
A high-rolling Hushpuppi gets extradited to the United States, Carole details her problems with clipboards and Disposophobia, and our guest becomes the subject of fake news during the Senegalese election.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by investigative journalist Michelle Madsen (or is it Michelle Damsen? Hmm…).
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
This week, shout out goes to Jonathan Haddock, Lisa, Robert Odegaard, Nat Wang, David Browsinski, Sanketh Menda, Roy Tate, Dan L. Barker, and Eric Carpenter. You guys rock!
If you want to join this amazing community and get loads of extras, check it out at smashingsecurity.com/patreon. Let's get this show on the road. Look at him in this tiny bed.
Why is he in a cot the size of a 2-year-old child's?
Smashing Security, episode 186: This One's for All the Karens, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 186.
My name is Graham Cluley.
Yeah, I was just about to move to Berlin, and then the lockdown happened, and I didn't have a sink or an oven in Berlin, so I was, oh no, I'm gonna have to go back to the boat, which is inevitably gonna have a disaster if I don't look after it.
So I came back to the boat and then got stuck in London for a month and a half with some very rowdy ducks and some very nice other boat people.
And so I spent a lot of time complaining about the joggers and then before I started jogging, I was interviewed by National Public Radio in the States about how much I hated the joggers.
I must have been quite sort of angry about them. And then I escaped.
I ran away to Watford because that's where everyone escapes to, and it's very hilly and pretty here, if a little bit weird and rainy.
But now it's all fine and I'm on the radio and I'm on the podcast with you guys, so that's amazing.
Now on today's show, Graham introduces us to the crazy world of Ray Hushpuppi. I used to love my Hushpuppies.
Michelle shares her fake news whodunit, and I tell a sad privacy tale of copy and paste. All this and much more coming up on this episode of Smashing Security.
They've invested their effort, their time, their money, investing in infrastructure, hiring malware developers and programmers and hosting sites in their attempts to make a fortune.
And what have they seen?
What they've seen is that it's easy, it's a doddle for anyone to steal $1 million simply by sending an email through and asking their victim to wire through a chunk of cash.
One of the biggest growing forms of cybercrime. You're a Daily Mail journalist.
No, I mean, if you read the FBI reports, billions of dollars are being lost every year by companies who basically have people scamming them, who get emails claiming to be from the CEO or claiming to be from some sort of supplier, asking them to send money into a bank account for work that's been done.
And it works really well. So why write ransomware? Why hack into organisations and do really sophisticated stuff if simply sending an email works?
That's what cybercriminal gangs have been questioning themselves. They've been looking at their navel as a result. Because seriously, any bozo can do this.
Because if you go up and look on Ray Hushpuppi's Instagram account, which is still available and live up there, you will see picture after picture of him in front of very expensive cars in his Mr. Hushpuppi dressing gown. You will see him in front of private jets.
He likes his flash cars, his designer clothes. But he left a digital trail online, which led investigators to his door.
Because police believe that he has been responsible for scams which have laundered, well, hundreds of millions of dollars.
He is accused of running an operation which targeted businesses around the world, tricking them into wiring money into his accounts.
One of the targets was an unnamed English Premier League soccer club, for instance. In another case, they tried to get £200 million from a company running out of Edinburgh.
And bad guys are doing this rather than writing malware so much. Anyway, he's been caught by Dubai police. They've seized 21 laptops, 13 cars, 47 phones.
And obviously, there's lots of photographs you can still check out as to his extravagant rather ostentatious wealth.
But the point I really wanted to make was about criminal gangs who are now moving into this area as well.
There is a cybercrime gang, according to the researchers at Agari, who I always think should be pronounced "ay-garry," but they have been monitoring a gang called—
Now, they've previously been involved with banking Trojan horses like Emotet and TrickBot, and Android click fraud malware.
Since the middle of 2019, however, they've moved their attacks into targeting companies in 46 different countries on six continents, targeting senior execs at Fortune 500 companies, three-quarters of whom had titles like general manager, managing director, or vice president.
And now they've decided, hey, we can make money for less effort and maybe greater success using this method instead. And the way they do it is this.
They will email, say, the vice president — I don't mean Mike Pence when I say vice president, I mean any sort of vice president. They will pretend maybe to be the company's CEO.
And they ask the sort of second in command or someone in the chain and they say, look, we are close to acquiring an Asian company as part of our expansion and we want you to work with an external legal counsel to coordinate the payments.
But it's obviously on the hush-hush, got to be quiet. It's very sensitive, tell no one, commercially, don't tell anybody.
And we've seen these sort of attacks before, but because this is the Cosmic Lynx gang, they do this with a really high level of professionalism.
So you don't just get contacted by one scammer pretending to be the CEO.
You also get contacted by people who pretend to be legitimate attorneys at a UK law firm, for instance, whose name will show up.
And if you were to look them up on LinkedIn, there they would be. But in fact, it's the bad guys again, and they're really good at it.
No spelling mistakes, genuine-looking boilerplate, they know all the lingo. And they even, when they start the emails, they'll say, you know, I hope everyone's doing well.
You know, what a terrible time this is, they mention COVID-19 or how lockdown is looking for the company.
And as they begin to ease up, it's a message you would expect to get from a CEO or from a legal firm. And it's really working.
One of the things I would recommend to organizations if they're worried about this, and they probably should be worried about business email compromise, is setting up DMARC so that your mail server— I know this is a bit nerdy, this.
We'll link to some stuff on the web so you can read more if you haven't already done it.
What you can do is you can protect your domain so that if criminals try and pose as you by using your domain, by forging an email, email systems can reject that email and say, well, that authentication doesn't appear to match.
It's not entirely foolproof. They can still send you emails, but they won't be quite as convincing. And so they're more likely to be suspected.
I don't want people pretending to be me, as if, you know, as if they would.
But what I found was that the accounting software which I use sends invoices to people pretending to be my email address.
And so some of my clients weren't receiving my invoices because they were being sent by my partner, not me. And it didn't work with DMARC. So it doesn't work.
So in January of 2019, my name was used— a name very similar to mine was used to basically smear a guy called Ousmane Sonko, who was one of the main runners for the presidential race in Senegal.
I usually write about UK-based companies or individuals who are doing things untoward in West Africa because I started off working as a staff writer, a staff editor, writing about extractives, and I ended up writing a lot about Africa because it was in the same time zone.
And because of that, I just ended up going to all these bizarre conferences and encountering lots of very interesting people who were involved in the mining and oil and energy industry.
And I was really thinking, oh, so they all have offices in Mayfair and they all seem to have registered in the UK and they're on the alternative investment market, they're part of the London Stock Exchange, and yet I absolutely know that there's something very dodgy going on here.
So that was kind of— that became my practice as an investigative journalist. That's what was always interesting.
Because as a freelance investigative journalist writing about people who've got lots of money and power, there are certain advantages to not putting your name all over the place.
And I worked alongside groups from Global Witness, and I've written bits for Private Eye and Africa Confidential and other publications.
So, to people who knew that world, they might have known me a little bit, but somebody from Ghana probably wouldn't have come across me before.
So this story went out on Modern Ghana and the author was called Michelle Damson.
So what happened basically was it didn't affect anyone in Ghana at all, but within minutes of this story going out, it had been sent round with some documents to a whole bunch of different publications in Senegal.
And obviously it mattered a lot to people in Senegal because that was where the election was going to happen in a few weeks' time.
And so all of the papers in Senegal were saying, is this true? Has Ousmane Sonko taken this massive bribe from Tullow Oil, which is a British oil company?
And who is the author of the story? Who is Michelle Madsen?
And then when the story goes around out in Senegal, a couple of publications including Dakar Actu and some of the blog sites put out some evidence which were some letters from Tullow Oil which said, "Ah, Ousmane Sonko has given us some help and we're going to pay him some money." But these letters were definitely not made by, was it Cosmic Links?
Because they had put the Tullow logo right in the middle of the page and—
And after about 24 hours, this really fantastic fact-checker at Agence France-Presse called Anne-Sophie Febvre-Cadras, she's, "Wait a minute, I've seen that text before." And she found out they had been taken from a statement that Oxfam had put out on one of its websites about some project it had done.
So she basically disproved these documents. But by that point, loads of photos of me have been taken off my Facebook account and put on the papers in Senegal.
But this Michelle, right, rather than Michelle Damson, this Michelle we've got on right now, Michelle Madsen, has a history of writing articles about West Africa and about organisations, you know, doing stuff and messing around with politics.
We'll put a link to it in the show notes, and it's totally worth listening to. It's unbelievable.
Anyway, sorry, I just want to make sure that people can have the whole show, because we're getting a kind of good synopsis here.
Because it was a fake news story. And like, who stood to gain from it? Because we took a look at fake news through this kind of little prism of this news story.
But we are in such a strange moment in the world, or maybe it's a perfectly normal moment in the world and everything else was strange.
But the way that the media works, what's truth, what's lies, who's manipulating who... It's happening everywhere all the time. And this isn't just a story about Senegal.
It's a story being planted in one publication in one country and then being picked up in another country with the name of someone who sounds a bit like a journalist in a completely different country being linked out over to the States.
So it's kind of the global nature of how this information and misinformation spreads. And also what happens once you throw muck out there.
And it sticks even if it's disproven, because words have that ability to kind of click into your brain.
And if you sort of see, oh, you know, a politician's name and massive bribe in the same story, even if it's been disproven, politician did not take massive bribe, the words politician and massive bribe are still in the same stories.
And my name and Damson's name are still in the same story. So it's really about how do we get affected by news?
Stays with us, what do we believe, and how easy is it to spread rumours about people. Very.
And so what's happened since? Has that changed stuff for you?
I got this rush of messages on Facebook, on Twitter, my phone kept ringing, I was hounded for about a week and a half.
And because I'd actually got some funding, and there are three of us journalists, Shanna Jones, who's also an associate with the Center for Investigative Journalism, and Kaba Mohammed, who is a fantastic Sierra Leonean journalist, we had got together to investigate a really important story about how BP got hold of a massive gas field just on the coast of Senegal from a guy called Frank Timis.
And this had been a story I've been working on for years.
We've got funding to go and investigate it, but three independent journalists going to Dakar investigating something really sensitive.
And because of this story, it really compromised my ability to do a good job with this, because every time I went into a meeting, everyone was like, oh, you're Michelle Damson.
I was like, no, I'm not, I'm Michelle Madsen. But I realized that the ridiculousness of my identity had kind of been heightened by this.
And then also Panorama, we got scooped on the story by the BBC.
So Panorama, that's a bastard. Well, they got a 17-gigabyte leaked cache of documents which completely blew our stuff out of the water, and then they put out the documentary two days after we got back from Senegal.
So we're okay, shucks, that's been screwed up.
But it was really— that's a really important documentary for Senegal because it really has highlighted the links between government and big business and what's going on.
And so this slightly ridiculous story about identity and fake news and cyber craziness is kind of a way of connecting with all of the different threads of the story.
And I just decided that my head had been flung out above the parapet anyway, and I was okay, I better own this and work on this.
And hopefully it will allow me to kind of go back and do some more investigative work around what's actually going on with the BP stuff, because ultimately whoever wrote this story, whatever happened, it's a small fry bit of news.
I think it probably did have some sort of impact on the election, but it's one bit of fake news in amongst a maelstrom of other stuff, which you'll find out if you listen to the program.
And it's very funny, we interview Ousmane Sonko, who's the politician who was smeared, and there are lots of little pointers which may suggest— we have our thoughts about who it could have been, but they're— that's it.
Yeah, you have to listen to find out more.
So you're now... So I say move there, get yourself your iPhone, and then just start going investigating and do it on the fly.
Real time, real life, upload videos to Twitch about your investigations. You'll become the influencer, you'll become Mr. Hushpuppi.
Oh no. Something else happened at the same time that made us have to change the time, but I'm going to tell you what happened.
My inbox has 10,000 mails in all of my inboxes.
I think I'm at Desktop 14. And then I just leave it in a folder on the desktop and then I fill it up again. For real. Is that normal? Do you guys do that or is that crazy?
Digital disposophobia, the fear of organizing and disposing of things.
Okay, so you won't be surprised then that I use copy and paste and your clipboards on the phone to dump and collect stuff and transfer it over between apps and devices all the time.
I'm sure you do too, Michelle.
Would only an insane person assume that the only person that knows what's been copied onto your clipboard is you and your devices?
So they create a video, right? Saying, showing. Now this is how it works. So you have a clipboard and you've copied something over, right?
Let's say you copied over a URL or your password or your credit card number and you've pasted it somewhere. But once you've pasted it, it doesn't go away.
See, that's the big weird thing about copy and paste. You can only copy one thing. It only saves the last thing you copied. But after you've pasted it, it doesn't go poof.
You could paste it again, right? You can press Ctrl+V, Ctrl+V, Ctrl+V to your heart's content.
So imagine you've just taken your credit card number and you've transferred it over to a website because you want to buy something, and then you've forgotten all about it.
And when you then open up your TikTok app, for example, the first thing it does is go and check what's on the clipboard.
And then anytime you interact with that TikTok app, say for example, type a letter, check the clipboard, type another letter, check the clipboard, type another letter, check the clipboard.
Constantly.
Why do they need to know what's in my clipboard? Block Puzzle and Fruit Ninja?
Now what's quite cool about this list is they have obviously been, you know, shaming, calling out and shaming these people, and some of them have actually made changes.
Like TikTok is going to change that practice despite its very poor excuse. And other people: ABC News used to do it, don't do it anymore.
CBS News used to do it, they don't do anymore.
It's worth bookmarking this Mysk blog so that you can see what apps are doing it. And you've got to ask yourself, do you want these apps on your phone?
Because here's the problem, right? This is the big— this is my big, you know, I don't think I can bring my voice any higher.
And I'm just gonna put another I'm on the soapbox I have. Okay, so the reason this is news, this came out in March, but why is it news now?
Well, iOS 14 is about to come out and they're beta testing it. This is where a group of people test the new operating system to find bugs, vulnerabilities, and usability errors.
And this is a very important thing to do. And there's, you know, we're all excited about this new iOS 14, 'cause there's loads of new features, including some privacy features.
One of these privacy features is it's going to tell you when something grabs something from your clipboard.
So if you were, for example, using Reddit and you're clipping along and you type something in, it's gonna show you at the top going Reddit access clipboard, Reddit access clipboard.
This little message will pop down and tell you. So the people that have been testing this have been going, holy moly, whole story now has exploded again, which is great.
Now here's the problem. I went and looked at the iOS 14 page. 'Cause this is my big worry. I was reading this and I was thinking, uh-oh, uh-oh. Because this is what it said.
This is from MacRumors. I'm just going to quote them, right?
So the clipboard privacy function: when an app or widget accesses text that has been copied to the clipboard, iOS 14 provides a notification so you can know what apps are accessing the text stored on the clipboard.
Do you see the problem here?
For example, you might want to copy over a URL and Google might want to go, hey, I can get you to my app faster than anybody else because I'm your default browsing app.
So I'm just going to check your clipboard as you open my app and I'll just open the latest thing that's clipped there. Because I can do that.
But this explains a lot to me because, you know, of course a lot of companies now are saying, oh, we never really used that data. No one said sorry.
Everyone's just, oh, okay, well, we'll remove it.
Why would they want this? There must be some gaming reason. So I wonder if they're worried about too many presses or— I don't know, Carole, but it just seems— it does seem weird.
It sucks that iOS 14 or 15 is gonna notify us, but we can't do anything about it, making us all more insane than we are already.
Then go to the one place you want to copy it, copy it, paste it to the one place you want to paste it, and then copy the word fuck you or something like that.
So that, you know, stop reading my fricking clipboard. Maybe you could put in and then anyone who reads the clipboard will see that.
And maybe if everyone went, stop reading my clipboard, they might get the message. And people like the New York Times and The Economist will get their act together.
It's every time you turn your back, there's a whole pile of gremlins that come in and start going through your underwear. It's so annoying.
So I was just talking all— I wrote a whole story about copy and paste, and then about— I finished my story yesterday.
I then copied and then pasted twice, but accidentally copied it between 4 words.
And because I was using Notes, I'd lost what was in my copy and I had lost everything that I wrote 2 minutes before.
To learn how Silo for Research enables teams to timely and efficiently investigate while ensuring maximum security and oversight to ensure compliance, including GDPR, go to smashingsecurity.com/authentic8.
That's smashingsecurity.com/authenticate, and that is spelt authentic with a number 8 on the end.
It's time that everybody uses a password manager, both at home and at work. Now get this.
LastPass from LogMeIn offers businesses a secure vault with centralized secure access, single sign-on, and simplified remote management of all these accounts.
And guess what, you home users out there? You can get LastPass free. For more info, go to smashingsecurity.com/lastpass. That's smashingsecurity.com/lastpass.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Of course, he wrote the soundtrack to many great movies. Sometimes the soundtrack was better than the movie. Sometimes they made the movies soar and be magnificent.
You know, I remember, oh, I just like The Good and the Bad and the Ugly, right?
What a dream that was.
And the one which really stands out for me—was as a 12-year-old boy, I used to watch BBC TV and there was a programme for adults, which wasn't very exciting for me.
It was very dull—it was about—it's called The Life and Times of David Lloyd George with Philip Madoc playing the Welsh politician. And the music—
And do you know that that theme tune, which is called 'Chi mai?'—I'm probably saying that wrong—which I believe is Italian for 'whoever'—that reached number 2 in the UK pop charts.
And it was a magnificent piece of music. And that's how I will always think of Ennio Morricone.
It was also used in an Asterix movie where Dogmatix is chasing a Legionnaire in slow motion, but that's not quite as poetic.
I will put some links in the show notes so you can check out that theme tune and maybe even watch an episode of The Life and Times of David Lloyd George as well.
It's a poem which is written by a Bristol-based poet called Malaika Kegode, and she put it out on Twitter and Facebook, and it's basically a list of all the microaggressions I think she's ever suffered as a person of colour, and it's absolutely brilliant.
And I will include the link to it and I'll send it over to you. But I really super, super honest and straightforward and very funny and also very touching. And yeah, she's great.
She was published by the same publisher as me, Burning Eye Books. They're also a Bristol-based publisher, and she is great. I recommend her to you all.
She's not, I'm not nitpicking on my mom. I'm just setting the story, calm down. Oh, okay. So my mom, she's pretty awesome.
Graham's always had a bit of a penchant for my mom.
It managed to get into her own echo chamber. Oh no. And for those who aren't sure about the Karen meme, can you believe there's actually a Wikipedia definition?
And I want you, Graham, to tell me, yeah, this describes your mom, this is perfect or not.
Okay, okay, Karen is a pejorative term used in the US and other English-speaking countries for a woman perceived to be entitled or demanding beyond the scope of what is considered appropriate or necessary.
Depictions may include demanding to speak to the manager, being an anti-vaxxer, having a particular bob cut hairstyle. What? Particular hairstyle?
Yeah, as of 2020, the term was increasingly used to be a general purpose term of disapproval for middle-aged white women. Whoa. So this is pretty heavy stuff, right?
Oh, look at the Graham. So that's the kind of stuff that's happening. And anyway, so she calls me.
You know, anyway, so what is she supposed to do, change her name to Steve? No, don't do that.
This is the second campaign I've started in one show, and I'm asking you, dear listeners, maybe we shouldn't use really common people's names as a way of describing something so awful?
For my beautiful mom's sake. And what about all the other Karens out there? The good Karens, the lovely Karens.
They're more professional, Michelle.
They can also listen to the show, which is on BBC Sounds, and it's called My Fake News Whodunit, and it was produced by my great producer Flora Carmichael, and it's a good listen.
Join our subreddit for Smashing Security news. And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
And also, hat tip this week to our Smashing Security sponsors, Authentik8 and LastPass. Their support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
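The DMARC advice in the transcript above (publish a policy so receivers can reject mail that forges your domain) and Carole's accounting software whose invoices then stopped arriving come down to one check a receiving mail server performs: did SPF or DKIM pass, and does the domain it authenticated align with the domain in the From header the recipient actually sees? The following evaluator is an added example written for this page, not code from the podcast, from Agari, or from DMARC.org. The domains, the DMARC record and the three message scenarios are constructed for illustration, and its organizational-domain logic is a deliberate simplification (real receivers use the Public Suffix List).

```python
# Added example: minimal DMARC evaluation (identifier alignment + policy).
# Domains and records below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into
    tags, filling in the RFC 7489 defaults for policy and alignment modes."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    no multi-label public suffixes such as .co.uk; real receivers use the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the RFC5322.From header the user sees
    spf_domain: str             # RFC5321.MailFrom domain SPF was checked against
    spf_pass: bool
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, if any
    dkim_pass: bool


def evaluate_dmarc(record: Dict[str, str], r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes only if SPF or DKIM
    passed AND the domain it authenticated aligns with the visible From domain."""
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, record["aspf"])
    dkim_ok = (r.dkim_pass and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.from_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}.get(record["p"], "deliver")
    return "fail", disposition


# Constructed policy for the hypothetical domain example.com.
EXAMPLE_RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")

# 1. BEC attempt: the scammer's own server sends From: ceo@example.com. SPF passes
#    for the scammer's bounce domain, but nothing aligns with example.com.
forged_ceo = AuthResults("example.com", "scammer-infra.example", True, None, False)

# 2. The invoicing problem: a third-party accounting service sends "from"
#    example.com but bounces and DKIM-signs as itself. Authenticated, yet
#    unaligned, so p=reject makes receivers refuse the invoices.
unaligned_saas = AuthResults("example.com", "accounting-saas.example", True,
                             "accounting-saas.example", True)

# 3. The fix: the service signs with a DKIM key published under the sender's
#    own domain (d=example.com), so DKIM aligns even though SPF still does not.
fixed_saas = AuthResults("example.com", "accounting-saas.example", True,
                         "example.com", True)


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate the three constructed scenarios against the example policy."""
    return {
        "forged_ceo": evaluate_dmarc(EXAMPLE_RECORD, forged_ceo),
        "unaligned_saas": evaluate_dmarc(EXAMPLE_RECORD, unaligned_saas),
        "fixed_saas": evaluate_dmarc(EXAMPLE_RECORD, fixed_saas),
    }


if __name__ == "__main__":
    for name, (result, action) in demo().items():
        print(f"{name:15} dmarc={result:4} disposition={action}")
```

The second scenario is why a p=reject policy can silently break a legitimate third-party sender: the service authenticates perfectly well, just as itself rather than as you. The cure is not to abandon DMARC but to make one of the two identifiers align, normally by having the service DKIM-sign with a selector you publish under your own domain (or, less robustly, adding it to your SPF record), and to run p=none with rua reporting first so unaligned senders show up before you start rejecting.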
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Michelle Madsen – @mishmadsen
Show notes:
- Ray Hushpuppi's Instagram account.
- Your 2.3m Instagram fans won't stop the FBI… Web star accused of plotting to launder millions from cyber-crime — The Register.
- Hushpuppi and Mr. Woodbery, BEC scammers: Welcome to Chicago! — CyberCrime & Doing Time.
- Dubai Police operation Fox Hunt 2 against Hushpuppi. — Vimeo.
- Cosmic Lynx Threat Dossier — Agari.
- Domain Message Authentication Reporting & Conformance — DMARC.
- My fake news whodunnit: Caught up in a Senegal fake news scam — BBC News.
- The Documentary: My fake news whodunnit — BBC World Service.
- TikTok grabbing the contents of an iPhone clipboard every 1-3 keystrokes — Twitter.
- Popular iPhone and iPad Apps Snooping on the Pasteboard — Mysk.
- The Life and Times of David Lloyd George (with Ennio Morricone theme tune) — YouTube.
- Dogmatix chasing a Roman legionary, to the tune of Ennio Morricone's Chi Mai. — YouTube.
- An Abridged Micro List — Malaika Kegode on Facebook.
- Karen (slang) — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Silo for Research (Toolbox) from Authentic8 is a secure and anonymous web browsing solution that enables threat intelligence, security, and public safety professionals to conduct research, collect evidence, and analyze data across the open, deep and dark web.
To learn how Silo for Research enables teams to timely and efficiently investigate, while ensuring maximum security and oversight to ensure compliance – including GDPR – go to smashingsecurity.com/authentic8 now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.

