403: Coinbase crypto heists, QR codes, and ransomware in the classroom

In episode 403 of "Smashing Security" we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham's DMs, Geoff gives a poor grade for PowerSchool's security, and Carole takes a curious look at QR codes.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist's Geoff White.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
  • 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
  • Cortex Symphony 2025 – Ready to transform your cybersecurity? Register now to see the future of security innovation with exclusive insights, demos, and stories from pros.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GEOFF WHITE. Off the back of this, can I also have a quick rant about ransomware operators?


GRAHAM CLULEY. Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.


GEOFF WHITE. Hey guys. Hey guys. Or should I say Privet or Strasvidscha? Because we know where you all are based.


UNKNOWN. Smashing Security, Episode 403. Bitcoin, Coinbase crypto heists, QR codes, and ransomware in the classroom with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 403. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we are joined by a very special guest, someone who's been on the show many times before. It is, of course, the star of the Lazarus heist and various other activities. It's Geoff White.


GEOFF WHITE. Hello, hello, hello.


CAROLE THERIAULT. The crowd goes wild. Thank you for being here, Geoff.


GEOFF WHITE. Can you jump on screen? Some applause there.


GRAHAM CLULEY. Geoff, what's been keeping you busy lately?


GEOFF WHITE. Well, yes, powering into 2025. I'm lucky because America Invades Greenland was on my bingo card, so I win. Been keeping up with the rolling chaos that is the incoming Trump administration, and I've got various projects in the work and things in the pipeline which I'm working on, so I'm busy, which is good.


GRAHAM CLULEY. Fantastic.


CAROLE THERIAULT. Let's thank this week's wonderful sponsors, 1Password, Tailscale and Cortex Symphony 2025. Coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about how some companies are still telling their users to turn off their security.


CAROLE THERIAULT. Okay, what about you, Geoff?


GEOFF WHITE. I'm going to be talking about a school data breach and how annoyed I am with incommunicative ransomware gangs.


CAROLE THERIAULT. Okay, and I'm going to delve into the wondrous growth of the QR code. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, here we are, episode 403 of Smashing Security. Quite extraordinary. What have we actually learned? What's been the purpose of this? What wisdom have we shared with the wider population, do you think, after all these podcasts?


CAROLE THERIAULT. Are we on the educational track and I didn't know?


GRAHAM CLULEY. Well, it would be nice if there was a small slither of that, wouldn't it?


GEOFF WHITE. Constantly educational, I would argue. Spreading the good word of cybersecurity and the important lessons to be learned.


CAROLE THERIAULT. Right, exactly.


GRAHAM CLULEY. I think to be safer online, we've often shared some pretty straightforward tips, even if you're only half listening while walking the dog. You've hopefully learned to use a password manager and have unique, hard-to-crack passwords. Yeah.


CAROLE THERIAULT. Use multifactor authentication.


GRAHAM CLULEY. Oh, good one. Install an ad blocker in your browser to prevent malvertising. That's a good one as well.


GEOFF WHITE. Oh, I haven't done that.


CAROLE THERIAULT. Yep, have a password keeper of sorts.


GRAHAM CLULEY. Use a VPN to ensure your connections can't be intercepted.


GEOFF WHITE. Don't use the phone in the bath. No, that was another podcast, sorry.


GRAHAM CLULEY. Brad Pitt almost certainly isn't in love with you. That's another thing we've learnt. Don't click on suspicious attachments or dangerous links.


CAROLE THERIAULT. We could go on forever, couldn't we?


GRAHAM CLULEY. I don't know if we could go on for 400 episodes, but anyway, somehow we've managed to. So how would you feel if a company told you specifically to stop doing some of these things? Hmm.


GEOFF WHITE. Concerned. In a word.


CAROLE THERIAULT. Or, or please, pray tell, say more.


GRAHAM CLULEY. What if they told you you really shouldn't run an ad blocker anymore? Or to believe it every time Jennifer Lopez drops into your DMs declaring her undying love for you? Not because following any of those behaviors is actually bad for your security, but because it might make you look suspicious. That's their argument. It's not that it's bad for your security. It's because it makes you look suspicious because you're securing yourself.


CAROLE THERIAULT. Suspicious to whom?


GEOFF WHITE. Hmm.


GRAHAM CLULEY. Well, to them, to the company. They're saying, don't do that because it makes you look suspicious to us. I mean, I would look suspicious if I was dating Jennifer Lopez, not just because I fancy Diana Rigg more than Jennifer Lopez. Although that would also be suspicious, as she has been dead for some years.


CAROLE THERIAULT. Jennifer Lopez has died?


GRAHAM CLULEY. No, Diana Rigg.


GEOFF WHITE. Oh my goodness. Frantically Googles Diana Rigg now.


GRAHAM CLULEY. That's my domain. In fact, probably the only way I might end up dating J.Lo for real would be if I made a cryptocurrency fortune. I think she's just split up with that—


CAROLE THERIAULT. No chance. No chance.


GRAHAM CLULEY. She's just split up with Ben Affleck. She's vulnerable.


CAROLE THERIAULT. You could be the gazillionaire, bazillionaire, 15 Elon Musks with a few Bezos on each shoulder, and you still wouldn't get J.Lo, dude.


GRAHAM CLULEY. Hey, she's still Jenny from the block.


CAROLE THERIAULT. Yeah, exactly. You're not from her block. Trust me. Trust me.


GEOFF WHITE. Fascinating as this is, and much as I'm enjoying the pictures now of Diana Rigg, back to the plot. Who is this company telling people, Graham? And why are they saying that implementing security makes you look suspicious? Can you name names?


GRAHAM CLULEY. I can. Yay. Coinbase.


CAROLE THERIAULT. Oh, they're crypto, right? The crypto guys.


GRAHAM CLULEY. Yeah. So that's how I'm going to lure J.Lo in. So I'm there in my mink coat with my silver cane, pouring my crypto fortunes into an online exchange like Coinbase. But some people have been having trouble with Coinbase lately. It turns out many Coinbase users have reported sudden restrictions on their accounts. So there is a chap, we've spoken about him before and his work, called ZachXBT. Sounds like a rapper.


GEOFF WHITE. Legend.


GRAHAM CLULEY. Yes. You know him, right? Renowned cryptocurrency investigator, and he's unraveled ransomware gangs and investigated all kinds of heists which happened in the past. He's recently mentioned in a thread on Twitter that folks are fuming that they have been locked out of their Coinbase accounts. And he posted a screenshot of dozens and dozens of Coinbase users reporting that they cannot access their accounts any longer, and they've been given no reason.


CAROLE THERIAULT. So that's when you're going in as you normally would, you put in your username and your password, and it just goes, eh-eh.


GRAHAM CLULEY. You can't come in.


CAROLE THERIAULT. And it doesn't say why, you're just locked out.


GRAHAM CLULEY. So let me tell you what users are saying. There's a guy called Zubik. He says, "I woke up today, found out I can't access my funds on Coinbase. No warning or explanation. I've been trying to contact support all day. I've been refreshing the app nonstop. Nothing." He says, "I thought I could trust this platform. Now I'm not even sure I'll get any of my money back."

Justin Taylor said, "Locked out of my Coinbase account. Verification keeps failing. WTF is happening." Eric, poor old Eric, he says, "Just locked out of my account after trying to send $25,000 worth of crypto." A guy called Nas says, "Out of the blue, Coinbase restricting my account." And he says it gives him restriction instructions. It says, "Please visit the support page." When he goes to the support page, it goes, "Please follow the restriction instructions." So he's in this endless loop.

He says, "It's the worst customer support experience ever." A guy called The Bogfather says, "Coinbase has trapped my funds for two months with no explanation. I can't trade out of my current positions. This is egregious. Nobody should use an exchange that does this." Because of course, if you've got your funds trapped in a particular place and you're desperate to sell, it's horrendous.


CAROLE THERIAULT. And Coinbase, I'm assuming, is not regulated by whatever regulates all the banks and financial institutions.


GRAHAM CLULEY. I think there are more and more regulations. I mean, maybe you know about this more than me, Geoff, governing some of these cryptocurrency exchanges these days.


GEOFF WHITE. They are increasingly coming under regulations, but the main sort of activity around that's been around money laundering because with money laundering, it sort of doesn't matter which jurisdiction you're in. If you're handling anything to do with US dollars or US citizens, you know, US money laundering legislation will kick in. But no, to your point that you're right, they're not regulated in the same way as banks are.

But what's interesting, Graham, is from going back to the start, what you were saying is that when people have implemented, you know, things like VPNs and so on, that's what's triggering these Coinbase problems is that people have tried to implement a security thing.


GRAHAM CLULEY. So I'm going to come to that in just a minute.


GEOFF WHITE. Oh, sorry. I'll go back to pictures of Diana Rigg.


GRAHAM CLULEY. So why is Coinbase doing this? Well, according to ZachXBT, it's to prevent its users from losing something in the region of $300 million per year. Not each of them, but $300 million per year, he reckons, is being lost to social engineering scams on Coinbase.

And so ZachXBT, he's got this buddy Tanuki42, and he and Tanuki42 have been investigating this, and they say that they've seen evidence that $65 million was stolen from Coinbase users between December and January. And that, they reckon, is a huge underestimate. The true number is likely to be much higher because these are only the thefts that they know about.

They've seen evidence on the blockchain or they've had shared with them by victims rather than based on any information from Coinbase or police reports.


CAROLE THERIAULT. Well, where do you go? I mean, what's a cop going to say if you said, "Oh, I lost my crypto?" You know, what's a cop going to do?


GRAHAM CLULEY. I suspect those sort of questions are coming into police. There may be enormous challenges sometimes in chasing this kind of thing and getting a resolution. But, you know, this is a very common type of theft today.


GEOFF WHITE. It certainly is. I think I read the other day that — is it in the UK? Something like 12% of people now own crypto in some form or another.


CAROLE THERIAULT. Wow.


GEOFF WHITE. Could have been 12% among younger people, but yeah, it's like crypto's no longer a niche thing. It's, you know, you're looking at a significant percentage of the population. Yeah, in the UK we're trying to work out, I think crypto is now recognized as a thing in the UK. It's recognized as an actual asset in the UK.

So when it's stolen, you know, it should be recognized as having a property stolen. But of course, you know, going down to your local cop shop and saying, oh, I've lost my crypto. I'm not quite sure what kind of response you'd get to that.


GRAHAM CLULEY. So ZachXBT says he started looking into this because someone contacted him saying that they had lost $850,000.


CAROLE THERIAULT. See, that hurts.


GRAHAM CLULEY. I don't understand why you keep so much money in there.


CAROLE THERIAULT. I can, you know, I imagine because you're greedy, right?


GRAHAM CLULEY. Why do you keep that much money in a pension?


CAROLE THERIAULT. Because it's regulated.


GRAHAM CLULEY. Yes.


GEOFF WHITE. A lot harder to get money out of a pension, I think, than to enter a username and password and transfer it.


CAROLE THERIAULT. I mean, under your mattress is safer than many crypto joints, in my view. You know, it doesn't make as much money, I suppose.


GRAHAM CLULEY. Anyway, this particular guy who lost $850,000, ZachXBT found that something like 25 other users had fallen for the identical scam, where a scammer called the victim, they sort of spoofed their phone number, they pretended to be Coinbase. They used personal information obtained from private databases to gain their trust. So they knew information about their victim.

Now, that isn't revolutionary. We've seen those kind of scams in the past, obviously, many times before. And what people don't realize is Coinbase will never, ever call you. But when they did call, when the scammer called, they told the victim their account had had multiple unauthorized login attempts. So people kept on trying to log in.

They then sent a spoofed email to the user, which appeared to come from Coinbase support with a fake case ID. Further gaining the trust of the victim.


CAROLE THERIAULT. Coinbase would never do that either. Send a support email.


GRAHAM CLULEY. Well, maybe their support people wouldn't get around to it, who knows? But that then instructed the victim to transfer funds to a Coinbase wallet and whitelist that address while support, in quotes, verified the account security. So obviously that's where the scam takes place, is that the money is then moved.


CAROLE THERIAULT. I can totally see people falling for this. What would you do? What would you do to verify it?


GRAHAM CLULEY. I guess many people would just click on the link and say, does this look like the Coinbase site?


GEOFF WHITE. Mm-hmm.


GRAHAM CLULEY. And the scammers, of course, have cloned the Coinbase site pretty much identically. They're using what are called panels, which are being openly sold on cybercrime forums on Telegram, which are basically little do-it-yourself kits, ways for really rolling out a scam website.

So this once again is cybercrime industrialized where there are criminals who've given you the tools to piece together your scam and all the things that you need in order to con someone out of money. And there are many Telegram channels where scammers are advertising these sort of services.

The scammers can vary from being script kiddies, probably many of them are script kiddies, but they're also sort of more organized criminals as well based around the world. Now, earlier on, I was talking about companies which maybe were giving poor advice regarding security, telling you to turn off your security.

Scott Shapiro is a senior director of product management at Coinbase, and he recently tweeted that people shouldn't use VPNs and ad blockers as Coinbase treats them with suspicion. So his tweet said, "Public service announcement, don't use a VPN to access Coinbase.

Attackers always use VPNs, so our risk models take that as a negative sign, even if you're legitimately using your own account. Same with ad blockers and other extensions."

Well, yeah, hackers use VPNs in order to keep themselves safe and secure online, right? They don't want their identity falling out there.

They don't want to be tracked too much.


GEOFF WHITE. Duh.


GRAHAM CLULEY. Of course they're worried about law enforcement doing these things. But it seems to me it is crazy that Coinbase is actually telling people turn off things which normally we would suggest can offer an additional level of security, blocking malware with ad blockers and various extensions, maybe using a VPN as well, especially if you've got $850,000 worth of cryptocurrency in an online exchange.


CAROLE THERIAULT. I don't think they're alone though, in companies that say don't use VPNs if you want this to work. You know, lots of people use VPNs, for example, or used to, I don't know if it still works, but you know, used to use VPNs to watch streaming channels they weren't allowed to watch in certain regions and that sort of thing.


GRAHAM CLULEY. Yeah. There are non-security reasons to use VPNs as well.

There's perhaps less requirement for a VPN amongst the general population than there used to be, because so many sites now set up an encrypted tunnel with your browser via HTTPS. So I'm always dubious about some of these VPN companies who really oversell the security features of those systems, but—


CAROLE THERIAULT. You sound like Scott Shapiro.


GRAHAM CLULEY. Well, I'm not saying don't use it. I'm not saying don't use it.

And I think it's a real mistake for a company to say, because bad guys use this stuff, don't you ever use this stuff, because I think that does send a dangerous message.


CAROLE THERIAULT. So are you saying that basically the people that use VPNs are the ones that weren't able to log into their accounts, but their money is fine and safe? It's just don't use VPNs, otherwise we won't be able to identify you properly.


GRAHAM CLULEY. Certainly it seems some of these people have been locked out because of their ad blocker usage, maybe extensions, maybe their use of VPNs. Who knows what other signals Coinbase is looking for, for suspicious activity.


GEOFF WHITE. What's really fascinating about all of this is there's actually a really massive issue lurking in the heart of all of this, which is that when cryptocurrency was created, when Bitcoin was created as one of the first major cryptocurrencies, one of the big attractions of it was anonymity, was the idea that unlike your credit card and your bank account, you can't be tracked. It was basically digital cash was the idea. And that was a big draw at the beginning was governments did not control this.

There was strong privacy and anonymity in the whole thing. It was cash that you could use online. And then what happened after that was a bunch of people got involved that were thinking, well, this could be a huge — we can make money off of this. So from the very beginning of the Bitcoin era of crypto, you've had this schism between the idealists, if you like, about crypto who see this as a radical reinvention of society, et cetera, and the let's make tons of money out of this kind of people. And what's interesting with this Coinbase thing is that the things they're pushing back on, things like VPNs and ad blockers, these are privacy technologies.

And so the very heart of cryptocurrency being a privacy-enhancing technology, Coinbase are saying, no, we're on the money side and you don't get the privacy enhancing technology stuff. I find that fascinating. The other observation I would make is frankly, if you've got £850,000 or dollars worth of funds anywhere, you need to be paying somebody to look after that security of that.

Now, if it's in a bank, the bank hires a security person to look after it. If you are giving it to Coinbase, Coinbase are not hiring a security person to look after your £850,000 and they're certainly not in this case, hiring them to do enough of a good job for you. It's worth taking a chunk of that lovely stash of money you've got and paying somebody to make sure that it's secured and vetting your processes.


GRAHAM CLULEY. Are you offering your services at this point?


GEOFF WHITE. Well, I just—


GRAHAM CLULEY. Has this turned into an advert?


GEOFF WHITE. For an $85,000 down payment, you can hire the services of Geoff White.


GRAHAM CLULEY. Geoff, what's your story for us this week?


GEOFF WHITE. I'm going to be looking at a hack on a US company called PowerSchool. I just can't help pronouncing it like that. It just sounds PowerSchool.

This is a software provider for schools. So basically it provides the kind of software that logs grades and attendance and all that kind of thing. According to TechCrunch, 18,000 schools it's in and supports 60 million students in North America.

Software was hacked. This went back to, I think it was December last year, they first announced it. And we're still finding out the details about this. The reason this story caught my eye was, and it's a really facile reason, but do you remember that scene in WarGames, that classic computer hacking movie, where Matthew Broderick's character hacks into a school database and changes his grades?


CAROLE THERIAULT. Dialing into the school's computer. Are those your grades?


GEOFF WHITE. Yeah.


CAROLE THERIAULT. I don't think that I deserved an F. Do you? You can't do that.


GEOFF WHITE. It took me straight back to that as soon as I saw this, because it records your school grades, this software. And the idea that you can hack in and change your grades to an A, I just — it took me right back to WarGames.


GRAHAM CLULEY. But should I admit that having worked in this industry for 35 years.


GEOFF WHITE. Oh no.


GRAHAM CLULEY. I've never seen WarGames.


GEOFF WHITE. Oh no.


CAROLE THERIAULT. He's not seen a lot of very good films in my opinion.


GEOFF WHITE. Really? Were you raised by wolves?


CAROLE THERIAULT. He was probably raised by wolves.


GEOFF WHITE. Never seen WarGames.


GRAHAM CLULEY. No, no, nor E.T. We could list a lot of movies.


CAROLE THERIAULT. Oh no.


GRAHAM CLULEY. Sneakers, that's a hacking movie. Not seen that.


CAROLE THERIAULT. Independence Day?


GRAHAM CLULEY. I have seen Independence Day, yes.


CAROLE THERIAULT. Oh, there you go. There's a bit of weird hacking there, isn't there?


GRAHAM CLULEY. Thank goodness the aliens were using Mac computers, so Jeff Goldblum was able to infect them that way.


GEOFF WHITE. Anyway, so yes, WarGames. By the way, WarGames, I still think is worth a watch.

Right. It's a thrilling little tale. And there's this classic scene in it where Matthew Broderick's character is logging into the school software to change his grade.

I mean, there's a number of things about the film that are quite unrealistic. One is that there's a really attractive girl in school who's attracted to him, even though he's a computer geek.

And he tries to change her grades as well. And then she refuses and says, no, no, you shouldn't change my grades.

And then when she leaves, he changes her grade anyway to an A.


CAROLE THERIAULT. That's love, baby.


GEOFF WHITE. So in preparation for this podcast, I watched the scene. Oh, that's the amount of preparation I do for this program.


CAROLE THERIAULT. Watch some YouTube. Thank you.


GEOFF WHITE. Anyway, back to the plot. PowerSchool gets hacked and the hackers break into some portal which allows them access to a lot of the data that PowerSchool holds, which obviously is kids' data.

So that's bad.


GRAHAM CLULEY. Yes.


GEOFF WHITE. It has to be said, one of the major problems with this is exactly what the thing gave access to and what information got stolen. So we know that they said, well, this was potentially sensitive information.

So this was students' grades, their attendance and demographics, also Social Security numbers and medical data.


GRAHAM CLULEY. Ooh.


GEOFF WHITE. I was thinking about that. That could be, you know, my little Johnny has asthma and he might have to have his inhaler.

But even so, I mean, these days, mental health, does that include mental health data? Because that could be in there.


CAROLE THERIAULT. Oh, I'm sure it does.


GRAHAM CLULEY. Could be.


GEOFF WHITE. Significant stuff.


GRAHAM CLULEY. And this is a lot of schools who are using this software as well, isn't it?


GEOFF WHITE. Well, that's the other thing. A lot of schools using it.

How many schools are affected? We don't know.

PowerSchool are doing this interesting thing of saying, "Yes, we've got a handle on this. We know what's been affected." And then when journalists are asking, "Well, how many schools were affected?" PowerSchool say, "Well, we don't know."

It's either column A or column B there. Again, you get little tidbits of information come out.

Toronto School District Board, which is a school board in Canada, reckons the hackers may have accessed 40 years' worth of student data.


GRAHAM CLULEY. Oh, wow.


CAROLE THERIAULT. What are they keeping 40 years of student data online for?


GEOFF WHITE. Well, this is the thing, you've got to read these things carefully. May have access to 40 years' worth of— What that probably means is that PowerSchool systems have access to something like 40 years' worth of data going back, but did the hackers access that or not?


GRAHAM CLULEY. It sounds to me like Matthew Broderick's in trouble.


GEOFF WHITE. Certainly.


GRAHAM CLULEY. They may have records of him logging in and changing his grades after all these years.


GEOFF WHITE. Indeed, indeed. Maybe that was the thing that was used in WarGames. So there is a huge amount of fog of war around this type of stuff. But what's really been interesting is apparently the teachers who use this stuff, the school, I should say school administrators, it would be teachers, but also people who work in schools, run the IT systems, have been trying to get together and work out what the hell's happened.

The problem with this, and I do sympathize with PowerSchool, is each school sort of has its own implementation of this. They log their own types of data. So when people say, well, what data's gone? PowerSchool sort of said, well, it kind of depends what the school was storing on our systems, which is sort of up to them. So I do have a certain amount of sympathy. What's interesting is the school administrators themselves have started to weigh into this and actually take matters into their own hands and have started sharing on one of their forums, one of these bulletin boards, information saying, well, I looked up this and I found that and the hacker's IP address is this.

If you search for that, you might be able to find— they got it. So they're actually doing a sort of crowdsourced incident response to this thing, which just shows you in the kind of fog of war with a lack of information from PowerSchool, it seems the actual users themselves are coming together and trying to sort out what's happened. It's been a really interesting sort of thing to watch in terms of the incident response.


CAROLE THERIAULT. That's weird though, well, 'cause often we would say, oh, you know, be careful doing that in a way because you want to involve the person who's running the software. But if they're not coming back, what do you do?


GEOFF WHITE. Exactly. Somebody said that their information has been suspicious and not very useful. And it has to be said, given what they were saying to the press.


GRAHAM CLULEY. So has there been any kind of ransom demand over this?


GEOFF WHITE. Well, we think so. We think it's a ransomware attack. Now obviously, the way these modern ransomware attacks work, they've broken in, they've probably stolen a bunch of data.

What's interesting about this again though, is in the past when the hackers have attacked systems like this, sometimes they've gone to the provider, in this case PowerSchool, but the other option is to go, of course, to the 18,000 schools and try and get 18,000 ransoms out of them.


GRAHAM CLULEY. Yeah.


GEOFF WHITE. Interestingly, this is again from this TechCrunch article, PowerSchool told TechCrunch they'd taken appropriate steps and said that it worked with cyber extortion incident response teams to negotiate with the threat actors responsible for the breach. The TechCrunch article then goes on to say, this all but confirms that PowerSchool paid a ransom to the attackers that breached its systems.

The company refused to say how much it paid or how much the hacker demanded. Now, I think that's a bit of a leap. Just because you've got somebody doing negotiation doesn't mean you've paid or certainly paid yet.


GRAHAM CLULEY. No.


GEOFF WHITE. But interestingly, what piqued my attention about this story was that I'm working at the moment on a ransomware story for an outlet. And so I'm doing a lot on ransomware.

So I'm looking at a lot of ransomware groups' websites where if they want to threaten the victim, they post details of the victim and say, we've hacked this company or this organization, you know, here's what we've got and we'll leak it unless they pay. I haven't seen this PowerSchool leak on any of the sites I've been checking.

I've got access to them all, but I've not seen it on there. And the suspicion always is, well, if your information's not on the site, you're probably negotiating and probably paying up.

So I don't know whether that roundup of ransomware websites I'm looking at indicates that maybe PowerSchool have paid and therefore aren't being identified on the sites. It's interesting. It's proper fog of war, this one.


GRAHAM CLULEY. And there's no sort of regulations about them reporting that they've fallen victim to this ransomware attack? Like, do they have to inform the FBI, who maybe want to gather information on different cybercriminal groups?


GEOFF WHITE. I understand in the US, if you're a public institution, like a sort of government department, then yes, you have to declare it. But PowerSchool is a private company, and I'm pretty sure in the US, as in the UK, it's still not the case that you have to report.

UK's looking at this. UK government, obviously, big consultation. What do we do about ransomware?


GRAHAM CLULEY. Yeah.


GEOFF WHITE. It's being reported that they're trying to talk about, you know, introducing a duty to report. You have to report if you get hit by ransomware.

The people I've spoken to say, no, it's a bit different to that, that it'll be a duty to inform government if you want to pay, which obviously means, you know, you have to go and tell teacher if you're going to do this. So the effect might be the same, that people don't want to pay 'cause they don't want to tell the government that they're gonna pay, but.

However, off the back of this, can I also have a quick rant about ransomware operators? Please.


GRAHAM CLULEY. Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.


GEOFF WHITE. They know us, bad guys. Or should I say Privet or Strasovice? Because we know where you all are based.

But anyway, as part of this story I'm doing about ransomware, I am contacting a whole bunch of these ransomware operators, of these dudes. And I've got to say, it is like pulling teeth.

It is the hardest interviewing job I've ever done because, A, they're computer geeks, and obviously computer geeks don't tend to, you know, be very verbose and chatty. And B, I think a lot of them are Russian, who, from my dealings with Russians, are some of the most taciturn people on the planet.

Trying to get more than two words out of these people is agonizing. Like you ask them like, oh, you know, what do you think of the LockBit takedown last year? No, it's no problem. Okay, yeah, why'd you get into ransomware? Oh, it's just the money.


CAROLE THERIAULT. You will not social engineer me, Mr. Journalist.


GEOFF WHITE. Just tell me. So I got one guy, I got one guy on the chat and he was coming out with answers and I thought, this guy's actually capable of stringing a sentence together, it's great.

And I was like, this is good, I can use some of these quotes, this is, you know, he is actually a ransomware operator, he's an affiliate, you know. And then I looked back at the interview and there was something really strange about his answers. Oh no.


GRAHAM CLULEY. There were shorter answers.


GEOFF WHITE. That were quite revealing about who he was and what he was doing. And in those answers, his grammar was pretty bad. He didn't spell I with a capital I when he was saying I am and that kind of thing, no full stops. And then the longer answers, the ones that I thought, oh, that's quite juicy, they were the kind of answers that you get from ChatGPT. And I was like, oh no, the one interviewee I got who could string a sentence together is actually just using ChatGPT. Bloody hell, it's impossible. I just want someone who talks sense. Oh my God.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Well, before I get into my topic, have you guys been seeing articles about how children's reading levels are plummeting? Something like a third of 8th graders in the US have below basic reading levels. And if this can't be solved, my topic for today might be the answer, which is QR codes, because you don't need to read a thing.

So QR codes. Okay, what does it stand for? Any of you know QR?


GEOFF WHITE. Oh, I don't know.


CAROLE THERIAULT. It's an acronym?


GRAHAM CLULEY. Quick something, is it?


CAROLE THERIAULT. Yes. Quick response. Quick response code. Okay, so it's a two-dimensional matrix barcode invented when? Any guesses?


GRAHAM CLULEY. 1991.


CAROLE THERIAULT. 1994. Very close.


GEOFF WHITE. Whoa.


GRAHAM CLULEY. Oh, I'm so close.


CAROLE THERIAULT. And it was originally used by a Japanese company called Denso Wave. And it was used to label car parts. And so these QR codes basically are, you know, we all know they're black squares on a white background and they have reference markers inside that are readable by most smartphones, computers, wearables, that sort of thing. And then the data is extracted magically from these patterns and then brings you to whatever, a service, a product.


GEOFF WHITE. So just to interrupt, for the eagle-eyed among us, magically interpreted. What I'm intrigued by is some QR codes are really blocky and they've got, I don't know, 16 square bits on them and others, they're really, really tiny little blocks and loads and loads of them. And yet they all scan. That's what I wonder is how does the phone turn the QR code into effectively a URL?


GRAHAM CLULEY. Yes, I've wondered that too, Carole. Could you tell me?


CAROLE THERIAULT. You know what? I'm not going to tell you on the show, but you can go read it in my show notes because I do have it in there and it uses some kind of technology, which I can't remember the name of right now, but yes, you can go read about it. So, you know, go do your homework. I won't do it for you.

QR codes have been poodling along for what, a few decades now? And suddenly they became pretty ubiquitous. We saw tremendous growth in the use of them a few years ago. Why did we see that?


GEOFF WHITE. I thought it was COVID. Yeah, COVID kicked it off.


CAROLE THERIAULT. COVID.


GRAHAM CLULEY. If you were ordering things, wasn't it? Like restaurants. Yeah, you wouldn't have a waitress going from table to table spreading nasty germs.


GEOFF WHITE. Or waiter.


CAROLE THERIAULT. Yeah, it's the germs. The germies. It's the germies. The fingerprints, the greasy stuff on the parking meters, or fingerprints on menus.


GRAHAM CLULEY. Yeah, it was during the whole— was it eat out to help out? Or also show up to throw up was the other way we phrased it.


CAROLE THERIAULT. It's hard to remember just how careful a lot of us felt we had to be during the peaks of COVID. And so it was a perfect storm that QR codes were there and it just proliferated during that time. And the other thing is that they're easy peasy lemon squeezy.

Even the youngest users would typically be able to figure out what to do with a QR code in a minute or two, right? It doesn't take a lot of technical nous. Because you think it's really good for the user, right?

It makes it easy for me to go to a parking place and then just scan this code and then off I go to where I need to go. But it's used in all manner of things, from sharing simple business card details to touchless payments, Wi-Fi event check-ins, ordering online.

And the reason people use them is they're cheap. Incorporating QR codes is straightforward, budget-friendly, and there's even free tools to help you create them.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. They're forgiving, so people can scan them from a bad angle. You don't have to be dead on. The size can be different.


GEOFF WHITE. Yeah.


CAROLE THERIAULT. They're also little research spies, these QR codes, because they help companies monitor who scans the material, how often, which type of device is used, what time did they scan, what location did they scan.


GRAHAM CLULEY. OK. Yeah.


CAROLE THERIAULT. And this tracking provides valuable insights, right? So they're pretty neat. And consumers like them. Businesses like them. So technological marvel.


GEOFF WHITE. Hmm.


CAROLE THERIAULT. There shouldn't be any problems. But there are. A lot of news right now happening both in the UK and the US about being careful of scams. The media is rife with reports about motorists being scammed at car parks across the UK, with councils battling fraudulent QR codes stuck on machines.


GRAHAM CLULEY. Yeah, this is where they stick over a false QR code, isn't it, on the machine?


GEOFF WHITE. Yes, I've seen this, yes.


CAROLE THERIAULT. That's right, right? And it can look really legitimate. And basically, the user just, you know, dum-da-dum, I need to pay for my parking, scan the code.

However, the link takes you to a fake website. So you're actually paying the fraudster, not the council, meaning that they'll probably fine you.


GEOFF WHITE. Who knows what the real parking website's supposed to look like? If it looks shonky, I'll be like, "Oh, that's just the parking website." That's normal.


CAROLE THERIAULT. And what about in the States? It seems to be US package scams. This follows last week's FTC scam alert on this very topic.

So this is what the FTC say. So an unexpected package from an unknown sender arrives in your name at your house. So you open it and you find a note that says it's a gift.

But it doesn't say who sent it. And the note also says, scan the QR code to find out who sent it.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Or to get instructions on how to return it.


GRAHAM CLULEY. But you've still got a gift. What's the gift?


CAROLE THERIAULT. Well, who knows? They promise big riches inside.


GRAHAM CLULEY. Maybe—


GEOFF WHITE. Cheetah bomb!


CAROLE THERIAULT. Has a diamond ring!


GRAHAM CLULEY. It's not a dog poop in a sandwich box or something like that. It is a proper— it's a proper thing that people might want.


CAROLE THERIAULT. So let's, I don't know, just say it's a shoehorn, for example. Right? You get it. This shoehorn.


GEOFF WHITE. Just to pick one of those incredibly popular items out of the— Yeah, yeah, yeah, yeah.


CAROLE THERIAULT. Okay, so you might—


GRAHAM CLULEY. Our survey said, uh-uh, a pair of grape scissors.


GEOFF WHITE. Do you know what? Both of those items I currently have in my house.


GRAHAM CLULEY. You are so upper class. So you get a shoehorn through the post in a package. You open it up. You think, who sent this to me? You're wondering who the bloody hell— It must be Geoff White, you're thinking, who sent me this.


CAROLE THERIAULT. He's the only guy I know.


GRAHAM CLULEY. He's the only guy I know who's into shoehorns. So you scan the QR code, you're taken to a website. What then happens? How do you get scammed at that point? I don't understand.


CAROLE THERIAULT. Well, you have to log in to your Amazon page, for example, to say—


GRAHAM CLULEY. Oh, I see. So it takes you to a fake Amazon. Oh, I see. I understand.


CAROLE THERIAULT. Maybe it's Amazon. Depends on what the scam is. Right.


GEOFF WHITE. Okay.


CAROLE THERIAULT. Right. Now, another targeted attack was presented in a Microsoft blog late last month, and it talked about a new spear phishing campaign. And rather unusually, it targets WhatsApp and uses QR codes. So as with a typical phishing attack by Star Blizzard, you guys know about Star Blizzard? They're some gang that go around.


GRAHAM CLULEY. Oh, it's a hacking gang. It's one of those hacking gang names. All right. Okay.


CAROLE THERIAULT. Yeah. According to Microsoft, the threat actor initiates email contact with their target to engage them, right? In this campaign, the threat actor impersonates a government official, right? So that's what they used in this particular campaign. Email sent to the target contains a QR code, quote, purporting to direct users to join a WhatsApp group on, quote, the latest non-governmental initiatives aimed at supporting Ukraine NGOs.


GRAHAM CLULEY. Hang on, hang on. You get an email on your phone which contains a QR code. How do you scan an email on your phone with your phone's camera? You'd have to have mirrors. Have they thought this through properly?


CAROLE THERIAULT. Well, people, I don't know. I don't know how that works.


GEOFF WHITE. You could get the email on your laptop, couldn't you, if your email account's on your laptop, and then you scan it with your phone from your laptop.


GRAHAM CLULEY. Oh, I suppose so. I suppose so. Oh yes. Okay. Fair enough.


CAROLE THERIAULT. A lot of people have two phones. Maybe they're sitting there with both phones. Okay. So this code, this QR code, okay, in this email is intentionally broken and will not direct the user to any valid domain. And this is an effort by Star Blizzard apparently to target the recipient into responding.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So when the target does respond, the threat actor apologizes for the inconvenience and says, shortened link, those bit.ly links, to the so-called WhatsApp group.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. The target then clicks on the link and is redirected to a webpage with a QR code to join this so-called WhatsApp group.


GEOFF WHITE. Sounds like a lot of steps. Yeah, yeah.


GRAHAM CLULEY. It feels like a lot of effort.


CAROLE THERIAULT. I don't understand. Okay, however, okay, the malicious QR code that has been served up is not actually this NGO group, right? But it's actually used by WhatsApp to connect an account to a linked device or a WhatsApp web portal.


GEOFF WHITE. Oh.


CAROLE THERIAULT. Yeah. So this means now if the target follows the instructions on the page, the threat actor can gain access to the messages in their WhatsApp account.


GRAHAM CLULEY. Oh, that's sneaky.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Oh, yes. The criminal is linking their device to your WhatsApp account.


CAROLE THERIAULT. Getting access to all your content in there.


GRAHAM CLULEY. Oh, that's really nasty.


GEOFF WHITE. Mm-hmm.


GRAHAM CLULEY. Okay. Okay.


CAROLE THERIAULT. Now, these are just a couple of ways that QR codes are being used by the bad guys. But, you know, fear not, help is on the way in the USA.

Because remember, we recently discussed the Voluntary Cyber Trustmark that the US are doing to better help secure consumer-grade internet devices like smart speakers and home security cameras and baby monitors. Well, the White House said that retailers, including Best Buy and Amazon, will be soon highlighting products that carry this US Cyber Trustmark.

And all you need to do is scan the QR code on the device for details about the cybersecurity of the product, such as the support of the product and security updates and all that stuff. Like, is that irony?

Is that irony? Is that the definition of irony?


GEOFF WHITE. And also, if you're buying a phone, you can't scan the QR code with your phone because you're buying the phone.


CAROLE THERIAULT. As Graham pointed out.


GEOFF WHITE. Yeah. What are you doing?


GRAHAM CLULEY. It's just a scam to sell more phones. Are you ready to experience the ultimate cybersecurity transformation?

Sign up for the Symphony 2025 Virtual Summit, the event that will keep you ahead of adversaries and empower you to stay one step ahead.


CAROLE THERIAULT. See, Symphony 2025 is your VIP pass to the future of security innovation. It's packed with exclusive insights, live demos, and stories from pros who are already conquering the toughest threats with Cortex, the comprehensive cybersecurity platform by Palo Alto Networks.


GRAHAM CLULEY. Whether you're a security leader, part of a security operations team, or simply interested in the latest cybersecurity innovations, this 1-hour event has something for you.


CAROLE THERIAULT. So register now at Smashing Security. Smashingsecurity.com/symphony.

That's smashingsecurity.com/symphony. And join Symphony 2025 and be part of the cybersecurity transformation event of the year.

And thanks to Symphony 2025 for sponsoring the show. Everyone these days has a VPN as a sponsor.

But Tailscale isn't like those. This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.


GRAHAM CLULEY. That's right. Tailscale is a modern networking solution for connecting your applications, your services, and devices securely.

It's great for companies and it's great for self-hosters too. And it's fast, really fast.

It's private. It's easy to deploy.

Zero config, no fuss. LastPass VPN, plus it means zero trust.

Every organization can use this.


CAROLE THERIAULT. Thousands of companies already use Tailscale, like Instacart, Hugging Face, Duolingo, and more. So why not try Tailscale for free today?

You'll get 100 devices and 3 users for free with no credit card required. Wanna learn more?

Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.

And thanks to Tailscale for supporting the show.


GRAHAM CLULEY. Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast. And this week, we want to tell you about how 1Password's extended access management can help your business.


CAROLE THERIAULT. This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control. And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.

'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't. It's security for the way we work today.

And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.


GRAHAM CLULEY. 1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack. And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1password.com/smashing, and thanks to 1Password for supporting the show.

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. My Pick of the Week this week, Carole, you're into the whole art thing.

Well, I bought a piece of art. Art for my lovely wife.


CAROLE THERIAULT. Did she choose it?


GRAHAM CLULEY. No, she didn't. Well, no, she had hinted. She had hinted some months before.

She thought, said, oh, I quite like that. So I made a little mental note and thought, oh, I will get that for her one day.

So this particular piece of art is by an artist called Niall Conlon, who was brought up in Belfast and is in response to a sign which used to appear in some London boarding houses. Back in the 1950s, which used to say, "No Irish, no blacks, and no dogs," which they'd put up in the window because they didn't want people staying there.

Now, I don't know if you've noticed lately, but there's been some people who've been a bit anti-diversity lately and maybe have been picking on minorities or maybe just dogs, who knows? But as a result, I thought maybe I should choose this particular piece of art because Niall Conlon has done this piece of art, which is all about more Irish, more blacks, more dogs.

And so I bought it for my lovely wife. It's a vibrant piece of art.

It's a bit graffiti-esque, I suppose. Promoting inclusivity, empathy, and diversity.

You can go and check out other art by Niall Conlon if you wish to. He's even doing t-shirts and mugs and all sorts these days as well.

But that is my pick of the week.


GEOFF WHITE. Fantastic.


GRAHAM CLULEY. Geoff, what's your pick of the week?


GEOFF WHITE. My pick of the week I'm going to go for is a book that I just finished, which is called Money Men by a guy called Dan McCrum. This is also a documentary version of the book, which I think is called Skandal with a K, which is on Netflix.

Yes, I do. I have mixed feelings about this book. And it confused me.

It confused me, did this one. Because on the one hand, it's very compellingly written.

It's about a company called Wirecard, which was a German company. Yes, Wirecard, very famous case of a company that managed to achieve, I think it was an $18 billion valuation.

At one point they were going to buy Deutsche Bank. They thought they could buy out Deutsche Bank.

And it turned out the company was basically worthless. It was a giant fraud.

So you're kind of seeing, you want to see where it goes. You want to see what happens to the guy.


CAROLE THERIAULT. Wise.


GEOFF WHITE. And it is an interesting read and it is a compelling read. However, some of the stuff in it was just not well explained at all.

I thought some of the concepts— if you're a financial journalist and you understand things, fine, but I'm not. I'm a journalist mainly concentrating on technology.

I'm not thick, but sometimes it sort of left me behind a little bit.


GRAHAM CLULEY. Because Dan McCrum is a financial journalist, isn't he?


GEOFF WHITE. He is.


GRAHAM CLULEY. He works for the FT. Yeah, that's right. So yeah.


GEOFF WHITE. Yeah.


GRAHAM CLULEY. Yeah.


GEOFF WHITE. Works for the Financial Times and he had this amazing story and it is an incredible story. He actually from very early on understood this company was a basket case, but then had to go through hell and high water to sort of prove that. There is an interesting thing about how journalists work with or don't work with financial speculators who sometimes have a vested interest in a story being either true or not true.

So there's a whole subtext around that, which is all covered a bit in the book. But I don't know, I would be interested what other people think. I will recommend it simply because I say it's a good read, but I'd be interested to know whether other readers like me were left a bit baffled by some of the content.

And there's other stories like Bad Blood and Billion Dollar Whale, which are great books and great stories, you know, that are about an industry but get through to the general public. Money Men, I think, was pitched that way, and it is good enough to— definitely the story is good enough.

Every now and again, you just need a paragraph just put in layman's terms as to what's going on here, like a reprise paragraph.


CAROLE THERIAULT. Yeah, yeah.


GEOFF WHITE. So I will put it as my pick of the week because I have enjoyed it. But as I say, a flawed masterpiece.


CAROLE THERIAULT. Ah, I think that's quite elegant.


GEOFF WHITE. Yes.


GRAHAM CLULEY. It's one of those things where sometimes you want to sort of cut and paste the text and ask an AI to explain this bit as though I was 12 years old.


GEOFF WHITE. Yes. And I do wonder, I do wonder in future whether, and this is a kind of slightly out there thing in terms of publishing, increasingly obviously I think people are going to read on e-readers. And digital books and audiobooks.

It is possible, potentially, as an author to do two slightly different versions of the book. One for fast lane readers and another for sort of—


GRAHAM CLULEY. And one for thickies.


GEOFF WHITE. Yeah, and you could take out certain paragraphs, certain details if people wanted to just, you know, if they already knew that. You could almost set your level. How this would work, I don't know.

I think it's a huge ask, and also writing a book's traumatic enough as it is, as I well know.


CAROLE THERIAULT. It's the— yeah, it was Coles Notes, what we used in university and high school way back in the day. Yeah, that's not reading though. That's information.


GEOFF WHITE. Exactly. Whereas this would be, you'd have different versions of the same book for different knowledge levels. Wow, I think that might become down the track.


CAROLE THERIAULT. Blowing my mind.


GEOFF WHITE. I know. Anyway, as long as they pay me three times as much to write the book, I don't mind.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. So January, we've just finished January. And January in the UK is a pretty bleak time of year to my mind. It's cold, it's drizzly, it's dark.

There's only a few hours of sunlight.


GEOFF WHITE. And so it seems to go on for about six weeks as well.


CAROLE THERIAULT. January goes on forever.


GRAHAM CLULEY. Oh, you guys, you guys are incredible. Think of how much worse December is. December, it's getting darker all the time.

January, it's getting brighter. In December, you're crammed into houses with relatives you only see once a year, and the tension is absolutely overwhelming. January is fantastic.

You don't have very much to do. It's relaxing. You know, you're just a slow start to the year.


CAROLE THERIAULT. Well, no, it's not just that. It's also, you know, you have to suffer after Christmas. You obviously, you know, maybe not spend loads at Christmas, but a lot of people do.

And you're sitting there after Christmas going, wow, my savings account is empty.


GEOFF WHITE. Yeah, the bank balance.


GRAHAM CLULEY. Okay, the list, right?


CAROLE THERIAULT. So I'm there a little bit nonplussed and I want to cheer myself up. And I thought, you know what? I really love marmalade. Do you guys like marmalade?


GRAHAM CLULEY. I like shredless marmalade. I don't like the one with the bits in it.


CAROLE THERIAULT. Okay. Okay. Well, I like the very bitty Seville orange marmalade. It's nectar of the gods to me.


GEOFF WHITE. Oh, really? Bitter.


CAROLE THERIAULT. Dark, not too sweet. And it's difficult to find in the stores. So I thought, why don't I make my own?


GRAHAM CLULEY. Right?


CAROLE THERIAULT. But you can only make your own in January or February because that's when Seville oranges from Spain are ready to be harvested.


GEOFF WHITE. Mm.


CAROLE THERIAULT. So I can't say it's not labor-intensive. It took a whole Sunday afternoon. I washed them, I boiled them, I took out the mushy inside, I chopped up the peel. And then you have to scoop this super hot sugary marmalade into hot clean jars without burning yourself. That's super fun.


GEOFF WHITE. Fun.


GRAHAM CLULEY. Okay. Yes, yeah. Laugh a minute.


CAROLE THERIAULT. Yep, exactly. So I've done 3 pounds of Seville oranges. That gave me 10 jars of the stuff.


GEOFF WHITE. Geez Louise.


CAROLE THERIAULT. And now I wake up, you know, it's cold, damp February.


GRAHAM CLULEY. And you're sick of marmalade.


CAROLE THERIAULT. The sun's not even out. I'm up, right? Buttery toast and a tablespoon or two of marmalade on there and a big cup of builder's tea. And I butt wiggle with joy. It's yum, yum, yum, yum, yum.


GRAHAM CLULEY. Oh, oh.


CAROLE THERIAULT. So I don't regret the time or effort. And if you want a crack at this, I've included the recipe that I use in the show notes.


GRAHAM CLULEY. Well, there you go. And that just about wraps up the show for this week. Thank you so much, Geoff, for joining us today. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?


GEOFF WHITE. As the police car rolls off into the distance.


CAROLE THERIAULT. He's right here, guys.


GEOFF WHITE. They've got me. Best way to follow me is probably on LinkedIn. Just look for Geoff White, Geoff with a G, G-E-O, and then White, like the color.


GRAHAM CLULEY. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Tailscale, 1Password, and Cortex Symphony 2025, and of course to our wonderful Patreon community. Thanks. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog, more than 402 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


GEOFF WHITE. Bye.


CAROLE THERIAULT. Bye then.


GEOFF WHITE. 400 though, wow.


GRAHAM CLULEY. Bloody hell.


GEOFF WHITE. 500 soon.


GRAHAM CLULEY. Yeah, well, no.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. You didn't get your maths GCSE, did you? Not that soon.

-- TRANSCRIPT ENDS --