
Business email compromise evolves to target your company’s payroll, how the world’s largest gold coin was stolen from a Berlin museum, and are internet giants feeling the heat yet over data security?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by people hacker Jenny Radcliffe.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Honestly, he'd been running it for years, selling them from his space on the shop floor, and we only found out because one day someone smelled it, and not one of his colleagues would grass him up. Smashing Security, episode 112. Payroll scams, gold coin heists, web giants spanked. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 112. My name is Graham Cluley. I'm Carole Theriault. And we're joined today by a special guest, someone who's new to the show. Brand new. It's Jenny Radcliffe. Hello, Jenny. Hi, guys. Pleased to be here. Now, Jenny, if anyone out there doesn't know you and shame on them, what do you do? Why are you here? Why were you born? Is that what you're asking her? So, yeah, so I'm a social engineer. I do lots of talks on the topic, people hacker on social media and podcast, fellow podcaster. Yes, you do the Human Factor podcast, don't you? The thing is, everybody has a podcast these days. Exactly. Yes, exactly. And everyone also has a Reddit page. Well, we do now, and this is something we wanted to quickly plug. If people want to go and follow us on Reddit, they can now join in conversation and chat with the hosts. In other words, let me translate for Graham. Yes, please do.
Graham is spending a lot of time on Reddit and he's lonely. If you want to go spend some time with Graham, go to the Smashing Security sub and hang out with Graham, especially if you want to talk about chess or Doctor Who. No, I'm not doing that. He'll answer your questions. I'm not doing that in the Smashing Security. Anyway, the quick URL for it is smashingsecurity.com slash Reddit. And later in the show, we'll also be telling you all about how to find the human factor as well. And subscribe to that. So, Carole, what have we got coming up on the show this week? We've got a pretty interesting lineup this week. Graham, you are talking about new types of scams where hackers get on the payroll. Jenny has this wacky story about how a ginormous gold coin was stolen and it all used human hacking to do it. And I talk about the most fun topic of all, GDPR and fines. No, I'm not kidding. And I promise I make it interesting. All this and more coming up on Smashing Security.
Against the latest cyber attacks. Download your free copy now by visiting smashingsecurity.com slash intelligence.
Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL, lastpass.com slash smashing. God, I find that so hard to say. lastpass.com slash smashing. Here you can learn all about what password managers can do for your firm. You can download a Forrester report all about the topic. And you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, then put on your digital skates and slide on over to lastpass.com slash smashing. I use them, I heart them, so you should check them out. On with the show. Now, chaps, I wanted to know from you, have you ever had a boss from hell? Yes. Many times. Well, I used to be your boss, Carole, so you've had some fantastic bosses as well, haven't you? I have had one or two amazing bosses. Any who particularly stood out as being good? One was Swedish. You spend time in saunas. Do you remember him? Yes, I do. He was great. I have horrible bosses. Have you? In fact, it's one of the reasons I don't have a boss anymore. Yes, hear, hear to that. Yeah, I mean, I have some nice bosses as well. Yeah. Well, there are bosses out there who it's very difficult to say no to. They just won't accept it, will they? If they want something done, then you've got to do it. And you almost live in fear of them. And this is something, of course, which scammers take advantage of via business email compromise, where someone forges your boss's email address or worse, has actually managed to compromise your boss's email account. And they might send you a fraudulent message, maybe asking you to transfer money into a bank account under a hacker's control or forward sensitive information. We talked about this, if you remember, in episode 104, where we described how the Netherlands branch of the Pathé cinema chain, they got scammed out of millions. 
Yeah, yeah, that was a great story. Over and over again they were slammed, thinking their boss was telling them to move money because of a business deal, and they kept on doing it, and they never checked with the boss face to face. So that is something which can be a problem. There are giveaways, of course. Sometimes if a boss suddenly begins to say please and thank you, that can be a clue that it isn't your real boss, because they're speaking in an unusual or different way, right? That's one of the giveaway signs. So work can be pretty stressful. And a boss from hell can make it pretty stressful as well, I think. But so is buying a house, right? That's another stressful thing which happens to you. I know houses I've bought in the past, you know, solicitors have left for six weeks on an unexpected skiing trip without warning me or real estate agents. You know, they're all fairly sort of vile and slimy anyway, aren't they? I'm so trying to figure out where you're going with this. You've talked about evil bosses. Yes. And now you're talking about house buying. I'm just trying to preempt you, but I can't. Well, the thing is that the bad guys can pretend to be a boss. They could also pretend to be an estate agent or a solicitor. No, the process of buying a house, certainly in our country, is protracted enough and painful enough. The last thing you want is a scammer getting involved in the process, which they sometimes do. Increasingly, estate agents are, for instance, getting targeted by the scammers. And what they will do is they will pretend to be either the purchaser or the solicitor and they say, just so you know, just before the purchase goes through, we changed our bank account details. So when the big walloping sum of money comes through, put it into this account rather than the one we may have told you about in the past. Oh yeah, that's not suspicious. Well, you have to be a pretty small firm not to go. It happens an incredibly large amount. 
Millions have been lost. But here's the thing. Here's the thing is something that, when you're in the middle of that stressful situation and a problem appears, you know, one of the things we do in social engineering is we present the target with an easy way out, and if the easy way out is look, it's very simple, just change the bank account and that's that, they probably your decision making capacity is very low when you're emotional, right? So I can totally see how that would work. This the boss one, it is really all about social engineering, isn't it? Either it's done on the phone or it's done via an email, a hacked email address, but the outcome is the same. Money ends up in the wrong bank account. And someone's been seriously duped. Right. Now, there are other ways in which these kind of scams can happen. One that we see is that the bad guys will pretend to be one of a company's many suppliers. So you may have a big company with many contractors and firms working for you, working on big, big projects. And what the scammers will do is they will break into an email account. They may observe what projects you're working on and they will then create almost a bogus company with a bogus bank account in the name of that company. And they will actually send an invoice to your accounts department for a project that they know has just completed because they've been observing the emails. Sneaky, sneaky. Well, companies have lost tens of millions through exactly this kind of scam. Again, because they're idiots. Well, oh, that's nice, isn't it, Carole? Just call them idiots. Well, maybe they should just keep better logs so they can keep track of their money trails. Yeah, but this is a real thing which is being paid for, right? A project which has happened, you are expecting an invoice to come in. And even if the finance department contacted the individual in charge of the project and said, can you confirm that project moon landing has occurred? And they'd have a PO number. 
There'd be a PO number if they hacked into the email so they'd even know that number. Yeah, it's not that a mark is ever stupid necessarily. I think one of the things that's really starting to annoy me in the security industry is people saying how these attacks are not very sophisticated and that people have fallen for them because they're dopey or they're not very clever. If the take is of a decent size, it's really worth executing that con very well. And so spend a lot of time and effort making things look convincing, making sure that you hit the right kind of timings. The observation stage of any con is the longest stage. We spend longer on that than execution. Right. Much more than a lot of more basic cons because, yeah, you can always play the percentages on the smaller ones. But the bigger ones that you're talking about, those tens of millions, it needs more time and elegance. Elegance is what I keep telling people. There's no elegance in this. Right. SPEAKER_01. Scammers hacked into his email and sent him bogus bills. His business nearly lost more than three hundred thousand dollars. As Pam Zechman reports, the FBI believes this scam is growing and costing U.S. businesses billions. I'm in trouble. SPEAKER_00. How bad was the trouble? SPEAKER_01. The trouble was very bad. SPEAKER_00. Ahmet Diamond imports metal cutting machinery from Taiwan. His email system was apparently hacked by scammers who monitor business emails and then redirect payments. So that's another way in which the bad guys can get your money. Now, what I want to talk to you about this week is a different way in which this similar kind of thing can happen. And what can happen is the fraudsters can actually get themselves onto the payroll of your company. Shut the front door. So it's they've been hired by you as a permanent employee. This can happen in a number of ways. One way is they can target the email account of one of your employees. 
And we've got some examples which were linked to from a company called Agari. Hey, Gary. I'm not sure how you say it. Anyway, Agari. Hello, Gary. Anyway, so Agari, they've done some research into this, and they've actually included some screenshots and things of exactly these kind of emails being sent to HR departments claiming to come from an employee saying I've recently changed banks. I'd like to change my direct deposit details to my new account. Can you sort this out for me? And sometimes the HR department are wise enough to say, well, look, you're going to have to send us something on the bank letterhead confirming your details. Well, again, you were saying, Jenny, if they're determined to get this money, they will fake the bank letterhead. They will send that through, you know, just as a PDF or something, say, here you go, here are the details, and the HR department will just update their database. But the other challenge is that many companies these days have a sort of self-service system where you can log into your own company intranet and maybe change your own payment details, because why would you need to speak to HR to do that? Why can't they trust you? So a lack of proper authentication there can mean that your employees log in or someone posing as your employee logs in and changes their details. And it may again take weeks or even months before someone notices they haven't been paid, you know, depending on who they are. Has anyone fallen for this? Have you seen any stories where someone's actually been duped by this and not gotten their salary and gone, hey guys, I think you owe me my salary. So that's what Agari are talking about and they're linking to and they've come across examples of this. And they also postulate, and I'm not unclear whether they're saying this has actually happened or not, but they were clearly thinking about what the next generation of these kind of attacks are. 
See, the challenge is with what I've just described, obviously, people are going to notice if they don't get paid, whether you're in the US government shutdown or, you know. Yeah, they're noticing every single day, I bet. Most people are going to notice at the end of the month if their salary hasn't arrived. Maybe too late for that month, but it's not an ongoing campaign. It's also something which would be hard for a scammer to do multiple times inside the same company, although they might do it in multiple companies. You know, one or two people in lots and lots of companies. Yeah, I don't know if you could do this at scale. I don't know. It sounds risky. It's a lot of contact. Yeah, a lot of contact, a lot of legwork for one payment, really, that might work. Yes, but a lot more payments than maybe the typical scam. Depends, I guess, who you manage to get, right? Exactly. Maybe you get more if you target someone who's C-level, for instance. Didn't we have a boss once who went to a younger employee and showed, went up to her with his P45, because he was obviously quite well paid. He was a big VP. And he kind of said, oh, look, my taxes are higher than your salary. He goes, isn't this disgraceful? Look how much tax I have to pay. That's more than you get paid a year. Sounds lovely. Yeah. So not all bosses are great. No, he was pretty rubbish, wasn't he? But anyway, the next scale of attack. So I've just mentioned that, but Agari, anyway, the Agari security chaps, they are talking about fictional phantom workers. So they postulate that maybe you could actually get someone on the books of HR who doesn't actually exist in the company, if you have a big enough organization, using hacked emails. Have you seen Frank? I've never seen Frank? The big guy? I think this is entirely possible. I've never put room to repaying people who were dead repaying people who'd retired. They just forgot to take them off the payroll. Now that is dozy. Right, that is stupid. 
No, there's a difference between being dozy and being dead, Jennifer. If you prod someone enough times it reminds me a little bit of that. Do you remember that Michael J. Fox movie? This is really going to date me. The Secret of My Success, where he starts in the mail room and he finds... I've totally seen this, but it's a long time ago. Yeah, it's a long time ago. It had music by Yello. It was ooh, yeah, and all that. Anyway, it was great. But yeah, he finds an empty office and he basically sort of moves into it. And just through using the same kind of techniques that you probably used, Jenny, to break into companies and find their weaknesses, everyone assumed he was quite high up in the company, put a name on the door, started telling people to do things, soon had a secretary and built himself up and complained to HR his salary wasn't arriving. Everyone, just because of his sheer brass, he got away with it. And I think that would be this kind of attack as well. I don't know if it's happened, but you can imagine in particularly large, disorganised organisations, it might be possible to actually get a fake person on the books who gets paid automatically every month and the money goes straight to the scammers. I went for one company and I noticed a health and safety violation. That was quite a big one. There was an obviously heavily pregnant girl, young woman, lifting their heavy crate. It was when I worked in factories. And so I went and reported to the head of the factory. He said, well, who's their boss? I said, well, I don't know. It's not me. I'm head of operating. Not me. Is it you? No. I said, well, who is it? Well, nobody can find out. Nobody knew who she reported to. She didn't know who she reported to. And so nobody, there was almost no one to blame for the fact that she clearly hadn't had the training in health and safety. Nobody really knew anything about her. And actually, I'm not sure how that panned out. I know she disappeared. Yeah. 
But I'm not sure how it panned out. But I've worked for companies of that kind of size and complexity that there was all kinds of stuff going on that people didn't know about. Lots of scams. We uncovered someone who was making bacon sandwiches and selling them from the factory floor. Nobody knew about that. False walls in warehouses. I mean, if physically you can hide people and bacon sandwich factories and parts of warehouses. Bacon sandwich factories. I'm sure virtually. Pigs are stuffed into the locker rooms. Honestly, he'd been running it for years, selling them from his space on the shop floor. And we only found out because one day someone smelt it and not one of his colleagues would grass him up. Well, no, it's bacon sandwiches. You wouldn't, would you? Because they were cheap. Well, we have to move on, Jenny. But this pregnant woman who said, oh, I don't know who my boss is, and no one else seemed to know, is it possible she was actually a thief? And she wasn't pregnant. She just had a monitor stuffed up the front of her jersey and was pinching it. And maybe she was being brassy. Maybe she was claiming, oh, yes, could you help me lift this thing into the back of my car? And off she would go. I'd love to think that that was the case, and then I missed a fellow social engineer in full flow. But I really don't think that was. Like ships in the night. Yeah. Yeah. If that's true and you're listening to this, do contact me and tell me because I'd like to give you an interview on my show. If you've got to. Jenny, what have you got for us this week?
Oh, so I love, love this story. I am talking about the giant gold coin theft in Berlin.
I don't know anything about this. I haven't heard about this. What happened?
Oh, God, this is so good. So this week, four men have gone on trial because in 2017, four miscreants managed to break into the Bode Museum in Berlin and steal the biggest ever legal tender coin, which was solid gold. It was worth 3.75 million euros.
So bring that down the chippy.
The size of a car tire.
I buy you a lot of bacon sandwiches. How do you lift that? You just roll it down the road?
So you roll it. That's why, that's why, that's why, you know. Human ingenuity. Drain covers and things are round so you can roll them, right? You don't have to lift it. Anyway, it's the size of a tire. It weighs 100 kilos and they stole it. And I just love this story. So there's so many elements. They wheeled the coin through the museum on a roller board, smashed through a bulletproof cabinet, and then they used a rope and a wheelbarrow to transport it across the railway tracks through a park to a getaway car. And it stuns everyone. It's actually a Canadian legal tender. But I love this line in the article, which I sent you the link for that I'm sure you'll post. but it says it stunned the German public, not least because of its audacity and old-fashioned simplicity and the fact that no alarms have been triggered. Well, it turns out that no alarms have been triggered because just weeks before, one of their oldest friends from school started to work as a contract security guard.
Oh, fancy that, fancy that. Oh, insider. Pure coincidence.
I love it. They're looking at 10 years, but I mean, I love it because it's pure social engineering. It's old-fashioned sort of heists, the type of stuff that I do, legally, obviously. We replicate. Just how theatrical and wonderful is that? But they got caught.
Yeah, it's amazing to think that they thought they could get away with it.
Well, if it hadn't been for them pesky German authorities. Yeah, yeah. Wheelbarrow. Love it. Oh, yeah. Any crime committed with a wheelbarrow. Yeah, you just got to get it there.
Apparently. That's what I'm thinking is you'd have to check it in to the plane, wouldn't you? You're a pretty good swimmer, Graham, actually. You could probably just, you know, backpack it. It seems that it was made to break the record for the largest ever legal tender. I don't know whether that's largest physically or just in amount because, you know.
It could be both. But what do you do with it? I mean, you can't buy anything with it.
You roll it into a real estate agent, right?
No, no. I mean, it's obviously been melted down and sold on. I mean, you need a fence, Graham. Come on.
Right, right. I suppose so. Yeah. If you tried to get in a cab with it, it'd say, I haven't got change for that, wouldn't it?
But it was hidden in the wheelbarrow. Who knew?
What's your story for us this week? So reading recent tech headlines, it certainly seems the internet giants are having a bit of a comeuppance in 2019. And we are lucky enough to have a back row seat. We don't have a full picture of what's going on. But some of the information is making its way downstream, just mere users. And I wanted to speculate with you guys. Do we think the actions we're going to talk about here are going to make any difference? In other words, are Facebook or Google going to mend their ways?
I've got a theory already, but let's hear what's happening to them.
So this week, we saw France's data protection regulator, CNIL, get it? As in C-NIL? I don't know if you're supposed to say C-N-I-L or not. Anyway, C-NIL, we're going to call it that, issued Google with a 50 million euro fine, so that's just shy of 60 million dollars US, for failing to comply with the EU's General Data Protection Laws, also known as GDPR. This is the first GDPR fine that has at least seven zeros.
Thankfully, it's not just zeros. There's a non-zero at the front, right?
So other ones have included a Portuguese hospital, which was fined 400 grand after its staff used bogus accounts to access patient records. We've had 20,000 euros being fined to a German social media and chat service for storing social media passwords in plain text. And there's even a small Austrian business. They were fined five grand in October for having a security camera that was filming a public space.
I know, I'm surprised that fits in under GDPR, but there you are.
Data protection regulator CNIL stated that Google failed to provide enough information to users about its data consent policies and didn't give them enough control over how their information was used. So just to reiterate, under GDPR companies are required to gain a user's genuine consent for collecting information, which means making consent an explicitly opt-in process that's easy for people to go to. Right? Yeah. Now, GDPR fines can be set as high as four percent of annual turnover. Okay, not profit. So Google or parent company Alphabet reported revenues of 33.7 billion last summer in three months alone. And that was up 21% from the previous summer. Not bad. Let's extrapolate and do a little math here, Graham.
Math. Maths.
Maths.
Oh, I'm outnumbered. Maths.
So let's say Google are raking in about 100 billion a year, right? So if they're making 30... Yeah, right, 100 billion a year, probably 120, but let's say 100 billion a year. That's four percent. The fine would be four billion. Four billion, yes, absolutely. Well done. Yes, this is good, easy so far. So while this current GDPR fine of 50 million sounds impressive, it's a bit like having a hundred and someone fining you five cents for flagrantly ignoring the rules.
Yes, it's not. Well, yes, it's not. It's not a huge. Yes, you're right. Yeah. For us, for users, it sounds huge, right? It sounds really impressive. But really, in the grand scheme of things, from their point of view, this is probably less than they pay their lawyers in a year. It's probably less than they spend on sugar lumps in a year. I do seem to remember reading a story which said that Facebook and Google had lost $100 million to business email compromise scammers in the last few years. So you're quite right to say that, you know, this is something they can probably deal with quite easily. What was interesting is when I was researching the story, I decided to go and use a rarely used browser this morning to do a bit of Google news searching. And I was presented with this pop-up, which said, basically, it's a data protection law alert. And it was warning me of my settings and checking whether I was still cool with them. So I don't know if this is a response, because obviously I'm based in Europe, to this fining in this case. But it's interesting, it just popped up this morning. Even though it may be a relatively small percentage, no one wants to keep on getting fined, do they? And the fine might, of course, escalate over time. So I think they want to be seen, at least, to be warning people, go and approve our data policy, which, of course, they know hardly anyone's going to read. So this is France bringing this fine. This is CNIL bringing the fine to Google.
Oui.
Presumably other EU countries can do the same thing.
Yes.
You know, where does the money go? The money goes to France's data protection regulator. Does it go to the EU?
So I don't know that.
Oh, I see. I see. So what you're saying is France has had a go and presumably they get the money. But or. And wouldn't that encourage other, you know, Greece, Greece?
27 or other countries.
Greece, yes. Spain. That's a good one. I think Britain might want to get in quickly.
I was just thinking that.
Right. TikTok, Britain. We could do with some cash.
I may have seen an answer. Across the pond to the US of A, we are seeing social networking platform Facebook in the FTC hot seat. According to the New York Times, there are five commissioners that have been assigned to look into whether Facebook violated the binding user privacy agreements during the Cambridge Analytica scandal. FYI, guys, I say they did.
Yes, obviously.
She said that. I never said that.
And there are rumours that the ICO may be planning to issue a record-setting fine. Now, in theory, the FTC could fine Facebook up to $40,000 per violation, though considering there are millions and millions of users affected by this breach, that would run into the trillions and not be viable.
Could you imagine a world without Facebook?
Oh, go on, do it. Plunk, flush, Facebook.
Oh, that'd be so awesome, wouldn't it?
You know what, if they did that, everyone in Europe would end up, we're the Arabian oil magnates. Imagine the money flooding into Europe if we could find 40...
This is the FTC. This is in the US.
Oh, oh, okay. Well, anyway, they could be really rich as well. That's terrific. Right, but as soon as it gets to those sort of levels, counter arguments are going to come in that this is now part of society. This is something that people rely on. And also, it's sort of anti-business. And I mean, right at the beginning of the... I can't even bear talking. I can't believe you've got me talking about GDPR. But right at the beginning of it, I mean, you so owe me drinks now. Because I just don't talk about it. And it's too early for me to actually drink. If this was my podcast, I'd have a drink if someone mentions this. But back in the early days,
What is your problem? What is your problem with GDPR?
Because it's boring, Carole.
Oh, I don't find data privacy boring.
Well, that's lovely. Well, it's... Clearly, and it's... I don't, and I think my story's been exciting so far.
Your story is exciting, and I hate to bring hostility into the proceedings.
I'm not talking about you. Don't make it all about you.
No, no, you go ahead, Jenny. I think this. On my show.
Let's have a big catfight. You have to take a drink if you may. I've interviewed privacy professionals who are not allowed to say. A friend of mine said to me, there will be a huge case, a huge case, and it'll involve one of the giants. And when that happens, it'll be the lawyer train. And it'll go on so long and so much will happen during that process that whatever starts, it's going to be irrelevant by the end. And I think they're probably right because you've got companies Facebook have got so much money to kind of drag it out, to argue it, to lobby.
Lobby appeals.
Yeah. It won't be as straightforward as perhaps some of us would like to see to sort of show that this is actually a serious thing. And I am joking with you, Carole, but that it's a serious thing that does need taken seriously.
Yeah, no, I agree. I know, I know. And GDPR does sound very dull. I agree. But I, well, as we'll see, maybe we're in a much better state than some of the Americas, for example, in terms of what is legal.
If I was making GDPR the action movie, you know, with Bruce Willis and Arnold Schwarzenegger and all that, really trying to make it dramatic in order to keep everyone interested.
Everyone be nude.
The subject of GDPR. Well, I was just thinking, the final twist at the end, you know, that moment in Seven when he opens the box and he realises it's Gwyneth Paltrow's head or something that. The final twist at the end would be that some scammers, just as Facebook is transferring the 300 trillion dollars...
They changed the bank account.
Exactly. Someone comes in and goes, oh, hello, we are the French people. We are from CNIL. We would like you to know that we have changed our bank account details. And Zuckerberg, he's got his finger over the enter button. He clicks and the money goes in the wrong account. They say, ha ha, you've got to pay again, buddy. You just gave it to the baddies.
Or they divide it between all of the users and we all get a check.
We should write movies, you and me, Jen. We don't need to do podcasting.
No, no, I think you both should. I can't wait to see them. They sound great. So my question is, would we agree that these fines aren't necessarily going to have any financial impact on these giants? Do we feel that these companies are too fat and powerful to regulate or not? Because what's stopping them? They've had carte blanche, they haven't had any legislation, and it turns out that they've not necessarily behaved very well with our user data.
Well, how big do you think the fine should be?
Well, maybe it's legislation and not fines that has to happen.
Exactly. This is completely not what we would do if we were trying to take someone down. You don't hit them in a place where they're not vulnerable. They're not vulnerable financially. You're not going to wipe them out. I would force them to help create the policies and the legislation that needs to take place in order to protect user policy and user privacy. And they're not going to behave on their own, right? So you need to get legislators and I guess the legislators arm at the moment is financial. It's a fine, right? But they have been taking the piss and so I say maybe we should support local legislators that are willing to tackle these giants because there's a few in the States, there's a few here in the UK and maybe it's time for them to pay the piper and maybe that is legislation, not fines.
I think it's a start.
Yeah, it's a good start.
It is a good start. I agree, too. I think it is a good start.
Well, I think if any of our listeners have thought of alternative ways in which we could punish tech companies for being sloppy with our data, they should let us know either by dropping us a line at studio at smashingsecurity.com or on our Twitter or on our Reddit as well. It'd be great to hear from you.
I'd love to hear.
And you see, this is why I do GDPR, because now Pick of the Week is so much more exciting.
You do realise I'm keeping a tally? That's eight drinks between me and me. That's easy. I can do that.
And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week.
I'm sorry. Was I supposed to say it too?
Oh, it's that, is it? Okay.
Pick of the Week.
Thank you. So Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security related necessarily.
No, it definitely should not be.
Well, mine is not security related this week.
Good.
This weekend, I sat down with my little son and we played. I think we've mentioned before that we like to play on the old Nintendo Switch.
Does he really enjoy it or do you enjoy it and force him to play with you?
He really does. And I think it's a good... It's good to get away from the sort of sniper... Game missile. So we have been playing a game, a short little game, but it's really fun and it was quite cheap in the Nintendo store. And you can also get it for iOS, Android and on Steam. And it's called The Office Quest.
Okay.
And The Office Quest is all about having a very, very dull job and you're in your office and you're so bored, bored.
Who chose this game?
And but it's very charming, and basically you escape from the office, you get away from your boss, out into the world, and then it all becomes more and more surreal, what happens. I'll give you an idea of the... It's beautiful art in this game, but everyone in the game, it's completely unexplained, is wearing a kind of animal onesie. So there's people...
What, so for furries?
I saw this in the link and I saw it was sheep. They're just, these are all the sheep in this link and I thought, is this some kind, is this a coded message about compliance? Not bloody GDPR compliance. There you go, you get one back. But about lame compliance exercises we do to show that people can be easily scammed. What is this?
They look like furries.
It is a bit furry-ish, but that's not spoiled my son's childhood. There's one dressed as a banana.
Yes, well there you go
It does happen, Carole. Anyway, so The Office Quest, really fun. There's no dialogue in it whatsoever. It's all done... I guess that made it really easy to translate or whatever. But it's not just a point and click. It's also at one point a platformer. And there's a lot of logical puzzles as well. And we really have to think. And it was a real brain bender. We finished it in a weekend. It was good fun, it only cost us about £10. And that is why I recommend The Office Quest to be my pick of the week.
I'll give you that it's very beautiful, actually. I love the drawings.
That is right up my street.
Yeah, very nice, but it's got a real style about it.
I'm just checking out the website.
Oh, so this is what I think about in the long, dark hours sometimes. And this isn't even a particularly new article.
It's going to be GDPR, isn't it?
Article, that day. I got it back. Um, this isn't... I've got a tally, I'm telling you. So this isn't even particularly new, but I'd had a particularly bad day, and Brexit and all these things is going on, and you think it couldn't get any worse. And you should know that, as Shakespeare said, whilst you can say "this is the worst", the worst it is not, or words to that effect. So I'm just browsing, actually, through Reddit. So there you go. And I see something along the lines of: just when you thought things couldn't get any worse, there are several countries in the world that have got radioactive wild boars in them.
Wandering around.
Yes.
Not boring people.
No.
No, as in the sort of pig.
Oh, boars in Asterix. Sort of the things which snuffle up truffles.
Yes, indeed.
So in the Czech Republic, there is still fallout from Chernobyl.
Wow.
And it has turned a certain type of mushroom toxic from cesium-137. And the boars eat the mushrooms and then the boars are killed for goulash, which... And the article I read said, but you'd have to eat an awful lot of goulash for this to be an issue. I don't even want to eat any goulash if I think that the thing's radioactive.
They're in the Czech Republic. All they're going to be eating is goulash, from my experience. Maybe we need to start walking around with a Geiger counter and checking our dinners. What do you mean they've done really well? They've sort of grown extra heads or something.
It doesn't seem to have affected their breeding in a detrimental way. So the population has exploded. And now they are much more radioactive than the ones in the Czech Republic. So they are 300 times higher than the safe level.
Oh, my goodness.
So wild boar is a delicacy in Japan, but not when it's 300 times.
Yeah, this is when you don't buy local. Yeah. And so apparently it's... But one of the other side effects is they've not seen humans for a long time. So they're really aggressive. So if you thought you were having a bad day, imagine if you were... And I mean, I'm not trying to say this in poor taste, as it were, to poor people who suffered a terrible disaster. But if you were trying to return to your home, one of the things you probably didn't think you'd have to deal with would be a wild, wild, I was livid, boar that is radioactive, preventing me from re-entering the region. Can I just check? Can I just check that your pick of the week is a miserable story about the plight of wild boars which are radioactive because of humans messing up?
How perfectly English.
And this is what cheered you up because of Brexit.
You dissed me. You threw shade about the radioactive boars.
Threw shade. What are we, 14?
No, we're living in 2019. Language evolves, Graham. It's an interesting pick of the week. Well, I have... I know it sounds a bit depressing. It's not at all. It's kind of a cocktail of comedy, sci-fi, murder, horror, a bit of philosophy, a bit of ethics. It's really weird and lovely.
Hosts: Graham Cluley, Carole Theriault
Guest: Jenny Radcliffe – @jenny_radcliffe
Show notes:
- Smashing Security on Reddit
- Business Email Compromise Scams Have Netted $12.5 Billion, Says FBI — Bitdefender.
- The 2 Investigators: Theft By 'Business Email Compromise' — YouTube.
- The Secret of My Success Soundtrack – "Oh yeah" by Yello — YouTube.
- How one company lost $44 million through an email scam — Tripwire.
- BEC Gangs Focus on Executives for Payroll Diversion Scams — Agari.
- Daring robbery: Rare gold coin worth millions stolen from Berlin’s Bode Museum — YouTube.
- Trial begins for 4 accused in gold coin heist — CBC.
- Four men go on trial for giant gold coin heist from Berlin museum — The Guardian.
- The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against Google — CNIL.
- Portuguese hospital appeals GDPR fine — IT Governance blog.
- German chat site faces fine under GDPR after data breach — We Live Security.
- First GDPR fine issued by Austrian data protection regulator — Freshfields Digital.
- F.T.C. Is Said to Be Considering Large Facebook Fines — The New York Times.
- The Office Quest Game.
- Office Quest – Nintendo Switch Official Trailer — YouTube.
- Radioactive wild boars rampaging around Fukushima nuclear site — The Independent.
- Maniac — Netflix.
- Waking Up Podcast #145 – The Information War — Sam Harris.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you. “The Threat Intelligence Handbook” is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.

