Mastodon: What you need to know for your security and privacy

If you’re leaving Twitter for Mastodon, here are some things you should know.

Graham Cluley


Mastodon is hot right now. After some years of only being used by geeks (yes, I’ve had an account for a while now) it’s at the tipping point of becoming mainstream… all because of two words:

Elon Musk.

Elon Musk’s purchase of Twitter, his erratic pronouncements, and the layoff of many of the site’s staff have sent shockwaves through the Twitter community, who are concerned about how the service might change.

So what’s the alternative? Many consider Mastodon to be a good new home. It’s free and ad-free, it doesn’t mine your data, and it’s decentralised (which means that – unlike Twitter – there’s not one entity or crazy-ape-bonkers billionaire in charge of your content).

It’s perfectly possible – if you’re nerdy enough and fancy the job of maintaining a web server – to create your own Mastodon ‘instance’ (the name Mastodon users commonly use for a server) and be able to talk to anyone else on Mastodon.

Compare this level of control to your traditional social networks like Facebook or Twitter which control what you get to see in your timeline, mine for your personal data, and bombard you with targeted ads.

Mastodon isn’t like that.

If you’re interested in joining Mastodon, you can learn more about it here, or watch a video explainer.

You may even want to eventually follow me on Mastodon. I’m @.

But what I want to do in this article is mention some of the security and privacy considerations you should make if you’re going to start using Mastodon.

Passwords on Mastodon

Choose a strong, unique password for your Mastodon account. That means ensuring that you’re not using the same password elsewhere on the internet, and one that can’t be guessed by a friend, family member, co-worker, or hacker with access to a database of 100 million of the most commonly-used passwords.

Ideally you should be using a password manager like Bitwarden, 1Password or LastPass to securely generate and store your passwords for you. I couldn’t tell you what my Mastodon password is, because I don’t know it. My password manager remembers it for me on my behalf.


Two-factor authentication on Mastodon

Having a strong password is the first step, but I also recommend enabling two-factor authentication (2FA).

Once you have enabled 2FA, you won’t just be asked to enter your Mastodon username and password – you’ll also be asked for a two-factor code. This is a time-based one-time password (TOTP) that can be generated by an authentication app on your phone.


The idea is that a hacker might have stolen or guessed your password, but they won’t know what the special code is.


Popular authentication apps that can generate codes for your account include Google Authenticator, Duo, and Authy. It’s possible your password manager (you have one of those, right?) also generates 2FA tokens.

You enable 2FA protection on your Mastodon account by logging into the account you have set up on your chosen Mastodon server’s website, and choosing Edit Profile > Account > Two-factor Auth.


Just follow the instructions there. You can also enable a hardware authentication key for additional physical security if you have one.

Direct Messages on Mastodon

This is an important one, as direct messages work differently on Mastodon than how they work on Twitter.

Direct Messages (DMs) on Mastodon are stored in clear text on the Mastodon server. They’re not encrypted. That means that they could be read by whoever is administering your Mastodon server. Furthermore, direct messages with users on other servers will be delivered to different servers and copies may be stored there.


In fairness, Mastodon does display a warning about this – but I wonder how many people will take that much notice.

There’s actually a similar privacy concern with Twitter. Twitter staff can read your DMs.

In short, if you want to say something private to somebody – don’t use Mastodon. You probably shouldn’t use Twitter either. Use a more secure end-to-end encrypted messaging system like Signal instead.

But there’s more danger potentially associated with direct messages on Mastodon.

Imagine you are having a direct message conversation with someone on Mastodon about a sensitive subject.

Maybe George and Paul are bantering via direct message on Mastodon, and one of them says “I’ll tell you who’s a twit. That bloody @Ringo”

Well, because @Ringo has been mentioned in the chat, he now sees a copy of the message too. Ouch, that’s awkward.

This would be particularly dangerous if you were communicating with another Mastodon user to report abusive behaviour. Suddenly your abuser knows you are complaining about them.

Email doesn’t work like that. Twitter direct messages don’t work like that.

(Sorry Ringo for using your name in this example, Peace and Love man!)
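The George/Paul/Ringo mishap above can be modelled as a pre-send audience check. This is an added example, not Mastodon’s own code: it treats a "direct" post as visible to the addressed account plus every @-mentioned account (local or federated), which is the behaviour the article describes, and the mention regex and handle names are constructed for illustration.

```python
"""Who can read a Mastodon direct message?

Simplified model (not Mastodon's implementation): a post with "direct"
visibility reaches the addressed recipient plus every account @-mentioned
in its text. A client could run this before sending and warn the author
that the draft would be copied to someone they did not intend.
"""
import re

# Matches @user and @user@instance. The lookbehind stops e-mail addresses
# such as paul@abbeyroad.example from counting as a mention of @abbeyroad.
MENTION_RE = re.compile(r"(?<![\w@.])@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.\-]+))?")


def mentions(text: str) -> set[str]:
    """Return the set of normalised handles mentioned in the text."""
    found = set()
    for user, domain in MENTION_RE.findall(text):
        handle = user.lower()
        domain = domain.rstrip(".").lower()  # drop a sentence-ending full stop
        if domain:
            handle += "@" + domain
        found.add(handle)
    return found


def direct_message_audience(sender: str, recipient: str, text: str) -> set[str]:
    """Everyone (other than the author) who can see the 'direct' post."""
    return ({recipient.lower()} | mentions(text)) - {sender.lower()}


def unintended_recipients(sender: str, recipient: str, text: str) -> set[str]:
    """Accounts that would see the message although it was not addressed to them."""
    return direct_message_audience(sender, recipient, text) - {recipient.lower()}


if __name__ == "__main__":
    # Constructed example drawn from the article's scenario.
    draft = "I'll tell you who's a twit. That bloody @Ringo"
    extra = unintended_recipients("george", "paul", draft)
    if extra:
        print("Warning: this direct message would also be visible to:", sorted(extra))
```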

Verified users on Mastodon

As we all know one of the pickles Elon Musk has got himself embroiled in on Twitter is “verified accounts.”

Verified accounts on Twitter (the ones with a so-called “blue tick” – it’s actually a white tick on a blue background) used to be handed out for free to public figures, celebrities, journalists and the like who had verified their identity with Twitter.

They also used to be free, but Musk appears to be hell-bent on doling out verified ticks to anyone who pays a monthly subscription for the privilege.

The rights-and-wrongs of that are outside the scope of this article, but what’s important for Mastodon users to know is that it doesn’t have a “blue tick” system.

Yes, Mastodon users can add an emoji of a blue tick to the end of their username if they wish (or an elephant, or an eggplant… the list is pretty much endless) but it doesn’t mean that they are verified.

But what Mastodon does do is let you self-verify yourself.


Here’s how Mastodon describes the process:

Mastodon can cross-reference the links you put on your profile to prove that you are the real owner of those links. In case one of those links is your personal homepage that is known and trusted, it can serve as the next-best-thing to identity verification.

If you put a link in your profile metadata, Mastodon checks if the linked page links back to your Mastodon profile. If so, you get a verification checkmark next to that link, since you are confirmed as the owner.

I have put a link on this website (grahamcluley.com) to my Mastodon account. To find out what link I had to put in, I logged into the account I have set up on my chosen Mastodon server’s website, and navigated to Edit Profile > Appearance.

In my case the link I have put on grahamcluley.com is: <a rel="me" href="https://mastodon.green/@gcluley">Mastodon</a>

And I have also put a link on my Mastodon account’s profile to grahamcluley.com. Mastodon checks that the two are pointing to each other, and displays a green tick against the appropriate link.
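The two-way check just described, as an added example that is not Mastodon’s own verification code: it scans a homepage for `<a>`/`<link>` tags whose `rel` contains `me` and compares the `href` against the profile URL, then requires the profile’s metadata to list the homepage too. The HTML snippets are constructed inline (one of them is the exact link from this article), so it runs offline; a real check would fetch the homepage first.

```python
"""Model of Mastodon-style rel="me" link verification (added example).

Verification holds only when both directions agree: the profile lists the
homepage, and the homepage links back to the profile with rel="me".
A plain link without rel="me", or a link to a different profile, earns no tick.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalise(url: str) -> str:
    """Canonicalise scheme, host case and trailing slash before comparing URLs."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower() or "https"
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((scheme, host, path, "", ""))


class RelMeCollector(HTMLParser):
    """Collect href values of <a> and <link> tags whose rel tokens include 'me'."""

    def __init__(self) -> None:
        super().__init__()
        self.rel_me_links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()  # rel may hold several tokens
        href = attr.get("href")
        if "me" in rel_tokens and href:
            self.rel_me_links.append(href)


def rel_me_links(html: str) -> list[str]:
    parser = RelMeCollector()
    parser.feed(html)
    parser.close()
    return parser.rel_me_links


def backlink_verified(homepage_html: str, profile_url: str) -> bool:
    """True if the homepage carries a rel="me" link pointing at the profile."""
    target = normalise(profile_url)
    return any(normalise(h) == target for h in rel_me_links(homepage_html))


def mutually_verified(profile_links, homepage_url, homepage_html, profile_url) -> bool:
    """Both directions: profile metadata lists the homepage AND homepage links back."""
    lists_homepage = any(normalise(l) == normalise(homepage_url) for l in profile_links)
    return lists_homepage and backlink_verified(homepage_html, profile_url)


# Constructed sample pages. HOMEPAGE_OK uses the link quoted in the article.
PROFILE_URL = "https://mastodon.green/@gcluley"
HOMEPAGE_URL = "https://grahamcluley.com"
HOMEPAGE_OK = '<p>Find me on <a rel="me" href="https://mastodon.green/@gcluley">Mastodon</a></p>'
HOMEPAGE_PLAIN = '<p><a href="https://mastodon.green/@gcluley">Mastodon</a></p>'  # no rel="me"
HOMEPAGE_MULTI = '<head><link rel="me nofollow" href="https://mastodon.green/@gcluley/"></head>'

if __name__ == "__main__":
    print("tick:", mutually_verified([HOMEPAGE_URL], HOMEPAGE_URL, HOMEPAGE_OK, PROFILE_URL))
    print("tick:", mutually_verified([HOMEPAGE_URL], HOMEPAGE_URL, HOMEPAGE_PLAIN, PROFILE_URL))
```

An impostor account that lists a celebrity’s website in its profile fails the same check, because that website will not carry a rel="me" link back to the impostor’s profile.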


Anyone who wants to confirm that the Mastodon account belongs to the same Graham Cluley who runs grahamcluley.com can see that tick, and know that I’m the real deal.

And now I’ll give you a real-life example of why this matters…

Be wary of following famous/celebrity accounts on Mastodon

Like I said at the beginning, Mastodon is hot right now. Most users are brand new to the site, and don’t know the dangers yet. Furthermore, many famous people and public figures may not yet have established a presence on Mastodon.

So, if you see a Mastodon account for someone famous, always check to see if their profile contains a verified link to their official website.

It’s child’s play for someone to create a fake account in the name of a famous person, and then use the account to spread disinformation, cryptocurrency scams, or malicious links. It would be much, much more difficult for a scammer to add a verified link from the account to the celebrity’s official website.

More to be said

There’s probably a lot more to be said about how to behave safely and securely on Mastodon, but much of it applies to *every* website you post to on the internet. Be wary of links that are shared, don’t trust everything you read, never share your password, be careful not to be phished, etc.

As Mastodon becomes more popular it is almost inevitable that scammers, cybercriminals and fraudsters will attempt to exploit unsuspecting users.

For more discussion of the tips I’ve included in this article, be sure to listen to this episode of the award-winning “Smashing Security” podcast:

Transcript (generated automatically, probably contains mistakes, and has not been manually verified):
CAROLE THERIAULT
Is it worse if I duped you into giving me all your money versus me sneaking into your house and stealing all your money? What's worse?
GRAHAM CLULEY
Well, I wouldn't hopefully store all of my money at home.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
What? So are you having an asthma attack? What's going on?
CAROLE THERIAULT
No, I would of course have many different accounts around the world, and it would be very difficult, in fact impossible, for you to get all my money.
Unknown
However, Smashing Security Smashing Security, episode 297, Mastodon 101 and the Hush Puppy Saga with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, episode 297. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault. It's a big number, isn't it, Graham?
GRAHAM CLULEY
Well, it's a bigger number than last week and the week before, and that's the way numbers work, Carole. They just keep on going up and up until we die, until we drop dead.

And there's no more podcast. What a shame. Cheery.
CAROLE THERIAULT
Cheery. So cheery that we haven't a guest today.
GRAHAM CLULEY
No.
CAROLE THERIAULT
Today is a very big day in North America, midterm elections on the day of recording.
GRAHAM CLULEY
We tried to get a leading politician, didn't we, from America to come along and appear on the show, but they were busy.
CAROLE THERIAULT
They were busy. So it's just us this week. Don't worry, we've got some good stories.
GRAHAM CLULEY
Maybe we'll get Joe another week. Anyway, never mind.
CAROLE THERIAULT
But before we kick off, let's thank this week's sponsors. Bitwarden, Sealit, and Kolide. It's their support that helps give you this show for free.

Now coming up in today's show, Graham, what do you got?
GRAHAM CLULEY
Mastodon, Mastodon, Mastodon. I'm going to talk about Mastodon.
CAROLE THERIAULT
Okay. And I'm going to find out if Hushpuppi is actually now hushed. All this and much more on this episode of Smashing Security.
GRAHAM CLULEY
Now, chum chum, what a big week it has been. In the Twittersphere.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
It's all gone very smoothly, hasn't it? I mean, we talked about it last week in some depth, that the turmoil that has been caused by Elon Musk's takeover of Twitter.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Which has had an unexpected consequence.
CAROLE THERIAULT
One? I think more than one.
GRAHAM CLULEY
Well, yeah, a number of consequences, a number of consequences. Obviously, the man-child billionaire that is Elon Musk is causing havoc on Twitter.

With his pronouncements, with his bizarre behaviour, particularly in election week. But never mind, let's not focus too much on that.

As we all know, at least I thought I knew, I thought I knew what Elon Musk was spending $44 billion on.
CAROLE THERIAULT
Did you?
GRAHAM CLULEY
I thought he was spending $44 billion on buying Twitter. Turns out that's not the case.
CAROLE THERIAULT
Is it not?
GRAHAM CLULEY
No.
CAROLE THERIAULT
What's he buying?
GRAHAM CLULEY
What he's actually done is he's spent $44 billion promoting another service, which many people won't have heard of before, called Mastodon.

And Mastodon is a sort of Twitter without all the bad stuff. It's where you go if you liked Twitter, but you're worried that Twitter's going down the pan.
CAROLE THERIAULT
Right, it's like the next evolution, perhaps.
GRAHAM CLULEY
Well, Twitter is evolving at an enormous rate, but maybe not in a good direction.
CAROLE THERIAULT
Devolving, perhaps.
GRAHAM CLULEY
Perhaps, perhaps. Curiously enough, Mastodon, of course, is named after a— wasn't the mastodon, wasn't that a great big woolly mammoth or something?

I think in the— oh, I'm not an archaeologist. I'm not someone who digs up fossils.
CAROLE THERIAULT
Don't worry, you carry on. I'll find out.
GRAHAM CLULEY
All right. You find out while I'm talking about this. But anyway, yes, Mastodon is an unusual alternative to Twitter, which has proven in the last few days to have enormous success.

Because floods of people, I wouldn't say they're necessarily closing their accounts on Twitter, but what they are doing is they're worried and they're trying out Mastodon.
CAROLE THERIAULT
So they're worried that how are they going to live? They need to sleep, eat, go to the bathroom, and tweet?
GRAHAM CLULEY
Well, well, here's the thing. You can still tweet, obviously, on Twitter. You can do that. But rather than tweeting on the loo, wouldn't you rather toot?

Because that's what Mastodon allows you to do. It allows you to toot. Now, I personally don't like the verb to toot. It sounds a little bit like—
CAROLE THERIAULT
I don't know what you mean to toot. What do you mean?
GRAHAM CLULEY
On Mastodon, the official terminology for a post is a toot, just like on Twitter, it's a tweet.
CAROLE THERIAULT
Right. Thanks. That's good. Now I'm not going to look so stupid when I talk about it.
GRAHAM CLULEY
So now I personally prefer to say post.

And in fact, on my Mastodon app, I've managed to change the button so it says post rather than toot, because it just pleases me more because I'm of a certain classy nature.
CAROLE THERIAULT
Tweetiness. Yeah.
GRAHAM CLULEY
Yeah, maybe. But no, I don't think that's— I think what people are concerned about is a whole variety of things, right?

Elon Musk bought Twitter and said, we need to have freedom of speech, right? He's very big on freedom of speech. And other people are saying, you know what?

Twitter's pretty nasty as it is, even with thousands of people moderating the content and getting rid of the unpleasantness. Do we really want complete free-for-all here?

And what's happened is Elon has fired a lot of Twitter staff, something like 50% of his staff have gone.
CAROLE THERIAULT
Yeah, 3,700, I read.
GRAHAM CLULEY
Is it? It's a huge number, isn't it?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Huge number of people have gone. Many of them were involved in moderation.

It was reported that use of the N-word, I don't have to tell you what the N-word is, we're not going to say it on this show, but use of that rose something like 500% after Elon Musk bought the site and people began testing just how much they could get away with.

So people are concerned there's going to be even more toxicity on Twitter.

Plus, Elon, of course, is trying to make money out of Twitter, not only with verified accounts, but he's also looking to monetize advertising more.

So to get more information out of you.

In fact, one of the ways in which he's actually promoting the verified accounts, he's saying, if you get yourself your little new blue tick, which you pay maybe $8 a month for, then what we will do is you'll only see half the number of ads.

And he's saying, if you pay the money, you'll also have more targeted ads, he says. The ads will be better, he says, than the ones used for the masses.
CAROLE THERIAULT
We know, I think we know about him, that he's not someone who kind of sits around and ponders for very long periods of time before he starts blue sky thinking. Right.

And that's worked for— in his favor in some respects, certainly. But it's also led to some, you know, rather insane behaviors.
GRAHAM CLULEY
Yes. Yes.
CAROLE THERIAULT
To me, this sounds fairly logical though.

If he had to purchase something that he didn't want to buy after he changed his mind and flip-flopped because, you know, he's a high-stakes roller, he's going to want to recoup as much money as possible.

And he seems to be doing it like crazy, like fire staff, charge people more, everything's going go, great, no one's going to leave.
GRAHAM CLULEY
Yeah. Well, people are leaving and people are concerned.
CAROLE THERIAULT
But how many people are leaving? Like 1%? Probably not even, right?
GRAHAM CLULEY
Well, at this stage, maybe. But what struck me is that I've encountered a number of people over the last few days who've been saying to me, what's this Mastodon thing then?

People who work outside of cybersecurity, people who aren't addicted to Twitter. I turned on the radio, I went to the supermarket earlier today. What were they talking about?

They were talking about Mastodon on the radio.

And I think if you remember when Twitter became really popular, Twitter became really popular, I think when Ashton Kutcher started going on about it all the time and it sort of reached that critical mass and the numbers of people who've been switching to Mastodon and the impact that's had on Mastodon sites with sites slowing down because of the deluge of traffic.

And I've had a Mastodon account for years 'cause I'm a bit geeky and nerdy. And to be honest, for years and years, all I ever did there was—
CAROLE THERIAULT
I just love how you say that as though the listeners don't know that.
GRAHAM CLULEY
All I did was I was tooting at Maria Varmazis, the only other person I really knew who was on Mastodon, right?

And so we would exchange toots, right, back and forth, and that would be about it. Now I am getting more messages on Mastodon than I do on Twitter.

I'm getting more engagement, more people replying to my messages. I'm having hundreds and hundreds of new people following me every day on Mastodon.

And that's crazy because I had a lot of followers on Twitter, but Mastodon works much better. It seems to be a nicer place.
CAROLE THERIAULT
So, okay, you had access to Mastodon for a long time and it took the huge shove of Elon Musk kind of destroying the camp for you to go, okay, then, oh, this is really nice.

You've been there a long time and you haven't waxed lyrical till now.
GRAHAM CLULEY
No, no, no. I knew it was nice before, and I have written about it before and spoken about it before. The problem was there weren't very many people on it.

And it's like many of these sites, until you have a critical mass of people, they don't take off. And it's always that chicken and egg.

How are you gonna get people to come along if they don't know anybody there? It's a bit like getting—
CAROLE THERIAULT
You were basically this kid in the sandbox playing on your own with some sand, and now there's some other kids now going, hey, you wanna play in the sandbox?
GRAHAM CLULEY
I want to stress, not just me, but there weren't a huge number of people.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
But now their numbers have grown enormously and every hour there are thousands and thousands and thousands of new users of Mastodon, which is actually according to Twitter's own stats.

So it produces annual stats of how many users are added every day. Mastodon is getting more users every day than Twitter is.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
And of course, people will be leaving Twitter as well because of the ads, because of the messing around with the timeline, not showing you stuff in chronological order, et cetera, et cetera, et cetera.
CAROLE THERIAULT
Okay. I'm asking you a question here. Do you think, I want you to put your name on the line. Do you think that Mastodon's gonna be the next TikTok?
GRAHAM CLULEY
I don't know that it'd be the new TikTok.
CAROLE THERIAULT
For old people.
GRAHAM CLULEY
Oh yeah, exactly. 'Cause TikTok's not for me. I don't want videos.

So I don't know about that, but I think Mastodon has just become another big player, but an unusual one because Mastodon, unlike the Twitters, unlike the Facebooks, is not owned by one entity.

It's not owned by one billionaire. It's a decentralized network, which means no one can ever buy it. No one can ever decide we're going to have ads on it.

No one can ever scoop up everyone else's data and information and try and exploit it. And I think people quite like it.

Now, as we're seeing lots of people coming on to Mastodon, what I thought would be useful— I know we have a slightly nerdy audience.

Well, people who are interested in technology listen to Smashing Security, and I thought it'd be useful, as many of those people might be considering checking out Mastodon, just running through a few of the things you should consider.
CAROLE THERIAULT
Right. Okay.
GRAHAM CLULEY
Security and privacy-wise. Okay. Some of these are bleeding obvious to you and me, maybe not to all Mastodon users.

And if you've got, you know, friends and family who are going on to Mastodon, these are things to bear in mind as well.

Some of them you may not have realized and are like, whoa, that's a bit weird. All right. So let's begin.
CAROLE THERIAULT
Let's go.
GRAHAM CLULEY
Here's the most obvious one. Passwords.
CAROLE THERIAULT
Yeah, yeah, yeah.
GRAHAM CLULEY
On Mastodon. All right. On Mastodon. Choose a strong, unique password, right?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Don't use the same password, right? Don't use your Twitter password. Otherwise Elon might log into your account.
CAROLE THERIAULT
Store it in your handy password vault.
GRAHAM CLULEY
Have a password manager, actually a password vault. Securely store your password. So that's, you know, kind of what we say all the time, isn't it? Have strong passwords, right?

But that, of course, is the first step.

With Mastodon, you can also enable two-factor authentication where it's not just going to ask you for your password, it's going to ask you for a one-time time-based password, and that's generated by an app on your phone or maybe your password manager, et cetera, et cetera.

Again, something we talk about a lot.
CAROLE THERIAULT
And good that they have it.
GRAHAM CLULEY
Yeah. Good that you can do it. And in fact, you can do it even better. You can actually also enable a hardware authentication key.

So if you have something like a YubiKey, which you use, and some people who are really concerned about security and privacy have those, 'cause it's an extra step beyond the authentication app.

Well, Mastodon handles that too. All right. Cool. Now, this is an important one, which is direct messages.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Now, direct messages, they work differently on Mastodon than you might expect.
CAROLE THERIAULT
Are they called direct toots?
GRAHAM CLULEY
No, no, they're called direct messages. Unimaginatively. They could have—
CAROLE THERIAULT
They could have had so much fun.
GRAHAM CLULEY
So a direct message isn't really private. It's not encrypted. The messages are stored in clear text on your Mastodon server.

Well, not everyone, but there's lots of different Mastodon servers.

As I said, it's not just one site, but the server which you've chosen to associate your account with, they could see your messages.

So if you're messaging someone, just be aware someone else could read that.

And to their credit, they actually display a message saying, don't share any sensitive information over Mastodon and don't on your direct messages, you know, don't say something which you wouldn't want someone else to see.

Instead, what you should do, of course, is use a secure messaging system like Signal. Another thing that we've tried to get people to switch to but hasn't reached critical mass.

So everyone's on bloody WhatsApp instead, owned by Mark Zuckerberg or some other ghastliness. Right, so that's a fairly simple message, right?

Which is that the messages aren't encrypted, they could be read by someone else, the direct messages. But there's a bigger danger with Mastodon direct messages.

So imagine this, imagine that me and Maria are talking on Mastodon, right? In a direct message.
CAROLE THERIAULT
Right, you're going, "You know what Carole did yesterday? Let me tell you what Carole did. You won't believe it."
GRAHAM CLULEY
Exactly. And if I had gone oh, that bloody @Carole, right? If I'd mentioned your username with the little symbol in front of it, it copies you in on the bloody message.
CAROLE THERIAULT
Isn't that— doesn't Twitter do that?
GRAHAM CLULEY
Not in a direct message, it doesn't.
CAROLE THERIAULT
Ah, I see. I see. So you think you're alone in your little world and then I'm suddenly just hoovered in to see the message of you bitching about me.
GRAHAM CLULEY
Exactly. So this is specifically about— it doesn't happen with any other username. It's specifically if anyone's— no, of course it does. It happens with any username.

So if you mention anyone else, so the example, I've written a blog post about this and I'm imagining that the Beatles are arguing at Abbey Road, for instance, and George and Paul are bantering around, slagging off Ringo's drumming, and they make the mistake of tagging Ringo.

And before you know it, the Liverpool lover from Liverpool, you know, can see that his bandmates are slagging him off.
CAROLE THERIAULT
This is a very good reason to have nicknames for people like "the dweeb" or—
GRAHAM CLULEY
But imagine this. Imagine you weren't just slagging off a friend. Imagine you were saying, I've just received a really creepy message from this user or from this guy.

And you included his account name in the person you were telling it to, like, watch out for this guy, he just posted a dick pic at me or something.
CAROLE THERIAULT
Yeah. Yeah.
GRAHAM CLULEY
And he would then get included in that, which you don't want. So there is a serious side to this.

It's not just a bit of, oh dear, suddenly your abuser could know that you're complaining about them.
CAROLE THERIAULT
Is this something they're dealing with or is this something?
GRAHAM CLULEY
This has been the case for years and I don't know if there are any plans.

I mean, as it becomes more mainstream, I think historically they've kind of thought, well, we warn people about this and we tell people, you know, don't do these things because it could be— it's more of a conceptual way of how these so-called direct messages work, I think, because it's really a post.

It's really a post which you've said only this person with this user ID can see. So if you mention someone else's user ID, it includes them on the visibility to the post.

Does that make sense?
CAROLE THERIAULT
I completely understand what you're saying. I think our listeners are probably following too. What I'm wondering is why offer direct message at all?

Because that's not what it should be called.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
It's more like, I don't know.
GRAHAM CLULEY
What is it? Yeah. I think people are expecting a direct message facility because they're used to it from other services. But it's a problem.

I would like to see them somehow address this.
CAROLE THERIAULT
I would call it mini broadcast.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Instead of a mega broadcast.
GRAHAM CLULEY
Yeah, yeah. Maybe a silent but deadly toot, perhaps. Something which warns people.
CAROLE THERIAULT
I'm not sure about the name toot. I think that's also—
GRAHAM CLULEY
That boat has sailed. That boat has sailed.
CAROLE THERIAULT
Where are they from?
GRAHAM CLULEY
Where's who from?
CAROLE THERIAULT
Mastodon. Where was it conceived?
GRAHAM CLULEY
A German guy originally.
CAROLE THERIAULT
Oh, well.
GRAHAM CLULEY
But now it's open source.
CAROLE THERIAULT
They're very smart people, so.
GRAHAM CLULEY
They are, they are, they're intelligent.
CAROLE THERIAULT
They are.
GRAHAM CLULEY
Bit of tooting, you know, all that sort of thing. So, okay, I think that's quite a biggie for people to be aware of. Yeah.

You jump in, you think it's just a Twitter replacement and suddenly, uh-uh.
CAROLE THERIAULT
Don't bitch about Carole, yeah. Right. You never know, I might be on there.
GRAHAM CLULEY
Okay, now another one. Elon Musk keeps talking about verified accounts, right? He's got himself in a broad and all of that, the so-called blue tick thing, flogging it to people.

And blue ticks have historically been given to public figures, celebrities, top cybersecurity podcasters, that kind of thing, journalists, that sort of thing to verify their identity.

Of course, he's now gonna be charging. People want to be verified on Mastodon as well to say, yes, this really is me, right? This isn't a fake Graham Cluley.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Some people, I saw Maria Varmazis do this, she added an emoji of a blue tick to the end of her username. So every time her name appears, you also see the blue tick symbol.

It's actually a white tick on a blue background, but you get the idea.
CAROLE THERIAULT
I mean, it's very clever, but it's not like someone couldn't do that. Yeah. Yeah.
GRAHAM CLULEY
But to the casual user, they might be fooled by that. Well, don't be fooled by that or any other kind of emoji.

But what Mastodon does do is it doesn't have a verified program like Twitter used to. It does let you self-verify yourself.

So what you can do is in your profile, you can include links like a link to your website, for instance, if you have one. And so I link to my website.

I say, here's my website, grahamcluley.com, blah, blah, blah, blah, right? Meanwhile, on my website, that links back to my Mastodon account.

And so the two see each other and it says, oh, Graham is pointing here and he's pointing back to here.

And because only Graham presumably can administer his website, this must be the real Graham.
CAROLE THERIAULT
That's interesting. Yeah, yeah, yeah. That's interesting. That's rather cute. Yeah.
GRAHAM CLULEY
So you can at least see if you go to someone's profile and look in their about information, if they have something there which they haven't just included a link, but it's got a little green tick on it, that means that it's been verified as they actually have control over that domain.

So I have control over Graham Cluley conferences. And if we created a Smashing Security Mastodon account, we would do the same thing with that as well. So why else is this important?

This is my final really big tip on Mastodon is you are leaping onto Mastodon and you're looking for people to follow and maybe you're looking for famous people, maybe you're looking for celebrities that you used to follow on Twitter, because that was a big reason why people liked to use Twitter to see what celebs were doing.

Well, it's really easy for anyone right now to create an account using the names of famous people on Mastodon, people who may not have established a presence on Mastodon.

So make sure you go to their profile and look for a verified link to their official website, one with the little green tick mark.

Because otherwise it might be a fraudster who's at work and they could post disinformation, cryptocurrency scams, malicious links, whatever it might be.

So just be careful because I think what happens is people go on to Mastodon, they're looking for people to follow, and Lord knows how many people right now are creating accounts in the name of Elon Musk.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
So it's pretty fun. I think play with it, but be careful. Obviously, the usual rules apply for any website you're posting on. Be wary of links that are shared.

Don't trust everything you read. Never share your password. Take care about being phished.
CAROLE THERIAULT
Or, you know, take a break from social media.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
Just calm down a bit.
GRAHAM CLULEY
Well, it's easy for you to say, Carole. Why?
CAROLE THERIAULT
Because I'm on the other side saying, hey guys, it's really fun. I also say that about, you know, yoga.
GRAHAM CLULEY
I mean, you are just better than us. You're better than all the rest of us.
CAROLE THERIAULT
I'm not better than you. You guys are just in some weird Warpville.
GRAHAM CLULEY
I wouldn't believe all that stuff people have been writing about you on Mastodon in my direct messages. Don't worry about it.
CAROLE THERIAULT
I'm not.
GRAHAM CLULEY
Don't worry about it. Nice try though. Carole, what have you got for us this week?
CAROLE THERIAULT
Do you remember Hushpuppi? Hushpuppi with an I. Ray Hushpuppi.
GRAHAM CLULEY
Not the things you put on your feet. You're talking about— This guy was an extraordinary Instagram influencer who got into a spot of bother.
CAROLE THERIAULT
If you tell the whole story right now, it's gonna be quite a short story. Just want you to know that.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Just go, yeah, yeah, I do, I do.
GRAHAM CLULEY
Hushpuppi, yeah, Ray Hushpuppi. I remember him. Yes. I think we've talked about him before, haven't we? Yes.
CAROLE THERIAULT
Do you remember his real name?
GRAHAM CLULEY
No, no, no, no.
CAROLE THERIAULT
Raymond Abbas. Okay. Raymond Abbas. And quite the Instagram influencer, wasn't he? Insta. He was Insta Man.
GRAHAM CLULEY
He had all the luxury brands, he was flying around the place.
CAROLE THERIAULT
Yeah, yeah, 2.5 million followers, so not bad.

And yeah, most of his stuff on his site seemed to be him looking really rather smug, very well groomed, with that kind of shiny complexion that can only come from— I don't know what the rich put on their skin.

You know, spoiled, deserving, looking deserving. Yeah. And maybe you're just saying this is why people join social media to go look at these kind of people.

So he has 2 million followers because people want to see pictures of a smug, rich, spoiled, and deserving looking person. Is that right?
GRAHAM CLULEY
You're being a little bit unfair, Carole. He's having a fantastic life. He's seeing the world.

If you are living in Doncaster and it's raining all the time, you might want to see someone having a fantastic time on a private jet flying to Paris expensive watches, you may just like, oh, that's great, how good for him, you know, guy having a great old time.
CAROLE THERIAULT
Just watch a travel ad. Well, I suppose the thing is, when you look at this, it's going, well, where you're getting all your money, right? This is an expensive lifestyle.

We're talking, you know, yachts and, you know, swanky cars and the clothes and the threads and everything.

And he publishes this, of course, by cybercrime and money laundering, specifically BEC scams, because Hushpups— Hushpups isn't into lonely grannies anymore.
GRAHAM CLULEY
Hang on, hang on. Are you on first name terms with Hushpups? Well, no, mind you, you're not calling him Ray, you're calling him Hushpups.
CAROLE THERIAULT
Yeah, that's my nickname for him.
GRAHAM CLULEY
Okay, great.
CAROLE THERIAULT
You see, now I can gossip about him on Mastodon and he would never be the wiser. You see? Smart. Anyway, Hushpups, he's not into lonely grannies anymore.

This is how apparently he cut his teeth though, in the cyber underworld. But now he's into the big time where the fishies are fatter, juicier, richer.

And he used these BEC compromises to do businesses, you know, and you know how it works.

You know, you pretend you're someone legit in order to get someone to hand over money to you, right? And then they feel screwed.
GRAHAM CLULEY
Yeah. So this is where companies are fooled into transferring money into a scammer's bank account because they think it's someone they're doing business with also. Yeah. Okay. Yeah.
CAROLE THERIAULT
But you know, I was thinking when I was writing this, I was like, what's worse?

Is it worse if I duped you into giving me all your money versus me sneaking into your house and stealing all your money? What's worse?
GRAHAM CLULEY
Well, I wouldn't hopefully store all of my money at home.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
But, sorry, are you alright? Are you having an asthma attack? What's going on?
CAROLE THERIAULT
No. 'Cause could we just— I would of course have many different accounts around the world and it would be very difficult, in fact impossible, for you to get all my money.

However, to answer your question, I wouldn't want Ray Hushpuppi coming into my home.
GRAHAM CLULEY
That'd be quite scary in the middle of the night. I wouldn't enjoy that. No, I wouldn't want anyone coming into my house uninvited.
CAROLE THERIAULT
But being duped is extra because you still end up with no cash. Yeah, but someone's basically snaked their way into your trust field and convinced you to give them all your money.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And the thing is that, you know, Hush, Hushie, was quite successful at his new nickname, his criminal craft, to the tune of $24 million.

On top of that, he has been called one of the most prolific money launderers in the world.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
We've talked about some of these things before, but he helped his handful of cohorts to launder millions of pounds stolen from a Premier Football Club in the UK.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
He also got a New York-based law firm to transfer nearly $923,000 to a criminal account. This is how he affords his fast cars and the like, right?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
In 2019, he helped launder $14.7 million stolen by a North Korean hacker group. From a bank in Malta. And he funneled the money through banks in Romania and Bulgaria.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
He also tried to defraud someone in Qatar by selling a $15 million loan to build a school. And I said tried because this was the beginning of his downfall.

And we covered this— by we, I mean you covered this in episode 265. Do you remember the story?
GRAHAM CLULEY
Oh, one of my favorites. Well, I, of course, I remember every single word that I said.
CAROLE THERIAULT
Do you? No, but do you remember this one? Or do you want me to give you a little hint?
GRAHAM CLULEY
Well, maybe, maybe I'd love, I'd love to hear your telling of it, Carole, rather than, you know, people get bored of my voice.
CAROLE THERIAULT
I never remember my stories either. Isn't that crazy? So this is where Hushpuppi and co.

apparently faked the financing of a Qatari school by playing the roles of bank officials and creating a bogus website.

And he and one of his conspirators, Vinny, Vinny fell out mid-swindle. Hey.
GRAHAM CLULEY
Hey, Vinny, Vinny.
CAROLE THERIAULT
Yeah, that's exactly what he did on that show as well. 'Cause I listened to it earlier today.
GRAHAM CLULEY
Okay. Okay.
CAROLE THERIAULT
And Vinny got pissed off with him and he snitched.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
On Hushpuppi to the Qatari target. But then Hushpuppi bribed a fellow Nigerian Instagram influencer, Dirty Supercop, to bring Vinny down. Okay.

You can hear the whole story in episode 265, 'cause it is a crazy story. You couldn't make it up.
GRAHAM CLULEY
It is an extraordinary story. Yeah. And he was tied up with the North Koreans, as you said, and the Lazarus Group.

And it's, there's more to read about this in Geoff White's book as well. If you grab a copy of The Lazarus Heist. Yeah.
CAROLE THERIAULT
Yeah. There you go.
GRAHAM CLULEY
Plug for you, Geoff.
CAROLE THERIAULT
Yes. Good plug. Good plug.

Anywho, Hushpuppi, aka Ramon Abbas, he was arrested in 2020 in Dubai, then flown to the US in June 2020 to face charges of multimillion-dollar fraudulent schemes, including bank cyber heists.

In 2021, he reportedly pleaded guilty to money laundering in an LA court.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
And this week he was scheduled for sentencing. And before getting his sentencing, he worked very hard to get his sentence reduced.
GRAHAM CLULEY
Well, that's what I was thinking. 'Cause you said he was found guilty in 2021 and he's only been sentenced now.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
I suspect in the interim he has been helping the authorities a little bit.
CAROLE THERIAULT
Yes, he may have been helping the authorities, but he's also begging.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
So 40-year-old Hushpuppi has personally sent a handwritten letter to the judge giving assurances that he is a changed person and promising to make full restitution in excess of the benefits he derived from the crimes to the victims.
GRAHAM CLULEY
Hmm.
CAROLE THERIAULT
Which I'm sure if you parse that legally means probably not doing too much of that.

Apparently, two imams also wrote to the judge in Los Angeles appealing for leniency, saying he regularly helped out widows and orphans, as well as donating things to feeding programs.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And his wife wrote in too, saying his arrest has plunged her into hardship, noting that she has to do overtime in order to pay for their children's private education.

I bet you feel her pain, Clue.
GRAHAM CLULEY
She could possibly send them to state-funded schools instead, couldn't she? If she's really hard up.
CAROLE THERIAULT
She could. Yeah. If you're feeling hard up, that is the solution, isn't it?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah. So this guy is now saying, I'm a real Robin Hood. I did hone my skills by duping and robbing our grannies and then went to businesses. But please, please, pretty please, please.

However, he was still sentenced to what they were expecting, 11 years. Ooh. And he sports a $2 million restitution hole in his pocket. Which he needs to pay back. So, there you go.

Do you trust him? Do you think he's changed? Do you think he's turned a new leaf, become a good guy?
GRAHAM CLULEY
Well, he's got 11 years to ponder about it, hasn't he? And, you know—
CAROLE THERIAULT
What's annoying is he stole tons of money. It's not like he was giving all this money to good causes. No.

He's obviously helped a few people, but he did hurt a huge amount of people and businesses. And then showed off.
GRAHAM CLULEY
Yes. And what to think about all those poor Instagram followers who are no longer going to be entertained?

Is he going to be posting pictures or is he going to be tooting from the prison cell, I wonder?
CAROLE THERIAULT
Will Hushpuppi be hushed up? Find out next time.
GRAHAM CLULEY
He'll have fun smuggling the phone in, I expect. That's what normally occurs, from what I've been told.

We all know that data is the most important asset of any business.

And the value and usage of information makes data very tempting to thieves.

With Sealit, however, you can protect, share, and monitor confidential emails and files without passwords. And it's all integrated with Gmail, Outlook, and file systems.

Deploy Sealit across your organization within minutes and achieve peace of mind thanks to its end-to-end encryption that relies on the Zero Trust security model.

Get the right tool to own your data and gain great Sealit benefits. Plus, Sealit is offering a very special deal for all Smashing Security listeners.

Anyone who signs up for the professional plan before 2nd of December, 2022 can grab 30% off Sealit for a year.

And if you sign up to Sealit, listeners can also grab a free Sealit signature no trust t-shirt.
CAROLE THERIAULT
Woo-hoo!
GRAHAM CLULEY
Check out more about Sealit and take advantage of these offers at smashingsecurity.com/sealit. That's smashingsecurity.com/sealit. Com slash S-E-A-L-I-T.

And thanks to Sealit for supporting the show.
CAROLE THERIAULT
Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go, or at work?

Bitwarden's password manager securely stores credentials spanning across personal and business worlds.

A free Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials.

These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden.

I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user.

Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY
The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder.

You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets.

But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide.

Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system.

Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't.

And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack.

You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how.

If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's kolide.com/smashing. And thanks to Kolide for supporting the show.

And welcome back. And you join us for our favorite part of the show, the part of the show that we call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security-related. Last night I popped out onto the puddled streets of Oxford to go to the cinema to see a film.
CAROLE THERIAULT
In the cinema? What is this, 1999?
GRAHAM CLULEY
The cinema. Actually there, surrounded by people. Someone actually was chomping on popcorn. There was a lady in front of the popcorn chomper who got very upset and turned around.

This isn't as dramatic a story as what happened to you, Carole, in the Viennese opera. But it was—
CAROLE THERIAULT
No, but obviously really dramatic in a movie theatre that someone says, "Do hush with the popcorn eating." For Oxford, it was quite dramatic.
GRAHAM CLULEY
Anyway, I was there to see a movie, a movie starring Bill Nighy. Is that how you say it, Bill? Bill Nighy.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And I like Bill Nighy. Do you like Bill Nighy?
CAROLE THERIAULT
Me too.
GRAHAM CLULEY
Yes. I do too.
CAROLE THERIAULT
I don't know why, but I've always liked him.
GRAHAM CLULEY
He's just got that irascible sort of rogue sort of thing about him, hasn't he? He talks a bit— That's quite a good impression.
CAROLE THERIAULT
Did he do the Nescafé ads? Did he do those or that's the other one? I mix them up with something.
GRAHAM CLULEY
Are you thinking of the professor from Buffy? He used to do them.
CAROLE THERIAULT
Yeah, exactly. I mix them up. But I think Bill Nighy did— Did Bill Nighy do them too?
GRAHAM CLULEY
Probably. I don't remember Bill Nighy doing coffee adverts, but maybe he has. Anyway, the movie I saw was called Living. L-I-V-I-N-G.

And Bill Nighy's not doing his usual shtick of being Bill Nighy. I think quite often he's asked to be Bill Nighy, right? He's got certain quirks about him.
CAROLE THERIAULT
What?
GRAHAM CLULEY
I've seen him in Love Actually, and I've seen him in About Time, and I've seen him in Doctor Who.

And, you know, I think he's got quite a lot going for him, but he's quite often a little bit, you know, sort of aging rock star kind of thing. Anyway, he is superb in this.

He gives such a measured, gentle, quiet, unshow-offy performance. And he's actually—
CAROLE THERIAULT
He always does. He's excellent at it.
GRAHAM CLULEY
All right. I think he's doing something different in this one. Anyway, let me tell you about the story. It is set in the 1950s and it is set in London.

And Bill Nighy is working at the London City Council, as it was then. And he's told that he has a fatal illness.
CAROLE THERIAULT
He's gonna die, right? He's only got 6 months to live. This is a comedy?
GRAHAM CLULEY
And it inspires him to change some of his life and cram a bit of fun in and spread a little bit of good.
CAROLE THERIAULT
Oh, are you getting a message before you get on your announcement? You're going to start having fun now?
GRAHAM CLULEY
What? Before I get—
CAROLE THERIAULT
Start living the dream?
GRAHAM CLULEY
Before I go to the doctors, you think? It's rather lovely. And he meets up with a sunny young female colleague. I pictured you and me actually, Carole.

I thought, here I am, the aging, irascible veteran, and the young flighty thing, you. And she has all this pep, she has all this vim and zest and ignites something.

And they don't get off. There's no smuttiness going on. There is a belly dancer at one point, but other than that, there's nothing like that. But it's lovely.

The screenplay is by Kazuo Ishiguro, who did The Remains of the Day, and it is based upon a film which came out in 1952 in Japan called Ikiru.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Which Kazuo Ishiguro loved. And apparently that is based on a story by Leo Tolstoy from 1886. But anyway, it is a delightful movie. I really liked it.

It's called Living, and I recommend it.
CAROLE THERIAULT
Right. And how are you—
GRAHAM CLULEY
There are no superheroes. There's no great big punch-ups, there's no car chases, and that's how I like my movies.
CAROLE THERIAULT
Well, you're not going to like my pick of the week.
GRAHAM CLULEY
Oh, what's your pick of the week, Carole?
CAROLE THERIAULT
Well, mine is Netflix series called KLEO. I think I've told you about this. I don't know if you've dived in yet, Graham.
GRAHAM CLULEY
KLEO like Cleopatra? Is this set in Egypt thousands of years ago?
CAROLE THERIAULT
No, K-L-E-O. So it's actually set in Berlin, late '80s, early '90s.
GRAHAM CLULEY
Oh, Berlin in the '80s, I see.
CAROLE THERIAULT
And we have Jella Haase. She is playing Kleo Straub, who is an unregistered agent for top-secret Stasi department.

And her main job is to nip from East Berlin to the West to eliminate enemies of the state.
GRAHAM CLULEY
Ooh, this sounds juicy.
CAROLE THERIAULT
Yes. And she does this with cold, calculating, unflinching demeanor, right? So she's a real killer machine.
GRAHAM CLULEY
Does she do kickboxing or anything like that? Does she do a high kick?
CAROLE THERIAULT
She's just got that real kind of stillness about her when she's in the zone. But then she morphs into quirky, cute, sassy kind of character.

So it's a bit Villanelle from Killing Eve.
GRAHAM CLULEY
Oh, Killing Eve. Yes.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
She's an assassin, isn't she? Yes.
CAROLE THERIAULT
Oh, wonderful. Yes. So it has a similar hook to that, I think.

And basically Kleo wants revenge on all those that hurt her, and she finds unusual sidekicks to help her along because it's pretty, you know, it's a bit of a thriller killer revenge story until these two who provide a bit of comedic relief show up in the story.

So you have Thilo. He's kind of, I think, the metaphor for West Germany because he's kind of just this kid jumping as in pastry. No, Thilo as in T-H-I-L-O.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
Yeah, and then there's this undercover cop from the West that she meets up with called Sven. And they both end up bringing unusual twists to the story.

And of course, the backdrop is late '80s, early '90s.

So the Wall's coming a-tumbling and the entire communist regime is falling apart in East Berlin, and the production is stylish, edgy, fun.
GRAHAM CLULEY
And this is a series, is it, on Netflix?
CAROLE THERIAULT
Yes, series. There's 8 parts, I really enjoyed it. If you like Killing Eve and miss it, this is a very good substitute.
GRAHAM CLULEY
Hmm.
CAROLE THERIAULT
So that is Kleo, and you can find it on Netflix. And that is my pick of the week.
GRAHAM CLULEY
So there you are. You can choose between—
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
1980s Berlin assassin or my civil servant having a very quiet, gentle time as he faces his—
CAROLE THERIAULT
I think it says a lot about our personalities, Clue.
GRAHAM CLULEY
It really does, doesn't it?
CAROLE THERIAULT
It really does.
GRAHAM CLULEY
And that just about wraps up the show for this week. You can follow us on Twitter, we're still there.

We haven't created a Mastodon account yet, @SmashinSecurity, no G, which wouldn't allow us to have a G. And we also have a Smashing Security subreddit.

And don't forget, we would love you to never miss another episode.

And the way to do that is to follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And huge, huge thank you to this episode's sponsors, Bitwarden, Kolide, and Sealit.

And of course, to our wonderful Patreon community, it's thanks to them all that this show is free.

For episode show notes, contact and sponsor information, and free access to the last 296 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye!
CAROLE THERIAULT
Clue, I have a little idea for you.

Why don't you walk me through creating a Mastodon account and we could record the process and all my feelings and all the frustrations and we can slap it up for our Patreon listeners?

So if anyone wants to create one, they can do one with you telling them how to do it.
GRAHAM CLULEY
We could do that, yeah.
CAROLE THERIAULT
You know what I mean? As a kind of maybe Xmas special or something.
GRAHAM CLULEY
Yeah, that could be fun as well.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
You'd get exasperated with me.
CAROLE THERIAULT
Oh, and I suspect you with me as well. Patreon supporters, you like this idea? Let us know.

Take care of yourself and any friends who are venturing onto Mastodon, and if you have any questions either follow me on Mastodon or leave them below.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

7 comments on “Mastodon: What you need to know for your security and privacy”

  1. Jon Ribbens

    It might be worth pointing out that verification doesn't seem to get transmitted between servers. For instance, if I click on you on my Mastodon server, it takes me to the URL https://mastodon.social/@, which shows your information and your links, but not the fact that one of the links is verified. (Note that if you're not logged in as a user on mastodon.social, that URL will just redirect you to mastodon.green instead.)
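    The green tick discussed in the transcript above, and in this comment, rests on one concrete check: the server fetches the URL listed in the profile's metadata and looks for an `<a rel="me">` or `<link rel="me">` element on that page whose href points back at the profile. The script below is an added example that reimplements that check so you can see exactly what a tick proves; it is not Mastodon's own code. The profile URL `https://mastodon.example/@graham`, the impersonator profile `https://mastodon.example/@graham_official` and the three HTML pages are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonicalise a URL for comparison: lowercase scheme and host,
    drop the fragment and any trailing slash on the path."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeCollector(HTMLParser):
    """Collect the href of every <a> or <link> whose rel attribute
    contains the token 'me' (rel is a space-separated token list, so
    rel="me nofollow" counts)."""

    def __init__(self) -> None:
        super().__init__()
        self.rel_me_hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel_tokens and href:
            self.rel_me_hrefs.append(href)


def rel_me_links(page_html: str) -> list[str]:
    """Return every rel="me" href found in the page, in document order."""
    parser = RelMeCollector()
    parser.feed(page_html)
    parser.close()
    return parser.rel_me_hrefs


def link_back_present(profile_url: str, page_html: str) -> bool:
    """True when the fetched page links back to profile_url with rel="me".
    This is the whole condition behind the green tick: it proves that
    whoever controls the linked page chose to point at this profile, and
    nothing more."""
    target = normalize_url(profile_url)
    return any(normalize_url(href) == target for href in rel_me_links(page_html))


# Constructed sample pages (assumptions for the example, not real sites).
REAL_PROFILE = "https://mastodon.example/@graham"
FAKE_PROFILE = "https://mastodon.example/@graham_official"

# A page whose owner links back to the real profile from <head>.
PAGE_WITH_LINK_BACK = """
<html><head><title>Graham</title>
<link rel="me" href="https://mastodon.example/@graham/">
</head><body><p>Hello</p></body></html>
"""

# A page that merely mentions the profile without rel="me": no tick.
PAGE_WITHOUT_REL_ME = """
<html><body><a href="https://mastodon.example/@graham">My Mastodon</a></body></html>
"""

# A lookalike domain controlled by an impersonator, linking to their own
# account: that account earns a tick for the lookalike URL, which is why
# you must check the domain itself, not just the presence of a tick.
IMPERSONATOR_PAGE = """
<html><body>
<a rel="me nofollow" href="https://mastodon.example/@graham_official">follow me</a>
</body></html>
"""

if __name__ == "__main__":
    print(link_back_present(REAL_PROFILE, PAGE_WITH_LINK_BACK))   # True
    print(link_back_present(REAL_PROFILE, PAGE_WITHOUT_REL_ME))   # False
    print(link_back_present(REAL_PROFILE, IMPERSONATOR_PAGE))     # False
    print(link_back_present(FAKE_PROFILE, IMPERSONATOR_PAGE))     # True
```

    The last case is the practical caveat: the tick tells you that the account and the linked page are under the same control, so an impersonator who registers a convincing lookalike domain gets a tick too. What you are really checking is whether the verified domain is one you already know belongs to the person, and the check is performed by whichever server fetched the page, which is consistent with the observation above that another server's public view may not show it.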

  2. Micah Wyatt

    counter.social is the only way to go. Full featured and secure.

  3. Richard Gadsden

    It's worth adding that if there are lots of users associated with one domain that need to be verified, that domain / organisation will sometimes set up their own Mastodon instance and say that everyone on that instance is verified to be associated with their organisation.

    For instance MIT (big university near Boston in the USA) has its own Mastodon instance at https://mastodon.mit.edu/ and the only people allowed to have accounts on it are staff and students at MIT, so any account on that instance can be verified as being from MIT – so anyone claiming to be an MIT professor and using some other instance is clearly dodgy.

    1. MJ Ray · in reply to Richard Gadsden

      "anyone claiming to be an MIT professor and using some other instance is clearly dodgy" or doesn't want their employer storing and censoring their social life.

  4. Sean Sullivan

    A suggestion for describing Mastodon DMs to muggles who are Mastodon curious.

    Mastodon DMs are DIRECT messages. They are not PRIVATE messages.

    It's similar in a way to Facebook profile posts. On Facebook, if you have "Who can post on your profile?" set to "Only me", then the only way of directing a message towards you is via Messenger (one-to-one). But if you have "who can post" set to "Friends", well, then your Facebook friends can write a message on your profile, or wall as people used to say (one-to-many potentially). The typical use case for this: Happy Birthday!

    It's possible to reply back-and-forth to such messages and others won't be prompted about the thread. BUT… it is also possible to mention/tag people in the replies of such posts and they'll be notified and pulled into the conversation. And all of it is generally visible to the larger group. Sort of like a private conversation in a public room at a party. If you call somebody over, it then becomes a direct conversation between three people.

    In Mastodon's case, one must remember that the party host (the person running the server) is able to see everything at the party.

    People often confused Facebook "wall posts" for private conversations back in the day. Hopefully that won't be the case on Mastodon – but I suspect that history will rhyme if people start adopting it en masse.

    1. wigbert · in reply to Sean Sullivan

      this is quite a useful comparison – thank You !

      – just curious: any admin at a server can ALWAYS ? see all content?
      – how do we actually know, WHO indeed is running a particular server?

  5. @

    See: https://blog.joinmastodon.org/2018/08/mastodon-quick-start-guide/

    "Under the sign up form you will see a link to the rules page. It is likewise linked from the “Learn more” button under “Administered by”; on other pages, the rules are linked in the footer as simply “About”. You could also just enter the correct URL into the address bar of your browser directly as it always follows a format like https://mastodon.social/about/more."

    "The rules page also tells you who the owner/administrator of the server is. Most servers set you up following the admin when you sign up, kind of like a modern take on MySpace Tom. This is great, it means you know who to ask if you run into problems and you can receive server-specific announcements (like when the software is being upgraded) and in general it’s great to know who runs the server you’re on."
