Strange goings-on on LinkedIn, Ukraine publishes a list of alleged Russian FSB agents, and police in Pittsburgh investigate an odd report of an active shooter.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist’s Geoff White.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Yeah, sometimes cyberattacks can be like farts though, silent but deadly.
Well, this is the thing. There's a huge amount going on in the background.
I know there've been fears of chemical warfare, Carole, but that's gone a step too far.
Maybe that's what did for Roman Abramovich and that negotiating team. Maybe it wasn't a chemical agent. Maybe it was just a huge air biscuit that someone floated. Anyway.
Smashing Security, episode 268, LinkedIn Deepfakes, Doxing Russian Spies and a False Alarm with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 268. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 268. My name's Graham Cluley.
And I'm Carole Theriault.
And we are joined by podcast royalty. It is the king, The Lazarus Heist's Geoff White.
Hello, how are you both?
The Lazarus Heist, it's not just a podcast, is it? It's going to be something else.
It is now a book. It will be a book in June. I wrote the book in four months, which was tight.
That's good going.
Yeah. So that's going to be out in June.
And it doesn't just go the podcast, it goes the whole hog and does loads of other stuff about North Korean cyberwar, North Korea's alleged computer hacking campaigns, full nine yards.
And there are just some bonkers stories, and it just gets more and more outlandish the more you cover it, that story.
And it doesn't just go the podcast, it goes the whole hog and does loads of other stuff about North Korean cyberwar, North Korea's alleged computer hacking campaigns, full nine yards.
And there are just some bonkers stories, and it just gets more and more outlandish the more you cover it, that story.
Well, we're going to read all about it because we've pre-ordered. Yay!
Which you can do now.
Well, we have, yeah, both of us have.
Yeah, we'd like it signed.
Of course, of course.
Yeah, next time we see you.
I've got a question for you.
Considering all the trouble that Sony Pictures got into after The Interview, that movie which sort of made fun of the North Korean leader, are you at all worried about publishing this book?
Considering all the trouble that Sony Pictures got into after The Interview, that movie which sort of made fun of the North Korean leader, are you at all worried about publishing this book?
I do hate this question because, I mean, the answer is yes. We take a lot of measures and steps to try and protect ourselves.
And yeah, the irony of reporting on a major media company that did something North Korea didn't like and then got hacked as a major media company reporting on something North Korea doesn't like.
The irony on both the BBC and Penguin, the publisher of the book, was not wasted. So we have made strenuous efforts. But look, you never say never.
I mean, nobody's 100% secure, are they? So all I can say is, so far we seem to be safe and we fully intend to keep ourselves that way.
And yeah, the irony of reporting on a major media company that did something North Korea didn't like and then got hacked as a major media company reporting on something North Korea doesn't like.
The irony on both the BBC and Penguin, the publisher of the book, was not wasted. So we have made strenuous efforts. But look, you never say never.
I mean, nobody's 100% secure, are they? So all I can say is, so far we seem to be safe and we fully intend to keep ourselves that way.
Yeah. Well, the cover is not giving anything away though.
No. Well, Kim Jong-un on the cover was a sort of bold move.
Yep, I would say so.
There was discussions about that. About how that would work and what was tolerable and what wasn't tolerable. And could we sort of change the colour of his face to fit the thing?
Is that— no, we're not sure about that. So there was lots of discussions about what you can do to Kim Jong-un's face, basically.
Is that— no, we're not sure about that. So there was lots of discussions about what you can do to Kim Jong-un's face, basically.
As long as it's a flattering photograph, surely he won't mind, as long as it makes him look good.
Given the subject matter, it's difficult to get a flattering photograph, I think, of Kim Jong-un.
Be very careful, Geoff. This is when the hack is going to begin.
Did you see the video of their latest missile launch, the astonishing video they put out?
Oh, yes. I heard of it, but I did not see it.
No, it was almost— I really had to double-check. I thought, I want to retweet this, but I have to double-check it's not a parody, because it really, really looks like a parody.
It's sort of, you know, it's like Fast and Furious meets, well, meets Pyongyang. It's just weird.
It's sort of, you know, it's like Fast and Furious meets, well, meets Pyongyang. It's just weird.
Wow.
And that's the thing. The problem is these videos that, you know, it's hard not to find entertaining, but obviously there is a nuclear threat behind it all.
So you have to really sort of balance your emotions on that.
So you have to really sort of balance your emotions on that.
Shall we get this show on the road, boys?
Why not?
Yay!
Let's first thank this week's sponsors, Collide and Keeper Security. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm thinking of Lincoln.
Okay, nice, nice, Graham. What about you, Geoff?
We're going to take a trip to Ukraine.
Ooh, and I'm taking a trip to sunny Pittsburgh. All this and much more coming up on this episode of Smashing Security.
Now, chums, are you on LinkedIn?
Yeah. Oh yes.
Yes, but no.
Yeah, Carole, your situation on LinkedIn is a little bit odd, isn't it? Because you have an account. I sometimes tag you in my posts. But you could have changed.
I'm on there very rarely. I go in maybe once a quarter or once every 6 months and respond.
I'm not even connected to you. Wait, I'm connecting now. There we go.
Oh yeah. Okay. Well, it'll take a while.
Yeah.
Take a while to be accepted.
Well, I used to be really strict about who I connected with on LinkedIn. I didn't to accept LinkedIn requests from any old Thom, Dick, or Harry.
I didn't even accept LinkedIn requests from people who worked at the same company as me, or even in the same department.
I had a very simple rule, which was I'd only accept a LinkedIn connection if it was someone who I would feel comfortable coming round to my house and having dinner at my dinner table.
I didn't even accept LinkedIn requests from people who worked at the same company as me, or even in the same department.
I had a very simple rule, which was I'd only accept a LinkedIn connection if it was someone who I would feel comfortable coming round to my house and having dinner at my dinner table.
So Graham and the two people.
The smallest LinkedIn following in the world goes to Graham Cluley.
100% attendance.
Well, all of that changed when I became a freelancer and I loosened up a bit and I realised, you know what? I'm going to link in with bloody everyone.
I'm going to pretend to be friends with people who I don't know. I'm going to accept LinkedIn requests from just about everyone. Not quite everybody, but pretty much.
I mean, obviously people who are sort of into blockchain and stuff that. I refuse their connections. But generally—
I'm going to pretend to be friends with people who I don't know. I'm going to accept LinkedIn requests from just about everyone. Not quite everybody, but pretty much.
I mean, obviously people who are sort of into blockchain and stuff that. I refuse their connections. But generally—
Do you do upon request job recommendations?
Oh yes.
Oh, I could maybe— hang on. There's maybe a thing I could—
Make a bit of wonga?
I could monetise there. I haven't thought about that.
Just look, insert name here.
Okay, let's brainstorm that after the podcast. I quite that idea. But yeah, it doesn't matter if I've never heard of you, never met you, will never meet you. The more the merrier.
But sometimes people break etiquette. Sometimes people send me a LinkedIn connection, right? And that's fine. But then they try to talk to me.
And that's okay, I guess, if they want to say something nice about the podcast or book me to speak at an event.
But it's pretty tedious when they say, oh, maybe we could set up a call sometime to talk about your requirements as a company, or can I come and work for your company?
It's, I'm a one-person band.
But sometimes people break etiquette. Sometimes people send me a LinkedIn connection, right? And that's fine. But then they try to talk to me.
And that's okay, I guess, if they want to say something nice about the podcast or book me to speak at an event.
But it's pretty tedious when they say, oh, maybe we could set up a call sometime to talk about your requirements as a company, or can I come and work for your company?
It's, I'm a one-person band.
It's a business connection site. That's the whole point.
I get that too though. People say, oh, Geoff, you know, I've heard you're hiring information analysts. It's, have you? With what money? I'm one person.
And now you understand why I'm never on it.
Well, I think a lot of people are probably a lot more patient than I am because I just instantly, if someone does that, if someone does that and it annoys me, I just remove the connection.
I just think, oh, clearly you're using this for some ulterior purpose, whereas I definitely wasn't.
But some people don't do that, some people are more willing to connect, like Renée DeRista of Stanford University, for instance.
She received a LinkedIn message from a woman called Keenan Ramsey.
I just think, oh, clearly you're using this for some ulterior purpose, whereas I definitely wasn't.
But some people don't do that, some people are more willing to connect, like Renée DeRista of Stanford University, for instance.
She received a LinkedIn message from a woman called Keenan Ramsey.
Okay.
And Keenan said she was a member of the same LinkedIn group as Renée, and she sent her a little cheery greeting, "Hi there," and some grinning emojis.
And after a bit of chitchat, she swiftly moved on to the sales pitch.
And she said, oh, quick question: have you ever considered or looked into a unified approach to message, video, and phone on any device anywhere?
And after a bit of chitchat, she swiftly moved on to the sales pitch.
And she said, oh, quick question: have you ever considered or looked into a unified approach to message, video, and phone on any device anywhere?
Well, who hasn't?
Cut and paste.
Yeah, exactly. And you just think, oh, here we go.
Have you ever? That's the worst have you ever question ever, isn't it? Have you ever?
Have you ever?
Because if you say yes, you engage. And if you say no, well, let me tell you all about it.
Yeah, because anyway, so Keenan's profile revealed to Renée that she worked for RingCentral and had been working there since September 2019.
And RingCentral, if you don't know, they're a business communication solution offering web meetings and video calls. It's a bit like Zoom, all that kind of jazz.
And RingCentral, if you don't know, they're a business communication solution offering web meetings and video calls. It's a bit like Zoom, all that kind of jazz.
You're coming back for businesses though, or?
Yeah, for business, right. And prior to that, Keenan, according to her profile, worked at a cloud firm, Merantis.
Prior to that, she was a marketing specialist at a firm called Language.io, and she's got a degree in business admin from New York University. She's got 300-odd connections.
It all kind of checks out.
Prior to that, she was a marketing specialist at a firm called Language.io, and she's got a degree in business admin from New York University. She's got 300-odd connections.
It all kind of checks out.
Legit, legit, legit. Yeah, no red flags at the moment.
Well, apart from the fact that I'm mentioning this on the podcast.
Yes, well.
Which instantly—
I was just trying to build some tension, Graham.
Yes, it sets your antenna off, doesn't it? You think this isn't a normal— why would Graham be speaking about this otherwise?
So Renée DeRista, who received this message, she wondered, what's going on here, right? She was a bit suspicious about it.
She thought, is this an attempt to phish some sensitive information? Maybe there's going to be a click here to set up a meeting kind of link.
So Renée DeRista, who received this message, she wondered, what's going on here, right? She was a bit suspicious about it.
She thought, is this an attempt to phish some sensitive information? Maybe there's going to be a click here to set up a meeting kind of link.
That's what I was thinking, yeah.
Yeah.
Is it just business or is there an intention to steal information or something like that?
She thought that particularly when she received an identical LinkedIn message with the same emojis from someone else claiming to work at RingCentral.
She thought that particularly when she received an identical LinkedIn message with the same emojis from someone else claiming to work at RingCentral.
Oh, well, I mean, lots of call centres have scripts. So there may be— there could be a marketing script, right? Maybe.
And then Renée received an email. An email, not a LinkedIn message, from a third RingCentral employee, which referenced the message sent to her initially by Keenan Ramsey.
Mm-hmm.
God, I'm over like hives.
It's just—
It's just swarming.
They're really keen on Renée de Resta. And the thing is about Renée de Resta of Stanford University, she has a very particular set of skills. Skills she's acquired over her career.
Skills that mean she is one of the few people in the world who can spot the telltale signs of an AI-generated image. She's an expert in deepfake imagery.
So she looked at the profile picture that Keenan had used on her profile, and she thought this— she thought, hmm. She's only got one earring.
Skills that mean she is one of the few people in the world who can spot the telltale signs of an AI-generated image. She's an expert in deepfake imagery.
So she looked at the profile picture that Keenan had used on her profile, and she thought this— she thought, hmm. She's only got one earring.
And that's not unusual, really.
Apparently on LinkedIn, it's a little bit unusual. Your profile picture, most people will have more than one earring.
Remember both earrings?
Yeah, they're balanced out. Otherwise, you know, you have a lopsided image, right?
What are you like?
Also, her eyes were aligned precisely in the centre of the photograph, right in the middle of the picture. So, imagine you had an image which was 500 pixels by 500 pixels.
The eyes are bang right where you would expect them to be. Right in the crosshairs.
The eyes are bang right where you would expect them to be. Right in the crosshairs.
That could be a cropping thing though.
It could be, but it's a level of professionalism. The background was blurred and vague, didn't look anything in particular.
And some strands of Keenan's hair appeared to blur into this background. And so, it just got Renée's spider senses tingling. She knew something odd was going on.
She thought, this is weird, this is weird. So what she did was she contacted RingCentral. And she said, can I speak to Keenan Ramsey, please?
And RingCentral said, oh, we don't have any employee by that name.
And some strands of Keenan's hair appeared to blur into this background. And so, it just got Renée's spider senses tingling. She knew something odd was going on.
She thought, this is weird, this is weird. So what she did was she contacted RingCentral. And she said, can I speak to Keenan Ramsey, please?
And RingCentral said, oh, we don't have any employee by that name.
Ding, ding, ding.
And then she spoke to Language.io and they said, no, no, we've got no records of her ever having worked for us.
Merantis, the company she worked for allegedly between Language.io and RingCentral, they said, they couldn't share any employee information without written authorization from the employee.
Now, I don't know how you get that written authorization when the person is a fake. You would think the company would say, oh no, we haven't had anyone called that here. But anyway.
Merantis, the company she worked for allegedly between Language.io and RingCentral, they said, they couldn't share any employee information without written authorization from the employee.
Now, I don't know how you get that written authorization when the person is a fake. You would think the company would say, oh no, we haven't had anyone called that here. But anyway.
Yeah, well, they're not an employee if they haven't worked there. Therefore, that's null and void.
Yeah, you would think so, wouldn't you? New York University, they said no. Nobody called Keenan Ramsey has ever received a degree here.
Now, people lie on their CVs and LinkedIn profiles all of the time, right, Carole?
Now, people lie on their CVs and LinkedIn profiles all of the time, right, Carole?
I don't know. I don't hang out there.
Oh.
Are you suggesting I lie on my— is there anything you want to point out to me?
Well, maybe we should take a look at it right now.
Maybe we should. I'm very happy. Go for it.
You're in school uniform, Carole, on your LinkedIn profile. Probably. That's how old it is.
It's not actually a photograph. It's a brass rubbing. It's that old.
You're wearing a puffball skirt and pixie boots. When was this taken?
So what happened then was Renée decided, well, I'm gonna look up the LinkedIn profiles of the other people who contacted me claiming to work for RingCentral.
Of course, yeah.
Same story. Work and educational histories didn't pass the sniff test. The image appeared to be deepfaked.
And the third contact she had, the email from a RingCentral employee, that referred to the email from the fake Keenan, that was a genuine worker at RingCentral.
So why are fake people being used by RingCentral to get people to make contact with them?
And the third contact she had, the email from a RingCentral employee, that referred to the email from the fake Keenan, that was a genuine worker at RingCentral.
So why are fake people being used by RingCentral to get people to make contact with them?
So it's fake, fake, real, was the—
So the email was real, and then two phishing attempts.
Yeah, exactly, exactly.
Okay.
So Renee got together with one of her colleagues at Stanford University, a chap called Josh Goldstein, and they started investigating.
They found more than 1,000 accounts that appear to use AI-generated images, which is a breach of LinkedIn's rules.
And when they searched for evidence that those people actually existed on the internet, they found no evidence that they were real.
So normally, if you find someone on LinkedIn, you can find other evidence that they exist.
They found more than 1,000 accounts that appear to use AI-generated images, which is a breach of LinkedIn's rules.
And when they searched for evidence that those people actually existed on the internet, they found no evidence that they were real.
So normally, if you find someone on LinkedIn, you can find other evidence that they exist.
I don't— I just kind of get the idea of people using deepfakes in order to hide their real ugliness?
Yeah, maybe ugliness, or also that you wouldn't mind someone that approximates you, but it's not exactly you, just to obfuscate yourself from AI recognition software.
Yeah, maybe ugliness, or also that you wouldn't mind someone that approximates you, but it's not exactly you, just to obfuscate yourself from AI recognition software.
Seems a little bit uncomfortable if you're gonna get into some sort of business trust relationship with someone if you're— I mean, presumably you're also lying about your name, are you?
You're comfortable with your name, but not with your photograph? It's, like I said, it's against LinkedIn rules.
I mean, there have been studies done which said that people trust average kind of faces more. So if you are particularly odd—
You're comfortable with your name, but not with your photograph? It's, like I said, it's against LinkedIn rules.
I mean, there have been studies done which said that people trust average kind of faces more. So if you are particularly odd—
Sorry, Graham.
Well, if you have some sort of peculiarity in your face, whether it be astounding beauty and handsomeness, or whether it be you're a bit fugly, then people are less likely to trust you.
But if you're sort of average, then it works.
But if you're sort of average, then it works.
But you're going to have a meeting with these people at some stage where you turn up and they go, wait, 'You're not a cross between Brad Pitt and George Clooney.
You're fugly.' And at that point, any trust you've worked up is going to vanish pretty damn quickly.
You're fugly.' And at that point, any trust you've worked up is going to vanish pretty damn quickly.
Are you going to have a meeting though, Geoff? Are you going to have a meeting? Because these days it's all remote, isn't it?
I suppose that's true. You could go on Zoom.
Yeah, and your foot's in the door, right?
Right. Yeah, hideously ugly foot's in the door then.
Yeah, your monster claw.
So what the Stanford researchers found was that most of these fake accounts all had similar kind of jobs.
They said, we're business development managers, we're sales development, we're demand generation. So it's all about getting leads.
And as a great report in NPR describes, the researchers, Renée and Josh, they discovered this whole undercover industry of firms that create fake LinkedIn profiles that then reach out to potential customers and set up meetings for in-house salespeople, for instance, at RingCentral.
They said, we're business development managers, we're sales development, we're demand generation. So it's all about getting leads.
And as a great report in NPR describes, the researchers, Renée and Josh, they discovered this whole undercover industry of firms that create fake LinkedIn profiles that then reach out to potential customers and set up meetings for in-house salespeople, for instance, at RingCentral.
Is that because it's a time saver and a resource saver? So you have what, AI-generated profiles? Or they're just fake profiles in case someone reports them?
They're like, oh, we don't know. They don't exist here. I don't understand.
They're like, oh, we don't know. They don't exist here. I don't understand.
Well, it's not being done directly by the company which eventually gets the sales lead.
So the companies which are interested in the sales lead, they sort of farm them out to service companies and third parties. They don't really care how they get the leads.
It's just like, if you can help us, that's great, and we'll turn a blind eye to what you're doing.
So the companies which are interested in the sales lead, they sort of farm them out to service companies and third parties. They don't really care how they get the leads.
It's just like, if you can help us, that's great, and we'll turn a blind eye to what you're doing.
Well, that's true. I can understand that.
If you've got thousands of people on LinkedIn who are potential leads and you want to narrow those down to the sort of 500 hot leads, a company that says, look, we've got 500 people who said yes to a meeting, that's— they're the people you want to contact, not the thousands of people who would never respond.
It's a filtering exercise, isn't it? It's an AI filtering exercise.
If you've got thousands of people on LinkedIn who are potential leads and you want to narrow those down to the sort of 500 hot leads, a company that says, look, we've got 500 people who said yes to a meeting, that's— they're the people you want to contact, not the thousands of people who would never respond.
It's a filtering exercise, isn't it? It's an AI filtering exercise.
It is. But they're claiming to work for RingCentral. They're claiming to have all this background and all this banking information on their CV.
Yeah, there's a credibility question.
It's like, why aren't they using their own images? Is it because they're too ugly? Why aren't they saying who they really work for?
Now, what does RingCentral say? They say, oh yeah, yeah, no problem.
Well, they've issued a kind of apology.
They said, while this may have been an industry-accepted practice in the past— bullshit— going forward, we do not think this is an acceptable practice and is counter to our commitment to our customers.
They said, while this may have been an industry-accepted practice in the past— bullshit— going forward, we do not think this is an acceptable practice and is counter to our commitment to our customers.
So sorry, not sorry.
Kind of, yeah.
NPR, they didn't give up in their investigation, and they contacted a whole load of companies who were offering this kind of service, and each one they contacted were kind of like, oh no, no, no, we don't do that anymore.
We used to do that. We used to do that with two-factor authentication, and they removed evidence of it from their website.
The RingCentral employee who contacted Renee he's very helpfully left the company and isn't returning any messages. So he's disappeared.
It's all a big nothing to see here, nothing to see here.
For its part, LinkedIn, they say in their latest transparency report that it's removed more than 15 million fake accounts, although most of those— that was in the period of 6 months during 2021.
Most of those happen at the time of registration rather than later once you're active. They're looking for suspiciousness there.
So it does appear there's a fair amount of that going on.
And what was interesting to me when I read this report, and it is worth reading and digging a little bit more into it, was that this is the use of deepfake AI imagery, not for disinformation and misinformation, but for something rather more mundane, just a way of generating leads.
And if, you know, it's fascinating that the technology is now being adopted by just about anybody 'cause it's so easy to create fake images of realistic looking people.
NPR, they didn't give up in their investigation, and they contacted a whole load of companies who were offering this kind of service, and each one they contacted were kind of like, oh no, no, no, we don't do that anymore.
We used to do that. We used to do that with two-factor authentication, and they removed evidence of it from their website.
The RingCentral employee who contacted Renee he's very helpfully left the company and isn't returning any messages. So he's disappeared.
It's all a big nothing to see here, nothing to see here.
For its part, LinkedIn, they say in their latest transparency report that it's removed more than 15 million fake accounts, although most of those— that was in the period of 6 months during 2021.
Most of those happen at the time of registration rather than later once you're active. They're looking for suspiciousness there.
So it does appear there's a fair amount of that going on.
And what was interesting to me when I read this report, and it is worth reading and digging a little bit more into it, was that this is the use of deepfake AI imagery, not for disinformation and misinformation, but for something rather more mundane, just a way of generating leads.
And if, you know, it's fascinating that the technology is now being adopted by just about anybody 'cause it's so easy to create fake images of realistic looking people.
Hmm.
Graham, we have to make full circle now. So how many of your connections on LinkedIn do you think—
I know.
We have to start looking at their central eye positionings.
Wait, I'm looking at Carole's picture here. The eyes are in the middle.
How do you do almost like blobs?
Geoff, what have you got to talk about this week?
I am gonna take us to the Russia-Ukraine conflict, which is in a lot of ways a very drear topic.
However, however, there is something absolutely stunning that's come out of the last couple of days, which I just think is really worth having a look at.
Because it sort of indicates where we are with the kind of cyber conflict.
Because I think a lot of people were assuming when there was another big war that cyber would be— there'd be a cyber war, we'll see all these cyber attacks and robotic tanks and all that kind of thing.
And we just haven't seen it, frankly, so far that we know of in Ukraine.
However, however, there is something absolutely stunning that's come out of the last couple of days, which I just think is really worth having a look at.
Because it sort of indicates where we are with the kind of cyber conflict.
Because I think a lot of people were assuming when there was another big war that cyber would be— there'd be a cyber war, we'll see all these cyber attacks and robotic tanks and all that kind of thing.
And we just haven't seen it, frankly, so far that we know of in Ukraine.
Yeah, sometimes cyber attacks can be like farts though, silent but deadly.
Well, this is the thing. There's a huge amount going on in the background.
I know there've been fears of chemical warfare, Carole, but that's gone a step too far.
Maybe that's what did for Roman Abramovich and that negotiating team. Maybe it wasn't a chemical agent, maybe it was just a huge air biscuit that someone floated.
But anyway, look, so what's interesting about this is there's been a leak, a massive leak of information from the Ukrainian government.
This is the details of 625, I think it is, FSB agents, so Russian Secret Service agents. And they've published it on their website.
I'm looking at it right now, and it's just lists of people's names, dates of birth, passport numbers, addresses, mobile phone numbers. It is absolutely astonishing.
But anyway, look, so what's interesting about this is there's been a leak, a massive leak of information from the Ukrainian government.
This is the details of 625, I think it is, FSB agents, so Russian Secret Service agents. And they've published it on their website.
I'm looking at it right now, and it's just lists of people's names, dates of birth, passport numbers, addresses, mobile phone numbers. It is absolutely astonishing.
So this isn't something which has accidentally leaked from the Ukrainian government. They've published it, and they've basically doxxed 600 Russian spies.
This is on their website.
Wow.
I mean, this isn't without precedent.
I mean, you'll remember there was an incident back in 2018 when a bunch of Russian agents turned up in The Hague and tried to hack into the OPCW, the Organisation for the Prevention of Chemical Weapons.
This was after the poisoning attack in the UK, and there was this idea that the Russians were going to OPCW to try and interfere with the investigation.
They got caught and left The Hague, but they couldn't arrest them because these guys were on diplomatic passports.
I mean, you'll remember there was an incident back in 2018 when a bunch of Russian agents turned up in The Hague and tried to hack into the OPCW, the Organisation for the Prevention of Chemical Weapons.
This was after the poisoning attack in the UK, and there was this idea that the Russians were going to OPCW to try and interfere with the investigation.
They got caught and left The Hague, but they couldn't arrest them because these guys were on diplomatic passports.
Yeah.
That must be so frustrating.
Oh my God.
I know, you can imagine, "Oh, damn it." But what they did do, the authorities, they released the details of the passports.
They said, "Look, these are the passports they were traveling on." So Bellingcat, the investigative website, went and found these passports on a Russian database.
And the passports were registered to a particular address. And there was a whole thing about people's cars being registered to this particular address.
And clearly, FSB agents were registering their cars to the FSB headquarters.
They said, "Look, these are the passports they were traveling on." So Bellingcat, the investigative website, went and found these passports on a Russian database.
And the passports were registered to a particular address. And there was a whole thing about people's cars being registered to this particular address.
And clearly, FSB agents were registering their cars to the FSB headquarters.
Yes.
So they did a reverse search and said, "Okay, show me all the other cars that are registered here," and got a list of 305 Russian agents who'd all registered their cars to the office address.
But that was a leak of information legitimately that was then turned by Bellingcat into a database, whereas this is just the Ukrainian government going, "Here you go." And what's remarkable, I mean, obviously I've been doing a bit of digging into this list, and I mean, for a start, some of these guys are on WhatsApp.
So I was going to send them an invite to FarmVille. I thought, you know, they're clearly under the cosh, these poor chaps. And, you know, maybe—
But that was a leak of information legitimately that was then turned by Bellingcat into a database, whereas this is just the Ukrainian government going, "Here you go." And what's remarkable, I mean, obviously I've been doing a bit of digging into this list, and I mean, for a start, some of these guys are on WhatsApp.
So I was going to send them an invite to FarmVille. I thought, you know, they're clearly under the cosh, these poor chaps. And, you know, maybe—
They might need a bit of entertainment.
Bit of distraction, yeah. Come and plant a courgette with me.
So that's the whole point. So there's nothing unclear about it. They are posting all this information to say, hackers of the world, here you go.
Well, this is the thing. I wonder, we've now got a database here apparently of, I should say, alleged Russian agents, FSB agents, because this is—
Right, who knows?
Coming from the Ukrainian government. But if it's right, we've got a list of mobile phone numbers here.
I mean, as we know from the sort of NSO Pegasus mobile phone malware story, targeting mobile numbers of foreign operatives is something that you can do if you've got the malware, so that's one option.
I haven't caught up on whether the whole SS7 mobile phone problems have been sorted, but there was a period of time where you could track people's mobile numbers and send them text messages via the SS7 system.
Again, you know, is that going to happen?
Also, if I'm a foreign government now and I'm thinking, right, I want to know if I've got any FSB agents in my country, I can take these mobile numbers, give them to the sort of tier 1 mobile phone provider like BT in the UK, for example, and say, 'Right, if these mobile numbers pop up on our network, could you please let us know because we've got Russian agents in the country?' All sorts of stuff you can do with this.
Oh, and the other thing that's crazy about this is there's little notes on some of these profiles as well. So there's one which is called— now, what's the name of it? Hang on. Dima.
I'm just going to refer to him as Dima because I don't want to name the guy just in case, get sued and everything.
But it says, "Dima, the terrible lieutenant," in inverted commas, and it's got his address here.
There's one that says, "FSB operative, late payments on loans." So clearly somebody, Gorbunov Maxim, is behind on his payments. Just astonishing detail in this leak.
Absolutely amazing.
I mean, as we know from the sort of NSO Pegasus mobile phone malware story, targeting mobile numbers of foreign operatives is something that you can do if you've got the malware, so that's one option.
I haven't caught up on whether the whole SS7 mobile phone problems have been sorted, but there was a period of time where you could track people's mobile numbers and send them text messages via the SS7 system.
Again, you know, is that going to happen?
Also, if I'm a foreign government now and I'm thinking, right, I want to know if I've got any FSB agents in my country, I can take these mobile numbers, give them to the sort of tier 1 mobile phone provider like BT in the UK, for example, and say, 'Right, if these mobile numbers pop up on our network, could you please let us know because we've got Russian agents in the country?' All sorts of stuff you can do with this.
Oh, and the other thing that's crazy about this is there's little notes on some of these profiles as well. So there's one which is called— now, what's the name of it? Hang on. Dima.
I'm just going to refer to him as Dima because I don't want to name the guy just in case, get sued and everything.
But it says, "Dima, the terrible lieutenant," in inverted commas, and it's got his address here.
There's one that says, "FSB operative, late payments on loans." So clearly somebody, Gorbunov Maxim, is behind on his payments. Just astonishing detail in this leak.
Absolutely amazing.
Do we know where the Ukrainians got this data from?
No, that is a very good question, and one to which we don't know the answer, at least not as far as the stuff I've seen.
Yeah, we're waiting for people like MI5 and the CIA to come out and go, "Oh, Frank. Yeah, yeah, Serge. Yeah, yeah." You know?
Well, I wonder if it'll be annoying to other secret services because they may have had access to this information already.
And maybe were trailing and tracking some of these mobile phone numbers. And now, basically the balloon's gone up, hasn't it, to all those agents? Change your mobile phone numbers.
And maybe were trailing and tracking some of these mobile phone numbers. And now, basically the balloon's gone up, hasn't it, to all those agents? Change your mobile phone numbers.
And what if some of them are double agents? And how that hurts the contacts with maybe information.
The other thing is, Russia does seem to be a very leaky place data-wise.
There's an investigation on BBC the other day, which BBC and again Bellingcat, this investigative journalist's investigative outfit, where what they've done is they got travel documents and they tracked the movements of Russian opposition activists.
And then they tracked who was on the same plane and the same train at the same time. And effectively worked out who was tracking these guys around the world.
And it's like, okay, here's an FSB agent who's basically on the same plane and same train as this opposition activist at exactly the same time. They're clearly being tailed.
And this is in advance of the poisoning of Alexei Navalny. But they got a lot of information.
Bellingcat says that some of the information came from Russian databases that are just being bought and sold and freely traded.
So it does seem like in Russia, if you've got deep pockets, you can get hold of information passport information, travel information, flight information that in the UK just would not be able to get hold of.
It's a leaky place, and I suspect people's willingness perhaps to make a cheap buck by leaking information is slightly higher in Russia than it is in a lot of other countries.
So, yeah. Interesting. Gosh.
There's an investigation on BBC the other day, which BBC and again Bellingcat, this investigative journalist's investigative outfit, where what they've done is they got travel documents and they tracked the movements of Russian opposition activists.
And then they tracked who was on the same plane and the same train at the same time. And effectively worked out who was tracking these guys around the world.
And it's like, okay, here's an FSB agent who's basically on the same plane and same train as this opposition activist at exactly the same time. They're clearly being tailed.
And this is in advance of the poisoning of Alexei Navalny. But they got a lot of information.
Bellingcat says that some of the information came from Russian databases that are just being bought and sold and freely traded.
So it does seem like in Russia, if you've got deep pockets, you can get hold of information passport information, travel information, flight information that in the UK just would not be able to get hold of.
It's a leaky place, and I suspect people's willingness perhaps to make a cheap buck by leaking information is slightly higher in Russia than it is in a lot of other countries.
So, yeah. Interesting. Gosh.
Carole, what have you got for us this week?
I have a story that has a really big fat takeaway. I think it's fairly obvious and should give us all pause. In fact, at the end, you guys tell me if you think you know what it is.
I'll ask the question. Okay, so buckle in, because we're heading to Pittsburgh.
I'll ask the question. Okay, so buckle in, because we're heading to Pittsburgh.
Gotta pay attention now. Okay, can't relax.
This is a high-stake drama. Have you ever been to Pittsburgh?
I've never been. No, no, no.
Okay, so we can't give the city any color, but it is Friday in late March 2022, and it's lunchtime at Nova Place.
This is a new multi-million dollar redevelopment in the north side of downtown Pittsburgh, and it boasts restaurants and a fitness center and Pittsburgh's largest co-working space.
So you got people chilling, eating, meeting, sweating.
This is a new multi-million dollar redevelopment in the north side of downtown Pittsburgh, and it boasts restaurants and a fitness center and Pittsburgh's largest co-working space.
So you got people chilling, eating, meeting, sweating.
You've probably got a subway, there are probably yellow cabs.
Exactly. And then suddenly, city and county cops screech into the scene and police start swarming around.
According to one worker at one of the restaurants at Nova Place, said, "We heard this emergency alarm go off and cops started telling people there was a 911 call saying there was an active shooter on the premises." Not good.
And I'm sure there was probably a Columbo-style detective there, Graham.
According to one worker at one of the restaurants at Nova Place, said, "We heard this emergency alarm go off and cops started telling people there was a 911 call saying there was an active shooter on the premises." Not good.
And I'm sure there was probably a Columbo-style detective there, Graham.
Oh, okay. Now you've got my interest. You're doing this just to keep me engaged, aren't you?
So, I want you to wear the Columbo hat, okay?
Yeah, okay. He doesn't wear a hat.
Okay. A coat. Whatever.
Wrinkly Mac was Columbo, wasn't it?
Just one more thing. That's right.
A guest at Nova Place, Ted Uminski, said, "Three cops, guns drawn, and they're like, 'Did you guys see anything?' And we said, 'No,' and they're like, 'Get out of here now.'" And so, you're eating at a restaurant, right?
Do you just get up and leave? Do you leave $20? Do you leave money or do you hide in the bathrooms?
A guest at Nova Place, Ted Uminski, said, "Three cops, guns drawn, and they're like, 'Did you guys see anything?' And we said, 'No,' and they're like, 'Get out of here now.'" And so, you're eating at a restaurant, right?
Do you just get up and leave? Do you leave $20? Do you leave money or do you hide in the bathrooms?
What do you do?
I'd take the food with me. Would you?
I'd be running out, chowing down. I wouldn't stop eating. I'd run and eat.
Two mitts full of spaghetti bolognese. Exactly.
Just jamming it into my face as I head for the exits. I mean, you've gotta get calories if you're gonna run that fast.
You might get shot. You'll look like you've been eating brains.
So the tomato ketchup may look like blood. That's the danger.
So there's this alarm screeching, there's a gaggle of cops with weapons in hand, there's a frantic public being told to get out of Dodge.
Nearby elementary schools were also placed in lockdown. I mean, this is not what you hope for for a pleasant Friday lunchtime.
Nearby elementary schools were also placed in lockdown. I mean, this is not what you hope for for a pleasant Friday lunchtime.
No, it's not normally. It's chaos. Although you've avoided paying for your lunch, so there is that.
Some of us left it behind. Some of us shoved it in our pockets. So, for the next 2 hours, cops looked for signs of the shooter in the vicinity.
Everyone's on high alert, but they come up with nothing. And so, everyone's frustrated. I'm sure the stress was palpable.
Everyone's on high alert, but they come up with nothing. And so, everyone's frustrated. I'm sure the stress was palpable.
Where's a man with a gun when you want one? You kind of expect, you're in America, it shouldn't be hard to find someone acting suspiciously with a weapon.
But on this particular occasion, they can't find anybody.
But on this particular occasion, they can't find anybody.
Come up blank. Unbelievable. So, okay, Columbo, Columbo, you're in charge of this operation. What do you do now? You've been told by— on a 911 call, there's a shooter. You're there.
Well, who left this 911 call? Can we find out who they were?
Yes. Yes. So it seems that the frantic 911 caller reported that shots were heard in the Nova Place office building.
Were development, and this is the call that made the cops hightail it over. But it turns out the caller was off-site, right? Right. So how did they get the information?
How far off-site are we talking?
I mean, you know, so what happened to them is that they received a text from one of their buds who was hanging out at Nova Place with the words firearm.
So the caller calls the sender, right, to go, "What the hell's going on?" But there's no answer. So just from the message "firearm"—
Were development, and this is the call that made the cops hightail it over. But it turns out the caller was off-site, right? Right. So how did they get the information?
How far off-site are we talking?
I mean, you know, so what happened to them is that they received a text from one of their buds who was hanging out at Nova Place with the words firearm.
So the caller calls the sender, right, to go, "What the hell's going on?" But there's no answer. So just from the message "firearm"—
I mean, I don't know how dangerous Pittsburgh is.
Apologies to— You know, but maybe if someone in the state says "firearm," you take it seriously.
"Firearm." But it could be an autocorrect error or something. It could have been something— Oh, could it?
Yes. Well, the thing is, you know, surely the quicker way to text is to go, "Gun," rather than "firearms." I think it's okay. A Glock 9mm. No, gun! Gun! Exclamation mark.
So I'm already sceptical as to why someone would just type firearm. That's very peculiar. Yeah, it's kind of an unusual word.
So I'm already sceptical as to why someone would just type firearm. That's very peculiar. Yeah, it's kind of an unusual word.
Totally. And so, Graham, very good to say autocorrect. Really? What could it have really been, do you think?
I'm looking on my phone keyboard now.
Okay, I need to find an autocorrect generator.
Firearm. Firearm. Okay, now remember, there's a noise. There's a screeching noise.
Tire?
Tire—
An alarm screeching? Oh, fire alarm?
Fire alarm? Yes! Fire alarm.
So what they meant to write was, "Fire alarm at Nova Place," not, "Firearm at Nova Place." Right.
Sending a huge gaggle of cops with guns drawn, scaring the shit out of people having a nice Friday lunch.
Sending a huge gaggle of cops with guns drawn, scaring the shit out of people having a nice Friday lunch.
Mm-hmm. I do feel the world took a step backwards evolutionary-wise when the iPhone came along and started autocorrecting everything.
Because when you had BlackBerrys and you had a full bloody keyboard— I love the BlackBerry.
Because when you had BlackBerrys and you had a full bloody keyboard— I love the BlackBerry.
I love the BlackBerry.
And you could actually write out words. And you would never type— write 'you' as just the letter 'u'. You'd write 'you', which is the proper way to do it.
And you'd always put a space after a full stop, and you'd use capital letters at the beginning of sentences.
I just think those were better times, and you wouldn't have had this kind of thing happen.
And you'd always put a space after a full stop, and you'd use capital letters at the beginning of sentences.
I just think those were better times, and you wouldn't have had this kind of thing happen.
It's a trip down memory lane, isn't it?
I was a much better typist on the BlackBerry because I think, you know, you can feel where you are. You're not on a slippery screen.
You can kind of count the buttons almost, you know, unconsciously. Like, "Oh, I'm at the E." You don't even have to look. You can just feel your way across.
You can kind of count the buttons almost, you know, unconsciously. Like, "Oh, I'm at the E." You don't even have to look. You can just feel your way across.
God, I can't believe the pair of you wanting a BlackBerry back. I do. Oh, geez. Geez Louise.
It's just— I mean, I'm not exactly a spring chicken, but this is listening to my mom waxing lyrical about her flip phone that we've just had to replace.
"Well, it had buttons." "Yes, Mum. This doesn't have buttons." "No, Mum, it doesn't." When we had paper tape and 8-inch floppy disks.
It's just— I mean, I'm not exactly a spring chicken, but this is listening to my mom waxing lyrical about her flip phone that we've just had to replace.
"Well, it had buttons." "Yes, Mum. This doesn't have buttons." "No, Mum, it doesn't." When we had paper tape and 8-inch floppy disks.
Those were the days.
Shall I read you out, just for entertainment, my mum's first text that she sent me? Ever? No, on the smartphone. Okay, here we go. So, no punctuation, all one sentence.
"Sorry I was so rushed last night. Woo! Just discovered the word thingy that comes up. Tried taking a photo last night, but took a video instead.
Have you any idea how little tulips move? Please, no idea what is happening now. Kiss kiss."
"Sorry I was so rushed last night. Woo! Just discovered the word thingy that comes up. Tried taking a photo last night, but took a video instead.
Have you any idea how little tulips move? Please, no idea what is happening now. Kiss kiss."
It sounds to me like she sent you an end-to-end encrypted message there. It really does. Even Priti Patel couldn't crack that one.
And the lesson is just read a text before you send it, especially if you're in a bit of a panic, because this is what the scammers, tangential tie to security, tend to take advantage of, right?
I did some recon on other types of autocorrects that happen. So you have to guess what they tried to say. This is in text messages. So, between two lovers.
"My love is so strong, I wish I could buy you a casket if I could."
I did some recon on other types of autocorrects that happen. So you have to guess what they tried to say. This is in text messages. So, between two lovers.
"My love is so strong, I wish I could buy you a casket if I could."
Castle.
Yes! Castle? Yes, come on. Good one. Okay. "I devoured a baby in a cab."
Bagel? Nope. Kebab? No, it's the verb actually that's wrong.
Devouring. Devoured?
What do you do with a baby?
Well, mostly devour them, but that's just me. Deliver! Right, it's still quite exciting. And then there's one, "Are you sitting down?
Your brother was adopted." And actually turned out to be accepted to Yale. And then the final one, "Do you think you can pickle that up?"
Your brother was adopted." And actually turned out to be accepted to Yale. And then the final one, "Do you think you can pickle that up?"
Pick it up. Sticky pickles.
There was one I remember, which was— do you remember Flirt Divert? Did you ever hear of this service, Flirt Divert?
Flirt Divert was if somebody was chatting you up in a club, and you weren't interested, and they asked for your number, you could give them the number for— I think it's a radio show.
And so the text messages and calls would be received, and then sort of read out on air the next day.
Flirt Divert was if somebody was chatting you up in a club, and you weren't interested, and they asked for your number, you could give them the number for— I think it's a radio show.
And so the text messages and calls would be received, and then sort of read out on air the next day.
That's outrageous.
And there was one woman who basically gave this number to a guy who was trying to chat her up. And then the next day they read out the text. It was a while later, actually, I think.
Read out the text, said, "Please call me. I think you may have given me Arabs." Which—
Read out the text, said, "Please call me. I think you may have given me Arabs." Which—
Crabs.
"May have given me crabs." But I had this image of guys turning up on horseback with big scimitar swords.
"You've given me arabs!" Kolide sends employees important, timely, and relevant security recommendations to their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
So imagine this scenario: you're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for.
Now, listeners would never send passwords over email or Slack, but what about your coworkers? How many organizations out there are sending logins back and forth in plain text?
Worse yet, how many just store all of their logins on a shared spreadsheet?
We all know that human errors are the biggest threat to your organization's security, but did you know that weak or stolen passwords account for over 80% of all data breaches?
There are tools out there that allow you to share credentials, set access permissions, and monitor the dark web for stolen logins.
Keeper Security's enterprise password management platform does just that.
Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented zero-knowledge encrypted vault, and it takes less than an hour to deploy across your organization.
Sign up for a Keeper free trial for your organization today and get a free 3-year personal plan VPN. So get started by visiting smashingsecurity.com/keepersecurity.
That's smashingsecurity.com/keepersecurity. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
So imagine this scenario: you're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for.
Now, listeners would never send passwords over email or Slack, but what about your coworkers? How many organizations out there are sending logins back and forth in plain text?
Worse yet, how many just store all of their logins on a shared spreadsheet?
We all know that human errors are the biggest threat to your organization's security, but did you know that weak or stolen passwords account for over 80% of all data breaches?
There are tools out there that allow you to share credentials, set access permissions, and monitor the dark web for stolen logins.
Keeper Security's enterprise password management platform does just that.
Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented zero-knowledge encrypted vault, and it takes less than an hour to deploy across your organization.
Sign up for a Keeper free trial for your organization today and get a free 3-year personal plan VPN. So get started by visiting smashingsecurity.com/keepersecurity.
That's smashingsecurity.com/keepersecurity. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or whatever they wish. Doesn't have to be security-related necessarily.
Better not be. Well, my pick of the week this week is not security-related. Good. As you know, I like to keep my finger on the pulse.
I like to keep up to date with the latest culture, the latest shows that are coming out.
Obviously, I've pre-ordered a copy of The Lazarus Heist, so I'm all ready for that as soon as it comes out. Pre-ordered. Thank you very much.
But I wasn't quite so quick when it came to watching the Netflix show with Ricky Gervais, After Life. Yeah, no, I haven't watched the whole thing.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or whatever they wish. Doesn't have to be security-related necessarily.
Better not be. Well, my pick of the week this week is not security-related. Good. As you know, I like to keep my finger on the pulse.
I like to keep up to date with the latest culture, the latest shows that are coming out.
Obviously, I've pre-ordered a copy of The Lazarus Heist, so I'm all ready for that as soon as it comes out. Pre-ordered. Thank you very much.
But I wasn't quite so quick when it came to watching the Netflix show with Ricky Gervais, After Life. Yeah, no, I haven't watched the whole thing.
I've watched the first season.
Well, okay, let's talk about that. So, I thought, "Oh, I'm not sure I like that.
I don't know." The premise is, it's all about Ricky Gervais's character dealing with life after his wife dies of cancer.
And I thought, "It's going to be cloying, a bit mawkish maybe." And I thought, oh, is it just going to be a bit too on the nose? I don't know. But actually, it's rather lovely.
So I've just finished watching the first series, and apparently there are 3 series. But I feel I've seen enough, probably.
I feel— and I find this with a lot of TV shows, is that I like to watch the first series, Killing Eve, for instance. And I think, okay, that was great. I don't want to ruin it now.
I feel you've told the story. You've wrapped it up with a little bow. I've seen enough. I don't need to see more of the same.
So I'm very gingerly going to start the second series, but I wouldn't be surprised if I stop. But I don't think that should stop other people from checking out Afterlife because—
I don't know." The premise is, it's all about Ricky Gervais's character dealing with life after his wife dies of cancer.
And I thought, "It's going to be cloying, a bit mawkish maybe." And I thought, oh, is it just going to be a bit too on the nose? I don't know. But actually, it's rather lovely.
So I've just finished watching the first series, and apparently there are 3 series. But I feel I've seen enough, probably.
I feel— and I find this with a lot of TV shows, is that I like to watch the first series, Killing Eve, for instance. And I think, okay, that was great. I don't want to ruin it now.
I feel you've told the story. You've wrapped it up with a little bow. I've seen enough. I don't need to see more of the same.
So I'm very gingerly going to start the second series, but I wouldn't be surprised if I stop. But I don't think that should stop other people from checking out Afterlife because—
Just because you have no attention span.
I like to think I'm just too sophisticated.
Really? You think sophisticated is the right word?
I only had to watch the first series of Game of Thrones, and I thought, "All right, I've seen enough boobs and dragons now. I don't need to see more."
Discerning would be— would that be the better word, Graham? You're a discerning audience, yeah.
Geoff, I really do recommend everyone pre-orders Geoff's book. Oh my gosh, you guys. Anyway, have either of you seen Afterlife? Carole, you've seen a bit of it.
Well, I've seen the first series. But yeah, I haven't been moved to see the second one yet, weirdly. I don't know.
I find it quite touching, and I think it's quite good.
I think with second series and third series, you need to kind of say where it's going next, what's going to be different, how it's going to be different, and make that very, very clear.
So we watched Fargo, we watched the TV series Fargo, which is astonishing because every one of those series is completely different to the one that went before, era-wise, directorially, and stuff.
So that was quite— but the one with that was there was a jolt when we watched each new series, and we went, "Oh, this is different to what we had before," but we ended up really enjoying it.
But at least you've demarcated the difference and where it's going to move next. And it's not just going to be the first series again. It's going to be something else again.
So we watched Fargo, we watched the TV series Fargo, which is astonishing because every one of those series is completely different to the one that went before, era-wise, directorially, and stuff.
So that was quite— but the one with that was there was a jolt when we watched each new series, and we went, "Oh, this is different to what we had before," but we ended up really enjoying it.
But at least you've demarcated the difference and where it's going to move next. And it's not just going to be the first series again. It's going to be something else again.
There are some shows where I've carried on. I mean, I'm thinking Breaking Bad. I did watch all of Breaking Bad. And I thought that sort of maintained consistency.
And I thought it was still great to watch. But anyway, Afterlife is my pick of the week.
And I thought it was still great to watch. But anyway, Afterlife is my pick of the week.
There you go.
Geoff, what's your pick of the week?
I'm going to pick a book for my pick of the week, which I finished and I quite enjoyed. Which is a book called Time on Rock by a writer called Anna Fleming, who is a rock climber.
And the book is about her time as a rock climber and how it goes.
And it's quite interesting because it sort of starts at the beginning when, like most climbers— I'm a climber myself— and you start off terrified and sweaty and you get to the top just panting and gratefully you're still alive.
And then gradually you kind of get into it and you work out what you're doing.
And it's just a wonderful book where at the end she ends up in a position because a lot of the rock climbing terminology is like, fight it and smash it and grip it, and you're conquering— you conquering the rock, you know, like a big prehistoric man.
And she sort of— it's interesting because she in the end stops fighting the rock.
She's like, no, don't fight against it, you know, that's not the way you're gonna— and I found that really interesting.
And suddenly her climbing improves and her sort of enjoyment of the thing improves. I thought, yeah, that's actually really interesting, you know.
There's a great quote, which is that the best climber in the world is the one that's having the most fun. Yeah, that's so true.
So often we're trying to— not just in climbing, in lots of things— that I must, can't go and smash it. It's like, yeah, but are you really enjoying it?
And actually learning to not fight and learning to love it. Yeah, Graham. Remembering when you loved it is worth doing. So that's Time on Rock by Hannah Fleming. I highly recommend it.
It's a good little book.
And the book is about her time as a rock climber and how it goes.
And it's quite interesting because it sort of starts at the beginning when, like most climbers— I'm a climber myself— and you start off terrified and sweaty and you get to the top just panting and gratefully you're still alive.
And then gradually you kind of get into it and you work out what you're doing.
And it's just a wonderful book where at the end she ends up in a position because a lot of the rock climbing terminology is like, fight it and smash it and grip it, and you're conquering— you conquering the rock, you know, like a big prehistoric man.
And she sort of— it's interesting because she in the end stops fighting the rock.
She's like, no, don't fight against it, you know, that's not the way you're gonna— and I found that really interesting.
And suddenly her climbing improves and her sort of enjoyment of the thing improves. I thought, yeah, that's actually really interesting, you know.
There's a great quote, which is that the best climber in the world is the one that's having the most fun. Yeah, that's so true.
So often we're trying to— not just in climbing, in lots of things— that I must, can't go and smash it. It's like, yeah, but are you really enjoying it?
And actually learning to not fight and learning to love it. Yeah, Graham. Remembering when you loved it is worth doing. So that's Time on Rock by Hannah Fleming. I highly recommend it.
It's a good little book.
Can I ask, are you a climber? What— how did this book come in your echo chamber?
Yes, I am a climber. Oh, I didn't know that. Yes, yes, yes.
Cool. Well, Geoff looks like a climber. He's like me. He's got that sort of wiry physique, right? He's— yes, I can, I can exactly like you. Yeah, yeah, yeah, yeah.
Ropy is what I'd say to you. Yeah.
When you say look like a climber, I thought you're going to say bruised, bruised and bleeding, because that's generally how we end up.
Yeah. There is something amazing about— I mean, I'm absolutely petrified of heights, so I couldn't possibly climb at all. And water and ice. And most things.
But I do find climbing quite fascinating. And I mean, I haven't read books about it, but I've seen some amazing documentaries about climbing.
And years ago, I went to see a talk by Joe Simpson, of course, who was the Touching the Void chap. Which was quite an experience too.
But I do find climbing quite fascinating. And I mean, I haven't read books about it, but I've seen some amazing documentaries about climbing.
And years ago, I went to see a talk by Joe Simpson, of course, who was the Touching the Void chap. Which was quite an experience too.
Yeah, yeah, another incredible story. An incredible film as well. Yes.
I just want to point out as what I also love about Time on the Rock is Touching the Void, the film you talked about, and the one Free Solo, the Alex Honnold film, which a lot of people have seen.
Most of these films about climbing being terrifying and death-defying. That's not why we climb. And if you read Anna Fleming's book Time on the Rock, it's the same thing.
You know, it's not all about Sylvester Stallone clinging on with one hand or you die. That's not why we do it.
I just want to point out as what I also love about Time on the Rock is Touching the Void, the film you talked about, and the one Free Solo, the Alex Honnold film, which a lot of people have seen.
Most of these films about climbing being terrifying and death-defying. That's not why we climb. And if you read Anna Fleming's book Time on the Rock, it's the same thing.
You know, it's not all about Sylvester Stallone clinging on with one hand or you die. That's not why we do it.
That movie was terrifying. Oh my goodness. I know.
Could you do that though? Could you, if you suddenly, if you were clinging on with one hand, could you hoist yourself up? That? The one-arm—
I— one-arm pull-up? I don't think so. Adrian! Adrian!
Different movie, Graham. Oh.
Anyway, Time on Rock by Anna Fleming, my pick of the week. It's a lovely book. Awesome.
Carole, what's your pick of the week?
Mine is also a TV series, a brand new one. It's actually not even— the full first series is not already out yet. It's we've still got two episodes left.
So this is on Apple TV, and it's a show called Severance. And it's basically a high-concept show that takes the whole concept of work-life balance and puts it to the extreme.
So, you're in this office-type building, and you don't really know what you're doing. You're working, though. And that's how the series starts.
And it turns out that our workers in this nondescript department are innies.
And they're called innies because they've somehow been chemically severed from their outies, themselves, but on the outside of work hours.
So yeah, so you go to work, you go through the elevator, and you completely forget about your life outside, and you totally focus on your crazy job that you have no idea what it is.
And then you go home at night and the person outside has no idea who your work person is. The whole idea is that they can't communicate at all or know anything about each other.
But of course, a few glitches happen in the story that causes cracks to appear, and it all goes a bit nuts. Pretty great cast.
You've got Adam Scott, Patricia Arquette, John Turturro. And obviously, the famous Christopher Walken's in it as well.
Currently, at time of recording, we're on episode 7 on Apple TV. So if you want to be in the know when stuff is hot, this is a time for a little binge session.
So this is on Apple TV, and it's a show called Severance. And it's basically a high-concept show that takes the whole concept of work-life balance and puts it to the extreme.
So, you're in this office-type building, and you don't really know what you're doing. You're working, though. And that's how the series starts.
And it turns out that our workers in this nondescript department are innies.
And they're called innies because they've somehow been chemically severed from their outies, themselves, but on the outside of work hours.
So yeah, so you go to work, you go through the elevator, and you completely forget about your life outside, and you totally focus on your crazy job that you have no idea what it is.
And then you go home at night and the person outside has no idea who your work person is. The whole idea is that they can't communicate at all or know anything about each other.
But of course, a few glitches happen in the story that causes cracks to appear, and it all goes a bit nuts. Pretty great cast.
You've got Adam Scott, Patricia Arquette, John Turturro. And obviously, the famous Christopher Walken's in it as well.
Currently, at time of recording, we're on episode 7 on Apple TV. So if you want to be in the know when stuff is hot, this is a time for a little binge session.
Doesn't sound like a barrel of laughs, Carole. Doesn't sound like it's really jolly.
Well, it's not a comedy show, but it's fascinating, and it's not dark. I don't think it's dark and creepy.
It's kind of interesting on how it's the opposite of what we've done to ourselves now, where we're carrying our work phones all the time with ourselves and our laptops and bringing our work everywhere, and we've totally meshed in.
And I think they've just turned that on its head, to say what would be the opposite way. And turns out not great. So if you want to check it out, it's called Severance.
It's from Apple TV, and it is my pick of the week.
It's kind of interesting on how it's the opposite of what we've done to ourselves now, where we're carrying our work phones all the time with ourselves and our laptops and bringing our work everywhere, and we've totally meshed in.
And I think they've just turned that on its head, to say what would be the opposite way. And turns out not great. So if you want to check it out, it's called Severance.
It's from Apple TV, and it is my pick of the week.
Marvelous. Well, that just about wraps up the show for this week. Geoff, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that and find out more about your upcoming—
What's the best way for folks to do that and find out more about your upcoming—
Oh yes, I'm on Twitter's best way, Geoff White. So G-E-O-F White, like the color. And 247, because I'm Geoff White 24/7.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter isn't allowed to have a G, and we also have a Smashing Security subreddit.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Spotify.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Spotify.
And high five to this episode's sponsors, Kolide and Keeper Security, and of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 267 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 267 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye-bye.
It's a leaky place, and I suspect people's willingness perhaps to make a cheap buck by leaking information is slightly higher in Russia than it is in a lot of other countries.
So yeah, interesting.
So yeah, interesting.
Yeah, totally. Talking of things that are leaky, Carole, what have you got for us this week?
Well, okay, that's— I think I have no idea what it means. I don't know either. I think that will probably get edited out. Oh, right. Okay, maybe.
Carole, what have you got for us this week?
Carole, what have you got for us this week?
Okay, so I have a story that has a really big fat takeaway,
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Geoff White – @geoffwhite247
Show notes:
- North Korea tests its ‘largest intercontinental ballistic missile’ — YouTube.
- LinkedIn Professional Community Policies — LinkedIn.
- Community Report — LinkedIn.
- The latest marketing tactic on LinkedIn: AI-generated faces — NPR.
- List of FSB agents — Ukraine Ministry of Defence.
- How the Dutch foiled Russian 'cyber-attack' on OPCW — BBC News.
- Boris Nemtsov: Murdered Putin rival 'tailed' by agent linked to FSB hit squad — BBC News.
- Police: Autocorrected text triggered large police presence on Pittsburgh’s North Side — WPXI.
- Pickle me up: Hilarious autocorrect fails, from Krispy Koreans to wet, sloppy kids — Daily Mail.
- After Life — Netflix.
- After Life trailer — YouTube.
- "Time on Rock – A Climber's Route into the Mountains" by Anna Fleming — Canongate Books.
- Severance — Apple TV.
- Severance trailer — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: Keeper Security
Keeper Security’s enterprise password management platform locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization.
Sign up for a Keeper free trial for your organization today, and get a free 3-year personal plan, at keepersecurity.com/smashing
Sponsor: Kolide
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
