Smashing Security podcast #267: Virtual kidnapping, two helipads, and a naughty Apple employee

Industry veterans, chatting about computer security and online privacy.

Graham Cluley
A Russian bank tells its customers to stop installing security updates, an Apple employee ends up in hot water, and learn our tips to avoid being virtually kidnapped.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
She should feel very grateful that the police are ringing in advance to say, "Oh, by the way, we're coming around.

That drugs thing you've been involved with, we're going to be popping around between 2 and 3 next Tuesday to arrest you. Could you make sure you're in?"
ANNA BRADING
Yes.
Unknown
Smashing Security, episode 267: Virtual Kidnapping, Two Helipads, and a Security Apple employee with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 267. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we're joined this week by fan favorite. Yes, she's back. Anna Brading. Hello, Anna.
ANNA BRADING
Hello.
GRAHAM CLULEY
Sorry, not Maria.
ANNA BRADING
Yeah, exactly. Just call me not Maria.
CAROLE THERIAULT
She's my favorite. Oh, Carole. She helped me start Sticky Pickles. She'll always be my favorite.
GRAHAM CLULEY
Oh yeah, that's true. Hey, talking of fan favorites, I wonder if you saw the latest developments on the Smashing Security NFT.
ANNA BRADING
I saw this.
CAROLE THERIAULT
It's not real. Is it real?
GRAHAM CLULEY
Well, as real as any NFT is.

So a friend of the show, Mark Stockley, he created a Smashing Security NFT, which combined my face with Carole's in a rather gruesome human caterpillar style fashion.
CAROLE THERIAULT
And he talked about it all on the show.
GRAHAM CLULEY
He did. He did a while back. And astonishingly, someone actually purchased it for $330.
ANNA BRADING
£335. £335.
GRAHAM CLULEY
£335.
ANNA BRADING
Obviously it's lovely, because it's a lovely photo of you two, but wow.
GRAHAM CLULEY
Well, they don't get the photo, remember.
ANNA BRADING
They only get— such an idiot.
GRAHAM CLULEY
That was right, yeah. Now, the person who bought it is now trying to sell it, and he's upped the price a little bit. He's now trying to sell it, this mystery person.
CAROLE THERIAULT
Ooh, £500.
GRAHAM CLULEY
No.
CAROLE THERIAULT
No.
GRAHAM CLULEY
$3 million.
ANNA BRADING
Has anyone bought it?
GRAHAM CLULEY
Not for $3 million. Not yet.
CAROLE THERIAULT
Oh, they're lining up.
ANNA BRADING
Well, I just need to talk to my bank.
GRAHAM CLULEY
Link in the show notes if you want to make that purchase. So we don't—
ANNA BRADING
You don't know who bought it?
GRAHAM CLULEY
Well, we only know his sort of code name, his username, which doesn't really tell us anything.
ANNA BRADING
Graham, is it you?
GRAHAM CLULEY
No, it— no.
CAROLE THERIAULT
Oh gosh, it probably is. We should thank this week's sponsors, Collide and Drata. It's their support that helps us give you the show for free.

Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, I'm going to be taking a look at good old trusty, or should that be rusky, open source software.
CAROLE THERIAULT
Ooh, sounds exciting. I love the pun there. And Anna, what about you?
ANNA BRADING
I am going to be talking about virtual kidnappings.
CAROLE THERIAULT
Ooh, and I'm talking about how not to steal from a tech giant. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I don't know if you've noticed, but in the last few weeks.

I don't know if you've seen them all, the politicians, the journalists, they've been quite frankly causing quite a bit of trouble, stirring up aggro, making a big song and dance out of rich Russian oligarchs, claiming that they're doing something wrong by generously investing their billions in London property or Premier Division football clubs.

Have you seen this going on?
CAROLE THERIAULT
Yeah, but I'm not sure what your point is. So they're just saying, "Oh, look, look at all these people buying up all bits of London."
GRAHAM CLULEY
As if it's a bad thing. As if it's a bad thing.
CAROLE THERIAULT
Well, they haven't just started doing this.
GRAHAM CLULEY
This has been going on for quite a while. Exactly. So why are they making the big fuss now, right? They've been enjoying it up until now. They've been enjoying the riches in London.

They've been enjoying, you know, waving at Vladimir Putin, motoring around on his $700 million superyacht with two helipads, currently moored in Italy, apparently.
CAROLE THERIAULT
I really need two helipads. Not one, I need two.
GRAHAM CLULEY
Have either of you been on a boat? I've been on a boat.
ANNA BRADING
What, with two helipads?
GRAHAM CLULEY
No, I've been on a pedalo, I've been on a ferry, and I've been on a sort of sailboat thing.
ANNA BRADING
My dad used to have a boat.
CAROLE THERIAULT
Yeah, mine too.
GRAHAM CLULEY
It's not pleasant. I don't understand why these billionaires buy boats.
ANNA BRADING
Yeah, but they're not— that's not like a pedalo, Graham.
GRAHAM CLULEY
No.
ANNA BRADING
His superyacht with two helipads.
CAROLE THERIAULT
Yeah, you have a place to have a poo.
ANNA BRADING
It's probably—
CAROLE THERIAULT
Yeah. Or five.
ANNA BRADING
Probably slightly less choppy than your pedalo.
GRAHAM CLULEY
Yeah, it's just— it's just, how is this fun? No exercise, Graham, either.
CAROLE THERIAULT
It's not like you've got to— motor yourself with your feet either, right?
ANNA BRADING
Yeah. Someone does that for you.
GRAHAM CLULEY
Well, the journalists, the politicians in the West have been saying this is somehow a bad thing. And it stinks of ungratefulness, doesn't it, by the West, really?

I mean, these philanthropic investments made by Russian billionaires, saving our Premier Division football clubs from ruin, investing their billions in property.

It's no wonder that some feathers have been rustled in Moscow.
CAROLE THERIAULT
Ruffled, you mean?
GRAHAM CLULEY
What did I say?
ANNA BRADING
Rustled? No, I like that. That's fine. They're rustling the feathers.
GRAHAM CLULEY
Yes. Anyway, people are annoyed in Moscow because of the sanctions and freezing of assets outside Russia.
CAROLE THERIAULT
Yeah.
ANNA BRADING
And there's no McDonald's anymore.
GRAHAM CLULEY
Well, yeah, but there is Burger King apparently.
ANNA BRADING
Oh, is there?
GRAHAM CLULEY
Oh gosh. Because I think it's because of the franchise arrangement. So Burger King isn't actually run by Burger King. It's run by— Vlad and Dmitry, you know, instead.
ANNA BRADING
Got it. Got it. Yeah.
GRAHAM CLULEY
So do either of you have any business dealings in Russia at all? Do you have offices based over there?
ANNA BRADING
Not that I want to talk about.
GRAHAM CLULEY
Do you have any money squirreled away in Russian bank accounts?
CAROLE THERIAULT
What, like I have a bank account full of rubles?
GRAHAM CLULEY
Well, hopefully not rubles because they're worth pigeon feed at the moment, aren't they?

Well, it might be an issue if you do, and not just because it's become rather unfashionable, but also because of a real cybersecurity challenge.

So if you remember, Putin has said that any Western companies who quit Russia, sort of pull out, they face the prospect of having their local operations taken over by the state.

In other words, Vladimir will come round, and who knows what information he'll be able to extract from your offices if he takes over your property and maybe takes over your servers.

Have you wiped your databases? Have you got rid of all the keys which you had lying around there?

If you left in some haste, you may not have scorched the earth on your way out to prevent a data leak. So that's a real problem.
CAROLE THERIAULT
And this is for Western companies that have a base in Russia.
GRAHAM CLULEY
Who have offices in Russia and then say, oh, we're not going to operate here anymore, we're out.
ANNA BRADING
Yeah, right. Yeah.
GRAHAM CLULEY
Potentially someone else could move in.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And so you want to make sure that they don't have any access to your other infrastructure and you haven't left any data there. You know, it's more than just shredding files.

You maybe need to securely wipe the data off any servers which you have out there as well, and computers.
CAROLE THERIAULT
I wonder if it's a big cloud problem. I mean, you know, if they're using the cloud, it wouldn't be that hard, right? It's a password job effectively.
GRAHAM CLULEY
Well, as long as you haven't got the passwords, you know, stuck with a sticky note on the wall.
ANNA BRADING
You haven't left your USB keys around.
GRAHAM CLULEY
Right. I mean, imagine it, right?

Imagine how much stuff you would have in an office lying around and making sure— remember, you're doing this remotely because you're thinking, oh crikey, we've got 20 people in that office.

We're the IT department out in Los Angeles. How are we going to get over there to make sure that they've cleaned up properly?
ANNA BRADING
And I remember your desk, Graham, and it was— there'd be a lot to clear there.
CAROLE THERIAULT
You just wouldn't want to touch it, actually. It's its own hazard in itself.
ANNA BRADING
Actually, that's true. It would be quite safe. No one would want to touch it.
CAROLE THERIAULT
Yeah, exactly.
GRAHAM CLULEY
So there are real security issues for businesses which are operating in Russia or maybe coming out of Russia.

And as we discussed in last week's wonderful episode, serious considerations for companies in the West who might be using Russian software, such as Kaspersky.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
But it's not just the West that needs to be worried about what might be coming in their next software update.

So what we've seen in recent weeks are activists who are using software updates to target Russia.

So earlier this month, there were some widely used open-source libraries which had added to them some unexpected functionality.

So whoever maintains those libraries up on GitHub or npm, they included some new functionality which broadcast calls for peace, for instance.

So anti-Russian messages or messages telling them to clear off out of Ukraine. Or demanding some sort of peaceful resolution to all the ghastliness which is going on out there.
CAROLE THERIAULT
Yeah, was this the case where you were sending it off to random email addresses on a daily basis that had .ru at the end or something?
GRAHAM CLULEY
That's something else. So there have been websites which have been set up which basically allow you to spam people in Russia.
CAROLE THERIAULT
Right, yep.
GRAHAM CLULEY
With messages saying, do you know what your government is doing on your behalf? And there's also a website, it's called something Fuck Russia or something anyway.

But there is a website where you can press a button and it will randomly call a Russian phone number so you can have a geopolitical discussion with the person who answers it.
CAROLE THERIAULT
Is it global translators that are joining the call?
GRAHAM CLULEY
No, no, no.
CAROLE THERIAULT
No, no.
ANNA BRADING
You can just do that with Google Translate.
CAROLE THERIAULT
That's right, so easy.
ANNA BRADING
It's fine.
GRAHAM CLULEY
They give you some phonetic scripts to read out, or you could just adopt a Russian kind of accent and hope that that's the translation. That's how I speak French.

After all, just do the accent.
ANNA BRADING
Speak a bit of French to Carole. She understands.
GRAHAM CLULEY
Oh, bonjour Carole. Comment allez-vous?
CAROLE THERIAULT
I don't understand what he says ever.
GRAHAM CLULEY
Son livre qui vend 3 000— Oh, okay. So there were some which broadcast messages for peace, but others went further. Some deliberately wiped files on computers.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
If they worked out via the IP address that they were based in Russia or Belarus, they overwrote files with a heart symbol. Now, you've got to be careful with that, haven't you?

I remember back in the day— are we ready to talk about our top spamming nations report, which we did for a security company long ago?

We used to produce a dirty dozen list of the top spamming nations, and our labs would give us information as to where the spam was being relayed from based on the IP address.

And if I recall correctly, we once found out from the stats that a disproportionate amount of spam was coming from the Pitcairn Islands.
CAROLE THERIAULT
Which had the smallest number of people.
GRAHAM CLULEY
There were about 12 people there and one computer. And there might have been a goof with the IP lookup table. So you have to be careful.

Yeah, they were very angry, the Pitcairn Islands.
CAROLE THERIAULT
Well, no, but they knew that they hadn't because they had to pay a fortune for every transmission. So they knew that no one was doing this.

And it was an extremely embarrassing situation all round. Yes.
GRAHAM CLULEY
Yeah, we're still persona non grata in the Pitcairn Islands, I think. So pretty nasty, overwriting your files.

The problem is, of course, that you might be running a piece of software which used one of those open source libraries and not realized it had been converted into protestware or you could argue actual malware, and you might be using software which you don't know relies upon those open source libraries.

'Cause that's the thing, programmers don't like to do their own coding, they steal other people's code.
CAROLE THERIAULT
I think that's 99% of the time.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Right? You don't know where the code came from. You just know that it came in a package. Yeah. You don't even know how many pieces of code are in it.

You don't even know the supply chain, you know nothing.
ANNA BRADING
Yeah.
GRAHAM CLULEY
And if a library gets updated, you just use the latest library 'cause you assume it's better. You assume it's got a bug fix and you trust it.

Now, one of the chaps behind one of these malicious updates is a chap called Brandon Miller, and he's defended the functionality he added in what he calls the Peace Not War module, because he says, well, I was upfront about it.

It's all public. It's documented. It's licensed. It's open source.
CAROLE THERIAULT
Did you not read the release notes?
GRAHAM CLULEY
Well, exactly. Did you not check the source code?
CAROLE THERIAULT
Did you not read the privacy agreement? Oh, I don't know why you're using that stupid voice, Graham.
GRAHAM CLULEY
Okay. Wow. Well, I did the French accent earlier. I thought I'd do something that might be a bit closer to home to you.

So, because, you know, so he says, we know it's open source, it's open source. You know, how can anything open source ever be wrong, right?

Because you could always check it, can't be bad.
CAROLE THERIAULT
So what you're saying is just because you can check it doesn't mean people do check it.
GRAHAM CLULEY
Of course they don't. Of course they don't. Other than you, Carole, you're the only person I know who checks the privacy and the terms and conditions and all those sort of things.

Would you look at the source code of a program to check?
ANNA BRADING
No.
GRAHAM CLULEY
Ah, right.
CAROLE THERIAULT
But I would, yeah, I would read the privacy statements.
GRAHAM CLULEY
Okay, all right.
CAROLE THERIAULT
I would. All right. But yeah, no, I wouldn't look at the source code. I wouldn't even know what I was doing there.
GRAHAM CLULEY
No, no. Well, so here's the thing.
CAROLE THERIAULT
I could say yes to you, but it would mean nothing to me.
GRAHAM CLULEY
So here's the thing. And this is why I asked if you had any money hidden away in Russian banks, because there is a Russian bank called— I don't know how to pronounce this— Sber.

And Sber has told its customers to stop installing software updates for any applications.
CAROLE THERIAULT
So that's crazy. So a bank—
GRAHAM CLULEY
Who you would think would care about security. And not want their customers to be phished or have any malware on their computers.
CAROLE THERIAULT
But they don't have jurisdiction over the whole machine. They just are in charge of their own little website or app.
GRAHAM CLULEY
They're not enforcing it, but they're giving this advice to their customers.

They're telling their customers, "Stop installing any software updates for any applications because it might contain malicious code targeted against Russians." For the bank's app itself?
ANNA BRADING
No, for any software.
GRAHAM CLULEY
For anything. Because if there was something running in the background on your computer, which you'd installed, it may then impact the bank.

At the moment, they've got about, well, every person has about 28 million rubles at the moment. So it's about £2.80 and potentially a problem.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
They've said various content and malicious code can be embedded in freely distributed libraries used for software development.

In other words, those open source libraries we're talking about.

And the use of such software can lead to malware infection of personal and corporate computers as well as IT infrastructure.

And they're saying, if you absolutely must use a piece of software and update it, scan it with an antivirus or carry out a manual review of its source code.

The thing that— Oh God.
ANNA BRADING
There you go, Carole.
GRAHAM CLULEY
The thing that even Carole Theriault refuses to do.
CAROLE THERIAULT
Well, no, not refuse, just wouldn't be very useful.
GRAHAM CLULEY
Well, of course, who could do that?
CAROLE THERIAULT
Review the source code.
GRAHAM CLULEY
And it's not as though the source code is going to have a comment in it saying, now we're going to do the deletion. It's going to be obscured and obfuscated.
CAROLE THERIAULT
And I wonder whether this information being given to its customers would encourage people to leave comments in sites or quotes saying, this is great, super cool, don't worry, thumbs up, thumbs up, I love it.
GRAHAM CLULEY
We love Putin.
CAROLE THERIAULT
He's the best.
ANNA BRADING
Jesus.
GRAHAM CLULEY
Or whether people will think, oh, this is such a pain. I'll just take all my money out of the bank. Might be a good idea anyway, and hide it under the mattress instead.

Convert it into gold or porridge or whatever the new form of currency is.
ANNA BRADING
Or whether most people just won't listen to the bank and won't install updates because they never do anyway.
GRAHAM CLULEY
Oh, cynic.
CAROLE THERIAULT
Or whether people are already set up to automatically get updates and don't have any idea how to turn that off.
ANNA BRADING
Very true.
CAROLE THERIAULT
Well, this is a pickle. So does that mean— Last pickle. Does that mean—
ANNA BRADING
She's trying to get it in everywhere.
CAROLE THERIAULT
Does that mean that if someone does happen to update their software and it does have an impact on the bank, that the bank can penalize that individual?
GRAHAM CLULEY
Well, I don't know in the case of Smashing Security.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
With some banks in the past, they have claimed that customers have been careless with their personal security and that's why their accounts may have been phished or had money extracted from them.

So they might try and use that argument.

Certainly, I don't know why these guys, if they really want to cause some pain to Russia, rather than affecting regular Igor on the streets of St.

Petersburg, why don't they target these oligarchs instead? Why not write malware? By the way, I'm not giving this advice. Why not write malware?
ANNA BRADING
Sounds like you are.
GRAHAM CLULEY
Which targets superyachts instead.
CAROLE THERIAULT
To do what?
GRAHAM CLULEY
Take over their navigation system and make them automatically sail to, I don't know, Washington or something. Is Washington by the sea?
CAROLE THERIAULT
So automatically put up the sails and know what the weather's like and be able to tack across the ocean to wherever.
ANNA BRADING
Carole, this is why Graham has only used a pedalo.
CAROLE THERIAULT
That's right. Yes. So where are they gonna be going? Where do you want them to automatically go?
GRAHAM CLULEY
Well, anywhere. To the police. To the police run by a decent—
ANNA BRADING
To the police.
CAROLE THERIAULT
To the police island. Okay.
ANNA BRADING
I think the police know where the oligarchs are, don't they? I don't think that they're on the run.
GRAHAM CLULEY
There's some fascinating research going on at the moment trying to locate some of these superyachts. By the way, these superyachts don't all have sails, Carole.
CAROLE THERIAULT
No, you said sail. You said sail. As you will see in your edit.
GRAHAM CLULEY
If you change it, I will know. To sail, to motor— It's a generic term for movement of a yacht. Yes. Doesn't— Anyway. Just—
ANNA BRADING
He gets his knickers in such a twist.
CAROLE THERIAULT
No, I just—
GRAHAM CLULEY
I tried to make this very interesting. You've ruined it all.
CAROLE THERIAULT
You've done amazing.
GRAHAM CLULEY
Anna, what have you got for us this week?
ANNA BRADING
Okay, so I'll invent some names. Because although the story is true, these people don't want their names to be revealed.
GRAHAM CLULEY
Are these people you know?
ANNA BRADING
This is a story about a woman called Carole.
CAROLE THERIAULT
Oh no.
ANNA BRADING
No, let's call her Sue.
CAROLE THERIAULT
Sue.
ANNA BRADING
Maybe it's Carole, maybe it isn't. Can't say. Okay, so Sue is at home one day and she gets a phone call from an unknown number.

Now this feels like I'm talking on a Sticky Pickles podcast, but I'm not.

So she's looking for a job, so she wouldn't normally answer an unknown phone number, but she thinks, oh, maybe this is my job, maybe this is my job that I'm gonna get.
GRAHAM CLULEY
Exactly.
ANNA BRADING
So she answers it. It's not a job, it's the Social Security office telling her that she's about to be arrested.

Because her identity has been used in drug trafficking and money laundering. Now, can you imagine how Sue feels? She's a bit—
CAROLE THERIAULT
Has she? Is she a big heroin dealer?
GRAHAM CLULEY
She should feel very grateful that the police are ringing in advance to say, "Oh, by the way, we're coming round." Warning her. "We're coming round.

That drugs thing you've been involved with, we're going to be popping round between 2 and 3 next Tuesday to arrest you. Could you make sure you're in?" Yes.
ANNA BRADING
So Sue is in a panic, actually. She's quite worried about this. And she's got, no, no, no, no, no, that's not me, that's not me.

But luckily, the Social Security office are very understanding. That's nice, isn't it?

So they say to fix this stuff, all she needs to do is set up a new financial account, specifically a secure Bitcoin account, to cover up for the fact that she has had her identity used in all her deals.
CAROLE THERIAULT
Red flag.
ANNA BRADING
Red flag.
CAROLE THERIAULT
Red flag all the way. Ransomware shop.
ANNA BRADING
Okay, hold on. You have the benefit of being involved in infosec for a long time. Sue has not.
CAROLE THERIAULT
Right, okay, fair enough.
GRAHAM CLULEY
So she's been told, set up a bitcoin account, buy an NFT from the Smashing Security podcast for £335, for $3 million.
ANNA BRADING
No, what she has to do is— that sounds absolutely fine.

All she needs to do is move $12,000 from her run-of-the-mill normal Chase bank account and deposit it into a bitcoin machine in a petrol station.

I didn't actually know they had bitcoin machines in petrol stations.
CAROLE THERIAULT
Do they?
GRAHAM CLULEY
Yeah, I think there have been some in the— yes, I've heard about it.
CAROLE THERIAULT
Like a Costa Coffee dispenser, and then beside that you have your bitcoin machine, and then you have your coin counting machine, right, that helps, you know, that you throw all your coins in.
ANNA BRADING
Well, the bitcoins actually come out. Yeah, that's right.
GRAHAM CLULEY
I was speaking to a guy the other night who has sold outside laundry. Have you seen these sort of laundry machines which are outside at petrol stations?
ANNA BRADING
No.
GRAHAM CLULEY
You can rock up to a petrol station and put your clothes in and it will wash and dry them.
ANNA BRADING
I think that's smart, actually. I mean, it is, although most people probably use their ones at home.
CAROLE THERIAULT
No, actually it's not that smart because the last thing you want to do is spend 3 hours or however long it takes for your laundry to wash and dry at a petrol station.

Like, what do you do?
GRAHAM CLULEY
Well, apparently these sell a lot in Ireland. I asked that question. He says, actually, it's quite a good day out for people in Ireland.

They like to go to the petrol station, wash their clothes, and there'll be a little attached restaurant as well.
ANNA BRADING
Oh, I see.
CAROLE THERIAULT
Right, and you go for a little walk. Yeah.
GRAHAM CLULEY
They make a day of it. And this is— But the problem is that some people try and launder their horse blankets, and so the machines get clogged up with horse hair.

Sorry, this is a bit of a digression. You digress.
ANNA BRADING
I don't think there's any laundry involved in this story. Right.

So, the Social Security office very understanding, very lovely, warn her that there's a risk that her husband is going to be implicated in this identity theft situation.

So together they agree not to tell him anything at the moment. Yeah, so Sue, she's in a panic. And also you should know she's a new mother, so she's got a baby.

So at the same time as she's taking the call from the Social Security office, she's also probably trying to shake a rattle, change a nappy, clear up sick, and breastfeed, wipe the baby's nose, all that sort of thing at the same time.
GRAHAM CLULEY
And frankly, when you've had a baby, I mean, you've sort of pooed your brains out anyway, haven't you? You're so exhausted.
ANNA BRADING
Yes, that's what happens. That's how you have a baby.
GRAHAM CLULEY
You can't think of anything.
CAROLE THERIAULT
Yeah, Graham understands these things because he's had a baby himself and he knows.
GRAHAM CLULEY
I'm currently working on one.
ANNA BRADING
Yeah. Good, lovely. Well, that's something you can do while you're laundering your clothes at the petrol station.

So while she's doing all this baby entertaining, changing nappies and everything, the Social Security officer being so nice, but they're actually a bit worried about the baby because they hear it crying.

So what they do is they ask Sue to send a picture of the baby to them just to check if the baby's okay because they're a bit worried.
CAROLE THERIAULT
What? Okay, red flag number 2.
ANNA BRADING
Don't forget, Sue's just had a baby. She's pooed her brains out, as Graham says.
CAROLE THERIAULT
You've had a baby in real life. Would you go, oh yeah, no problem, here's a picture of my kid?
GRAHAM CLULEY
I think it depends on how proud you are of the beauty of the baby.
ANNA BRADING
That's true.
GRAHAM CLULEY
The baby is quite ugly.
ANNA BRADING
It's a very beautiful— yeah, it's true.
GRAHAM CLULEY
You wouldn't want to send anyone a picture. But if you're one of those proud parents saying, oh yes, here is the photograph, here's my adorable cherub.
ANNA BRADING
So she sends it anyway because she's a new mum. So while that's going on, across town, Sue's husband, let's call him Greg, sees a text message pop up on his phone screen.

So it's a photo of his baby with the message, do you want your baby back or not? He gets a phone call to tell him that his wife and baby have been kidnapped.

Now, my God, it's definitely his baby in the photo. Okay, I know most babies are the same.
CAROLE THERIAULT
Okay, what would you do now, Sticky Pickle style? And the answer would be call my wife.
ANNA BRADING
No, because he's so worried.
GRAHAM CLULEY
You're so worried you don't contact your wife.
ANNA BRADING
What's the point in calling her if she's being kidnapped?
GRAHAM CLULEY
She's busy being kidnapped.
CAROLE THERIAULT
She's probably not going to answer her phone, and she's doing the breastfeeding and the diapers and the rattle.
ANNA BRADING
Exactly. And he's thinking, she's pooed her brains out, she can't cope with anything.
GRAHAM CLULEY
This is entirely plausible, that she could have been kidnapped.
ANNA BRADING
Exactly.
GRAHAM CLULEY
This is the kind of thing that happens to her.
ANNA BRADING
Yes, exactly. And so then another text pops up, ransom demand, and the words, "You are responsible for your family." Okay, so yeah, what would we do at this situation? Graham?
GRAHAM CLULEY
Oh gosh.
ANNA BRADING
What would you do?
GRAHAM CLULEY
Do I like my wife and child, or have—
ANNA BRADING
I would say in this situation, Graham, for the purposes of this story, yes, you like your wife and children.
GRAHAM CLULEY
Okay, all right. Well, I mean, I think the traditional thing is to call the police, isn't it? And say, I appear to have received a sort of ransom demand for the kidnapping.
ANNA BRADING
No, because they tell you not to. In every single ransom film— have you ever seen a kidnapping film? They always say, don't tell the police.
GRAHAM CLULEY
I saw the one with Mel Gibson where he goes on TV and he offers a bigger ransom for anyone who can capture the kidnappers. Oh, yes, I've seen that. Do you remember that?

That was very exciting.
ANNA BRADING
I mean, obviously I haven't seen it, but I've seen clips of it, so I don't watch films. Yeah, but so anyway, so he's got this. So Graham, you would call the police?
GRAHAM CLULEY
Well, absolutely. I'm a law-abiding, sort of upstanding sort of chap, and I'd say, look, can you sort this out for me? I'm very busy. I've got a podcast tour at it.
ANNA BRADING
Yes, sorry guys.
GRAHAM CLULEY
So could you handle the kid?
ANNA BRADING
I haven't got a lot of time right now. Yes. Carole, what would you do?
CAROLE THERIAULT
What I would do is call my wife and go, hello, right? But assuming I don't work in security and I'm feeling a little stressed out, I'd be what do you mean? I would engage.

I would engage. I go, what?
ANNA BRADING
I mean, actually, there is a horrible point in this saga where the scammers tell the man Greg that his wife and kid were in the back seat of a car in a particular location.

So he races to the location and there's no car, and he's just running from car to car checking the back seats. At that point, he thought, hey, I could call the police.

So he calls them.
CAROLE THERIAULT
Okay.
ANNA BRADING
And they track his wife down using her mobile phone, and she—
GRAHAM CLULEY
Can I just interrupt for a second?
ANNA BRADING
Yes.
GRAHAM CLULEY
Did this actually happen?
ANNA BRADING
Well, I read it on a news site, Graham, so—
GRAHAM CLULEY
Oh, okay.
ANNA BRADING
It wasn't the Daily Mail.
GRAHAM CLULEY
Okay. Oh, whoa. In which case— This is horrifying. So this man, he got this message that his wife and child had been kidnapped.
ANNA BRADING
Yep.
GRAHAM CLULEY
He races to try and rescue them, presumably with a bag full of cash. He can't find them.
ANNA BRADING
Yeah.
GRAHAM CLULEY
And yeah, not very good.
ANNA BRADING
So then he calls the police. So, they intercept her car using mobile phone signals. They find her.
GRAHAM CLULEY
Triangulate, triangulate.
ANNA BRADING
And intercept her car. She's on the move, probably in the boot. So they—
GRAHAM CLULEY
Argh!
ANNA BRADING
They screech to a halt. They've caught the kidnapper. But instead they just find Sue and her baby in the car, probably driving to the petrol station with their bitcoin cash machines.
CAROLE THERIAULT
About to do some laundry.
ANNA BRADING
Laundry, yes. So of course it's all a scam. Sue's not been kidnapped. There's no drug trafficking, no identity theft, nothing. He's almost had a heart attack.

It's a virtual kidnapping invented by scammers preying on someone's worst fear. That's not the only case. There are loads of them. I was reading it earlier.

There was one where the father receives a phone call about his daughter that's at uni saying she's been kidnapped, but actually she's just away at university.

But he doesn't find out until he'd paid $4,000. Oh boy.
GRAHAM CLULEY
It's a kidnapping for lazy people, really, isn't it? People who can't be bothered to actually pull off the kidnapping. App.
ANNA BRADING
Well, why bother? You don't need to. Anyway, the FBI has warned people. So these are the signs to watch out for.

If you get a call from someone that's been kidnapped but it's not their phone number, call their phone number. The caller will try and keep you on the phone as long as possible.

They might— well, because they use social media to try and connect all the dots, they will probably be able to answer simple questions about who's been kidnapped and what they look like.

And they also might ask for the ransom to be wired to several different accounts in small amounts. So yeah, don't send money to people you don't know.

If your wife gets kidnapped, call her. And don't send photos of your child to Social Security.
CAROLE THERIAULT
I actually have advice if you are kidnapped.
GRAHAM CLULEY
Oh, is this from personal experience?
ANNA BRADING
Yes.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
But it's a really good— okay, tell me what you think of the idea.
ANNA BRADING
Is it about if you're in the boot?
CAROLE THERIAULT
No, no, no, no. So you're— so say you're at home, some person comes in and you're in a house arrest situation. And, you know, it's been a while.

It's been a few hours and you got to go, you know, at some point, you're "Hey, is anyone hungry? I can call for a pizza.

Shall I do that?" And they'll go, "Yeah, do it." Right at gunpoint, maybe.

And then you call 999 or 911, and then you order the pizza, and they apparently will immediately go, "Are you in trouble?" And you go, "Yeah, mushrooms.

Definitely pepperoni, pepperoni." And they will ask questions, and you'll say yes or no to them in order to then, you know, figure out what's going on.
ANNA BRADING
Right, there you go. That's good advice.
CAROLE THERIAULT
Thanks.
ANNA BRADING
First of all, a couple of things, couple of things.
CAROLE THERIAULT
If your hands are tied, are you doing this hands-free? Why—
ANNA BRADING
Oh, the kidnapper's not ordering the pizza.
CAROLE THERIAULT
They're holding the gun.
ANNA BRADING
And secondly, why don't they use Deliveroo?
CAROLE THERIAULT
That's true.
ANNA BRADING
I did hear you're supposed to kick out the lights, aren't you, if you're in a boot? Really?

You're supposed to kick out the brake lights so then you can put your hand out, wave to the people. I've been kidnapped.
GRAHAM CLULEY
I thought you were supposed to befriend the kidnapper and sort of, you know, start a relationship with them. Not necessarily get married or anything, but just sort of—
ANNA BRADING
Ask them if they want pizza.
CAROLE THERIAULT
Stockholm syndrome style.
GRAHAM CLULEY
Yeah, well, yeah, exactly. You just say, oh, you know, oh, I love your blue eyes. That kind of thing. You know, just love these.
ANNA BRADING
Yeah.
GRAHAM CLULEY
Do you work out? And just sort of—
ANNA BRADING
I love your gun.
GRAHAM CLULEY
Chat them up. Cool. I'd love to. I've never held a gun myself. Maybe I could have, you know, after a few minutes, maybe you could turn the tables. Just an idea.
CAROLE THERIAULT
Can I just say categorically, no one should take any advice from us at all on these things.
GRAHAM CLULEY
Absolutely not.
ANNA BRADING
No.
CAROLE THERIAULT
Call the police.
ANNA BRADING
Yes.
GRAHAM CLULEY
Please, not the pizza company, Crow. Crow, what story have you got for us this week?
CAROLE THERIAULT
Okay, so you guys have been around the block once or twice, you know, the corporate block, so to speak, the technology block.

So let me ask you this: have you ever stolen from a company?
GRAHAM CLULEY
No. Oh, no, definitely not.
ANNA BRADING
No.
CAROLE THERIAULT
Because my next line says anyone who says no is a liar.
GRAHAM CLULEY
Oh, definitely not a laptop.
CAROLE THERIAULT
Have you not stolen maybe a pen or office sundries from the cupboard or a sticky note notepad?
GRAHAM CLULEY
Is it stealing or is it taking advantage of a loan, a long-term loan?
CAROLE THERIAULT
Yes. Do you give it back?
ANNA BRADING
Yes.
GRAHAM CLULEY
Well, maybe the loan hasn't yet expired. Maybe it's something— maybe it's a library book.
ANNA BRADING
If you work from home a bit, maybe you need the sticky notes at home. As part of your job.
CAROLE THERIAULT
But that's not stealing then, is it?
ANNA BRADING
Well, no, exactly.
CAROLE THERIAULT
Ah, and you know, you sent maybe yourself internal files or documents by email because you got to do the call from and you can't get the information from another place.

Or, you know, some people even steal face towels from hotels, I've heard, right? So I did that once actually, because I put my— I rubbed my eyes on it, it was full of mascara.
ANNA BRADING
What, yours?
CAROLE THERIAULT
I was embarrassed to leave it. Oh.
ANNA BRADING
Yes.
CAROLE THERIAULT
I was embarrassed to leave the white face cloth that now was black. But I don't— isn't that ridiculous? So I stole it. I stole it.
ANNA BRADING
I just don't know what to do.
CAROLE THERIAULT
Sorry, Hilton.
GRAHAM CLULEY
Because that's less embarrassing than leaving a dirty one they can wash, is to just steal it.
ANNA BRADING
You definitely did the right thing there, Carole. Thanks.
CAROLE THERIAULT
Actually, I know someone who was accused of stealing a company laptop after leaving a company. And they sent the cops round to search his house.
GRAHAM CLULEY
What?
CAROLE THERIAULT
And they didn't find it. And strangely enough, within a few months, they ended up rehiring the guy as a consultant because he was a super great iOS programmer.

And he said yes because he'd upped his salary by, like, a factor of 3. So, there you go.
GRAHAM CLULEY
That is so juicy.
ANNA BRADING
That is. I'd say yes.
GRAHAM CLULEY
Yeah?
CAROLE THERIAULT
It was bleep bleep bleep bleep.
GRAHAM CLULEY
They sent the police around to his house.
ANNA BRADING
Yes!
CAROLE THERIAULT
Now speaking of thieving employees and all things Apple, let me introduce you to Apple employee, or ex-Apple employee, Dhirendra Prasad is his name.

Now he's 52, lives in San Joaquin County, and was employed by Apple for 10 years, 2008 to 2018.

And for most of that time, he worked as a buyer in Apple's global service supply chain.

So he was responsible for purchasing parts and services from vendors, doing the whole supply chain stuff. And Mr.

Prasad is alleged to have exploited his position by engaging in multiple different schemes to defraud Apple. Stealing stuff.

So it turns out some people are pretty brazen when it comes to taking stuff from their employers.

He's being accused of taking kickbacks, stealing parts, and causing Apple to pay for items and services it never received. Get this, to the tune of more than $10 million.
GRAHAM CLULEY
That's more than a few envelopes and Post-its, isn't it?
CAROLE THERIAULT
Right? That's not just a Bic pen, right? So why— a few questions at this point. Why did they take 10 years to notice this? Presumably maybe he wasn't up at it for the whole time.

Was he— you know, is it likely that he was a disgruntled employee thinking he was underpaid and under-resourced and he was going to take a bit back?

Or what does it say about Apple's scrutiny of the books? $10 million is not chump change.
GRAHAM CLULEY
Yeah, I mean, I know it's chump change in their humongous financial ocean, but yeah, but I mean, it depends how much he's ordering, I suppose, each month and how much is coming past his desk, if it is a vast amount, then maybe $10 million wouldn't get noticed over that period of time.
CAROLE THERIAULT
Yeah. I mean, I know Robert De Niro right now, he's been in this huge lawsuit with his former PA.

Apparently, he claims she stole $6 million worth of crap, including air miles from him. And she says he was a super shitty boss who underpaid her.

And I wonder if Prasad had that, felt undervalued, which helped motivate his— or he was just in it for the win. Why not? You know, skim off the top.

Unfortunately though, he now faces 5 criminal counts for exploiting his position of trust and making off with this $10 million worth of wanga.

There's a few things that he did that makes these charges, these federal charges, a little bit more severe. So he steals stuff from Apple, right?

And he does that through wire and transfer fraud. And just for that, being caught for that, he is facing 5 to 20 years in the clink.
GRAHAM CLULEY
Ouch.
CAROLE THERIAULT
If he's found to be guilty, says the DOJ.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But he's also accused of conspiring with others to launder the money because he needs to figure out a way to make all these sudden riches look legit.
ANNA BRADING
Yeah.
CAROLE THERIAULT
So you have all this dirty money and you try to clean it, make it look legal. And this is where two co-conspirators, Robert Gary Hansen and Don M. Baker, come in.

These two owned vendor companies that did business with Apple. They were charged with conspiring with Prasad to commit fraud and money laundering.

And this is super bad for Prasad's case because they were each earlier charged in separate federal criminal cases, and they both admitted to their involvement, right?

So the prosecutor's office already has all that.
GRAHAM CLULEY
So these were companies which were supplying Apple with goods.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
They were supplying them via this first chap.
CAROLE THERIAULT
Yeah, he was working— he was like maybe the negotiator from Apple, right? So he was kind of like, hey, hey, hey, I've got a deal, you guys want in?

You guys are my buddies over drinks, right? And they're like, yeah, okay, yeah, no problem. And they'll get a piece of the pie.
GRAHAM CLULEY
We'll claim you ordered 50 million Post-it notes or something like that. Yes, I see.
CAROLE THERIAULT
And so for that, for conspiring with these two guys, if he's found guilty of it, he faces an additional 20 years each. Okay, so now he's facing 60 years in the clink.
GRAHAM CLULEY
How much time would you be expected to spend in jail if you stole, for instance, a face towel from a hotel? Which you've covered in mascara.

If you had conspired with your husband and told him that you were taking that face towel as well, would that add an extra 20 years to your sentence?
ANNA BRADING
Yeah, what if you gave it to Graham and he washed it for you?
GRAHAM CLULEY
Hey, leave me out! Whoa, whoa, whoa, whoa, whoa.
ANNA BRADING
Sorry, sorry, sorry.
CAROLE THERIAULT
Yeah, but conspiring with someone to do something bad is huge. I learned that from the jury case I did earlier this year.

So they didn't even get away with the cash, but the fact that they— that more than one person kind of negotiated on how to go about it, and they got caught in the act, is huge in terms of the law.

But the other big thing is that— and the reason why I think this is a federal case— is the tax evasion angle. The U.S.

wants a piece of your pie, whether you earned it or stole it. So you have to pay tax on illegal earnings.
ANNA BRADING
So you're expected to declare your illegal earnings, right? Right. Yeah, that'll happen.
CAROLE THERIAULT
You can also take deductions for costs relating to criminal activities.

So someone is like, okay, well, now I'm defending myself in court, I'm gonna use the criminal earnings as my financial backdrop for these court proceedings.

And apparently there's a legal loophole that makes that happen. So there you go. Fascinating.
ANNA BRADING
Wow.
CAROLE THERIAULT
Wow. Okay, so, so he—
ANNA BRADING
That's—
CAROLE THERIAULT
So now he's facing 60 years. So the tax evasion thing comes two more charges: attempt to defraud the US and tax evasion. So 5 years each.

So now our guy is facing 70 years, and that's kind of a scary situation to be in, which is why he's probably not commented in the press to how he's feeling about his trial, which starts today, Thursday, March 24th.
ANNA BRADING
Would you expect them to get that for that much money?
CAROLE THERIAULT
Well, they've seized his assets. Bought a few houses, has loads of bank accounts. They say there's about $5 million in all those, so those are all frozen.

But it's like, look, if you're gonna steal, I think maybe sticking to pens is the way to go, or maybe the occasional stapler if you really want to branch out.
ANNA BRADING
Or face cloth.
CAROLE THERIAULT
Or a face cloth. Not a bath towel. Not a bath towel.
ANNA BRADING
No.
GRAHAM CLULEY
This advice is not endorsed by all of the hosts of the Smashing Security podcast.

Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.

Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.

Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide.

That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
CAROLE THERIAULT
Is your organization finding it difficult to achieve compliance and scale its security posture?

As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance.

Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database.

They say it's like having your cake and securing it too.

Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process.

Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ANNA BRADING
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related. I, the other day, rang up my good bud Carole Theriault, and I said to her, is there anything good on TV at the moment?
CAROLE THERIAULT
Actually, you were sitting on my sofa.
GRAHAM CLULEY
I was sitting on your sofa. I didn't phone you from my— from your sofa to the other sofa.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Yeah. Okay. I was around for dinner at my pal Carole Theriault's the other day, and I said, is there anything good on TV? And she said, oh, I know what you might like.

You might like this show called Mandy.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
And Mandy—
CAROLE THERIAULT
My husband loves this show. Really loves it.
GRAHAM CLULEY
I have to say, it was a most excellent recommendation.
ANNA BRADING
Yes.
GRAHAM CLULEY
So Mandy is a BBC comedy starring Diane Morgan. Now, you may not be familiar with the name Diane Morgan, but you may know her as Philomena Cunk. Or possibly Kath in After Life. Yeah.

The Ricky Gervais thing.
ANNA BRADING
She's in Motherland as well.
CAROLE THERIAULT
Yeah, Motherland, yeah.
GRAHAM CLULEY
Oh, is she? Right, okay.
CAROLE THERIAULT
That's funny. You might like that, Graham.
GRAHAM CLULEY
Okay, well, Diane Morgan is hilarious.
ANNA BRADING
Isn't she?
GRAHAM CLULEY
And she plays, and apparently wrote as well, she's the originator of this entire TV show.

She plays a character called Mandy, who is a young jobless woman who ends up in a series of utterly daft adventures.
CAROLE THERIAULT
She walks and holds her mouth in a way that is astounding to know that she could do that for the length of time that she does. It is astounding.
GRAHAM CLULEY
Her facial expression and her gait, the way in which she walks in her very tight jeans and boots is just something to behold.

Anyway, she gets into a variety of scrapes and has jobs ranging from being an arachnid control operative at the banana factory to being an applicant to be the first human to travel to Mars.

The programme starts off fairly sort of pedestrian in a way.
CAROLE THERIAULT
Well, edgy BBC comedy, but—
GRAHAM CLULEY
Funny, yes. In the second series, it goes completely and utterly bonkers.
CAROLE THERIAULT
I think it was the pandemic. I think people were just like, "Go for it. Just go for it." And it is brilliant.
GRAHAM CLULEY
Have you seen this at all, Anna?
ANNA BRADING
No, I haven't, but I've heard of it, and I keep meaning to watch it, so I'll do that tonight, yeah.
GRAHAM CLULEY
It's worth it.
CAROLE THERIAULT
And it's short, right? It's only 25 episodes, 25-minute episodes.
GRAHAM CLULEY
Yeah, yeah. Each episode's only about 25 minutes. That's right. Diane Morgan is— she's just wonderful. Absolutely brilliant.
CAROLE THERIAULT
She's getting an OBE.
ANNA BRADING
The BBC comedies are so— there's so many that are so good.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
There are some which are terrible, but there are jewels out there as well.

But yeah, Diane Morgan, I think in just about everything I've seen, because she was in Charlie Brooker's Screenwipe, wasn't she?
CAROLE THERIAULT
Yep.
ANNA BRADING
Yeah, she was. That was Philomena Cunk, wasn't it?
GRAHAM CLULEY
Yeah, that's Philomena Cunk. That's what started off Philomena Cunk.
ANNA BRADING
Yeah.
GRAHAM CLULEY
She's very good at keeping a straight face. Very funny. Anyway, so Mandy on BBC is my pick of the week.
CAROLE THERIAULT
Well, my husband's, but yeah.
GRAHAM CLULEY
Yeah, alright, borrow it. Anna, what's your pick of the week?
ANNA BRADING
So, my pick of the week. Everyone who was anyone was playing Wordle at the start of the year. Graham, were you playing Wordle?
GRAHAM CLULEY
Nope.
ANNA BRADING
Carole, you weren't?
CAROLE THERIAULT
I'm nobody.
GRAHAM CLULEY
Nope, refused.
ANNA BRADING
Okay, so that's the end of that. I play every day still. I do have a habit of hopping on anything that's faddy, so when I saw it on Twitter, I had to try it out.

But I never shared my scores to Twitter.
GRAHAM CLULEY
Oh, that's all right.
CAROLE THERIAULT
Graham loves it, by the way, if people—
ANNA BRADING
Oh, he does. He's a secret player. He's like me.
CAROLE THERIAULT
Yeah, he likes the scores.
GRAHAM CLULEY
Yeah, I just find it repulsive when people— Mark Stockley tweets their Wordle.
CAROLE THERIAULT
Listeners, if you would like to tweet your Wordle performances to Graham, do not tag me. He is very—
ANNA BRADING
Tag him.
CAROLE THERIAULT
He wants to be tagged.
ANNA BRADING
Yeah, I feel no one cares.
GRAHAM CLULEY
What you want to do in the privacy of your own home is fine, just don't do it in front of me with your Wordles.
ANNA BRADING
Okay, all right, well noted. So since it arrived, obviously then everybody was doing lots and lots of alternatives. So there was Sweardle, my personal favourite.
CAROLE THERIAULT
Yes, I heard of that. Brilliant.
ANNA BRADING
Yes, well, you guess your favourite swear words. Then there was Quordle, which is 4 Wordles in 1, which is just basically, I'm better than anyone else.
CAROLE THERIAULT
Oh, that's one for my husband.
ANNA BRADING
Oh yes, you should. I tried it once. It's just taking the fun out of it. It's just too hard. Yeah, yeah, yeah.

Anyway, so I thought, oh, I'll have a look what other alternatives there are. So I came across one called Heardle.

So it's not really Wordle-related at all, other than you get 6 guesses and it ends in 'dle'. But the aim of this— I think they're jumping on the bandwagon.

So the aim of the game is to guess the songs from the first few bars of the song.
CAROLE THERIAULT
Oh, I like that.
ANNA BRADING
So you get first second, and then the next second, then you get two seconds, and a bit more, and a bit more. So you get 6 guesses.
GRAHAM CLULEY
I actually like that idea. I'm all right with that.
ANNA BRADING
Do you want me to send— I'll drop it into the show notes. Yeah.
GRAHAM CLULEY
Yeah.
ANNA BRADING
Hold on. This is going to take a while.
CAROLE THERIAULT
See, I would not be great at that because I don't actually know most names of songs that I like. I don't know what they're called.
GRAHAM CLULEY
But if you hear the start of it, you can sort of sing along. Yeah, yeah. Until you get to the title, can't you?
ANNA BRADING
But also it's quite good, because you can type it in and it auto-populates. So you don't have to get it completely right. You can be like, oh, I think that's a Britney Spears song.

And then you get a choice.
CAROLE THERIAULT
Okay, that's kind of cool.
ANNA BRADING
So have a go.
GRAHAM CLULEY
Okay, I'm gonna have a go. I'm going in. Listen to the intro, blah, blah, blah. Right, okay, here we go. Okay, play.
CAROLE THERIAULT
Play.
GRAHAM CLULEY
Uh-huh. Well, that was nothing. It was just— That was it.
ANNA BRADING
Annoyingly, my husband got it at that part, at that point. That's just irritating. I did not.
CAROLE THERIAULT
Did he? Okay, okay.
ANNA BRADING
Yeah.
GRAHAM CLULEY
How do I get it to play more than 1 second?
ANNA BRADING
Then you do skip 1 second or something. There's a button, you can skip it.
CAROLE THERIAULT
Michael Jackson's Bad?
ANNA BRADING
Nope.
GRAHAM CLULEY
Oh. This is Beyoncé or Destiny's Child. It's the one where it's—
CAROLE THERIAULT
That's what would happen to me all the time.
GRAHAM CLULEY
Is that it?
ANNA BRADING
Yes, it is it. What's it called?
CAROLE THERIAULT
Independent Women?
ANNA BRADING
Yes.
CAROLE THERIAULT
All the women? Independent Women?
ANNA BRADING
Independent Women, yeah.
GRAHAM CLULEY
Oh my goodness.
ANNA BRADING
Yeah, that's what I got it on the third one.
GRAHAM CLULEY
He got that on the first second.
ANNA BRADING
He went, "Oh, this is a Destiny's Child song." Ugh. Oh, he's good. He's just really irritating.
CAROLE THERIAULT
Oh, I like him a lot.
ANNA BRADING
But really, it's fun, and you only get one a day. So it's the same as Wordle.
CAROLE THERIAULT
Oh yeah, you've got to spell things properly, it turns out.
GRAHAM CLULEY
Well, yeah, you have to spell things properly in Wordle as well, Carole. It does just automatically, doesn't it?
ANNA BRADING
I mean, it does bring up a list of songs for you, Carole. So, how bad are you getting this spell wrong?
GRAHAM CLULEY
Does the— but this doesn't have you then tweet how impressive you were on Twitter about it.
ANNA BRADING
I think there is a share button, so you probably could.
GRAHAM CLULEY
Oh, for goodness' sake. Oh, I see, got it.
ANNA BRADING
So you can do that if you want now, Graham.
GRAHAM CLULEY
No, I'm not going to, because I'm not that desperate. Okay, Heardle. Brilliant.
ANNA BRADING
Yeah, that's my Pick of the Week.
GRAHAM CLULEY
Cool.
CAROLE THERIAULT
Good Pick of the Week, Anna.
ANNA BRADING
Thank you.
GRAHAM CLULEY
Thank you, Carole. What's your pick of the week?
CAROLE THERIAULT
Mine is also cool. So let's say you're decorating a room, or you want a color scheme for a website, or anything where you need help choosing the right colors to go together.

And I know a lot of people have that drama. So let me introduce Adobe Color.

I've used this site forever, so you can see this at color, spelled American style, so c-o-l-o-r.adobe.com. And it's super simple.

You have basically this huge color wheel there, and you'll see there's 5 little circles on the color wheel, and there's one with a tiny little triangle.

There's one — yeah, that's your master color. So you click that one and then put it to whatever color you like for that particular — so I'm gonna go some kind of yellow.

Now at the top you'll see it says Color Harmony Rule, and there's a downward pull-down menu.
ANNA BRADING
Oh yeah.
CAROLE THERIAULT
So then you can choose what kind of color rule you want to apply.

So you can go monochromatic, you can do a triad, and then you can do squares, and you'll know that all these colors will fit together.

Oh, and you can adjust your main color at the bottom they have these RGB or whatever scales. They have a number of different scales, CMYK and all of them.

And you can then change slightly the hues and the tones and the saturations to get exactly very harmonious color scheme.
ANNA BRADING
Oh, that's great.
GRAHAM CLULEY
Very cool.
ANNA BRADING
Yeah.
CAROLE THERIAULT
And it's totally free. And there's — it's just nice, nice little thing to do if you're doing some kind of decorating.

And there's people that have built loads of them, so you can actually go and scooch around and see what kind of palettes people have built or whatever. So quite fun.

And you don't have to log in or anything. You can and then keep your list of colors.

So if you're into art or whatever, you may have a bunch of different schemes that you wanna keep, but otherwise you can just drop in, drop out, and just know you're doing the right thing.
GRAHAM CLULEY
One of the things I see that you can do with this is you can upload an image if there's a color you like in an image. And it will show you what colors will go with that image.

That's quite handy, isn't it?
ANNA BRADING
Oh, that's clever. Yeah.
CAROLE THERIAULT
That's a much better way to do your room. Find a really nice piece of art and then make your room work around the art. That's what I say.

So guys, you can find it at Color, spelled American-style, .adobe.com. And that is my pick of the week.
GRAHAM CLULEY
Marvelous. Well, that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
ANNA BRADING
I'm on Twitter @AnnaBrading.
GRAHAM CLULEY
Simple as that. Thank you so much for coming on the show.

And don't forget, folks, you can also follow us on Twitter @SmashingSecurity, no G, which allows us to have G, and we also have a Smashing Security subreddit.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT
A big shout out to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 266 episodes, check us on SmashingSecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
ANNA BRADING
Bye-bye.
CAROLE THERIAULT
I said bye like you before you said it.
ANNA BRADING
Ah, bye-bye. Bye-bye.
GRAHAM CLULEY
Bye-bye.
ANNA BRADING
I've just also worked out that it's nurdle, not hurdle, which is what I've been calling it all day. So thank you, Graham, for correcting me there. Nurdle.
CAROLE THERIAULT
Yeah, hurdle. Murdle.
GRAHAM CLULEY
Murdle. Murdle. Nurdle.
ANNA BRADING
Nurdle.
CAROLE THERIAULT
Don't talk about yourself that way, Graham.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Anna Brading – @annabrading

Show notes:

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: Drata

Is your organization finding it difficult to achieve compliance and scale its security posture? As G2’s highest-rated cloud compliance software, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR & HIPAA compliance and provides 24-hour continuous control monitoring so you focus on scaling securely. Drata is also the only compliance automation platform with a private tenant database. That’s like having your cake and securing it too.

Countless security professionals from companies including Notion, FullStory, & BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process.

Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.