What can X Æ A-12 Musk teach us about passwords? How did our guest finally hunt down the man behind one of history's biggest virus outbreaks in Manila? And what on earth is a hacker doing breaching Roblox security?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
Visit https://www.smashingsecurity.com/177 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Geoff White.
Sponsored By:
- DomainTools: Join our friends at DomainTools for a webinar as they walk you through the process of identifying a nefarious domain, mapping connected infrastructure, and reverse-engineering a ransomware attack which used a Coronavirus disguise.
- Learn more about how DomainTools helps security analysts turn threat data into threat intelligence and watch the webinar at domaintools.com/smashing
- Oracle: Build, test, and deploy applications on Oracle Cloud - for free.
- Sign up at smashingsecurity.com/oracle and you'll soon be building, testing and deploying cloud applications securely with Oracle.
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Vote for Smashing Security in the EU Security Blogger Awards!
- Graham Cluley on Earworm Island — Earworm Island podcast.
- Carole Theriault on Earworm Island — Earworm Island podcast.
- Elon Musk tweets a photo of his newborn child — Twitter.
- World Password Day — Days of the year.
- Grimes explains the baby's name — Twitter.
- Don’t Make These 5 Password FAILS! (But Do Notch These 2 Password Wins) — ID Agent.
- Love Bug Virus Creator Comes Clean — Geoff White.
- Memories of the Melissa virus — Naked Security.
- Roblox — Wikipedia.
- What is Roblox? — Digital Trends.
- Hacker Bribed 'Roblox' Insider to Access User Data — Motherboard.
- I'm Officially RICHER Than ROBLOX!! (WORLD RECORD BROKEN) — Linkmon99 on YouTube.
- WM97/Michael-B virus analysis — Sophos.
- Bookcase Credibility — @BCredibility on Twitter.
- Five Minutes With: Brian Sewell — YouTube. So you can see how good Graham's impression is.
- Syncplay.
- Netflix Party.
- Whole Chicken in a Can — Ashens on YouTube.
- Poundland Food Special - All Day Breakfast — Ashens on YouTube.
- MRE & Ration Reviews — YouTube. A man experiencing and reviewing military rations from 1863-current day.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Newsflash!
CAROLE THERIAULT. Newsflash!
GRAHAM CLULEY. Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast. Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote.
CAROLE THERIAULT. Now, on with the show.
UNKNOWN. Smashing Security, Episode 177: Elon Musk, Roblox, and Lovebug Author Found, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 177. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined this week by returning guest, it's Geoff White. Hello, Geoff.
GEOFF WHITE. Hi, how you doing?
CAROLE THERIAULT. Hello, Geoff.
GRAHAM CLULEY. Hi, Geoff. Good to have you back now. Yes, exactly. So something we need to raise, Geoff, is that as well as doing Cybercrime Investigations, that podcast of yours, you've also launched another podcast, haven't you? Earworm Island.
GEOFF WHITE. Yes.
GRAHAM CLULEY. Maybe you can tell our listeners who might not have heard Earworm Island, what's the premise of Earworm Island?
GEOFF WHITE. It's quite simple. So basically each week the guest gets to send their worst enemy to a desert island with the 4 most terrible records ever made and a completely useless object. That's pretty much it. Similar to other desert-based radio programmes you may have heard.
GRAHAM CLULEY. Now, so I was fortunate enough to be the first guest on Earworm Island.
GEOFF WHITE. You were a great guest too.
GRAHAM CLULEY. Thank you very much. You were a wonderful host. And I took along, of course, celebrity popera quadruplet, Il Divo is who I sent. And then apparently you also spoke to Rik Ferguson, who we had on Smashing Security last week.
CAROLE THERIAULT. I know, that was so weird how we slalomed through that.
GEOFF WHITE. That was—
CAROLE THERIAULT. I didn't know that he was going on your show.
GRAHAM CLULEY. I think Rik has basically become a podcast tart. And then your next guest was—
GEOFF WHITE. It was Carole, yes.
GRAHAM CLULEY. Yeah. Yeah, Carole.
GEOFF WHITE. Well, I should say, I don't dictate, you know, what the guests do on the show. They just come on.
GRAHAM CLULEY. So that's what I wanted to raise, because—
CAROLE THERIAULT. What's your problem, Graham? Geoff, are you happy with the episode?
GEOFF WHITE. Oh yeah, yeah, yeah, yeah. They've all been fantastic.
CAROLE THERIAULT. I was happy too.
GEOFF WHITE. Yeah.
GRAHAM CLULEY. So, Carole, you're the person you wanted to confine on this desert island and inflict pain on with some of the worst records ever.
CAROLE THERIAULT. No, no, no.
GRAHAM CLULEY. That was who exactly?
CAROLE THERIAULT. The person I wanted to help improve was you.
GRAHAM CLULEY. Yes. And I didn't know you were going to do that, did I?
CAROLE THERIAULT. No.
GRAHAM CLULEY. That was something of a surprise for me.
GEOFF WHITE. You could have got there first, Graham, I have to say.
CAROLE THERIAULT. It's just—
GRAHAM CLULEY. Because you're not evil.
GEOFF WHITE. That's the difference, you see, Geoff.
GRAHAM CLULEY. That's the difference between me and you. Me and my co-host is nasty.
CAROLE THERIAULT. Look, I was doing it as a favor. You say no news is bad news, right? So you like to be in the press. So I just thought, hey, I'll give you another hit. You're welcome.
GEOFF WHITE. Thank you both for coming on. We're all friends now. Yes, totally.
CAROLE THERIAULT. I'm everybody's friend always.
GRAHAM CLULEY. Working on it. Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, thanks to this week's sponsors, Oracle, DomainTools and LastPass. Their support helps us give you this show for free. Now, on today's show, Graham is going to give us a password update. Geoff tracks down a notorious hacker and gets the lowdown, and I'm exploring the world of Roblox and find out how a hacker upset the apple cart. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, amidst all the misery, all the gloom, the pandemic, the dystopian nightmare that we are all living through, we have some happy news. Yes, a child has been born just a few days ago.
CAROLE THERIAULT. I think there's children born quite regularly, Graham.
GRAHAM CLULEY. Not a child like this, because this is a child born of our saviour, the SpaceX and Tesla billionaire Elon Musk, who one day will be packing us off to Mars for the safety of humanity. Just a few days ago, he was making headlines by calling for the end of lockdown. Did you see him on Twitter?
CAROLE THERIAULT. Oh no, I didn't see that. I didn't see that. I saw that he was trying to sell his house. He was like, I'm going to be— 'Homeless. I'm gonna—' Yes. 'Yeah, I'm not gonna be in a home. No home ownership for me.' That's right.
GRAHAM CLULEY. He wants to sell all his possessions, his mansions. They've been listed online. He's got a $30 million, 7-bedroom, 11-bathroom house in Bel Air.
GEOFF WHITE. I'm always freaked out by houses that have got more bathrooms than bedrooms.
CAROLE THERIAULT. 'Cause isn't that a bit— That's true.
GEOFF WHITE. I don't know if that just implies bowel problems to me.
CAROLE THERIAULT. No, no, but you have a powder room downstairs. And then of course in the gym, you've got a bathroom, and in the cinema room. Oh, that's true.
GRAHAM CLULEY. And also, you might want a his-and-hers bathroom, but you might not want a his-and-hers bedroom. You might want to say, "Oh, sorry, we haven't got a spare bed. You're going to have to share with me." Right? Because all the 6 bedrooms are full.
CAROLE THERIAULT. It's 2020, Graham. I don't think that's how it works anymore.
GRAHAM CLULEY. Jeez. Anyway, he said various things. He also said that Tesla's stock was massively overvalued in his opinion, which sent his share price tanking. Which are not things for him to say, because I remember he's gone a little bit postal before on Twitter and has had no impact on his share price. So much so that he's actually been told the lawyers have to— he has to run any controversial tweets past them. So he can't have done this on this occasion because he went the full McAfee, right? He would never go the full McAfee.
CAROLE THERIAULT. Did he ever go totally apeshit on Twitter? Oh, he always does. Yeah.
GEOFF WHITE. Guess it's context. Well, there was the whole thing around the submarine.
CAROLE THERIAULT. Yes, the submarine thing is the only one that comes to mind for me. I don't follow him, so—
GRAHAM CLULEY. I don't follow him either. I think he quite likes to troll people and act quite bizarrely. Now, I was wondering, why has he done all this? And it's not a presidential bid, although I'm sure that will be coming. I'm sure it's only a matter of time.
CAROLE THERIAULT. I don't know if he'd want all those headaches, all the bureaucracy. I don't think that's his style.
GEOFF WHITE. The power, though. I mean, the power you get as president. I think that— I don't know. I can see it. I can see it. OK, interesting.
GRAHAM CLULEY. He could declare himself Lord Mayor of Mars or something, couldn't he? I mean, if he gets there first. Well, the answer as to why he's acting so peculiarly may be that he's having a little bit of stress at home where he lives with his girlfriend Grimes. Are you familiar with Grimes?
CAROLE THERIAULT. She's a singer or something. She is. Yeah, I know that. I know Grimes.
GRAHAM CLULEY. Now, she's not very happy with some of his tweets. Maybe she has some Tesla stock. She's dating Elon Musk? Oh, for a couple of years, I think.
CAROLE THERIAULT. I didn't know that. See, I don't follow this stuff.
GEOFF WHITE. I'm Googling the photos. Hang on.
GRAHAM CLULEY. So basically we've got Grimes and we've got Musk, which is quite a combination.
CAROLE THERIAULT. They should make a perfume, a scent together. Oh yes.
GEOFF WHITE. It sounds like a house full of cleaning products, doesn't it? Get Grimes. The toughest stains.
GRAHAM CLULEY. Get Musk. Well, that's not the only source of tension, is the share price, because they've just had a flipping baby together. They have had an offspring, a little Musk. Was welcome to planet Earth. It was announced on Monday by Elon, and he posted a picture of his newly born with tiny face tattoos over it. So, which I think had been added via Photoshop. I hope so. Or something like that rather than—
CAROLE THERIAULT. That's his picture? He put those things on his kid?
GRAHAM CLULEY. Well, that is the picture he posted. I can't imagine they've really—
CAROLE THERIAULT. And what does it say? I see savage.
GRAHAM CLULEY. Savage, and there's some sort of weird symbols of a snake and I don't know.
GEOFF WHITE. Also, the look— I mean, the picture, just looking at it, there's the tattoos, but it also looks like it's been sort of Photoshopped to make the look— The eyelashes are upside down. Yeah, the eyelashes and lips are more sumptuous. It looks like the baby's wearing makeup as well as tattoos.
CAROLE THERIAULT. This is weird. So it's not his kid, it's just a kind of—
GRAHAM CLULEY. Who does that? It might be an Instagram filter, maybe. You know how sometimes, you know, like the likes of the Kardashians sort of touch themselves up. Yes. Now, you might be wondering what Musk Minor is going to be named. That's an obvious question. You know, how much is the baby? You know, how does it measure?
CAROLE THERIAULT. Does it weigh? That's exactly what I'm thinking about. I'd love it if it's something really boring.
GEOFF WHITE. Going like, "Kenneth." Yeah. "Kenneth." "Darryl's." Well— This is Elon, this is Grimes, this is Kenneth.
GRAHAM CLULEY. The name is X capital diphthong A-12 Musk. No. So, now according to— So that's what Elon said. And everyone thought, "Oh, he's having a joke." And then Grimes chipped in, and she explained the name.
GEOFF WHITE. Okay, okay, go.
GRAHAM CLULEY. So X, that represents the unknown variable. The capital diphthong, that is a— I think people call it ash or something, that particular character these days. It's the Elven symbol of AI, which can mean love and/or artificial— The Elven? Yes. What does that mean? As in Lord of the Rings. Oh, AI.
CAROLE THERIAULT. Okay, okay, good. So Lord of the Rings with artificial intelligence. Love, artificial intelligence.
GRAHAM CLULEY. Okay, this is deep. Carry on. A-12 is the precursor to the SR-17, of course. That's their favourite aircraft. It doesn't have any weapons, no defences, just speed. Great in battle, but non-violent, she says.
CAROLE THERIAULT. So if they have a second child, they're going to have the second favourite aircraft.
GRAHAM CLULEY. And A equals Archangel, she says, which is her favourite song. So that's the name of the new Musk, which is going to be a challenge, I think, when they fill in the birth certificate. As to whether the form's going to accept it. And now, are you— X for short, so that's what's gonna happen. You might be wondering, why am I bringing this up on Smashing Security?
CAROLE THERIAULT. Yeah, didn't someone complain saying, look, could you just talk a bit more about some security stuff, please?
GRAHAM CLULEY. Well, I think the explanation of this might be that this is actually Elon Musk's tribute to World Password Day, which is today, Thursday the 7th of May. As is every first Thursday in May, is officially World Password Day, when we're all reminded how important passwords are and about password security. Every month? No, the first Thursday in May.
CAROLE THERIAULT. The first Thursday in May. So every year we have a World Password Day. Okay, great.
GRAHAM CLULEY. That has been the case since 2013. This initiative was all started by Intel. They created a website called passwordday.org and launched it on Thursday, the 7th of May in 2013. And they continued to promote the event, you know, every year for a few years, and then they got a bit bored of it.
GEOFF WHITE. Well, I still firmly celebrate this every year. So every year I faithfully write my password on a billboard, and I go out down the street with a klaxon. Is that how everybody's supposed to celebrate World Password Day? Make sure you do it with a mask if you're going to do this. Yes, of course. Of course, yes.
GRAHAM CLULEY. Well, I was thinking maybe Elon had actually chosen his child's name with a password manager, because he's got a funny character in there. He's got a mixture of capitals and lowercase. And I thought it's probably fairly unique, I think. I can't imagine there's many more of them out there. And then I thought, well, maybe, you know, people keep on saying that passwords are dead, right? And that passwords are gonna be replaced by something else.
CAROLE THERIAULT. How— sorry, can I interject? Yeah. How is X gonna be able to open any accounts with his name?
GRAHAM CLULEY. I didn't know you're so familiar with them that you could just call them X, girl.
CAROLE THERIAULT. That's— How do you write Ash on a phone? Yep. It's not easy. It's annoying. He's gonna hate his dad. He's gonna hate him.
GEOFF WHITE. Isn't there some rule as well about what you can call a child? Like, I don't think in the UK you can call a child Jesus. Obviously Jesus in Latin American countries you can get. So I think if you tried to register a child as X, I don't know whether you can register that birth with that name. Is that— I don't know.
GRAHAM CLULEY. I don't know what the rules are in the US. I'm sure there are rules in some— I'm surprised you can't call a Baby Jesus in this country? I don't think you can.
GEOFF WHITE. I don't know.
GRAHAM CLULEY. So I said Baby Jesus. I didn't say Baby Cheeses, like Babybel.
CAROLE THERIAULT. You probably could name your kid Baby Cheeses.
GRAHAM CLULEY. Now, a company called ID Agent, for World Password Day, they have been looking through their database of past breached passwords. They went through over 2 billion breached passwords, and they came up with some of the most common ones, right? So lots of people are still using sports teams. This is 2020, and people are still doing this. Apparently, the number 1 sports team or sports slogan is Roll Tide. I don't even know what that means. Yankees, the Steelers, Eagles, and Red Sox. And then people are choosing sports like baseball, football, and soccer. Superheroes. The top superhero or cartoon character is Tigger.
CAROLE THERIAULT. It's probably kids.
GRAHAM CLULEY. Well, maybe, yeah. I mean, I suppose better that they're— Is it better that they're using Tigger and Snoopy than Password? No, no. So how about this, Carole? You're a bit of a muso, right? The top songs and bands. Mm-hmm. The number one apparently is Blink-182.
CAROLE THERIAULT. Oh yeah. Yeah. I was a big Blink— I was a big Blink-182 fan.
GRAHAM CLULEY. Rush, 2-1-1-2, then The Beatles, Blondie. Blondie? Blondie. In this day and— yeah, I know, but in this day and age, would that really be the fourth most common band using puzzles? And the other one which confused me, and I've Googled it, is 867-5309, which apparently is some pop song, something. I don't even— I think it's meant to be a girl's number in a song. It doesn't ring any bells with me. No idea.
CAROLE THERIAULT. You're over 50 though, Graham, so that's good.
GRAHAM CLULEY. That's true, that's true.
GEOFF WHITE. Number 5 most popular. So that's odd, isn't it?
GRAHAM CLULEY. So say ID Agent. And I'm always like, I don't know really. I mean, yeah.
GEOFF WHITE. Oh, by the way, I just Googled the thing with Jesus. I think you can call a kid Jesus in the UK.
GRAHAM CLULEY. Apparently there aren't that many restrictions.
GEOFF WHITE. So I may have been misinformed. Put fake news out there.
CAROLE THERIAULT. Okay. Okay. So what I think this is actually saying is saying of all the passwords we looked at, some of them had sports teams. Here they are, right? Yes. So—
GRAHAM CLULEY. And they've tried to categorize them and come up with a list of them.
CAROLE THERIAULT. Yeah. So I kind of, yeah, I think the list is, 'cause they didn't wanna put out the same news that everyone else puts out, is the number one word is password, and then it's password123, you know? And then it's 123456.
GRAHAM CLULEY. So, I think Elon has maybe given other people a great idea. So, if you haven't already started using some sort of random character generator or a password generator to generate stronger, more unique passwords, just like he's named his child.
CAROLE THERIAULT. Are you suggesting people start naming their kids following his lead?
GRAHAM CLULEY. Well, Carole, it's an approach, isn't it? You know, as we haven't had much success getting people to choose stronger passwords. Maybe if everyone had a crazy user ID. Hey, maybe rather than creating unique passwords for every site, maybe we should all create unique usernames instead. So you have a different username for every single site.
CAROLE THERIAULT. Yeah, that'd be so easy to manage.
GEOFF WHITE. Also, can I just point out, if Graham's onto something here— I'm not. It would be a first. But if Graham's onto something here, hasn't Elon Musk just given everybody his password? Oh, good point. By naming and tweeting. Yeah, well, I think—
GRAHAM CLULEY. I mean, Elon Musk clearly is barking mad, but very rich. And therefore very powerful. And therefore very powerful and potentially very prone to legal action. So let's swiftly move on.
GEOFF WHITE. Geoff, what have you got for us? Well, I've been quite busy this week. Yes, you have, haven't you?
CAROLE THERIAULT. I'm settling in with a cup of tea for this story because I can't wait to hear it.
GRAHAM CLULEY. Tell us why you're in the news, Geoff.
GEOFF WHITE. It's more the story that's in the, you know, the news more than me, but this is the 20th anniversary this week of the Lovebug virus, the I love you letter. And it was 4th of May, 2000, it was launched. You guys must remember. Yes. Oh yeah.
CAROLE THERIAULT. We were working together. We were in like first responders because we were PR, 'cause we had to talk about what we'd done with the labs, how we'd helped defend against it. It was a big deal.
GRAHAM CLULEY. I was in Stockholm that day, actually. I was giving a talk and during a break, lots of people turned on their phones and their phones started bleeping and they came up to me and said, hey, have you heard of a virus which sends love messages? And I said—
GEOFF WHITE. Hadn't you been talking about some love-related virus?
GRAHAM CLULEY. I had, yes. The funny thing was that morning I'd been telling people about funny viruses and I said, oh, there was this virus called No Smoking and what it could sometimes do is send a message, a network broadcast message saying I love you or something, or I'm in love with you. And I was joking about the problems that could cause in the office. So I'd made this joke and then we broke for coffee and things. Everyone's pagers started going off and they said, is that thing, is that in the wild? And I said, oh no, no, no, no, you know, you're not likely to encounter it. And they said, well, we've just been bombarded with love messages. And it was the Lovebug that day.
GEOFF WHITE. I worked for an internet company at the time. I just remember being in the office and people just kept falling for it. Every time you looked up from your desk, there was a new person sort of staring at their computer and kind of phoning IT support. It just, it just went around like wildfire. It's 45 million machines, it's estimated. Yeah, it was huge, it was huge. What was interesting was a lot of the damage it caused was it flooded email servers. So basically you just got inundated with messages because it was a self-replicating worm. So for every person who got hit, it would attempt to send a copy of itself to everybody in their Microsoft Outlook contacts. We call them mass mailers. Mass mailers. So, so interestingly, it was the disconnection of stuff that caused a lot of the disruption, because it wasn't that you got hit by Lovebug necessarily, but you'd had to unplug all of your, you know, your email server. So I find that interesting in that if you look at coronavirus, the period we're in now, a lot of the economic damage is being caused not by the virus itself but by the measures we're having to take to prevent the virus propagating. So I find it's an interesting sort of echo down the line because we've disconnected rather like the Lovebug virus made us disconnect. Exactly, yeah. So anyway, so they traced— so the part is a password-stealing virus as well. It was stealing passwords and it was sending them to an email address. Investigators tracked the email address to Manila. They had a couple of suspects at the time, but there was no law at the time in the Philippines against computer hacking. That's right, I forgot that. Yeah, so they tracked back to an apartment. A couple of people connected with the apartment were computer science students at a local college, notably a guy called Onel de Guzman and a friend of his called Michael Buen.
So, you know, these guys, you know, they did a press conference, people asked them and stuff, but there was no law against hacking. And Onel de Guzman when asked about this, said, "Oh, it's possible maybe I released it by accident, don't know." And then that was it. You know, everybody packed up and there was nothing more could be done.
CAROLE THERIAULT. And the world was screaming blue murder and they were going, "We can't do anything." Yeah.
GRAHAM CLULEY. And for anyone who's listening who wasn't working in IT at the time, because this was 20 years ago, this was the biggest virus outbreak we had ever seen. There'd been nothing like it. And to be honest, there wasn't much quite like it in the years since either. It was one of the biggest outbreaks in history.
GEOFF WHITE. It really set, you know, it set the benchmark. And one of the things I've talked about in the book I'm publishing in August is, you know, that prior to Lovebug, it's not quite as binary, but prior to Lovebug, it was quite difficult to, A, you know, infect lots of people and get a good base of infections, but also it's quite difficult to make money out of that stuff. And I really feel in 2000 that changed. Suddenly it's like, yes, you can infect millions of people, and obviously one of the effects of that is, well, then millions of people can potentially be robbed, defrauded, and so on. So yeah, you're right. I think it really was a sea change. I mean, I've talked about, you know, the world's first global computer virus. There was obviously Melissa before in '99.
CAROLE THERIAULT. That was pretty big at the time. I mean, that was the biggest to date at the time.
GEOFF WHITE. They reckon about a million machines with Melissa, and it certainly didn't generate the kind of headlines.
GRAHAM CLULEY. The Melissa guy, David L. Smith, wrote the Melissa word macro virus. He was in America. Ended up getting caught, given a prison sentence eventually. But with de Guzman, nothing seemed to happen.
GEOFF WHITE. Exactly. So for the book, I wanted to start the book somewhere. I was thinking, where do you start the history of cybercrime if you're going to write about it? And the reason I chose the Love Bug was, A, as you say, it's a massive thing. B, it was my first sort of failed attempt at journalism. I sent a badly written article to The Guardian newspaper and they wrote back and said, we're not going to print your article. And by the way, sending us an email titled Love Bug during the middle of an outbreak called Lovebug isn't exactly the smartest move.
GRAHAM CLULEY. That's quite funny, Geoff. Geoff, I sent out a newsletter this week to my subscribers, and I mentioned the 20th anniversary of the Lovebug, and I called the subject line of my newsletter, because I'm just childish, I said, 'Kindly read the attached newsletter coming from me,' which is a kind of spoof of the message that the Lovebug had sent. And I did get some people coming back to me saying, "I'm not sure I trust this email. I'm not going to open this."
GEOFF WHITE. But the other thing I find fascinating about Lovebug is time, and it's always people opening emails, clicking links. Very often that's the source of the infection. It's still the hacker's number one way in. And if you think of what you need to do to trick people to open the message, the lure that you're going to need, the Lovebug was the best lure ever created because it's got universal appeal. The one thing everybody in the world wants is love. You could not come up with a better lure for an email. It was inspired, absolutely inspired. Yeah. So I thought, I'm going to settle this dilemma. You know, who created Lovebug? There was two people. There was Onel de Guzman and Michael Buen. Michael Buen, as far as I can work out, still in the Philippines, still a coder. He's a very smart guy. He's very witty. And there's some stuff in the Lovebug, some little in-jokes. And I looked at it and I looked at Michael Buen and I thought, you know, he does look like the kind of guy who, you know, might have written it. So I started getting in touch with him, sent him many messages, and he just didn't reply. Onel de Guzman just went underground, never heard of again.
CAROLE THERIAULT. And we don't know why he went underground? Like, we don't know what led to that? He just disappeared?
GEOFF WHITE. He just disappeared, yeah, yeah. There was also gossip that he'd been hired by Microsoft and that he worked in the US and all this stuff. Then there was a little comment, like one comment on a forum, on an internet forum, from somebody who said 'Oh, I think I saw him in a market in Manila. I think he was working in a mobile phone shop.' And they named where the market was. I thought, well, I'm going to the Philippines anyway to research another story. I thought, I'll just go to the market. I'll pop by. I'll pop by. So I looked—
GRAHAM CLULEY. 'Hi, I've got a broken phone.
GEOFF WHITE. Could you fix it for me?' 'I love you.' But this market is like chaos. You can imagine a market in back streets of Manila, and there's dozens of mobile phone shops. And I thought, well, I'm here now, I've done some desperate things, I'm going to do a desperate thing. So I wrote his name on a piece of paper and I literally went around the market showing it to people just in these phone shops. And I was just like— and of course, I, you know, I, I'm taller and lighter skinned than most of the people there. I just look like a tourist dad who'd lost his kids. I was like, hello, have you seen this man?
GRAHAM CLULEY. Oh, so there wasn't a risk that other cybercrime investigators might be at the market, see you holding Onel de Guzman's, and think you were de Guzman.
GEOFF WHITE. I am Onel. But then somebody said, oh yes, I know him, I remember him. I said, really? He said, yeah, yeah, he works at this mall, the shopping mall across town. So I went over there and I go around the mall with my little sign with his name on, and I get to the very back of the mall, like the real cheap bit of the mall, the cheap booths, and somebody says, oh yeah, he works at that booth down there. So I went down there.
GRAHAM CLULEY. Oh my goodness. And I thought, surely not.
GEOFF WHITE. And I go to this booth and there's a guy there and I look, he doesn't look much like Onel de Guzman. And it wasn't him, it was his colleague. And he said, oh yeah, Onel works here, but he'll be back tomorrow, it's his day off. And I was flying out the next day at 7 PM. Hey, it's your time. Yeah, I said, what time do you turn up to work? And he generally turns up about 3 or 4. I was like, oh no. And I just thought, well, he's not going to talk, obviously he's not going to talk to me, I'm a journalist, why on earth would he do that? And B, he's going to turn up late. He's got every opportunity to dodge this interview. But I'm here now. I'm here now. So I spent two days in the shopping mall. I didn't leave. I stayed there. And sure enough, the next day he turns up. And I sat down with him, and I was expecting him to, you know, I was expecting to have to put my evidence to him and, you know, finally force him to. But he just started, he just started talking about it and just admitted it pretty much straight off, to the point where I was so paranoid I thought, well, this must be a wind-up. This can't be the real guy. Right. So I was making notes in my notepad, and I just thought, well, how can I prove this is actually Onel de Guzman? And I noticed he had moles on his face. So I started drawing in my notebook a map of where the moles were. So that later on— So smart! Well, I thought it's got to be something. But to be honest, like, as soon as he started talking about it, there was so much stuff that he knew. He also knew some other people I've been speaking to. So during the course of it, it was an hour's conversation. It became clear. It became clear this was Onel de Guzman. He did create it.
CAROLE THERIAULT. So why would you be surprised that he wouldn't talk, given that I'm presuming he's still safe from imprisonment or from any legal ramifications?
GEOFF WHITE. He feels, yes, he feels that there's no risk of being prosecuted. He said there was a case that I think the ISP that he was using to gather the email addresses, I think they tried to bring a case against him, but that got dropped. It would be stunning after 20 years, I think, if there was an attempt to prosecute him.
CAROLE THERIAULT. Is he proud?
GEOFF WHITE. It's interesting, like a lot of techies who've been caught, he's proud of the code, he's proud of, from a technical point of view, I think, of what he did. Because it was, you know, it was a decent pull-together of the virus potential at the time. He's not proud though, he deeply regrets, you know, the damage that was caused. And he had no idea it was going to go international. He just released it at about 1 in the morning and he sent it to somebody in Singapore. There was a Filipino person in Singapore he says he was chatting to online, so he sent the virus to him. And then Onel de Guzman went out drinking with a mate and just forgot about it.
CAROLE THERIAULT. It is kind of incredible how much disruption two guys caused.
GEOFF WHITE. So just quickly on that front though, I did ask about Michael Buen, the other chap who got— he said he did know Michael, they did write code together, but Michael Buen, according to Onel de Guzman, had nothing to do with the Lovebug virus.
GRAHAM CLULEY. So I can finally settle that. Michael Buen though, he has always won my award for the dumbest virus writer in history because he wrote the WM97 Michael B virus, as we called it at Sophos at the time, which at the end of the month would print out his entire CV and say if you didn't give me a job, he was going to release another virus. And so you had his name, address, and contact details. If only, if only de Guzman had done that, you'd have been able to reach him. Exactly. Yes. Yeah. So you're quite right that the Love Bug caused this huge problem of clogging up email systems. But what's also occurred to me is that the virus stole your dial-up internet passwords. So people used to connect to things like Freeserve and CompuServe and things like that. It would steal those passwords and it emailed them to an address that de Guzman was in control of, presumably. Yeah. As millions and millions of people got infected, didn't that mean that his own email system would have run out of quota?
GEOFF WHITE. Yes, it crashed. There was millions of passwords coming in. So he not only DDoSed the world, he DDoSed himself.
CAROLE THERIAULT. In the process of DDoSing the world. But this was the whole point.
GEOFF WHITE. He basically— his whole point was, look, access to the internet is a human right, which is an interesting and ahead of its time as a viewpoint. I'm poor, I can't get access to the internet. Other people do and can pay for it. So if I can just take their passwords, I can get access to the internet for free.
GRAHAM CLULEY. Geoff, right now I believe toilet paper is a human right. It doesn't mean I'm going around stealing it from everyone.
CAROLE THERIAULT. You don't need to steal it, do you, Graham?
GRAHAM CLULEY. Have you been stockpiling? Well, I can't go into details.
GEOFF WHITE. That's disgusting.
CAROLE THERIAULT. That's all I'm gonna say. I didn't bring that up on Earworm Island. Fess up.
GEOFF WHITE. How many rolls have we all got? I'll start. We currently have 20. Oh, still. Okay.
GRAHAM CLULEY. I don't know. 4? Oh, I see. Okay. Really? I'm getting— Living on the edge. Well— That'll just last you till 7 o'clock tonight, won't it?
CAROLE THERIAULT. If I may, I don't think it's very becoming to walk around with huge bags of toilet paper.
GRAHAM CLULEY. I have a real issue with it. All right, look, we couldn't get any at the supermarket, and so we thought we'd order online. The problem was that where we were ordering online, they weren't going to sell us an individual box. We had to get like a crate. And so— How many's in a crate? So we've got— Look, I don't want to talk about this. Can we please move on? Please, let's move on. Wait, is it above 100?
GEOFF WHITE. Can we just settle it there?
GRAHAM CLULEY. No, I don't think it's above 100.
CAROLE THERIAULT. Okay, I think it is.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, boys, welcome to the world of Roblox. Now, do you— have you guys ever played with this? Your kids, cousins, anything like that?
GRAHAM CLULEY. My son is desperate to play Roblox, but I say that he's too young to do it. But I do know lots of kids who adore it.
GEOFF WHITE. One thing I will say about Roblox is I'm sort of dimly aware of this, but I've been trying to— I was trying to find Twitter accounts for police forces recently. And for some reason in Roblox, it's a virtual environment and there are police forces. And so they've set up Twitter accounts for Roblox police forces, but they're the same as the real police forces. So they have to say, look, this isn't really Manchester Police, this is the Roblox virtual. That is weird.
CAROLE THERIAULT. Oh, digital world and the real world are just mashing together in weird ways. So for those that don't know, Roblox is kind of like Minecraft or Fortnite. In Roblox's case, it's like a massive online game development suite, and it tends to focus on a younger audience. So kids, teens seem to love it, and it allows users to like program games. It's like they have their own language and they can create characters, design really complex, impressive environments from what I saw on YouTube. And they're all programmed in this thing called Roblox Studio. And the main draw of Roblox is that it offers thousands of free user-created games for users to play. And there's 100 million monthly active users. So no small potatoes. There is a lot of action and activity on here. So basically people can also make money on Roblox too, right? They're called Robux and you can get Robux either by paying an online subscription or by creating objects that other people desire and then selling them on. Okay. Much of the content seems to be developed with monetization in mind. So some developers have even become millionaires for flogging their creations. Wow. There's this YouTuber called LinkMon99, and he's well known in the Roblox community for being the richest Roblox player for selling items, items for inline games.
GEOFF WHITE. So if you're playing a game on Roblox, you can go to him and buy something for the game, is that right?
CAROLE THERIAULT. Yeah, so you buy Robux and you go to his section on the Roblox website. There's big catalogs and you go after certain people because they're better or they make certain cool stuff and you then spend your Robux.
GRAHAM CLULEY. So your Robux purchases get converted into real money for Linkmon99 or whatever his name is.
CAROLE THERIAULT. That's right. So then Roblox, the company and the creator both share the cash and the idea is that everyone gets some of that. Yeah. Now, and they seem to do, Roblox as a company, seem to do some good community stuff, like helping with online fundraisers. For example, they've just launched a $2 million fundraiser to support COVID-19 charities. This is UNICEF USA, Code.org, and No Kid Hungry. And the idea is they've created some items, people buy them, and then they'll donate money from those purchases to those three charities. So it all seems good. It's teaching people how to be creative, how to generate money, how to program. And I think it sounded quite cool. So I couldn't help but wonder what the head honchos at Roblox were feeling on May 4th after Motherboard's Joseph Cox published this article. Apparently a hacker tried to bribe a Roblox employee to gain access to the backend customer support panel of Roblox. You think, why would he want that? Why would he want access to that information? So the employee could have said, how dare you, sir? But didn't. Um, apparently the bribe was successful. Oh, so the way it worked is the hacker is said to have first paid an insider to perform a user data lookup, and that info helped the hacker choose his target, a customer support representative. And the hacker provided Motherboard with a series of screenshots showing the alleged communication between them and the insider. And in the, the insider, the, this employee on LinkedIn, the worker is listed as having worked as an in-game support contractor for Roblox. So again, LinkedIn is used as a treasure trove of information to help hackers pinpoint their targets in a company.
GRAHAM CLULEY. But hang on a minute. So this hacker bribed someone inside the Roblox conglomerate into sharing some information. And that's obviously, you know, kind of an insider threat in a way, isn't it? Because you've got humans and they're bribable.
CAROLE THERIAULT. Like, who's working in customer support? Who would be interested? Who would do this? Yeah. You know, and here, here's a payoff.
GRAHAM CLULEY. "Thanks for that information." But then the hacker goes to Motherboard. He goes to a journalist and says, "Look what I've been able to do," rather than monetizing it. Well, let's just wait.
CAROLE THERIAULT. All right. Wait, wait, wait. Be patient. Okay. The hacker gets access to Pandora's box. So I'll share a few highlights, and I want you guys to help me sniff out if he's a good hacker or a bad hacker.
GRAHAM CLULEY. Okay. Okay? Okay, right.
CAROLE THERIAULT. Okay, that's how we'll do this. So, okay, so by Pandora's box, I mean the hacker could look up personal information on any of its 100 million active monthly users. The hacker could steal virtual in-game currency from people. Oh, nice. The hacker could change passwords. A hacker could effectively lock people out of their accounts. They could turn off two-factor or multifactor authentication, ban users, and more. Wow. Okay, so he had access to the motherlode here. And he told Motherboard, "I did this only to prove a point to them." And Motherboard has granted the hacker anonymity to speak more candidly about the crime. Okay? So you're reading this and you're like, "Okay." Turns out the hacker first phished the Roblox worker to gain access to the backend customer support. So that was true. But he backtracked when he was talking to Motherboard and said, "Actually, it was due to an issue in a piece of authentication software." And I was thinking, why would he first say it was— he phished and then say there was an issue?
GEOFF WHITE. And didn't it start out that he bribed? I'm confused. Yeah.
CAROLE THERIAULT. Well, I think it's because he tried to claim on the bug bounty from Roblox. So I think when he first started his story, he realized that actually that didn't mean there was any vulnerability in their system. Because he had done a social engineering attack.
GRAHAM CLULEY. And they wouldn't pay out a bounty just because they bribed an employee.
GEOFF WHITE. Exactly. Yes. Hmm.
CAROLE THERIAULT. So just for everyone to know, legitimate security researchers will identify vulnerabilities in sites or services like this. And then the deal is you report those to the company to say, hey, you must fix this problem. Once the problem is fixed, both companies can go out and tell the world about what happened. And then companies sometimes pay the researchers in response. But this hacker's request was denied. And you remember that Linkmon99? The rich Roblox YouTuber guy? He was snagged because he's super high profile. The hacker also stole passwords and stole items from Roblox users. And he said he did that only when he had a feeling the bounty shit was going to go south. That's what I think.
GRAHAM CLULEY. It's all right to steal from other people because Roblox aren't prepared to pay you a bug bounty because you bribed—
CAROLE THERIAULT. For fooling, for duping their employees and bribing one.
GEOFF WHITE. A murky tale.
CAROLE THERIAULT. The other one that I, just because Geoff is here and he might know the answer. So Motherboard gave him anonymity, this hacker, right? In exchange for his story. But surely Roblox may want to get the authorities onto this person and do some investigation. And should an investigator knock on Motherboard's door, do you think as a journo, would the Motherboard journalist know the identity of this hacker or would he not know him at all? Would it be safer for him not to know the identity of this person?
GEOFF WHITE. Yeah, this is where it gets really tricky. So there's anonymity and there's anonymity. So there's anonymity where you know the source and you meet them and you verify, you know, like the classics of whistleblower where you chat to them in a pub, um, but then when you publish the piece, you don't reveal their identity. Um, but then now, particularly in the modern tech era, there's also the possibility that somebody gets in touch with you and you have no way of verifying their identity, which is what happened, uh, in the Paradise Papers, uh, story, where the identity was never known, or that they give you an identity that's just fake or that there's no way to verify, right? So a lot of outlets have started doing— saying, 'Well, okay, if the data is good, if the source is giving me data that I know is verifiable, and I can check, then I'll go with the story even though I can't identify the actual source of it.'
CAROLE THERIAULT. In a way, I guess it protects you as well from getting into, you know, if you just, you know, if the police come knocking, you're like, here, I'll give you everything, but I don't know who the person is.
GEOFF WHITE. Yeah, the issue with that is you can be played quite badly as a journalist. So the classic was the Sony Pictures Entertainment break-in where a lot of the fingers are now pointing at North Korea. So a lot of the journalists who were taking information from sort of anonymous hacking groups and saying, 'Well, we don't know who's behind it, but we're publishing it anyway.' Then later on, it turns out that actually it was somebody who was basically manipulating you as a journalist to work to their agenda. So yeah, it gets you off the hook for prosecution, for the police coming to you and asking you for the identity of the source. But because you don't know the identity of the source, you're then at risk from a whole other angle because you could have just been basically manipulated and had your strings pulled.
CAROLE THERIAULT. I love that we get guests on like Geoff because they just raise our bar a little bit.
GRAHAM CLULEY. That's what we need, for goodness' sake. It's just a shame he does that podcast, which insulted me so much. It didn't insult you.
CAROLE THERIAULT. It celebrated you and your eccentricities. We celebrated your eccentricities.
GRAHAM CLULEY. It's a no-brainer that businesses have to safeguard their data as they move more workloads to the cloud. Zoom is obviously experiencing massive growth right now, and they turned to Oracle Cloud Infrastructure to support them as they innovate and provide an essential service while so many folks are working remotely. If you want to check it out for yourself, Oracle is providing some great cloud services for free for an unlimited time. Sign up and you'll soon be building, testing, and deploying cloud applications securely with Oracle. Learn more at smashingsecurity.com/oracle.
CAROLE THERIAULT. Maybe you don't have a single sign-on password manager, or maybe you do and you're not really happy with it. Well, why don't you start a free 14-day trial of LastPass Enterprise? You can manage every access point with integrated single sign-on and password management. Let me tell you about some extra features: central admin dashboard, easy user management, group management, directory integrations, advanced reporting, multifactor authentication options, password sharing, and the list goes on. Check it out at lastpass.com/enterprise.
GRAHAM CLULEY. Since the outbreak of COVID-19, cybercriminals have found many ways to take advantage of anxious users. Join our friends at DomainTools for a webinar as they walk you through the process of identifying a nefarious domain, mapping connected infrastructure, and reverse engineering a ransomware attack which used a coronavirus disguise. Learn more about how DomainTools helps security analysts turn threat data into threat intelligence and watch the webinar at domaintools.com/smashing. On with the show. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
GEOFF WHITE. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. It better not be.
CAROLE THERIAULT. Mine is so good this week, I can't—
GRAHAM CLULEY. Well, I think I might have mentioned somewhere already that one of the games that my wife and I have been playing in the evenings— Animal Crossing? Under lockdown. No, not Animal Crossing. This is a game that we play while sat on the sofa, is a game of looking at people's bookcases when they appear on TV programmes. So everyone's dialling in to news reports or magazine shows, and they've carefully set up the bookcase behind them to appear erudite and smart. Oh, I love that you're talking about this. Yes. And we check out what they're reading. And, you know, we don't listen to a word that all these talking heads are saying, but we're saying, oh, look at that, that he's got in the background. You know, why has he left that out? When I regularly broadcast from my study before I came to the Podcast Pleasure Palace, my wife used to regularly panic about some of her books which were behind me, which she thought weren't entirely appropriate. So there is a Twitter account called Bookcase Credibility. Twitter name is @BCredibility, and it is an account which is celebrating the backdrops behind the people appearing on TV. Absolutely brilliant. And what they're doing is really rather creative. They are describing the backdrops rather like they're— there used to be an art critic called Brian Sewell, who had the most wonderful voice.
CAROLE THERIAULT. That's very good, Graham.
GEOFF WHITE. It's a very good impression.
GRAHAM CLULEY. Yeah, yeah, I do a rather wonderful Brian Sewell impression. And so he, he, he, they will describe in Brian Sewell-like terms what they think of the backdrop. So we've got one here that they've done a bookcase behind David Baddiel, who is a writer and comedian. And he goes, "No chances taken here. David surrounds himself with bookcases in the vaguely hexagonal shape suggests they move around us, closing us in with him in a honeycomb of credibility. The sensation is of being welcomed into the hive of a particularly well-read bee." And these writers— What accent was that? Sorry, that was Brian Sewell still. Oh, right. That wasn't David Baddiel. And it was— I'll do him another time. But you get these wonderful write-ups, and they're done in this pretentious artistic way. And it's a joy. So that is my pick of the week, and it's Bookcase Credibility on Twitter. Okay, I've just subscribed. Geoff, what's your pick of the week?
GEOFF WHITE. I'm going to go for my pick of the week is— one of the things that I miss in this lockdown coronavirus period is going to see films in a cinema with my friends. That is one of the joys of life that I achingly miss. So a friend of mine recommended some software to me recently. Now, I should say at the beginning, I have not done a full security audit of this software, so don't come back to me if you get hacked. But it's called SyncPlay. And what it does is it syncs up. We've been using it with VLC player, which— oh yeah, loves— great player. So what you do is you all download the same movie file, you use SyncPlay, and effectively SyncPlay sets up a server that then connects to you all. And so you can all start, because you know you have this thing of, "We're going to start the movie at 8," and then somebody hits the play button a bit too late, and then they end up laughing at the joke before you've all laughed at the joke.
GRAHAM CLULEY. You know, that thing. We've just had this experience actually, Geoff, because Carole, I, and Maria Varmazis just recorded for our Patreon supporters a commentary of the movie Zardoz. Have you ever seen Zardoz? With Sean Connery walking around in a red nappy?
GEOFF WHITE. Oh, is that the thing where there's a sex scene, isn't there, in Zardoz? I remember when I was at school— Just one or two.
CAROLE THERIAULT. Anyway, it's quite an interesting commentary. I think we added to the movie.
GRAHAM CLULEY. But we were getting out of sync occasionally, weren't we? You had to catch up, Carole, and things like that. So there was some— Anyway, tell us more about Syncplay. So you've downloaded this and you're all running VLC.
GEOFF WHITE. Download it, get VLC. You all have to have the same film, same movie file on your— Legally obtained, obviously. Legally obtained, exactly. Exactly, legally obtained. And then SyncPlay will allow you to play it and pause it. So anybody can play, anybody can pause it. But the other thing I love is you can give yourself a username when you log in to SyncPlay, which obviously endless fun with movie names. But also you can comment and your comment appears on VLC over the top of the movie. Oh! So we watched Flash Gordon through this. And I had the joy of logging on as Klytus from Flash Gordon and typing out, "Hawkman, dive!" onto the screen.
CAROLE THERIAULT. Great. Endless fun. This might be something to add if you enjoy this sort of thing, watching movies with friends, is Netflix Party. Oh. So, I haven't done this yet, but I've had a few people recommend it to me. So, it's like a way of watching Netflix together. I've put the link in the show notes, but— Yeah, so same idea, and you can have a screen so your notes appear on the screen. Same, similar idea to yours, but might be a little bit simpler if the movie is already available on Netflix and all your friends are already having a conversation.
GRAHAM CLULEY. Rather than trying to get a legal copy of it. So this is something which plugs into your Chrome browser as an extension rather than you having to install traditional software. We could have done with that, Carole, couldn't we?
CAROLE THERIAULT. We could have done with that, but I don't think that Zardoz was on Netflix.
GRAHAM CLULEY. Oh yes, Zardoz was quite exclusive, wasn't it? It was hard to get hold of.
GEOFF WHITE. Anyways, exclusive is one word for it.
GRAHAM CLULEY. Yep. So Carole, excellent. And what's your pick of the week?
CAROLE THERIAULT. Mine is excellent. All right. I need to send you guys a link. Right. Food comes in many different packages, doesn't it? You can get fresh produce to things like crisps and other ready-made meals.
GRAHAM CLULEY. Some of them. I like your definition of food, fresh produce to crisps. I like that. The full gamut.
CAROLE THERIAULT. I think, I think, I think I'm just trying to make it quick. I'm moving along the list to get to this one. Okay. Right. And this is a YouTube channel from a producer called Ashens who likes to, amongst other different playlists that he seems to provide, likes to do some food reviews. So let me allow you guys to click on this link. This is his video of chicken in a can. You can turn off the sound. I found it's almost more enjoyable.
GRAHAM CLULEY. Okay, I'll turn off the sound. He's opening some— Alright, let's have a look. Some chicken broth he's opening. Is this— Oh my goodness.
CAROLE THERIAULT. No, it's a whole chicken in a can.
GEOFF WHITE. What? No, you can't fit a whole chicken in a can.
GRAHAM CLULEY. How would you put a chicken in a can?
GEOFF WHITE. Wouldn't the chicken complain? Oh. Oh, that looks bad.
GRAHAM CLULEY. He's pouring it out. So this is a pure— Why are you making me watch this? This looks horrible. Oh, oh my goodness. Oh, this is disgusting.
CAROLE THERIAULT. Okay, I'm going to close this now. What I love about this is the brown sofa that I think has been bought. It's like the stage, so it shows up in every single video that they do. Um, I do recommend watching it without sound almost, just so you can be absolutely revolted and you have your own commentary.
GEOFF WHITE. The skeleton is in there as well. Yeah, that's the actual— oh my Now, it's not all—
CAROLE THERIAULT. they're not all disgusting. There was a burger in a can, which was just— Oh. Like, people were like— the whole time we were like, "Is there a bun in there?"
GRAHAM CLULEY. "Is there a bun in there?" I remember seeing a YouTube channel a few years ago about a guy who would get out old military rations from, like, the Korean War. And he'd try and guess beforehand whether it was going to taste nice or not. So he would open these things up and then would try them out. And he had quite a lot of subscribers. Yeah, this guy eats everything he opens.
CAROLE THERIAULT. No, he doesn't. No. Oh yeah. Oh yeah, he eats this.
GRAHAM CLULEY. Oh. Does he also drink bleach? No! No. Well, he should try it. Might work.
CAROLE THERIAULT. But he has— he does worldwide food specials. So people send in crazy food from, you know, all four corners of the earth. And he follows the instructions. Well, there is—
GEOFF WHITE. I remember all-day breakfast in a can. Have you come across this? Have I come across all day?
GRAHAM CLULEY. Why do you have it?
CAROLE THERIAULT. Yes, a Poundland food special all-day breakfast. They have little egg— Yes, yes, yeah, let me send you the link now. Yeah, I can.
GEOFF WHITE. It says a can of beans and you get a sausage and a bit of bacon and an egg, and I think you get a hash brown. I think there's a hash brown floating about somewhere.
CAROLE THERIAULT. I watched that one.
GRAHAM CLULEY. Oh, this is the same chap? Yes, it's this—
CAROLE THERIAULT. so his full channel. So this is the channel, it's called Ashens, it's on YouTube, and amongst his various playlists he does a number of revolting food reviews, which will put your potentially not wonderful dinner— if you don't have great cooking skills at home and you're stuck there and you can't wait to go to restaurants again, this will make you feel better about the food that you may be producing.
GRAHAM CLULEY. Well, on that charming culinary note, I think we've just about wrapped it up for this week. Geoff, I'm sure lots of our listeners would love to follow you online or check out one of your podcasts. What's the best way for folks to do that?
GEOFF WHITE. Uh, probably find me on Twitter. I am Geoff White, G-E-O-F-F, white like the color, 247, the number's 247, uh, at Twitter.
GRAHAM CLULEY. And you can follow us on Twitter at Smashing Security, no G, no diphthongs, which wouldn't allow us to have them. And on Reddit in the Smashing Security subreddit, go and find us there.
CAROLE THERIAULT. And as always, wonderful listeners, thank you. You keep Smashing Security alive by listening to us each week, virtually, literally. Also, a huge thank you to this week's Smashing Security sponsors: Oracle, DomainTools, and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, stay safe.
CAROLE THERIAULT. Geoff, cheerio. You matter, Geoff. Sorry, sorry.
GEOFF WHITE. I thought, you know, it's just a little bit antisocial, I'd say, Julia.
GRAHAM CLULEY. It's just, you know, we're all meant to be friendly in a kind of keeping distance kind of way right now. Hello, hello, hello, and welcome to Smashing Security After Dark. It's not even dark out. Well, it will be in a minute. After dusk. Well, during dusk. Smashing Security during dusk. Today we are going to be doing a commentary on a movie which Maria brought up on a recent episode of Smashing Security. And that movie is Zardoz. I thought it might be useful if each of us described our relationship with Zardoz before we began. How are we coming to this movie? Maria, as you're the person who first mentioned it, you start us off.
CAROLE THERIAULT. Oh my goodness. So I first saw it maybe a decade ago at a local movie theater here in the Boston area called the Brattle. They had a 24-hour bad sci-fi movie marathon called Schlock Around the Clock, and Zardoz— yeah, Zardoz was sort of like the prime feature. And a bunch of my friends and I went to see it. Some of them had seen it, some of them hadn't. And I— it, you know, you can't forget your first time. And every year when they would do this festival, I would always make a point to bring someone with me who hadn't seen it before. And at that point, I would just like watch their face and not the movie. Um, it's just a— in my, in my group of friends, we all love how bad this movie is. And, uh, yeah, it's— I, I love it in a bad way. I've never seen it, Maria, and I wish you could see my face. I wish we had a video cam on so you could watch it. Me too. I'll take selfies as appropriate when you say take a selfie now. Okay, you can line me up and I will do that for you and send them to you. Basically the whole first half of the movie, just record your face because It's just the beginning is especially like— The beginning is extraordinary. Yeah, it loses steam. Just a fair warning. It just kind of— Yeah. Well, you know, we can always hurry through. If it gets boring, we just call it off, right? Yeah. Well, that—
GRAHAM CLULEY. So Carole, you haven't seen it. This is completely new to you, but you've got someone in the background there to help you out during the recording.
CAROLE THERIAULT. Well, I have our designated fact checker during this filming. So if there's any questions that any of you have during it, I'll have it checked by Mr. Hubbs. I will make it very formal. I'll say, "Question!" or something like that. Like, I'm raising my hand.
GRAHAM CLULEY. Oh, hubs as in husband. I thought you meant like in Pornhub or USB hub.
CAROLE THERIAULT. Well, don't get specific. Don't get specific. It's fine. Jeez. All-purpose hub. Yeah. All of those things. The hub. Okay? That's all you need to know.
GRAHAM CLULEY. Now, Zardoz is a movie that I knew about. So I was bemused when Maria mentioned it, but I'd never actually seen it. But I did watch it last night.
CAROLE THERIAULT. You spoiled it. Yourself.
GRAHAM CLULEY. I couldn't resist, so I watched it last night with my wife, and she fell asleep during it, and I mostly stayed awake during it.
CAROLE THERIAULT. Yeah, I, I tried to show my husband this movie a few years ago, but he apparently had the flu at the time, so about half an hour into the movie, he started like hallucinating and passing out. So Mr. Maria is not a fan? He's never— no, he would love to see it. He was actually asking to watch this with me while we're doing this, but someone has to watch our kids.
GRAHAM CLULEY. So you definitely don't want the kid watching this?
CAROLE THERIAULT. Well, why not? No, this is not a movie. No. Okay, okay. You see, you can tell I've not seen it. You see, I'm not faking. I mean, it would just be very boring for her. All right, for the most part. Okay, okay. Can we just kick this off? Yeah.
GRAHAM CLULEY. So we need everyone who wants to watch along with us, they need to get their DVDs, their legally purchased DVD, VHS tape, their Blu-ray, LaserDisc, their Amazon account or whatever, they need to go and grab a Zardoz. What year is this? 1974? Something like that. There's only one Zardoz.
CAROLE THERIAULT. Year of many good movies and also this one. So. All right.
GRAHAM CLULEY. So we are going to count down from— Well, count up 1 to 4 and say go.
CAROLE THERIAULT. Yeah. So do we go on 4 or do we go after 4? No. Can I just do this, Graham? Can you just not be weird? Okay. 3, 2, 1, go!
GRAHAM CLULEY. All right.
CAROLE THERIAULT. Okay, I'm seeing 20th Century Fox. 20th Century Fox. I'm seeing 20th Century Fox.
GRAHAM CLULEY. Yeah, okay, this is going well. This is going pretty well.
CAROLE THERIAULT. I have an X-ray on. This is fascinating. Me too. All right, do we want to say about the X-ray? Yeah, let's— yeah, why not? I mean, it's our— okay.
GRAHAM CLULEY. Oh, oh, I am Arthur Frayn.
CAROLE THERIAULT. And I am— he's bodiless.
GRAHAM CLULEY. This is Arthur Frayn.
GEOFF WHITE. 300 years, and I long—
CAROLE THERIAULT. Is that a nun?
GRAHAM CLULEY. But death is no longer— he appears to have a pair of trousers on his head.
CAROLE THERIAULT. Just take a closer look at his— what's on his chin. Just as he gets closer, notice his chin. Rich in iron. That line could not be said by an American.
GEOFF WHITE. We don't know how to roll our Rs.
CAROLE THERIAULT. Have yet occurred. That, that tash though. No, no, no, his chin. That chin.
GRAHAM CLULEY. This actually is my favorite part of the movie.
CAROLE THERIAULT. Beard, I think you mean. His beard. What's, what's on his chin?
GRAHAM CLULEY. Oh, it's getting closer. And the magician— I need to make this bigger.
CAROLE THERIAULT. It is. Is it?
GEOFF WHITE. What, what is it? I am the puppet master.
CAROLE THERIAULT. What do you think it is, Graham?
GEOFF WHITE. You collect... Is it some sort of cave?
CAROLE THERIAULT. One could say, yes. Wizard sleeve, maybe. A hairy back end. Yeah. So my understanding is they had to tack this introductory scene on because nobody understood the movie. Yes. They hoped this would clarify things. I know. So he slowly goes down. I'm so into this already. Okay, I'm, I'm sitting back.
GRAHAM CLULEY. Okay, that was the highlight of the movie.
CAROLE THERIAULT. That honestly, it doesn't get much better than that.
GRAHAM CLULEY. So that guy we just saw, he's also in Alien 3. I read Arthur Frayn, or the actor playing Arthur Frayn. Yeah.
CAROLE THERIAULT. Oh, you see, did some research. I did some research. Oh yeah, I'm sure everyone really loves you did that. That's why they listen to this, to hear your really erudite commentary. He was also in Mamma Mia. Oh well, I didn't, I didn't realize they filmed this in Ireland. Are those real horses or CGI? Fake horses. Oh, I love the logo. I love the logo. No, I love it, I love it. Oh, here it is. You're gonna be so disappointed when you learn what Zardoz means. Oh yes, yeah. Okay, spoiler, I'm gonna— I'm painting this tomorrow. This is inspiring me. Oh yep, okay. I'm gonna— I'm seriously, I'm gonna do it. So more than one Sean Connery in this movie. That's important.
GRAHAM CLULEY. This was a Rick and Morty episode. Yes, yes.
CAROLE THERIAULT. I would love to go where they shot this in Ireland and like recreate this with the giant heads in the sky. Show me what you got, let me see what you got. The head is descending. Outfits. Yeah, do you? Yes, do you, Carole? I'm having a Zardoz party when this is all over, Graham.
GRAHAM CLULEY. You're— I don't know how many people will be coming.
CAROLE THERIAULT. You haven't seen the whole movie yet. Guarantee you won't feel the same way by the end. Oh, it's just mud.
GRAHAM CLULEY. Oh, you have been raised up from brutality.
CAROLE THERIAULT. Everyone, are you his chosen one? No, none of us are. We're cursed. Blursed brutality.
GRAHAM CLULEY. Brutals. I love saying that shit. I just always think that the costume designer is like, okay, I'll put it up to— I know, but what did they reject? What did they think? This is the edited version.
CAROLE THERIAULT. You could never come up with this, Cluley. Never.
GRAHAM CLULEY. The gun is good. Okay.
CAROLE THERIAULT. Hubs is freaking out. I, I, that's the part I love to watch everybody's face.
GRAHAM CLULEY. I can hear it.
CAROLE THERIAULT. Oh man.
GRAHAM CLULEY. Want to hear more? Seriously? Well, you'll have to become a bonus content supporter of Smashing Security on Patreon. Sorry about that. Just visit patreon.com/smashingsecurity for more details. Until next time, cheerio, bye-bye.
-- TRANSCRIPT ENDS --