
A Facebook friend request leads to arrest, Twitter scams ride again via promoted ads, and adult websites expose their members. Oh, and Graham finds out what Rule 34 is.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey, there's a niche for everything, right? Oh, it exists, yes. Rule 34. I don't know what that means, but... You don't know what Rule 34 means? Oh, no! I have to be the one to tell you? On air. Should I Google it? Oh, yes! I'm Googling. Oh, no. Oh, no.
Smashing Security, Episode 101: Rule 34, Twitter scams and Facebook fails, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 101. My name's Graham Cluley. I'm Carole Theriault. Hello, Carole. Hello, Mr. Graham. And we've got a returning guest, it's our family favourite, it's Maria Varmazis. Hello, Maria as well. Hello, everyone.
You should have let him keep going and see how high he can get in his pitch. Hello! Oh, no. Hello, everybody. I have no doubt, Maria, that you can get right up there. Steady on. Anywho. I had a question for you, Graham. Oh, yes. All right. So I haven't been watching the new Doctor Who because it's not in the States legally yet in ways that I can acquire. Oh. But I know one of the new companions' names is Graham, and I want to know if your inner child is freaking out every time he comes on the show.
It's really weird because Graham isn't a name which I encounter that often. There aren't that many Grahams in the UK, I would argue. Yeah, there's no... Graham Norton, who's on TV almost every... He's one. He's one. How many others are there compared to Johns or Jameses or Waynes and things? Well, maybe not Wayne. Wayne? But Dave or something like that, right? That's fairly common. So it's a little bit odd because I keep on hearing the name Graham when I listen to my Doctor Who podcasts, and every time the Doctor says Graham... I presume she says it a few times. I can't get everything, and say... the Doctor isn't that... If Captain Picard had ever met a Maria, I would have freaked out. I just would have. Seriously, have you not watched any of the new Doctor Who? I have not at all.
I know, and I keep reading all the spoilers about them, and I have not had a chance to actually watch them myself, so I'm really excited. I hear they're great. I haven't really been paying attention, but I've just gone to the website ranker.com, and there's a lot of famous Grahams. You're saying a lot of Grahams are Rankers? Yeah, there's a lot of them.
Okay, quiz time, quiz time. What percentage of data breaches originate from email? Seven out of 10. It's a pretty good guess, but you're way wrong. 96%. Oh, bloody. And one of the big things that companies have to worry about is phishing scams, because that's the kind of way that hackers and other baddies break into your company.
Because that's how they get your passwords, I guess. That's
how they get your passwords. So, MetaCompliance make it easier to train and prepare your whole environment to stop these kind of attacks. They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com slash metacompliance. That's smashingsecurity.com slash metacompliance. Hey, Graham. Hey, Carole. I have a question for you about these password manager things you keep talking about. All right, go on then, shoot. What happens if you forget your master password? What are you going to do about that?
Oh, you think you're really clever, don't you? You think if you've forgotten your master password, you can't access any of your other passwords anymore. Well, piff, paff, poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory. And that means the same password that your employees are already comfortable with using to log into your system will unlock everything. It will unlock their passwords, it will unlock their work, makes it super easy to bring LastPass into your enterprise. Seriously? and it's still super safe? It's still super safe. Wow, that's kind of cool. It's a great way of getting new employees using passwords safer and more securely. Rock on LastPass, I say. And Carole, if you or indeed our listeners want to try it for themselves, all they need to do is go to lastpass.com slash smashing. So let me take you to the city of Reading, Pennsylvania. I've been. Have you? I have. Oh, what can you tell us about it? Not much. Okay. The city of Reading, Pennsylvania. It's one o'clock in the morning. It's dark. Okay. Most people are asleep.
What am I wearing? You tell us, girl.
Guys, I'm trying to make this atmospheric. I'm setting the scene, all right?
You can probably smell the distant smell of cow manure wafting in over the land.
Cows are mooing, owls are hooting. There's a dog barking in the distance. A cat meowing. Somewhere you hear the sound of a mosquito burning as it lands on a hot lamp. And a young female pizza delivery driver is on her way with a stack of pizzas to a home on Windsor Street. She's got a pile of pizzas worth $75. She walks up the path to the house.
Is this the Halloween edition of Smashing Security? It's...
She rings the doorbell. It's more of a... Or... But there's no answer. So she ends up going back to the restaurant. And her boss, let's call him Luigi or something like that, tells her to try harder.
She calls the customer on her cell phone, and he says, oh yeah, I'll be waiting for the delivery outside the house. So she goes back to the house. It's now about half past one. Right, again, noises. And you know what podcast you're on, a cyber security podcast, you know exactly where you are. A man steps out of the shadows and she says, oh, can I have $75? Oh,
that's not how that usually happens. Terrified. What? Nothing. Jimmy Cagney. I'm just holding my head in my hands. Terrified, the delivery driver does what she's told and gives him the cash that she's carrying, which is just $35. And she scarpers, and the robbers take the food, and they clear off as well. Now, back at her car, she calls the police. Well, thank you very much for sharing. That's a great segment for Smashing Security. Let me go into my story now.
Chapter two. 26 days later, the pizza delivery woman receives a Facebook friend request. And she thinks, I know that guy, even though he's not holding a gun. It's the robber. And she thinks to herself, I bet that's not even your real Facebook profile. So he then sends her a new friend request from his real Facebook account. And of course she goes to the cops. She lends criminal investigator Buck Wendell her phone.
What a name. You're kidding. Criminal investigator Buck Wendell on the case, part of the Reading, Pennsylvania cops. I so hope he's super cool. Yeah, but he is cool. And this week police have arrested 26-year-old Jerell Guzman and charged him with robbery, theft, and simple assault. That does seem like it was a pretty simple fellow from the sound of things. Maybe he could get a bit of that as well as robbing her.
Get some of that on the side. Guzman, who isn't from Windsor Street, which is where the robbery took place, but on Moss Street, has been committed to the county prison in lieu of $20,000 bail. But what we don't know is how Guzman found the victim on Facebook. So having committed the robbery, how did they make the connection? I was wondering about this, and I thought, well, maybe he got her phone number when she called up his cell phone, possibly. Or maybe it's her link with the pizza restaurant. Maybe he found the pizza restaurant on social media.
Or maybe she said, I work there. Or maybe
she had a name badge on. Or who knows what?
Probably he got one of those Facebook suggestions, the friend suggestions. You've got all these phone numbers in your phone. Oh, we know who those people are. So maybe
it's Facebook's artificial intelligence. Probably, yeah. Linking them together. Big data. It's the red string of fate. Isn't it? It
was meant to be. Okay, so basically, I don't really understand why there was a gun involved in this. Surely if the guy just went up and said, hey, give me the pizzas now or else. And there's two of them and you're outside and there's no one around. I just go, here you go, dude. Take him.
Because America. That's why. Because she might know karate or something like that.
Isn't that why they. But who's going to fight over 75 bucks worth of pizza? In America, in America,
Carole, pizza delivery women might actually be armed. They might be locked and loaded. And they're going to be protecting the pizza with their lives. Is that what you're saying? I'm just saying that obviously people go around carrying guns in America. You're just ridiculous. It's not ridiculous. It's not ridiculous. I just say it's ridiculous that they felt that need for a gun. I have five guns on me right now. It's true. I have one on each leg. It's a thing. No, he fancied her. Come on.
Wow, cynical. Cynical in your old age, aren't you? No, I'm just a man.
I know how it works. We're not going to... You know, you're going to think, she was a bit hot, but I robbed her. I wonder if I apologise whether she'll then go out on a date with me. I have a conversation starter. Yeah, exactly. It is a conversation starter because that's often a challenge, isn't it? If you're trying to chat up a lady... Tell you what, that would turn me on. Would it? Yeah.
No! No! I'm learning too much about you today. What you're wearing, what turns you on, didn't need to know. Someone has to lower the tone.
Anyway, lock down your privacy settings, folks. Be careful what you post or where you say you might work, for instance. You know, don't share your phone number. Don't allow people to look you up by your mobile phone number either. Although, in this case, it actually helped entrap a bad guy, didn't it? But normally, it's bad news.
I'm actually surprised this hasn't happened more often. Anyone who gets food delivery nowadays, the delivery driver calls you from their personal cell phone number. So I've had so many people call my house and I don't know who they are. You know why it doesn't happen more often? Because normally the relationship then flourishes. There's no reason to go to the police because this is the way in which young people meet each other. Evidence of yours, Graham? Can I just say, I don't know what planet you guys live on.
Thank God you're entertaining. That's all I got to say. I hope you like the sound effects.
How can I follow up to that? I'm not doing sound effects in mine. You guys can supply your own, but I don't think I can be that thrilling. I'm sorry. Graham can jump in. So my story, instead of being about Facebook, is about another social network that's been causing a bit of agita, and that's Twitter. And this is my own little bit of gumshoe reporting. I actually saw a scam going down on Sunday.
No way.
I did.
Oh, my God.
Basically, what I saw on Sunday was a verified account that had renamed itself to say that it was Elon Musk. I'm giving 1,000 Bitcoin to my followers to identify your address, just 0.1 to 0.3 Bitcoins to the address below and get 1 to 30 Bitcoins back to your address, followed by the Bitcoin address. And then, oh, if you're late, your Bitcoin will be sent back to you. I'm going, OK, how the heck did this appear in my timeline? How did this get past all of the Twitter quality controls? And who the hell would actually fall for something like this? I mean, this is so obviously a scam. And thankfully, a lot of the comments in response were like, this is a total scam.
And this wasn't just a tweet. This was a promoted tweet.
A promoted tweet. Yeah, I'm sorry if I didn't clarify. It's a promoted tweet from a verified account. So it had one of those blue check marks next to the name. And I don't know how you get one of those. Graham, you have one of those, right?
I do, yes.
Yeah. What did you have to sign over for them to verify? A lot of information. I actually stopped halfway through the verification process. I was like, geez.
Yeah, you have to enter the seventh circle of hell, basically, and sign over your youngest child.
So it's hard to get one of these things, and it gives you a lot of social cachet on the site.
Huge cachet. Huge cachet if you've got one of those.
Yeah, it's like people fall at your feet when they meet you kind of thing. Graham glows now. He glows. I can only imagine what it might be like to have one of those. I can just only dream. Yeah, and this account was verified. The tweet was promoted. And again, it said it was promoted by Elon Musk right at the bottom. So how did this pass all of the Twitter flags? Anyway, so I saw this happening at about 1 p.m. on Sunday, and I figured this was going to get taken down within minutes. So I screen capped it, and I checked on Monday morning. That tweet ran for at least 12 hours, which was like, that's a long time for a scam to run.
Did you report it?
I did. And a number of other people did, too. People were tagging Twitter support, that kind of thing. And I'm honestly surprised it took them 12 hours to take that down.
Well, it was a Sunday, right?
Yeah. You think they're not working on Sundays?
Yeah, I don't know. There may be less. There's always stuff on Sundays in tech firms. I'm less about the response time and more how did this even happen in the first place. My guess is that this verified account had really poor security on their own account. They didn't have 2FA set up. Somebody reused their credentials and they just abandoned their account at some point. Tell me.
Well, they had about 17 deposits made to their account.
Really?
Within those 12 hours. Yep. Most of them were really tiny. Some of them worth about $10. But some of them were several thousand dollars. So...
Shut the front door.
Within 12 hours of that tweet going live with just 17 deposits, they made over $10,000.
Oh, my goodness.
Yeah. It's good money if you can get it, right? And Twitter doesn't get to see a penny on it.
But the ad was promoted. So someone paid Twitter maybe with a stolen credit card or something. But they wouldn't have spent anything like that kind of money to get that.
Maybe $50. At most, maybe $100. It doesn't cost very much. I've done these before. It really costs very little money.
You've done these scams before. I've done these scams before, yes. Just to be clear, I have not done these scams before. When I promoted tweets, you pay per impression. So, you know, you're paying cents on the dollar. It's super cheap. Can I just say, that's a lot more money than I make. Oh, is it? Oh, I'm so unfortunate. We need to rethink our careers is basically all I'm saying. Yeah. I mean, it's not even a sophisticated scam, is it? No. It's simply saying, fill up our Bitcoin wallet and we'll give you more Bitcoins back. And there are dumb people out there who do it. Fell for it. Yeah. Guys, don't call them dumb. Why would you do that? Gullible? Just because they're giving lots of money away to something they don't really understand. Yeah, but the tweet wasn't all emotional, was it? It wasn't like...
No, I read it to you at the beginning. It's very, just give us Bitcoins and maybe we'll give you some back. And maybe they forgot that Bitcoins have some sort of monetary value. They're going, oh, half a Bitcoin. What's that? A third of a Bitcoin. It's nothing. So they're basically being fooled by the Elon Musk, the verified tweet, the promotion of it. All those cues. Yeah, those cues that usually indicate on Twitter that something's generally trustworthy. It wasn't promoted by the real Elon Musk. It was not going to guess. It was someone else who has that screen name. Correct. Very least. Yes, I did not know this. Because Twitter identified that his account was acting strangely. His Twitter account had posted "I love anime" and posted an image with the text "wanna buy some bitcoin" and he said something about he's got a wolverine named Chibi or something. Yeah, I'm amazed I didn't hear about this.
Incredible. But it's a weird world where the fake Elon Musks on Twitter are more plausible than the real Elon Musk on Twitter.
Well, I mean, when I was looking at the account that got taken over, it was a Swiss life insurance brokerage app. And so they'd been tweeting on and off for a few years about life insurance, sometimes in German, sometimes in English, but really dry stuff. I think the reason why this is happening is they are simply flooded with so much of this. Yeah, I think there's so much this going on that they cannot cope with it.
But can't they just go, oh, that's a brand new account. Maybe we'll hold off for a bit. Or maybe we don't allow tweets right away if someone changes a password.
Well, they probably could do something, yes, or put people in limbo.
Yeah, previous accounts, they would try doing scams like this. They would actually rename the handle. And then that was a red flag. So I think Twitter has stopped allowing people to do... I think the verification goes away if you rename your handle. That's right. But in this case, they actually just changed the display name. So the handle was the same, but the display name said Elon Musk. And that doesn't set off any red flags, apparently.
So do you have any tips for people as to how to better protect their accounts?
Yes. So don't use your same password that you use on Twitter anywhere else. Keep a unique password on Twitter and turn on 2FA. Between those two things, you're going to be much better off than a lot of folks. And selfishly, if you run a social media account for a company, make sure you don't abandon your Twitter account and just leave it sitting and rotting in a corner. Somebody should always have access to that account. Because stuff like this can happen and you want to be able to regain control quickly before your company has egg on its face. I mean, I don't think Twitter's making that much money from these scams either. I don't think it's a selfish thing of, oh, we're making money, so we want to let the scammers do their thing. If anything, this is probably hurting credibility of the platform, which, you know, such as it is. And Elon Musk's stellar reputation for PR and handling situations very well. One must consider such things, yes. Stop picking on...
Elon Musk. He's not the only famous person on Twitter who's posted the occasional bizarre message, is he? Covfefe, right?
I was thinking more Kanye. I was thinking more McAfee, not Covfefe. Where does it end? Clulee. Oi. Oh. Stop that.
Fantastic. Well, Carole, take us from the craziness of Elon Musk and Bitcoin scams to whatever you've discovered this week.
Thanks to things like disinformation or fake news, data breaches, ransomware, Russian hackers, a lot of us are getting uneasy around technology. You know, you keep hearing of people abandoning Facebook and such things. One way to handle or tackle this problem is to stick to sites that you've liked and used for a long time. So if, for example, you like getting your news from the BBC and you've been doing that for years and you trust what they say and you like how they operate, you're going to continue doing so, right? Now, BBC is a big site and it has a big, robust tech team providing and protecting services that it offers. But, of course, there's a zillion legacy websites that are much smaller operations than BBC, and some of these smaller legacy sites may not have updated their services and not be au courant with security infrastructure of today.
Oh, that was French, was it? Au courant. For a moment, I thought you said, oh, the Quran. I thought that's going to cause some trouble. Okay, carry on, Maria. So sites that have created themselves maybe a decade ago that have just been ticking over nicely may not have invested in security infrastructure or additional layers to improve their services, et cetera, et cetera. And there may be sites where you've shared some sensitive information. Okay, I'll try.
Okay, so this week Ars Technica reported on how eight adult websites were hacked. Oh, you're going to do it. I'm
not doing a sound effect for Ars Technica.
What about adult websites? There you are. Wow. Might need some oil in. Was that the zipper coming on top? What was that? Get some WD-40. Oh, God. Good luck, girl. Okay. Good luck. Okay. Now, where was I? So Ars Technica reported on how eight adult websites were hacked, and the personal data of its users was slapped online. The attackers exploited a script that was used on all these eight sites, including Indian, sex4u.com, nudeafrica.com, nudelatins.com. Do you see a trend here? Nudemen.com and wifeposter.com, oddly. Here's a sound effect.
Wife poster? Yes. Posters of your wife. It's a site where you can order a poster of your wife rather than one of Bon Jovi or whoever it is you have on your wall.
It's unclear. This is pictures of users' spouses. Yes. It's unclear whether the affected spouses have actually given consent to their images being made available online.
Ooh. Ooh. Would I be correct in assuming that these pictures of women are of them scantily clad or in compromising positions rather than down the supermarket?
I think you could probably answer that for yourself, Graham.
I think I have. Okay, carry on.
In the exposed data, there were IP addresses connected with the sites. There were user passwords that were hashed using a four-decade-old crypto called DESCrypt. 1.2 million unique email addresses were also picked up and displayed and exposed, although the owner says that only 10% of those people are actual users of the site. In any case, this is kind of dwarfed by the Ashley Madison 2015 hack, where I think 35, 36 million users had their information stolen. And payment details were stored separately. So according to a statement from the owner of these affected sites, they have not been compromised.
But still bad, because this data might identify you as obviously a user of these rather dodgy websites, right? Well, exactly. So when I heard about the fact that one of these sites was about posting images of your spouse, you're thinking, okay, well, maybe the pics of the spouse aren't identified. Yeah, so rather than my real name, I might have chosen a username, something. Yeah, like Hot Dog or
something, right? Graham Oxford. Graham Cracker. Graham Cracker. However, turns out that on this site, customers were allowed to have two email addresses, one for public-facing interactions and a private one to manage their account, you know, pay money, whatever. And the bad news is the private one got nabbed and publicly ousted as well. Now, Dan Goodin from Ars Technica wrote that a simple web search of these private email addresses quickly returned accounts on Instagram, Amazon and other big sites that give the users first and last names or geographic location or information about hobbies, family members and other personal details. So seriously, not good.
No, not good. Yeah. Now, it took the owner of these websites, a guy named Robert Angelini. So it took him three days to verify and confirm the breach. And he took down the site. Saying, I think you've got a problem. So it's just one guy running all these different websites. And all of them are basically insecure and not safe.
Basically, yeah. And the thing is, this guy doesn't seem to be making a ton of money. He claims last year in his article that he only made 22,000 USD from the site. So this is one of the problems, right? He's basically saying, I'm taking the site down. It's now offline. And you know what? It isn't going back up unless I get this whole problem fixed.
He should promote the sites on Twitter with a promoted ad from Elon Musk to help. Yeah, it could help him out. But there's a serious problem, right? Small companies that just shut down and throw away the key because it's not that profitable and they don't care, that doesn't help the victims, right? Twenty-two thousand dollars a year from all of these sites, he might be better off trying to sell the domain names. Nude Latins, nude men, what was... what, you're looking to buy a clue? No, I'm not. But there presumably are proper porn companies who would be interested in it.
Oh, it exists, yes. Rule 34.
I don't know what that means.
You don't know what Rule 34 means? Oh, no. What does it mean? I have to be the one to tell you? On air. Should I do? Google it.
I'm Googling. Oh, yes. I'm Googling. Oh, no. Okay, I'm going to find out live on air. Right, okay. Let's see what this means. Rules of the internet. Okay, here we are. What does this mean? Okay, here a minute. Let's just see. It's loading.
It's when somebody has never heard of Goatse before and you're, well...
I've been told not to look at that. Oh, you can Google that too if you. I've come to know a rule. Okay, I'm scrolling down. I don't understand. There is. Oh, I see. So there's porn for everything. Yes. Basically. Yes. Basically, somebody names two things that are just bizarre and you go, oh, that's gross. And you just say rule 34. There's porn for it. And they're usually, I've yet to be proven wrong. I'm looking at a mouse mat right now. There's gonna be mouse mat porn. If I Google for mouse mat porn, I'm going to look at this right now.
Is safe computing on? You do have a child in the house. I don't know what mouse whatever is, but okay.
I'm sure there is porn for it. I've been taken to a Pinterest page.
Turn around now. Back out. Back away.
I'm backing off. I'm backing off. Let's go back to the podcast.
I've had to be the one to tell you about Rule 34. All right. It's virginity being broken. I'm so sorry. Yeah, it's a bit gross. Okay, now look, so this site, this adult site, it's been around for 21 years. Just take a look. I put a link in for you guys. Just take a look at how the site looked just a few days ago.
Okay, all right. Right?
So you can see how modern it is. What I'm saying is this does reek of a site that's 20 years old, isn't it?
Oh, yeah. It looks sort of...
It's still loading. It looks Yahoo.com circa 1998.
Yeah, or Geocities or something like that. It does look... he probably creates this website in Edlin or some sort of text editor, doesn't he? I mean, it's, yeah.
And I hate to judge a book by its cover, but a site that looks this would make me consider that perhaps their security is not the latest and greatest. Is that fair? Online since 1997. I'm amazed that's not blinking.
Yeah. Yeah, yeah. Blink, blink, blink. Foot lovers. Monitor pics. Is that related to mouse mats? The link is in...
...the show notes for those that like to see it, because it's now offline. Right now, if you go to the site, for example, if you go to wifeposter.com, you will see their statement, which is basically saying we're not here.
Now, problem number two then is that sites that have been around a long time, that have built trust because they've been there for you day in, day out, may be hiding some nasty vulnerabilities because they're not being regularly patched. Even if it was state-of-the-art security at the very beginning, from the get-go, if it isn't properly managed it goes out of date pretty quick. Yeah, this is probably run out of some server in his basement.
So the icing on the cake here is that Robert Angelini has publicly speculated about the identity of the hacker that exposed all the data. He's pointed the finger at a family member. He's actually attempting attribution. That's ballsy. He's been fighting with a family member for two years and is pretty convinced they know their way around the computer. I think they might have something to do with it.
So the upshot here is: delete accounts on sites that are not up to date. I think that's a fair statement. If you've got old Friends Reunited accounts out there... is Friends Reunited still even going? I don't think... I don't know if it is, actually. It got acquired. Yeah, none of this sounds familiar. But basically, there's a lot of old sites you might have been on 10 years ago that you've completely forgotten about, but those websites might still be going.
Friends Reunited is dead. It was ultimately owned by DC Thomson, who of course are the publishers of the Beano comic for kids. Those are all words. I don't know what any of that means.
To be honest, I didn't hear most of today's podcast. Rule 34 has sort of blanked out everything else.
You should now Google Goatse. You should just break the seal and do it. No, no,
No, no, no, no, no, no, no. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare. That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass. Hey, Cluley. Hey, Carole.
Did you listen to my little bit about Meta-Compliance and their e-learning?
Oh yeah, I heard that earlier in the show. Yeah, nice one. Well, have you signed up yet?
Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I? Well, women know how to multitask. Surely you can get a move on and sign up. Smashingsecurity.com/metacompliance. Enter the code smashing.
It should definitely not be. We've done a hundred of these, we know the rules now.
My pick of the week this week is a video which was put together by Wired Magazine. It's rather fun. It is an interview with a former CIA chief, specifically a chief of disguises. Ooh. Jonna Mendez.
You mean disguises? What? I'm now dressed as a hairdresser or I'm dressed as an engineer? Yes, or
A pirate or something like that. If you needed to disguise yourself. This is just in time for Halloween. The CIA has pirates. Well, Ms. Mendez will explain in this video how disguises are used by the CIA and what aspects of the deception make for an effective disguise. And so it's a cute little video. Contrapposto, actually. That's the word. Whereas Europeans apparently sort of balance between both legs. They're just better, use both of them. Apparently, and I'm not so sure about this one, in the video she claims that Americans hold a cigarette between their two fingers on one hand. And she says that rather like Bond villains, Europeans hold a cigarette between their thumb and finger. The pincer hold.
What? Maybe this is for mobsters or something.
Oh, I'll give you another one. Apparently, we use knives and forks differently. So if you don't want to appear American. Americans don't use them at all. But it is true that Americans use a fork in the wrong hand, don't they? What? They do. You put a Canadian flag patch on your backpack. Everybody knows. Well, that's the thing, Carole, because she does say it's easier to make people fatter, older and taller, but not the other way around.
Oh, okay. Anyway, there's no cool tricks about wrapping yourself in cling film or something.
I've been disguised for a few years now. But video is a little bit crazy because I do think, you know, if you're an American tourist in Europe, are you really going to go to all of these lengths? Anyway, the most amazing thing of this whole video, and you should watch the video, is that she once wore a full face mask, Mission Impossible style, as she briefed George H.W. Bush. And then she kind of ripped it off and went, "Ha ha, it's me." And apparently he was fooled by this.
Did he choke on his pretzel when this happened? Yeah. So anyway, check it out. Interesting video. He's suddenly in speedos. Covered in sun cream. Everybody needs breakaway pants.
That is my pick of the week.
My pick of the week is The Good Place, which is a TV show in the States that you may have heard of. You may not have. I don't know.
Controversial. Okay, keep going. Really? Why is that controversial? Let's talk about it first, then I'll tell you. I think he's having a heart attack. Yeah, are you okay?
I think you could probably explain the premise of the show.
Yeah, it's a show about heaven and hell, and about what it means to be a good person, which sounds really, really dull. But it generally... It's a comedy, isn't it? The trolley problem?
One person or three people die. Which one do you choose, right?
When you say trolley problem, I'm imagining a shopping trolley with a wonky wheel.
That is a trolley problem. Right. Yeah, that is quite a trolley problem. People don't normally die.
Now, this show stars the guy from Cheers and Three Men and a Baby, doesn't it?
Yeah, Ted Danson.
Ted Danson does. But the other folks on the show are all really great. So it's the only show that I tune into every week that, you know. Does rule 34 apply to the good place at all?
It absolutely does. That is the twist. Of course it does. I'm 100% sure that the porn has been written. Not only that, well, in the last episode one of the stars of the show took his shirt off and Twitter went alight about how ripped he was.
Are people shipping Ted Danson?
I'm sure they are. I don't look this up. I'm just sure they are. You guys live in a different world. I'm just going, la, la, la, la, la, that doesn't happen in my world. La, la, la. Well, if you live on the internet, as I do. I just don't go looking around on the deep, dark recesses.
Okay, so Carole, you don't rate it great, but Maria says it's fab.
I didn't hate it. I would maybe give it like a five out of ten, six out of ten for me. For me. Okay, fair enough. This is probably the most mainstream-y one I've ever recommended.
Says the woman who recommended the Star Trek Enterprise laptop. Carole, what's your pick of the week? Okay, so do you ever get irritated by all the screens that are around? No, many first dates are ruined by the fact that you're there delivering pizza and it turns out he's trying to rob you instead of having a date. That's what goes wrong, Carole, these days.
And we've come full circle. See, that's how you wrap up a show. That was so bad. Follow me on Twitter, even though my story was about how bad Twitter is. Follow me on Twitter anyway. M-V-A-R-M-A-Z-I-S is my handle. M-Varmazis, you can find me there.
And you can also follow us on Twitter as well, at SmashinSecurity. No G, Twitter will not allow us to have a G. And you can check out our online store where we've got some t-shirts, stickers and a range of mugs as well at smashingsecurity.com slash store. Thank you for tuning in. If you like the show, rate us on Apple Podcasts, tell your friends and subscribe. It really helps, guys, please do. It really does. So until next time, cheerio, bye bye.
Bye bye. Holy mother God. I'm sorry, I had to mute myself at a point and you're like, I can't stop laughing. Thank you.
Hosts: Graham Cluley, Carole Theriault
Guest: Maria Varmazis
Show notes:
- Robber contacts victim on Facebook to apologize, Reading police say — Reading Eagle
- Maria Varmazis spots a promoted, verified scam tweet — Twitter
- Why is Elon Musk promoting this Bitcoin scam? (He’s not) — Naked Security
- Twitter thought Elon Musk's bizarre tweets were evidence he'd been hacked — Graham Cluley
- Hack on 8 adult websites exposes oodles of intimate user data — Ars Technica
- Wife Lovers website snapshot — Wayback Machine
- Friends Reunited — Wikipedia
- The Beano — Wikipedia
- Former CIA Chief Explains How Spies Use Disguises — YouTube
- What Makes ‘The Good Place’ So Good? — The New York Times
- The Good Place Season 1 Trailer — YouTube
- Trolley problem — Wikipedia
- IRL Glasses Block All the Screens Around You — Wired
- IRL Glasses – Glasses that Block Screens by Ivan Cash — Kickstarter
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.


Maria should permanently be added to the podcast. Infectious laugh, hilariously funny and enjoyable.
I agree, between the three of you, you have fantastic senses of humour which make the show really enjoyable. And how ironic, the mention of Rule 34, and where should I hear another reference to this but in the latest episode of Criminal Minds the very same day, by the IT Analyst character Penelope Garcia (Kirsten Vangsness). Funny old world.