What are prisoners getting up to with mobile phones? Why might ransomware no longer be generating as much revenue for cybercriminals? And how on earth did an airline leave the US government's "No Fly" list accessible for anyone in the world to download?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
Sponsored by:
- Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
- ManageEngine PAM360 – A fully functional privileged access management suite that offers a holistic picture of all the privileged devices, users, and credentials in the IT infrastructure. From managing and governing access to all your enterprise resources to automating the access management life cycle in your organization, PAM360 does it all.
- NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.
Episode links:
- The Complete Idiot's Guide to Writing Erotic Romance - Amazon.
- The Many Ingenious Ways People in Prison Use (Forbidden) Cell Phones - The Marshall Project.
- How Did They Run an Elaborate “Sextortion” Scam From Prison? Cellphones - The Marshall Project.
- Alarm Over Death Row Cell Phone Threats - CBS News.
- How to completely own an airline in 3 easy steps - Maia arson crimew.
- U.S. airline accidentally exposes ‘No Fly List’ on unsecured server - Daily Dot.
- Cyber-crime gangs' earnings slide as victims refuse to pay - BBC.
- Ransomware Revenue Down As More Victims Refuse to Pay - Chainalysis.
- Leaked Ransomware Docs Show Conti Helping Putin From the Shadows - Wired.
- Luxe Listings Sydney trailer - YouTube.
- Luxe Listings Sydney - Wikipedia.
- Matt Shearer WBZ - Twitter.
- Hot Skull - Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Support the show:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. How do you find the time to write a book with this constant distraction?
MARIA VARMAZIS. There's no time!
GRAHAM CLULEY. There's children, there's taxes, there's TikTok, there's—
MARIA VARMAZIS. Children, taxes, and TikTok. Yes, those are the problems.
CAROLE THERIAULT. I only have to deal with one of those.
UNKNOWN. Smashing Security, episode 306: No fly lists, cell phones, and the end of ransomware riches, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 306. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Carole, welcome back. We've all been worried about you.
MARIA VARMAZIS. Thank you.
CAROLE THERIAULT. I'm glad you worried about me. I had 24 hours of not-to-be-discussed violent illness. Holy moly.
MARIA VARMAZIS. Let's just say the perfect cue for our guest, Maria Varmazis, coming out both ends. Maria Varmazis. Yay!
GRAHAM CLULEY. Yay!
MARIA VARMAZIS. Hi, Maria.
CAROLE THERIAULT. You don't make me sick. Hi.
MARIA VARMAZIS. That is a ringing endorsement. I don't think anyone's ever said something nicer about me. I don't make you sick. That's so great. Love you too.
CAROLE THERIAULT. Before we kick off, let's thank this week's sponsors: Bitwarden, ManageEngine PAM360, and NordLayer. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be giving some great advice for budding authors.
CAROLE THERIAULT. Ooh. And Maria, what about you?
MARIA VARMAZIS. How to hack an airline, or not really.
CAROLE THERIAULT. And with me, you'll enter the world of ransomware, if you dare. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, huddle up because I want to ask you a very serious question, which is, have either of you ever been interested in writing a book? Have you thought about writing a book?
CAROLE THERIAULT. Yes. A billion times.
MARIA VARMAZIS. Yep, yep, yep.
GRAHAM CLULEY. Oh, okay. Maria, what kind of book have you thought of writing?
MARIA VARMAZIS. Oh goodness, I've had a whole bunch of ideas. I don't want to embarrass myself, but I haven't done it, which is the important thing. So nobody has to do the, how's your novel coming along?
GRAHAM CLULEY. You ready?
CAROLE THERIAULT. Would it be romance-y or crime-y?
MARIA VARMAZIS. No.
CAROLE THERIAULT. Or sci-fi-y?
MARIA VARMAZIS. No.
GRAHAM CLULEY. Sexy?
CAROLE THERIAULT. Erotica?
MARIA VARMAZIS. No.
CAROLE THERIAULT. No.
MARIA VARMAZIS. Memoir? Memoir.
GRAHAM CLULEY. A memoir.
MARIA VARMAZIS. A memoir. Yeah.
GRAHAM CLULEY. Carole, have you ever thought of writing a book?
CAROLE THERIAULT. Yes, 1,000 times.
GRAHAM CLULEY. Yes?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. I remember you writing something when you were, well, we used to work at the same company, of course, and you used to spend part of your time writing about, it was sort of an erotic romance about one of the senior members of staff and his body of pink steel.
CAROLE THERIAULT. This is you ranking crazy, he's whisking up our past to be completely different.
MARIA VARMAZIS. My goodness.
CAROLE THERIAULT. What happened, Graham, was—
MARIA VARMAZIS. Was the security very naked or no?
CAROLE THERIAULT. What happened was that I bought Graham for his birthday a how-to book for dummies, you know, those dummies books, and it was how to write erotic romance novels, and it was fantastic. And then we challenged ourselves and we both wrote one about senior members of staff at Sophos.
GRAHAM CLULEY. On paper, he was an impressive catch. As a senior player in a leading IT security company, money and the founding father of several charities. He wore his great power and wealth lightly.
Nothing gave him as much joy as seeing the faces of the children he helped save. As an ex-member of the British Olympic badminton team, women fantasized about him lifting them into his arms and carrying them to a large silk-draped bed. His simple gray suit hid a body of pink steel with a taut chest that rippled as his perfect ass made women stifle.
CAROLE THERIAULT. And the game was which one was sexier and which one could you identify. I think you won the prize, Graham. I think you won.
GRAHAM CLULEY. Well, I don't want to blow my own trumpet, which did of course occur in Chapter 3. But anyway, I've always wanted, I've always thought, wouldn't it be wonderful to write maybe my memoir? Maybe, you know, my struggle, you know, how a young lad—
CAROLE THERIAULT. I don't think 20-page books are a big rage.
MARIA VARMAZIS. That's a pamphlet.
GRAHAM CLULEY. The thing is, the thing is I think many of us would love to write a book or write a novel or something like that, but how do you find the time? How do you find the time to write a book? There's constant distraction.
MARIA VARMAZIS. There's no time.
GRAHAM CLULEY. There's children, there's taxes, there's TikTok, there's—
MARIA VARMAZIS. Children, taxes, and TikTok. Yes, those are the problems.
CAROLE THERIAULT. I only have to deal with one of those.
GRAHAM CLULEY. And maybe more importantly, how can you be sure that you're actually making any money out of the book? Because it was— Such a waste of time, wouldn't it? Writing a book and you're not going to make any money out of it. You know, just—
CAROLE THERIAULT. I don't think you write a book for money.
GRAHAM CLULEY. Well, I hope you don't, because I think it's quite hard to make money out of a book.
MARIA VARMAZIS. Yeah, you would think that people would understand that, Carole, but a lot of people don't.
CAROLE THERIAULT. No, you write it for the cachet.
GRAHAM CLULEY. The cachet, not the cash.
MARIA VARMAZIS. Okay.
GRAHAM CLULEY. Wait a minute, look, I've got the answer. I've got the answer. I've worked out somewhere where you can go. You can spend hours in the privacy of your room, not being disturbed by children, not distracted.
You don't have to worry about paying your bills. You don't have to think, oh, I've spent too long at Waitrose, you know, popping out to the shops, doing things other than writing. It is the perfect place to be. It is, of course, prison. If you go to prison, they lock you up for hours and hours, 23 hours a day. In a cell.
CAROLE THERIAULT. With a brand new Apple Mac.
GRAHAM CLULEY. Well, no, they don't. I don't know that they do give you an Apple Mac.
CAROLE THERIAULT. Lightning speed fibre.
GRAHAM CLULEY. Well—
MARIA VARMAZIS. So you can surf the internet and not write your novel.
GRAHAM CLULEY. You sound rather sceptical, but my attention was brought this week to a report in The Marshall Project. It's a non-profit news organisation. They've taken a close look at the use of cell phones behind bars. Behind prison bars.
MARIA VARMAZIS. Prison bars, okay.
GRAHAM CLULEY. Yes, prison bars. Not behind the bar of— Not Moe's Bar.
MARIA VARMAZIS. Okay.
GRAHAM CLULEY. Amanda Hugginkiss. Nothing like that.
CAROLE THERIAULT. Wow.
MARIA VARMAZIS. '90s references. Love it. Get everything on this podcast. It's great.
CAROLE THERIAULT. He stopped living then.
MARIA VARMAZIS. Early Simpsons. I'm with you. I got it.
CAROLE THERIAULT. He just started using the word woke. So, you know.
MARIA VARMAZIS. Oh no.
GRAHAM CLULEY. I'm ignoring you. In most prisons—
MARIA VARMAZIS. Is yeet gonna be next? No? Okay, sorry.
GRAHAM CLULEY. In most prisons, you're not allowed phones. They don't like it.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But it doesn't mean people don't have phones. They definitely do have phones. Sometimes they're very, very tiny phones. I looked up on Amazon, there's a phone called the Zanco Teeny Tiny T1.
MARIA VARMAZIS. Alright, I need to Google this. What is this?
GRAHAM CLULEY. It claims to be the world's smallest phone. It's about the size—
MARIA VARMAZIS. Oh my god.
CAROLE THERIAULT. Fits into any orifice.
GRAHAM CLULEY. Exactly.
MARIA VARMAZIS. Oh, that is definitely going up somebody's bum. Oh my God.
GRAHAM CLULEY. I don't know if it has a vibrating ringtone or not. I don't know if it can help you play chess to a grandmaster level or not. But it's known as the BOSSBeater because it's designed to beat a body orifice security scanner known as the BOSS.
You can listen to music, albeit muffled. You can text with your friends. You can make calls. But it's so tiny, this thing.
I mean, it's about the size of your ear. Because you hold it up to your ear with its tiny little speaker.
I wonder whether you're also covering the microphone, which is meant to be your mouth, whether you're constantly sort of sliding it back and forth. I don't know. But it is presumably, as we've already said— well, as you've said, Maria, rather grubbily— it is probably fairly easy to smuggle into a prison, albeit somewhat uncomfortable.
MARIA VARMAZIS. Okay.
GRAHAM CLULEY. So mobile phones are apparently one of the most smuggled items into prisons, after cakes with files in them.
CAROLE THERIAULT. Well, it's how you do your business, right?
GRAHAM CLULEY. Exactly. It's how you do your business.
CAROLE THERIAULT. Do you contact Uncle Joe and say, "Uncle Joe, remember the meeting."
GRAHAM CLULEY. Don't be late. Well, I don't know if they're meeting— What, you mean meeting in the prison? No.
CAROLE THERIAULT. Maybe, you know, you're conducting business outside the prison if you have a phone. You have ability to do that.
GRAHAM CLULEY. I don't think they're calling cell to cell. I know they're called cellular phones, but I don't think they're calling from cell to cell. It's the outside world that they want to talk to, isn't it? Because of course you might still—
CAROLE THERIAULT. That's what I'm saying.
GRAHAM CLULEY. You might still— Is that what you were saying?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Oh, okay. Anyway, the thing is, normally a phone, right? If you've got a phone in the prison, it's being monitored, isn't it? You have to sort of— you're only allowed to call certain people your brief or your mole outside. But the thing is that the phone calls are being monitored and supervised for understandable reasons.
MARIA VARMAZIS. Exactly. Yeah.
CAROLE THERIAULT. And they're being recorded at all times. So it's not like you're going to conduct illegal businesses or—
MARIA VARMAZIS. No, a prisoner never would do something shady like that.
GRAHAM CLULEY. Never do anything like that. So prisoners might want their own phone. And some are using these just to stay in touch with their families, which is understandable because you would be worried.
I would be worried. You know, I might call up the dog, see that he's doing okay. I might call up my child. I might just want to check they've done their homework or something.
So I'd give, you know, I'd give someone a bell. So you might want it for legitimate reasons and simply not be restricted to the times when you're allowed to use the phone and who you're allowed to call. But also, people are using their mobile phones in prisons, especially in America, to traffic guns and drugs.
And even sextortion scams are being operated from inside prison. You know, these scams where they pretend to be naïve young women and get you to take your clothes off and do things in front of them.
CAROLE THERIAULT. I've heard of them, yeah.
GRAHAM CLULEY. Yeah?
MARIA VARMAZIS. Do you know the coolest prison racket that I've ever heard of?
GRAHAM CLULEY. Go on, tell me.
MARIA VARMAZIS. Poetry.
GRAHAM CLULEY. Hey?
MARIA VARMAZIS. There was a prisoner who would coordinate with other prisoners that he would write erotic poetry for the loved ones back home for a certain amount of money or cigarettes or whatever. Because he was a very good writer.
So he would actually— other prisoners would pay him, and he would do a Cyrano de Bergerac thing.
CAROLE THERIAULT. Oh!
GRAHAM CLULEY. Without the big nose. Ah, that's quite romantic. I quite like that.
MARIA VARMAZIS. Yes. Poetry from prison. Yeah.
CAROLE THERIAULT. Erotic poetry.
GRAHAM CLULEY. Oh, it's erotic poetry.
MARIA VARMAZIS. Yes. Yeah, it was erotic poetry. Yeah, yeah.
GRAHAM CLULEY. You have to— It's quite difficult, isn't it, finding rhymes for certain things?
MARIA VARMAZIS. You can do it if you try.
GRAHAM CLULEY. I was thinking of the family china and, you know, things like that. Maybe— Anyway, some people get up to naughtiness.
So more naughty than that. I heard of one guy who was on death row, and he was making threatening calls to a Texas state senator, saying, you know, we're gonna kill you, mate.
MARIA VARMAZIS. Did it work? No, I'm just kidding.
GRAHAM CLULEY. But anyway, the Marshall Project, they report that they can also be used for good. So they say that some people are smuggling contraband phones into the prison to take public Harvard classes. So they're actually—
CAROLE THERIAULT. Oh, right. Oh, to study, right.
GRAHAM CLULEY. Yes, to study. So to improve themselves, which is a wonderful thing, isn't it?
Or they're learning medical care. So maybe, you know, Jimmy Fingers, you just got slashed down in the showers.
So if you've got a gaping wound and you don't want to go to the Rozzers or the Nurks, what's the phrase for prison guards? I don't know.
CAROLE THERIAULT. You definitely want your doctor to be called Jimmy Fingers and not Jimmy Stumps.
MARIA VARMAZIS. Jimmy Sutures.
GRAHAM CLULEY. And so, people are going up on these sites and they're checking out all these videos and they're doing their, they're sort of fixing people up with, I don't know, pipe cleaners and a bit of, you know, a spring they find down the back of a bunk bed or something. They're doing first aid and they're using YouTube and TikTok to develop new skills.
You know, it's wonderful really, isn't it? Now, one guy was able to FaceTime his mum before she passed away.
I mean, that's a great thing, isn't it? Aw. Isn't that lovely?
MARIA VARMAZIS. From the phone that he smuggled up his bum.
CAROLE THERIAULT. With a faint poop stink. You must put it in a condom or something.
GRAHAM CLULEY. Some have even— Charming. Some have even self-published books on Amazon, which they wrote.
CAROLE THERIAULT. They've typed on the tiny phone's keyboard.
GRAHAM CLULEY. Well, no. Okay. I knew you were going to say this.
They're not necessarily using the tiny teeny Zanco T1, which has the world's smallest keys to press. Some of them have actually smuggled in smartphones, of course, which include voice dictation.
Might be a bit quicker, maybe. I don't know.
But this is what's going on. This is what's going on.
Some are taking online classes. Some are participating in Zoom classrooms. So—
MARIA VARMAZIS. That's kind of admirable, though. I mean, getting your master's degree from prison, that's kind of great.
CAROLE THERIAULT. Can I ask how they know this?
MARIA VARMAZIS. Because—
CAROLE THERIAULT. Is this what they said? They've gone to interview somebody?
GRAHAM CLULEY. The Marshall Project have been talking to prisoners and finding out what's going on.
MARIA VARMAZIS. Honest to God, if I was a prisoner and I'd pulled this off, I would tell everybody. I would be, yeah, I did that.
CAROLE THERIAULT. Yeah, only when you're out though.
MARIA VARMAZIS. Yeah, well, I mean, you know, if I got in in the first place, I probably wasn't the smartest, but yeah, I would be bragging like hell.
GRAHAM CLULEY. Well, and some are doing this to participate in Zoom classrooms. Others, you know, this online gig hustle, which you can do, you know how everyone's remote working these days.
You say to the boss, oh yeah, yeah, as long as I get the work done, you know, don't worry about the hours I do, I'll get the work done. And you either farm it out to Fiverr or something and get someone in Indonesia to do the work for you, or you have about 3 or 4 different jobs on the go at the same time. You're employed by all these different companies and you say, yes, yeah, I'm there. You just got different windows open.
Well, some of these guys in prison apparently are doing online gig work. So maybe they're helping the rest of us.
MARIA VARMAZIS. They're on Fiverr.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. They're like, listen, I don't care if that task, I'm only getting $5 for it. I'm in prison. It's more than I would make.
CAROLE THERIAULT. It is incredible though. Like you can be incarcerated physically, but you can still, you know, as long as you've got one of these little gadgets.
MARIA VARMAZIS. This is the wonder. Isn't there a famous character from some TV show who gets his law degree from prison?
GRAHAM CLULEY. Probably. There are people who've done that, haven't they? Where they've been in prison and they've basically trained themselves up because they feel that they got stitched up.
CAROLE THERIAULT. Well, what else are you gonna do, right?
MARIA VARMAZIS. You've got all that time. Yeah, it'd be the one time in my life I'd be like, yeah, I will commit to this now.
CAROLE THERIAULT. You've made me. I'm in a cell.
MARIA VARMAZIS. I'll do it.
GRAHAM CLULEY. There's one prisoner who's managed to sign up 300 other prisoners at different prisons across the United States. They're all signed up now for a Harvard computer science course.
MARIA VARMAZIS. Good for them.
GRAHAM CLULEY. And so it's, you know, but it's— and freelance writing, right? I could work anywhere because I do a bit of writing, right? I write blogs and things. I could do that.
MARIA VARMAZIS. A little bit, yeah.
GRAHAM CLULEY. Maybe, maybe I could actually do this from a prison cell. I'd have unfettered internet access. Why don't you try?
MARIA VARMAZIS. You should go to prison. I think that is the plan. You should do that. Just go try it out. Try!
GRAHAM CLULEY. Anyway, I think this is a fine thing as long as it's not being used for scams. If there was some way to get people to use this for good rather than bad and not engage in the bad stuff, maybe we just need Net Nanny. Maybe we just need more surveillance as to what people are doing.
I don't know. What would you do if you had a life sentence and an internet connection, Maria Varmazis?
MARIA VARMAZIS. Life sentence and an internet connection.
GRAHAM CLULEY. Yes.
MARIA VARMAZIS. That's what the pandemic felt like, honestly.
GRAHAM CLULEY. Maria, what have you got for us this week?
MARIA VARMAZIS. Mine is actually about security. I don't know if that's okay, but let's try it out.
GRAHAM CLULEY. Mine was definitely about security. Mine was about—
MARIA VARMAZIS. Hush, hush, hush now, Graham. Hush, hush.
CAROLE THERIAULT. It's now Maria's turn.
GRAHAM CLULEY. BYOD. It was BYOD.
MARIA VARMAZIS. Yeah. So the teaser for my segment is how to hack an airline or not. And is it really hacking something if you just walk into something?
GRAHAM CLULEY. What?
MARIA VARMAZIS. And just find an unsecured list of names on an unsecured server? Is that really hacking if you just pick it up?
GRAHAM CLULEY. It sounds more like stumbling, doesn't it?
MARIA VARMAZIS. Stumbling upon it.
CAROLE THERIAULT. Yes. No, I think the hacking bit is taking it, isn't it?
MARIA VARMAZIS. Is it, or has one just found it? Yeah. So our listeners, I'm sure, will understand what I'm about to say. Shodan has struck again.
Struck gold. A person who goes by the name of— okay, I'm gonna get this name incorrect, hold on a second— Maia Arson Crimew is a Swiss hacker and used Shodan to scan unsecured servers on the internet, as one does with Shodan, because that's what Shodan does, and happened to find an unsecured server run by the U.S. national airline CommuteAir, which I have never heard of, but they must be a smaller provider.
GRAHAM CLULEY. Okay.
MARIA VARMAZIS. And found a text file on that server, you know, wide open to the internet, called no-fly.csv.
CAROLE THERIAULT. Their no-fly list, we're not flying that person.
MARIA VARMAZIS. It is not CommuteAir's no-fly list. It is the United States' no-fly list. In a CSV file.
GRAHAM CLULEY. So it's not encrypted. It's just plain text. It's not even an Excel spreadsheet format, is it? It's just anything you can open with, right?
MARIA VARMAZIS. Yeah, you can just use it with Notepad or whatever. TextPad. Just plop it on open. And it apparently has about 1.5 million entries in it.
And it includes names and birthdates, multiple aliases for some people who may be trying to evade the government. This is the official— Jesus, Webb. —U.S. government terrorist screening database, and the official U.S. government no-fly list, which has been extremely controversial in the United States for the past 20-plus years, by the way, but it ballooned in size ever since 9/11 for probably very obvious reasons.
GRAHAM CLULEY. Have we searched the list for the names of people we know?
MARIA VARMAZIS. You know, I bet you could. I actually have not gone to look to see if someone has put this CSV online, although maybe we could just go find— we could just go on Shodan right now and be like, "Hey, no-fly.csv!" Graham wants to Google his name, you see.
CAROLE THERIAULT. He wants to see if he's on it.
GRAHAM CLULEY. No, no, no. I remember that— in fact, Maria, we all three of us worked at a company where a certain person who worked in the virus lab shared the name with someone who was on the do-not-fly list.
MARIA VARMAZIS. Yeah, I remember that.
GRAHAM CLULEY. Mm-hmm. Yeah. Yeah. And I think it caused them some difficulties, didn't it?
MARIA VARMAZIS. I imagine it would. Yeah. My husband ran into some issues with that, and his name, I don't know if it was on it or not, but he had an issue with getting flagged from that.
It's a big problem if you're flagged and you just— there's really no recourse for you if you feel like you've been incorrectly included. It's a big problem. Yeah. So according to Crimew, who's— by the way, their website is maia.crimew.gay. Amazing, just amazing URL.
That apparently a lot of the people on the list, their names were of obvious Arabic or Middle Eastern descent. There are some names that are Hispanic or Anglican sounding. But there are also a lot of Russian-sounding names.
I don't know what we want to do with that information, but it's just interesting, I guess. Yep. And apparently the TSA says it is, quote, aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.
And further investigation showed that this no-fly list is apparently from 2019. So it's a few years old.
CAROLE THERIAULT. So presumably it's gotten bigger since then. So my gut says, okay, you'll tell me if I'm right or wrong, maybe you'll know, but I guess there's an employee who could have a little cut and paste while they are working for the TSA, and now they find themselves working at CommuteAir and just plopped it in the database as their kind of welcome gift for hiring them.
GRAHAM CLULEY. I mean, it's a goof, isn't it? It's quite—
CAROLE THERIAULT. It's a goof that someone found it.
GRAHAM CLULEY. It's not a goof that it exists. Yeah, but do you think it was maliciously taken or left there, or it's more likely to be a cock-up, isn't it?
MARIA VARMAZIS. Oh yeah, I mean, Maia Crimew just stumbled across it. It didn't take super long for them to find it either. That was, their blog post is super funny. And it's just basically using Shodan, looking for exposed Jenkins servers, all of a sudden, doink! What is this file? Oh my God, look at this.
Apparently a lot of the process in the blog post was actually trying to find journalists who'd be interested in this story. And a lot of them did not understand what Maia Crimew was trying to tell them, which is hilarious.
GRAHAM CLULEY. I'm reading the blog post right now, and the way they put it is, "Holy shit, we actually have the no-fly list. Holy fucking bingo, what?" Various emojis.
MARIA VARMAZIS. Yeah, it doesn't take a whole long time for Maia Crimew to find this file and be like, "Oh, that's what this is." It's just, it's ridiculous. So this isn't just people's names.
GRAHAM CLULEY. This is also passport details and license numbers and addresses and all sorts of information about crews as well as actual people on the no-fly list.
MARIA VARMAZIS. Yeah. Maia Crimew was able to find a bunch of other files that were exposed openly on the internet, including that information that had serious PII that you mentioned. The no-fly list had just, I believe, names and birth dates, which again, not a small thing either. But yeah, all sorts of other sensitive information was also wide open to the internet.
I mean, it's really a hacking story if it's just yet another bucket misconfig. It is, but it's like, oh my God. No, I know, but it keeps us employed, I guess.
CAROLE THERIAULT. But yeah, if I left, you know, if I left a golden statue in my front garden, would I expect it to disappear? Yes, I would, right? And that's kind of what they did. They kind of just left something, but they didn't leave it out front.
Someone had to go, you know, it's like I left it in my back garden in the corner off to the side.
GRAHAM CLULEY. I wouldn't say necessarily this was in the back garden at the corner. It feels like it was, maybe it was right on the curb.
MARIA VARMAZIS. Yeah, right there. Somebody went, oh, it's on the curb, this must be available. Yeah, it's somebody's donating this or it's going to trash, whatever. It's on— it's unclear.
CAROLE THERIAULT. Yeah, but it goes to show, I wonder if all small airlines have access to the no-fly list. Do— does everyone have that?
MARIA VARMAZIS. Is this— I would imagine they must, because they all have— if you fly within the United States, you have to comply with the United States federal air laws.
GRAHAM CLULEY. But do you need it as a great big list, or should there be a system whereby you can sort of look up a name or something?
CAROLE THERIAULT. Well, I suspect that's how it works, and someone has the whole list.
MARIA VARMAZIS. Yeah, or maybe it was a centralized database and someone's like, I'm gonna make a local copy. I mean, I don't know how it works on the backend. I mean, keep it on the cloud in CSV form with no protection. Maybe their internet went down at some point and they're like, well, we can't fly unless we have this list, so we better have a local backup. Like, I could totally see that.
GRAHAM CLULEY. Well, that's true. I mean, if you had to access some sort of shared resource and you were— if you were a baddie getting onto a plane and you realize you're on the do not fly list, then the thing to do is to DDoS the do not fly server, I suppose, isn't it? So people wouldn't be able to access it to look you up. So I guess people must have access to this data somehow.
CAROLE THERIAULT. Yeah. And did Maia get in touch with them to tell them that they found this?
MARIA VARMAZIS. That's a good question. So she's—
CAROLE THERIAULT. It's not responsible disclosure really if you're slapping this out there. So what happened?
MARIA VARMAZIS. So at the bottom of their blog post it says what happens next with the no-fly data. I'll just read what they wrote. Said, so while the nature of this information is sensitive, I believe it is in the public interest for this list to be made available to journalists and human rights organizations. So if you are a journalist, researcher, or other party with legitimate interest, please reach out to . I will only give this data to parties I believe will do the right thing with it. Alternatively, the data is now available for access upon request via DDoS Secrets. So the TSA knows now. They know. Yeah. No, I know.
CAROLE THERIAULT. But we do tap dance about, you know, responsible disclosure. And I think it's important. Yeah.
GRAHAM CLULEY. But they haven't, they haven't released the data to the wild, as it were, have they? They haven't. Publishing for any Tom, Dick, and Harry to see.
CAROLE THERIAULT. No, they're just telling their story. I suppose you're right.
GRAHAM CLULEY. They're just telling their story, I think, and sharing it with journalists to corroborate their story, maybe.
MARIA VARMAZIS. Okay. Given the outcome, could one classify this as, I hate saying this phrase, but hacktivism?
CAROLE THERIAULT. I think if they put the list out for everyone to see, yes.
GRAHAM CLULEY. Yeah, but they haven't done that.
MARIA VARMAZIS. They haven't done that, no. I mean, yeah, it is, I mean, again, exposed server to the wide open internet, like it's, ah, but at the same time, I mean, these things happen and it happens a lot. And I guess this is a better outcome than someone going, I'm just going to put it on Pastebin, go nuts.
GRAHAM CLULEY. So I don't know. You know, sometimes I get emails from people saying, would you like the contact details of 50,000 people who are interested in a particular product or something like this? Would you like this mailing list? And I'm thinking, if I ran a multinational evil conglomeration, and I wanted to get together all the baddies around the world for some mega conference, probably underneath a volcano, then this is the kind of list which I would really like. This would be fantastic, wouldn't it?
CAROLE THERIAULT. Yeah, you could hit them up, right? Hit them up.
GRAHAM CLULEY. Yeah, you know, make a sort of— I've got another whole new James Bond plot in the offing here.
MARIA VARMAZIS. I was going to say, you're really entering your James Bond villain phase. Yeah, yeah, yeah, yeah.
GRAHAM CLULEY. Crow, what have you got for us this week?
CAROLE THERIAULT. If you wanted to rob a bank, you need some guts, right? Because you'd have to storm in. You'd have to figure out the best time to do it when it was quiet and the security guy was having a poop or something. You'd have to cover your face to make sure no one could see you to describe you. You have to scare people into cooperating, hoping to God that in 30 seconds you'd have a fat bag of money and you'd be diving in your getaway car peeling out. Yeah, it's not for the faint-hearted.
GRAHAM CLULEY. No, it's not. What could go wrong there, you know?
CAROLE THERIAULT. And today, if you want to steal cash, you just go down the ransomware route, right? You're unlikely to get killed, you're unlikely to be recognized. Unlikely but not guaranteed, but much less likely.
GRAHAM CLULEY. A lot of crims are doing it.
CAROLE THERIAULT. That's true, a lot of crims are doing it.
MARIA VARMAZIS. Yeah, they're working from home in their pajamas.
CAROLE THERIAULT. And ransomware as a service, big model now, right? It's thriving.
GRAHAM CLULEY. Maybe they're in prison. Maybe they're in prison coordinating a ransomware operation by their mobile phone, which would be a cybersecurity angle. Oh, full circle.
MARIA VARMAZIS. We did it. We did it, everybody.
CAROLE THERIAULT. But last year, there was a notable shift in the ransomware ecosystem. Really? Yes, because had you asked me last year, I would have said that based on the fact that everyone's putting every digital thing they've ever done online in a cloud somewhere to keep, from nudes to prescriptions to photos to everything, it seems inevitable that ransomware is going to continue to plague both the lowly user and enterprises and companies and hospitals and all that. However, according to Chainalysis, this is a company that claims to be the blockchain data platform, they recently shared some ransomware findings and it's receiving more than its fair share of press because the news is rather surprising.
Cybercrime gangs have had a 40% drop in earnings in 2022. That's huge. So in 2021, extortions were estimated at $765 million, whereas 2022 was estimated at $460 million. 40% drop.
So why? Sadly, it's not because ransomware has had its heyday. Despite the drop in revenue, the numbers of unique ransomware strains in operation have reportedly exploded in 2022.
But despite this so-called explosion, there's a strong whiff of affiliations in the ransomware world. So while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to these strains seem to be carried out by the same people.
Microsoft security researchers back this up by analysis on similarities between attacks of different strains. And saying, look, how they're carried out is very, very similar. Must be the same people behind it.
GRAHAM CLULEY. Well, the same people behind the technology, I guess, but it could be different criminals who are actually launching them, couldn't it?
CAROLE THERIAULT. Well, this is where Chainalysis comes in because they look at blockchain wallet activity. And they say that often the ransomware attackers reuse wallets for multiple attacks. So in other words, there's loads of strains but it's being administered by a small group of folks.
MARIA VARMAZIS. Okay, we're with you.
CAROLE THERIAULT. But this doesn't really explain the 40% drop in ransomware return. 40%? Yes. Feels a lot. Doesn't it feel a lot?
MARIA VARMAZIS. That does, especially considering the fever pitch every year of ransomware is out of control. I mean, it's not a small issue. I'm not going to—
CAROLE THERIAULT. I'm going to try and convince you now.
GRAHAM CLULEY. Okay, try and convince us.
CAROLE THERIAULT. Yep. So Conti was a prolific ransomware strain for a few years, taking in more revenue than any other variant in 2021. But in February, following Russia's invasion of Ukraine, the Conti team publicly announced its support for Vladimir Putin's government.
Soon after, a cache of Conti's internal communications leaked and indicated connections between the cybercrime organizations and the FSB, the Russian Federal Security Services. Okay. Ipso facto, many ransomware victims and incident response firms decide that paying Conti attackers was too risky as the FSB is a sanctioned entity.
MARIA VARMAZIS. Oh, I see. Okay. Yep.
CAROLE THERIAULT. So Conti is not a sanctioned entity, but because there's connections with the FSB, people were like, I don't want to get in trouble. So Conti basically eventually responded by announcing its closure, right? So they just said we're not doing any more.
Conti's closure drove many affiliates or people to conduct attacks for other ransomware strains where ransom victims were more likely to pay because people weren't paying with these ones and notably not tied to the FSB as they could see. But because the people reused the same wallets, Chainalysis are able to better understand the ransomware ecosystem. So it all kind of makes sense. You're following me? Yep.
GRAHAM CLULEY. I'm with you. I'll tell you what I don't understand is if you are saying that Conti stopped getting ransomware payments because organizations didn't want to pay a criminal organization associated with the FSB. Wouldn't it be in the interests of the US authorities, for instance, to name lots of other ransomware groups as being affiliated with the FSB as well?
And people wouldn't pay them either. Why not claim that they're all working for the Kremlin?
CAROLE THERIAULT. I've linked to the Chainalysis report. So they do do a bit of that, saying here are the other ransomware attached with the same wallets. Right. So they're using the wallets as a way to link the people who are behind it.
They say the upshot of all this is that it may be more productive to think of the ransomware ecosystem not as a collection of distinct different strains, but instead of a small group of hackers who rotate brand identities regularly. So they basically just rebrand them.
MARIA VARMAZIS. Mm-hmm. Okay. Right? Yeah, yeah. Like a corporation.
CAROLE THERIAULT. Yeah. Mm-hmm. Bill Siegel, CEO and co-founder of Coveware, says the number of core individuals involved in ransomware is incredibly small versus perception. Maybe a couple hundred.
Wow. So he says it's the same criminals, they're just repainting their getaway cars. Fascinating. Wow.
MARIA VARMAZIS. Well, it definitely changes my perception of ransomware a little bit. It's— that's not at all what I would have expected. I thought it was just a huge wide web of thousands upon thousands and they were all just casting wide nets.
I would not have thought just a couple of hundred.
CAROLE THERIAULT. I think what's kind of cool about it for me as well is they're keeping to one wallet. You have also ransomware researchers looking at the actual nuts and bolts inside the code to see how they're operating, how they're encrypting, how they're working, whether it's a service, whatever, whatever. And you put those things together, you get a much different picture of what's going on.
And that's kind of cool. So yeah, interesting reading.
MARIA VARMAZIS. Wow. News you can use. Amazing.
GRAHAM CLULEY. How much money do these guys actually need? I mean, I can understand why Boris Johnson might need to keep on having dodgy loans given to him, but I mean, just what are they gonna do with all of this money? Even if their numbers have gone down by 40%, which—
MARIA VARMAZIS. Still a fuck ton of money though, yeah.
CAROLE THERIAULT. Yeah, I think Graham's hurting financially right now, and he's now why does anyone need more than when they need? 'Cause then I could have a bit more.
MARIA VARMAZIS. Give me some. I turn around and say, what drives them?
GRAHAM CLULEY. Because, you know, if you've made your fortune through ransomware, isn't that enough? Do you have to keep on going and maybe get yourself in more trouble?
CAROLE THERIAULT. Yeah, we've seen people step down when they have enough, Jeff Bezos, and Mark Zuckerberg, and yeah, all of them. Elon.
GRAHAM CLULEY. I think you'll find Elon is letting loose a lot of money. He's burning money.
MARIA VARMAZIS. He's burning that money. Oh yeah. Yes. Didn't he get the Guinness World Record for the person who's lost the most amount of money?
GRAHAM CLULEY. Yeah. Yes, lost the most money in history.
MARIA VARMAZIS. Amazing. All imaginary money that never existed to begin with, but he lost it. Amazing.
GRAHAM CLULEY. So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass. Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted. There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state, but one password manager that isn't making that mistake is our sponsor Bitwarden.
Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including, unlike LastPass, the URLs for the websites which you have saved passwords for. You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy. And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy.
They support importing from lots of other solutions, and there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate. And stay safe.
Today's podcast is also brought to you by NordLayer. Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business. As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents.
Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance. Simply go to nordlayer.com/smashing and get 1 month free. NordLayer is easy to start as it takes less than 10 minutes to onboard your entire business on a secure network.
NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems. And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth. So if you want to secure your business network, go to nordlayer.com/smashing to get your first month free.
And thanks to NordLayer for supporting the show.
Over 80% of all breaches occur when bad guys get their hands on the credentials of critical resources. Well, an efficient way to combat threats is using a Privileged Access Management, or PAM, solution.
An enterprise PAM tool like ManageEngine PAM360 offers a holistic picture of all the privileged devices, users, and credentials in your IT infrastructure. ManageEngine is part of Zoho that offers IT management solutions to over 280,000 enterprises around the world, so you're in good company. PAM360 is a fully functional Privileged Access Management suite that is easy to adopt and implement.
From managing and governing access to all your enterprise resources to automating the access management lifecycle in your organization, PAM360 does it all. It's also recognized by the Gartner Magic Quadrant. Additionally, PAM360 offers excellent round-the-clock support for all customers and onboarding assistance for enterprises that need fine-grained customizations.
PAM360 is the solution for value-oriented enterprises looking to achieve world-class Privileged Access Management without making a dent in their IT budget. Find out more and see for yourself at smashingsecurity.com/pam360. Smashingsecurity.com/pam360.
That's smashingsecurity.com/pam360.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we call Pick of the Week.
MARIA VARMAZIS. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Better not be.
Well, my pick of the week this week is not security-related. It is a particular niche form of pornography, which I'm interested in, which I'm going to explain. All right. Yeah.
So the particular branch of pornography I'm most interested in is property porn, which is—
MARIA VARMAZIS. Oh, not chess porn. No, no, no. Chest porn?
GRAHAM CLULEY. Oh no. I am actually a member of the chess porn subreddit, which isn't— it's mostly people drooling over lovely pieces rather than anything more fruity than that. But yes, no, I'm talking to you today about property porn.
And I've been— I've got a dirty little secret, ladies and gentlemen. When I'm on my exercise bike lately, I've been watching a TV show. It's— I mean, you know, it's not high culture. It's called Luxe Listings Sydney. And it's on Amazon Prime. Yeah. Yes. Amazon Prime. Yes. Yep. Luxe Listings Sydney.
CAROLE THERIAULT. You get half an hour or whatever, 10 minutes to yourself on the bike.
GRAHAM CLULEY. 45 minutes, thank you very much. And 45 minutes, and this is how you choose to spend your time.
This is how I'm choosing to spend my time. Okay. Rather than running some sort of dodgy scam from my prison cell, instead I'm on my exercise bike watching Luxe Listings Sydney. On my tiny little teeny Z1 phone. It is—
MARIA VARMAZIS. Graham, I'm with you. You have to watch trashy TV when you're doing bike stuff. I do the same thing.
GRAHAM CLULEY. You've gotta do it. You've gotta do it. Anyway, this is one of those reality programmes where, in this case, we've got a buyer's agent.
His name is Simon Cohen. He is someone who's helping people buy houses. And there's also two real estate agents, D'Leanne Lewis and Gavin Rubinstein.
And it's all fast cars, flashy cars, you know, flashy suits, complete wankers. It's just— Maybe I should restart that sentence.
CAROLE THERIAULT. Is that what you're doing on the bike? You can— Jeez. That's why you called it porn? Oh, God. I don't have the energy.
MARIA VARMAZIS. I don't wanna watch people wanking, thank you.
GRAHAM CLULEY. It's— The point is that they're going round incredible high-end luxury properties. It's $25 million, $30 million that we live in.
MARIA VARMAZIS. It's just disgusting the way the other half lives, you know.
GRAHAM CLULEY. I'm not sure it's a half, half a percent perhaps, but it is quite astonishing. And so I've been watching this because I'm currently in the market for a new property.
I'm looking around, the properties I'm looking at don't really compare with these. But I'm quite enjoying it. I find it quite enjoyable.
And so I am watching, and I'm not ashamed to say it, I am enjoying Luxe Listings Sydney on Amazon Prime. And it is my pick of the week.
MARIA VARMAZIS. Graham, I have to make a confession. Before I came on this show, I was agonizing what I was going to do as my pick of the week.
And I was, what's a show I've been watching lately? Oh, I can't mention any of them because they're all trash I watch when I'm on my bike. I'm not even joking. I was, I can't, 'cause they're all just stupid reality TV that I can sort of zone out to while I'm biking.
GRAHAM CLULEY. Tell us one. Tell us one, Maria. Come on, own up.
MARIA VARMAZIS. Yeah, there's this one called The Traitors. It's basically the Mafia party game, but they did it on TV and—
GRAHAM CLULEY. Oh yes, that's been on UK TV, but I think there's also an American version, isn't there?
MARIA VARMAZIS. Oh, I didn't know there were two different ones. I'm presuming I'm watching the American version. Okay. But yeah, I'm just like, that's not something I would just sit down and watch, but I'm on my bike, I'm— yeah, I absolutely— yeah, why not?
CAROLE THERIAULT. Yeah, that's better though than— no, Carole, have you watched Luxe Listings Sydney? I just— anyone who wants to buy a house for $100 million because, oh, we definitely need 50, you know, a 5-bedroom house for the dog.
MARIA VARMAZIS. Do you watch Grand Designs?
CAROLE THERIAULT. Just— yeah, occasionally.
MARIA VARMAZIS. Isn't that just sort of similar?
CAROLE THERIAULT. Well, it has some integrity.
GRAHAM CLULEY. Carole, you don't really get to see the actual buyers. It's mostly their agents, people— because when you're that rich, you don't actually buy the property yourself. You get someone else to do it all for you.
MARIA VARMAZIS. You just trust their taste. Oh my God, I can't imagine. I cannot imagine. Thank you, Graham.
CAROLE THERIAULT. You've had a great week. You've had a great week.
MARIA VARMAZIS. I feel like I made my confession. I feel better already. I'm enjoying it anyway.
GRAHAM CLULEY. Maria, your pick of the week.
MARIA VARMAZIS. I'm not on TikTok. But this person is very famous on TikTok and also on Twitter, and their videos get reposted.
I see them all over everywhere, at least where I live. His name is Matt Shearer, and he is— he's a local reporter here in the Boston area for a really old-school radio and TV station called WBZ.
So it's the old grandfather of TV and radio around here. And he's a young reporter, and he has gone viral a gajillion times on TikTok for his hilarious videos about all the weird quirks and foibles and strange characters in the area where I live in Massachusetts.
And he's got— it's one of those things where if you've ever been to this area, you might recognize some stuff, but if you haven't, you would go, is any of this real? And I can assure you that it is.
And he's just got this knack for making these really funny minute-and-a-half videos that are just brutally funny with a very weird sense of humor. There's a really famous one he did about 3 Market Baskets within on the same street.
The Market Basket is our supermarket chain up here that people are religious about, myself included. It's a whole thing.
He also has a very famous video about how the town of Stow lost its only Dunkin' Donuts and the entire town was in mourning not having a Dunkin' Donuts. It's really like that around here.
And his videos are super funny. So yeah, Matt Shearer at WBZ. I think his Twitter account is @MattWBZ. But if you've ever seen a video that's gone viral about something stupid in Massachusetts, it's probably him who made it.
GRAHAM CLULEY. Ah, fantastic. I love the idea of that. Yeah.
MARIA VARMAZIS. And he just did a video as we've been talking in my hometown of Chelmsford. So I just saw that pop up as I was going to put his URL in on the show notes. And I was like, oh, he just went to my hometown. That's amazing.
GRAHAM CLULEY. Oh, it's snowy there, Maria. I'm watching the video right now. Oh, yeah? It's— oh, blimey.
MARIA VARMAZIS. That's what it's like. That's what it's like out there. That's what it's like out here. This is normal. Actually, this is a small amount of snow for us. Graham's never seen snow.
GRAHAM CLULEY. No, I never, never.
CAROLE THERIAULT. Crow, what's your pick of the week? I have a great one and I've been saving it for Maria because I know she's a bit of a sci-fi junkie. Oh, indeed. Yeah. Okay. So my pick of the week is a Netflix miniseries called Hot Skull. Have either of you seen it?
MARIA VARMAZIS. Hot Skull. Hot Skull. S-K-U-L-L. Yeah. H-O-T.
GRAHAM CLULEY. I've never even heard of it.
MARIA VARMAZIS. Oh yeah, thank you. I appreciate that clarification. Okay, I'm setting up the premise right now.
CAROLE THERIAULT. You guys are going to be hooked. You ready? You ready?
Yeah, yeah, I'm ready. For the past 8 years, a worldwide epidemic has been affecting how people communicate. I know, I know, I know. It's called ARDS, A-R-D-S, okay?
And the main symptom is the people infected speak nonsense, okay? They are called jabberers. The virus is spread via the jabberer, okay?
If someone who doesn't jabber is exposed to a jabberer's speech, they would become infected. So to protect themselves, people around wear ear muffs, noise-cancelling headphones throughout the streets of Istanbul.
GRAHAM CLULEY. At set.
CAROLE THERIAULT. Okay. And enter our hero, Murat Siyavuş. He somehow found himself immune to the Jabber virus, right? He's the only one.
GRAHAM CLULEY. Has he just got a lot of earwax? Is that how he's immune?
CAROLE THERIAULT. He seems to be able to communicate with other people just fine. But when he's exposed, he tests himself by listening to tapes of Jabber, and his head spikes in temperature, but he recovers, and he never jabbers. Hence, hot skull.
Oh, right. Okay. Okay? Gets a hot skull.
So, he is hunted by those in power, of course, 'cause he's known as the one who, you know, is immune. But he wants to elude them 'cause he wants to search for the secret of his hot skull. It's frickin' fabulous.
I loved it. It's a miniseries. It's on Netflix. It's great. It shows you what a lot of imagination and heart can create. I'm gonna—
GRAHAM CLULEY. How does a TV series get made? 'Cause this is the most bonkers idea for a TV show ever.
MARIA VARMAZIS. There was an episode of Star Trek: Deep Space Nine that had this premise. So, I'm just saying that. Oh!
I've never seen this show. And I'm actually wondering if I can watch it in the US. It might not be available. And that might be why I've never heard of it.
CAROLE THERIAULT. I hope so. It's called Hot Skull. I found it on Netflix in the UK.
If you like a wacky premise and a sci-fi angle, this is for you. Check it out. My pick of the week.
GRAHAM CLULEY. It's certainly whack if you ask me. Well, thank you. That just about wraps up the show for this week.
Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS. Honestly, nowadays I use Mastodon more than Twitter. On Mastodon, I am @varmazis, @mstdn.social if you can remember all that. I'm still @mvarmazis on Twitter.
And of course, I'm on the CyberWire and I'm doing— I'm the space correspondent. Darknet. So if you listen to the CyberWire, you can hear me there as well.
CAROLE THERIAULT. Space.
MARIA VARMAZIS. Space. Final front ear. Front ear. Yes.
GRAHAM CLULEY. Yes. And you can follow us on Twitter @SmashinSecurity, no G. Twitter won't allow us to have a G. No chance of that happening anytime soon, I imagine.
Smashing Security also is on Mastodon. We love it too. You can find us most easily by going to smashingsecurity.com/mastodon and that will redirect you to our account.
And look, check up the Smashing Security subreddit on Reddit and don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT. And massive shout out to this episode's sponsors, Bitdefender, NordLayer, and ManageEngine PAM360. And of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest list, and the entire back catalogue of more than 305 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio.
MARIA VARMAZIS. Bye-bye. Bye. I'm better. Yay. I'm glad you're better.
GRAHAM CLULEY. Yay. Welcome back, Carole.
CAROLE THERIAULT. Thank you, Graham. Do you know, Maria, I was looking for the show notes for this episode and I mistyped and I didn't notice because your name, you did episode 36 with us on the 3rd of August, 2017. Oh my God, are you serious?
Yes, and your topic was Flash. Oh, Flash, what is Flash? It's not dead yet.
MARIA VARMAZIS. That's what you said. Yeah, well, I thought you were gonna say Facebook. No more Facebook, please.
CAROLE THERIAULT. There you go. Blast from the past.
MARIA VARMAZIS. Oh my God, 2017. I was a baby.
-- TRANSCRIPT ENDS --