Smashing Security podcast #233: Peloton problems, romance regret, and Weiner woes

Industry veterans, chatting about computer security and online privacy.

We take a look at why Peloton is being accused of ransomware-like behaviour, how one man lost $250,000 in a romance scam, and how a chap called Weiner has found himself in a political pickle.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Andrew Agnês.

Plus don’t miss our featured interview with KnowBe4 expert Roger Grimes.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
I imagine there's a little backlash.
GRAHAM CLULEY
Do you think?
CAROLE THERIAULT
Do you think maybe a soupçon of backlash? Just what I'm thinking, a nuage of backlash.
Unknown
Do you think possibly his PR agency said, 'Freak, we're not sure that's the right approach on this one.' Shut the fuck up is what I would say. Shut the fuck up, shut the fuck up.

233, Peloton Problems, Romance Regret, and Weiner Woes with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 233. My name's Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined this week by a special guest, someone who's brand new to the show.
CAROLE THERIAULT
A newbie.
GRAHAM CLULEY
But someone who might be known to a small fraction of our audience. Tiny. Tiny. That part of the audience which listens to the Host Unknown podcast is Andy Agnès.
Unknown
Hello, Andy.
ANDREW AGNÊS
Hey, hello, the sole founder of Host Unknown.
CAROLE THERIAULT
Welcome, Andy.
ANDREW AGNÊS
I'm feeling a bit lost here because obviously to everyone else that's listening, they've just heard a whole load of music playing in, whereas I didn't. It feels a bit raw.

I feel a bit behind the scenes and I feel like I'm missing something.
CAROLE THERIAULT
Because on your show, you guys do the music live, don't you?
ANDREW AGNÊS
We do.
GRAHAM CLULEY
We've actually got a band in the room with you.
CAROLE THERIAULT
No, they literally press play during, and everyone has to be quiet.

I was on the show recently and I spoke during one of the musics and I just heard one of the people going for fuck's sake, and then starting it again.

So it's a different production quality, isn't it?
ANDREW AGNÊS
Different role.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Most definitely. But you recently won an award, is that right?
ANDREW AGNÊS
This is true. And I have to say thank you for the message that you sent us. We played it ourselves on our own show.
GRAHAM CLULEY
Don't remember sending you a message, to be honest.
CAROLE THERIAULT
I don't remember sending them a message either.
ANDREW AGNÊS
Oh, you listened to last week's show. It's on the Host Unknown podcast. You listen to that, you'll hear the message.
CAROLE THERIAULT
Should we go to the sponsors?
GRAHAM CLULEY
Yeah, probably.
CAROLE THERIAULT
Thanks to this week's sponsors: 1Password, KnowBe4, and JumpCloud. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Tread warily if you are thinking of buying a Peloton treadmill.
CAROLE THERIAULT
Oh, okay. And Andy, what about you?
ANDREW AGNÊS
I am going to be talking about the mother of all romance scams.
CAROLE THERIAULT
And I'm going to talk about Zack Weiner. His name is all we need. That's it. Plus, we have a featured interview with Roger Grimes of KnowBe4. It is a fantastic interview.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, we are all fitness freaks, aren't we?
ANDREW AGNÊS
I am, actually. A fitness burger in my mouth. Yeah.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
I don't know. A freak is— Okay, what do you mean by fitness freak? Can you just describe what that means?
GRAHAM CLULEY
You're an enthusiast, Carole. You do keep fit activities every day, don't you?
CAROLE THERIAULT
I'm an enthusiast, I think, because I'm not— I don't do marathons.
GRAHAM CLULEY
Yeah, but you have an exercise bike and you get on an exercise bike each day. I have an exercise bike.
ANDREW AGNÊS
Do you hang clothes on it?
CAROLE THERIAULT
I haul ass. No, I haul ass. You're right.
GRAHAM CLULEY
I haul ass.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Haul ass? I don't pull donkeys with it. No, I just go cycling. Andy, do you do anything at all?
ANDREW AGNÊS
Not that would qualify as exercise. I mean, I walk the dog occasionally.
GRAHAM CLULEY
Okay, alright.
ANDREW AGNÊS
But I don't need to pay a subscription to do that, you know?
CAROLE THERIAULT
Exactly. Oh my god, I'm so lucky.
GRAHAM CLULEY
I think you find you do, because if you have a pet dog, you're paying pet insurance, you're having to feed it, right?
CAROLE THERIAULT
Right, that's a subscription fee? Is that what you call it?
GRAHAM CLULEY
It is like a subscription fee, yes. Quite a lot of money involved.
CAROLE THERIAULT
Does your Peloton give you love back though?
GRAHAM CLULEY
I haven't got that attachment. But in April—
CAROLE THERIAULT
Grubby.
GRAHAM CLULEY
The Consumer Product Safety Commission, they told consumers to stop using the Peloton Tread+. So I have a Peloton Cycle.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
But some people have what's called the Tread+, which is that—
CAROLE THERIAULT
What is that?
GRAHAM CLULEY
It is their vastly expensive treadmill.
CAROLE THERIAULT
What do you mean vastly expensive?
GRAHAM CLULEY
Well, like $3,000 for a treadmill.
CAROLE THERIAULT
Okay, to go for a walk?
GRAHAM CLULEY
To go for a walk.
CAROLE THERIAULT
When there's ground outside.
GRAHAM CLULEY
But it comes with— but it comes with a TV screen as well.
CAROLE THERIAULT
Oh, right.
GRAHAM CLULEY
And so you can watch someone sort of shouting at you to carry on walking, and you can team up with your buddies, and you can have races against them.
CAROLE THERIAULT
It's a kind of fetish, isn't it?
ANDREW AGNÊS
It's a cult.
CAROLE THERIAULT
Yeah. The people that are getting sexually repressed, this is how they get their kicks.
ANDREW AGNÊS
That person can see you as well. Is that right? So when you're on the Peloton bike, can the person see you?
GRAHAM CLULEY
Well, look, nobody turns that on. Yes, there is a webcam in the bike.
CAROLE THERIAULT
Is there?
GRAHAM CLULEY
There is. Mine is covered up with a little—
CAROLE THERIAULT
Wait.
GRAHAM CLULEY
A little dot, a sticky dot thing.
ANDREW AGNÊS
Oh, okay. Graham, you're showing brain out the side of your shorts.
GRAHAM CLULEY
Because— Why would anyone want to see anyone else? It just doesn't make any sense, right?
CAROLE THERIAULT
Because you're sweating away.
GRAHAM CLULEY
Yeah, yeah. So you could technically go, "Go on, Geoff!" You know?
CAROLE THERIAULT
What if you were having a heart attack or something? Wouldn't you want someone to see that?
GRAHAM CLULEY
Not really, Crow. No, I wouldn't.
ANDREW AGNÊS
Okay, very good.
GRAHAM CLULEY
It's not something I'm planning to stream live onto the internet, no.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Anyway, the Consumer Product Safety Commission, they told everyone, "Stop using your Peloton Tread," back in April because— There'd been a number of incidents where small children and pets had been injured beneath the Smart Treadmill.

Yes.
CAROLE THERIAULT
What, getting caught?
ANDREW AGNÊS
It swallowed dogs, didn't it?
GRAHAM CLULEY
Okay, look, you guys are laughing. Someone died.
CAROLE THERIAULT
No, I'm not laughing.
GRAHAM CLULEY
You clearly are laughing. I can hear you laughing right now. It's not funny. There was one 6-year-old child which horrendously— In fact—
CAROLE THERIAULT
Are you kidding me?
GRAHAM CLULEY
No, I'm not. In fact, the Safety Commission, they have released a video on YouTube, and I thought, oh, I better go and check this out before talking about the story.

When I went to this link on YouTube, YouTube actually said, can you enter your credit card details first to confirm you're over 18?

They said, we're not gonna charge you, but this is pretty horrifying.
CAROLE THERIAULT
And did you?
GRAHAM CLULEY
Well, yeah, I did.
CAROLE THERIAULT
Oh, of course. 'Cause YouTube, they're so cool.
GRAHAM CLULEY
No, they have my credit card details already for other services I buy from.
CAROLE THERIAULT
Of course. Yeah, 'cause they're a really joined up communication company and they all know, everyone knows everything. Yeah, you're right.
GRAHAM CLULEY
Now, thankfully, this particular child in this video walked away, but it was pretty horrifying how this small child got sucked under the treadmill.
CAROLE THERIAULT
So what, it walked up, the treadmill is running on its own, or someone's running on the treadmill? Give me the scenario.
GRAHAM CLULEY
In this particular video I saw, there was a little toddler walking on the treadmill.
CAROLE THERIAULT
And it's on? It's on.
GRAHAM CLULEY
And it's on. It's going probably at 2 miles per hour or so.
ANDREW AGNÊS
And was this captured by the treadmill camera, or was this—
GRAHAM CLULEY
No, this is someone's home security camera.
CAROLE THERIAULT
Oh, thank God Nest was there or something.
GRAHAM CLULEY
Yeah. And there's another little kid around the back of it, getting all excited, seeing the floor moving, and sort of puts his hand underneath.

And at first he just sort of gets his arm trapped, and the other kid sort of runs off, presumably to get a parent. And then this kid is kind of dragged underneath, hoovered under.
CAROLE THERIAULT
Oh my fucking God.
GRAHAM CLULEY
It was horrific. Link's in the show notes. Don't really recommend it.
CAROLE THERIAULT
No, no, don't, no, no, no.
ANDREW AGNÊS
There's a live link to the show notes.
GRAHAM CLULEY
They've linked to it. The Consumer Product Safety Commission have linked to it. So you get an idea of just because they were saying everyone needs to stop using these things.

And I think that's an important message. And having seen that, I took it a bit more seriously myself because I thought, well, yeah, this does seem pretty bad what happened.

Now the other day, so I have a treadmill, but I've only got a cheap one, which costs a few hundred pounds.
CAROLE THERIAULT
And that's probably way safer, right?
GRAHAM CLULEY
Well, well, you think that, Carole, but about a week and a half ago—
ANDREW AGNÊS
You lost your dog. Worse!
GRAHAM CLULEY
I was on the treadmill and I made the foolish mistake of going on the treadmill in my socks, because I thought I'd just go—
CAROLE THERIAULT
Did you have those 5-toe socks with the grippy bottom?
GRAHAM CLULEY
I had a few minutes spare in my schedule and I thought I'd just hop on this, just for 10 minutes.
ANDREW AGNÊS
Get those bunions working.
GRAHAM CLULEY
Right. And then my phone rang and I sort of hopped off the treadmill while it was running. Not a good idea.
CAROLE THERIAULT
Oh, like a cool dude.
GRAHAM CLULEY
Like a gazelle. Imagine a gazelle.
CAROLE THERIAULT
Yes. Gazelle and you. I'm picturing it now. It's like this weird mythical creature. Okay.
GRAHAM CLULEY
But one of my toes then got trapped in the treadmill wrap.
CAROLE THERIAULT
Toes?
GRAHAM CLULEY
Yes. My flipping toe. My big toe got trapped. My big toe is all strapped up because I might have broken or fractured it or something. And it's still flipping sore.

This is a week and a half later. So I really hurt myself.
CAROLE THERIAULT
This is a big intro for a security story, just saying.
GRAHAM CLULEY
Right. Anyway, so let's get back on track, right? I don't know why you went down that alley. The Consumer Product Safety Commission told people to stop using Pelotons.

Right, Peloton Tread+, let's be specific, the Peloton Tread+. Peloton CEO, he came out fighting. He said, oh, that's all inaccurate, misleading report.

Says we've got no plans to recall the Peloton Tread+ at all. He said, "It's safe when you follow our instructions.

Every day, thousands of people are enjoying working out on their TreadLife." He said that after seeing babies being hoovered underneath it?

Well, I don't know if he watched the video, but yes, certainly after the stories came out.
ANDREW AGNÊS
He didn't want to put his credit card into YouTube to watch it.
CAROLE THERIAULT
Yeah, yeah, I imagine that's right. I imagine there's a little backlash.
GRAHAM CLULEY
Do you think? Do you think maybe—
CAROLE THERIAULT
Yeah, just a soupçon, a soupçon of backlash. That's what I'm thinking, a nuage of backlash. Do you think possibly his PR agent freaks?
GRAHAM CLULEY
We're not sure that's the right approach on this one.
CAROLE THERIAULT
Shut the fuck up is what I would say. Shut the fuck up, shut the fuck up, shut the fuck up.
GRAHAM CLULEY
Anyway, yeah, within a few weeks, Peloton had changed its tune and announced it was recalling both the Peloton Tread, which is the smaller version, which doesn't suck up children as far as we know, and the Peloton Tread+.

So the Tread+, they said, look, we're recalling this because there is this itsy bitsy safety issue of sucking up children.

And the Tread, they said, the problem with that is that the big touchscreen which you have on the front of the treadmill, it can accidentally wobble and fall on your foot, right?

Can fall off.
CAROLE THERIAULT
Is that what happened to your toe?
GRAHAM CLULEY
No, I don't have a screen on my treadmill. My treadmill's cheap, right?
ANDREW AGNÊS
Right.
GRAHAM CLULEY
Not connected to the internet.
CAROLE THERIAULT
Trusted. Trusted and cheap, Amazon special.
GRAHAM CLULEY
Just me.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
So at that point, the advice was stop using the Tread or the Tread+, contact Peloton for a full refund or some other kind of remedy.
CAROLE THERIAULT
So if your Peloton bike were to be recalled, would you literally stop using it, or would you say, fuck you, I paid £1,200 for this, so I'm using it, I'll be careful, I'm fine?

Don't you think 90% of people are still using their Peloton Treads?
GRAHAM CLULEY
Well, I think you're right, and I think Peloton knows that as well.

Yeah, so Peloton is worried that more children get sucked up, and in the land of America, there may be lawsuits, right?
CAROLE THERIAULT
Oh, they're worried about lawsuits. Okay.
GRAHAM CLULEY
Well, of course they are. They're going to worry about losing money.
CAROLE THERIAULT
Not pancake children. We don't care about them, but we care about the lawsuits. Okay.
GRAHAM CLULEY
So Peloton, one of the remedies they've come up with is a software update, which they've pushed out to the Tread+.
CAROLE THERIAULT
Without your authorisation, or you signed up when you bought it?
GRAHAM CLULEY
You get updates all the time that turn your lighter full, right? And it is something called Tread Lock.

And what Tread Lock does is it automatically locks the Tread+ treadmill if you put it to sleep or after 45 seconds of inactivity.

So if you haven't done anything for 45 seconds, you have to then enter a 4-digit passcode.
ANDREW AGNÊS
Oh my God.
GRAHAM CLULEY
So it's your phone, right? Your phone locking.
CAROLE THERIAULT
So if you stop for a text message and then start running again, you have to go and put your code in.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
You have to put in your passcode. 6969 or whatever it is.
GRAHAM CLULEY
Yeah.

Now, so this has been pushed out to Peloton Tread Pluses, but there's a catch.
ANDREW AGNÊS
Okay.
GRAHAM CLULEY
Because you bought your Peloton Tread Plus for $3,000.
CAROLE THERIAULT
Cheap.
GRAHAM CLULEY
And what— So when you buy a— let me explain. When you buy a Peloton Tread Plus for $3,000, you can just buy it for $3,000. End of story. Right. And you can go running on it.

Yeah, okay. Or you can pay the $39.99 monthly subscription to have someone yell at you, to have some fitness model scream at you.
CAROLE THERIAULT
It's a form of BDSM, right?
GRAHAM CLULEY
Right, exactly. But what's happened with the Tread Lock is that you no longer have the option to just run. You have to sign up to the $39.99 monthly subscription.
CAROLE THERIAULT
Oh, they're such— Oh, I didn't say that. They're such— they're such douches.
GRAHAM CLULEY
And Peloton has said to its customers in an email, they said, this is for your safety and well-being.

You're going to give us $39.99 because we've now given you this Tread Lock feature. And you'll be surprised to hear some people are not very happy about this.
CAROLE THERIAULT
So they want—
GRAHAM CLULEY
They can no longer run unless they pay $39.99 a month.
CAROLE THERIAULT
So that's a lot of money, isn't it, to run? I just want to— I just want to add up the annual fee of this, right, on a yearly subscription.

So how long do you want to use your Peloton? For probably 3 years, right? So it's $1,000 a year, right.

And then you've got your subscription fee, and then a year, that's $1,000, right?
GRAHAM CLULEY
Yeah, well, it's a lot of money, but if you— but if you want all of the, you know, the whiz-bangs, the special classes, and the screen people screaming at you.
CAROLE THERIAULT
Gustav, Gustav, this, the master cyclist or the running man showing you these special moves.
ANDREW AGNÊS
Yeah.
GRAHAM CLULEY
So what some customers have compared this to is ransomware.

They say you've basically locked my device and you're telling me that to get it working again, I've got to pay you $39.99, and this wasn't the deal I signed up for.
CAROLE THERIAULT
So everybody that bought one of these Tread Plus is now being locked into having to pay a monthly fee on top of the original fee. Is that correct?
GRAHAM CLULEY
That is what it looks like. Wow.
ANDREW AGNÊS
Would you— I mean, the Peloton.

So I'm, you know, I'm totally engrossed in this because normally I'm listening, you know, on my headset, but here I'm actually here and I can ask questions. I can interrupt you.

It's amazing.
GRAHAM CLULEY
No, you can't. Carole, have you got any questions?
ANDREW AGNÊS
So why would you buy a Peloton Tread for $3,000 if you didn't want someone to shout at you? Like, what's so special about that if it wasn't for the interaction part?
GRAHAM CLULEY
I've done the research. And so there's a Peloton Tread and a Peloton Tread+. The Tread+ is bigger and sturdier than the now cheaper one.
ANDREW AGNÊS
For the larger gentlemen, is it?
CAROLE THERIAULT
For the large children.
GRAHAM CLULEY
Exactly. So the smaller one can't suck up children as efficiently.
ANDREW AGNÊS
Hamsters and rabbits, guinea pigs.
CAROLE THERIAULT
Yeah.
ANDREW AGNÊS
Yeah.
GRAHAM CLULEY
So you need the Tread Plus. So. But yeah, I mean, it's. It's like a proper. I mean. I mean, I've got a Peloton bike. Right.
CAROLE THERIAULT
Which is the same. Which is the same, really. Right.
GRAHAM CLULEY
Well, it is a really nice exercise bike. You know, it's. What do you know about.
CAROLE THERIAULT
How many exercise bikes have you owned?
GRAHAM CLULEY
Oh, Carole, Carole. How many? Come, come.
CAROLE THERIAULT
How many?
Unknown
None.
CAROLE THERIAULT
Come, come, come. Zero.
GRAHAM CLULEY
Hush now, hush, hush, hush, hush now.
ANDREW AGNÊS
Fuck.
GRAHAM CLULEY
Anyway, so Peloton is saying, look, we realize some people may not like this, so they're now offering people— they're saying, look, for 3 months you can have all-access membership, so we're going to waive the fee for 3 months.

But of course, some people never wanted that anyway. They just wanted a nice treadmill, end of story. That's all they wanted.
CAROLE THERIAULT
Yeah, well, they should not have bought Peloton then.
GRAHAM CLULEY
Yeah, but they didn't know this, Carole, when they signed up.
CAROLE THERIAULT
Well, they know now. So, I mean, I always knew a bike for 3 grand— it's not a bike.
GRAHAM CLULEY
It's a treadmill.
CAROLE THERIAULT
Well, whatever. Any Peloton thing is over a grand, it seems.
GRAHAM CLULEY
You can ask for a refund, apparently.
CAROLE THERIAULT
Well, that's kind of them.
ANDREW AGNÊS
So is this spawning a whole new market of people that are offering to downgrade it or mod your Peloton?
Unknown
Ooh.
ANDREW AGNÊS
You know, hey, you can get these forums where they mod LastPass.
CAROLE THERIAULT
Yeah, jailbreak it.
ANDREW AGNÊS
Yeah, exactly.
GRAHAM CLULEY
Well, the thing is, of course, there's just been this other story. The researchers at McAfee found a vulnerability in the Peloton bike. I think it's in the Peloton Bike Plus.
CAROLE THERIAULT
Oh, right. The cool thing you bought.
GRAHAM CLULEY
No, I got the Peloton bike, not the Bike Plus. It's different.

But anyway, apparently the vulnerability exists in the Tread Plus as well, where you can actually mod the software to spy on people.

So if you have physical access to the exercise gear, so maybe you could modify it to turn off the treadlock.
CAROLE THERIAULT
So effectively, I could go to your house, mod your Peloton, stream you live on YouTube, and then just wait for you to find out.
GRAHAM CLULEY
No, you couldn't, because I've got a sticker over the webcam.
ANDREW AGNÊS
That's the physical access part, right? You just peel off a sticker.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah, thanks, Andy. Graham doesn't figure that out.
GRAHAM CLULEY
Andy, what's your story for us this week?
ANDREW AGNÊS
See, I'm expecting some sort of music to start coming out.
CAROLE THERIAULT
There is music.
GRAHAM CLULEY
Everyone else has got music.
CAROLE THERIAULT
Ding, ding, ding, ding, ding, ding, ding.
GRAHAM CLULEY
Everyone else heard it.
ANDREW AGNÊS
Yeah, okay, so I am going to talk about a romance fraud on steroids. So what do you know about romance fraud?
CAROLE THERIAULT
People pretend to love you and then say, oh, can you buy me a plane ticket? Can you give me some money, basically?
ANDREW AGNÊS
Yeah, exactly that. Yeah, so it's that type of scam which involves, you know, marks being duped into sending money to the scammers.

You know, they go to great lengths to play on your emotions, ultimately convince you to send money.
CAROLE THERIAULT
Yeah.
ANDREW AGNÊS
And they get all types of people with these scams.

You know, it's people who would probably normally never fall for scams, but because they're playing on their emotions to make decisions, it stops them from thinking through logically.

So, you know, typically a scammer would set up a fake profile, a nice appropriate photo, you know, find someone's looking for love, whether it's on dating sites, apps, or wherever.
CAROLE THERIAULT
Yeah.
ANDREW AGNÊS
They love bomb them. So they target vulnerable people, lonely people, older people, people with self-esteem issues, you know, make them feel good.
CAROLE THERIAULT
But don't you think anyone would fall for that? If someone said, oh my God, Andy, you're so great. You're the greatest. You're so great.
GRAHAM CLULEY
You're the favorite of all my hosts.
CAROLE THERIAULT
Yeah, you're my favorite person.
ANDREW AGNÊS
Exactly. And then it's followed by, yeah, you just need your credit card for another hour, sir. You know, and then—
GRAHAM CLULEY
But I think time plays a factor in this though, doesn't it? I mean, if someone said that to you the first day you met them, you might be a bit suspicious.

But if they worked on you for weeks and weeks and weeks, I'm working up to mine, Graham, with you.
CAROLE THERIAULT
20 years in the making. It's going to be expensive.
GRAHAM CLULEY
But then somehow it seems more logical and natural, doesn't it? I think that's one of the problems is sometimes these scams can take place over weeks or months.
ANDREW AGNÊS
Yeah, you're right. It's not a 24-hour thing. And often, you know, the reasons why you can't meet are actually quite logical.

You know, whether they're in another country, so you can't just pop round or they can't come over. Or if they're in maybe a poorer country and they say, oh, my camera doesn't work.

You know, I don't have a camera on my phone or, you know, I don't have video chat or anything like that. But it's usually when you look back, you can put together the red flags.

But at the time, as you're just saying, you build up to it, it's so emotive. It's actually easy to believe.

And then it is usually that next stage where, you know, the scammer asks to ship something or something gets held by customs.

They need your help releasing it or they need some money for a visa to come and see you or flight tickets or you know, some big complicated drama that you can't be arsed to go look into.
CAROLE THERIAULT
It'll cost you 200 grand.
ANDREW AGNÊS
Yeah, exactly. Family member having an accident, you know, is another one which results in significant medical bills.

You know, and that's typically the only thing that's stopping them from coming to see you is they need to resolve this problem.
GRAHAM CLULEY
And you think if you pay up, then they will feel, you know, maybe they'll be a little bit more inclined to, you know, with you or something.
CAROLE THERIAULT
What? There's no sex involved in this one.
ANDREW AGNÊS
No, but there will be ultimately.
CAROLE THERIAULT
Yeah.
ANDREW AGNÊS
It's a long game on both sides.
GRAHAM CLULEY
Yeah.
ANDREW AGNÊS
So what can people do to protect against this? Okay, so there's multiple sources for, you know, the fraud prevention advice that recommends things like don't believe the photos.

They may not be genuine. So do your research first, you know, reverse search an image.

Be suspicious for any requests of money from people you've never met in person, particularly if you only ever met them online.
CAROLE THERIAULT
Well, I give Amazon money every week.
GRAHAM CLULEY
Geoff Bezos hasn't been around to your house yet.
CAROLE THERIAULT
I've never met him. He's always declined my dinner invites.
ANDREW AGNÊS
I mean, all of this advice basically revolves around being wary if you haven't met someone, okay?

So there's a guy called James, which isn't his real name, so his identity's been protected, a 52-year-old charity worker who's living in the UK and was asked by a friend in 2015 to help set up a new project supporting children that were fleeing the conflict zone in Ukraine.
CAROLE THERIAULT
Wow. Okay. So he's, I'm all in.
ANDREW AGNÊS
Yeah, absolutely. I mean, he's charity work. This guy, you know, he's got a good heart. It's, you know, someone that you want to look after. So James had never worked abroad before.

So he had a translator assigned to him when he got there. This translator called Julia. He's still got a full-time job in the UK, but he's flying back and forth.

Gets to know Julia better on each trip he's out there.
CAROLE THERIAULT
Meeting her in person.
ANDREW AGNÊS
Meeting her in person. Yes.
GRAHAM CLULEY
Yeah.
ANDREW AGNÊS
I think this is where your guard maybe drops down a bit more. So during the winter of that year in 2015, there's a massive heavy snowfall.

So Julia, someone who he's built a nice relationship with over the months.
CAROLE THERIAULT
She's snowed in.
ANDREW AGNÊS
She's a translator and she said, how about you go on a date with one of my friends called Irina? And he's like, okay, well, sounds good.
CAROLE THERIAULT
Yeah, we're buds.
ANDREW AGNÊS
Someone, a mutual friend, that's got to be a good thing, better than a complete stranger. So he met Irina, who was a 32-year-old, so 20 years his junior.

And she had all kinds of stories that really tugged on his heartstrings.

Not just stories about fleeing a war, but she told him about these two previous marriages and why she would never want to marry a Ukrainian man again.

So she'd been scarred in the past and she wasn't looking for that.
CAROLE THERIAULT
And she really liked gray hair. She really liked gray hair and wrinkles and older gentlemen.
GRAHAM CLULEY
Beer belly. Yeah.
ANDREW AGNÊS
So despite this age difference of 20 years, right, they got on like a house on fire. For a few evenings in a row, they were going out enjoying Odessa's nightlife.

And while James always had fun with Irina, because she spoke minimal English and he spoke zero Ukrainian or Russian or anything with a Cyrillic character in it, Julia had to accompany them.

And as she was a translator, a professional service translator—
CAROLE THERIAULT
It's kind of sexy a bit, right? It's like you have a chaperone.
ANDREW AGNÊS
Like a third wheel. Yes. But she was getting paid $150 a day for this. So like £107 a day. By whom? By James, who's paying for it. For her services as a translator.
CAROLE THERIAULT
So he's like, oh yeah, come on our date and translate. I won't use Google Translate or any app that can help us. You come along and I'll pay you.
ANDREW AGNÊS
It's funny you say that because he actually said that it was easier to communicate when they were apart because they used the messaging app Viber, which had a translation function built into it.
CAROLE THERIAULT
Actually, I was introduced to Viber by an Eastern European friend.
ANDREW AGNÊS
So every 53-year-old guy wants to receive messages from an attractive lady 20 years his junior.
CAROLE THERIAULT
I'm sorry.
ANDREW AGNÊS
Yeah, I'm just saying it. Well, I'm going to speak for all men on that. I'm nowhere near 53 yet, but Graham, I'm sure you would.

You want to be flattered by a text message by someone that you've actually met in person? Yeah.
GRAHAM CLULEY
No, no, I wouldn't. I don't want any 32-year-old unless it's Diana Rigg. 32. I'm more like 30 years younger than she was when she died, I think. But she—
CAROLE THERIAULT
But that would be quite cool though.
GRAHAM CLULEY
It wouldn't— see, because what I want to do is I want to curl up with a gorgeous woman and talk to them about retro television and LPs from the 1970s.

And I'm not going to be able to do that if they haven't ever heard of the Beatles, which is of course the fate of one of my past girlfriends.
CAROLE THERIAULT
She's probably still crying about it.
GRAHAM CLULEY
Yeah. Anyway, James was up for it.
ANDREW AGNÊS
James was up for it. An example of a message he sent, she says, "You gave me a real fairy tale. Thanks so much for that. I believe in you. Just you can give me this happiness.

I love you." So it wasn't just a couple of nights they were going out. This went on for the next 6 months. James was flying over there a lot. Every night they went out in Odessa.

Expensive meals, evenings at the opera house. He was totally living up to her.
GRAHAM CLULEY
So, Julia was going to these expensive meals and to the opera house as well?
ANDREW AGNÊS
Yes.
CAROLE THERIAULT
Did she join them in the bedroom as well, just to kind of clarify what everyone wanted?
ANDREW AGNÊS
Well, so intimacy—
CAROLE THERIAULT
Just in case they couldn't work it out themselves.
ANDREW AGNÊS
Up a bit, left. Yes.
CAROLE THERIAULT
No, no, no, James. Jesus.
ANDREW AGNÊS
She's said wrong half. Reverse. Intimacy was off limits, including kissing. So Julia, the translator, said that Irina didn't believe in sex before marriage.

But to James, that was a good thing. He had a very high moral standard. And so he actually liked her even more for that.
CAROLE THERIAULT
I love how lack of sex is moral.
ANDREW AGNÊS
Okay, good. Good.
GRAHAM CLULEY
So they didn't have a kiss either?
ANDREW AGNÊS
No kisses. No, even kissing was off limits.
CAROLE THERIAULT
No second base. No first base.
ANDREW AGNÊS
Nothing like that.
GRAHAM CLULEY
You can't marry someone you haven't kissed.
CAROLE THERIAULT
I am totally hooked, line and sinker. This should be on Sticky Pickles. Okay, carry on.
ANDREW AGNÊS
It should be. So 11 months after they first met in that winter of 2015, they were engaged. So James had been prodded by Julia and Irina in that sort of direction.
GRAHAM CLULEY
Lucky him.
CAROLE THERIAULT
Yeah, he's getting a 32-year-old cutie who doesn't speak English and won't smooch him.
ANDREW AGNÊS
Yeah. But he was completely in love. He'd fallen in love with her and he was under no illusion. This was a real thing.

She was trapped in her country, you know, he wanted to be this knight in shining armour that helped her out, took her away.

And there's actually video footage from their engagement party, you know, which shows James dancing like a dad on the dance floor and Irina's moving around smiling, waving at the camera, glitter's falling from the sky, Whitney Houston's ballad "Could I Have This Kiss Forever" echoing across the room.

This is an Eastern European version of a Hallmark movie. Everything's good. So, how could this possibly go wrong? He's met her in person.

He was introduced to her by someone he thought was a friend. She's a real person. He knows all about her. How could this possibly end badly? Well, good question, I ask myself.

So, James started paying for her to have English lessons, right? And the hope was that he would be able to bring her back to the UK with him.
GRAHAM CLULEY
Civilise her. Yes.
CAROLE THERIAULT
I so hope when she learns English, she tells him, "Oh my God, I've been trying to tell you for months. I've been scamming you." Yeah.
GRAHAM CLULEY
It's the translator all this time. Yes.
ANDREW AGNÊS
So after a few chats with the embassy, it was clear that the process to get her back to the UK was going to take several years.

So he was "Look, I don't want to wait any longer." So he thought moving to the Ukraine and starting a new life with Irina there would be the best way to go.

So he quit his job, sold his house, and obviously with Irina's encouragement, they began looking for a place to live.

And obviously buying a house was expected because they said it gave that sort of permanence to the relationship.

But obviously transferring money from the UK to the Ukraine is not a straightforward task due to it being statistically one of Europe's most corrupt countries.

So money laundering controls are just ridiculous. You can't just transfer money from a house sale in the UK to a bank account in the Ukraine.

So, Irina came up with an out-of-the-box suggestion to sort of get this $200,000.
CAROLE THERIAULT
Give me your money.
ANDREW AGNÊS
I know how to get this apartment money to the Ukraine. But instead of putting the money into her personal account, she said, look, I've got another friend called Christina.

She's our wedding planner. But because she's got a business account, it's not going to flag anything, right? You know, that money can just get straight out there, no problem.
CAROLE THERIAULT
Of course, Sugar Plum. Sounds brilliant, Sugar Plum.
ANDREW AGNÊS
But again, you know, thinking, well, is this a good idea? But actually, it all makes sense, right?

You know, a business account has probably got less stringent controls on it than a personal account, or it's got certainly a higher limit.
CAROLE THERIAULT
There's a number of red flags here so far. You keep saying it all makes sense. I'm like, hmm.
ANDREW AGNÊS
But Carole, I think it kind of does because you're a year into a relationship here.
GRAHAM CLULEY
They've had their engagement party.
Unknown
All the friends have been there.
GRAHAM CLULEY
You know, they've had the dance, they've had Whitney Houston, right? They're going to buy a place together.

It's just a way to get money in, is to put it through her friend Christina's business. Okay, it sounds good. You know, no snogging though, that's a bit disappointing.
ANDREW AGNÊS
No. Well, old school though.
CAROLE THERIAULT
Have they snogged now? Do we know that they snogged?
GRAHAM CLULEY
They're not married yet, Carole. You can't kiss people until you're married in Ukraine.
ANDREW AGNÊS
The wedding's coming.
CAROLE THERIAULT
They had Whitney Houston pre-wedding. That is a giveaway. That's a red flag if it's December 1st. Okay, carry on.
ANDREW AGNÊS
So a bit of a snag came up, okay? Irina announced to James that the bank would only release the money if he was legally married to Christina, the wedding planner.

Now, you know, it's just a formality, okay? She's saying, look, just, we'll get it done in 10 minutes, okay? You go to a registry office.
GRAHAM CLULEY
Hang on. Does everyone who tries to give money to Christina's wedding planning business also have to marry her before they reach the money?
ANDREW AGNÊS
Yeah, I don't know how many times she's fallen in love and then had someone fly out there to live with her.
GRAHAM CLULEY
So you need to marry the wedding planner.
ANDREW AGNÊS
So now you need to marry the wedding planner in a registry office, 10-minute job, bish-bosh.
CAROLE THERIAULT
Okay, are you still saying— Of course, of course, of course. And then, you know, it's completely reasonable. Are you both saying—
ANDREW AGNÊS
Well, so now James is, "This isn't what I planned for." Okay.
CAROLE THERIAULT
This is not— this is a bit of a red flag.
GRAHAM CLULEY
Hang on. How hot is Christine? Christina? Do we know? How hot is she? Maybe he could do a pivot here. Does Christina speak English? Because that'd be convenient.
ANDREW AGNÊS
Yeah.
CAROLE THERIAULT
Do you know the Beatles?
ANDREW AGNÊS
I don't have that level of detail, unfortunately. So Christina's not a main character.
GRAHAM CLULEY
Okay.
ANDREW AGNÊS
Despite, I mean, despite getting married, obviously Christina's not the main character. So James is now in this impossible situation, right? Okay.

So Irina's threatening to call off the wedding unless, you know, this money's released and they had a home to move into, you know.

And she starts saying, look, you're going to make me look like a prostitute in the eyes of my family.

You know, is it essentially what she's saying, that, you know, I can't be married and not have a house to settle down in? And so, you know, things are not looking good.

He's feeling pressured.
CAROLE THERIAULT
Yeah.
ANDREW AGNÊS
So 60 guests at the wedding, including their family. James is like, oh my God, I don't want this. I don't want it to look bad.

So I'm going to get married to Christina, then we'll get divorced, and then I can marry Irina.
CAROLE THERIAULT
I love your empathy, Andy, because you really are identifying with him. Is this — Is he your friend?
GRAHAM CLULEY
Yeah. It's suspicious. They call this character James.
ANDREW AGNÊS
No comment. No comment. I'm still scarred. Nyet. So, it was July 2017. With the encouragement of his fiancée, Irina, James actually married the wedding planner, Christina.
CAROLE THERIAULT
Of course.
ANDREW AGNÊS
And Irina was there.
CAROLE THERIAULT
Reasonable.
ANDREW AGNÊS
Yeah, she was happy for them, jumping up and down. The money was released that same afternoon. And Irina then said, look, $200,000, it's all out. We've spent it on an apartment.

And that's great. They've now got the place to move to. But the challenge was that apartment wasn't just in James's name.

It was also in the name of Christina, his fake wife, the wedding planner. Yeah. Also, I mean, it gets even worse. He actually found out that the value of the property wasn't $200,000.

It was actually just $60,000. Oh. This is where the penny drops.
CAROLE THERIAULT
Oh, this is when! This is when it drops! This is when! It's not when he had to marry the fucking wedding planner. It didn't drop then.
ANDREW AGNÊS
Okay.
CAROLE THERIAULT
Okay, reasonable.
ANDREW AGNÊS
Now he's starting to have sort of second thoughts.
CAROLE THERIAULT
He's starting to think, hmm.
GRAHAM CLULEY
Seriously, Carole, you're being very sceptical. Have you never married someone else in order to get married to the person you wanted to get married to? Have you never done that?
ANDREW AGNÊS
Is that not how you do it in Canada?
GRAHAM CLULEY
It's fairly traditional, I thought.
ANDREW AGNÊS
Yeah. So, but believe it or not, he actually still got married to Irina. So he was obviously paying for everything. And Ukraine is relatively cheap by European standards.

But he had a $20,000 wedding bill. 60 guests.
CAROLE THERIAULT
Twice.
ANDREW AGNÊS
Twice. But 60 guests that he actually now believes were paid to be there. And now even Irina's mother turned out to be Julia, the translator's mother.

So the mother of the bride wasn't actually —
GRAHAM CLULEY
Oh, the translator's back.
ANDREW AGNÊS
Yeah. So, he was probably the only person at the wedding that thought it was real, unfortunately.
CAROLE THERIAULT
You know what? Netflix, grab the script. Yeah.
ANDREW AGNÊS
And it turns out that Irina actually already had a husband as well. She already had a husband. And the wedding planner also had a husband as well, who —
GRAHAM CLULEY
Oh, hang on.
ANDREW AGNÊS
Yeah. I know.
GRAHAM CLULEY
So it's traditional for the men to get married multiple times, but for the women, they don't get divorced. They just keep on marrying.
ANDREW AGNÊS
Well, so he actually divorced her prior to Christina's marriage to James. And then after James divorced Christina, her ex-husband then remarried her.
GRAHAM CLULEY
I'm gonna need a flowchart for this.
CAROLE THERIAULT
Yeah, this is The Archers on speed, okay?
ANDREW AGNÊS
I know. Yeah, so with the evening of the wedding reception, it was going to be their first ever night of intimacy with James and Irina.

And next thing you know, he sort of woke up in a taxi after violently shaking.
CAROLE THERIAULT
We're drugged to the gills.
ANDREW AGNÊS
Exactly. He ended up in hospital. Irina refused to go and see him. She accused him of getting drunk and humiliating her in front of her family, you know.

And then for the next couple of weeks, kept saying she had medical problems and James couldn't visit her in hospital.

Because on his passport, he was still Christina's husband, not her husband. I mean, the whole thing just got worse.

So he, this kind-hearted charity worker, still sent $12,000 for her medical costs.
Unknown
Oh!
ANDREW AGNÊS
You know, which he genuinely believed she was ill. But ultimately, I mean, the madness stopped.
CAROLE THERIAULT
How much out of pocket is he?
ANDREW AGNÊS
In total, he's saying that the women scammed him out of $250,000. Boy, oh boy. But I mean, just the lengths that they went to to do this scam.

The amount of people involved, unbelievable.
GRAHAM CLULEY
This is insane. If you live in Ukraine and you're listening to our podcast, can you get in touch and tell us if this is normal?
CAROLE THERIAULT
Would you do this?
ANDREW AGNÊS
Yeah, so they, funnily enough, people have said this does happen. In Odessa in particular, they've got a reputation for marriage scams.

And so the police don't really deal with these things too often. And there's been no justice so far. So James has paid a private investigator $100,000 to recover the money.
Unknown
Hang on, hang on.
ANDREW AGNÊS
And there's a 30% finder's fee as well.
GRAHAM CLULEY
Who's this private investigator married to? Is he the cousin of the translator?
ANDREW AGNÊS
Well, that would— I mean, this would just be next level if that was true, right? That would be so good.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so I don't know how I'm going to follow Andy's story. Have you guys heard of Zach Weiner?
GRAHAM CLULEY
No.
ANDREW AGNÊS
It sounds like a fake name, if I'm honest.
CAROLE THERIAULT
Doesn't it?
GRAHAM CLULEY
Sounds like a medical condition.
CAROLE THERIAULT
It's not.
ANDREW AGNÊS
Yeah.
CAROLE THERIAULT
I'm going to show you a photo of 6 people, and I want you to decide at this stage who you think Zach Weiner might be.
GRAHAM CLULEY
Okay, well, 3 of them appear to be female. I imagine that is Zach.
ANDREW AGNÊS
And I'm going to stereotype and say that it's a Jewish name. And so I believe it would be the guy with the beard.
GRAHAM CLULEY
Okay, I think it's the guy in the bottom right, the young guy, dark hair, glasses.
CAROLE THERIAULT
Let me describe him, what he does and stuff, and see if you change your minds at all. So Zach is a screenwriter, actor, and film producer based in New York.

He's also running for city council 2021 in a district in the city. And he's running against 5 other candidates.

And what you're looking at is the 6 candidates that are running for District 6.

Now, the election is actually happening right now as we speak, and by the time this show is out, we are going to know whether he has won or whether he got kicked to the curb.
CAROLE THERIAULT
So I checked out Zach's website, and there's an About Zach, and in the About Zach section, it says, Zach has new ideas for the neighborhood he loves.

He will not stand for bad deals that hurt the quality of life and neglect the homeless under the false pretense of moral righteousness.
GRAHAM CLULEY
Oh, that's disappointing, isn't it? Because I'd really want to vote for someone who did support bad deals.
CAROLE THERIAULT
And his tagline is, on June 22nd, vote Weiner to start production. You know, because he's a screenwriter.
ANDREW AGNÊS
Oh dear.
CAROLE THERIAULT
Get it? Yeah, he's writing a better script for tomorrow's New York inspired by the vision of his community. Okay. Yeah, I know.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay. So why am I talking about this guy? Well, seems he is the latest victim in a crazy scandal that just might help him win or lose the election.

And that is my question for you guys. Okay. So by the end of this, I want to know whether you think this actually helped him before we actually know the results. Okay.

So Candidate Weiner, that's what we'll call him. Aside from writing screenplays and running for city council, has a few pastimes. Not golfing or making sourdough or things like that.

No, one of his personal détente activities is to be bound, gagged, and under the full care and attention of a dominatrix.
GRAHAM CLULEY
Okay, yeah, right.
CAROLE THERIAULT
Like, who doesn't? I know.
GRAHAM CLULEY
Yeah.
Unknown
Right.
CAROLE THERIAULT
It does sound a bit more fun than golf. But you know, what do I know?

Anyway, so we know this, we know that he enjoys this because someone anonymous, okay, air quotes here, released a snippet of a BDSM XXX video of candidate Weiner enjoying his private time.

And they released this on Twitter, along with the text, quote, my magnificent dom friend played with Upper West Side City Council candidate Zach Weiner, and I'm the only one who has the footage.

Do you want to see a still of the footage? I've got a still.
GRAHAM CLULEY
I don't know, you tell us. Do we want to see a still of the footage?
CAROLE THERIAULT
Of course you do.
ANDREW AGNÊS
Have we got video?
CAROLE THERIAULT
No, we don't have video. And this is—
ANDREW AGNÊS
Oh, just stills.
CAROLE THERIAULT
Yeah, we just— I have one still for you.
GRAHAM CLULEY
Oh, for goodness' sake.
ANDREW AGNÊS
Oh, okay.
GRAHAM CLULEY
I don't want to look at that.
CAROLE THERIAULT
This is in the New York Post, this picture. You might be able to identify who it is now.
ANDREW AGNÊS
This is Thom's basement. Basement.
CAROLE THERIAULT
Right, okay.
ANDREW AGNÊS
I've seen this room before.
GRAHAM CLULEY
This doesn't look like an amateur image to me.
CAROLE THERIAULT
No, it's not. It's not.
GRAHAM CLULEY
This looks quite professionally taken, professionally lit.
CAROLE THERIAULT
Now, what's interesting is the timing of this leak is interesting because it's just a week before the local elections, right? So this got leaked last week and today—
GRAHAM CLULEY
Are those clothes pegs?
CAROLE THERIAULT
Yes. Clothes pegs are clamping something.
GRAHAM CLULEY
No, we don't go into detail.
CAROLE THERIAULT
No wonder the New York Post dubbed this whole story a late-breaking case of electoral bondage. So cute. Now, this is not a deepfake. Candidate Weiner is owning it. Okay.

In a call with the Post, Weiner confirmed it was him in the video and said the footage was made about 18 months ago with a former girlfriend he met during a Halloween party in 2019.

Quote, I am a proud BDSM I like BDSM activity. He refused to name the woman in the video and said he had no idea on earth how this footage was surfaced. Okay.
GRAHAM CLULEY
Yeah, yeah, right.
CAROLE THERIAULT
The deal here was he did this little video. He knew it was being recorded. It was being recorded by this famous place in New York, apparently.

I can't remember what it's called, but there's someplace where you can kind of have your activities recorded, in sex. Yeah, that's right. The sex dungeon, the Guggenheim.

That's right.
ANDREW AGNÊS
The Langford land.
CAROLE THERIAULT
And okay, so he comes out, he comes out, candidate Weiner, right? He goes, whoops, I didn't want anyone to see that, but here we are.

I'm not ashamed of the private video circulating of me on Twitter. This was a recreational activity I did with my friend at the time for fun.

Like many young people, I have grown into a world where some of our most private moments have been documented online.

While a few loud voices on Twitter might chastise me for the video, most people see the video for what it is: a distraction.

I trust that voters will choose a city council representative based on their policies and their ability to best serve the community. Comments?
GRAHAM CLULEY
Right.
CAROLE THERIAULT
I'm backing up. Off the mic.
GRAHAM CLULEY
Can I intervene at this point?
ANDREW AGNÊS
Yes!
GRAHAM CLULEY
Because I can smell something in the air. In the air.
CAROLE THERIAULT
Interesting.
GRAHAM CLULEY
I think I smell a little bit of BS.
CAROLE THERIAULT
Do you?
GRAHAM CLULEY
About all of this.
ANDREW AGNÊS
BDSM or just BS?
CAROLE THERIAULT
Yeah, BDSM.
GRAHAM CLULEY
Because I think this is all a publicity stunt. I think this is a video which he has had made. It looks too professional. Doesn't look furtive.

I think he's done this to gain himself notoriety.

He's done this because now, presumably just a couple of days before the election's going to take place, everyone will be talking about him rather than anything else.

He's come out with this rather cute statement of oops, you know, I'm not ashamed of this and all the rest of it.

And all the trendy liberals on the East Coast, they're not going to be bothered about this either because he's not hurting anybody. It's not like he's been—
ANDREW AGNÊS
It's consensual.
GRAHAM CLULEY
He's not been sucking up kids under his treadmill or something on that.
CAROLE THERIAULT
He's basically saying, you think I'm boring, I'm not boring.
GRAHAM CLULEY
Yeah, but you know what, I wouldn't vote for him now.
CAROLE THERIAULT
Why?
GRAHAM CLULEY
And not because, because I think he's full of shit. I think he's a liar.
CAROLE THERIAULT
Whoa, you have just— I'd just say you did a 180 and you decided to hate him.
GRAHAM CLULEY
No, no, my hunch, my hunch, and may I, if I am wrong, let me know, but I have to work on my hunches here. My hunch is that he is behind all this as a publicity stunt.

He's pretending it's been leaked against his will. I think he was right behind it. And it just makes me think, well, I can't trust you. I don't want you representing me. Wow.
ANDREW AGNÊS
See, I don't think it's a fake video. I think this is a genuine session that he's probably been through. But I do agree with Graham that I think he is probably behind the leak.

But I see it more as a power play. You know, if he's prepared to leak stuff like this, you know, what have you got on him.

You know, any sort of political leverage, you know, other— his opponents might think they've got. I'm going to release an embarrassing video of you.

And he's like, well, I've just released my own video of me with a hamster going up my ass in a gerbil in a toilet roll.
CAROLE THERIAULT
Beat that.
ANDREW AGNÊS
Yeah. What have you got? You know, bring it. This is a power move. This is.
CAROLE THERIAULT
So it's interesting because I got the same twinge when reading that statement he said, because I think all of it— owning it, fine, who cares, right?

I love this community, great, great, great, you do you.
GRAHAM CLULEY
Yeah, don't kink shame.
CAROLE THERIAULT
The fact that he didn't come out and say, and whoever did this, shame on you, and I hope you get caught— there's none of that.

There's no, basically, if this happened to anyone, it would be revenge porn. Yeah, I mean, this is kind of revenge porn.

You're doing something completely private and a third party is slapping it online, naming you and shaming you.

And he's ignoring that whole side of it going, "Yeah, yeah, it looks like— turns out I got a sexy sex life." I don't know. So I had a twinge there too about that.

So we will find out, I'm sure. Time will tell.
GRAHAM CLULEY
So I think I want to vote for the woman who's in the middle on the top row of the 6 pictures now. I think I like her the most. Yeah.
CAROLE THERIAULT
Always go for a woman. I agree. Smashing Security. So I was wondering why, if you were into this, why would you film it? Especially if you were a millennial, I think he's 26, or 28.

So why would you consent to someone videoing you, you know, enjoying yourself?
ANDREW AGNÊS
Different generations, though. I think it's quite normal to live under a camera quite a lot of the time these days.
CAROLE THERIAULT
Yeah, because there was a Dom interviewed by Motherboard, a dominatrix, or I shouldn't use the shorthand.

They said sometimes clients request to be filmed because they want to be able to look fondly back at their experience.

Quote, think of it like a bar mitzvah video where the only person that might ever watch it again is the client.
GRAHAM CLULEY
So do you think he really is into BDSM?
ANDREW AGNÊS
Yep.
GRAHAM CLULEY
Yeah, yeah, because I wouldn't put those clothes pegs on unless I was, right?
CAROLE THERIAULT
Now, yeah, Twitter suspended the account hours after the video was posted, right?

But it was also posted on OnlyFans, or snippets were, you know, so that you could buy the whole video or whatever.
ANDREW AGNÊS
And do we know where that money's going to, or who's behind that OnlyFans account?
CAROLE THERIAULT
Yeah, exactly. Follow the money. New York Times, tip to you guys, follow the money.

So OnlyFans only removed the video after 24 hours, and this was after Motherboard reached out to the company for comment saying it was in violation of the OnlyFans terms of service.

That's the story. So interesting. Yeah, so one of my questions at the end was, did he do it himself? But we've already covered that one because—
GRAHAM CLULEY
So are we all, are we all thinking he did?
CAROLE THERIAULT
We are.
GRAHAM CLULEY
Yeah. And so how is this going to affect the election?
ANDREW AGNÊS
It's not— I don't think this type of thing bothers people at all.
CAROLE THERIAULT
No, but do you think he might win? Maybe he was never going to win this thing because he just looks too young to run a city council for me, but I'm too old to judge that.

Anyway, who knows what's going to happen? But you know what, guys, go look up his name, Zach Weiner. Did he win? Did he win?
GRAHAM CLULEY
Might you confuse his name with the other famous wiener?
CAROLE THERIAULT
Well, you know what, that was my first thought. That's why I decided to cover the story straight away. I was like, no way, his son— his son is now in politics?

And then no, apparently they don't have anything to do with each other. But great documentary, Weinergate. Check it out.
GRAHAM CLULEY
Chums, if you remember one thing from today's episode, it should be to check out the leading cloud directory platform, JumpCloud.

JumpCloud's directory platform makes it easier to solve today's IT challenges by unifying device and user management through a single pane of glass.

With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy.

Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organization move to a modern, secure hybrid work model.

Around 80% of business data breaches result from weak or reused passwords.

Using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are.

1Password makes the secure thing to do the easiest thing to do.

Quickly deploy 1Password to a single team, multiple teams, or your entire organization, provision employees using trusted systems, respond rapidly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security.

Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show.
CAROLE THERIAULT
So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist.

In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised.

Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions.

And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform.

See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest.

Think of KnowBe4 for your security training.
GRAHAM CLULEY
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ANDREW AGNÊS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
And my Pick of the Week this week is not security-related, but it is Canada-related, Carole.
CAROLE THERIAULT
Oh, better not be shaming us in any way.
GRAHAM CLULEY
No, not shaming. It is in fact possibly your greatest cultural export ever.
CAROLE THERIAULT
Oh, maple syrup?
GRAHAM CLULEY
In your history.
CAROLE THERIAULT
Leonard Cohen?
GRAHAM CLULEY
No, not maple syrup.
CAROLE THERIAULT
No, no. Celine Dion?
GRAHAM CLULEY
It is Joni Mitchell. Album Blue is 50 years old this week. Can you believe it?
CAROLE THERIAULT
You just heard about it?
GRAHAM CLULEY
50 years old this week. Perhaps it's my favorite album of all time. I absolutely love Blue by Joni Mitchell.

It chronicles the breakup of her relationship with Graham Nash, if you remember him from The Hollies, giving away her daughter in maybe the greatest Christmas song ever.

What was the greatest Christmas song ever, everybody?
ANDREW AGNÊS
Killing in the Name of?
CAROLE THERIAULT
No.
ANDREW AGNÊS
Oh, damn it.
GRAHAM CLULEY
Anyone, anything else? Any other candidates? It is of course River. Never heard of it. Of course, you've never heard River by Joni Mitchell?
CAROLE THERIAULT
I don't know if I have or noticed it.
GRAHAM CLULEY
Well, you'd know the tune. It's Jingle Bells is the tune, but it's a sad, plaintive Jingle Bells. And also some of the shenanigans she got up to on a Greek isle.

A new EP has just been released with some demos and outtakes to celebrate the 50th anniversary of Blue, including a version of A Case of You with slightly different lyrics.
CAROLE THERIAULT
Are you going to buy the record for your record player that I got you when you turned 50?
GRAHAM CLULEY
You know what? I very well might, because—
CAROLE THERIAULT
Good.
GRAHAM CLULEY
This is such an incredible LP. I love it to death.

This, Blood on the Tracks by Bob Dylan, and the Moondance LP by Van Morrison were the soundtrack of a couple of years of my life when I was at college.

I just listened to them on repeat constantly, and it's fantastic.

And if you've never heard Blue by Joni Mitchell, go and check it out in your normal places where you can hear LPs or albums, as I believe they're called these days.

And that is why it is my pick of the week.
CAROLE THERIAULT
Good one.
GRAHAM CLULEY
Good one. Thank you very much. Andy, what's your pick of the week?
ANDREW AGNÊS
So again, I do not have a security-related pick of the week. Do we have any Star Trek fans here?
GRAHAM CLULEY
Certainly not.
ANDREW AGNÊS
Oh my days.
CAROLE THERIAULT
I am kind of, but I don't have very good memory, so I'll do the best. What's your best?
ANDREW AGNÊS
Well, so, you know, if you can speak three languages, you're trilingual. If you can speak two languages, you're bilingual. If you speak one language, you're British. So my—
GRAHAM CLULEY
If you're lucky.
ANDREW AGNÊS
If you're lucky. My pick of the week is— Star Trek fans will know it as a universal translator. And this is the Timekettle. The particular model I've got is the M2.

So I work around the world and I have very poor linguistic skills. I barely speak English.
GRAHAM CLULEY
That's what she said.
ANDREW AGNÊS
Dear. See, I'd expect that on the Host Unknown podcast, not this upmarket show, right?
CAROLE THERIAULT
Yeah, Graham.
ANDREW AGNÊS
Yeah, bringing the tone down.

And so what it does, you know, this sort of robotic voice that you've got at the beginning of the show, this is episode 232 with, you know, it does the intro.
GRAHAM CLULEY
So, oh yeah, Geoff.
ANDREW AGNÊS
This Geoff. Yeah, this is a real-time translator. And it listens to language, and in your earbuds, it will actually translate it, unfortunately, in that robotic voice.

But there's only about a 2-second delay. So I can join meetings with people speaking in Spanish, different dialects of Spanish, and it will translate it.

Unfortunately, dictionary word-for-word translation. So you have to put parts of it together.
CAROLE THERIAULT
Yeah, it's like Google Translate, I guess.
ANDREW AGNÊS
It is exactly that, yeah.
CAROLE THERIAULT
So you get about 60% of what they're saying, and make huge decisions based on that.
ANDREW AGNÊS
Excellent. Yes. Yeah. And it's worked for me so far. And that's how I became the mayor of Chakota in Russia.
GRAHAM CLULEY
Did you end up marrying some—
ANDREW AGNÊS
Yeah.

Well, had James used one of these devices for, you know, less than $200, he could have actually understood the conversations that were happening because it supports 40 different languages on one device.
GRAHAM CLULEY
So this is like a Babel fish from Hitchhiker's Guide to the Galaxy.
CAROLE THERIAULT
People can use—
GRAHAM CLULEY
Yeah. Put this in your ear.
CAROLE THERIAULT
This is like international dating, you know, material. This opens up a whole new world, right?
GRAHAM CLULEY
So this really, hang on a minute. That's, backtrack, backtrack. Andy, this really works, does it?
ANDREW AGNÊS
Yeah, so I use these quite often. So I work in a company that's sort of multi, you know, quite global.

And if I join a meeting where I'm the only person that doesn't speak that local dialect, so whether it's Portuguese or Spanish or something, I'll say, look guys, don't let me hold you back.

You know, converse locally and I will, you know, I'll keep up with it. Yeah, I'll keep up.
GRAHAM CLULEY
Hang on, but how do they understand you though?
ANDREW AGNÊS
Because I speak in English and because they are so good, their education system is far superior to us. They understand bits of English. It's just easier for them to speak.
CAROLE THERIAULT
Do you have very, very tiny earbuds that no one can see so they think you actually speak 40 languages? This is a problem.
ANDREW AGNÊS
They're not small. So if you think of the Apple— well, no, they do fit in your ear though. So if you think of the Apple AirPods.
CAROLE THERIAULT
Yeah, they're 15 times the size.
ANDREW AGNÊS
They're over-the-ear versions of those. No, they are a bit thicker than that.

So, you know, they actually fit in the ear, but the thickness of that bar which comes down is a lot bigger. Probably about twice as big. Yeah, that matters though.
CAROLE THERIAULT
I remember a guy getting a watch that was twice as high as a normal watch, and it really caused issues. You know, the watch did.
Unknown
Oh yeah.
GRAHAM CLULEY
Andy, I'm still interested in these. Are these, is there an online component? Is it sending the stuff to the cloud or is it all happening on device?
ANDREW AGNÊS
No, it's clearly sending stuff to the cloud. This stuff is way too small to do anything locally. And to be honest, you know, that information could be going to China or Russia.

I mean, the languages it supports from Arabic to Filipino, Icelandic, Tamil, Thai, Turkish, Urdu.
CAROLE THERIAULT
It's Bluetooth, so it connects whatever, connects to your phone.
ANDREW AGNÊS
Yeah, and it uses your phone. Yeah, it goes through your phone and sends all your data.

But the great thing is at the end of it, because when it does a translation in your ears, it also does the transcript on screen on your phone.

So it's got what it heard and then it's got the English translation on the opposite side.

So for me, it's actually useful notes to go back and see what was discussed in the meeting as well. And then I can say, oh, that's how they understood it.

That's not the direction I was going.
GRAHAM CLULEY
So how much do these Timekettle earbuds cost?
ANDREW AGNÊS
The Timekettle, yeah, so I actually got it quite a while ago on Kickstarter. And, but now, you know, they've got their own website. You can buy them on Amazon as well now.

And I paid, I think at the time, about $179 US. And you love them? I do love them. It's just a whole new world for me.
CAROLE THERIAULT
Have you ever caught anyone, have you ever got them to translate an insult that someone was saying about you, not realising that you were actually not listening to music, but actually eavesdropping on them?
ANDREW AGNÊS
No, most of my colleagues are polite enough to insult me in English.
CAROLE THERIAULT
Do you ever go to a restaurant on your own and put them on just to see what people say about you around you?
ANDREW AGNÊS
I haven't yet, but I, do you know, this is the only problem, you have to set what language to translate. It doesn't automatically translate.

So, you know, I need to, if I'm walking down the street and I hear, you know, some foreign language, I've got to figure out what language that is first.

If it's not French or Spanish.
CAROLE THERIAULT
There's an app for that, I'm sure.
ANDREW AGNÊS
Yeah, download another app. That'll be next week's Pick of the Week.
CAROLE THERIAULT
Okay, perfect.
GRAHAM CLULEY
Wow, that's extraordinary. Carole, what's your Pick of the Week?
CAROLE THERIAULT
Okay, Graham, you know what my Pick of the Week is, but for our listeners and for Andy, it is a crazy weird documentary that I watched over the weekend.

Now, it was released way back in 2015, and it's mad. It's a bit sad. It's funny.
GRAHAM CLULEY
Is it?
CAROLE THERIAULT
Well, we'll come to that. Okay, the premise is this. Okay, Graham, you can interrupt any time because I mean, you watched it.

Okay, someone gets— I want to try and keep as much out of it as possible, right? But someone gets their leg amputated following an accident, and they decide to keep the leg.

And the leg, through a series of strange events, becomes the property of a third party who becomes known as the Footman because he uses this leg to try and gain some fame.
GRAHAM CLULEY
Notorious.
CAROLE THERIAULT
Became notorious. Yeah.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But our primary leg owner, the amputee, wants his leg back. And the story is about how he goes about this quest.

And the documentary is cleverly called Finders Keepers, which is not a giveaway. Though it could be, but it might not be. Don't read into that.
GRAHAM CLULEY
So with that kind of description, that's what enticed me to also watch this movie.

So Carole said to me, she said, oh, there's this great movie about a guy who's lost his leg, literally lost it. Well, not lost his leg.

It's become the property of somebody else and he wants his leg back. And she said, it's really funny. And so I watched— I found it— I mean, it's peculiar.

It's also rather miserable.
CAROLE THERIAULT
Andy, I'm really going to ask you to try and watch this, okay?
GRAHAM CLULEY
There's a lot of dysfunctional people in this.
CAROLE THERIAULT
Well, no, no, maybe normal. Maybe normal. Maybe you're the dysfunctional one. Who knows? There's a line where the footman says, quote, I'm pretty smart.

I'm sure you all figured that out by now.

I've heard from many a folk kin to me and close to me, and the ones that know me, they tell me I have the best business mind that they've ever seen.

Okay, so that's who you're dealing with as the footman.
GRAHAM CLULEY
And he claims at one time that if he'd had a lucky break or something, I could have owned Microsoft, Apple, and I had owned Bill Gates's ass by now. I should be the CEO. Yeah.
Unknown
Yeah, all I got is this foot.
CAROLE THERIAULT
Yeah, so Graham, he really thinks he's smarter than most people, right? And he just feels— there are some poignant moments, okay?

It's not just funny, but there's some poignant moments. And you go to laugh, but you walk away having learned something about the human condition.
GRAHAM CLULEY
What did you learn about the human condition, girl, from this movie?
CAROLE THERIAULT
I learned that not all mothers are terribly loving. That sometimes you can go through something hard in life that actually makes you go crazy.

That if you somehow get addicted to something, it can skew your whole view on everything.

And if you have big dreams to become rich off the backs of other people, it can bite you in the ass. That's what I've learned.

Anyway, I recommend anyone who's kind of intrigued— Andy, you're totally intrigued. Go watch it. It's on Amazon. Finders Keepers.
ANDREW AGNÊS
It says, "One man's leg is another man's treasure." That's the tagline for the film.
CAROLE THERIAULT
Exactly! That's the tagline. Why wouldn't you watch it? Our mutual friend, Thom Langford, watched it.
ANDREW AGNÊS
Yeah, but he's a freak. He's—
CAROLE THERIAULT
He liked it. So, Andy, we need you to break the oath.
ANDREW AGNÊS
Mutual acquaintance, really.
GRAHAM CLULEY
Yeah, exactly. You watch it, Andy, and report back to us.
ANDREW AGNÊS
I'll do that.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Need a tiebreaker. Now, Carole, you've also been busy this week. You've been chatting to Roger Grimes of KnowBe4.
CAROLE THERIAULT
Yes. I have never spoken less in an interview than with this one. This guy has a lot to say, and it's all gold, really. Take a listen. Today we get to chat with Roger Grimes.

He has been with KnowBe4 as its data-driven defense evangelist for 3 years. Now, today Roger joins us on Smashing Security. Roger, it's a pleasure to speak with you.

Thank you so much for making the time to chat with us.
Unknown
I'm delighted to be here, truly.
CAROLE THERIAULT
So here's a little bio for our listeners here. So you've been in the computer industry for more than 30 years.

You've been a consultant, an instructor, you hold dozens of computer certifications, you're an award-winning author, 10 books, 1,000 magazine articles. Are you 90?

Because that's quite a serious bio.
Unknown
Yeah, I'm 54. I'm actually just working on my 13th book right now. But yeah, I just kind of got into the groove of things.

I got a lot of certifications when I worked at a boot camp for a training boot camp for a couple of years that I took 50 certifications there.

So some people go, how could you possibly have that many? I have a lot of free time and I test for free, but I've been doing it 34 years.

I've certainly, I was here before the internet.
CAROLE THERIAULT
Can you tell me a bit about your job? Is the title Data-Driven Defense Evangelist?
Unknown
Yes, yes, I made it up actually when I came to KnowBe4. I'd written a book called Data-Driven Computer Defense, which I consider kind of my magnum opus out of my 13 books.

It really is the one that talks about the underlying problems.

Like we're so hacked today, you know, by malicious hackers and malware because we're not doing computer security, we're not doing risk management correctly.

And that's what that book was all about because I realized I was working for Microsoft at the time and I've been doing security for a long time.

I was putting in these multimillion-dollar advanced security systems and multifactor authentication systems and helping to create the most secure features in Windows Vista and above.

And I realized that all my clients were still being hacked by social engineering and unpatched software. And it was kind of embarrassing how misaligned all the money was.

And that's what I realized, you know, the vast majority of people are compromised with social engineering and unpatched software, but the average organization only spends about 3 to 5% of their resources upon that.

And it's that fundamental misalignment that allows hackers and malware to be so successful today.

It's funny, computer security is 100% about risk management, and yet in this industry we have some of the most immature risk management ideals possible.

Most people have no idea of how bad it is. Everybody sees attackers and threats kind of as bubbles in a glass of champagne.

And what they don't realize is that two of those bubbles are far bigger than all the other bubbles added together. But the defenses, everyone's trying to do everything right.

Or put it in another context, suppose you get a security control document. In the States, a really popular one is the NIST Cybersecurity Framework or HIPAA or Sarbanes-Oxley.

Or NERC, or, you know, there's no lack of security control documents telling you to do good things, or PCI DSS, you know, for credit card transactions.

But what they, the average controls document is probably 80 to 200 pages long, probably has 200 to 300 controls and things they tell you to do well.

And what they don't tell you is that 2 or 3 of those things are almost all the risk.

And the documents themselves, even though they're 80 or 200 pages long, will devote less than a page to each of those two topics while spending 10 pages on storage encryption.

You know, and it's that, you know, it's the entire industry is trying to distract you from figuring out what you really need to concentrate on. So that was my book.

A lot of people that read it, a lot of people say it changed the way they think about computer security the rest of their life and every aspect of their job.

But when I came here, Stu, the CEO, said, Roger, what do you want your title to be? And I said, data-driven offensive analyst.

And I kind of, I regret barking that out because he won't let me change it now, but I get to talk about it to people such as yourselves, and so maybe it's all right.
CAROLE THERIAULT
I think it's pretty good. I mean, you get to promote your book as well, so, you know, win-win.
Unknown
Yeah, yeah, yeah.
CAROLE THERIAULT
So when we were chatting earlier about this interview, you said something that was really interesting.

You said, and you've made it, you alluded to it just now in your job description. So you mentioned that how most computer defenses are broken and how to fix them.

So maybe you can crack that open for me a bit more.
Unknown
Yeah, so certainly number one, it's this fundamental distraction of all of these threats coming at you.

Like last year, there was over 8,000 separate vulnerabilities that you were told that you had to patch. Year before that, over 12,000. Year before that, over 15,000.

Year before that, over 12,000. Even in the smallest years in the last earlier part of the decade, it was 5,000 or 6,000.

So we're being told to deal with somewhere between 5 or 7 and 55 different exploits that we're told that we have to patch every day.

About one-fourth to one-third of those are considered the highest criticality.

You have to worry about millions of malware programs, hundreds of millions of malware programs each year.

You have to worry about all the different types of attackers, ransomware attackers and script kiddies and financial thieves and nation states and intellectual property.

So you're being told you have to worry about all this stuff. And in the middle of that, it ends up distracting people and people can't focus on what really matters.

Not only that, but we actually are forever calling— one-fourth and one-third of everything we're told to fear, we're told is high risk.

You know, high risk, you have to deal with it. I use two really good examples.

One is, you probably heard about those credit cards that have those RFID tags on them, wireless, and, you know, they're used more in Europe than here, but they're actually getting quite popular in the United States.

And the whole threat model is that an attacker can simply walk by you, you walk by them at a corner, and they sniff your credit card with an RFID scanner, and then they recreate your credit card and steal and rob your bank account or your credit card account.

And indeed, I performed that demo at dinner parties, and you can go on YouTube now and put in RFID Prime, and you're going to get a ton of videos showing people, myself, researchers, showing you how easy it is to do.

It really is easy to do. And let me say, there's a billion-dollar industry that's been created to help stop this crime.

There's these little credit card sleeves they give away at computer security conferences. There's wallets made of the material. There's purses made of the material.

My wife said she was shopping for jeans last year and she saw the jean bragging that it had this anti-RFID material built into the pockets.

You know, but the wild thing is there's never been a single documented real-world crime that an RFID shielding product would have prevented.

Just because something can be done doesn't mean it will be done.

And understanding the difference between what could happen and what is likely to happen is the difference between an okay risk manager and computer security person and a good to a great computer security risk manager.
CAROLE THERIAULT
And you know what, to be perfectly fair to that point, I don't think people in the media, people like us, necessarily always help that because we talk about the new ways that people are either displaying how an attack might work or a proof of concept.
Unknown
What you just said is very true. We even hurt ourselves, red teaming real quick. You're like, oh, I got a red team, we're going to break into my company.

Every red team I've ever met breaks in using these fantastic ways and they take over the organization and they publish this paper.

But the way that they broke in has almost no relevance to how real attackers actually break in. And so it really does you very— it actually does you harm. It distracts you.

If your red team isn't trying to break into you the same ways that the real-world attackers did, it's actually hurting you. So how do most people get broken into?

I've been researching this for two decades.

It's 70 to 90% is due to social engineering of some sort, usually email, can be through the web, can be through SMS messaging, can be through voice calls, can be through a physical thing.

But 70 to 90% of all successful malicious data breaches happen because of social engineering. About 20 to 40% happen because of unpatched software.

And then the third thing that might be up in there could be either password guessing attacks or USB key attacks or whatever, but number 1 and number 2 by far, those 2 things added together account for 90 to 99% of the risk, social engineering and unpatched software.

Not only do they account for 90 to 99% of the risk today, it's been for the entire perpetuity of computers since I've been in it for 34 years.
ANDREW AGNÊS
Yeah.
Unknown
You know, so when people go, and I say, don't believe me, I worked for KnowBe4, we're trying to sell you anti-social engineering software and services. I could be lying to you.

I have every incentive to lie to you.

Just ask yourself, when your company's been compromised and you're able to find out what was it, or when your computers at home got compromised, or your cell phone, how did it happen?

So about 2009, social engineering became more popular because Apple came in, Chromebooks came in, and the attackers would have to write different viruses and malware and software exploits to break into your equipment.

So they realized, oh, social engineering— if I ask you for your password, I don't care if you're on an Apple, a Chromebook, or a Windows machine, it works.
CAROLE THERIAULT
Do you think that social networking and the advent of more digital communication made it a hole-in-one that social engineering would take over in this front?
Unknown
Yeah. I think that's a very astute thing, right? We all got used to connecting with each other more rapidly.

When an attacker had to do something physically, let's say even going back to the RFID crime, one of the reasons the RFID crime doesn't really work is that the attacker has to be in public and he has to be around you and he'd be captured on CCTV cameras.

And he takes physical risk, and he's gonna actually get far less money.

But a virtual attacker can buy the credit cards by the millions on the internet for $2 to $5 apiece, get a lot more money, a lot more likely to be successful, and almost no chance of being caught.

You literally have to be a stupid criminal to rob somebody in public when you can be a very rich criminal living on your island or in your town with almost no possibility of getting caught.

So all the gangs, right? All the gangs have gone corporate.

And the reason why they did is they're like, wow, we were actually just hitting people up for money on the street and the storefronts and doing prostitution and drugs.

Well, we can do it through the darkweb and we can extort people using ransomware. These ransomware gangs are making $25, $40 million in a single haul, right?
CAROLE THERIAULT
You know, it's crazy.
Unknown
Yeah, they could have never done that in the physical world. Yeah, you'd have to pick a lot of pockets.

But let me give you one more example that I've used: probably the biggest vulnerabilities that were ever announced in my lifetime so far are Meltdown and Spectre.

Meltdown and Spectre came out a couple years ago. They were these chip flaws that impacted most of the chips that have been released since 1999.

If you had a Windows, Macintosh, Google, whatever machine you had, even your cell phone probably had this Meltdown and Spectre flaw in it.

And if you didn't patch it, there was no way to stop a compromise that was against it.

When they announced the Meltdown and Spectre flaws, they actually showed them conducting an attack.

And not only could you not stop it by anything your operating system had or firewalls or antivirus, but it wouldn't even show up in your event logs.

I mean, it was like this perfect crime. So I was sitting at a law office in New Orleans, and I said, listen, I don't think you need to patch Meltdown and Spectre. And they said, why?

I said, well, there's not been an attack in the wild. And one of the greatest indicators of whether something's going to be abused is if someone's actually using it.

And for one of the few times in my career, the person became dissatisfied with me. In this case, they actually stopped when I was talking and walked me out of the building.

And the guy said, listen, I'm trying to convince my board of directors — he was the CISO — he was like, I'm trying to convince my board of directors that we need to hurry up and patch these Meltdown and Spectre vulnerabilities.

They're super high risk and blah blah blah. Thank you, Roger, I think you're a great guy, but you're making my job harder. And he walked me out.

He ended up getting his board approval a couple of days later. He applied the patches.

It locked up all of his Windows machines, blue screened them, all of them, and it decreased the performance of his Linux machines by over 60%.

And here, two or three years later, there has not, as far as I know, been a single real-world attack using Meltdown and Spectre.
CAROLE THERIAULT
On KnowBe4's website, you have a free phishing test. Do you think this is something that organizations should be doing?
Unknown
Most organizations, because they're trying to do 20 things right at once or 200 things right at once, don't realize how easy it is for their employees to get socially engineered.

We frequently hear people go, well, we've probably got a couple of people that might do it.

And then the average organization that runs that free phishing test to get what's called a baseline test finds out somewhere on the average, the average customer we have come to us when they do that first phishing test has about a 38% click rate, what we call a phish-prone rate.

So over a third of the people in the organization have, let's say, clicked on a phish that when they looked at it, you think the IT person's like, "Any reasonable person would not have clicked on that." But turns out all kinds of people do.

And so you just, no matter how good your policies and your technical defenses are, some amount of phishing and badness will get to your end users.

So you train them how to recognize and be suspicious of certain types of traits, things telling them to open unexpected emails, you know, asking to open documents or click on links or things like that, or weird email addresses.

So you teach them just to look for the basics.

It's like teaching your 2 or 3-year-old look right and left before you go across the street, and you have to do that for a while, and then pretty soon that kid is looking right and left before you ask them to do it.

That's what we're trying to do, is create this healthy culture of skepticism where people just get a little skeptical of certain things.

Customers that do do that, so they do the training and they do simulated phishing at least once a month, they will decrease their phish-prone rate from about 37-38% to below 5% in less than a year.

And since social engineering is involved in 70 to 90% of all attacks, it is the number one thing you can do to significantly decrease cybersecurity risk in your organization.

I don't even have to guess. I've watched it for over 30 years.
CAROLE THERIAULT
Guys, you've heard Roger Grimes. You should try this for yourself. You can at knowbe4.com/freetest. Roger, thank you so much for coming on. You are such a pleasure to speak with.
Unknown
Thank you, Carole Theriault. Thank you. Appreciate it. Thanks, everybody, for listening to us.
GRAHAM CLULEY
How about that then? Well, that just about wraps it up for this week.

Andy, I'm sure lots of our listeners would love to follow you online or get in touch or find out what you're up to. What's the best way for folks to do that?
ANDREW AGNÊS
The best way, probably just drop me a message, 0780 958 3134.
GRAHAM CLULEY
Sorry.
ANDREW AGNÊS
Or listen to the Host Unknown podcast, but either way will work.
CAROLE THERIAULT
I have a feeling that might not have been his own phone number. I have a feeling we might have to censor one of the two of those numbers.
ANDREW AGNÊS
I swear, call that number now and I will answer it. I guarantee.
CAROLE THERIAULT
I remember what you said.
ANDREW AGNÊS
Okay.
CAROLE THERIAULT
I will check tomorrow when I'm editing, I'll check.
GRAHAM CLULEY
And you can follow us on Twitter at Smashing Security, no G, Twitter didn't allow us to have a G.

Of course on Reddit, check out the Smashing Security subreddit and don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Spotify, Pocket Casts, and Google Podcasts.
CAROLE THERIAULT
And huge, huge, huge thank you to this episode's sponsors, 1Password, JumpCloud, and KnowBe4, and to our wonderful Patreon community. It's thanks to all of them the show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 232 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
ANDREW AGNÊS
Bye-bye.
CAROLE THERIAULT
There we go, Andy. Baptism of fire.
ANDREW AGNÊS
That was fantastic. You know what, I just— it's like going to a live show.

When you're used to sitting on the sidelines and listening to it or watching it and you're actually there and it's like, wow, it's just so different.
CAROLE THERIAULT
What are you saying? We're shit?
GRAHAM CLULEY
It's so much better when you hear it on record.
ANDREW AGNÊS
No.
CAROLE THERIAULT
Hey everybody, Carole here. And we're going to do things a little bit differently today. I'm going to read this week's star review, and then we're going to discuss the content of it.

So the title is, "What a pair of idiots." Smiley face, smiley face. Quote, "I like Smashing Security a lot.

It's like listening to a well-informed, funny, long-married couple people bickering about something that interests you. I have to say I like Carole more. Or Graham. F it.

You can both stew over whom you like, but carry on with the great work." Signed, LaBar. Well, LaBar, let me tell you what I love about this. I love the 5 stars.

I love the smiley faces. I love that you put my name first. But idiots? I mean, I get idiot. One of us might be slightly subpar.
ANDREW AGNÊS
I don't know.
CAROLE THERIAULT
But definitely no S there, right? That was probably a typo. Anyway, LaBar, thanks so much. It's a great review, and it made me laugh, something that Graham consistently fails to do.

All right, guys, keep them coming. See you next week.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Andrew Agnês – @sirjester

Show notes:

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com

Sponsor: JumpCloud

JumpCloud’s Directory Platform makes it easier to solve today’s IT challenges by unifying device and user management through a single pane of glass.

With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy.

Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organization move to a modern, secure hybrid work model.

Sponsor: KnowBe4

Did you know that 91% of successful data breaches started with a spear phishing attack?

Find out what percentage of your employees are at risk with KnowBe4’s free phishing security test.

Plus, see how you stack up against your peers with the new phishing industry benchmarks.

Find out more at www.knowbe4.com/freetest

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
