
Who’s that new guy working at your company, and why don’t you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And you think, yep, this guy's all right. We're going to give him the thumbs up, gets my seal of approval. And the company makes John an offer, Jack.
Jack, his name is Jack.
I thought his name was John.
You said Jack twice. Jack to Jack everywhere now. Well, I don't know which one's right.
His name is John.
So his name is John, okay, John.
So this guy called Jack, John. I love it. Smashing Security episode 260: New hire mystery, activist ransomware, and digi dating with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security episode 260. My name's Graham Cluley. And I'm Carole Theriault. And Carole, we've got a special guest, our first of the year. Oh, finally. Who might it be? My favorite.
Maria! Hi. Oh my gosh, I'm honored to be the first guest of the year and to bring you both back into guesting. Guest host guesting. Yes.
It was time, wasn't it? It was time.
Yes, it was definitely time. We were just very busy and now we have a bit more time and that makes it so much more worthwhile and more fun.
And I think also we were beginning to go a bit stir crazy with just each other on the podcast. It was a bit like being in our own personal lockdown with each other. It's like we need other people.
Shake it up, shake it up.
Yeah, when people started reaching out on Twitter saying they need guests, that's when you know it's getting desperate.
Thanks, thanks for reminding us.
Maria, get on the show. Okay, all right.
Let's thank this week's sponsors, 1Password and Uptycs. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be discussing remote working problems.
And Maria, what about you? Operation Scorching Heat. And I'm heading to the online dating world. All this and much more coming up on this episode of Smashing Security.
Now, chums, you work high up in IT security at a company. In this make-believe world.
Yes, not in real life.
No, you're a big cheese. The IT VIP, you've reached the top and had to stop and that's not bothering ye. All right. And sometimes as part of your job, you get called in as part of the interview process, don't you? When new hires are brought in, to vet them, make sure they're a good fit.
Sure, yeah, yeah, yeah. I remember all that. Isn't that a thing? I delegate to somebody lower than me so I don't have to do that stuff?
Well, you might delegate the earlier stages of the interview to weed out the chaff. Yes. But eventually you get to the person you're going to be working alongside maybe for years and years. Right, right. So this chap called John, he gets interviewed. Obviously, it's remote interview because this is 2022. And he goes through a couple of rounds of interviews. And the people before you, the ones who are doing the preliminary interviews, they decide he's the guy for the job.
God, he must have had a nice suit on or at least a nice shirt and jacket.
Yeah, he dressed up. He ironed for the process. Yeah, shaved, plucked his eyebrows, whatever it required. Nose hairs, removed bits of apple from between his teeth. He knows the subject inside out. He seems confident. His resume looks good. He checks out. So the company has effectively thrown out all the other candidates. And he comes through to the third and final panel, which includes you. You know, big cheese.
I'm now going to, as the IT VIP, I'm going to get to meet this.
Yeah, online, remotely. You're going to rubber stamp it, probably, because it sounds like it's probably a good fit already. And so you interview him online. You ask him some tricky questions. He handles it with aplomb.
Okay, aplomb, well used aplomb.
And you think, yep, this guy's all right. We're going to give him the thumbs up, gets my seal of approval. And the company makes John an offer. So all is good. John starts working remotely for the company.
Oh right, so he gets hired. He gets the job. High five, he's in, rock and roll. Okay. He's in, he's in. Right. And so he's attending conference calls. He's on Zoom meetings, he's on Teams, groups, whatsits, all those sort of things. He has hard stops, all of those things going on. Right. And the only weird thing, I mean, everything is good, apart from when you're on a Zoom call with John one time, you think you spot something odd about him.
Well, that's okay, right? I mean, he got a haircut. He's wearing a wig and, you know, yeah. It could be. It could be. John's also talking a lot about working in the garage because his kids and wife are home. But in the interview, he'd mentioned that he was single. And he was sitting in somewhere with loads of desks. Oh. Hmm, a bit odd, isn't it? Double life, maybe?
Okay, so John's not John. That's what you're saying. John is Jack now. Yeah.
And John is being aloof and a little bit timid, whereas the John who was interviewed was confident, articulate. So what do you do as the head cheese of IOT? You know, what do you do at this point? And none of us have actually met him in person, right? No one's met him in person. It's all happened remotely because that's the modern way in which things happen.
Can't you just say you're not the person I interviewed? Well. You were not the person I gave the job to. Well, you've got to be careful saying something like that because what if they are? Right? Because HR and legal, who are the bane of all of our lives, the ones who ruin all the fun in the office.
So much for happy hour. Yes.
They're going to get involved. Well, I mean, is there anything illegal about saying, I don't know if you're the same person? Is there some sort of thing that says you can't say that? They might get unhappy saying that's mean, but it's not gonna... Right?
No? Well, what happens if you then take action against that person? What if the person says, well, you know, you weren't justified in what you were saying or you're picking on me or you just didn't like my nasal voice or, you know, I don't know. Was the interview recorded? Because then you could do a voice check. Or you could take a screenshot. I mean, there's all kinds of things you could do to try and compare. So the interesting thing is, according to this woman who wrote into the Ask a Manager website about her husband's predicament, someone else then high up in the company, Holly, the boss of her husband, had suspicions as well. And Holly called up the husband on mobile phone. She said, I don't want there to be a record of this and said she had suspicions. But she didn't want to accuse him of anything in case they were way off. There were legal concerns.
So she was onto John as well, not being John. Right. She thought, this is weird. Is there something weird going on here? This guy knows sweet F.A. about IT, let me tell you.
I mean, I remember working at companies where people were hired in senior positions, and I assumed that somehow some sort of hobo had walked off the street, you know, and been given this job with no knowledge whatsoever. Yes, I've worked for many of those people.
Well, is Jack or John or whatever his name is, is he actually getting the work done?
Well, no, he doesn't appear to be very competent. I mean, he's getting a bit of it done, but he's not really the star who they were expecting to hire. So there's concern. Is he a stand-in for actual John? Has John gone on holiday for a month or something and just said, look? Very good questions. Okay. I'm just trying to figure it out. I'm trying to figure it out.
Because Holly and the husband of this woman who's written into the website are trying to figure it out as well. And Holly says, you know, I was on a Zoom call with him and he didn't seem to know who I was, and I'd introduced myself, and that's despite me being present on all of the interviews. And he was like, well, who are you? What do you do? You know, oh, you know, and it's... I heard a story, by the way, I heard a story, by the way, of someone who got hired for a job remotely or something. They went into the office and it was a couple of months later and they were in the kitchen area and this guy comes up to them and they kind of vaguely recognise them and not sure who really they are because there's so many new people in the office. And he sort of asked her, you know, how are you getting? How are you settling on? And he goes, oh, job's a bit boring, to be honest. You know, it's a... And it turns out it was one of the guys who interviewed him. Oh, Lord. So you do have to be... Rookie move. You have to be quite careful. So Holly and this chap, they're trying to work out, you know, if he is an imposter, what might he be doing? And should IT put some monitoring software remotely on his PC to watch his behavior and activity?
Oh, no. Oh, come on. No. Well, legal told them they could. They said, it's our computer. We can install that.
Okay. Yes, you can. Bossware.
Because they'd shipped him a computer, you see. And he was using it. And he was accessing data. And they're sort of – but they're a bit nervous of calling him out as a liar. So the eventual consensus, lots of to-ing and fro-ing. And the eventual consensus is that HR should have an online meeting with this guy to discuss the concerns. And they say, what we'll do is we'll say it's about your performance and whether you've been overselling your abilities on your resume.
Fascinating how everyone's pussyfooting around. Gently tiptoe around it.
Maybe put him on a performance. What are they called? Performance enhancing plan. What are they called? That's something else.
So a call was arranged for that child. But before they could ask him their very first question, just as he began to get the hint of how it was going to go, John said, thank you, but I'm quitting. And he hung up the call and has not replied to any messages since.
How long has gone by since he was hired to this point? It's not entirely clear. It feels like it's been a couple of weeks.
So he's made some cash. Yeah. And he's definitely had access to all the things. Yeah. God knows what he was up to. I mean, that should be easily discoverable by any competent IT team, one would hope. But, ooh, yeah.
So I did some reading about it. Now, apparently this fake interview thing is very real. So there's a variety of ways in which it can take place. So it might be, as appears to have happened in this case, someone different actually takes the interview. And you just don't remember you. Maybe you're hiring so many people. And it's a bit like taking an exam test or taking a driving test for somebody else.
Yeah. Like you use your cousin's ID to get into the bar and you guys look kind of similar. Like, yeah, I'm totally 18. I could totally go here. That's me.
Some remote interviews, they tell you to take your earbuds out in case you're getting sort of answers. But even that wouldn't work, would it? If someone was in front of you with a whiteboard writing down the answers. As you asked them over the call.
Listen, come on, come on, come on, come on. If I had to hire somebody who actually was backed up by four different people, all of which had a part of the job covered, and they represented themselves as one entity to do the work for me, do I actually care? The problem here was he wasn't doing the work very well. If he was a stellar performer, would they have given a shit?
Well, you might have done because there's still some lying involved. But they don't know who the first guy is either. No, but there is some deceit, isn't there? It's not necessarily trustworthy.
So what you're saying, Carole, is that basically it all falls apart because he wasn't doing a good job. But if he was, this guy could have just been a mole and just sat there and taken a whole bunch of confidential data and no one would have been the wiser. Oh, take notes, whoever wants to do this. Just make sure his story's airtight.
Or if you were following Carole's advice, You could be outsourcing it to someone I don't know in another part of the world and all of the company's data. Now, I had a bit of a think about this and I thought, wouldn't it be a good scam, right? Because of all this remote working, there's no reason why I couldn't take on more than one remote working job. I could have a full five day a week job, but in multiple places. Maybe I could have seven different jobs at the same time.
Sure. I'm sure people are doing this right now. People are definitely doing this right now. Definitely. And you just turn up to some Zoom calls and things. You participate very ineffectively. Or sometimes you just say, oh, I couldn't get the internet to work.
And wait to get made redundant.
And you're going to cash in, aren't you? You just work for eight weeks a year, and you've probably been paid enough for the entire year. Have you had enough companies like this? So right now, I'm recording for the Cyber Wire. Maria, what story have you got for us this week?
So I'm going to start with questions for the two of you. I'm going to do a little free association. So when I say the word hacktivism, what do you think of?
Vegans. Sorry, you just asked what's top of my head. That's just what came out.
Okay, it doesn't have to be just a word, but the phrase is when you think of what hacktivists do.
I would say a bit of anonymous-iness, right? Going after maybe political entities they don't agree with or people who've done bad things. Doing specifically what?
Defacing websites is the first thing I think of.
Yes, defacing websites, stealing data, maybe exfiltrating it from a database. DDoSs? Yes. So we don't like you, we're going to shut you down, right? So there's that. And then, okay, when I say ransomware, what do you think of? So another little free association.
Oh, just extortion and I think more sort of organized crime rather than hacktivists. Yes.
Right. It's more about the money rather than the political stance. Yes. Yes. So I also think with ransomware, people kind of biding their time and waiting for the right moment to strike. That's a sort of a more recent-ish wrinkle with that one.
No, no, no. Tell me everything.
Okay. So you may know that there is some tension going on in Ukraine between Ukraine and Russia. I'm sure you're aware. And this hacktivist ransomware attack was done by a group calling themselves the Belarusian Cyberpartisans. Belarus being a neighbor to Ukraine and Russia, kind of involved. Don't want to get into too much of it. I think we all know that it's very complicated, right? So the Belarusian Cyberpartisans are... Please don't hack me, guys, if I get this wrong. Aligned with the opposition. And they put out a notice on Twitter, and I'll read to you exactly what they wrote on Twitter, because I think it's really fascinating. As a command of the terrorist Lukashenko, who is the leader of Belarus, Belarusian Railway allows the occupying troops of Russia to enter our land. We encrypted some of Belarusian Railway's servers, databases, and workstations to disrupt its operations. Automation and security systems were not affected to avoid emergency situations, but we have encryption keys and we are ready to return Belarusian railroad systems to normal mode. Our conditions are release of 50 political prisoners who are in most need of medical assistance and preventing the presence of Russian troops on the territory of Belarus. Problems.
So they're holding all the people that depend on those rail systems for work, for everything, to getting A to B, kind of hostage as well because they can't travel, right?
Yes. And they're doing it to keep Russian troops from sort of amassing on the border with Belarus and Ukraine. It's still not super clear to me if it's been 100% effective, but I'm just going to assume that it was because there was a lot of chatter in the press that people were asking for proof that they actually did manage to hack into these systems. And what was interesting to me, because I started reading about the story a few days ago when it broke, and it's been developing rapidly since then. And I'm sure by the time this podcast is out, there'll be more. And when the cyber partisans were asked for proof, they actually posted a thread on Twitter with screenshots sort of proving to the public that they actually had been able to access bank statements, file servers on the back end. Of the railway. Railway systems. And then to me, fascinatingly, screenshots that they took during the cyber attack showing directories within the Belarusian railway systems. And one tweet said this, screenshots taken during a hashtag scorching heat cyber attack on the Belarus railroad reveal that employees frequently used pirated software. Do you think it's connected to how they got hacked with a bunch of upside down smileys afterwards? And the screenshots showed VMware workstation keymaker directories and directories called crack. So lots of Warez type stuff going on.
What a shit show, eh? Oh, no.
Yeah. So a lot of people in the press are saying that this is pretty much the first time we've ever seen political hacktivists using ransomware to achieve their goals, which sounds about right to me because I can't think of another situation where this has happened. But their demand wasn't financial. They're not trying to extort the railways. They're not trying to get money. They want political prisoners released and they want Russian troops to get out of Belarus, basically. So in terms of who did this, who are the cyber partisans, they actually have a spokesperson, Yuliana Shemitovits. And she's not part of them, but she's their spokesperson, she says. She says that the opposition activists once worked in Belarus's well-respected computer science community. That was pretty much all we know. And NATO is trying to stay away from this because, as you imagine, you don't really want to get involved. But according to a NATO intelligence officer, they said, I have no reason to doubt that they're an independent outfit and they don't appear to have done anything more than a decent hacker might do. So was this a sophisticated hack? I don't really know if we can say that. But it seems like a lot of these targets are sort of rife for being hacked. And there's some worry that this is going to escalate and there's going to be counterattacks and retaliation. So I guess put a pin in it. Watch the space. But if we start seeing Russia getting attacked by hacktivists. Oh, it's definitely going to happen, isn't it? I mean, whether state-sponsored or not, you can expect defacements and attacks to occur from people's bedrooms.
Yeah, because these guys aren't associated. These cyber partisans are acting independently. They're not associated with any state. They say. They're not being supported by another nation, they say. But if somebody goes after, say, Russia, we know that Russia knows how to counterattack. So it would be a lot of escalation happening and that could get really nasty. It does seem rather ambitious to ask for the release of 50 political prisoners. I mean, I'm not saying that's a right or wrong request.
supply chain, for work, for everything.
But how long does it take to fix computer systems? You may have a backup or you may be able to restore. I mean, there have been railways which have been disrupted by ransomware attacks in the past. And it may be disruption for a few days or whatever.
If it was disruption for a few days, then presumably, they fix the vulnerability and they go, okay, everything back to normal, then it fizzles out.
I just think they're asking for quite a lot. I think you should start small, maybe asking for the quality of the sausage rolls on the railway or something to be improved or something like that. And, Carole, there's actually, there's still some doubt as to whether or not they were able to stop any of the railways from operating. Listeners in Belarus, let us know.
Yes. Super. I'm fascinated by this, but it's also kind of scary because I'm imagining a lot of people are going, oh, that's a great idea. You know, I don't want the next president of the United States to get installed. So maybe we're going to do something similar. Or, you know, I imagine someone's taking notes. I am not doing that. Please don't come after me.
Maria, in your time away from us, did you forget this was a comedy show?
I know. I was really nervous about talking about this on the show. I'm like, I'm going to get targeted. No, I'm not. I'm not that important. No, I just thought it was such a fascinating story. Because it's the next evolution. It seems almost logical that we've gotten to this place. And I'm going to be very interested to see where this goes.
Carole, you should know more than anybody that you don't have to be funny on this podcast. Ooh. Zing. Wow. Carole, what have you got for us this week?
Well, Maria, my dear friend, and Graham, we are visiting the online dating world.
Oh. Must we?
Well, it's just that you see, you were interested in cyber, you know, political ransomware. I'm interested in the mega changes that have happened in the online dating world over the last few years. Because, you know, Rona changed stuff for everybody. Couldn't be in person, you were very often or easily, and you couldn't go out and do stuff. And it basically threw a huge curveball on how people used the sites. I mean, dating is kind of a social activity and social distancing doesn't really align, right?
That's the problem. It's kind of a social activity. So no surprise, online dating apps hit this all-time high during this time. Tinder recorded 3 billion swipes in a single day at the height of the pandemic. 3 billion swipes. Seems very bored. Really bored. And OkCupid saw a 700% increase in dates. How many percent?
91. So 9 out of 10. Yeah, they say there's no stigma.
Yeah, I would believe that.
I think most of the stigma has disappeared these days, actually, because it's just so common.
And what about this one? Two in three Americans believe it's possible to fall in love without meeting in real life.
It's a lot easier than when you do meet them.
Well, you don't have the smell factor. That's well said. So, because of the pandemic, virtual dates have become a big thing. I mean, I can see it's easier, it's cheaper. Virtual dates. You meet on Zoom or something and not in person. People are saying they wait a month virtual dating before they go for a real date.
So what, they're sitting on the Zoom call and they both have dinner at opposite ends?
Yeah, play cards, do an online game, watch a movie together. Okay. Right? Okay, yeah. When you were in lockdown, you must have done those kind of things with people. Yeah, okay. The survey also showed that people seem to be more interested in serious relationships now as opposed to hookups. And they say that when they do meet in person, they ask if the person is vaccinated. Mm-hmm. Okay. So since last summer, Tinder offers users vaccinated or vaccine soon interactive stickers for profiles.
Yes. Yes, I heard about that. Yep.
Right? Okay, main dating apps in the US, so Tinder, Hinge, OkCupid and Match partnered with the White House to raise vaccine awareness by offering features such as profile badges or boost or super likes for anyone who revealed that they were vaccinated. And even the UK government teamed up with, I think, Snapchat to provide in-app bonuses for vaccinated profiles.
But do you have to be, do you really have to be vaccinated to get one of these stickers or can you just say yes on that and get a sticker?
No, so that's, I think, something to put in your back pocket. But I have a problem with that too. In France for the moment, as of Monday, you have to have a vaccine passport. So if you want to go to a restaurant or go to the theater, you have to prove that you are fully vaxxed. Do you have that? Have you had that at all in Boston?
Vaccine passports? Yes. A huge controversy. Yes. Yeah. And we had them when I was in Canada, everywhere. You couldn't go anywhere without it. And I quite, I was okay with it. Right. Other way around: don't use your Tinder photo on LinkedIn, but yes, okay.
And not a recent photo if you've been under lockdown either because you're one before the pandemic. Yes, 2019 only. Okay so I'm asking this question, like do we have views on it being acceptable for dating sites to request that people indicate medical situations? Because I know, I get we're being asked for medical information, you know, we're being encouraged by our governments to share this medical info in order to encourage people to be vaccinated. I feel that's a fair statement to make across our, right? We presumably don't have to say if you don't want to. It's only a request, isn't it?
No, no, but you do get more dates if you do put out your status, yeah.
But maybe you don't want dates with people who are so inclined in that fashion, you know. Yeah, but—
You're also, you know, spending time and or money there trying to find dates, so I think. And you don't have to prove it, so I'm sure some people are lying.
If you're anti-vaxx, do you have a sticker saying I'm anti? Because I bet that really works well finding other anti-vaxxers.
I think a lot of people, yeah. I listen to Joe Rogan and that's all we need to know.
No, no. Okay, but put it this way, right? So we want to know whether someone's vaxxed or non-vaxxed because we don't want to be at risk or all the stuff, right? We all know this stuff. But what about asking stuff, someone, oh, you know, are you sane? We don't ask that of people. We don't expect them to put that in their profile. Sometimes you can just infer it from reading the profile. Well, what if a profile is this, do you have all your limbs, yes or no?
Well, that's a binary thing, isn't it? You know, yes or no, whether you have all of your limbs. But sanity, you don't know. That's a sliding scale.
All I'm saying is if I put that in my profile description, that's up to me, right? So if in my profile description, it's really important for me to communicate my vax status. I can say, hey, by the way, I'm totally vaxxed. But for them to have the option there, if it said, please enter your BMI, right? Some people would be, screw you. That's personal, private, medical information.
A lot of people lie on dating sites. There's the whole joke about how every man on those dating sites is a certain height. And then when you meet them in person, you're, you definitely are not the height you said you were. Same thing with the ladies often saying, I'm this weight. And then you meet them in person. You're, you are definitely not that weight. So people lie.
I agree people lie, but therein lies another paradox of people, if people are trying to move to more serious relationships with people, I worry that people are going to be more open with their information because they're saying, hey, this is me, let's go. And might be wanting to share more and more information. And I'm not so much worried about, you know, between two people, but, you know, there's a company in the back that we have seen many security vulnerabilities with insights on the dating world, right? And they're collecting a ton of info here.
Okay, so I thought you were asking the question more, is it bad socially to be putting this information up front? But you're saying, is it bad to be providing this information because that's just too much information in the hands of the companies? Or is it both?
Yeah, because now it's not in a profile description. It's now as a tick box that you can choose. So by not answering that tick box, I am making a, it seems now, a political choice. But by answering it, I'm also giving away medical information, which I agree right now, we're all sharing that information, but is that something that we want to trep into other bits of our medical information?
You know, you do have a choice which dating site you join. I bet there are sites for, you know, people who aren't vaxxed. By the way, the whole idea of I'm not vaxxed, it just makes me think of Eastern Europeans saying that. I am not vaxxed, would you be interested in me? I am totally vaxxed for you. Sorry, I'm being filthy. Oh my god, but—
Maria, Maria, to your point, right, so there's loads of liars. So if you're in France right now and you now have a vaccine passport and you've been lying on your dating app saying I'm totally vaxxed, man, to all the people. Have fun going on dates, right? Because you'd be, oh, let's go down and see this restaurant. I'd love to go. Yeah, no, maybe we can go to the park, right?
Yeah, I mean, I'm thinking at it from the situation I'm in in the States where Boston, which is the city I'm near, does have vaccine passports, but none of the surrounding areas do. And also a lot of the places where we get vaccinated are actually through private companies. So that information is already in the hands of private companies. Like I got vaccinated through a Walgreens, for example. Like my first two shots were through a hospital and then my booster shot was done through Walgreens. So that private company has that information already that I'm vaccinated and boosted and all that stuff. So for me, I'm just like a lot of the information is already in the hands of private companies in my case. So that horse is out of the barn. Yeah, I don't know. It's an interesting question, though, Carole. I think it's I'm glad you're asking it.
And it's kind of sucky that they might be using that for advertising purposes, too. Right. Oh, yeah.
I mean, people put this stuff, like, I know you're not on Facebook anymore. If you are, you would see that many people put that information on their profile photos, like, hey, I'm vaccinated. It becomes a way of people to self-select. I don't know. I mean, it's
just a slippery slope, but I see how we got here, right? Like in an emergency situation, you're like, I know, let's all encourage everybody. Let's do this. But I think we're maybe at a point where we have to just think about, like, what the hell are dating apps doing with this kind of info?
It's not as though this one knew, right? Okay, so it's happening with vaccination, but I bet before the pandemic it was happening with, do you like the poetry of Emily Dickinson? Or, you know, do you like whatever it is?
But that's not private, personal, medical information.
It is private, personal, not medical information. No. Do you like walks on the park? Do you like...
BMI information, for the most part, assuming people aren't lying, haha, is already in there. A lot of people will disclose their height and weight. So that's already there. Age is already there. A lot of cases where somebody lives is already there. I mean, if you have a visible disability, you can't hide that. If you were born missing a limb, a photo will reveal that about you. I don't know. It's an interesting question. I mean, what does somebody do with, hey, they're vaccinated, knowledge that somebody's vaccinated?
I'm just waiting for Google to buy one of these dating sites and see what happens. There you go, there's my joy for the day.
You said my story was depressing.
Secure your online payments and grow your business with Brex and 1Password. Growing businesses have enough on their plates, don't they? Well, let 1Password and Brex simplify finances and online security so you can focus on doing what you do best. Brex is the financial operating system that powers tens of thousands of businesses, and now that power is accessible through 1Password in the browser. With this new integration, Brex customers can autofill their Brex corporate and vendor card information while checking out anywhere on the web, right from 1Password in the browser, making online payments simple, secure and frictionless. 1Password's integration with Brex is available right now to 1Password teams and business customers based in the United States. To find out more about 1Password and Brex, check out smashingsecurity.com slash Brex. That's B-R-E-X, smashingsecurity.com slash Brex.
We are also sponsored by Uptycs. Uptycs is a cloud-native security analytics platform built to protect the modern attack surface. Uptycs zeroes in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem. Plus, Uptycs normalizes telemetry across macOS, Linux, Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections. In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform. Visit smashingsecurity.com forward slash Uptycs. That's U-P-T-Y-C-S to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.
And welcome back and you join us at our favourite part of the show, the part of the show that we like to call Pick Of The Week.
Pick Of The Week, Pick Of The Week.
Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my Pick Of The Week this week is not security related. It is something that's been around for some years, but I remembered it this morning. I thought that was a bit of fun. And so I've been playing it today. And if I were to tell you that at this very second, I am baking 75,143 cookies per second. What? Would you know what game I am playing?
No. I have no idea.
I am playing Cookie Clicker. Cookie Clicker.
That sounds like an insult. You, Cookie Clicker.
Cookie Clicker is a very addictive and utterly pointless game. Free and online.
I'm playing it right now. Oh, my God, I'm playing it right now.
Okay, click on the cookie.
I've got 38, 41. Okay, so you're creating cookies. Now, what you'll find is when you've got some cookies under your belt, you will then be able to buy things to help you click on that cookie.
An RSI from doing this? Oh, no, but this is the thing. Like I said, so I haven't been clicking throughout this recording, but I have recruited grandmothers and farms and all kinds of other things which are doing the clicking for me, you see.
I would like you more if you actually baked real cookies. Well, maybe this will inspire me. It's quite a funny and amusing JavaScript-based game. Yeah, I agree with Maria, RSI. You ninny, I haven't been clicking all this time. It's because I've got things which are clicking for me.
I'm at about 200 cookies in my Have you bought anything on the right hand side yet? A grandma? Growing exponentially, so now we're talking math. Okay right.
Now you're a math game.
It's a math game and the scientific notation. Okay, I'm so glad Maria's here. This is, I would be so underwhelmed on my own here. No, my husband loves games like this though and I'm always making fun of him for playing games like this. Well, I hope he enjoys this. It's called Cookie Clicker, links in the show notes. What's my Cookie Clicker of the week?
What's your cookie of the week?
Well, I have not been eating many cookies because I've actually been on a bit of a fitness kick.
Ooh. La-di-da.
Since the beginning of the year. I love bicycling. It's my absolute favorite sport. And I'm very slow. I'm also very short, so I'm not great at it. But I love doing it. And I got myself an indoor bicycle. One of those trainers. Not a Peloton. I got a different one. And so I'm
Good for you.
I have a little tiny living room. And I have my bike in there. And it's so I can sort of watch TV as I'm biking. Yeah. And I've been looking for good things to watch while I'm on the bike. Because I'm in there a lot now. And I've been going through my Netflix. And a show that I've been watching recently that I really have been enjoying is Getting Curious with Jonathan Van Ness, which is a video version of his very famous podcast. So there are some fascinating guests on there, some really interesting conversations. And it's very bingeable and very watchable while you're exercising or whatever. So what would be like a typical show? Well, the first episode was about bugs. Okay. Like, how cool are they? What do they do? And how delicious can they be? Have you ever eaten a bug? Knowingly eaten a bug.
Because Jonathan Van Ness, I've seen him on Queer Eye. He's very hairy, isn't he? He's not that hairy. But I think he's, not compared to your husband, but I mean, I would imagine, but he's actually quite well groomed despite the amount of hair. So I wouldn't think he has a lot of bugs on him.
No, no. Yeah. But I think it was sort of like, bugs gross me out. Maybe I should learn about them to figure out what the big deal is about them. So the first episode was interesting also about people who eat bugs. I've eaten bugs knowingly. I've had crickets, they were delicious. But there was another episode about the history of hair and hair grooming around the world and
Oh, that's why he has such good hair.
As you know, so I'm only about three or four episodes in, but every episode I've seen was really very interesting. And I'm looking forward to watching the rest of the season.
He's a bit full-on, Jonathan. I have watched some episodes of Queer Eye and although sometimes there's an emotional story in it and some of them are quite charming, it can be a little bit too much, can't it? I personally, I think, and he's possibly. He can be a little extra.
Sure. But I mean, that's part of the fun I think that's part of the fun.
Chris Chris Chris pick of the week is also food-related. Oh, you came over for dinner recently and we made you this dish called chicken fattee, not like fatty but fattee, F-A-T-T-E-E. It's good, right?
It was incredible. It was delicious. Yeah. And it's a recipe from a restaurant I used to frequent in London in the before days called Moro. Okay. Now, Maria, the reason I chose this is because you're on. So let me send you the link.
Okay. I do love to cook. So, yes.
Yeah, yeah. I know you love to cook. And I think this is going to be right up your street.
Send me that recipe. I want to check it out.
And I'm going to send it for everybody they can put in the thing. So basically, it's kind of like a rice, chickpea, allspice, cinnamony. There's crisp breads. There's yogurt. And it kind of looks complicated when you see the recipe, but it's not. It's like – Oh, nice. And it's so different and unusual. And you could totally do a veggie if you wanted. So anybody out there, we all have to eat, right? And sometimes we get really bored with the stuff we cook. Like we all have like, what, seven, ten dishes that we do on repeat.
Oh, I think I've made this before. Oh, really? It's really fantastic. Yeah. Oh, I think it was called something different.
This recipe says serves eight. I have to say it's so delicious. I think it could serve one.
It served four. I actually made the whole recipe and it served four on the weekend.
Yeah, it was pretty good.
I can also recommend all of Moro's cookbooks, which I own and cherish. And they're a delight to cook from. And in fact, I was like, oh, what would you have after this? Maybe I should throw a dessert in, right? Moro's chocolate apricot tart, which Graham you've also had.
Oh my gosh, what a great combination.
It's the most delicious fucking delicious tart in the world. Oh yes, so I'm putting that inside the links for you guys as well. Okay, so there you go, just cook something a little different. It's February, it's a dark, dreary month for many of us, so do something delicious.
Yeah, you don't get this kind of content on the CyberWire, do you? No, well, that just about wraps up the podcast for this week. Maria, I'm sure lots of our listeners would love to know more about what you're doing and follow you online. Is there a way of doing that?
Yes, pretty much on Twitter at mvarmazis is where you can find me, and if you want to see the artwork I make, it's at mvarmazisart. Yay.
And you can follow us on Twitter at Smash Security, no G Twitter and last have a G and. And we also have a Smashing Security subreddit. And don't forget, if you want to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Overcast, Apple Podcasts and Google Podcasts.
And big shout out to this episode's sponsors, 1Password and Uptycs, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists and the entire back catalogue of more than 259-ish episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye. Why do you say two goodbyes? I only noticed now that you say cheerio, then bye-bye. Is that like for your US and UK following?
Yes, say it in both languages. Yeah.
In case people don't say what cheerio means.
Au revoir. Au revoir. But you gotta say the au revoir twice as big, right? Sorry.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Maria Varmazis:
Show notes:
- The new hire who showed up is not the same person we interviewed — Ask a Manager.
- How to Spot Fake Candidates in Video Interviews — Nick Shah on LinkedIn.
- How To Avoid The Fake Candidate Scam in the Tech Industry — Focus GTS.
- Tweet by Belarusian Cyber-Partisans.
- Tweet showing screenshots of hacked railroad.
- ‘We Can Hurt Them in Ways They Don’t Understand’: Ukraine on Russia Cyber-War — Vice.
- Pandemic fuels new trends in the online dating world — WXYZ Detroit.
- 'Swipe left for unvaxxed’: Vaccine status complicates the scene on dating apps — France 24.
- Tips for private and safe dating on Tinder — Kaspersky.
- Survey Says Bumble Users Are Burned Out on One Thing in Particular — Bumble.
- Cookie Clicker.
- Getting Curious with Jonathan Van Ness — Netflix.
- Chicken fattee with rice, crispbread and yoghurt recipe — Moro.
- Chocolate and Apricot Tart report — Happy Foodie.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
- Support us on Patreon!
Secure online payments and grow your business with Brex and 1Password.
Brex and 1Password have partnered to make online payments secure and frictionless. 1Password customers can now use Brex virtual credit cards to check out online with just two clicks.
1Password’s integration with Brex is available right now to 1Password Teams and Business customers based in the United States.
Learn more at smashingsecurity.com/brex
Uptycs is a cloud-native security analytics platform built to protect the modern attack surface.
Uptycs zeros in on the blind spots that are preventing you from rapidly identifying and responding to existing threats and vulnerabilities in your ecosystem.
Uptycs normalizes telemetry from across macOS, Linux, Windows, and containers; records system activity for historical investigation even when no alert has fired; and enables you to build complex custom detections in addition to its industry-leading MITRE ATT&CK mapping.
Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.
Find out more and try it for free at uptycs.com
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.