Smashing Security podcast #220: Ransoms, scandals, and glitter bombs

Industry veterans, chatting about computer security and online privacy.


PC manufacturer Acer might have received a $50 million ransom demand, a warning spreads on Facebook about a trick being used by hackers, and why are the City of London’s police not happy about Sci Hub?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Alex Eckelberry.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Alex Eckelberry

My visage is used for a large variety of romance scams, and so I'm... Are

Unknown Guest

you kidding? Are you fucking kidding? I'm not kidding.

Graham Cluley

Smashing Security, episode 220, Ransoms, Scandals, and Glitter Bombs, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 220. My name's Graham Cluley. And I'm Carole Theriault. And this week we are joined by a returning guest, but a guest returning from the mists of time. Can you believe almost to the minute it is four years? Pre-Rona, pre-Brexit, pre-Trump. Since we had Alex Eckelberry on the podcast. Alex, how are you? What have you been up to for the last four years? What's happened to the world?

Carole Theriault

Can you make it quick?

Alex

Nothing really, you know, it's been slow, but I'd love to be back on the show, and it is bizarre that we're at four years. I mean, almost to the day. It's actually very cool.

Carole

Is there anything you want to tell anybody about who you are and what you do and why they should care?

Alex

Yeah, typically the last bit, why they should care. I've been told I have a good radio voice, but, so, look, I've worked in security for many, many years. And, you know, I had an antivirus software company, a company called Sunbelt Software that's now Vipre Security. I sit on the board of a company called Malwarebytes, which is a wonderful product, endpoint security. And, you know, I was also an early board member of a company called KnowBe4, which is a security awareness training company. So I've done a lot of work on the board side. I also was a board member of StopBadware, which is the originally Google-backed outfit to help with malware on the web. So, you know, look, I love security. I love it, breathe it. And I'm definitely in the mix. And you love the show, right? Well, you know, I was going to say that of all the shows I listen to. This is not one of them.

Carole

So thanks to this week's sponsors, 1Password and SailPoint. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be sharing with everyone a warning about Facebook.

Carole

Okay, fresh. Alex, what about you?

Alex

Oh, I want to talk about REvil, which is, you know, this ransomware as a service operation.

Carole

Cool. And I'm going to be asking whether academic research should be free for all and at what cost. So all this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, have you ever had a slightly rough night on the tiles? Have you been out partying? Maybe there you were at a security conference in Prague?

Carole

I never partied, no. You didn't do that, I never went out, never had fun. Alex, have you ever maybe enjoyed yourself a little bit too much?

Graham

You know, I have a swollen head.

Alex

I say, well, I take the fifth. I hear B vitamins and water helps, but maybe you have a better idea.

Graham

Well, maybe if you did return to your hotel room or to your home and you were slightly inebriated or the worst for wear, you may think, you know what I'm going to do? What I'm going to do right now, while my judgment is obviously slightly squiffy. Massively impaired. Massively impaired is I'm going to send a message to my boss or I'm going to contact my ex-girlfriend or my ex-wife and I'm going to tell her exactly what I think because I've worked out precisely what I mean to say.

Carole

Yeah, and you're feeling it and you're, and I'm going to tell you something else, your mother fairy miniminimin.

Graham

At that moment, at that moment, you believe you're Oscar Wilde.

Carole

I wouldn't know, but I imagine it's very, very clear that you feel you can handle that situation at that moment. Yes, yes. Nothing could go wrong.

Graham

No, there's no way. You're on top of the world. Exactly. And obviously you then send a message and it's offensive or it's something which you later regret.

Carole

Can you give us an example? Well, it's not something I've ever done. No, no, but in your story, I'm presuming you have a story to back up. This is not just chit-chat.

Graham

You make a lot of assumptions about my story. Okay, sorry. I think maybe you should wait and see. So, you know, you could send something maybe inappropriate. You know, you could criticize someone's food or their hairdo, how they have spinach stuck between their teeth on Zoom calls or whatever it is. You could send off some message or tell your wife that she has halitosis or who knows what.

Carole

You mean text them? What do you mean tell them, text them?

Graham

Well, you could send them an email maybe or you could post a message. Maybe even worse than texting would be if you were to publish it publicly and tag them, like post it on Twitter or maybe post it on their Facebook wall and say, you look fat in that dress. I don't know, Alex, if you've ever been accused of looking a bit fat in a dress. Kilts, definitely a problem. So word has begun to spread that there is a new way for hackers to hurt and insult Facebook users. And that's why I'm talking about this. As if it weren't painful enough carrying the stigma of being a Facebook user. It turns out that hackers can send hurtful comments to your Facebook contacts, which look like you sent them or you posted them up on their wall. But, and here's the sneaky bit, your contacts can see the messages, but you can't see what you post. A bit like you can't see the offense when you texted or you called up someone or left them a voicemail when you were drunk. Yeah, right? Because it's invisible to you. You can't see what's wrong with it. Well, similarly, you can't see what you've posted up on the Facebook page. Oh, I see what you've done there. Good analogy, Graham. Right, right. Yeah. So thousands of Facebook users are sharing this warning across the social network and asking their friends and loved ones to share it further across Facebook. Tell all your contacts that if they get an offensive or inappropriate message from you, it's not really you, which I think is a rather fantastic alibi. Because you've now been given free rein to say whatever the hell you like to whoever you like.

Carole

Oh, okay. Well, why don't you tell us your top three? Because you... No, come on. Let's do this. Well, I'm not on Facebook. Carole, are you on Facebook? No, let's imagine. Let's do it on Smashing Security. Okay. So what honest message do you want to send?

Graham

Well, you wouldn't have... Well, I mean... Well, is there anything that you've ever wanted to say to a podcast co-host, Carole?

Carole

No, I'm not. I have no interest in any of this. You're just saying that you now have got a free card. Yeah, you've got a get out of jail free card, right? Right. Because you can say it wasn't me. I must have been hacked. I find that interesting. And also it means that when the person calls you up and goes WTF, you can go, what are you talking about? You can say, oh, what? Which is the best thing to do, right?

Graham

What? It won't. Alex, are you on Facebook at all? Yeah, but I always thought this had to do with those sunglass ads I would get from friends, and they would always say, no, I wasn't hacked. But you're saying you could actually use this for other things? And would you find it useful? Do you think you'd quite like occasionally to use this threat as a sort of alibi, as a cover for abusing people? Yeah, yeah. But, you know, I think people will just do that anyway. I think we've seen that on Twitter. This is true. A lot of people do claim that they've been hacked when they haven't really. Awkward. It seems to me there's a few options here, though, right? So either there is some kind of threat going around, in which case Facebook should come clean pretty soon and go, whoa, this is happening, or people are actually getting drunk, sending the messages and then playing... or, or there is another alternative.

Carole

I think it's a hoax. You are absolutely correct. There was no other option.

Graham

The warning is entirely bogus. I've fooled you. Well, I almost fooled you, apart from I didn't fool you. Because pivot, it's a pivot. It's a pivot in Smashing Security. We're pivoting now. We're pivoting, right? Because the whole warning is absolute nonsense. People are spreading this message saying, oh, my goodness, hackers are posting messages on walls. You'll see offensive things, but it's not being sent by you and you can't see it. Facebook has now come out and said, no, no, no. This is all a load of old cobblers, right? This isn't

Carole

actually happening. Okay, then what's the motivation? It's just for people to spread it, people to tell people something fake. That's the, I don't understand. This is the whole thing, Carole. This is the whole problem of disinformation generally, right? Is that people believe that they are being helpful to each other, that they believe, I found something out. I can help my pals. I can warn them about this as well.

Alex

How many times do we see the person posting, you know, from this point forward, all my information is copyrighted by the federal code, blah, blah, blah. You know, this is a hoax.

Graham

If Facebook uses any of my data without first giving me that many dollars. It's just, oh, my goodness. But yes, because you see Mimi, your friend Mimi, posting this message, you think, well, Mimi's lovely. Yeah, I love Mimi. You all right? And so you just reshare her message. Maybe you type it up yourself. Maybe you go and talk about it at your online book club. Maybe you discuss it in other places off Facebook as well and say, oh, by the way, did you know this is going on on Facebook? And so people are spreading this left, right, centre, upwards, downwards. And it's an old school hoax. In fact, this hoax, if you just spent a couple of minutes researching it before you shared it on with other people, you would have found it on Snopes, which has been debunking this particular claim since 2012.

Alex

It's been going around for a while. But then you get the thing that you put the Snopes article, and then they go, no, no, no, Snopes is owned by George Soros or something. So you can't win. I just got in an argument on Facebook yesterday about somebody posted a huge picture of this tree that's two and a half miles wide. It's a fossil, and it went up 10 miles. And it's a picture of this. It looks this giant tree. And I looked at it and I said, well, obviously you can't have a tree that goes up 10 miles. It makes no sense. You can't have a tree that's two and a half miles wide. So, of course, this is people, oh, my God, when giants roam the earth. I'm okay. So I do a quick Google search, find out it's some mesa in Tunisia. And then I say, guys, this is a mesa in Tunisia. I move on. Of course, how do you know? How do you know that for sure? Because I used

Graham

Google. I don't know. Have you tried this, guys? Go to google.com. Listeners, try this as well, right? Go to google.com. Other search engines are available, but on this occasion...

Carole

We'll wait while you get your... And I want you... Get off your exercise bike.

Graham

I want you to Google the phrase, who invented blinking, right? Who invented blinking? Put that into Google, and you will get the following answer. Alex, are you in front of a computer? Can you try that for me? I'm going to write it. Who invented blinking? Who invented blinking? Oh. What

Alex

does it say? Richard Blink. Blinking was invented in 1638 when Richard Blink tried to blink twice at the same time.

Graham

And this is an answer which Google has found on Alexa Answers for some reason. So you can't trust Google about that tree, can you? Maybe they're lying about it. No, exactly. It's possible, isn't it? And also Soros is involved, I assure you. Soros has got to be involved somehow, hasn't he?

Carole

Okay, but you know what? But I kind of think it gives me hope for humanity, the fact that all these people want to help other people by telling them. So the engine is working. It's just the start of the information being shite, right? The engine of communication is working fine. We can't blame that. It's just that the information was wrong.

Graham

Yeah, but good intentions, you know, aren't the worst. What,

Carole

is that why you never have any?

Graham

Oh, girl, that was funny. I think maybe we should get a seatbelt for internet users that they have to wear, you know, or something which just prevents them from... A seatbelt? Well, something which stops... Do you remember back in 2008, right? This isn't just a Facebook problem, but email, instant messaging. 2008, Google introduced a feature to Gmail called Mail Goggles. I think they got the name from Beer Goggles. So you know the experience when you go to a bar or something and you drink too much beer and suddenly everyone becomes three times more attractive than they are in reality. Thank you for explaining

Carole

the thing that every fucking person in the entire universe knows. But yes, go ahead.

Graham

Now, with Mail Goggles on Gmail, if you enabled the feature, what it would do is it would ask you to complete a few simple maths problems in a limited period of time. So it's 29 plus 14 and things like that, right? Before it would send an email. And it would activate automatically late at night on weekends, when they thought you were most likely to be drunk emailing your ex-girlfriend or telling your boss what you thought of him. And maybe that was a good idea. And maybe we should have something like that on WhatsApp and Signal and Slack and everything else, just in case people are, you know, doing things before thinking. Well, food for thought, Graham. Food for thought. Thank you very much. Alex, what story have you got for us this week?

Alex

Well, we all know what ransomware is, right? And it is a plague. And there's this one particularly vile piece of ransomware called REvil. The name is actually inspired by the Resident Evil movie series. And REvil is a ransomware as a service. So if you're an aspiring low-life criminal, you can contact the REvil folks and say, hey, can I become an affiliate? And then REvil will cut you in for part of the profits, and then you go off and try to hack into somebody. Software as a service. It is exactly that. And the REvil folks, they even went so far as to have a blog, which they call, with great irony, Happy Blog, where they post, it's literally what it's called, where they post examples of stolen data and then threaten to release the files if they don't get paid the ransom. So you get hacked and then they post a bunch of, they almost always hack corporate networks. And they'll post a picture of, here, we've got this spreadsheet of all your customers or the spreadsheet, whatever. And then, and of course that's public. So because of this Happy Blog, some very enterprising security researchers, including people at Bleeping Computer and a few other places, discovered that REvil is claiming they've attacked Acer and are demanding a $50 million extortion. Now they put up some leaked documents allegedly from Acer, including financial spreadsheets and bank balances and that sort of thing. And there's kind of this weird back and forth, and I guess some security research is going to figure this out, that the REvil folks have actually been enterprising and are offering a 20% discount if they got it by March 17th, which, of course, has already passed. Now it's until March 28th to meet the demands. And after that, it goes double, $100 million. So this is the biggest one we've seen from this group. I think last year there was one for around 30 million. This is rough.
Of course, Acer has said in their defense, they've said there is an ongoing investigation and they're unable to comment. They haven't actually confirmed this. To their credit, this is still an ongoing situation. It's what we call a brown alert in the industry,

Graham

isn't it? That's what they're currently experiencing.

Carole

Exactly. Do you think they're going to pay?

Alex

From what I can see, there is a negotiator. There's an interlocutor.

Carole

Look, 10 million, guys. Come on, 10 million.

Alex

Exactly, that is according to this one website, that was actually 10 million was proposed.

Carole

Oh, really? There you go. I could be a negotiator. Anyone need to, yeah, I'm there. Yeah, exactly. Now, and again, we don't really know much about what's going on back and forth. So, you know, again, we shall see what happens, but it's certainly a heck of a story. we covered it actually a few weeks ago. Exactly. Yeah. Oh. And so, you know, I mean, is Microsoft doing an out-of-band patch for Exchange Server? You know, if you're running Exchange Server, definitely get updated.

Graham

I wonder if Acer have cyber insurance because the REvil gang, there was an interview done with a member of the REvil gang in the last week or so, a chap going by the name Unknown. The guys at Recorded Future interviewed him. And one of the things which he said was that they target organizations that have cyber insurance because they presumably think they're more likely to pay up because they've already spent money on the insurance. Yeah,

Carole

they're not personally liable or whatever. They're not going to go get tanked.

Graham

And the fascinating thing about this is that the REvil gang claim that what they actually are doing is they're hacking the insurers first to get their customer base to find out who's insured. They then hack those who are insured, and then afterwards they hit the insurer as well. So it's quite clever and quite targeted, some of the things which they're doing right now. Yeah.

Carole

And also insidious though, to the whole model of insurance, right? At the end of the day, whether they're targeting insured companies or not, which by the way, I would not be surprised. Really, if you run a business and you're an IT and you're a smart person, there's some very basic things you can do to protect yourself against ransomware.

Graham

Wise words from Alex there. Security. Put it in. Put it in hard. Good.

Alex

Excellent. You know, that's why they have me on the security podcast.

Graham

Carole, what have you got for us this week?

Carole

Right, so we're talking about SciHub. Have you guys ever even heard of that, SciHub? How

Graham

Do you spell Sci as in, like, science, like S-C-I? Okay, okay, okay. No, I haven't heard of that. Okay, perfect, perfect, perfect. This weekend I was seeing these headlines, you know, police warn students to stay away from an illegal and dangerous website, Sci-Hub, asking IT departments to block access to Sci-Hub on networks. And I'm like, oh, this is interesting, right? So I start doing a little digging. Oh, right. Any scientific discipline.

Carole

So if I published a scientific paper about my toenails or something—

Graham

Oh yeah, sure, your toenails. I'm just looking at what I can see in front of me and not directly. They're not on the tabletop anyway. But you know, but then other people could look that up and read about my research.

Carole

Yeah, exactly. Now this site was created by this Kazakhstani based computer programmer called Alexandra Elbakyan, okay? And she was born in the mid-'80s. And no surprise, she seems to be a super strong supporter of the whole open access movement, OA for short. And it's basically this set of principles where basically research outputs are distributed free of cost and without barriers, so anyone can access it anytime. All right. So, okay, so before we get into it, what do you think of that as a general sense? Do you think research should just be made available, or do you think—

Alex

I've actually experienced this because I'm a fiend for reading these types of things, especially during COVID. You know, you're just sitting at home and you want to learn more about this. And I certainly ran into this where I would start to Google various epidemiological studies and that sort of thing, just understand what we were dealing with. And of course, you do hit the paywalls. Now, whose economic benefit? I don't know if the researchers are getting—I mean, if somebody at Stanford or Harvard or, you know, or even my local University of Florida here is doing some postdoctoral research on some sort of virus strain. I don't think they're getting paid for that, right? And so there's some economic interest on these aggregators of data. But there's a value to what they do. They manage a peer review process. They manage how people get the data disseminated. They ensure that the data is vetted. There's an editorial process. So we have to respect that. But the actual research itself is, in many cases, coming out of public dollars, right? So it's a tough one.

Carole

No, no, you're exactly right. So not everyone is a fan of this. Because me, in principle, I am totally a fan of this. I think information, once vetted, should be made accessible to everyone, rather than all the junk we have available to wade through a pile of shit to get anything valuable on the internet. And there's companies like publishing companies like Elsevier who make their cash by providing paid access to research, like exactly as you said. So on average, Elsevier will charge $31.50 per paper for access. Whereas repository outfits like Sci-Hub will offer them for free. Okay, and Elbakyan's whole position is taxes pay for universities, universities produce research. They then pay publishing companies to publish the research, and then they have to pay to access said research and research from other universities or science labs. And that's a big problem with someone who supports open access because it's a very different model, isn't it? All this to say, Sci-Hub and Elsevier are not the best buddies.

Graham

Elsevier aren't going to be sponsoring our podcast anytime soon, are they? I guess I just lost them.

Carole

And problem number two is Sci-Hub got really, really, really big, really, really fast, okay? So for context, just know that Facebook managed 6 million users in its first year, okay? So in 2017, six years after Sci-Hub had launched, it had 70 million papers represented. That's two-thirds of all published scientific research available.

Graham

They just scooped them up and made them accessible.

Carole

And today, it's now 80% of the current available scientific papers out there. Now listen to this. Volume of data is roughly two and a half times the size of Wikipedia.

Graham

Oh my goodness. So you can imagine why many people might want to use that site.

Carole

Well, exactly. If you're a student and you're doing some research and you need to learn about something, what better place than this? It's a juggernaut of a site. But there is a little issue-ette. Let me get to that in a sec. So she's basically saying, fuck you academic publishers, right? I don't think you should be putting a paywall here. And she also has a ginormous amount of clout because she's got a lot of articles up there. So I was like, how? I'm sure you're wondering the same thing. How did she scoop them all up, right? They are behind paywalls. So let me tell you how it works. This is based on the scholarly kitchen. So let's say you want to learn about something. You may do a Google search and you would see Sci-Hub pop up somewhere. You would click on Sci-Hub and a captcha would show up to verify that you're not a bot, of course. Ironic, but there you go. Now, Sci-Hub works with a repository called Library Genesis or LibGen. And that is basically where all its research sits. You put a copy in, it then puts the request to LibGen. LibGen, if it has the research you're looking for, it then sends you a copy. However, if it does not have a copy in LibGen, then it uses multiple institutional access systems to search across publisher platforms like Elsevier, perhaps, and others, bypassing any access control barriers. And it retrieves a copy of the item. It delivers a copy to the user who requests it. And it stores a copy in LibGen so it's easier to serve up next time. So effectively, it's stealing the research and making it available to all.

Graham

So these papers aren't necessarily hosted on Sci-Hub's own servers, but it finds a way of giving you a link where you can access them. Is that right?

Carole

No. No, no. It downloads it, gives you a copy, right, because you've asked for it, but it also keeps it in its LibGen. So it grows every time you search for something new. Basically like Google. For every search, it can add or use something that it already has. And during this whole process, Sci-Hub asked for donations, which is how it makes its money. Bitcoins are preferred. So you can see why Elsevier are very pissed, right? And they've been pissed for a while.

Graham

So they're grabbing the credentials of maybe legitimate students and staff at a university to then use the university's own search engine. So

Carole

it's not really a search engine. Every university has logins to these publishing firms, right, so that they can access the research. And they have authentication processes to go through in order to access that research. And authorities in the US and the UK are saying that Sci-Hub uses techniques like phishing to get a hold of these legit authentication logins to get into these research papers and then using them to scoop up the research. And this is where it gets kind of interesting, because obviously we can all understand why Elsevier and other publishing firms are really pissed off, because it's cutting off, it's hitting their business model. Now, of course, Alexandra Elbakyan strongly denies this, right? She says that it mostly came from exploiting libraries and university subscriptions, saying that she gained access to around 400 universities that way. And she says also that many academics have offered their login information. But, you know, two and a half times the size of Wikipedia.

Graham

Well, why would anyone give their login information to Sci-Hub knowingly and consciously?

Carole

Because you want lots of people to read your frickin' paper, maybe? And they might be pissed off that it costs a fuckton of money to access this research normally.

Graham

Is that a metric fuckton or a regular fuckton?

Carole

Big ass fuckton. Okay. So huge brouhaha ensues and Sci-Hub end up getting sued successfully twice by US-based publishers. This happened both in 2015 and in 2017. But the site continues to operate because it's in Russia outside US jurisdiction. PayPal blackballed them as well, but now they use Bitcoin. So it's kind of like the WikiLeaks of science research. Do you think? It's kind of like that. It's like we're publishing information that's not ours for the benefit of all. But

Graham

they've also, allegedly, according to the UK police at least, they've also grabbed people's login credentials and passwords, and presumably they are storing them in some fashion on their servers. And do we have any confidence that that is being done safely and securely?

Carole

Do we have that with any company, to be fair?

Graham

Yeah, but this is...

Carole

Yeah, no, I mean, you know, I mean, you know. Anywho, the City of London Police late last week issued a press statement saying students stay away from the site. IT guys at universities block access to Sci-Hub as well because, A, it's an illegal site, and B, they operate in a way that is deemed dangerous. I'd love to know what they mean by illegal site, though. I mean, is it just like Pirate Bay? The description you've given me, the website is illegally accessing without proper authorization the servers of universities and accessing material there. So it doesn't have legitimate authorization to do that. So it is doing things which appear to be illegal. Yeah. And you also think if this phishing shit is

Graham

going on, you... I think phishing shit, by the way, I think that's a different name for caviar, isn't it?

Carole

Yeah. Basically, the takeaway is whether you're pro or against open access as a concept, right? If you were a student, make sure you have a long and unique password for all your accounts, okay? That's just an easy no-brainer. And put on 2FA if at all possible. Two, this site is considered illegal. And I'm not sure exactly what that means for you as a visitor of those sites. And I did try and look. But I think that means be very careful before you visit the site or share links to it. I saw a number of articles about people saying, would it be illegal to share a link to an illegal site? Right. Even if you don't go to the site, there's a whole legal quag. I think the

Graham

other thing that universities could do, perhaps, if people are accessing this from the university campus rather than from their home. So it depends on where you are being a student. Is, of course, you could block access to the site.

Carole

They keep repeating that. That's what you could do as the IT people is to block access to the site. You can also go to arXiv.org. That's A-R-X-I-V.org. That's currently the largest legal source of open access papers. So that one at least is legal. And you know what? Ask the person who wrote the paper. Nine times out of ten, they'll just say, oh, yeah, I'm so delighted. Here you go. Done.

Alex

You know, it's actually, the point you make is very valid. I actually had a COVID paper that I was very curious about, about the vaccine. And I just emailed the author and I said, you know, I have some questions on this. It's a professor at a major university. He emails me back and answers my question. So it's not like it's all ivory tower. A lot of these folks are accessible. And you know, a lot of these people are in this field because they want to help. Yes, totally.

Graham

I had my first vaccine jab last week, actually. It was great. I had the Oxford AstraZeneca one. No side effects at all. I'm completely... Wow. No, it was all right, really. Well, let's move on. Okay, pop quiz. How do you get the highest level of privacy without sacrificing convenience? Choosing 1Password for your business, that's how. It offers end-to-end encryption you can count on. You get auto-lock and manual lock for the 1Password app, multi-factor authentication, safe autofill on secure websites, privacy cards, and loads more. Plus, if you switch to 1Password, you can receive its switching bundle. It includes a subscription credit towards your current password manager, hands-on migration support, and free family accounts for every single member of your team. Go to smashingsecurity.com forward slash 1Password. And thanks to 1Password for sponsoring the show. Our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the week, pick of the week, pick of the week. Is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security related necessarily. Should not be. Well, my pick of the week this week is a little bit cyber security, I'm afraid, but it is also quite entertaining.

Carole

So he's basically a vigilante taking the law into his own hands. Glitterifying, glitterifying the video.

Alex

Is schadenfreude. I love... I've watched that video. It is total schadenfreude. It's like, yeah. So

Graham

The latest video from him, which has come out in the last week, targets not these people who steal parcels, but instead it targets phone scammers. So the people who ring up little old ladies and trick them into, well, the specific confidence trick is they ring you up, they say, we owe you a refund for something or other. And then they trick the little old lady into believing they've been given maybe $20,000 rather than $200. Is it

Carole

Always a lady, or do guys get fooled? Are they too smart? Can happen to guys as well. But OK, I just want to make sure. But

Graham

It principally happens, it appears, to people who are elderly, who are particularly susceptible to this. So the scam is you accidentally, you believe that you've had $20,000 put into your account because you can see it on your online bank account, and the scammer has remotely accessed your computer and has changed the appearance of what's on your screen. And then the phone scammer says, oh, I'm going to lose my job. This is disastrous. But we can fix this. Can you mail me back via UPS or FedEx the difference? So please send me $19,000 or whatever it is to make up for it, right? And people do this. People put huge amounts of money in the post. Now, what Rober did was he intercepted, with the help of some other fantastic YouTubers who fight phone scammers like Jim Browning, he intercepted some of these calls, told the people who were about to be scammed about what was going to happen. And in the place of the parcel they were going to send, instead sent a parcel with a glitter bomb inside it. So it didn't have money inside it, it had a glitter bomb instead. And a remote camera. With a remote camera and GPS and everything else. And you love it, right? You love it? You've got to check out the video. It's quite entertaining.

Carole

You know what? Your birthday's coming up. And I'm going to give you two presents.

Graham

Anyway, go and check it out. Links in the show notes. Alex, what have you got as your pick of the week? I love it. I love it. Well, I mean, the scams online are wicked. Unbelievable. And I mean, you know, there was, my daughter was shopping for some cart or some, she was shopping for a golf cart. And, you know, there's this incredible deal on a golf cart. Of course, you contact this person while they want to contact you offline. And then there's all this stuff. And of course, you're going to end up having to send some money to somebody that you're never going to get anything for. So be careful out there.

Graham

Yeah. So I get. Alex, you are a good looking. You're a good-looking fellow. Oh, no, no, no. This is bad. No, it targets a particular woman of a certain age. Let's be honest. But I get these, I get these, honestly, I'll joke is I get these heart-wrenching, heart-wrenching texts of people.

Carole

I think I would feel, I'd feel phantom guilt even. 100. To do with me? Yeah, just for existing. 100. 100. I feel...

Alex

And being, I feel awful. That's what he tells Mrs. Eckelberry anyway. Yeah, but, you know, I have to blame myself, for, you know, listen, obviously I've posted pictures of myself online on Facebook, so I've had to get my private... Are you nude in these? No. In the Speedos? Is it? No, no, this is... The Budgie Smugglers?

Carole

No, okay. You're not sending romantic Fabio-like pictures of you in the, you know, Tarzan get-up or something.

Alex

Yeah, yeah, no, that was definitely when I was in my 20s and those pictures, you know...

Graham

Maybe it's like the Garry Kasparov photo shoot in Playboy. Maybe it's like that. They're all at it. The hairy shoulders.

Alex

I think Garry Kasparov had a photo shoot in Facebook and, and, and Playboy.

Carole

Yeah. Yeah. Yeah. He was on our show recently.

Alex

Yeah. Okay. Well, that's something, something I needed to really didn't need to know, but thank you. So yeah, anyway, this, this, this does happen. These romance scams are out. I don't know why we got into that. We got, we're talking about scams, but this is something that is, I mean, you know, we could do a show on this because apparently I've become an expert.

Graham

I think we should. I think we should specifically. Why have we done all the rest of this show? It should all have been about Alex Eckelberry, the romance scam. Let's re-record. It's humiliating. Please, please, please. Falling for a romance scam with Alex Eckelberry's face.

Carole

What's your pick of the week? Okay, well, mine is definitely not security related. My pick of the week is a new Netflix show that I know you've watched, Graham. I know you know what this is, and I know, yeah, you've got some issues. So it's called The One. Yes. And it has a very similar premise to the Amazon show which I reviewed a few weeks ago and I can't remember the name of. Soulmates. Soulmates, exactly. Similar to that one, but a little bit different. So this one's love and lies kind of spiral out of control, where this DNA researcher discovers a way to find the perfect love, the one true love, and then creates this bold new matchmaking service. So that's the premise as you open. Right. And the whole first episode is she's at the top of her, you know, find-your-number-one-love game. And, you know, she's the CEO of the company. She's Elon

Graham

Musk or the CEO. Yeah, she's like Elon Musk. Yeah.

Carole

But then a body's recovered from the Thames and it's someone she knows and the cops are sniffing around and you've got founders and you've got all kinds of action packed type deception stuff. And it's but I found it a very solid piece of entertainment, you know, Graham.

Graham

Well, I think the premise was quite fun because I have watched this on your recommendation. The premise was quite fun, which was imagine a world where you can sign up for a service and it will tell you the one person you are guaranteed to fall in love with and they will fall in love with you on a biological level. Were you hoping

Carole

they would have a little questionnaire at the end or something?

Graham

No, I thought that could be fun because imagine how that would change the world if that were to happen and people would get divorced and all the melancholy if your true one love got crushed by a steamroller or something. You know, I thought, oh, this could be interesting. But what a load of old cobblers it was watching this show. I'm sorry, Carole. It was, I was getting so annoyed by it.

Carole

So it made you feel something, check.

Graham

It did. Annoyance, yeah. Well, what, anything, anything at this point. I seem to remember I was halfway through episode two when I texted you and I said, does this get any better? Is it worth watching anymore? And you said, oh, yes, there's going to be twists and turns. And so I watched all ruddy episodes. And I... Okay, I don't want to be... I don't want to slag off your pick of the week. You haven't done that yet, no. But it wasn't for me. It wasn't for me, I have to say. I found some of the plotting absolutely ridiculous. And I was just... This from a Doctor Who fan. I spent a lot of my time just going, that wouldn't happen.

Alex

From a Doctor Who fan. Yeah, but Doctor Who's different. That's about time travel, which we know occurs.

Carole

You get garbage cans turned upside down coming after you. That could happen. That could happen. The plunger is coming at you. The whisk. Oh, no, not the whisk. Okay. Anyway, I thought it was great. She has excellent clothing. If nothing else, guys, watch for the stylish, stylish, stylish Rebecca Webb. And I thought it was great. And- Graham, can

Alex

we watch it together? Look up the dresses and stuff?

Carole

It's on Netflix. It's called The One. Choose your side, Graham. Carole...

Graham

Yeah, that's all I can say. They'll quit after episode two, I'm sure of it. It's not... Yeah, well, good

Alex

For them. You know, if you're going to throw out a movie, I'm just going to throw out one. I'm going to say After Life with Ricky Gervais is delightful. Oh, yes. I've

Carole

Not watched all. Is it good?

Alex

Oh, it's so delightful. It's just delightful. Very, very... a lot of heart. Good show.

Graham

Well, on that note, we've just about wrapped it up for this week. Alex, I'm sure lots of our listeners would love to follow you online, maybe get into a romantic relationship with you, get your phone

Alex

Number. 555... @AlexEck. @AlexEck on Twitter. Fantastic.

Graham

And you can follow us on Twitter at SmashSecurity, no G, Twitter and last of G, and we're also on Reddit. Just look for the SmashSecurity subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app. And if you want to do something for the show, sure, you could become a patron, but, you know, hey, that's going to cost some money. Maybe just tell your friends about Smashing Security. Spread the word. That's one of the best ways in which you can help us.

Carole

But hey, listen, you already help us by listening to the show. Special thanks go out to 1Password and SailPoint, as well to all our Patreon supporters. All these people help make this show free for all. For additional information on any of the stories we've covered here, sponsorship details and the entire back catalog of 219 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye-bye. Bye. And what, you're not going to say bye, Alex? Oh, God. It's just a bit

Alex

Antisocial. Bye. It's just a bit. Well, it's always hard when you're in someone else's podcast. You don't always know the rules. So you kind of just, I don't know. We're just teasing you. We're teasing you. Okay, so bye. Bye-bye. Bye. Take two. Take three. Bye. Bye. Bye. You can see me on the internet. Photos.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Alex Eckelberry – @alexeck

Show notes:

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com

Sponsor: Sailpoint

SailPoint Identity Security can help you enable your business and manage the cyber risk associated with the explosion of technology access in the cloud enterprise – ensuring each worker has the right access to do their job – no more, no less.

Gain unmatched visibility and intelligence while automating and accelerating the management of all user identities, entitlements, systems, data and cloud services.

Learn more at smashingsecurity.com/sailpoint

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
