Smashing Security podcast #186: This one’s for all the Karens!

Industry veterans, chatting about computer security and online privacy.


A high-rolling Hushpuppi gets extradited to the United States, Carole details her problems with clipboards and Disposophobia, and our guest becomes the subject of fake news during the Senegalese election.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by investigative journalist Michelle Madsen (or is it Michelle Damsen? Hmm…).

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Hey everybody, before we kick off this show, I want to do a very heartfelt shout out to a few of our amazing Patreon supporters. This week, shout out goes to Jonathan Haddock, Lisa, Robert Odegaard, Nat Wang, David Browsinski, Sanketh Menda, Roy Tate, Dan L. Barker, and Eric Carpenter. You guys rock! If you want to join this amazing community and get loads of extras, check it out at smashingsecurity.com/patreon. Let's get this show on the road. Look at him in this tiny bed. Why is he in a cot the size of a 2-year-old child's?

Graham Cluley

That's on a PJ, Carole. That's on his PJ reading his copy of Forbes.

Carole Theriault

What's a PJ?

Graham Cluley

A private jet.

Michelle Madsen

Although I must say the private jet looks remarkably like a small narrowboat.

Unknown

That's what you should do. You should rebrand your boat and tell people you're in a PJ flying around to avoid COVID-19. Smashing Security, episode 186: This One's for All the Karens, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 186. My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we are joined this week by someone who's new to the show, a freelance journalist, a poet, a theater maker. It is Michelle Madsen. Hello, Michelle.

Michelle Madsen

Hello.

Carole Theriault

Welcome. New to the show as well.

Michelle Madsen

Very excited. Exciting to be here. Thank you for having me.

Graham Cluley

I think, Michelle, this is the very first time we've had someone actually call in from a boat, which is what you've done today, isn't it?

Michelle Madsen

I'm very excited to be such a first for you guys. I'm on a boat which is currently slightly listing but not sinking.

Carole Theriault

Is this a humongous powerboat on edge of the Mediterranean?

Graham Cluley

A gin palace.

Michelle Madsen

A small, kind of small floating shed on a canal in Hertfordshire, but it's just my home and I love that.

Carole Theriault

You're not on a cruise ship? No. Okay, thank God.

Graham Cluley

But I guess that the beauty of being on a canal during lockdown is that you could, in theory, move. What are the rules regarding that?

Michelle Madsen

Wow.

Graham Cluley

I don't think the government have been very explicit about this, have they?

Michelle Madsen

No, they haven't. So, don't tell anyone.

Graham Cluley

Shh, huddle, huddle.

Michelle Madsen

Shh, just come round, everybody. So what I did, I was in London for most of the lockdown. Yeah, I was just about to move to Berlin, and then the lockdown happened, and I didn't have a sink or an oven in Berlin, so I was, oh no, I'm gonna have to go back to the boat, which is inevitably gonna have a disaster if I don't look after it. So I came back to the boat and then got stuck in London for a month and a half with some very rowdy ducks and some very nice other boat people. And so I spent a lot of time complaining about the joggers and then before I started jogging, I was interviewed by National Public Radio in the States about how much I hated the joggers. I must have been quite sort of angry about them. And then I escaped. I ran away to Watford because that's where everyone escapes to, and it's very hilly and pretty here, if a little bit weird and rainy.

Unknown

So, and probably doesn't have the best Wi-Fi or internet connection in the world.

Michelle Madsen

Well, I've moved to a better spot. The last spot I was at, there was nothing, and I had a lot of very frustrated people shouting at me going, I can't get hold of you. But now it's all fine and I'm on the radio and I'm on the podcast with you guys, so that's amazing.

Graham Cluley

Fantastic. Great to have you here. Carole, what's coming up on the show this week?

Carole Theriault

First, let's thank this week's sponsors, Authenticate and LastPass. Their support helps us give you this show for free. Now on today's show, Graham introduces us to the crazy world of Ray Hushpuppi. I used to love my Hushpuppies. Michelle shares her fake news whodunit, and I tell a sad privacy tale of copy and paste. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, I've really got to ask ourselves, why on earth are we bothering? What are we doing this for?

Carole Theriault

What, you think you should end it all?

Michelle Madsen

Are you—

Carole Theriault

Is this suicide watch?

Graham Cluley

What's going on? What are we wasting our time for?

Michelle Madsen

It's not that bad, Graham.

Graham Cluley

Hey, don't worry, I haven't got the COVID blues. I am not saying this. It's cybercriminal gangs. They're getting depressed. For years, they've invested their effort, their time, their money, investing in infrastructure, hiring malware developers and programmers and hosting sites in their attempts to make a fortune. And what have they seen? What they've seen is that it's easy, it's a doddle for anyone to steal $1 million simply by sending an email through and asking their victim to wire through a chunk of cash.

Carole Theriault

Oh yeah, 'cause I have a million just waiting around for anyone who asks for it.

Graham Cluley

Well, Carole, you could have if you had a criminal bent. Then maybe you would've been a business email compromise scammer.

Carole Theriault

Criminal bent? I don't know that expression.

Graham Cluley

You don't?

Carole Theriault

A penchant for crime?

Michelle Madsen

Yes, yes.

Carole Theriault

Oh, right.

Graham Cluley

If you had a leaning in that direction, that's right. Then maybe you would have done that. Because there are lots of people who do. And it's remarkably successful. One of the biggest growing forms of cybercrime. You're a Daily Mail journalist.

Carole Theriault

No, no, no, no, come on. People do. What the majority?

Michelle Madsen

Are you encouraging people to do this?

Graham Cluley

No, of course I'm not.

Michelle Madsen

Is this another way of getting sponsorship?

Graham Cluley

And this week, the show is brought to you by the Crouching Lion Gang. No, nothing that. No, I mean, if you read the FBI reports, billions of dollars are being lost every year by companies who basically have people scamming them, who get emails claiming to be from the CEO or claiming to be from some sort of supplier, asking them to send money into a bank account for work that's been done. And it works really well. So why write ransomware? Why hack into organisations and do really sophisticated stuff if simply sending an email works? That's what cybercriminal gangs have been questioning themselves. They've been looking at their navel as a result. Because seriously, any bozo can do this.

Carole Theriault

I think most of them wear shirts, you know?

Graham Cluley

What?

Carole Theriault

Well, you can't see your navel if you're wearing clothes. Would you imagine all these hackers are just butt naked everywhere?

Michelle Madsen

I think that's the joy of being a hacker, isn't it? You can just hang around at home and not—

Graham Cluley

Exactly.

Carole Theriault

Aren't we all enjoying that now, Michelle?

Michelle Madsen

Well, if you could but see.

Graham Cluley

Now, as proof that any bozo can do this, there is a chap. His real name is Ramon Abbas, but he calls himself Ray Hushpuppi.

Carole Theriault

See, good name.

Graham Cluley

Yeah. Hushpuppi with an I, because he's that cool.

Michelle Madsen

Right?

Carole Theriault

Oh, is this another, I'm so jealous of how many people he has versus—

Graham Cluley

No, I'm not jealous. No, I'm not jealous of his internet following.

Carole Theriault

Okay.

Graham Cluley

What I'm jealous of slightly is his lifestyle. Because if you go up and look on Ray Hushpuppi's Instagram account, which is still available and live up there, you will see picture after picture of him in front of very expensive cars in his Mr. Hushpuppi dressing gown. You will see him in front of private jets.

Carole Theriault

Look at him in this tiny bed. Why is he in a cot the size of a 2-year-old child's?

Graham Cluley

That's on a PJ, Carole. That's on his PJ, reading his copy of Forbes.

Carole Theriault

What's a PJ?

Graham Cluley

A private jet.

Michelle Madsen

Although I must say, the private jet looks remarkably like a small narrowboat, just to note.

Carole Theriault

It does.

Graham Cluley

That's what you should do. You should rebrand your boat and tell people you're in a PJ flying around to avoid COVID-19.

Carole Theriault

Okay, and I love how he got permission to park right in front of the Eiffel Tower. I'm calling BS on Hushpuppi.

Graham Cluley

Seriously, go and check out— Have you seen this cake which Fendi made for him?

Michelle Madsen

Have you seen the cake?

Graham Cluley

That's incredible. They've actually made a little doll of him, which they've stuck on the top and surrounded by Fendi bags. He likes his designer brands. He likes his flash cars, his designer clothes. But he left a digital trail online, which led investigators to his door. Because police believe that he has been responsible for scams which have laundered, well, hundreds of millions of dollars.

Carole Theriault

Are you kidding me?

Graham Cluley

From businesses. This is—

Carole Theriault

So, you're saying he got rich because he's basically a hacker.

Graham Cluley

So, what he's been doing, allegedly, allegedly, can we insert a whole bunch of those? He is accused of running an operation which targeted businesses around the world, tricking them into wiring money into his accounts. One of the targets was an unnamed English Premier League soccer club, for instance. In another case, they tried to get £200 million from a company running out of Edinburgh.

Michelle Madsen

Okay, how? How?

Carole Theriault

How does someone go, "Oh, okay, yeah, no problem. Here's the £200 million. Sorry."

Graham Cluley

I'll explain this in just a minute, because this is, as I was saying, this is the reason why scammers are doing this now. And bad guys are doing this rather than writing malware so much. Anyway, he's been caught by Dubai police. They've seized 21 laptops, 13 cars, 47 phones.

Carole Theriault

I his name.

Michelle Madsen

Does he live in Dubai?

Graham Cluley

He was in Dubai, yes.

Michelle Madsen

He was in Dubai.

Graham Cluley

But now he's in America.

Carole Theriault

Who would live in Dubai?

Michelle Madsen

I mean, I did for a year, but I absolutely hated it.

Carole Theriault

Yes, I think I would hate it. It's just not— I like trees, water.

Graham Cluley

It's a bit rubbish for a canal boat. Dubai. Actually, it probably isn't. They probably have the most incredible canals in Dubai.

Michelle Madsen

They have canal boat lands. Special canal boat land made especially out of solid gold canals, which you can't make yourself.

Graham Cluley

Ray Hushpuppi, get this, has 2.3 million Instagram followers.

Carole Theriault

And from space, it looks like one big, huge canal boat. Yes, exactly.

Graham Cluley

Anyway, Mr. Hushpuppi has been extradited to the States. If convicted, he faces up to 20 years behind bars. But he left lots of clues lying around on the internet. And obviously, there's lots of photographs you can still check out as to his extravagant, rather ostentatious wealth. But the point I really wanted to make was about criminal gangs who are now moving into this area as well. There is a cybercrime gang, according to the researchers at Agari, who I always think should be pronounced "ay-garry," but they have been monitoring a gang called—

Carole Theriault

Second time you've made that joke on the show.

Graham Cluley

I know, it's still a funny joke, Carole. They have been monitoring a group called Cosmic Lynx. Now, they've previously been involved with banking Trojan horses like Emotet and TrickBot, and Android click fraud malware. Since the middle of 2019, however, they've moved their attacks into targeting companies in 46 different countries, 6 continents, targeting senior execs at Fortune 500 companies, 3/4 of whom had titles like general manager, managing director, vice president.

Carole Theriault

Okay, so in English, basically, they're targeting the head honchos of companies.

Graham Cluley

That's right.

Carole Theriault

Okay. In lots of countries across the world.

Graham Cluley

Lots of countries around the world.

Carole Theriault

Okay.

Graham Cluley

So this is an organized cybercrime gang. This isn't kids in their back bedroom. These guys are serious and they were making a lot of money beforehand. And now they've decided, hey, we can make money for less effort and maybe greater success using this method instead. And the way they do it is this. They will email, say, the vice president — I don't mean Mike Pence when I say vice president, I mean any sort of vice president. They will pretend maybe to be the company's CEO. And they ask the sort of second in command or someone in the chain and they say, look, we are close to acquiring an Asian company as part of our expansion and we want you to work with an external legal counsel to coordinate the payments. But it's obviously on the hush-hush, got to be quiet. It's very sensitive, tell no one, commercially, don't tell anybody. And we've seen these sort of attacks before, but because this is the Cosmic Lynx gang, they do this with a really high level of professionalism. So you don't just get contacted by one scammer pretending to be the CEO. You also get contacted by people who pretend to be legitimate attorneys at a UK law firm, for instance, whose name will show up. And if you were to look them up on LinkedIn, there they would be. But in fact, it's the bad guys again, and they're really good at it. No spelling mistakes, genuine-looking boilerplate, they know all the lingo. And they even, when they start the emails, they'll say, you know, I hope everyone's doing well. You know, what a terrible time this is, they mention COVID-19 or how lockdown is looking for the company. And as they begin to ease up, it's a message you would expect to get from a CEO or from a legal firm. And it's really working.

Graham Cluley

Well, you want to be careful with this because I actually set this up for GrahamCluley.com, right? Because I thought, oh, well, that's a sensible thing to do. I don't want people pretending to be me, as if, you know, as if they would. But what I found was that the account software which I use, sends invoices to people pretending to be my email address.

Michelle Madsen

It's a special secrecy acronym.

Graham Cluley

And so some of my clients weren't receiving my invoices because they were being sent by my partner, not me. And it didn't work with DMARC. So it doesn't work.

Carole Theriault

And they just thought she was really ridiculous and thought she would hide her name by just swapping two letters.

Carole Theriault

Can I just say, actually, to the listeners, Michelle Madsen has actually created a BBC show all about this investigation, and you can hear the entire show. We'll put a link to it in the show notes, and it's totally worth listening to. It's unbelievable. Anyway, sorry, I just want to make sure that people can have the whole show, because we're getting a kind of good synopsis here.

Michelle Madsen

Which is I went on a bike ride and got lost. Yeah. Yeah.

Carole Theriault

I—

Carole Theriault

That's what I think. Low tech sometimes is best.

Graham Cluley

And it does seem to have taken business email compromise to a new level of professionalism. One of the things I would recommend to organizations if they're worried about this, and they probably should be worried about business email compromise, is setting up DMARC so that your mail server— I know this is a bit nerdy, this. We'll link to some stuff on the web so you can read more if you haven't already done it. What you can do is you can protect your domain so that if criminals try and pose as you by using your domain, by forging an email, email systems can reject that email and say, well, that authentication doesn't appear to match. It's not entirely foolproof. They can still send you emails, but they won't be quite as convincing. And so they're more likely to be suspected.

Carole Theriault

Graham, you should write an article on your blog explaining exactly how to do this in simple terms so that people can then do it, because it's not straightforward.

Graham Cluley

It's not straightforward. Do you remember Cinema Paradiso where it's getting on?

Carole Theriault

Yeah. In my experience.

Graham Cluley

You want someone in your IT team to set this up and also— I was about 12.

Carole Theriault

Graham's available, guys.

Graham Cluley

And your mum's gorgeous, Carole. And, you know—

Carole Theriault

Tweet him @GCluley. So another sales pitch for the DMARC way.

Graham Cluley

Well, sadly, no, not for me until my invoicing service.

Michelle Madsen

Can I just ask, what is DMARC? What is DMARC?

Graham Cluley

Oh, it's an acronym. Okay.

Michelle Madsen

I was thinking what is this thing? Is it—

Carole Theriault

You've got to be in the inner club.

Graham Cluley

It is. No, I've just clicked on it in order to— everyone calls it DMARC. It is Domain-Based Message Authentication Reporting and Conformance.

Carole Theriault

Oh, great that we have an acronym.

Graham Cluley

And you can follow us on Twitter @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And follow us on Reddit as well. Join our subreddit for Smashing Security news and— Don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.

Graham Cluley

So— Michelle, you've got an interesting story for us, haven't you?

Michelle Madsen

Yes, I do, which is also a bit about people being sent fake stuff and then acting upon it.

Michelle Madsen

So in January of 2019, my name was used— a name very similar to mine was used to basically smear a guy called Ousmane Sonko, who was one of the main runners for the presidential race in Senegal.

Carole Theriault

Okay, so big stakes here. Yeah, big stakes, big stakes. And there was a sort of opinion piece that went out on a website called Modern Ghana.

Graham Cluley

So you've been like a professional thorn in the side of firms which maybe have been doing a few dodgy things in West Africa. Would that be fair to say?

Michelle Madsen

Because you've been doing it quite quietly until now. Until now. Because as a freelance investigative journalist writing about people who've got lots of money and power, there are certain advantages to not putting your name all over the place.

Carole Theriault

Absolutely.

Graham Cluley

You don't want your boat scuttled.

Michelle Madsen

Exactly. There's a reason why I live on a moving boat without a fixed address.

Carole Theriault

Do you have a super huge power motor at the back?

Michelle Madsen

No, I just get out and push it. It's the slowest getaway vehicle you'll ever encounter.

Carole Theriault

Because I'm bony. Get away. Yeah, so for a long time I've sort of been writing for, I do investigations in connection with the Center for Investigative Journalism and built little investigative groups around that. And I worked alongside groups from Global Witness, and I've written bits for Private Eye and Africa Confidential and other publications. And your name is Michelle Madsen. Exactly. So they just moved around some of the letters, or maybe they didn't. Maybe Michelle Damson exists. Who knows? So when these stories are going out, is it all verified news, or is it all pending on this Michelle Madsen? No, there's no paper trail.

Michelle Madsen

So it's all pending on this Michelle Madsen opinion piece. And then when the story goes around out in Senegal, a couple of publications including Dakar Actu and some of the blog sites put out some evidence which were some letters from Tullow Oil which said, "Ah, Ousmane Sonko has given us some help and we're going to pay him some money." But these letters were definitely not made by, was it Cosmic Links? Because they had put the Tullow logo right in the middle of the page and—

Carole Theriault

It looked totally dodgy.

Michelle Madsen

It looked really dodgy. This was a stamp in a strange place and you can see that the language had been copy-pasted. And after about 24 hours, this really fantastic fact-checker at Agence France-Presse called Anne-Sophie Febvre-Cadras, she's, "Wait a minute, I've seen that text before." And she found out they had been taken from a statement that Oxfam had put out on one of its websites about some project it had done. So she basically disproved these documents. But by that point, loads of photos of me have been taken off my Facebook account and put on the papers in Senegal.

Carole Theriault

Why did they think you— literally just because there were two letters and they thought that must be—

Graham Cluley

If it was Graham Cluley, yeah, right, that someone had put something out somewhere, would Graham... But this Michelle, right, rather than Michelle Damson, this Michelle we've got on right now, Michelle Madsen, has a history of writing articles about West Africa and about organisations, you know, doing stuff and messing around with politics. Well, maybe that's just an accident. Maybe it was just a typo.

Carole Theriault

Oh, maybe it was a typo. Okay, okay.

Graham Cluley

I'm with you on this one. Or maybe people simply didn't even notice that the names are different.

Michelle Madsen

Yeah, because the show sort of takes you on this adventure where I try and find out who is Michelle Damson. Why did somebody make this fake news story? Because it was a fake news story. And like, who stood to gain from it? Because we took a look at fake news through this kind of little prism of this news story. But we are in such a strange moment in the world, or maybe it's a perfectly normal moment in the world and everything else was strange. But the way that the media works, what's truth, what's lies, who's manipulating who... It's happening everywhere all the time. And this isn't just a story about Senegal. It's a story being planted in one publication in one country and then being picked up in another country with the name of someone who sounds a bit like a journalist in a completely different country being linked out over to the States. So it's kind of the global nature of how this information and misinformation spreads. And also what happens once you throw muck out there. And it sticks even if it's disproven, because words have that ability to kind of click into your brain. And if you sort of see, oh, you know, a politician's name and massive bribe in the same story, even if it's been disproven, politician did not take massive bribe, the words politician and massive bribe are still in the same stories. And my name and Damson's name are still in the same story. So it's really about how do we get affected by news? Stays with us, what do we believe, and how easy is it to spread rumours about people. Very.

Carole Theriault

So you're saying you're an investigative journalist, you keep your name on the down low, yet you've put out this podcast exposing all this, you know, your name being used and the non-name. And so what's happened since? Has that changed stuff for you?

Michelle Madsen

The decision to go ahead with this documentary was one which was sort of based on the fact that I had had a very ridiculous time. I got this rush of messages on Facebook, on Twitter, my phone kept ringing, I was hounded for about a week and a half. And because I'd actually got some funding, and there's 3 of us journalists, Shanna Jones, who's also an associate with the Center for Investigative Journalism, and Kaba Mohammed, who is a fantastic Sierra Leonean journalist, we had got together to investigate a really important story about how BP got hold of a massive gas field just on the coast of Senegal from a guy called Frank Timmis. And this had been a story I've been working on for years. We've got funding to go and investigate it, but 3 independent journalists going to Dakar investigating something really sensitive. And because of this story, it really compromised my ability to do a good job with this, because every time I went into a meeting, everyone was like, oh, you're Michelle Damson. I was like, no, I'm not, I'm Michelle Madsen. But I realized that the ridiculousness of my identity had kind of been heightened by this. And then also Panorama, we got scooped on the story by the BBC. So Panorama, that's a bastard. Well, they got a 17-gigabyte leaked cache of documents which completely blew our stuff out of the water, and then they put out the documentary 2 days after we got back from Senegal. So we're, okay, shucks, that's been screwed up. But it was really— that's a really important documentary for Senegal because it really has highlighted the links between government and big business and what's going on.

Carole Theriault

Corruption. Exactly, exactly. And so this slightly ridiculous story about identity and fake news and cyber craziness is kind of a way of connecting with all of the different threads of the story.

Graham Cluley

It's a fascinating documentary, and we'll put a link in the show notes so people can listen to more.

Carole Theriault

Michelle, I've got a plan for you. I think you're now an influencer in this area, right? So she's been on Smashing Security. We have more influence than the Ghana Daily as to what goes on in Senegal. She can't even walk in East Africa, West Africa without people going, oh, you're Michelle Madsen. So you're now— So I say move there, get yourself your iPhone, and then just start going investigating and do it on the fly. That is what I want. And I can move to Dubai and hang out in my private jet narrowboat. That's my dream.

Michelle Madsen

How did you know, girl?

Graham Cluley

Carole, what's your story for us this week?

Carole Theriault

Okay, well, we were supposed to record this episode yesterday, and I collected all my notes for the story, and then I promptly, two minutes before we were due to record, lost them all. Oh no. Michelle went on a bike ride. Something else happened at the same time that made us have to change the time, but I'm going to tell you what happened.

Michelle Madsen

Yes.

Carole Theriault

But I will tell you what happened after the story because it is rather ironic. So before I start as well, you have to know that I'm disorganized. My inbox has 10,000 mails in all of my inboxes.

Graham Cluley

No, no, no. Come, come. Not you, Carole.

Carole Theriault

Oh yeah, yeah. I have folders. My desktop is all bits of different information. And when it's full, I just select it all, dump it into a folder called Desktop. I think I'm at Desktop 14. And then I just leave it in a folder on the desktop and then I fill it up again. For real. Is that normal? Do you guys do that or is that crazy?

Michelle Madsen

I have 25,000 unread emails in my inbox.

Carole Theriault

Okay, exactly. Okay, Michelle, we're cut from the same cloth. Look, I have just diagnosed myself. Maybe you will agree with this diagnosis. Digital disposophobia, the fear of organizing and disposing of things.

Michelle Madsen

I think that's great.

Graham Cluley

Oh, you're one of these, these programs where they go into the houses of people who have some sort of mental problem where they're hoarding?

Carole Theriault

But I'm a digital disposophobic. Oh my goodness. Yeah, it's an illness, it's an ailment, and maybe you need to show a bit more sympathy.

Michelle Madsen

Please, shall we set up a support group? Yes!

Carole Theriault

Let's do it. Yes, you can join us on Twitter. Okay, so you won't be surprised then that I use copy and paste and your clipboards on the phone to dump and collect stuff and transfer it over between apps and devices all the time. Yeah, when you're doing stories or whatever, oh, grab that URL, or just, oh, that password's too long, let me just grab that password and slap it over to another thing. I'm sure you do too, Michelle.

Graham Cluley

Copy and paste is possibly the greatest invention of all technology, I think.

Carole Theriault

Well, we all know it.

Graham Cluley

Imagine computers without a clipboard. It would just be horrendous.

Carole Theriault

I mean, I've been using it since WordPerfect time?

Graham Cluley

Okay.

Carole Theriault

I'm gonna ask you a question. I just need to know if I'm batshit crazy. Would only an insane person assume that the only person that knows what's been copied onto your clipboard is you and your devices?

Michelle Madsen

I'd hope so. You're gonna tell us we're wrong, aren't you?

Graham Cluley

I think most people would make that assumption, yes.

Carole Theriault

Most? Can you just give it a percentage? 99%?

Graham Cluley

Oh, definitely. Definitely. Yes. Because how could anyone else know?

Carole Theriault

Okay, so Michelle and I are people that would believe that. And no, we're wrong, Michelle. We're way wrong.

Graham Cluley

Oh no.

Carole Theriault

According to two researchers, Talal Haj Bakry and Tommy Mysk of the Mysk blog, a great source of information, way back in March of this year, they found that popular apps snoop on the clipboard pasteboard thing on iPhone and iPad apps. So they create a video, right? Saying, showing. Now this is how it works. So you have a clipboard and you've copied something over, right? Let's say you copied over a URL or your password or your credit card number and you've pasted it somewhere. But once you've pasted it, it doesn't go away. See, that's the big weird thing about copy and paste. You can only copy one thing. It only saves the last thing you copied. But after you've pasted it, it doesn't go poof. You could paste it again, right? You can press Ctrl+V, Ctrl+V, Ctrl+V to your heart's content.

Graham Cluley

Yeah, you've basically got to sort of paste something over it, haven't you? There's always something there.

Carole Theriault

There is always something there. So imagine you've just taken your credit card number and you've transferred it over to a website because you want to buy something, and then you've forgotten all about it. And when you then open up your TikTok app, for example, the first thing it does is go and check what's on the clipboard. And then anytime you interact with that TikTok app, say for example, type a letter, check the clipboard, type another letter, check the clipboard, type another letter, check the clipboard. Constantly.

Graham Cluley

Why is TikTok, I must admit, I know this will be a surprise to listeners, but I don't use TikTok, but why does TikTok do that?

Carole Theriault

No one fucking knows. Their excuse when confronted with this was, oh, it's something to do with anti-spam. You probably wouldn't understand. We'll stop that.

Graham Cluley

Right, okay, that's comforting.

Carole Theriault

But I was WTF-ED-F?

Graham Cluley

Hang on, let me just work that out. WTF-ED-F, right? Now look, in the document, okay, it's not just TikTok that's the problem. This is a running tally.

Michelle Madsen

Wow. This is, this is a lot of apps. New York Times. I'm a frickin subscriber.

Graham Cluley

Fruit Ninja.

Carole Theriault

Why do they need to know what's my freaking clipboard?

Graham Cluley

There's quite a long list here, so we'll link to this. This I think is on the Mysk blog, isn't it? That's right. Now what's quite cool about this list is they have obviously been, you know, shaming, calling out and shaming these people, and some of them have actually made changes. I heard LinkedIn as well.

Carole Theriault

Yes. Well, thank you. I'm getting there.

Graham Cluley

Okay.

Carole Theriault

The latest that have come up, which was yesterday, was Reddit and LinkedIn, right? Both were doing it as well. So watch this space. It's worth bookmarking this mysk.blog so that you can see what apps are doing it. And you've got to ask yourself, do you want these apps on your phone? Because here's the problem, right? This is the big— this is my big, you know, I don't think I can bring my voice any higher. And I'm just gonna put another— I'm on the soapbox I have. Okay, so the reason this is news, this came out in March, but why is it news now? Well, iOS 14 is about to come out and they're beta testing it. This is where a group of people test the new operating system to find bugs, vulnerabilities, and usability errors. And this is a very important thing to do. And there's, you know, we're all excited about this new iOS 14, 'cause there's loads of new features, including some privacy features. One of these privacy features is it's going to tell you when something grabs something from your clipboard. So if you were, for example, using Reddit and you're clipping along and you type something in, it's gonna show you at the top going "Reddit accessed clipboard", "Reddit accessed clipboard". This little message will pop down and tell you. So the people that have been testing this have been going, holy moly, and the whole story now has exploded again, which is great. Now here's the problem. I went and looked at the iOS 14 page. 'Cause this is my big worry. I was reading this and I was thinking, uh-oh, uh-oh. Because this is what it said. This is from MacRumors. I'm just going to quote them, right? So the clipboard privacy function: when an app or widget accesses text that has been copied to the clipboard, iOS 14 provides a notification so you can know what apps are accessing the text stored on the clipboard. Do you see the problem here?

Graham Cluley

Uh, well, it doesn't actually stop it, right? Yeah.

Carole Theriault

So we are going to build— You think you're anxious right now?

Michelle Madsen

It's really stressful. This is horrible. Who knew that Fruit Ninja was going to be stealing my information?

Graham Cluley

Yes! It's not just Fruit Ninja. I've just been looking up and down the list. There's Plants vs. Zombies, and this one caught my attention: Pigment, which is an adult colouring book.

Michelle Madsen

Wow.

Graham Cluley

I don't know if they mean a colouring book for adults or whether—

Carole Theriault

Now I heard this one guy online, this one guy online was saying, look, you know, there is a legitimate reason why some people might do this. For example, you might want to copy over a URL and Google might want to go, hey, I can get you to my app faster than anybody else because I'm your default browsing app. So I'm just going to check your clipboard as you open my app and I'll just open the latest thing that's clipped there. Because I can do that.

Graham Cluley

Oh, because they could then sort of prepare a preview of the link. Make the experience faster. Well, it also makes the, yeah, they preempt you. Okay, so you've given an explanation from some developers as to what might be going on, but fuck off. There must be some reason. You wouldn't code this because I'm sure the adult colouring book doesn't want to cut and paste or see what's in your clipboard, right? Plants vs. Zombies. Why would they want this? There must be some gaming reason. So I wonder if they're worried about too many presses or— I don't know, Carole, but it just seems— it does seem weird.

Carole Theriault

Yes. It just sucks. There's a lot of things that suck here. It sucks that iOS 14 or 15 is gonna notify us, but we can't do anything about it, making us all more insane than we are already.

Michelle Madsen

Can we actually not do anything about it? So if you get this new iPhone, then there's nothing you can do?

Carole Theriault

Yeah, there's a shitty, shitty thing you can do. There's two shitty things you can do. Yeah. One, don't use copy and paste on your phone.

Graham Cluley

Right, okay. Tricky.

Carole Theriault

And two, if you do use copy and paste, this is the crawl technique, okay? Someone might have a much better one than this.

Graham Cluley

Right, probably.

Carole Theriault

Make sure you close down all the apps that are sitting there hovering in the background, open but not open, but open. Then go to the one place you want to copy it, copy it, paste it to the one place you want to paste it, and then copy the word fuck you or something like that. So that, you know, stop reading my fricking clipboard. Maybe you could put in and then anyone who reads the clipboard will see that. And maybe if everyone went, stop reading my clipboard, they might get the message. And people like the New York Times and The Economist will get their act together.

Michelle Madsen

It's just so irritating though that you have to go through all of this, do all this work yourself just to keep people out, you know, essentially go, get out of my house, stop it, stop snooping around. It's every time you turn your back, there's a whole pile of gremlins that come in and start going through your underwear. It's so annoying.

Carole Theriault

Yep, it's completely gross. Oh, and the end of my story is what made this so funny. So I was just talking all— I wrote a whole story about copy and paste, and then about— I finished my story yesterday. I then copied and then pasted twice, but accidentally copied it between 4 words. And because I was using Notes, I'd lost what was in my copy and I had lost everything that I wrote 2 minutes before.

Graham Cluley

Don't worry, contact the Plants vs Zombies guys. They'll have a copy of it.

Michelle Madsen

Yeah, yeah, just say, hey dude.

Graham Cluley

Silo for Research (Toolbox) from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep, and dark web. To learn how Silo for Research enables teams to timely and efficiently investigate while ensuring maximum security and oversight to ensure compliance, including GDPR, go to smashingsecurity.com/authentic8. That's smashingsecurity.com/authentic8, and that is spelt authentic with a number 8 on the end.

Carole Theriault

Use a password manager. Just do it. These aren't my words. These are the words of Brian X. Chen, the lead consumer technology writer at The New York Times. It's time that everybody uses a password manager, both at home and at work. Now get this. LastPass from LogMeIn offers businesses a secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts. And guess what, you home users out there? You can get LastPass free. For more info, go to smashingsecurity.com/lastpass. That's smashingsecurity.com/lastpass.

Graham Cluley

And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my Pick of the Week is not security-related this week. It is about a chap who died this week. Oh, so sad. Ennio Morricone has died at the grand old age of 91. Of course, he wrote the soundtrack to many great movies. Sometimes the soundtrack was better than the movie. Sometimes they made the movies soar and be magnificent. You know, I remember, oh, I just like The Good, the Bad and the Ugly, right?

Carole Theriault

Yes, that's a great movie. Great soundtrack.

Graham Cluley

Shows all the naughty clips at the end, the kissing scene montage. Fantastic movie. The Mission. Good old Jeremy Irons up to his knees in the water tooting on his oboe. How old were you when you watched this? You lived, you lived, but— But I particularly to this day remember the theme tune. Which was written by Ennio Morricone. And do you know that that theme tune, which is called 'Chi Mai'—I'm probably saying that wrong—which I believe is Italian for 'whoever'—that reached number 2 in the UK pop charts. Yeah, he's a dude. RIP Ennio.

Graham Cluley

Really? Ennio Morricone. Yeah. So there you go. I will put some links in the show notes so you can check out that theme tune and maybe even watch an episode of The Life and Times of David Lloyd George as well.

Carole Theriault

I looked at that video for 10 seconds and I was like, yeah, nope, not for me.

Graham Cluley

But there you go. Well, thank you for pissing all over my pick of the week. Now—

Carole Theriault

Well, it'll be interesting to see if you piss all over mine, actually.

Graham Cluley

Well, maybe I will. Michelle, what's your pick of the week?

Michelle Madsen

Oh, I love all the competition. My pick of the week is, it's a poem. I'm putting my other hat on.

Graham Cluley

Oh, marvelous. Thank you for raising the cultural tone, because now of course we're going to plumb it back down and find out what is Carole's pick of the week.

Carole Theriault

Okay, well, it's not a pick of the week, Graham, it's a nitpick of the week, and I'm looking forward to seeing if you're gonna piss all over it. It's my mom.

Graham Cluley

She's lovely, your mom.

Carole Theriault

Yeah, yeah, she's pretty and she's awesome. And she's mid-'70s, she's a whirlwind of a lady, a dog whisperer, long-distance walker, DIY queen. The family glue. Hot tub lover.

Michelle Madsen

Wow, I can hear that.

Graham Cluley

I think there's always been a certain magic between us. Ever since we shared that hot tub or that cold night in December.

Carole Theriault

All I'm saying is you love my mom more than you love me. And that's fine. Yeah, okay, what is my mom's name? Not your pet name for her. What's her real name?

Graham Cluley

Karen. Yes, yes.

Carole Theriault

Karen is her name. And this year, right, the crapness that is 2020 so far, the Karen meme is everywhere. So much so that my worst fear happened. It managed to get into her own echo chamber. Oh no. And for those who aren't sure about the Karen meme, can you believe there's actually a Wikipedia definition? And I want you, Graham, to tell me, yeah, this describes your mom, this is perfect or not. Okay, okay, Karen is a pejorative term used in the US and other English-speaking countries for a woman perceived to be entitled or demanding beyond the scope of what is considered appropriate or necessary.

Graham Cluley

She's not always appropriate, your mother, I have to say, but I quite like that about her. A common stereotype is that of a racist white woman who uses her privilege to demand her own way at the expense of others. Depictions may include demanding to speak to the manager, being an anti-vaxxer, having a particular bob cut hairstyle. That's not very nice, really. I think it's not very nice for people who happen to be called Karen.

Michelle Madsen

It's not very nice for your mum.

Carole Theriault

Yes! I thought we could try it out. So imagine we could just kind of go, "Oh, stop being such a Graham." "God, you see that Graham over there? Oh, look at the Graham."

Graham Cluley

Yeah, your mum, yeah.

Carole Theriault

She calls me and she goes, "Carole, have you heard about this term called Karen, and it refers to people being absolute assholes?" Broke my heart. You know, anyway, so what is she supposed to do, change her name to Steve? No, don't do that.

Graham Cluley

That would be confusing.

Carole Theriault

So I'm starting a campaign, another campaign. This is the second campaign I've started in one show, and I'm asking you, dear listeners, maybe we shouldn't use a really common people's names as a way of describing something so awful? For my beautiful mom's sake. And what about all the other Karens out there? The good Karens, the lovely Karens.

Graham Cluley

Well, Karen is quite a common name, but in some ways it would be even worse if it was a less common name, right? If it was something like Kendra, which I imagine is not as common.

Carole Theriault

Why do we have to use a name? Why can't we just say—

Graham Cluley

Well, I agree, I agree, but I just think those people would feel even worse in a way.

Carole Theriault

Can't we just say dickheads. We can reclaim Karen.

Michelle Madsen

Yeah, I think we should try and reclaim Karen.

Carole Theriault

It's going to be hard though.

Michelle Madsen

We can reclaim Karen. What's the male equivalent? Graham. Graham. Graham is very similar to Karen. Just kidding.

Graham Cluley

It's gammon. It's gammon, isn't it? I quite like the term gammon. I think that's got some humour about it.

Carole Theriault

Anyway, it's just, it's a bit close to home and— There you go. There's my nitpick of the week. She is, and I love her a lot. So—

Graham Cluley

Oh, I've sent her my—

Carole Theriault

Mum, if you're listening, I'm on your side.

Graham Cluley

Graham, are you in? Does she listen to this?

Carole Theriault

Yeah, she does. She's gonna have heard everything you said.

Graham Cluley

Crikey.

Carole Theriault

Stop being gross. And on that bombshell.

Graham Cluley

Well, that just about wraps it up.

Michelle Madsen

Hi, Karen. I'm here for you, Karen, as well. Yay, Karen.

Graham Cluley

Well, that just about wraps it up for this week. Michelle, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

Michelle Madsen

Well, they can follow me @mishmadsen, which is my catch-all Twitter handle, or @madsenjourno, which is when I am pretending to not also be various other things.

Graham Cluley

They're more professional, Michelle.

Carole Theriault

So listen, people, it's great. Please do. A huge thank you from all of us to you for listening, for supporting, for sharing. We love all of you so much. And also, hat tip this week to our Smashing Security sponsors, Authentik8 and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.

Graham Cluley

Until next time, cheerio, bye-bye. Later. Bye. Bye-bye.

Michelle Madsen

Yay. Yay.

Carole Theriault

I was a little bit on my soapbox there, eh? I yelled a lot.

Graham Cluley

No, but I think you were right to be. I think it's great.

Michelle Madsen

It's really sad that, yeah, it's a name, isn't it?

Carole Theriault

Yes. Why the fuck are we all only finding out about it now?

Graham Cluley

Oh, hang on. Are you talking about the clipboard? Are you talking about Karen? Oh, because I'd be worried if you'd only found out about your mum's name.

Michelle Madsen

What's she called?

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Michelle Madsen – @mishmadsen

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Authentic8

Silo for Research (Toolbox) from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep and dark web.

To learn how Silo for Research enables teams to timely and efficiently investigate, while ensuring maximum security and oversight to ensure compliance – including GDPR – go to smashingsecurity.com/authentic8 now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
