No, you’re not talking to Jason Statham

It would have made much more sense for me to give him a lift to a petrol station, filled up a petrol can. Not

feeling it's a killer. You know what? You know what? I think it just says you're a good guy. Who cares if he scammed you? You're a good guy.

So having convinced myself there's no way I could be a victim of this, what you've done, Carole, very successfully there is you've said, no, you have been a victim of this, you moron. No, I've said, Mark, you're human. Mark's human. Mark's human, everybody. Chicken loving human. There's your sound bite. Smashing Security, episode 126. Zombie chickens and fast food victims. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 126. My name is Graham

Cluley. And I'm Carole Theriault. Hello, Carole. And we've done too many of these things.

Well, we are joined by a special guest. He's dialing into the show right now. It's chicken fancier Mark Stockley from Naked Security. Hello, Mark. Hi. Chicken fancier? I'm not sure I would describe myself as a chicken fancier. You do run a Twitter account called the Internet of Hens, I believe. Yes, yeah. But it's not what your description might suggest. The content's all safe for work. Yeah, right. Says Mark Stockley. I assure you. I

assure you. Yeah, that's what they said to me when they said, go visit Lemon Party. Okay.

Now, where are you calling in to us from today? So I am calling in from what's colloquially known as the Glastonbury Toilet, which is this microscopic studio at Sophos HQ. And I was given very specific instructions by Paul Ducklin earlier about how to turn on the fan so it doesn't get too hot in here. So obviously I completely ignored him and I can't find the fan, so I'm basically sat in a polystyrene box. So how long does this podcast last? Once again, Duck proves that he's right. As a businessman in the city, you'd pay a good amount of money to be in clothes like that, I imagine. Yeah, just imagine you're in a sauna. Yeah, wrap yourself up in polythene. Go for the whole experience. Why not? If you hear a loud thud about three quarters the way through the podcast, don't worry about it. That's just my head hitting the desk as I pass out. Carole, what have we got coming up on the show this week?

So coming up on this episode of Smashing Security, Graham shines his spotlight on all manner of scams, including romantic ones. Mark gives us the lowdown on a nasty fight for site ownership of DoItForTheState.com. And I'll be yakking about how a promo character from the 70s comes back to seek out Canadian fast food junkies. Buckle up your seatbelts, folks. All this and much more coming up on this episode of Smashing Security. Now, now then, now then. Cluley. Cluley, yes. I assume you mean me.

Yes. Cluley, I don't always say pleasant things about you, but the truth is you're everything a man could ever want, aren't you?

Where are you going with this?

Deep voice, hairy chest, lots of muscles. Now the truth is, there are lots of lonely chaps out there who'd love the thrill of having a frisson with you. They've heard the voice, they've observed the charm, they're dreaming of what you might be like in the full bodied flesh. This is revolting. And scammers, they know that you're a hot tamale as well and there's loads of guys out there would love to wrap you up in a banana leaf and fill you up with. Stop this. Don't worry Carole, don't worry, it doesn't mean you work for all men. Goodness gracious no, you certainly don't. Take Mark for instance, don't drag me into this. He's the web developer type isn't he, he's got a bit of a neck beard going on, he's very hairy. He's got a neck beard. No, but he's got a lot of hair in all kinds of places, hasn't he? He's not wrong. He dreams of a girl who knows her way around a cascading style sheet. That's what he likes. He's hot for HTML5. He's after a woman who clicks yes when offered an Adobe browser plug-in. Just as long as it's not over in a flash, right? That's what he likes. That's the kind of thing. You're into all that, Mark? Yeah, into the webby stuff, right? Just keep going. Am I right? We're just ignoring you. I'm right. Well, my point is this. My in-depth research reveals that scammers are posing on dating sites and social media. And of course, they're posing, not in the normal way we pose on social media, but posing as individuals that they are not. And just like an imposter might claim to be a doctor and offer to take a look at your calves, so a romance scammer might try to convince you that they run in similar social circles to you, right? They're going to change their language which they're going to speak to in a fashion which makes you think, oh, they're just like me. So, Cluley, you're into baking. They might tell you about their buns that they've been working on. I thought you were

going to say I'm into swearing. Yeah, so you're perfect. So the scammer may pretend to have Tourette's. You know, yeah, I'll get on great with you, right? Mark, you've got your chickens, obviously. I'll leave that to your imagination. Any fluffing feathers? Call me crazy, but I think you're describing a romance scam here. Yeah, exactly. And this is how they do it is they claim to be compatible with you by first of all, making the connection. And then they come along, you know, with maybe a business opportunity. Right. They say, oh, I met this great guy, John McAfee, told me you should buy some cryptocurrency. He's tweeted about it. Let's go and give me lots of money. I'll do it. Yeah, they don't want to say, I'm sorry, I'm a very busy man and I don't drink coffee, for instance, right? That would be inappropriate.

I can't sort out your bee infestation. You're going to have to find someone else to do it, right? I'm beginning to understand why I haven't fallen victim to any of these scams. Your utter lack of empathy. Is that what...

Like I said, web developer. Mark knows something happened to you on the road, didn't it? With a car. It was a live scam.

Oh, no, you're right. You're right. It was the weirdest thing. I was driving along and I was flagged down. But literally, my car was flagged down and I opened the door and this guy gave me a story and then I handed him some money. Yes. What? And then I drove off. And then after I'd driven off, I then spent the next couple of hours going, I was just flagged down and I just handed someone some money. Wow. Wow. It was entirely incongruous. I assume now it was a scam. I mean, it wasn't a lot of money.

Yeah, I think it was for petrol. That's what I remember it being. He had to get somewhere because someone was sick. Yeah, his car had broken down. And he was out of petrol and yada, yada, yada. I imagine, yeah, even if you didn't know the guy, even if you, I presume you didn't form an emotional attachment with him, a romantic relationship during those five minutes. I don't know how well it was. He was batting his eyelashes at Mark. Yeah saying no involves slashing your car door and leaving him in a cloud of dust. Yes but also waiting to get into the highway again so you might be sitting there for quite a while.

You're not famous as a killer.

You know what? You know what? I think it just says you're a good guy. Who cares if he scammed you? You were a good guy. You're a good guy.

Oh, isn't that nice? So having convinced myself there's no way I could be a victim of this, what you've done, Carole, very successfully there is you've said, no, you have been a victim of this.

No, I've said, Mark, you're human. Okay, great. Carry on.

Mark's human. Mark's human, everybody. Chicken loving human. There's your sound bite. The reason why I'm talking about romance scammers and such like today is because, according to BBC News, there is a woman who hasn't been named, because I imagine she might be a little bit embarrassed. Not embarrassed because she joined a Facebook fan page for Jason Statham, the Hollywood Fast and Furious actor, but because she was contacted via Facebook after joining that page by someone who posed as Jason Statham. Is it wrong that I've lost all sympathy for this person already? Because it's Jason Statham. He's talking like that. It's like Lock, Stock and Two Smoking Barrels, isn't it? It's all that sort of thing. He's always a hitman, isn't he, I think, in his movies. Not that I've actually seen that. I can't

Even think of who he is. He looks

A bit like one of the Mitchell brothers from EastEnders, if you've ever seen them. So basically he's got a head like a boiled potato. Great. She's into him. Oh, yeah, she's seriously into him. I mean, she joined the fan page and then he contacted... And she thought, oh, isn't he nice? He's contacted me. And over time their conversation got more intimate and they switched to WhatsApp. Whereupon he started to say, can you send me a selfie? And, you know, I just need a decent smile from someone like you right now.

If the equivalent happened to me and Noam Chomsky got in touch, right? Noam Chomsky! Right? I think I would tell people about it because I'd be so excited that that had happened. If Noam Chomsky got in touch with you, you'd still be reading the first email that he sent you. Like you didn't have time to tell anyone else. Don't understand how you'd get rid of that much money unless you were being blackmailed. Yeah, no, no, if you're being blackmailed, like say he had pictures of her and threatened to do something or something like that, I can see why some people might think, okay, pay them off.

She thinks Jason Statham is going to be her boyfriend. She maybe thinks he's already her boyfriend. In her head, she

Doesn't think, oh, he might have richer friends than me.

I think the thing is, I guess this stuff works because for the victim, this is a one-to-one communication. But actually for the attacker, he might be doing this with hundreds of people. And it may be that all of them have exactly that same thought. All, you know, 99 out of 100 of them say, of course he's got richer friends. This is obviously a scam. You only need one of them to turn around and say, yeah, I'll send you a few hundred thousand dollars. And it's absolutely worth your while. And she was vulnerable, right? That's the thing to remember. She was in a low point in her life. You know, rubbish was going on in her life. And maybe this was the one thing that she was clinging on to.

And she might be thinking, what do I care about money? The people I love are dead. I don't care. A bit depressed.

And, you know, maybe I'll shack up with Statham.

Yeah, I'll just shack up with this.

Why not? Right. The thing is, if you don't send the money, that's the point where you're driving away and leaving them in a cloud of dust because you're basically... Right. Exactly. We need to go back to Mark. Mark is the one who's actually been there in a relationship with someone. It'd been brief. It hadn't been online. It'd been face to face. It was with a member of the same sex, same species at least, which is an improvement for you, Mark. So that was a good thing. But, you know, it happens, right? People get duped. People get duped. And we've just seen in America nine men arrested in three different states in connection to a series of email scams, some of them business email compromise, some of them romance scams, that earned them over three and a half million dollars doing this kind of things. They also pretend to be Russian oil oligarchs. It's easy to say that people are dumb or stupid or deserved it. No, no one said that. You did. No, actually you did. You were saying that earlier on. Yeah, I might have as well. Oh, there you go. So it's easy to say that, folks, because you just did. But when... I feel gaslit. You're being scammed, Carole. When I wrote about this earlier this week, about this poor woman I got that reaction lots of people were saying oh you know they're blaming the victim and saying you know you deserve to lose all that money and all that you're so dumb but I think people who go around blaming them are actually part of the problem only about 5% of victims are estimated to come forward from these romance scams so it's the tip of an iceberg. If you're telling people they're dunces you're not actually helping because no one thinks they're a dunce everyone thinks they're being logical everyone thinks in the moment that they're being entirely reasonable or being nice right with the information which they have so i think we need to stop calling people der brains and actually just warn them of the threats rather than say you're a bloody idiot because no one will identify at that point they think well i'm not being an idiot because jason really likes me and he's a really nice guy

Has this happened to you Graham? Is that why you're being so defensive?

Well I joined of course the Diana Rigg Appreciation Society some years ago. How many other members were there when you joined? Enough said. Enough said. Mark, what's your story for us this week? So my story is for anyone who's ever endured the pain of doing a domain transfer. So if you own a website domain, like, I don't know, let's say, nakedsecurity.sophos.com, plug then you might have an idea about what a pain in the ass transferring domains can be basically if you want to give ownership of your domain to someone else you have to do a domain transfer and all you're doing is you're moving a record from one computer to another so it should be the simplest thing in the world but normally it involves dealing with some massive hosting companies automated processes or worse their first line support people yeah so it creates complications and it wastes time far out of proportion to what's actually involved. And I've wasted more time on domain transfers than I can tell you. And one of the reasons it's hard is because if you control the domain, you can control the site. So taking control of a site's name is often easier than hijacking the site proper. And hijacking normally means some kind of phishing or hacking. There was a spate of domain hijacks a few years ago. As websites became harder to break into, people started phishing the owners to get the domains instead. I remember, for instance, Twitter, their domain details got hijacked by one of the hacking groups. So anyone who went to Twitter instead got a page about, I can't remember who the hacking group were now, but it looked like the Twitter website had been defaced. But in fact, what happened was everyone was being pointed towards a different site. Yeah, and it's happened to Google as well. I mean, Google have amazing security, but I think it was Google Palestine. They had a domain hijack and exactly the same thing happened. Visitors were sent to a different site. And it's happened to lots of sites. And Google's a good example because they have such good security. It sort of shows how a domain hijack can be a bit of an end run around security sometimes. Anyway, that isn't what happened in this case. This is about a man called Rossi Lothario Adams II from Cedar Rapids. What?

Sorry. What? No, say that real

Rossi Lothario Adams II Did you say? Yeah Wow Breathe, breathe, Graham Self-appointed

Name or, you know Well no, appointed By his dad, I imagine. It says the second, there was an original Rossi Lothario Adams. Somebody who was so impressed with his own name I've come up with a brilliant name for our son. Where was I? Hey, this man Rossi Lothario Adams the second from Cedar Rapids really wanted to own a domain name called do it for state.com. That's do it for state spelled with a four spelled F-O-R. Oh, I see. How frustrating that must be.

So it's the website and social media for State Snaps. It's dedicated to sort of US college debauchery. So it's drinking games, toga parties, drugs, and anything related to beer, boobs, butts and combinations of those things.

Ah, university. Butts and beer, what a great combination.

Are you with me so far?

Yep. Yes, but I'm not on the site. I'm sorry. Tap, tap, tap, tap. You're not looking at beer and butts.

So doitforstate.com, spelled with an F-O-R, was owned by a man called Ethan Dayo, a self-styled entrepreneur and personal branding expert. And Adams tried to purchase doitforstate.com with an F-O-R from Dayo for about two years without success.

And what was this other guy doing with the version with the proper spelling? What was he doing with his site?

I think it was unused. As far as I know, there hasn't been anything on doitforstate.com with an F-O-R since 2015.

Right, OK.

But Adams was unsuccessful in his attempts to purchase from Dayo because he didn't want to sell.

I wonder who else he was thinking would want it. If not the people... Anyway, okay. So the price couldn't be agreed, right?

Yeah. So then Adams changed his tactics. And Dayo became aware of Adams' new approach when he heard somebody breaking into his home in Cedar Rapids on the 21st of June 2017.

Holy moly.

The burglar breaking into his home was a man called Sherman Hopkins, who was a cousin of Mr Adams.

Keep it in the family.

He broke in with a gun and he forced Dayo at gunpoint to turn on his computer and to connect to the internet. Now, I'm guessing that Hopkins has endured the pain of doing a domain transfer before because he had thoughtfully written out the instructions on how to do a transfer to go from one GoDaddy account to another.

So, hang on, hang on, hang on. So, the guy's come in holding this other guy at gunpoint and says, turn on your computer and move the domain, follow these instructions to move the domain on GoDaddy to this new owner, doesn't that rather give you a clue as to who might have hired the gunman at that point? Isn't there rather a bit of a flaw in this crime?

Well, could he have not broken into the computer? His email address is... Adams the Third or whatever it is. Could he not have just... Could the burglar not have done it himself? You know, rather than... It's a bit obvious. The thing is, it didn't get that far.

Oh, OK. OK, so the scene is exactly as you spelled out. So Hopkins is holding a gun to Dayo's head and he's given him these instructions. Oh, goodness.

But as is normal during a domain transfer, it didn't go smoothly and they ran into problems.

Did they have to call up tech support?

Instead of calling support, there was a struggle. Hopkins pistol whipped and tased Dayo before shooting him in the leg.

Tased? He came fully armed?

Remarkably Dayo himself then managed to get the gun and shot Hopkins in the chest. So all told oh my goodness you're making this up all told a slightly less experience than calling support and we know about this because the cops got involved and Hopkins and Dayo have now both had their day in court.

Oh, the police got involved in this, did they? Oh, I see. It was a matter for the authorities. You surprised me.

So Hopkins has been sentenced to 20 years and Adams was convicted last week. And he's also facing a maximum of 20 years in jail. So, again, in the end, not a million miles away from how it feels to do a normal domain transfer.

One comes in with a gun and forces the other to swap over the domain. And why are they both facing 20 years of jail time? I understand why the shoot, you know.

Hopkins is the guy that broke in with the gun. He got 20 years. And in the process of convicting him, I guess the police found out that he was working on behalf of Adams. So Adams has now had his day in court. So Hopkins was convicted and charged last year and Adams was convicted last week and is now awaiting sentencing.

Oh, okay. So we still don't know the sentence of Jezebel Adams the fourth.

No. That's going to come at some late point.

And our poor victim still has his hands on the domain.

As far as I know, yeah. He's got no one to sell it to. Price has gone up.

So happy days, happy days.

If you want that domain, you now know how hard you have to work to get it. Carole, what's your story for us this week?

Okay, can you guys tell me what popular 80s food chain character used to use the catchphrase rabble, rabble? Rabble, rabble.

It's not gobble, gobble, is it? Because that was Colonel Sanders.

I think you've got chickens on the brain. I think we know who's obsessed with chickens here. Actually, it's not Mark.

I want to know what you've been doing with Colonel Sanders.

You don't. I know there's some listeners out there screaming the answer at you two. So those are the raspy tones of the Hamburglar. Do you remember that? He's a pint-sized thief with an insatiable hunger for Mickey D burgers. He started out in the 70s as one of the first McDonald's villains in ad spots to help build decades of narrative tension between Ronald's crew and the baddies crew, which had Hamburglar. And I think it was that big purple blob thing, Grimace. Now in North America at least the Hamburglar was this red-headed pudgy kid and he had a black and white striped shirt, a cape, wide brimmed hat, red gloves. It looked kind of Puss in Boots style and the only thing he said was either unintelligible or "rabble rabble." Yeah, yeah, yeah. To be honest, there's a lot of McDonald's stuff which is quite spooky. I mean, Ronald McDonald himself is a terrifying character, isn't he? Funnily enough, though, during my research, it brought up the UK version of Sir Hamburglar a lot. Or your Hamburglar. And what the fuck, guys? Don't you— What the French fries? This Hamburglar has the super long witchy nose. His teeth look like they've been thrown into his face from a good distance. I mean, you tell me. Look, you've got the link there. I want to understand. You both were born here. I want to know why marketing experts in the UK thought this would appeal to the 10-year-old you guys.

I'm checking it out. Oh, my goodness. There's that clown. Here he comes around the corner. Oh, whoa, whoa. Right? Yeah, he's terrifying. He's terrifying. Absolutely terrifying. So I don't understand.

It says a lot about everything. Of course, you're wondering, why am I talking about the Hamburglar? Yeah. Well, there's a reason. This promo character has become a reality, and he is hunting down burgers in my homeland of Canada. So Canuck burger fiends are under attack from a real life Hamburglar who is making use of their My Mickey D apps to steal a heck of a lot of burgers. So in February Lauren Taylor from Halifax told the CBC she had no idea how get this $483 and change was spent on her McDonald's app.

We're looking for someone who's about 30 stone, she's actually dressed as a hamburger?

I watched a video with her. So she first noticed the order confirmations, dozens of them, right? And they're all sporting the last four digits of her actual debit card. And by the time she checked in with the bank, she only had $1.99 left in her bank account.

And all this money was spent on produce from McDonald's?

All this was spent through the app for McDonald's produce, but they were made in another Canadian province, about 10 hour drive away in Quebec. And Lauren told the CBC, "This is an app that's supposed to be secure. So why do I live in Nova Scotia? And why is my card being used in Quebec? It's crazy." She changes them frequently, never shares her passwords. Passwords are strong. So what's going on? And the Mickey D app requires eight to 12 characters, upper or lower case, one number in it. So all this sounds a bit suspicious, or it might sound like it was just her spending 500 bucks on a big, crazy meal. I've seen the menu, how you can spend 500 bucks at McDonald's and it's quite difficult. It's impossible. It's impossible. It's clearly feeding a village or something. Are you saying that the McDonald's store where this was happening was in another state or something so some distance away from her? It's about I don't know a thousand miles so yeah.

Oh quite a lot yeah, she'd have big calves wouldn't she?

The problem is Lauren's not the only person to have noticed that her Mickey D app seems compromised. One guy, Brett, noticed that within half an hour, his account had been used by an imposter and spent $50 worth of food at McDonald's in Mirabel, Quebec. So he was in Halifax. Again, the attack happened in Quebec. And there were two orders, one for 30 chicken McNuggets and another for a double Big Mac meal. This is where he gets the name, the Hamburglar. And fast forward to this week, the latest victim is Patrick O'Rourke, who was getting email notifications but hadn't actually been managing his email account very well and someone purchased get this 100 meals in a single week racking up a $2000 bill. This included loads of Big Macs and McFlurries and O'Rourke obviously not a dumbass doesn't think one person could have possibly eaten all this food.

No, they'd be dead so—

What's going on here right? This Hamburglar has already nabbed food worth thousands from a handful of victims across Canada and what do you think the likely scenarios are? What's the modus operandi?

So one idea I had is a place like McDonald's have free Wi-Fi, right? And I was wondering whether maybe their Wi-Fi at some branches wasn't set up properly, and maybe the app isn't communicating securely, and maybe people are stealing tokens or passwords or something from the app?

I wonder if people actually use the app when you're in store. Did people do that?

Oh yeah, well if you're really lazy I don't know. Actually it's not beyond the realms of possibility that people will be sat in a McDonald's on their phone ordering food. I mean letting their kid do it or something. Yeah it's a long way to the counter.

I mean could it be a disgruntled employee or ex-employee? Could that be something because would they have access even to the passcodes at some point and be able to use them?

But they're saying that there isn't a vulnerability in the app, are they? And that's correct, is it?

Well, that's certainly what McDonald's are standing by at the moment.

It's not impossible to imagine a scenario where a company says that there is no vulnerability in their app and later turns out... What are you talking about, Mark? Goodness gracious. I've never heard such a thing. I'm just saying it's not an impossible scenario. Highly unlikely, though. Highly unlikely.

I mean, someone's definitely seeming to attack Canadians that don't seem to have a lot to do with each other. So it seems to be happening around different provinces, but they're all taking place in Quebec. So Quebec police are now apparently looking for the Hamburglar.

Do we know how many of these things have taken place? So you've spoken about three of them, but is this...

When they put it up on Twitter, lots of people were saying, hey, this happened to me too. This happened to me too. So there seems to be a lot of unconfirmed reports online. Yeah. But there seems to be about four or five in the press. I wonder if it's an accident. Well, maybe.

Could it be like butt dialing? People are ordering these things without realizing they're ordering them.

Yes, but they're not ordering at the McDonald's where they live, right?

OK, OK. I'm sorry. I haven't got the answer. Is it actually the case that there's a McDonald's in Quebec that's had to hand over 100 hamburgers in one order? Or is it just kind of ghosts in the machine?

So this guy O'Rourke, who had 100 meals bought on his Mickey D app, that happened over a spate of a week. And it happened at different locations, different McDonald's around in the vicinity. So they're obviously trying to go in and buy something that's maybe probably $50, not raising too many eyebrows and doing it right. And there's probably more than one doing it at the same time.

Have you got an actual answer for us, Carole?

No.

Oh, for goodness sake. But I have advice.

Okay, okay. It better be good. So one, I think McDonald's can't sit there and saying nothing to do with us, Gov. I think that's just uncool because they're obviously not enforcing 2FA on the app. They're not doing anything to validate that the device belongs to the account user before a payment is made. I mean, they could ask for a code number upon receiving it or something. So they could bake in more security, I think, in the app. And users, don't use a debit card for your online purchase accounts. Consider using a credit card, right? So a credit card is where the credit card company makes the purchase, and then you pay for that purchase upon receiving it. And if it's not what you want, you can say, hey, I'm not paying for this. But if it's coming out of your own money, and it's debiting your account, you're the one who is losing out there. Now, in this case, both banks have paid two of the users back the money that they lost. But I don't hear McDonald's paying back the money. So that's, I don't know what's gonna happen there. And I mean, really, do you really need a frickin' junk food app on your phone?

So that's where I was going to go. I think all of your advice is great. And I think the point that you made earlier about, or the point that Graham made about blaming the victims earlier is well made as well. And I don't think, it's nobody's fault that they use a McDonald's app. But we do live in a world where there's an app for everything. And I thought the whole point of McDonald's and fast food was that it was fast. They've optimized the delivery of food over the taste, the quality like literally everything has been sacrificed to get you that burger in double quick time. So trying to shave a few seconds off that by using an app is a great way of increasing your attack surface. So I think just, you know, do you really need an app for all the things that you do is a great question because you have to go there to pick it up anyway unless it's, I don't know, are they delivering by drone now? The last thing you want other than of course natural McDonald's burger is a McDonald's burger that's been waiting for you for 10 minutes, isn't it? So I have some there's a queue of them literally, you can see it if you look over the shoulder of the person who's serving you. I'm thinking you would only actually use this when you're at the store. Have you ever used the touchscreens they have inside McDonald's these days? I wonder if it's anything like these giant touchscreens and the idea is that you walk in and instead of standing in a queue you walk up to this touch screen and then you spend I don't know three or four hours making your order as you figure out this sort of giant, you have to slap it and scrolling and these sub menus that and oh. If the app is anything like that then it'll add hours to your day and that touch screen will have been touched by loads of horrible kids who've been to the loo and not washed their hands. That's disgusting.

Yeah and so yeah, I think the takeaway here is maybe take a look at the apps on your phone particularly those tied with debit or credit cards and ask yourself if you really need those apps, if they're providing really the value you think they are because they're just vulnerabilities waiting to happen. Actually do you want to hear one last fun fact about the Hamburglar guy? So they killed them off right, they killed him off in the early noughties.

Did they video that? Did they put an advert of his death? Facebook Live? Yeah yeah, was it like Chucky being killed? But they brought him back to life in 2015. Oh nice, McDonald's were introducing this sirloin burger you know full flavor thing and they needed a character and a promo. I know, 50 shades of Hamburglar. Hang on I've got one, I've got one. Couldn't they have said 50 shades of filet or fish filet gray filet? Oh come on that's, he likes burgers, they could have. Graham I don't know why they would.

They could have, I think hers is better. Hey Graham, didn't you recently download the threat intelligence handbook from Recorded Future?

I did, yes. I went and grabbed myself a copy, it's a chunky thing you know, 100 pages. Whoa yeah, it's not some cheapo flimsy little pamphlet, no. The threat intelligence handbook really gives you the skinny on threat intelligence and how you can apply it in your workplace to really get some practical benefits.

Best of all, it's completely free. Listeners, visit smashingsecurity.com slash intelligence to get your free copy. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve stolen password or a poor password?

Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.

Listeners can learn all about LastPass Enterprise at lastpass.com slash smashing.

You don't have to say forward slash, by the way, you can just say slash, just so you know.

And last but not least, we are supported this week by Gartner. Gartner is the world's leading research and advisory company, and they are having a big event. It's massivo, I'll tell you. All of the big security vendors are going to be there. They're going to be talking about cyber attacks, artificial intelligence, blockchain, machine learning, and much more. And listen up listeners, you can receive $350 off the registration fee by using the code smashing with a G. To learn more visit smashingsecurity.com slash gartner.

Welcome back and you join us our favorite part of the show, the part of the show that we like to call pick of the week. How is the polystyrene chamber pot or whatever it is that you're sitting in? I've lost about 10 pounds in sweat since the beginning of the podcast, I'm not gonna lie. Pick of the week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. Doesn't have to be security related necessarily. It shouldn't be. It doesn't have to be. Now, my pick of the week this week. No, definitely doesn't have to be. My pick of the week this week is a movie which I saw yesterday and it was rather wonderful. I don't know if you guys have seen it or not. It is called Spider-Man: Into the Spider-Verse.

Strangely, I've not been on my list.

Has it not? Well, you know, the name itself would normally have put me off because I am not interested in superhero movies. I tend to fall asleep during any sort of CGI fighting or anything like this. This is an animated film.

Oh. I'm dying to see this film. Oh, well, Mark, actually, because you are quite an artist yourself, as indeed are you, Carole. I believe you're appearing in Oxford Art Weeks. Let's not forget that. Let's plug that again. Yes. I'm looking at the promo right now and it does look fantastic, Graham.

It is incredible. It is the closest I've ever seen a movie to a comic strip. Yeah, yeah. Brilliant. It looks very beautifully drawn.

Yeah. I've put in a couple of links in the show notes to some documentaries about the animation, which I'd really recommend you check out. And if that doesn't whet your appetite to go and see the movie proper, I don't know what will, but I'd really recommend it. Spider-Man: Into the Spider-Verse.

And when Graham says show notes, just someone asked this, that means on the website. So just go to smashingsecurity.com and you'll find it all there. Yeah, and some of the podcast apps as well will include it. Sometimes they don't put them in as clickable links, but smashingsecurity.com, you'll find them on there too. Yeah. Mark, what's your pick of the week?

They were lovely. I think I'd offer myself up to the zombies because don't you get stronger the longer you are a zombie? So if you're one of the first...

It probably wouldn't help your complexion, Carole.

That's true.

So your plan for surviving the zombie apocalypse is just to immediately become a zombie.

Immediately become a zombie and, yeah. If only we'd had people like you during World War II, Carole. Yeah. You know, just, oh, here come the Germans. Yes. Let's just give in. Yeah, I've watched that actually.

But the first series of Fear the Walking Dead it's all about that sort of people struggling with the initial outbreak and they've crossed that with 28 Days Later which is a terrifying Danny Boyle zombie film where the zombies run and so when you get bitten by a zombie you become a zombie almost instantly you don't have to wait a day so they just pop back up to life and then they run after you.

See that sounds much more fun than being chased.

It is but it's very claustrophobic there's lots of close camera work. It's all about the people and the fear. It's very, very good. If you like zombies, watch it.

Are you sure you're not just talking about your little box that you're in right now being claustrophobic being the first word that came to mind?

Yeah, and it's really warm. Carole, what's your pick of the week?

I have a doozy this week and I was waiting to hear yours to see if I would beat you, and I think I have. It's not a competition. If any listeners in front of a computer right now I suggest you follow my instructions. Hang on, it's worth it, it's really good. Please head to coolmathgames.com. Cool Math Games, math with a TH. Are you sure? No, yeah, TH, no. S normal coolmathgames.com. Yeah, do I want to accept cookies? Math Games, it's been around since 1997. This is a brain training site where logic and thinking meet fun and games.

Graham already? There you are. No, I started doing some, I tried to do some chess but I'll do IQ Ball instead. Okay.

I'm quite a fan of this little cute one.

We have to get our little purple critter to the target. It says to do this you shoot out with his grabber and latch onto things.

Yeah, just and it just goes and you can play there's no having to log in. You could just go and waste 10 minutes which I did happily on this morning before we decided to record. It's cute. See, look at you guys sitting there. Wow. Yeah. Now, this is amazing, right? So already you're thinking, wow, Carole, this is pretty cool. Guess what? Gets better. Gets better. You ready? You can go Cool Math for Kids and Cool Math Games and CoolMath.com, which was the first one for math for ages 13 to 100.

Don't accept all the cookies, no, never. Hurry up Graham, I'm starting to feel a bit faint here. Okay, which one, which one do I need to play? Anything? I don't know. I'm just saying all these three, right? You have something for your kids, there's something for you, there's math, there's games, there's logic. Wow, well Carole, that's a great pick of the week. So I've tried that, I think you need to go and try out Black Summer and Spider-Man Into the Spider-Verse and only then will we know which was the best pick of the week.

Well you can hear me every week on the Naked Security Podcast and you can follow my chickens on Twitter at Internet for Hens. Cool. And you can follow us on Twitter at Smash Insecurity.

And big shout out to this week's Smashing Security sponsors. Their support helps us give you this show for free. So be sure to check out their offers. And of course, big thanks to you all. Thank you for listening, supporting us and helping us spread the word.

And until next week, cheerio.

Bye bye.

Later.

You passed out.

Yep. But you revived me, so thank you. Are you going to say toodaloo or anything?

Oh, sorry, goodbye.

Bye. Good, excellent. Well, that went very smoothly, I think. Whoop, whoop.