
194: Carry on droning

September 2, 2020
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

All right, hi everyone. Carole Theriault here with the shout out to our incredible Patreon community. These are the people that are backing us every show, helping us pay for all the things that a show like this requires. Today's special mentions go to Ragnar Sigurdsson, Mike Hallett, Sharon, Jason Barbier, Christian Unger, Skidun, Martin Rogers, Lucy Adams, Cypherpunk, and Michael Nizalak.

Jessica Barker

What can I say?

Carole Theriault

You guys are awesome. You know, I'm dreading when one of you gives me a really rude or uncomfortable to say username that I need to read out on one of these shows. I mean, it's bound to happen. And if one of you want to be that person, visit smashingsecurity.com/patreon. Now let's get this show on the road.

You're supposed to use the clock. It works way better. So you imagine you're at 12 o'clock, right? They're sitting at 4 o'clock.

Graham Cluley

Okay.

Carole Theriault

You swivel all the way to 7 o'clock and then back to 4 o'clock, having two quick views of that person and therefore commit to it.

Graham Cluley

Because you're kind of looking at a corner of the restaurant thinking, oh, very nice. And then you go, vroom, and you go past them.

Jessica Barker

Very smart. That's some good spying skills.

Graham Cluley

If you ever see me and Carole doing that in a restaurant, you know that we're secretly spying on you. Smashing Security, Episode 194, Carry On Droning, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 194. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And we're joined once again by ransomware returning guest, it's Jessica Barker, everybody.

Jessica Barker

Hello. Hello. Wonderful to be here.

Carole Theriault

The new author, Jessica Barker.

Jessica Barker

Indeed. It's exciting times for me. Exciting and terrifying.

Carole Theriault

So where are you at in the whole process?

Jessica Barker

Confident Cybersecurity is going to be published in just over a week in the UK, in most of the world, and then for the US and Canada, publication date is a little bit later, so that's the 29th of September.

Graham Cluley

And the name is Confident Cybersecurity. What's it all about?

Jessica Barker

So it is a comprehensive guide to cybersecurity, looking at the human, the physical, and the technical sides. And it's aimed at really anyone who wants to know more about this field. So it might be someone who's considering cybersecurity as a career, maybe a board member who wants to get up to speed, maybe someone who's just starting out in security or works in one domain. Maybe someone in awareness-raising who wants to know more about the technical side, or vice versa. This is a comprehensive guide that covers everything from social engineering to CVEs to geopolitics and cyberwar.

Graham Cluley

And I believe that someone close to this podcast actually appears in the book.

Jessica Barker

Indeed.

Graham Cluley

Gets a mention.

Jessica Barker

Indeed. I was very honored when I reached out to Carole Theriault to ask her, would she give me some background on her? Would she be featured in the book? As one of the professionals that I write about, and she very kindly agreed. One chapter shows the diversity of jobs in cybersecurity.

Graham Cluley

It's an exposé. It's an exposé of Carole, isn't it? And her background.

Carole Theriault

I have a much more important question.

Graham Cluley

Okay. Yes.

Carole Theriault

Jessica, when you were deciding on the cover for the book, did you have to fight for your name to be in a particular font size?

Jessica Barker

No, that's an interesting question. The publishers decide a lot of things, so they pick the color and it's part of a series of Confident books, Confident Coding, Confident Web Design, et cetera. But no, so no, should I have?

Carole Theriault

Oh, I hope it's not like 2-point, right? Because that would be a really shit move on their part, but I'm sure they're amazing, so they probably did it right. Maybe it could be an old GeoCities website. It could have a marquee scrolling or the blink tag in HTML. Yeah.

Graham Cluley

Draw attention to it. It's by me. Ding, ding, ding, ding, ding.

Carole Theriault

Anyway, congratulations. I cannot wait to get my hands on a copy. First, let's thank this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free.

Graham Cluley

Marvellous. Carole, what's coming up on the show this week?

Carole Theriault

Coming up on today's show, Graham tells us the tale of a bitcoin robbery. Jessica tells us what can happen when the strongest link is the insider link. And I take to the skies to share the latest on drones. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chaps, are you on the—

Carole Theriault

Chaps?

Graham Cluley

Bitcoin?

Carole Theriault

Oh, no. We've got women here, for God's sake.

Graham Cluley

Oh, God. Oh, no. I've reverted. Now, chums, chums, are you on the Bitcoin bus? Jessica, have you jumped aboard the cryptocurrency caravan? I'm interested in whether you've invested any of your shekels in digital currency?

Jessica Barker

A little. You know, I've got a little stash.

Graham Cluley

Yeah, me too. I've only got a small investment there. Carole, what about you? Anything?

Carole Theriault

I don't think it's anyone's business whether I have or haven't.

Graham Cluley

Okay, I see. It's not the HMRC are listening. Don't panic too much.

Jessica Barker

That was the right answer though.

Graham Cluley

Because it's going to be big, or so we're assured. No less an authority than John McAfee.

Carole Theriault

Oh my God.

Graham Cluley

No, well known.

Carole Theriault

You are obsessed with this man.

Graham Cluley

Well known for his calm, mild-mannered personality, never overhyping anything. He has predicted, of course, that the price of one bitcoin will reach $1 million, in the words of Dr. Evil, by the end of 2020. In fact, in April 2019, he said it was a mathematical impossibility for the price of bitcoin to be less than $1 million.

Carole Theriault

So, what about when he said he was going to eat his dick?

Graham Cluley

Well, I wasn't going to mention that.

Carole Theriault

Are you doing a review on that?

Graham Cluley

I wasn't going to refer to that. But yes, he has made a bet that he will eat a part of his body.

Carole Theriault

Own anatomy.

Graham Cluley

Yes, on television.

Carole Theriault

Who's going to want to watch on TV? How old is this guy?

Jessica Barker

This is very Black Mirror, isn't it?

Graham Cluley

What channel is this? This isn't Jools Holland's Hootenanny, is it? I mean, what's happening that something that? It's extraordinary. There are only 3 months to go. It's unclear whether he's going to win his bet or not. Now, the price of bitcoin has risen around 40% since the beginning of this year. It's currently a little under $12,000 per bitcoin. That's still a lot lower than its— at its height in late 2017, it was about $20,000. And that means that the price of bitcoin is going to have to rise by more than $8,000 each and every day until the end of the year. For us not to have to watch that on television or for us to change the channel and just not watch it. That would be the ultimate insult, wouldn't it? Would just none of us watch it. So if you want to join the modern-day gold rush, don't dilly-dally. Maybe he'll be having a laugh at our expense, I don't know, or maybe do dilly-dally.

Carole Theriault

Maybe his mouth will be full.

Graham Cluley

Please. We don't offer investment advice on this podcast. You have to go to our podcast, that sort of thing. But some people do have large bitcoin investments, such as one anonymous investor who posted on GitHub this week that he had lost 1,400 bitcoins.

Carole Theriault

How do you lose them?

Jessica Barker

Down the sofa, obviously.

Graham Cluley

If only, if only it was down the sofa. 1,400 bitcoins is worth $16 million. Gosh, that's a big sofa. It is quite a comfy sofa.

Carole Theriault

Are we convinced that this actually happened? 'Cause the anonymous investor type, could just be a story.

Graham Cluley

Well, when you hear how it happened and some of the background, you may find it a little bit more believable. The problem lies in a vulnerability. A vulnerability that existed in a Bitcoin wallet called Electrum. And this isn't a new vulnerability. It was initially publicized in April 2019 by the chaps at Malwarebytes, and it's believed to have been present in the software for around 6 months before that. So exploitation of this vulnerability in the Electrum Bitcoin wallet was done through what's known as a Sybil attack. And Sybil, I can't think of anything other than Sybil Fawlty from Fawlty Towers.

Jessica Barker

Sybil?

Graham Cluley

It's the only thing I can think of.

Jessica Barker

I was thinking of Cybill Shepherd. Oh, oh, oh, this is Sybil with an S. So a slightly different kind of Sybil, but yes, that would be a more romantic kind of Sybil, wouldn't it?

Carole Theriault

What?

Graham Cluley

I don't understand.

Carole Theriault

Explain it very slowly to me. Like I'm 5.

Graham Cluley

So we have some software, we have some software called Electrum, which is a bitcoin wallet, and it has a vulnerability, which means people can be tricked into downloading an update.

Carole Theriault

Gotcha.

Graham Cluley

And the developers of the software were really keen for people to download a genuine update for the product in order that they would be patched against the vulnerability. And the only way they could find to try and do that was to exploit the vulnerability in their own software to redirect people to a genuine update. Do you get me?

Carole Theriault

Yes!

Jessica Barker

Wow.

Carole Theriault

It's like two bads make a right.

Graham Cluley

So, not everyone patched. Maybe some people found it a bit suspicious, I don't know.

Carole Theriault

Yeah, it's the most secure of all.

Jessica Barker

They were practicing good security.

Graham Cluley

And so some people never patched and they obviously never noticed the warning, which still exists to this day on Electrum's website saying you've really got to patch because we've got a serious flaw. And one of the people who never noticed this warning on their website was this anonymous user. And he posted on this GitHub thread. He said, I had 1,400 bitcoins in a wallet that I hadn't accessed since 2017. And I think there's probably quite a few people who bought bitcoins back in 2017, maybe when bitcoin was at the real high point of $20,000 or so, and then the price plummeted and they're thinking, oh crumbs, what am I gonna do? And some now it's at about $12,000, maybe think, well, maybe I should just cut my losses. You know, maybe I should sell now or something, get some of that money back.

Carole Theriault

I don't, you think most people use bitcoin for extra funds or do you think people actually have all their money in that?

Graham Cluley

I think some people were so carried away with all the hype. Just listen to the Missing Crypto Queen podcast. You know, there have been lots of people who've been scammed into thinking this is a way to get rich quick. And people have thought that they've heard all the amazing stories of people who made millions and millions through cryptocurrency, and they think that they can do it too.

Carole Theriault

Have either of you become millionaires on bitcoin?

Graham Cluley

No.

Jessica Barker

Well, I mean, that would be telling. I'm following your lead.

Carole Theriault

That's smart.

Graham Cluley

At the moment, HMRC investigating both of you and not me, 'cause I very clearly said, no, no, no, not me. So this chap said that he installed an old version of the Electrum wallet to try and access his funds, and he wanted to transfer about 1 bitcoin, so around about £11,000 or whatever. And it was at that point he was unable to proceed, and a popup appeared saying, you have to update your security prior to being able to transfer your funds. And of course, he hadn't used anything since 2017. He hadn't tried to access his funds, so he thought that was completely legitimate. And bam, that's when the bad guys ransacked his wallet using the information he gave them. They stole 1,400 bitcoins worth a stonking $16 million.

Carole Theriault

So they obviously knew that he had bitcoin, or do you think they were just— No, no. He wasn't being targeted at all.

Graham Cluley

It was just because he was using an old vulnerable version of the software, which meant that they were basically lying in wait and able to exploit it.

Carole Theriault

Well, it's worth it for $16 mil.

Jessica Barker

Big payday.

Carole Theriault

Yeah, not bad for a day's work, right guys?

Graham Cluley

But, but don't you think they should have waited until the end of the year when each bitcoin is going to be worth $1 million? That would have meant those bitcoins would have been worth at least $1.4 billion.

Carole Theriault

Graham.

Graham Cluley

Graham.

Carole Theriault

I don't think everyone puts John McAfee's predictions at the top of their list as, you know, a fait accompli.

Jessica Barker

Maybe they're not following him on Twitter and they just, you know, miss the news.

Graham Cluley

Yeah.

Jessica Barker

They'll listen to this and think, "Shucks.

Graham Cluley

If only I'd known." Well, bad guys are thought to have used the same flaw to steal $25 million since the flaw first existed in this software. So they are doing quite nicely out of it. Now, there's a little bit of good news because the folks at Binance, the cryptocurrency exchange—

Carole Theriault

Binance.

Graham Cluley

Oh, yeah. Okay. The folks at Binance, the cryptocurrency— are we sure about that now? Are we definite about that? I don't know. They jumped in because the funds were transferred from this guy's account into an account which was held on Binance, right? And so they blacklisted those addresses used by the bad guys. And so that money is now frozen, but—

Carole Theriault

So it's like an escrow.

Graham Cluley

Oh, I don't know. I don't know enough about that.

Carole Theriault

That's where your money goes, you know, before you buy a house and, you know, before the house— Yeah, I'm not sure about that. The money's kind of locked away.

Graham Cluley

I think what they've done is they've locked those wallets so no one can access them any longer.

Carole Theriault

Yeah. But unfortunately, that doesn't mean that the victim gets his money back. It's locked away.

Jessica Barker

So that means it's just in limbo? No, it's never going to be released?

Graham Cluley

It's just like fairy dust, I suppose. It's just— and I imagine, hey, that probably helps the price of bitcoin as well, because some of it's been taken out of circulation as a consequence.

Jessica Barker

Schrödinger's bitcoin.

Graham Cluley

Horrendous. So what can we learn from this, folks? What can we learn? Well, I guess if you're installing software, make sure that you're installing the latest version and pay attention to any warnings on websites, which are telling you to be wary of old versions because of vulnerabilities.

Jessica Barker

Patch.

Graham Cluley

Yeah, patch.

Carole Theriault

But he hadn't visited since 2017, so he had the old software.

Graham Cluley

Yeah. Yeah.

Carole Theriault

Lame.

Graham Cluley

There we go. Well, there's the advice from Carole. You can weigh that up versus the advice from the esteemed antivirus industry veteran that is John McAfee and make your own choices. We're not going to give you investment advice here. Jessica, what story have you got for us this week?

Jessica Barker

Well, the security industry, as we all know, has an unfortunate tradition or temptation to refer to people as the weakest link, despite lots of examples of people actually being the strongest link. But sometimes people being the strongest link doesn't make the news. And yet this week we have seen an example of an insider at an organisation being the strongest link, and it did make headline news. This was a news story I first read about thanks to a contact of mine on LinkedIn, Martin Fell, who pointed me towards an article by Matthew Schwartz, about an insider at Tesla. So, the term insider usually evokes negative connotations, doesn't it?

Carole Theriault

Yeah.

Jessica Barker

But not in this case. And so, maybe it's time we gave the term insider a bit of an image change. So, let me tell you what apparently happened. It's a very interesting story. A Russian chap named Igor Egorovich Kriuchkov. I hope my Russian has not offended anyone there. It's my best attempt. This chap was arrested in LA on the 22nd of August, accused of attempting to recruit an employee at Tesla, seeking to bribe that employee with $1 million to install some customised malware on Tesla's computer systems.

Graham Cluley

Oh!

Jessica Barker

Whoa! And this was an attempt to exfiltrate data, and a gang behind the attack, which, you know, Igor was acting apparently on this gang's behalf. This gang was apparently going to use the data that they stole to make Tesla pay a ransom, allegedly of $4 million.

Carole Theriault

That's what they told this guy, the insider rebranded.

Jessica Barker

I think so. Or certainly they told him about another attack on another organization where they'd made $4 million. So I'm not sure quite what they told him, but these are the details that have emerged.

Carole Theriault

I can see that though, right? It's $1 million for you, $4 million from them. Boom, boom, boom, rock and roll.

Graham Cluley

This is something we're seeing is that organizations are getting targeted by criminal gangs who are sometimes deploying ransomware and encrypting lots of data on people's networks, but they're also exfiltrating the data and then basically holding it to ransom saying, unless you do something about this, we're going to release it to the press, we're going to publish it online, you're going to have a huge data breach, it's going to be mightily embarrassing for your organization, so you better pay up. Exactly. But in this case, they've actually approached an employee to get them to plant the thing rather than send a phishing email or something.

Carole Theriault

I think we're seeing that more and more, Cluley.

Jessica Barker

I think it's something that we've known this has happened for a long time, but we're hearing about it publicly a little bit more. And in this case, the employee reported what was happening to management at Tesla.

Carole Theriault

So he just was like, "Okay, sure, tell me more." Exactly. Collected loads of information.

Jessica Barker

Exactly.

Carole Theriault

And then went back to his boss and went, "You won't believe the lunchtime I just had." And I'll give you more details if you pay me $1.5 million. Only you'd think of that.

Jessica Barker

I sure hope this employee has got a nice bonus. I think they've earned it because not only did they go to management, tell them what was happening, but then when management at Tesla— this was apparently at Tesla— and when management got involved, they of course called the FBI. And then this insider served as what's known as a confidential human source for the FBI. So, basically gathered, recorded more incriminating conversations, got the evidence needed.

Graham Cluley

Oh, I would love that! Wouldn't that be wonderful?

Jessica Barker

This is a film. This has got to go on to be a film, surely. And it does seem that the insider was first approached by Kriuchkov via WhatsApp, was introduced through a mutual acquaintance. I believe the employee is also Russian, so a mutual acquaintance introduced them.

Carole Theriault

This does suggest to me this is quite a well-run operation, not only because the employee said no. I'd assume 99% of people would say, "Yeah, you got the wrong person. I'm not that guy or that girl." But the fact that they also go and report it, and that the company also backs them up and helps them work with the FBI and doesn't make their life hell, I can imagine many institutions, it would be hellish.

Jessica Barker

Yeah, yeah. And I've certainly heard of cases before, or cases where an employee has been the victim of a phish, and then the first thing the organization does is assume that they were involved, assume that they were an insider. So, I mean, it's a fascinating case.

Graham Cluley

So this insider at Tesla, they actually met the alleged bad guy in this instance, it wasn't just via WhatsApp, but there was actually an in-person meeting as well.

Jessica Barker

Yes, yes, indeed. So it seems that Kriuchkov flew out to the States, and I believe they met in person quite a few times. And so the employee, who obviously hasn't been named, was able to gather these recordings.

Graham Cluley

And they would have been wired up by the FBI to record things. Oh, it'd be very exciting. There'd be someone on the next table pretending to be a diner, and in fact they're an FBI person. In their black sunglasses.

Jessica Barker

Directional mics hidden in pens and—

Graham Cluley

Oh, I like the way you're thinking.

Carole Theriault

Do you remember when I showed you how to look at someone without looking at someone?

Graham Cluley

Yes.

Carole Theriault

Do you remember how to do it? Can you explain it to Jessica?

Graham Cluley

On a podcast? Yeah. Is it possible to explain this audibly, Carole, rather than—

Carole Theriault

I don't know.

Jessica Barker

We'll find out.

Graham Cluley

We'll find out. Okay, so what Carole's suggesting is, this happened to us when we were at a very swanky restaurant. And there was someone who Carole was, 'Look at that, look at that person over there, look at that person over there.' And you know when you don't want to very obviously look at someone? So Carole explained that what you do is you kind of swivel. You go past the person as though— I'm now swivelling away. Why am I swivelling? I'm actually swivelling now. I'm actually swivelling now. No, you don't need to do that, Graham. So what you do is you sort of, you go further than the person. You pretend to be—

Carole Theriault

You're supposed to use the clock. It works way better.

Graham Cluley

Right.

Carole Theriault

So you imagine you're at 12 o'clock.

Jessica Barker

Yes.

Carole Theriault

Right. They're sitting at 4 o'clock.

Graham Cluley

Okay.

Carole Theriault

You swivel all the way to 7 o'clock.

Graham Cluley

Yes.

Carole Theriault

And then back to 4 o'clock, having two quick views of that person. Right. And therefore commit to them.

Graham Cluley

Because you're kind of looking at a corner of the restaurant thinking, oh, very nice. And then you go, vroom, and you go past them.

Jessica Barker

Very smart. That's some good spying skills.

Graham Cluley

If you ever see me and Carole doing that in a restaurant, you know that we're secretly spying on you.

Carole Theriault

Well, they'll never know because it's that subtle.

Graham Cluley

So Igor reached out to the unnamed Tesla employee via WhatsApp. Do you think it would have been more successful if they'd reached out via something like Tinder? So if it'd been Svetlana rather than Igor approaching Boris, and so there was an opportunity for a little bit of hanky-panky as well, some sort of flirty phishing going on there. Do you think that might have been more of a lure for the person?

Carole Theriault

I'm not sure why you have to change the sexes for that to happen.

Graham Cluley

You really gotta go with the times, Cluley. Okay, sorry, yes, all right. I suppose it depends, whatever you're up for.

Jessica Barker

Exactly.

Graham Cluley

Yeah, okay. It's just my little fantasy. I've always wanted to be seduced by—

Carole Theriault

An Igor. Well, he's always wanted to be seduced.

Graham Cluley

Just an Eastern European spy. You know, I've always liked to imagine that my wife, although she appears to come from the West, might actually be deep, deep undercover.

Jessica Barker

Well, when you write this up, you know, as a screenplay, you can add a few extra dimensions, Graham. Looking forward to it.

Graham Cluley

I wonder how they handle the handing out of the cash afterwards. I mean, can you be guaranteed you're going to get $1 million if you did something like this?

Jessica Barker

I wondered this as well, you know? Does he take it off?

Graham Cluley

Because these guys are criminals, right?

Carole Theriault

Yeah, who are you going to complain to?

Graham Cluley

Right?

Carole Theriault

I tried to bring down Tesla. I failed. They promised me a million quid, never got it. Can you go after them, please?

Jessica Barker

What are you going to do, right? And the article that I mentioned does break down some of the finances. Apparently, the idea was that a million would go to the insider. $2 million would go to the crime gang boss, don't know who that is, obviously, and then $250,000 would be paid to the individual who created and customized the malware, and then the rest would go to the gang's associates. So, I mean, the insider gets a tasty cut of it if they actually do get their cut.

Carole Theriault

So does the creator of the bespoke malware. Jeez, that's a house payment. You know, I mean, that's like a— you buy a house for that.

Jessica Barker

It's a lucrative endeavor, isn't it? If they had got their $4 million, or even maybe more, maybe.

Carole Theriault

Yeah, but JLo's got me.

Graham Cluley

Hang on, JLo was involved?

Carole Theriault

She just makes more cash for sure.

Graham Cluley

Jenny from the Block.

Carole Theriault

Yeah, yeah, she don't care about the size of a rock. Exactly.

Graham Cluley

I can't remember the words. I bet Jess— no, Jess isn't into all that.

Carole Theriault

Whoa, you know she is.

Graham Cluley

She talked before about hip-hop and rap and— That's not hip-hop or rap. No, but Jenny, JLo is down with— I'm not talking about Jennifer Aniston.

Carole Theriault

I'm talking about Jennifer Lopez. Well, we are, as I said earlier, taking to the skies because on Monday this week, the Federal Aviation Administration, FAA, told us they had issued a Stop ticking. Stop ticking. Part 135 air carrier certificate to Amazon's fleet of drones.

Graham Cluley

What on earth does that mean?

Carole Theriault

It means that they will be able to fly if they can meet certain stipulations.

Graham Cluley

Oh my goodness.

Carole Theriault

And this is all in the name of commercial everythingism, right? Improved package deliveries.

Graham Cluley

No, what this is, is all in the aim of Skynet. This is the end of time. I've seen Terminator. This is how it all starts, is with Amazon deliveries. Carole, what have you got for us this week?

Carole Theriault

Oh, this is a perfect story for you. You're going to have so many ideas.

Graham Cluley

Am I?

Carole Theriault

Yeah, yeah, yeah. But first, do you want to guess what the Amazon fleet of drones might be called?

Jessica Barker

Skyweb?

Carole Theriault

That's good, but think Amazon terms.

Graham Cluley

There's a river, there's a forest, there's a canopy. Canopy?

Carole Theriault

The company.

Graham Cluley

Oh, Jesus.

Carole Theriault

Okay. Prime Air, of course. Now, according to the New York Times, the company said it was required to submit evidence of the safety of its operations and to demonstrate those operations for the FAA. And a VP of the company said, quote, we would work closely with the FAA and other regulators around the world to realize our vision of 30-minute delivery. 30 minutes. Now, this is where I need your help.

Graham Cluley

It's a bit lazy of them, isn't it?

Carole Theriault

Couldn't they do it quicker than that? Can you give me a scenario in your day-to-day life where this might prove very beneficial or necessary?

Graham Cluley

Condoms. Condoms, definitely.

Carole Theriault

Condoms.

Graham Cluley

Okay.

Carole Theriault

Yeah, that's a good point.

Graham Cluley

You haven't got one and you really need one.

Carole Theriault

Yeah, cling film won't cut it.

Graham Cluley

Exactly.

Carole Theriault

Exactly. You have Ziplocs.

Graham Cluley

Yeah.

Carole Theriault

Okay.

Graham Cluley

Bandages if you cut yourself. I got—

Carole Theriault

You might bleed to death in 30 minutes, depends where you're—

Graham Cluley

Yeah, depends.

Carole Theriault

You know not to remove the knife if you get stabbed, right, Clue?

Graham Cluley

Oh, is that right?

Carole Theriault

Yeah, yeah, seriously, I'm not kidding. If you stab yourself, leave the knife in there, put pressure around it, call 911. No, not 911, call 999. 911 is not going to work for you. Okay, now Amazon is not the first company to have their drones certified by the FAA. First came Wing Aviation, which is owned by Google's parent company, Alphabet, and UPS Flight Forward. Not as catchy a name there, but neither of the companies have implemented drone delivery widely. Amazon seems to be the one to watch for the commercialization of the drone.

Graham Cluley

Mm-hmm. Okay.

Carole Theriault

Now, the last I heard, I don't know about you guys, but last I heard drones are kind of the bane of FAA's life because, you know, you have all these yahoos flying incompetently around neighborhoods at night, all to look at Mrs. Conway's baps or something.

Graham Cluley

So what? Sorry, who?

Carole Theriault

She's baking.

Graham Cluley

Kellyanne Conway. What would you— It's this thing I hadn't heard about.

Carole Theriault

What are you talking about? But it could be that the FAA seems to actually be on board with this drone tech now. So they've apparently just donated $7.5 million in grants to universities for research on the safe integration of drones into our national airspace.

Graham Cluley

So this is for 30-minute delivery. Is that really necessary? Is that what's driving this, is the need to deliver things faster? Because it's pretty astonishing right now here in the UK, if I order something on Amazon, it will arrive the next day. I mean, sometimes even arrives the same day, you know, late at night, but— Which is astonishing. You do live in the UK where the Amazon fleet office is probably what, 45 minutes from your door. I don't know.

Carole Theriault

Okay, it's drone fact time, everybody.

Graham Cluley

Yes, exactly. So the commercial drone market is expected to reach $6.3 billion by 2026. So in 5.5 years, that's big money.

Carole Theriault

About 10 bitcoins by the end of the year, yes?

Graham Cluley

Yeah, the most common type of waiver being approved by the FAA is nighttime operation.

Carole Theriault

Oh, so they're mostly going to be flying at night, are they? It's condoms again.

Graham Cluley

It's condoms.

Jessica Barker

So is this for a 30-minute delivery at 3 AM?

Carole Theriault

These are just drone facts for commercial drones. Yeah. And 50% of airspace authorizations were approved for controlled airspace. So that means out of every 2 people that ask for authorization, 1 gets it, which is pretty high. The company that's the biggest in the market for drones is DJI. They own nearly 80% of the market in the United States.

Graham Cluley

Yes, I've heard of them.

Carole Theriault

Oh, have you?

Graham Cluley

Interesting. They do the Mavic drone, don't they? Aren't they a Chinese company? Is that right?

Carole Theriault

Probably. I don't know.

Graham Cluley

Every company is, let's face it. So yeah.

Carole Theriault

Okay, so this of course is the Smashing Security podcast, so we should foray into the security areas, shall we, chums?

Graham Cluley

Okay.

Carole Theriault

So what issues might you foreshadow when thinking of the dawn of the drone? Is there anything that you see this is gonna not be good?

Jessica Barker

Hacked drones, obviously, you know?

Graham Cluley

Yeah.

Carole Theriault

Yeah.

Graham Cluley

Well, I can also think of drone robbery. So you might want to send a denial of service attack to a drone while it goes over your house, and you can pick up all the deliveries. Yep.

Carole Theriault

Could you do— Do you think you could do Wi-Fi jamming, Graham?

Graham Cluley

If a drone was going over my house.

Carole Theriault

Could you hijack it by sending a deauthentication process?

Graham Cluley

Yes, that's exactly it.

Carole Theriault

And then jam the intended drone frequency?

Graham Cluley

You've taken the words out of my mouth.

Carole Theriault

All you need is a Raspberry Pi, apparently.

Graham Cluley

Yeah, I would think, yeah, I'd use one of those.

Carole Theriault

So yeah, you could totally do data interference interception. This is based on a number of drone research papers, which I have linked in the show notes. Also the idea of privacy, right? Drones can basically give any viewer of the content that drone is collecting the bird's eye view of anything whenever it decides to be activated or used, right?

Jessica Barker

Yeah, it's observational. I mean, when you're out in your garden.

Carole Theriault

Exactly.

Jessica Barker

Minding your own business.

Graham Cluley

If Mrs. Conway is sunbathing.

Carole Theriault

Yeah, yeah, exactly. Fermenting her baps.

Graham Cluley

Please.

Carole Theriault

Okay.

Graham Cluley

But the thing is— Carry on.

Carole Theriault

Carry on, drone. Yeah, I'm going to drone on. The thing is, drones are apparently proving to be actually quite life-changing outside the commercial realm.

Graham Cluley

All right.

Carole Theriault

So they provide healthcare deliveries in Rwanda. So you have really steep hills and poor roads. And if you need to get emergency blood to the hospital up there, it takes hours. With a drone, 30 minutes.

Graham Cluley

Right.

Carole Theriault

And in Mongolia, they use it to monitor endangered vultures just to make sure the population is healthy. They are using drones to map industrial emissions so that we can hold people accountable if they're not following the rules. Farmers can assess their crops and help plant seeds and seedlings. And the coolest one is pipeline inspections, but not just oil or gas, but water. So water goes through huge pipelines via the desert. And rather than having to have people actually go out and check it, you can actually have infrared cameras on drones that can see water leakages in the hot desert and be able to isolate and tell them where it is. Which is pretty amazing. So drones are cool as long as they're used ethically.

Jessica Barker

Like any technology, isn't it? It's what you use it for.

Graham Cluley

Yeah. What do you think of people who sort of have drones for their own personal use, like these vloggers and YouTubers? Are you in favour of everyone setting their drones off and up into the sky?

Carole Theriault

No, I don't know. If I had a drone over my house, I would not be happy.

Graham Cluley

Yeah.

Carole Theriault

I think I've actually wanted to get a baseball bat for that, but of course they can fly a lot higher than that.

Graham Cluley

We have a near neighbour who has a drone, which upsets my wife mightily.

Jessica Barker

Yeah. Because she suspects it might be spying. They're a rather odd couple.

Carole Theriault

Make sure she raises her baps indoors. That's all I got to say about that.

Jessica Barker

It's those privacy concerns that Carole mentioned isn't it? If you've got drone flying over your back garden, it just feels intrusive.

Carole Theriault

I would hate it. I would hate it.

Graham Cluley

Yeah. Anyway, there you go. There's my story on drones. Yes.

Carole Theriault

Get down with the drones people. Seriously, from developers to engineers to support personnel to operators to securing devices to policy creators, I think this is a huge job market ready to take off. So it'd be a good place to get in early. Because they're here to stay. I mean, this is a new— Oh, yeah. Going to agriculture, going to retail, going to industry. So, it doesn't matter what area you are focused on already, this is something that's going to come in and they're going to need that kind of, you know, that bridging between the two industries, between how do you get drones to work safely and securely and effectively within this industry or this market or this company.

Jessica Barker

That's so true. I wonder how many schools and universities are talking to young people about drone careers. Yep. Well, you've heard it here first.

Graham Cluley

My goodness.

Carole Theriault

Who could have predicted where we'd find ourselves in September of 2020? So many of us now working from home for the first time, IT administrators as well as employees. So if you want to make everyone's life a little bit safer, look into LastPass. For admins, you get a centralized dashboard to administer all the integrations and the policies and the reporting. Plus you get a vault for every single user. And users, you have these cool functions like autosave and autofill, or organizing notes and documents, or helping you manage your work and personal life separately. It's a pretty cool piece of software.

Graham Cluley

Ransomware.

Carole Theriault

Check it out at smashingsecurity.com/lastpass. And remember, home users, you can use it at home for free. More info at smashingsecurity.com/lastpass.

Graham Cluley

Attacks and breaches are sadly a fact of life. They happen. What's most important is how well your organization responds, and technology isn't really enough. Your staff must be ready too. Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats. Check out their free ebook all about the MITRE ATT&CK framework and how you can use it as a part of your cyber skills strategy and improve your security posture by identifying weaknesses. Go to immersive-labs.com/smashing right now to download your free ebook. That's immersive-labs.com/smashing. And welcome back. Can you join us on our favorite part of the show? The part of the show that we call Pick of the Week.

Carole Theriault

Pick of the Week.

Jessica Barker

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Now, my Pick of the Week this week is not security related. We are coming to the end of the school summer holidays, and as people will know if they've been listening to the show, I've been recommending lots of games, both board games and computer games, which I've been playing with my son.

Carole Theriault

And I'm guessing none are sticking, right? In imagination. No, no, no, we like a variety. Okay.

Graham Cluley

We're enjoying. It is available, I believe, for the PC. I believe you can get it via Steam, but we have it on the Nintendo Switch, and it is called the Heave Ho game. And it's one of these party games. You can play it on your own, or you can play it with a party of people, and it's quite hilarious. So, imagine, if you will, that you are an orangutan. And you know how orangutans have those long arms, or chimpanzees, or something like that, and they're sort of going from branch to branch, grabbing hold, and then they swing, and then they grab with the other arm. Well, this Heave Ho game is a bit like this. You are a blob, and you're trying to get from one place to another, and you have sticky hands, and you can grab hold of things and swing on a rope or swing on a platform and then grab something else with your other hand. And if you're playing with more than one person, you can create a chain. And then, of course, you're reliant on someone. Don't let go of your right hand, right? Because everyone's hanging off it, and you're swinging back and forth, and then you let go of your left hand, and you may send them spiraling over to your intended destination.

Carole Theriault

I'm not sure this is a very good game to be advocating right now, Graham, during this—

Graham Cluley

Why is that?

Carole Theriault

—frickin' global pandemic. Oh, because hand-holding?

Graham Cluley

Yes, sticky hand-holding.

Carole Theriault

This is really not on.

Jessica Barker

But virtual.

Carole Theriault

Kids are about to go back to school. You should be teaching him to wash his hands, not celebrating sticky hands.

Graham Cluley

The graphics are fairly rudimentary, elementary, but it doesn't matter because it is immense fun. It is created by a crazy French game development group. Have you noticed how many games which are bonkers are French?

Carole Theriault

I know, I love French developers for that. They're the best. Yeah, they're the best.

Graham Cluley

It's Raving Rabbids.

Carole Theriault

Isn't that French?

Graham Cluley

Oh, I think it might have been. I think it may have been. So this game is fairly elementary, hugely enjoyable, especially if you played with a group, because you start blaming each other. It's like, let go, let go. Okay, you hold onto this. I'll hold onto that. Okay. Now on the count of three, on the count of three, we all have to whoop. Okay. And you miss. And it's a lot of fun. And I managed to pick it up for about a fiver because it was on special offer. I think normally it is less than $10 in the Nintendo eStore. I don't know how much it costs on Steam.

Carole Theriault

Graham, I have a question for you actually. I have a game that I would like you and maybe your son to test out for the show. Okay, it's an old game. Did you ever play Oregon Trail?

Graham Cluley

Oh, I've heard of it. I never played it.

Carole Theriault

Apparently it's the way that kids can actually learn American history, and apparently it's amazing and it's fun and you remember it for life. So you should check it out. They have loads of emulators online, and I was going to check it out, but it might be cooler if you and your son do it.

Graham Cluley

It's about pioneers, isn't it? Making sure you don't die.

Carole Theriault

Apparently you can die of hunger if you don't have enough food, and you've got to make sure you talk to the right people and go to the right places. Sounds good.

Graham Cluley

Oh, well, okay. Thank you. Sorry to hijack you. Well, exactly. You've just usurped my fun game to one about trying to survive.

Carole Theriault

It is a pandemic, not sticky hands.

Graham Cluley

Anyway, Heave Ho is the name of my pick of the week.

Carole Theriault

I'm just wondering about the marketing meeting. Do we care? Do we care about the sticky hands? Should we change the whole thing? No! Oh, shut up!

Jessica Barker

It's too late. It's done.

Carole Theriault

It's too late. Get it out the door.

Jessica Barker

Sell it with hand sanitiser.

Graham Cluley

Jess, what is your pick of the week?

Jessica Barker

Well, Graham, you spoke about bitcoin earlier, and so I thought I would bring us full circle with a show about cryptocurrency.

Carole Theriault

Oh, I thought you were going to give away a bitcoin to all our listeners. Kind of.

Jessica Barker

Kind of about cryptocurrency. It's not really, but it sort of is. And this is a show, it's been out for a while, but I have just finished watching it on Amazon and it's called Startup. And it is, it's a great cast. It includes Adam Brody, who finally you forget about him on The O.C. and his character. Eddie Gathegi, who I was not familiar with before Startup, but an absolutely amazing actor, fantastic in this show. Ron Perlman, Martin Freeman, Mira Sorvino, who turns up sort of later on. So, a really pretty good cast, really well-written characters, and it's essentially about a sort of unlikely group of people, small group of people, who kind of stumble into launching a tech startup. And what surprised me is it was actually, it's actually quite a gritty show. So, it tackles corruption, organized crime, racism, sexism, and throughout there's kind of this thread of a critical look at VC-funded tech bro culture. But another fun point is that, of course, they get some of the tech very wrong. So, you have to go in knowing that, expect it, and rather than getting annoyed, just decide that's going to be your little— your Easter eggs is looking out for the, for example, the time where they show an IP address of 285. And of course, we know they don't go past 255, stuff like that.

Carole Theriault

Quite simple stuff. You know, it's funny though, actually, because we all are kind of, we have this romantic idea of startups, right? Which is basically a small company with not much necessarily in terms of experience, getting a wad full of cash and amount of stress to produce really quickly, high caliber, earth-shatteringly amazing software in the shortest amount of time possible. It's, you know, no wonder a lot of them get it wrong and fall over.

Jessica Barker

Absolutely. And one interesting thing, I don't want to give it away. But one interesting thing is the extent to which and the speed by which they monetize it. Like you say, they're given all sorts of money, but do these startups— how many of them actually make money? And how long does it take them to start making money? And how much do they think about that even to begin with? But it brings in loads of other dimensions around social injustice and all sorts of other things. Characters are really well-written. Yeah, I think certainly by the time Ron Perlman comes in, in season 2, you're just absolutely hooked. I love him. He's amazing.

Graham Cluley

Yeah. Was he the guy who was the Beast in Beauty and the Beast with Linda Hamilton? Do you remember that?

Jessica Barker

I believe he was. I believe he was.

Carole Theriault

That was with makeup though, Kuhoo. Oh, okay.

Graham Cluley

Okay. He doesn't look like that still. Jeez. Crow, what's your pick of the week?

Carole Theriault

Pick of the week. So my pick of the week— I'm just talking slowly because I'm scrolling— because a podcast, it's an audio drama, Graham, your favorite. But I think you would like this one. Do you really? No, seriously, seriously, audio drama. Oh, let me just give you a little, a little 5-second, high-level what's going on, and then you can ask any questions you like, okay? Okay, but I think you're gonna like it. So this is, not a new podcast, although it's a very, very good one. It was published in the before times, 2017. Remember then when we cared about things like Brexit? Anyway, here's the storyline. So 14-part story of Dakota Prentiss, okay, and Matt Salem, two government employees guarding the biggest secret in the world: crashed UFO. Dakota, or Dak, the security chief— oh, it's security related, right?

Graham Cluley

Stop the show.

Jessica Barker

"Cancel everything." "Eh, eh, eh." "You thought we wouldn't notice."

Carole Theriault

"You thought we wouldn't notice." She's like a security chief, and it's Matt's first day at the facility. So, you kind of get walked around with Matt, and you kind of get to understand how it all works. And what I love about this podcast so much is the ease with which Dak, the main character, jumps between conversations with other characters around and her own secret brain farts. So, she literally will kind of go, "God, I hate this guy," and then go right back to the conversation. But you can totally tell when she's doing one and the other, and I don't know how that happens. It's just brilliant. Anyway, it kind of is a Battlestar Galactica. Oh yeah. You know, did you watch that, Jess?

Jessica Barker

Oh, I love Battlestar Galactica.

Carole Theriault

Me too. Me too. And Dak is just a great strong character. She reminded me a bit of the Starbuck character. So that may be something. And honestly, one of the best audio drama pods I've heard in a long, long time. I was literally at one point, there's tension moments, and I was literally all clenched up going, what's the name of this crew? Steal the Stars. Yeah, and it ends very clearly and definitely. So it's not like it kind of leaves you on like Battlestar did and go, ah, she's alive again. Oh, is that another spoiler? Oh please, let's not do that. But trust me, trust me, trust me, it's awesome radio drama. Check it out. Steal the Stars by Tor Labs, and links in the show notes.

Jessica Barker

Nice. Well, we're all waiting for the aliens in 2020. That's what's next, surely. So it seems quite apt even though you said it was a while ago.

Graham Cluley

Yes, I think they might already be here.

Jessica Barker

Yes. Good point. Good point.

Graham Cluley

And that just about wraps it up for this week. Jessica, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

Jessica Barker

You can find me on Twitter @DrJessicaBarker. Also check out our Sci-Genta website, sci-genta.co.uk, and our blog site, blog.sci-genta.co.uk. And finally, I may have mentioned I have a book coming out soon. It's called Confident Cybersecurity, published by Kogan Page, and you can find out more at confidentcyber.com.

Graham Cluley

Very cool. And you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G, and you can also join our subreddit. Just look for Smashing Security up on Reddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app. Such as Apple Podcasts, Overcast, Spotify, or Pocket Casts.

Carole Theriault

And socially responsible winks to you all for listening, supporting the show via Patreon, and sharing this podcast with your people. Also, high five to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.

Graham Cluley

Until next time, cheerio.

Jessica Barker

Bye-bye. Bye-bye.

Carole Theriault

Bye. Boom! In the bag.

EPISODE DESCRIPTION:

A Bitcoin bungle causes one user to lose millions, hackers attempt to bribe a Tesla employee into infecting the company's network, and are we ready for a sky full of drones?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Visit https://www.smashingsecurity.com/194 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Jessica Barker.
