This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Dave Bittner
No one knows the wrath of a bride and the mother of the bride.
Carole Theriault
No sexism here.
Graham Cluley
Yeah, a bit sexist actually, Dave. We're not sexist on this show.
Dave Bittner
Oh, come on.
Graham Cluley
We're very woke. What is sexist about it? No, you just said you like—
Dave Bittner
Tell me one story about Groomzilla. There is no show called Groomzilla. Give me a break.
Unknown
Smashing Security. Episode 141: Black Hat and Bridezillas with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 141. My name is Graham Cluley.
Carole Theriault
Is that number a little bit big for you there, Graham? My name is Carole Theriault.
Graham Cluley
I did have a spot of bother there saying the number 141, didn't I? Hi, Carole. Good to hear from you again. Everything going well in your world?
Carole Theriault
Yes, yes, we talked about 10 minutes ago. So yeah, nothing's changed. Nothing's changed. We're still rocking.
Graham Cluley
Other people might care as well. And we're joined this week by Dave Bittner, all the way from The CyberWire.
Dave Bittner
Hello, I am glad to be back.
Carole Theriault
My other kind of fellow host in another planet of pod.
Graham Cluley
Oh yes, because people who don't know, The CyberWire and Hacking Humans, both produced and put together by Dave and his happy crew features regular correspondents, doesn't it, Carole, from you?
Dave Bittner
Yes, we have a UK correspondent of Canadian origins.
Carole Theriault
That's such a funny title. I laughed so hard when that title was handed to me. UK correspondent.
Dave Bittner
Well, you know, I have a question before we dive in here. One of my favorite things about listening to Smashing Security is that as the episode goes along, towards the beginning of the episode, you bleep out the curse words. But then as you make your way through, it's like whoever's turn it was to do the edit that week, because it's "ah, screw it, just let them through."
Graham Cluley
How interesting you spot that.
Carole Theriault
Yes, I can explain. So the way we work it is that Graham actually edits the first 20 minutes of the show.
Dave Bittner
Oh.
Carole Theriault
And I edit the second half of the show.
Graham Cluley
Yes, I see.
Carole Theriault
And I think I'm a little more comfortable with harder language than our gentle Mr. Cluley.
Dave Bittner
I see. See this? I'm glad I asked. This is a revealing behind the scenes. I like it.
Carole Theriault
You can always tell us which bit of the show you like better, part 1 or part 2, right? I'm always interested.
Graham Cluley
Yeah, if you fucking believe that, you'll fucking believe anything. So, yes, Carole, without further ado, what the fucking fuck have you got for us this week?
Carole Theriault
A huge thank you to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you the show for free. Now on today's show, Graham talks about ransomware that holds your pics hostage. David pokes fun at a Black Hat sponsor who made some truly unbelievable claims. And I'll be putting Dave and Graham into a wacky scenario. It should be fun to see how they're gonna get out of it. All this and more coming up on this jam-packed episode of Smashing Security.
Graham Cluley
Sounds like trouble.
Carole Theriault
My middle name.
Graham Cluley
Well, chaps, as we've already mentioned, we are joined this week by true podcast royalty. David Montgomery Bittner is here. David.
Dave Bittner
That's Mr. Bittner to you, please. Thank you.
Graham Cluley
David, you're famous throughout the world, of course, for your fantastic performances on CyberWire and Hacking Humans, Grumpy Old Geeks, etc. The list goes on and on.
Dave Bittner
Okay.
Graham Cluley
I can only imagine really the kind of life you lead.
Dave Bittner
Lamborghinis of the rich and famous have nothing on you. Diamond pools.
Graham Cluley
Swarovski crystal Segways.
Dave Bittner
Chauffeured limousines every day to and from the studio.
Carole Theriault
Did you say bedazzled Segways?
Graham Cluley
Not bejazzled, no.
Dave Bittner
Bedazzled Segways, yes, it's true. I actually have— I've hired someone to ride my bedazzled Segway because I can't be bothered with it myself.
Graham Cluley
It's not all fun, it's true.
Dave Bittner
It's not all fun being serious famous. Oh no, no.
Graham Cluley
It's a tremendous responsibility.
Dave Bittner
I'm quite lonely.
Graham Cluley
There are autograph hounds. There are groupies.
Dave Bittner
Yes.
Graham Cluley
There's paparazzi.
Dave Bittner
There are.
Graham Cluley
Staking you out 24 hours a day, right?
Carole Theriault
Mm-hmm.
Graham Cluley
Catching you off guard as you skip into some musical theater or, you know, if they can.
Dave Bittner
Fortunately, I lived in a gated community with—
Carole Theriault
They're shouting over the fence, "Strike a pose, Dave, strike a pose."
Dave Bittner
Yes, all true.
Graham Cluley
All the time you're hearing that click, click, click, aren't you? Click, click, click of the paparazzi's cameras, yeah.
Dave Bittner
Yeah, yeah, it's a burden, but I'm willing— one I'm willing to make for the greater good.
Graham Cluley
And what if, Dave, what if you had a way of fighting back against the paparazzi? Go on. What if you had a way of making their candid pictures of you with coleslaw down the front of your shirt worth peanuts so they weren't able to sell them to the rags?
Dave Bittner
I'm listening.
Graham Cluley
Well, you will be interested in some research which has just come out from the boffins at Check Point. They found a way to exploit vulnerabilities on DSLR cameras, specifically the Canon EOS 80D. Now, do either of you have a DSLR?
Dave Bittner
I do. I can't say I've used it in a long time.
Graham Cluley
I don't. Right, so DSLR— they are the digital versions of those old big fat cameras with the great big lenses. You know, they take really nice photographs. It's still, I think they're better than the typical smartphone photograph, but of course you've got to lug them around. And Nikon and Canon are sort of the two big names, aren't they? And unlike cameras of old, modern DSLRs, they have a way of transmitting images to your computer. You can either do it via USB or via Wi-Fi using a protocol called Picture Transfer Protocol, PTP, PTP they call it. And researchers at Check Point discovered that just as cybercriminals can encrypt the sensitive data on your computer, they can also hold your pictures to ransom on your actual camera. Yes!
Carole Theriault
You really have to care about the picture, eh?
Dave Bittner
I don't know if I care.
Graham Cluley
Well, Carole, pictures are precious. If you are at, for instance, a wedding or on holiday or something like that, the sort of thing where you might actually take your DSLR camera because you care about it, you think, "I don't want my smartphone camera." I want a proper camera to take really good photographs. They're going to be the most precious ones. They're going to be the ones for the big family occasions, the baptisms, the— I was going to say burials. I was going to say, well, maybe not.
Carole Theriault
I love a picture of the corpse.
Dave Bittner
Good photo op, yeah, exactly. Just get a little closer to the casket there. Okay, good, good.
Carole Theriault
Put your arm around him.
Dave Bittner
Yeah, oh, so it's not really good for that.
Graham Cluley
Oh, if you're paparazzi, if you're a professional photographer, you're going to have one of these kind of cameras.
Dave Bittner
Right, well, that I think is the thing, that these are professional cameras. These are not cheap. And so the folks who are using these for, I mean, imagine that you're a wedding photographer and you've been paid a good amount of money to photograph someone's wedding. And that's a once in a lifetime event.
Graham Cluley
Well, these days.
Dave Bittner
So someone holds, well.
Graham Cluley
Quite often it's repeated.
Carole Theriault
Well, it's bad, but it's not that bad. It's not Ebola bad.
Graham Cluley
Oh, but well, it's not, no, you don't want Ebola at a wedding, but you would at least want some photographs.
Carole Theriault
It might be mildly annoying.
Graham Cluley
I love, Carole, that your scale of badness starts at nothing at all versus Ebola.
Carole Theriault
I was using a little hyperbole there.
Graham Cluley
Oh, okay.
Carole Theriault
A little hyperbole.
Dave Bittner
So if you held someone's wedding photos ransom, I could imagine the professional photographer paying you something to get them back. No one knows the wrath of a bride and the mother of the bride.
Carole Theriault
Yeah, no sexism here.
Graham Cluley
Yeah, a bit sexist actually, Dave.
Dave Bittner
Good.
Graham Cluley
We're not sexist on this show. Oh, come on. We're very woke.
Dave Bittner
What is sexist about—
Graham Cluley
No, you just think—
Dave Bittner
Tell me one story about Groomzilla. There is no show called Groomzilla. Give me a break. The groom shows up. Graham, you're married. I'm married. What is our job at the wedding? To show up and be told where to stand?
Carole Theriault
That is exactly the problem. That's what you think your job is. Your job is to help organize the fucking day. Where the hell are you during all that?
Graham Cluley
No, no, no, no, no, no.
Carole Theriault
Down the pub.
Graham Cluley
No, no, we're not—
Dave Bittner
We have not been spending our lives dreaming of this event.
Carole Theriault
Or have I?
Graham Cluley
Well—
Carole Theriault
Just 'cause we have boobs doesn't mean it's a—
Graham Cluley
Whoa, whoa, wow.
Carole Theriault
Whoa, don't worry, bleep.
Dave Bittner
All right.
Carole Theriault
It's Graham's section.
Graham Cluley
Okay, right. I think you agree. There's serious damage that could be done if you couldn't update your Instagram with your latest selfies, if you're an Instagram celebrity. Dave, have you got an Instagram account?
Dave Bittner
I do not.
Graham Cluley
You don't? Oh, see, I'm beginning to feel maybe Smashing Security should have an Instagram account.
Carole Theriault
Well, hey, yeah, you go run that.
Graham Cluley
Oh, I don't fancy that. I thought maybe you could, just the wedding. You can organize that.
Carole Theriault
Oh yeah, of course.
Graham Cluley
Anyway, the chaps from Check Point, they developed this way of basically infecting DSLR phones via this protocol. So updating the firmware with something malicious, which would encrypt the pictures which were currently being held. On the camera before they were transferred to the computer. And they even added a picture, which was a lovely little, very attractive little screen that they've put there. And we'll put a link to it in the show notes so you can check it out as well, which says, "Your pictures have been encrypted. We're white hat hackers. Don't worry, smiley emoji. A malicious actor—" I hate, by the way, they call them actors. I find that very confusing when hackers are called actors all the time. Anyway, "A malicious actor would have taken your camera, encrypted all your images for ransom. To stay protected, update the firmware." So this isn't something which, as far as we know, has been done by bad guys out there, but has been done by researchers.
Carole Theriault
It's an interesting dilemma because even though their goal is different, they're still kind of messing around with my phone without me asking them to.
Graham Cluley
Well, they're not doing it to strangers, Carole. I imagine they're just doing this to their own cameras at the moment, aren't they? They're not going around the streets. Well, what's the point of the smiley face then if they know, like, you know? A good point, actually. Yeah. Why have they done it? Is it because they were worried that there could be someone in the vicinity who they accidentally, in fact, maybe they weren't doing it in a Faraday cage? I don't know. Or is this just purely for the purposes of the press release? I don't know, but—
Dave Bittner
It strikes me that one of the issues here is that how often do the folks who own these cameras update their firmware?
Carole Theriault
Yes. Oh, like never, I guess. Right. Well, maybe if you're a professional, you would though, because it's your livelihood, right?
Graham Cluley
Perhaps, perhaps, but I suspect many of us may have DSLR cameras tucked away in a drawer somewhere, which only get brought out at weddings and special events. And the main thing you're worried about is, have I charged the battery? Is there enough room on the memory card? You're not looking in the options to see, is there a firmware update or should I be downloading something to install on this thing? So I suspect they are left for much, much longer than the typical laptop computer is. I don't know.
Dave Bittner
Do we think that this is going to go anywhere? No. No.
Graham Cluley
I don't. No. I think the researchers say that although they found these vulnerabilities in the PTP protocol implemented by Canon, that they're probably also present in other cameras as well. So there may be other models which are affected and so probably other cameras which need to be updated. But it feels to me like there's an awful lot of faffing about for the bad guy, you know, where they could just infect your laptop instead. With a malicious email attachment. I mean, in the report they do give some scenarios, like for instance, they say, well, an attacker could set up an infected Wi-Fi access point at a tourist destination to pull off a camera ransomware attack. Again, it feels like an awful lot of effort to go to when there's so much easy money to be made elsewhere. But if you were celebrity Dave Bittner and you didn't want those sort of things—
Carole Theriault
Dave Bittner.
Graham Cluley
Oh gosh.
Carole Theriault
Dave, I swear to God, you see?
Graham Cluley
If you were celebrity Dave Bittner and you had paparazzi pointing cameras at you, you might quite like it, wouldn't you? If you could press a little button or something and initiate an attack. Maybe that's just the British pronunciation of my name.
Dave Bittner
Oh, right. Yeah. Like aluminium and— Massage.
Carole Theriault
Massage. What is it? I don't even know which one's which. That happens a lot.
Graham Cluley
Garage. Garage. Garage.
Dave Bittner
Garage. Garage. Garage. Garage.
Graham Cluley
Horrendous.
Dave Bittner
It seems to me that if you could actually brick the camera, now you're talking.
Graham Cluley
Oh, I think you probably could.
Dave Bittner
Because now you got a professional's attention because the camera has so much value. These are not cheap cameras. No. But surely you'd go to the shop and they would just update the firmware and fix it. That would be the hope anyway. If I was out on a shoot somewhere, out covering the Ebola outbreak and they said to me, unless you send me $100 in bitcoin, your camera is bricked.
Carole Theriault
Yeah, okay, I like this one.
Dave Bittner
Then maybe I'll send the $100.
Graham Cluley
I've got some advice for you. Even though I don't think this is extremely likely to happen, I think we should give folks advice, and that is avoid using unsecured Wi-Fi networks. Don't let your camera automatically join Wi-Fi networks. That's a bad idea. In fact, you should probably turn off your connectivity functions in your camera when they're not being used. It makes sense anyway, because Wi-Fi is going to be a real battery hog, and that's the last thing you want happening, isn't it, if you're taking some photographs of a family event. And update and obviously install any software patches, security patches, firmware updates which come out for your camera, just like any other gadget. So keep yourself protected that way.
Carole Theriault
So basically the same old advice we've been giving for about a decade.
Graham Cluley
No, Carole, let's not suggest that we're just repeating ourselves on this Smashing Security podcast. It's not like we do a daily show, Graham.
Carole Theriault
It's— Dave, what's your topic today?
Dave Bittner
Oh, Carole. Over to you, Dave. Well, my topic, Carole, is about a presentation that was given last week at Black Hat that has caused quite a stir. This is— some folks gave a presentation that was titled "The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean for Encryption?" What a title, eh? Just on that alone, you'd just be like, "What?" Yeah, so the presenter was a gentleman named Robert E. Grant.
Graham Cluley
No relation to Richard E. Grant, was it? From "Withnail and I"?
Dave Bittner
The iconic actor? So anyway, Carole—
Graham Cluley
Just thought you might have got his name wrong. That's all.
Dave Bittner
The company name is Crown Sterling, which to me sounds like it's from your neck of the woods, and they're pitching something called Time AI. Now I'm going to read part of the pitch here. It goes a little bit like this: "A new understanding of how mathematical constants interact with primes and quasi-primes to propagate and mirror-reflect in infinite wave conjugations. Academic researchers believe this discovery may be the key to unlocking a new unified physics cosmology, a theory of everything. Time AI is an entirely new classification in data privacy called quantum encryption, an impenetrable system utilizing 5 dimensions of encryption technology."
Graham Cluley
Only 5 dimensions? How disappointing.
Carole Theriault
David, you could sell anything.
Graham Cluley
He's so smooth, isn't he? He's so good. It is like chocolate.
Dave Bittner
When you have as much practice as I have doing a daily podcast. Of course, Dave, I understand, buddy. Yeah, you get to work your instrument, as it were. So while this gentleman was giving this presentation, there were folks in the audience who understand high-level mathematics and encryption.
Graham Cluley
Right, yeah, wrong audience to choose, right?
Dave Bittner
Honestly. And they took issue with many of the things he was proposing here. There is a YouTube video that this company Crown Sterling has put out promoting their discoveries, and it is a lot more of this sort of, dare I say, word salad. "Infinite variations within music composed real-time by artificial intelligence."
Carole Theriault
"Time AI generates quantum encryption keys as unique as your own iris."
Dave Bittner
"Each quantum public key is paired with two quantum private keys that are entangled through mirror symmetry mathematics in value, time exposure, and oscillation speed. These quantum keys change at the nanosecond scale of time, directed by state-of-the-art AI technology harnessing time's entanglement."
Carole Theriault
"One key from the past and one key from the future, changing the number series 1 billion times per second with no pattern."
Dave Bittner
"The speed of the AI oscillations allows—"
Graham Cluley
There's a lot of buzzwords here. I'm not understanding any of this. What on earth is going on?
Carole Theriault
That's because your attention span is like a microsecond or even shorter, like a nanosecond. So you would just hear 3 words and go, "No, this is boring for me. I didn't hear Doctor Who, so I'm not paying attention." Sorry, Carole, what were you saying?
Graham Cluley
I was just looking at my phone there. I was just checking out Twitter.
Dave Bittner
Yeah. Are there any applications of this to chess? Because otherwise, I'm over here.
Graham Cluley
Okay, so they're utilizing 5 dimensions of encryption technology and basically a whole new unified cosmology, a theory of everything. Sounds pretty impressive stuff. Yes, absolutely.
Dave Bittner
So folks took issue with this in real time. My understanding is that one person in the audience was actually removed from the presentation because he was challenging the presenter. So that gets to the next point, which is that this was a sponsored presentation. And the way that many of these conferences work is that you can do a keynote if you pay to have the space. There's nothing wrong with this. This is the way that many of these conferences pay the bills. These keynote presentations are not cheap. They can run in the six figures for the privilege of doing a presentation. But as is sort of demonstrated here, the vetting of these presentations could be a little more lax than the folks who are just on the academic track because, well, money talks, right?
Graham Cluley
I mean, they've effectively rented the room for half an hour or 45 minutes, haven't they? And I imagine the conference organizers don't really care. They've marked it as a sponsored keynote and everyone goes in knowing that they've paid to pitch.
Carole Theriault
But you know what, I imagine that there was the write-up in the little pamphlet for Black Hat, right? And then a bunch of people, people that would never normally go and attend this stuff, probably read the intro, and it was probably written very similarly to the quote you read out, and they probably just thought, what, WTF, what is going on here?
Graham Cluley
And then just went for it because they're pretty excited discovering quasi-prime numbers, Carole, and a theory of everything.
Carole Theriault
Yes. You know, big deal. Time AI. Yeah.
Dave Bittner
So here's the other part of it though, is that I think these folks from Crown Sterling now in their own promotional materials, they can say as featured in a keynote presentation at Black Hat, the international hacking conference. So they paid to be able to say that. And maybe that's all they were after. That's money well spent as they're trying to go out and raise money for this endeavor.
Carole Theriault
You know what though? They now have a little bit of a Twitter tail following them around a bit, right? So it makes them a little less attractive. So what do you guys make of this?
Graham Cluley
Well, I mean, conferences have to survive and sometimes you need companies with big pockets to pay a bit of cash. You know, they don't always want to sponsor the lunch or they don't always want to sponsor the bags. They want to have an opportunity to speak to your audience, don't they? And I think as long as it's clearly marked as a sponsored presentation, most people, if they see sponsor presentation, they're kind of going, oh, you know, do I really want to go to that?
Carole Theriault
I completely disagree with you. Oh, really? Yes. Of course you want to be able to have sponsors that you're proud of, right? You don't want to just be selling. We certainly vet our sponsors. We don't just allow anyone, right? So you kind of want people to kind of look into the message. And I mean, even just reading what you wrote here, just the quote is ridiculous, and you just want more information.
Graham Cluley
But if a company has come to you and given you $100,000, let's say, for giving a keynote presentation at Black Hat, it's going to be quite difficult to vet them, isn't it? It's not like most of these companies will have the presentation available. It's not like they're going to make changes if you request them. They're going to say, "Well, this is what we want to talk about, what we think will be of interest to your delegates."
Carole Theriault
And to your point, the sponsor fee that they provide in order to do this keeps the entry fee much more affordable, right? So it's kind of, if it's $100 grand, that's a big benefit to everybody else.
Dave Bittner
Black Hat does say in their materials that the paid keynotes cannot just be sales pitches. You have to be talking about some kind of technology or something like that, which they were doing here. It's just lots of people in the audience say they're selling snake oil. I don't know.
Graham Cluley
I feel like if people want to talk complete codswallop, they should be allowed to, or at least there should be an opportunity for people to hear what they say and then throw tomatoes at them and say it's nonsense.
Carole Theriault
No, I think you should have rules, right? If your rules are to say what you want, we don't care, you're the sponsor, you're the boss, fine, right?
Graham Cluley
But surely, surely he's going to understand that this is a discovery of quasi-prime numbers, a new theory of everything, man. This is five dimensions of encryption technology.
Carole Theriault
Just because you were baffled by it, right, doesn't mean that most people with a brain wouldn't kind of go, "Hey, wait a minute, this seems really, really crazy." You would think so too if you actually paid attention long enough to read what they said.
Dave Bittner
And hey, what if they're right and everyone else is wrong? It could be. It could be, right? Could very well be.
Graham Cluley
Did people not laugh at Galileo? Exactly, right? Exactly. Engelbert Humperdinck was once not recognized as a musical genius.
Dave Bittner
Einstein worked in the patent office. There you go. So we'll see. Time will tell. AI time.
Carole Theriault
AI time will tell.
Graham Cluley
Time AI. Time AI will tell. Carole, Carole, it's time to find out what you're going to talk to us about this week. And of course, I'm going to hand over now the editing of the rest of the podcast to you. So prepare yourself, everybody, for the swears. Strap it in.
Carole Theriault
Okay. So everyone, close your eyes. Okay. Now don't do this if you're obviously driving or walking or watching out for your little cherubs.
Graham Cluley
Performing open heart surgery. Right. Something like that. Right.
Carole Theriault
But every other activity is perfectly safe. So go on and close your eyes. Now I want you to imagine you're at a conference in your preferred field of interest and you're there because you are an authority on this topic. And they have asked you specifically to present the keynote. Dave, you were at the musical theater shindig, and Graham, you're at a regional model village convention. In other words, this is a big deal, guys. Yes. Now, of course, you arrive on time, fully charged MacBook under arm, your presentation's all ready to go, all with the Comic Sans fonts and the multicolored text and the whiz-bangs and the annoying switching.
Graham Cluley
Lots of bullet points.
Carole Theriault
Yes. Bullet points. And you're waiting for a call from the organizers for where you should go and set up. Okay. But quelle horreur! Your phone is dead and time's a-ticking, right? So you're scrambling through your bag, in your pockets, looking for the freaking Lightning cable. Maybe I'll beep that out. Maybe I won't. So you can steal some of the MacBook juice, right? Okay, yes. But you can't find it anywhere. You stupidly forgot your Lightning cable at home. Imbecile. Now sweat starts to pinprick at the back of your neck. You repeatedly mumble expletives like Graham, you'd be like, "crumbs, crumbs, crumbs," right? It's always food related with you, isn't it? It's always food related. And Dave, you'd be swearing like a sexually frustrated pirate, I'm sure.
Graham Cluley
Sorry? Is there any other kind?
Carole Theriault
But then, like a rainbow after a wall of rain, this wonderful lady called Janine walks up. She says she saw your sweaty distress and tells you not to worry. Right. And she rummages in her fanny pack and offers you her very own Lightning cable. And you're so grateful, right? You actually kiss her on the top of the nose, right? You grab the cable, plug your phone into your MacBook, and hoover up a sliver of power to get the phone call. And everything goes tickety-boo, right? Your MacBook recognizes and detects your phone, asks whether you wanna trust this device, blah, blah, blah. And as a thank you for saving your proverbial bacon, what do you do? A, do you offer an autograph and a podcast sticker as a special thank you?
Dave Bittner
Goes without saying.
Carole Theriault
Or do you kick her in the shins and scarper for forgetting to return the cable?
Graham Cluley
No, you wouldn't do that.
Carole Theriault
So you'd hand her an autographed picture or something like that. Yeah, well, a sticker.
Graham Cluley
A sticker would be nice, wouldn't it? I might borrow her smartphone and go to the podcast app and subscribe her to the show and say, "Oh, I'll give you a shout out next episode." Something like that. You know, that's what I normally try. I'd normally try and steal someone's phone to subscribe them to the podcast.
Carole Theriault
Well, would you be surprised that it turns out that maybe kicking the lovely Janine in the shins might have been the best thing you could have done here? Because you've kept your hands on that cable. And this Lightning cable, the one that Janine gave you, looks like every other Lightning cable you've ever used. You know, pretentiously white. But actually, it's a powerful data-snarfling and snooping snake of a thing. So this is all according to an article in Vice penned by Joseph Cox. Yes. So basically this dude who goes by the moniker MG physically upgraded real Lightning cables to basically allow an unauthorized third party to basically give them full control.
Graham Cluley
Right. So your MacBook imagines that you've actually plugged in a keyboard rather than a Lightning cable and is able to send keystrokes to the laptop. Which could be evil.
Carole Theriault
And you'd think this would be difficult to do, but he says in the article, quote, "In the end, I was able to create 100% of the implant in my kitchen and then integrate it into a cable," unquote. So he made these by hand, modifying them to include mini powerful implants that could action various things like payloads or scripts or commands. And a hacker could even remotely kill the USB implant, hopefully hiding evidence of its existence or that it's even been used. Oh, I see.
Graham Cluley
So after it's activated and done its dirty work, it could just turn into a— you'd think, "Oh, Janine, this Lightning cable no longer works. It's not doing anything," but you throw it away. Yeah.
Dave Bittner
Get rid of the evidence.
Graham Cluley
Can I have my sticker back? Something like that.
Carole Theriault
Now, he showed these off at DEF CON and get this, he is now selling these cables. Oh, I bet he calls them O.MG cable. Get it? Because his name's MG. Here he goes, like MG. OMG. Oh my God. Yeah, see, really funny. See, Graham, that's the kind of caliber of joke I expect from you, okay? That's what I want more of in the show. Now, Vice reports that MG said Apple cables are simply the most difficult to do this to. So if I successfully implant one of these, then I can do it to any other cable.
Graham Cluley
Why are they difficult to do? Is it because they're sort of sleek and small and pretentious white.
Carole Theriault
I don't know.
Graham Cluley
What's so pretentious about something being white? Well, it is. I mean, computers get dirty, right? It's a bit like running trainers. I just don't get it. Coincidentally, that was my rapper name back in the day. Oh, I thought you meant Dirty Trainers. Okay.
Carole Theriault
Now, how much do you think he was charging for these? $99. $200. Oh, I was gonna say $50. Wow, $200.
Graham Cluley
That's more than an actual Apple-purchased Lightning cable. I mean, they're pretty expensive, aren't they?
Carole Theriault
Well, this one does so much more.
Dave Bittner
Only a few dollars more than what they charge you at the Apple Store. Well, I wanna know who do you think he's selling these to? Who do you think his target audience market is, who do you think's buying them?
Graham Cluley
Well, not just bad guys. I would think also penetration testers. So people who want to prove how easy it is and indeed people who want to do a presentation at some security show.
Graham Cluley
What a great thing to have in your repertoire is, see this Lightning cable, let me plug it into your laptop. Oh, I now own your laptop. So it's kind of a cool party trick from that point of view. I think a lot of people just want to have these things in their ownership.
Carole Theriault
I mean, that's certainly his sales pitch, right? This is a legit security tool, excellent for red teaming. So for those that don't know, red teaming refers to a kind of attack team in a cyber scenario, right? Red team tries to break into—
Graham Cluley
It is a bit pretentious. They call themselves red teams.
Carole Theriault
And the red team tries to break into something, perhaps like a protected network, while the blue team attempts to foil the attack and protect the assets. So we're so fun, we're so fun in our industry. But I can totally see an argument for someone, a vengeful ex-partner, for example, or a furious employee, for example.
Dave Bittner
Yeah, just leave one of these, leave one of these in the lunchroom at work.
Graham Cluley
Oh yeah, they'll get snuffled up in no time, won't they? Is that worth the $200? Don't pick that up, it's for Steve!
Dave Bittner
Well, so but how do you possibly protect against this in a world where—
Graham Cluley
In a world—
Carole Theriault
In a world where cables are dangerous, one man— Yeah. Keep going. It's so good. I don't even know why I'm interrupting.
Graham Cluley
Could you do that with the voice, Dave?
Carole Theriault
I'm too excited. So I've got two solutions. One, you know, if you're saying this is for legit uses, pen testing et al., wouldn't you just double check and control the orders and accept them only from proven white hats or consultancies or whatever?
Graham Cluley
Well, could it not even be branded? Could it not actually be tagged on the actual thing saying, "This is a malicious lightning cable," right?
Carole Theriault
Well, that'll work really well during the fake social engineering tests that pen testers would do.
Dave Bittner
Here's what I wonder about. What about someone who's fairly good at sleight of hand and walks into an Apple Store with one of these all packaged up in a package that looks just like the Apple Store package, and just puts it on the shelf without anyone noticing? So some innocent person goes to the Apple Store, buys what they think is a proper cable from a trusted source. The cable doesn't look any different from a real Apple cable because it started its life as a real Apple cable.
Graham Cluley
He's an evil mastermind, Dave Bittner.
Carole Theriault
I have one tried and tested piece of advice for this situation. Not that I've been in this exact situation, but this is actually something I do. So buy some loudly patterned electrical tape. Wrap it tightly around your personal cables. And that way, well, no, but that way you always find your own earbuds. Like, how gross is it when you grab someone else's earbuds and they're all waxy? And then you tend to spot them more easily when you have the cable nest, which I have many of around my desk. You know, the big boxes full of ginormous cables, you can kind of find the ones you need. So, you know, I do the ones that I take out of the house to charge my phones and to listen to stuff or whatever. Anyway, so top tip from yours truly, and just don't use my color, green and yellow stripes. So stay away from that.
Graham Cluley
Well, thank you very much. But with macOS, it does pop up this warning message, doesn't it? Saying, do you trust this device that you've attached? But is it not the case that if it is a device you've previously attached, like your iPhone, your computer won't pop up and say that again?
Carole Theriault
Well, you see, I wondered that. I suspect you're probably right, but that would still dupe me because I never tether my device to my phone. I don't know if you do.
Dave Bittner
But the cable still functions as a perfectly normal lightning cable. It works. It does its primary job. So there's nothing to throw you off from that point of view.
Graham Cluley
But I think you should be cautious if it's a wire or cable you haven't used before, if you're plugging into something which you haven't attached to before and you see that message, that should be the point to think, you know, do I trust that thing which Janine has plucked out of her fanny pack? And it could be something I don't want to plug into my— anyway.
Carole Theriault
So these are available on the market. There's a company selling them, Hak5, I think is the name of them. They're selling them. They're out of stock at the moment. So boy, they've been popular or they had a very, very short run. It will be interesting to see if they bring them back and see what people think. On Reddit and different forums, people seemed really excited about the availability of these. But again, for a variety of different reasons, some from very ethical to some maybe questionable.
Dave Bittner
I have a question. Unrelated to— well, I'll proceed. It has come to my attention in the past week that on your side of the pond, the word fanny— oh my goodness, that even stops— has a different meaning than it does on our side of the pond. Is this true?
Graham Cluley
I think it's time for our sponsors, isn't it?
Carole Theriault
Good, Grim. Good. Slick. Hey, Grim. Yes? There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing. We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
Graham Cluley
So, Carole, would you, if I bought one of these hypothetically, would I be able to program it to send different commands to my targeted computer? Yeah. Right, okay. Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
Carole Theriault
And best thing, it's not boring.
Graham Cluley
No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all. And save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
Carole Theriault
On with the show.
Graham Cluley
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is a YouTube documentary called Remain Seated Please: The Hoot and Chief Story. And it runs for about 30 minutes or so. And I watched it a little while back and I really enjoyed it. It is about a couple of young lads who really love going to Walt Disney World's Epcot Park, if you remember that, back in the '80s and the '90s. And they would make regular visits. And the ride they loved more than any other was a ride called Horizons, which was an animatronic trip into the year 2086. I've been on it. Have you really? Yes, of course. Oh my God. You've got to watch this documentary then. I have. Oh, you have?
Dave Bittner
Oh, yes, yes, yes. Oh, wonderful.
Graham Cluley
Loved it. Oh, wonderful. Okay. So, so it was one of those sort of rides where you sort of get carted around, I think, in a car. And so a bit like Pirates of the Caribbean, but not as exciting, not as much drama or something like that. But, you know, you're seeing things. And sadly, by the mid-'90s, Disney realized folks were more interested in exciting rides. And so they closed it down. And these two kids who really enjoyed the ride were a bit disappointed because they had gone on it so many times and they used to hop off the ride and go behind the scenes and they'd become very comfortable. They were hanging out there. They would eat dinner there, wash themselves in the waterfall. They even invited their friends and they knew this ride inside out and always trying to avoid detection from the security team.
Dave Bittner
Right. And that's a really important part of the story is that somewhere along the lines they either figured out or got the intel that Horizons was the only ride on Disney property that had no security cameras.
Graham Cluley
Right. And so they found this blind spot where no one would see them. They'd hop out and they knew what time. And of course, they had to avoid other passengers as well. So they had to choose a particular carriage in order so that they wouldn't be spotted. Anyways, it's fascinating. So the ride got closed down and then a couple of years later, it was briefly reopened for some reason or another. And these two kids were so excited. It's like, oh, you know, it's come back. We need to document this. We need to go in and video what goes on in this place. And so that's what they did. They went back to the ride, and while it was briefly reopened, they made the film. Oh, cool. And they took photographs, and it's now this fabulous documentary about what they discovered there. And it is really quite touching. And obviously, eventually it was time for their final ever ride because they knew the ride was going to be closed down. The staff had told them permanently. And at the end of the documentary, I'm not going to ruin anything by spoiling it, but it is genuinely touching what happens at the end of the documentary. Did you cry? Well, Carole, you know I'm quite an emotional type, so let's just leave it at that. But, you know, it's a touching movie and I would recommend it to everyone. Really good fun. And I'll also link to some articles about it as well in the show notes so you can read some more.
Carole Theriault
Did you fall asleep?
Graham Cluley
No, I did not fall asleep. I like documentaries. I don't tend to fall asleep in documentaries. It tends to be in CGI movies where robots are fighting other robots. Like Doctor Who. Where characters, well, I have fallen asleep quite a lot in Doctor Who in the last year because it was quite dull. But this documentary, Remain Seated Please: The Hoot and Chief Story, really recommend it. Cool. That is my pick of the week. I concur. Highly recommended. Dave, what's your pick of the week?
Dave Bittner
Well, my pick of the week is also a documentary. This documentary is about a gentleman named Steve Young. He was a writer on The David Letterman Show, and they did a regular bit on The Letterman Show that was called Dave's Record Collection. And they would go find funny albums, funny albums with funny names and funny covers, and they'd write jokes about these funny records that were allegedly in Dave's collection. You can go online and find videos of the old Letterman show with him doing Dave's record collection. So Steve Young was the person who was tasked with going out to find these funny records. And so he would go to used record stores in New York City. And he kept coming across these odd recordings from industrial musicals. So imagine it's the 1970s, the heady times of the 1970s. I'm there already. There's a corporate sales meeting and business is going well and you want to really just razzle dazzle your sales team, get them pumped up and ready to go for the new 1976 model year. Okay. Yeah. I'm with you. And so what you would do back then, if you were a big corporation, is you would hire Broadway producers, Broadway writers, Broadway actors, Broadway choreographers. Are you trying to make a work pitch here?
Carole Theriault
Are you selling— you offering yourself to our listeners as someone who can do this now? I know where this is heading.
Dave Bittner
Okay, carry on. Sorry to interrupt. Don't— spoiler alert, Carole. Spoiler alert. So these industrial musicals were produced. They had names like Diesel Dazzle. Oh, I love it. The Mighty O, which stood for Oldsmobile, not what you were thinking about, Carole. And my personal favorite, The Bathrooms Are Coming.
Carole Theriault
What? The Bathrooms Are Coming?
Graham Cluley
And these were only performed at the corporate sales meeting. These weren't actually on Broadway.
Dave Bittner
They were not on Broadway. They were performed in big convention halls. And oftentimes they were performed once. One show. And the budgets for these shows were quite often bigger than actual Broadway shows. Budgets were in the millions. And there were some big names who performed. When a typical Broadway show had a budget of around half a million dollars, these shows had budgets in the several millions of dollars. And they talked to some of the big names who are in these shows. They talked to Chita Rivera, Martin Short, Florence Henderson, people who came up doing these shows. And for working actors, this was a really good gig because they were union gigs, they were well paid. And so you could make a living doing these industrial musicals. A pretty good living. It's a forgotten part of theater history and also that kind of Madison Avenue advertising era. So it's a charming documentary. Steve Young, he goes and he himself becomes fascinated with this. So he goes and hunts down some of the composers and the performers. And it's a real charmer of a documentary. So I highly recommend it. It's called Bathtubs Over Broadway. It's on Netflix. We have a link to the trailer for it as well. Just a real charmer. So do check it out.
Graham Cluley
I think I read somewhere that it wasn't just the actors, but sometimes the people who actually wrote these musicals were big names. The people who wrote Cabaret, for instance.
Carole Theriault
Well, you're not going to give a million bucks to some Joe Schmo down the corner.
Dave Bittner
I think in the documentary they talk about the folks who did Fiddler on the Roof did one of these. And because it was just a gig. It was good money. Why not?
Carole Theriault
Serious money. Wow.
Graham Cluley
You could reuse the same tunes, I imagine, at different conferences because you wouldn't get the same audience. Just change the words. Who would know? One time it's the bathrooms are coming and then it could be the dishwashers are arriving or something like that.
Dave Bittner
I love it. So they'd wheel out all the tractors on stage and people dance and sing all around them there.
Graham Cluley
So where can people see this documentary? It's on Netflix.
Carole Theriault
He didn't listen. He tuned out again. It's on Netflix.
Graham Cluley
I'm just reinforcing it, Carole.
Dave Bittner
Oh, of course you are. Go check it out. Bathtubs Over Broadway. It's on Netflix. That is my pick of the week. Marvelous.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
Well, mine is not a documentary. Mine's in fact fiction. And it's in podcast form. So I did a really long drive on my own this weekend. From glorious Plymouth to Oxford, so I had to keep myself entertained, which I did with The Amelia Project. A fictional podcast by Pip Thorne and Brager Øystein. And it seems to be a collaboration of a lot of artists across Europe. So basically the show opens with this kind of answerphone message that says, "Congratulations, you've reached The Amelia Project."
Unknown
Congratulations, you've reached The Amelia Project.
Carole Theriault
This phone call isn't happening. If you're not serious about this, hang up now. If you continue, there's no way back. Good choice. A new life awaits. You'll hear back from us within the hour. If you don't hear back, please consider the whole thing a hoax. Leave your message after the beep. Okay, quirky, quirky. Okay. And the whole thing, the idea behind it is that the Amelia Project is a very special business or service. It fakes its clients' deaths. And its eccentric clientele include cult leaders or scientists or politicians, all desperate to disappear and start over. And so the podcast is basically an interviewer, and we eavesdrop on the first meeting between the interviewer and whatever client. So each episode is named after a client. And then they present this bizarre request to this interviewer representing the Amelia Group to help them disappear, or die, or whatever. It's very interesting. And it's, you know, the one show I just listened to, the concept behind it was really complicated to pull off on radio. And they did it without sounding contrived, or just trying too hard. And they did it beautifully. And it's a little bit hammy, but delightfully so. So if you like The Bright Sessions, which I did, and I think it was my pick of the week at one point earlier, but I tried to look for it. I couldn't find the episode number. So if someone knows off the top of their head, let me know. Check this out if you like The Bright Sessions. It's very original. It's fun. And it's basically an audio drama. Is it a set number of episodes or is it a serial kind of thing where it's a series but each episode kind of has its own stand? However, as we're all podcasts here, let me discuss one little dynamic that they have with the pod offering, right? So the free pod, the ones I'm talking about, are these initial interviews. But if you want to know what happens when the agreed plan is set in motion, you need to become a patron, right? So I don't know, clever or nasty? Clever, nasty?
Because it's not nasty.
Graham Cluley
Why should you get everything, you know?
Carole Theriault
No, no, I understand, but I would like a few tasters before I dipped my toe into giving Patreon my details. See, I think that's my issue.
Graham Cluley
I wouldn't want to taste anything you've dipped your toe into. Sounds disgusting.
Carole Theriault
I'll not be hasty.
Graham Cluley
On that delicious bombshell, that just about wraps it up. Dave, I'm sure lots of our listeners would love to hear more from you. What's the best way for folks to do that? As if we didn't—
Dave Bittner
Head on over to thecyberwire.com and it's all right there.
Graham Cluley
Fantastic. And you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can join us on Reddit as well. Go to smashingsecurity.com/reddit and it'll take you straight to our subreddit. And a huge thank you to this week's Smashing Security sponsors, MetaCompliance and LastPass. Their support helps us give you this show for free, so be sure to check out their wonderful offers. And today, a special shout out this week to all those of you who have left us a lovely review telling us what you like and what you want more of. Well, until next time. Cheerio. Bye-bye.
Carole Theriault
I get to edit this bit. Bye-bye.
Graham Cluley
Dave, are you going to say goodbye or are you just— Dave left already. Yeah, he's just out of here.
Carole Theriault
He's a celeb, man. He's a celeb. He's out of here.
Graham Cluley
He's busy, man. See that sound?
Dave Bittner
That's my limo peeling out and pulling away. Yeah, Crow, you didn't thank our Patreon subscribers.
Graham Cluley
You didn't thank our Patreon subscribers. I mean, what's that about? They're giving us money, they're giving us hard-earned cash. They're not giving us jokes for kids.
Carole Theriault
Yes, Dave Bittner is a Patreon subscriber.
Dave Bittner
Oh, Dave is? Dave!
Carole Theriault
Maybe I wanted to just acknowledge our David Bittner.
Graham Cluley
Oh, I was so horrible to name at the beginning of the show. Oh my goodness, Dave, Dave, thank you so much.
Carole Theriault
Did you opt for the $5 or $2 option, Dave? He did.
Graham Cluley
He went for the top one. Ooh, $5, platinum package.
Dave Bittner
Well, you know, I got to spread it around a little bit.
Graham Cluley
Yeah, nothing but the best. Thank you very much, Dave.
Dave Bittner
Oh, thank you for all of the wonderful entertainment.
Graham Cluley
And thank you to everyone called Dave, because a few shows ago — and those not called Dave. A few, well yes, but especially those called Dave, because a few weeks ago we did complain that there wasn't anyone who supported the show called Dave. But now there's a huge number of people called Dave and variations who've come forward. Perhaps even some people have changed their name — they may have changed their names just to cheer us up.
Carole Theriault
I don't know. We love you all.
EPISODE DESCRIPTION:
Say cheese to ransomware on your camera! A sponsored speech at Black Hat causes uproar, and should you trust that Lightning cable you're about to plug into your MacBook?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.