket online, and he said it was really simple. He went to a web page where the ticket shop was located. He didn't have to log in. There's no sort of registration involved in terms of an account. He made his purchase.


PAUL DUCKLIN. Good, good, good. Like the sound of that so far. I hate these sites where you have to create an account to buy one thing, and then you can never delete it afterwards. Yeah. Yeah.


GRAHAM CLULEY. So, he made his purchase, and a few moments later, he received in his email the order confirmation with a link to view his order details and tickets.


CAROLE THERIAULT. Sounds all normal. Normal so far.


GRAHAM CLULEY. Right. And the link was something like, DEF CON Merchandise, blah, blah, blah, blah, blah, blah, blah. Orders 3791. And he thought, oh, that was really easy. And he looked at that link, I know, curious. And he thought, 3791. Is that my ticket number?


CAROLE THERIAULT. Is that how many people are attending? Let me try another number. No. Yeah. No! Oh no!


PAUL DUCKLIN. So let's see who booked just before me.


GRAHAM CLULEY. Exactly. So the first step he took was he took that URL, put it into an incognito window in his browser, so there are no cookies or tokens in play, and saw he could still view his ticket details. So anyone who put in that URL would see his ticket details. Yeah. So then, just like you've said, he changed the number from 3791 to 3790.


PAUL DUCKLIN. But be fair, Graham, 4 digits, it's a big ask to guess. I mean, how many 4-digit numbers are there? There are loads. Must be possibly as many as 10,000.


GRAHAM CLULEY. So this is what is known, as I'm sure many of our listeners know, as an insecure direct object reference vulnerability, also known as IDOR.


PAUL DUCKLIN. No, I think you say duh, because it should be D-O-H really, shouldn't it?


GRAHAM CLULEY. So this isn't just one of the most commonly encountered problems on poorly designed websites. It's also, of course, really easy for attackers to exploit. And we've seen quite a few of these over the years. I remember EasyJet and—


CAROLE THERIAULT. Okay, but this is DEF CON. So, so are we kind of thinking, oh, we should be holding them to a little bit of a higher standard? How the heck did this happen?


PAUL DUCKLIN. I think they went out to a third party to do the ticketing and, you know, didn't look at it.


GRAHAM CLULEY. Well, that's it.


PAUL DUCKLIN. Didn't look at it, kind of, or didn't know, or did— yeah, you know how it is. Ink the deal, ticket purchasing website. It's just a ticket. You don't need an account. Meh. But it turns out that, you know, maybe when you get the ticket, there is a certain amount of personal information you have to put in there, isn't there? Your name and email address to get the ticket back. Yeah. Maybe DEF CON are thinking, you know, who comes to DEF CON under their real name with a real email address? I mean, come on. This is an indirect non-object reference, and I know. So I'd love to know how many of those names were Mr. Mickey Mouse. So you're quite right, Doug. Mr. Dead President. Mrs. So-and-so. Mr. Bobby Tables. Yes, little Bobby Tables to you.


GRAHAM CLULEY. In their defense, DEF CON had farmed out the running of the booking system to a third-party firm called Guest Manager, which, you know, in some ways sort of says, well, that's not their fault, but it kind of also is their fault, because you think, well, how did they choose this company, and did they actually try it out for themselves? And with their kind of mindset, wouldn't they have spotted a problem like this? But also, any other online service which has used Guest Manager as their booking system presumably was vulnerable to the same flaw as well and is likely to be suffering from the same snafu. Mm-hmm.


PAUL DUCKLIN. Well, unless it's a special DEF CON only bug. Yeah. Like, it could be— Carole may be on to something. Well, maybe they were waiting to see who would get the data and where it would resurface.


GRAHAM CLULEY. Well, the good news is Reznock isn't a bad guy. He informed DEF CON, who reached out to Guest Manager, and the problem was fixed within about 48 hours. They put in some kind of token system which made it a bit more secure.


PAUL DUCKLIN. Ah. That suggests that maybe it wasn't a deliberate—


CAROLE THERIAULT. Yeah. I'm surprised it took— So how quickly did they respond once they were told publicly? Like, so once they were told, yeah.


GRAHAM CLULEY. The founder of DEF CON, Jeff Moss, also known as Dark Tangent, he replied to the initial report within 30 minutes. Good for him. Which is pretty impressive, I would say. And the problem was fixed within 48 hours. And they then just asked the researcher, can you keep quiet about it for a while until we're ready for the public disclosure to happen?


CAROLE THERIAULT. So basically we don't have to disclose everyone's private details. So no one's details were actually shown to anyone but Reznock.


GRAHAM CLULEY. Well, according to Dark Tangent, he said it's lucky for everyone it was determined that he was the first to discover it and other people, they believe, weren't. And I actually think that doesn't really paint a very good picture of the typical person who goes to DEF CON because—


PAUL DUCKLIN. Yeah, he was the 3,700 and however many. What was it? 3,791. Yeah. Unless they, you know, they could have started at 1,000 or they could, but they're not random, are they? They're sequential because he was going backwards. Yeah, because when he went forwards, he didn't get the next person hadn't signed up yet and he got nothing. But when he went backwards, right? Yeah. The other good thing is, as far as I know, he didn't get— he didn't do what some researchers can't resist doing and say, oh, I'll write a quick Python script that downloads them all. He kind of did a few and then figured, I think I can infer from this. Yes. And he didn't go and leech all the data to prove that he could leech some of it.


GRAHAM CLULEY. Seems like he was a decent chap. He wasn't doing it to show off particularly or, you know, to draw attention to himself. But Yeah, it does cast all those other people who've signed up for DEF CON in rather a bad light that none of them spotted the problem.


PAUL DUCKLIN. So, um, well, no, no. All you can say is none of them reported the problem. Yeah.


GRAHAM CLULEY. Well, that's pretty bad as well. Yeah.


PAUL DUCKLIN. No, no, no. I'm not just saying that. Yeah. I don't know which is worse actually. Now you mention it.


GRAHAM CLULEY. So, Duck, what have you got to talk to us about this week?


PAUL DUCKLIN. I have a little hippopotamus, a pygmy hippo. I need to look one of these up. They're very cute. They're from West Africa. They're sadly very endangered. But there's a security researcher whose real name I believe is Gilles Lionel, but he goes on Twitter by Topotam77. And as in topotam, that's like he obviously likes hippopotami, and he found this flaw, another Windows flaw. This one didn't get the Nightmare handle like PrintNightmare and HiveNightmare. He decided to call it PetitPotam, which I presume is a nod to the pygmy hippo, because he seems to love hippos.


GRAHAM CLULEY. I like it when vulnerabilities get named. Do you remember the Poodle bug? I thought that was very cute as well. I think that's much better than these bugs which suggest some kind of Eternal Hell or something, you know, really dark and horrible.


PAUL DUCKLIN. Yes, like in the way that we had PrintNightmare, and maybe it was a bit of a nightmare. So when the next one came along that involved insecure ACLs on registry hives, instead of just calling it Hivebug, well, let's use Nightmare again. So at least we didn't get here, SmallNightmare, we got PetitPotam. And it's sort of not a bug, it's kind of a misfeature that sadly could affect many networks, because lots of Windows networks still use NTLM, the LAN Manager Authentication System, which Microsoft itself basically deprecated more than a decade ago, saying don't use it anymore, folks. It was an older, less wise cryptographic age when we designed NTLM. And in particular, the way it does password hashing makes them vulnerable to brute force attacks, because there's no salting. And it's also vulnerable, I guess for a similar reason, to manipulator-in-the-middle, or what used to be called man-in-the-middle, attacks, where you trick someone into authenticating with you instead of the real authentication system. And then you can use the information the client has naively shared with you to kind of finish the login in their name, and they don't realize. And the more modern authentication system in Windows is Kerberos 5, which is what you're supposed to use. You're supposed to turn off NTLM altogether. But there are so many legacy apps and tools and administration things that need it that kind of a lot of people sort of never got round to it.


CAROLE THERIAULT. What's interesting is it gives a kind of argument for software as a service a bit, right? Because if you were hosting this, you could say, look, we are pulling this offline. This will no longer work in whatever year X. And so, you don't get legacy systems operating.


PAUL DUCKLIN. Yes, I think that's an argument that a lot of cloud services do and have used, but even that doesn't always work. Remember recently when the pandemic really got going, a whole load of government portals in the US, it turned out they hadn't upgraded the encryption algorithms they were using on their websites. And they were supporting a hash function that had been deprecated and it was about to be blocked by all the major browsers. And they said, "Oh, golly, we haven't done those updates. We're sorry. It's like we're a few years out of date." But if you implement this blocking in your browser, which obviously then users just won't be able to get to services that aren't up to scratch, people won't be able to get to government portals. Yeah. And they're more important than ever. And they had to delay for a while. I don't even know whether they've got here yet. So that's the problem. It's sometimes it's the kind of client side that shouts loudly. Yeah. And you say, I am going to refuse any connection unless it uses TLS 1.3. You think that websites would be in a position to do that now. And then it turns out that actually a significant proportion either of your paying customers or of people in general would take umbrage at that and say, no, I want to— I'm still using Windows XP and Internet Explorer and I won't be able to get to your website. And sadly, when those people are a significant enough minority, unfortunately, even a cloud service sometimes can't pull the plug on outdated cryptographic technology and has to let it linger on as a sort of necessary evil.


GRAHAM CLULEY. So going back to the pygmy hippopotamus, because I quite like the idea of that.


PAUL DUCKLIN. I don't get why it's a pygmy hippo, but I do love the idea.


GRAHAM CLULEY. Right. So this French chap, Gilles Lionel, he's published some code which exploits this misfeature. Is that what you called it? A misfeature of—


PAUL DUCKLIN. Well, it's not really a vulnerability, because Microsoft kind of can't patch it, because they've already said, don't use NTLM if you possibly can avoid it. Yeah. Because 10 years ago, it's still, we said stop using it, because the way it was designed, it has these kind of implicit built-in weaknesses about things like how hard it is to hack or crack passwords and protection against manipulator-in-the-middle attacks. So is it a vulnerability? Well, sort of. I guess what Microsoft has done over the years to keep NTLM alive, make it ever safer, is they keep adding protections into various protocols on the network that might use NTLM authentication at some point. But the problem is they obviously haven't been able to go and identify every little place in the network or every protocol where an authentication using the outmoded cryptographic style might be possible.


GRAHAM CLULEY. So if you're a system administrator worried about pygmy hippopotami racing around on your network, the real answer is to remove any legacy apps that are still reliant on NTLM and replace them.


PAUL DUCKLIN. But that's a big ask. Well, more importantly, what you need to do, because of course a crook could use what's called BYOB, bring your own bug, and bring an application that's still— or malware that uses NTLM authentication to achieve this result. Really, you need to stop accepting NTLM authentication attempts anywhere on your network. Right. And Microsoft has a little article that shows you how to do that. It's surprisingly easy. You just, you, you, you know, you can go to your domain controller and say, I don't want NTLM at all. But for many networks, good luck with that because something somewhere is going to break, might snap, and you might not notice for a little while. And then suddenly, you know, people can buy tickets to your fantastic conference, but maybe they can't get them issued afterwards, and then you're really stuck.


CAROLE THERIAULT. Yeah, and the big takeaway for all the listeners that may not even have this problem is think about the legacy stuff that you might have on your home network or on your phone and stuff you don't use anymore that is just sitting pretty, and you could just get rid of it, right? Delete it.


PAUL DUCKLIN. And have a little house cleaning. That's easier said than done though, isn't it? Because there's always that thing of, well, I never, I never know when I'll need this app again. Or you can redownload it.


CAROLE THERIAULT. You can download it again.


PAUL DUCKLIN. Well, you know, maybe if it's— the problem is if it's a legacy app, you might not be able to. It's like if you suddenly decided, I know, I'll just go back. I want to download Office 97 because I love that more than this ribbon Office.


CAROLE THERIAULT. Good luck. You need to get help if that's the situation. Did that have the paperclip?


GRAHAM CLULEY. You definitely wouldn't want to download that one.


CAROLE THERIAULT. I heard they were coming back, the paperclip.


PAUL DUCKLIN. I heard about that. Right. Me too. And I, it was just so—


CAROLE THERIAULT. Maybe you can come on the podcast.


PAUL DUCKLIN. Is this supposed to be a family-friendly podcast? Because I think by mentioning Clippy, you've kind of, you're going to create a lot of anxiety. Clippy. I forgot his name.


GRAHAM CLULEY. Everything's gone wrong. Long since David Bowie died, and it feels to me like the re-emergence of Clippy would prove that. Clippy.


CAROLE THERIAULT. Carole, what have you got for us this week? Okay, so we're gonna head to the birthplace of Eddie Van Halen. Do you know where this is?


PAUL DUCKLIN. Somewhere in the Netherlands.


CAROLE THERIAULT. Yes, the land of gouda and clogs and tulips. And, uh, I've never been to this particular town of Arnhem. I've been to Amsterdam. I love it, actually. I've always wanted to live there for a bit. I think it'd be a cool place to live for a while.


PAUL DUCKLIN. A bridge too far.


CAROLE THERIAULT. Uh, but we're going to Arnhem, and the reason we're going there is because Dutch police arrested a 24-year-old man last week for developing and distributing a phishing framework, or phishing frameworks. According to a Hacker News report, cybersecurity firm Group IB said that this young guy seemed to be tied to the cybercrime syndicate codenamed Fraud Family. Now, coming back to names and names that we, you know, will assign— what was that?


PAUL DUCKLIN. Frog? Fraud. Fraud. Oh, so they were kind of telling it like it was.


GRAHAM CLULEY. Not Freud. Not Freud.


CAROLE THERIAULT. No, not frog. Fraud.


PAUL DUCKLIN. Right. Fraud. Yeah, I think we, we should have, we should have anticipated that given their business venture. They're more likely— cybercriminals are more likely to be into fraud than into aquatic reptiles, aren't they?


CAROLE THERIAULT. I imagine. I imagine as well. It's not like the hippopotam. So, uh, fraud family frameworks are said to include phishing kits, tools designed to steal information, and web panels. And the whole point is to allow fraudsters to interact with actual phishing sites in real time in order to try and steal banking authentication details. So here is how it's said to work. So you get an email, an SMS, a WhatsApp message impersonating a well-known local bank, and it contains malicious links that when clicked redirect expecting recipient to an adversary-controlled payment info-stealing phishing website. Can you tell it was from the Dutch press release from the, from the cops?


PAUL DUCKLIN. This is Google Translate. Yes, exactly.


CAROLE THERIAULT. So basically it seems to work very similar to any phishing. You have a, you have a malicious link that you don't recognize, you click through, everything looks hunky-dory, and you start entering your information, and someone's grabbing all that from the other side. They'd also go to classifieds, Dutch classified advertising platforms, to contact sellers, because they obviously want— this is a service that they're providing. So they create these phishing kits and then want people to buy them. I mean, I don't know how that conversation goes. How does that work?


PAUL DUCKLIN. Like, hey, psst. Yeah. Would you like to make money? Yes. Do you really care where it comes from? No. You might like us. Yeah.


CAROLE THERIAULT. So give me 200 quid a month or whatever. Give me whatever their fee structure is. Yeah.


GRAHAM CLULEY. I think that really is how it works, isn't it? I mean, obviously it may be happening on sort of underground websites and there are darkweb marketplaces where that kind of thing is discussed. Okay, but what?


CAROLE THERIAULT. But why isn't the question like, dudes, if it's so lucrative and you're gonna make so much cash, why aren't you guys doing this? Why are you selling it?


GRAHAM CLULEY. Because you can only do so much, can't you? I mean, it may be a manpower issue. They may not have enough personnel for the, you know, it's like, we're doing as much as we can.


CAROLE THERIAULT. Oh yeah, we'll take a cut of anything you do as well. Right, exactly. Right, right, of course.


PAUL DUCKLIN. Well, it's sort of like the ransomware, the big-time ransomware crooks, isn't it? We're seeing ransoms of millions of dollars that actually get paid. Now, the core crooks don't get the millions. They get, iTunes/Google Play-esque 30%. As Graham said, they get 30% of every ransom. And they don't have to take the risk of being the people who actually have to infiltrate the network, actually have to stay up late, actually have to sweet-talk the admins. They just, they go, you do the network hacking, we'll give you the malware, so you don't need those skills. We'll handle the bitcoins. And I guess, as Graham said, it's the same idea that maybe these guys— it's not quite like those, you know, do you want to learn how to make money selling online? Buy my training course. It's more like, I don't want to be the in-the-face crook, but I'll sit in the background and take— you take the risk, I'll take some of the money. And I guess the people involved don't even really have to know each other. So they can't, even if they want to turn informer, it's kind of quite hard for them to give away the other guys because they're just, you know.


CAROLE THERIAULT. Yeah, they've met them on Telegram or whatever and they only have a username.


PAUL DUCKLIN. GiantHippopotamus1294@some random email dot example.


GRAHAM CLULEY. And from what I've seen, Carole, these phishing frameworks produced by the Fraud Family, they're quite sophisticated. It's not like they're just giving you a phishing web page, is it?


CAROLE THERIAULT. Group IB says the real-time element is what makes these attacks much more believable. Right. So to quote them here, it says when victims submit their banking credentials, the phishing site sends them to the fraudster-controlled web panel. This one actually notifies the, you know, the baddies that a new victim is online and the scammers can then request additional information that will help them gain access to the bank accounts, so including the two-factor authentication tokens.


PAUL DUCKLIN. Yes, I was going to say, that's where they'll jump in, right?


CAROLE THERIAULT. Yes, and any PII.


PAUL DUCKLIN. I mean, you see some of these hacking sites, they even have an 'I need help' button. Yes, like the ransomware guys do, and you click it and you actually, you talk to someone in Jolly Tech support. Yeah, are you having trouble buying bitcoins? I can advise you, and they can. It's like insane.


CAROLE THERIAULT. Yes, exactly. It's the guy sitting on the couch right next to the first guy.


GRAHAM CLULEY. But in this particular example, that where they're putting up these like banking pages. You're right. If you're having trouble logging in or can't work out what the 3 digits are on the back of your card or wherever, you can begin an online chat with someone who you think is in the bank support department and is actually the phishing person.


CAROLE THERIAULT. And you're like, I don't know where my 3-digit— what 3 digits? On the back of your card.


GRAHAM CLULEY. What do they say? Exactly. And they will talk you through that. But it's really clever. And of course, the real-time element of this is interesting. So it actually displays this sort of 'Please wait, we're connecting you.' Yeah, interstitial dialogue while the phishing person is being woken up by some bleeper saying, 'We've got another one who's just come in.' Ingenious.


CAROLE THERIAULT. You can see how people would fall for this, because if you've already been duped into kind of falling at the first hurdle, I think then if you feel like you're in the bona fide world of your bank, you know, you'd be like, 'Oh God,' even if it was a bit crap, you might think, 'Well, it's the bank.' Um, anyway, this 24-year-old chap apparently was not working alone, alleged the Dutch police, right, they also arrested a second individual who they believe to be responsible for selling the frameworks, these phishing frameworks, a 15-year-old kid. Oh dear. Now he has been since released, but I found it interesting in the police press release, okay, thanks to Google Translate, so forgive, uh, but they say, they say, quote, the developer is the most important link in the phishing process. No phishing without a developer. Phishing panels, by which I think they mean that these frameworks allow other malicious parties to set up phishing websites. So they're basically saying the developer is the key in this whole kind of market. And I wanted to know what you guys thought about that.


GRAHAM CLULEY. It sounds like phishing for dummies to me. It sounds like they've made it really simple for anyone who wants to make a quick buck to put together quite a sophisticated phishing campaign because normally— yeah, phishers don't manage to get your two-factor authentication code, or if they do, it's already expired. But this particular system, it would get that and it would be able to bypass multifactor authentication in many cases.


PAUL DUCKLIN. And I guess those people at the core, they're the ones that the cops want to take down anyway because they're the ones with the big reach, just like the people at the core of the ransomware gangs. They're the ones who are— without them, they wouldn't be the ransomware that got distributed and everyone would have to invent their own. And also, I guess, means that somebody who has never coded in their life wouldn't know what HTML looks like, doesn't care, but fancies a go at cybercriminality. They don't even have to learn how you put a logo on a web page. The developers at the core of the phishing scamming system will provide that for you in the same way that, you know, in real life you think, oh, I want to build a website. I'm not going to learn how to to load Apache and how to set up httpd.conf files and write HTML and JavaScript. I'll go to a hosting provider and I'll pick a template from a list of 12. That's a nice one. I'd like the green tinge. I'd like the dropdown menus from the left. Thank you very much. Consider this analogy though, right?


CAROLE THERIAULT. Okay, so I have a car. Let's say my car is busted and I'm gonna take it to the car shop to get fixed. And I know the car shop people are scammers. Like literally they are scamming everyone and they're proud of it. And that is why I've gone there. Do I trust them to actually I'm going to fix my car for the agreed deal that we're making when I know sweet F.A. about the business?


PAUL DUCKLIN. Well, it depends. Like, if you're going there because they might issue you an MOT certificate without actually looking at the car, for example, then you kind of figure, okay, I don't care. I'm going in with my eyes wide open. And I guess here, for the people joining in, you're paying this amount each month. If the guys screw you over and you don't make your €200 back in the first month, you're just not going to do it again. But if you do and you actually cash the money out—


CAROLE THERIAULT. Then it's a win-win for everybody involved, therefore carry on.


PAUL DUCKLIN. The thing is that it's not like these cryptocurrency scams where you buy something that genuinely doesn't exist, that's just this mythical pseudo-crypto coin. You're buying into the phishing campaign you can see that you get woken up. You get, yeah, there's someone online and you, you know, you can see whether it's working.


CAROLE THERIAULT. Well, it seems to be working because, um, Softpedia reported that at the point of writing— so this was two days ago, their article— no less than 8 Telegram channels run by Fraud Family have been uncovered, and with the channels collectively having 2,000 subscribers between them. So this is all directed at just Dutch, uh, residents and Dutch banks. So this is, uh, really people living outside the The Netherlands may not encounter this problem, but I think it just goes to show that phishing is still rife. You kind of feel like it's so old hat.


PAUL DUCKLIN. Yeah. And it's not all about the huge-scale gangs either, right? Yeah. The mistake people make with ransomware, oh, no one cares about little old me. It's like the REvil guys, they're only interested in $70 million ransoms, like as happened in that Kaseya hack. And it isn't. There are plenty of smaller-time crooks who figure they don't want to be in that massive spotlight. They're just— and, you know, if you're a 15-year-old kid, you're just thinking, I want some new trainers.


GRAHAM CLULEY. You know what I liked about this story, Krow? What? Was that the Dutch police infiltrated the Telegram groups where they were chatting, you know, where the Fraud Family and their affiliates were working, and they posted their press release about the arrest of the gang members so everyone would see that they were on to them. Maybe they'll get some details as to who else has been buying stuff from them as well. I guess we'll have to wait and see whether more arrests will be made.


PAUL DUCKLIN. Yeah, there may be people, some of them who aren't very old, who suddenly realize that actually, worse than the cops knowing, someone's going to tell their mum. Yes. And then it's going to be really bad. Don't tell mummy!


GRAHAM CLULEY. Cybercrime is at an all-time high and it's not slowing down. So why should you? This August, you are invited to Security Summer School, a brand new webinar series hosted by the 1Password team. Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and at work. You can get exclusive perks like 1Password swag for attending events, the chance to network with top security leaders, and much, much more. Find out more and enroll now at www.onepasswordsummerschool.com. That's www.onepasswordsummerschool, all one word, dot com.


CAROLE THERIAULT. Smashing Security's new sponsors, Offensive Security, are industry leaders in providing training for your organization. The training is designed by the same minds behind Kali Linux and OSCP. Oh, now you're paying attention. So Offensive Security offer a number of different programs. There's the OffSec Flex program, which allows you to train on your own schedule. There's the OffSec Academy offering industry-leading OSCP certification through dedicated one-to-one mentoring and virtual training. Or if you want to develop your team's pentesting skills in highly realistic simulated networks, Offensive Security experts have got your back. See, it comes down to this: the skills gap is increasing, meaning it's more important than ever to train your staff effectively and efficiently. Learn more about Offensive Security at smashingsecurity.com/offsec. That's smashingsecurity.com/offsec.


GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. A product.


PAUL DUCKLIN. Come on. I'm pitching myself here. Yours are nothing compared to mine. Mine will revolutionize people's lives.


GRAHAM CLULEY. Excuse me. Let me finish my spiel. It doesn't have to be security-related necessarily. Shouldn't be. That's a relief. Now, my pick of the week this week is not security-related. It is something rather wonderful, which started as a comic strip, and now you can buy it in volumes and read all the tales in one book or a series of books. It is The Rise and Fall of the Trigan Empire.


CAROLE THERIAULT. Oh, I've never heard of this ever.


GRAHAM CLULEY. I've never heard of this.


PAUL DUCKLIN. Oh, it's just a Whovian thing, Graham.


GRAHAM CLULEY. It's nothing Whovian. It's not Trekkie. It's not even Columbo. The Trigan Empire was a comic strip that first came out in the mid-1960s, words and pictures by Mike Butterworth and Don Lawrence. I remember it fondly when I was reading the pages of Look and Learn magazine in the 1970s. Look and Learn was a weekly educational magazine which my parents thought— That's what your mum allowed you. The best bit was the Trigan Empire, where things went a bit crazy and wasn't about how helicopters work and things like that. So the Trigan Empire stories, they're based on the distant planet of Elekton. It's a strange mixture on Elekton. They have like futuristic technology, like anti-gravity ships and ray guns, but they also have Roman and Greek architecture and legionnaires and great big battles. I absolutely adored this comic strip as a young boy, and my son, who's 10 years old, loves it as well.


PAUL DUCKLIN. Does he love it because it's great, or does he love it because he knows what's good for him?


GRAHAM CLULEY. He loves it because it's great. All the things which he knows are good for him.


CAROLE THERIAULT. Dad, it's really wonderful, Dad.


GRAHAM CLULEY. I like Trigan, Dad. He thinks it's great fun. There's lots of battles and good stuff. The Trigan Empire, the rights to it are now owned by Oxford-based Rebellion, who also own—


CAROLE THERIAULT. Oh, that's cool.


GRAHAM CLULEY. I know some people who do that. Oh, don't you? But they also own Judge Dredd, I think. And they make video games and all sorts of stuff. Judge Dredd will never catch on.


PAUL DUCKLIN. Like, who would need a society like that?


CAROLE THERIAULT. What's very cool about comic strips from the '60s and before is that they were done by hand, right? So literally done by hand, like painted rather than hammered and watercolored, not on computers, right? Like it's all hand-drawn and all hand-painted. And then like there's just— it's a lot of work, the amount of times you can't just adjust things, right? You got to redo them and, uh, you got to make the final one has to be super clean. So a lot of work.


GRAHAM CLULEY. Well, you are so artistic, I think you would appreciate this. I will bring around a volume of the Trigan Empire for you to peruse.


CAROLE THERIAULT. I wouldn't mind it. Actually.


GRAHAM CLULEY. It's rather lovely, beautiful art, great stories. There are now 3 volumes. Basically, I think it's been popular in the Netherlands and in Germany, but it's been quite hard to get hold of in English. It's been quite expensive. Now Rebellion have brought out 3 volumes of The Trigan Empire, affordable. You get all of these stories. It's terrific. So I will put some links in the show notes, and I strongly recommend The Rise and Fall of the Trigan Empire. Great. And that is my pick of the week. Duck, what's your pick of the week? It better be good.


PAUL DUCKLIN. Of course it's good, Graham. My pick of the week, and I've featured it already, I gave them a shout out on the Naked Security podcast and I want to advertise this company again. I have no connection with them. I don't get any commission. And if I did, I could have earned as much as £8.50. It is the world's best hairbrush. And, you know, with my, with my big, I'm challenging Dr. Brian May hair, I need a good hairbrush. And my wife had one of these, and I took to using it when I thought she wasn't looking. And of course, she figured out what was going on. And one day she said, I'm just nipping out to the shops. And when she came back with the groceries for the day, she said, I bought you a present. And she presented me with my very own Tangle Teezer. Oh, and it is the best hairbrush you'll ever buy. It's called a Tangle— Tangle Teezer.


CAROLE THERIAULT. My niece has one and I regularly, uh, de-comb her hair. She's the finest hair in the universe and it's—


PAUL DUCKLIN. it does work. It's got bristles of two different lengths, I presume, because they— although it's a British-made product and it's festooned with a Union flag and all of good, proud jingoistic stuff. I guess they want to appeal to a market that's not English-speaking, so they didn't want to spell the word teaser like you spell it in English because the pronunciation isn't obvious. So you have to search for tangle, which is spelled as normal, and teaser is T-E-E-Z-E-R. And tangle— oh yeah, it's just— it's great.


CAROLE THERIAULT. Now, do you have the one with the handle or just the one that you grip?


PAUL DUCKLIN. No, I have the one with the handle. Right. I have pitched this to people who said, I nearly bought one, but I didn't like the grip it like a comb. I wanted a handle. And now they have. And my wife didn't realize this. She just bought— they only had one in stock where she bought it. So the one she bought me without realizing it is actually different colors, different sizes. And she bought the turbo, the large-sized one. That's the one to go for. Absolutely cool. You don't get sparks, you don't get static electricity, your hair doesn't come out. It's just like— if you thought that's how a hairbrush should work, take it from me, I'm the fashion captain now.


CAROLE THERIAULT. Is it pink?


PAUL DUCKLIN. Uh, technically, I believe that's the only one they had. They do a blue one and a black one. Uh, it's actually called salmon, I think. Oh yeah, so the color is a little odd. It kind of is.


CAROLE THERIAULT. There's nothing wrong with a bit of salmon in your life.


PAUL DUCKLIN. That's the only thing I don't like. It does look like a rather peculiar set of dentures.


GRAHAM CLULEY. Oh, I've seen one you can get with unicorns on it. I've got an admission to make, Doug. I don't think I've combed my hair since I was about 8 years old. Graham, am I missing out, or are other people just very polite about me not?


CAROLE THERIAULT. How's life going for you, Graham?


PAUL DUCKLIN. Either you're the fashion captain or you're not. And so if you're not, you just don't have to comb your hair. Don't let it bother you. Like, be what you want to be. But if you decide that you want to look as cool as I do, the Tangle Teezer is your friend. But my wife's one is off limits now. I'm not allowed to touch that. Now I've got my own. We keep them separate. And I'm— because hers is like, it's Or not allowed to use it.


CAROLE THERIAULT. I'm just gonna kick all your big head fuzz out of my thing.


PAUL DUCKLIN. So I suppose it has a sort of a cybersecurity angle in that you can keep your hair free from tangles. So if you have to rush out to fight a virus out into the street and out to somebody else's computer, and you won't catch your hair on something and trip over, perhaps. Yes. Yes. It's full on, like, if you like that bouffant full 1960s, '70s coiffed look. Or a bit like Jason King. No?


GRAHAM CLULEY. He had big hair.


PAUL DUCKLIN. I'll post a photo, maybe. Ooh!


CAROLE THERIAULT. What about Rick from Rick and Morty?


PAUL DUCKLIN. Like Robert Plant of old, or Ian Gillan, or someone like that. Yes. That wavy— the hair that it doesn't hang long, it just kind of goes out. It goes— there's enough grab, there's enough weight for gravity to pull it down, so it doesn't just stick out. Like a geranium.


CAROLE THERIAULT. Can you comb it into a man bun?


GRAHAM CLULEY. Would you comb it into a man bun? Of course he would.


PAUL DUCKLIN. I am going to pretend that neither of those questions were asked because they do not deserve an answer.


CAROLE THERIAULT. I love— I'm loving the mental image.


PAUL DUCKLIN. Just because I wear checked shirts and ride a bicycle with a fixed gear does not make me a hipster. To okay. I didn't come on this show to be insulted. Actually, no, that's not strictly true. That wasn't in the—


CAROLE THERIAULT. I love all those things too.


PAUL DUCKLIN. I love it. It wasn't on the list. What, you like, you like man buns?


CAROLE THERIAULT. Sure, they provide much entertainment. Yes.


PAUL DUCKLIN. Did you see there was, there was a big Twitter thing that went viral a year or so ago about some guys in Cape Town in South Africa who would drive— they were driving around in like a high-powered BMW and jumping out when seeing like hipsters at pavement cafes and running up to them and like cutting off their man buns. And the guys would chase after them and fight was on, and they jump in the car and speed off. No. And they got this huge reaction and they had to post a video saying, guys, they were our buddies, it was just for fun. Oh, because I got—


CAROLE THERIAULT. see, we protect the man. Yeah, threats. Good. Well, not death threats for cutting off man buns. You— what if someone came along and cut off all your locks?


PAUL DUCKLIN. Well, it's not quite as easy as with a man bun. It's all gathered into one place, isn't it? So it's like one snip. Just a quick snip. No, I think you'd— I'd fight my corner. I'll tell you what, I'd wield that Tangle Teezer. Like, lash 'em back with it.


GRAHAM CLULEY. Rescue us, Crow. What's your pick of the week? Oh, mine?


CAROLE THERIAULT. I don't even know if I can follow this. So mine is an Amazon Prime series called Modern Love. And this is based on a New York Times column by the same name. And the column is where people write in essays about their love strikes or fails or something in between the two. Season 1 has been out since 2019. But Season 2 is just about to land in early August, which is why I'm covering it today. So there's like all types of stories. Maybe there's one about an unlikely friendship, or, you know, past love resurfaces, or a marriage is at its turning point, or a good date or a bad date or anything like that. And I just like the way the stories are told. And I, I sent Graham one. I pointed my favorite one in your direction. Season 1, Episode 3. That's right, Take Me As I Am, Whoever I Am with Anne Hathaway. What did you think?


GRAHAM CLULEY. What'd you think? I thought it was delightful, right? Yes, I thought it was really good.


CAROLE THERIAULT. It's like it fakes its cheesiness. You think it might be cheesy, but it's not.


GRAHAM CLULEY. Yeah, there was a— yeah, the twist came about a third of the way through, and you kind of think, oh, 'This isn't quite gonna be what I expected.' Yeah. But it, but it's great. Great. I'm keen to watch some more episodes, I have to say.


CAROLE THERIAULT. Cool. Well, they're great and you're gonna have a whole new series to enjoy. And I think they're, I think it's really good. The acting's good. The storytelling is good. And they, the whole premise of it is nice because we need a bit of love in our lives.


GRAHAM CLULEY. And it's an anthology show, isn't it? So it's not the same people in it each week. Yeah, exactly.


CAROLE THERIAULT. So yeah, you can just dip in, dip out, and that's a nice freedom as well, isn't it?


PAUL DUCKLIN. Can I ask, what are the coiffures like? Like, how's the hair in the show?


CAROLE THERIAULT. Well, Anne Hathaway in that particular episode that we were just talking about looks like Rita Hayworth. You're welcome. Quit while you're ahead. Yep, I'm not going to say another word.


GRAHAM CLULEY. Nice one. Well, that just about wraps it up, but we have some important news for our listeners, haven't we, Carole, before we tie things up for this week? Yes, we're taking a fricking break. Yeah, we're going to take a few weeks off for a little holiday. Of each other as well. Yeah, most importantly. But we will be coming back. So it'll only be a couple of weeks, but yeah, it's August, so we thought we'd have a little vacation.


CAROLE THERIAULT. Now that the sun's now decided to go back in and it starts to rain, we're going to take a few weeks up.


GRAHAM CLULEY. And if you're missing us, just go back through the back catalogue and choose a random episode. You've probably forgotten it all by now, whatever we did in 2018. Go and listen to one of them.


PAUL DUCKLIN. So to put not too fine a point upon it, you're all going on a summer holiday. Just for a week or two. Yes. Have a good time.


GRAHAM CLULEY. Duck, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?


PAUL DUCKLIN. Uh, you can just wander along to nakedsecurity.sophos.com, or you can catch me on Twitter. I am @duckblog.


GRAHAM CLULEY. Fantastic. And you can follow us on Twitter at @SmashinSecurity, no G, Twitter doesn't allow us to have a G. And we've also got a subreddit for Smashing Security as well. So check us out there and make sure that you never miss another episode, including when we come back in a few weeks' time, by following Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. Thanks to this episode's sponsors, 1Password and Offensive Security, and to our wonderful Patreon community. It's thanks to them all this show is free. And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 237 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye. See you in a few weeks, Graham.


CAROLE THERIAULT. No one's crying. No one's gonna cry. They are.


GRAHAM CLULEY. They're gonna— they're gonna be bereft.


CAROLE THERIAULT. They're gonna be happy to have a break. We deserve a holiday. Everyone's cool with that. They're all like, guys, have a good time. You've worked hard this year. You deserve a break. They're going to be at their cabin. They're going to be, you know, camping somewhere. It's all cool.


GRAHAM CLULEY. All right, mask up everyone. Stay safe. Don't go to DEF CON.


CAROLE THERIAULT. Okay, Dad. Hey everybody, it's Carole here. Before our little holiday, I just wanted to say a huge thank you to everybody. You listeners, you sponsors, you Patreon supporters, you reviewers. But you know what? I've forgotten somebody very important. And that is all the guests that have come on the show and given us their time. These are the people that present stories, have a few laughs with us, and generally manage it so that Graham and I don't kill each other. Which, you know, is a bonus, 'cause that would be the end of the show. So let's see if I can do this. Thank you, Adrian, Alan, Alex, Andrew, Anna, BJ, Barry, Brian, Charles, Chris, Claire, Dahlia, Dan, Danielle, Dave, Gary, Geoff, Greg, Helen, Iain, Jack, James, Jamie, Javad, Jenny, Jessica, Joe, John, Kevin, Levi, Lisa, Mary, Maria, Mark, Martin, Max, Michael, Michelle, Miko, Nick, Nina, Ollie, Paul, Peter, Phil, Philippe, Rachel, Ran, Ray, Rik, Rich, Robert, Roger, Ron, Rory, Scott, Simon, Steve, Thom, Tim, Tommy, Troy, Vanessa, Vanja, Yvonne, and Zoe. And you, dear listeners, can see their bios at smashingsecurity.com/guests. See you in a few weeks.

-- TRANSCRIPT ENDS --