Smashing Security podcast #295: Slushygate, sextortion, and nano-targeting

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

What is slushygate and how does it link to sextortion in the States? What is the most impersonated brand when it comes to delivering phishing emails? And what the flip is nano-targeting?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by fan favourite Maria Varmazis.

No contortionists were hurt during the making of this episode.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
All right, these weren't brand new recruits.
CAROLE THERIAULT
Yeah, no, Maria, calm down.
MARIA VARMAZIS
Calm down, Jesus Christ.
CAROLE THERIAULT
Okay, yeah, calm the fuck down.
GRAHAM CLULEY
What is going on this week?
CAROLE THERIAULT
Well, Maria and I are having a great time.
Unknown
Smashing Security. Security Episode 295: Slushygate, Sextortion, and Nanotargeting with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security Episode 295. My name's Graham Cluley.
CAROLE THERIAULT
295. I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we've got a special guest, someone returning to the show this week. It is dot dot dot dot dot dot dot.
CAROLE THERIAULT
Maria Varmazis!
GRAHAM CLULEY
Hi!
MARIA VARMAZIS
Hi everyone.
GRAHAM CLULEY
Hi Maria, space correspondent on the CyberWire, of course, but I like to think that we discovered you. You didn't exist before you came on the Smashing Security podcast.

Would that be fair to say?
MARIA VARMAZIS
I was but a fetus. I was just, yes, I was just a little fetus in the podcast world. Well, I mean, yeah, actually you did discover me, so thank you for that. That's not a lie. Yeah.
CAROLE THERIAULT
Well done, Graham.
MARIA VARMAZIS
That's pretty true actually.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
I've started working on the CyberWire as their space correspondent, which is really cool.

And last week I got to speak to some students at Amherst College about cybersecurity, and the reason I was invited there was because of this show.

So because they've heard me on Smashing Security, so if your ears were burning last week, I was talking about the two of you quite a bit and how much I love you both.
CAROLE THERIAULT
It galls me a little bit because I do a little work for the CyberWire, right? And I'm UK correspondent, and she's in charge of the entire space.
GRAHAM CLULEY
Infinity of space.
MARIA VARMAZIS
All of space and time.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I'm in her vortex. I'm within her realm. She must be my uber leader.
MARIA VARMAZIS
Yeah, they haven't made me the space and time correspondent yet, but I'm working on the time one.
GRAHAM CLULEY
Only a matter of, well, time, I suppose.
MARIA VARMAZIS
Meet me on Gallifrey.
CAROLE THERIAULT
Ha ha ha. Before we kick off, let's thank this week's sponsors, Bitwarden, Sealit, and Kolide. It's their support that helps us give you this show for free.

Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, I'm going to be getting slushy this week.
CAROLE THERIAULT
Okay, and what about you, Maria?
MARIA VARMAZIS
We're going to be talking about phishing.
CAROLE THERIAULT
And I will be asking, what the flip is nanotargeting? All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, have either of you ever been to Louisville in Kentucky?
MARIA VARMAZIS
I have. Louisville, yes.
GRAHAM CLULEY
Oh, is it Louisville, not Louis—
MARIA VARMAZIS
I am not a native of the area, but my understanding is it's preferred as Louisville, but that may be pretentious and I could be wrong. So I don't know.
GRAHAM CLULEY
So confused because you get meet me in St. Louis.
MARIA VARMAZIS
That's a different place.
GRAHAM CLULEY
I know it's a different place, but I mean, what's going on? Anyway, in August 2018, something strange was happening in Louisville, Kentucky.

It's known for Muhammad Ali and it's the home of Kentucky Fried Chicken, of course.
CAROLE THERIAULT
KFC now, please. Thank you.
GRAHAM CLULEY
That was about to become notorious for something else because people were calling up the cops. They were calling up the police and said they had a complaint.

They said, oh, I've been attacked in an unusual way.
CAROLE THERIAULT
What?
MARIA VARMAZIS
Attacked in an unusual way?
GRAHAM CLULEY
In an unusual way. So let me explain what was going on.

For just over a year, from August 2018 onwards, two people were driving around Louisville pretending to be Louisville Metro Police officers.

So they had all the gear, they were sort of disguised, they had the uniforms, they had the guns. They had the donuts.
CAROLE THERIAULT
They were not cops, presumably.
GRAHAM CLULEY
They had— Carole, don't ruin the story. They had the— That'll get edited out.
MARIA VARMAZIS
She anticipated your denouement.
GRAHAM CLULEY
You're ruining my big reveal. They had all the gear, they had the uniforms, they had the guns, they had the donuts, they had the police radio, and they had beverages.

Large beverages.
CAROLE THERIAULT
Is that a euphemism?
MARIA VARMAZIS
Are these Big Gulps?
GRAHAM CLULEY
That sounds like a euphemism.
MARIA VARMAZIS
It could be.
GRAHAM CLULEY
Up and down.
CAROLE THERIAULT
They have Mega Gulps, just saying.
GRAHAM CLULEY
Okay, you'd know. Up and down they would drive, looking for targets on the sidewalk or near the street.

When they thought they'd identified someone, they'd pull out their police radios and they'd say, "We got 10-4. We got a problem in Houston. Eagle has landed. Someone's thirsty on the sidewalk," or "We've got a thirsty fam situation." And do you know what they'd do then?

They would throw their slushie, including the container, at the member of the public.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Yeah, the drink would get thrown out of the car at these people. Sometimes it would actually be a car behind them. They may be in a convoy, right?

So the first one would go, "Shut up, shut up, shut up, shut up, shut up. Got someone thirsty on the street." And then the following car would actually throw out the slushie.
CAROLE THERIAULT
And I'm not allowed to ask you whether these guys are legitimate cops or not?
GRAHAM CLULEY
It's a very good question. Who are these guys?
CAROLE THERIAULT
Oh, right. Now I could ask, who are these folks?
GRAHAM CLULEY
Well, they're not driving marked police cars, but it may surprise you to discover that they were actually policemen.

And what's more, they were policemen who were also filming the assaults on their phones. And sharing it with their mates.

So more than 40 of these videos existed of policemen, not young policemen.
CAROLE THERIAULT
So they were in their bona fide cop cars with their bona fide guns and bona fide—
GRAHAM CLULEY
For some reason they were unmarked policemen.
MARIA VARMAZIS
But they were not in uniform.
GRAHAM CLULEY
No.
CAROLE THERIAULT
Well, they were wearing their— Yeah, were they wearing their uniforms?
GRAHAM CLULEY
But they were in their uniform and they had all the gear and they had their police radios.
CAROLE THERIAULT
And their guns.
GRAHAM CLULEY
They'd turn up to people. And the guns and everything else that police people carry in the United States.
MARIA VARMAZIS
Did they skip that day of training where they're not supposed to do that?
GRAHAM CLULEY
Or, I don't know.
CAROLE THERIAULT
Look, and there's a worker shortage, right? So maybe training's being skipped through really quick.
GRAHAM CLULEY
There's also a level of research which one does when compiling a story for Smashing Security, which—
CAROLE THERIAULT
Well, speak for yourself. Speak for yourself. Speak for yourself.
GRAHAM CLULEY
Anyway, so they were filming these things and they were sharing them with their cop buddies as well. And you might think these would be— Yeah, so they were being dicks.

They were being dicks.
CAROLE THERIAULT
Okay, I'm making sure I understand that these guys, they were doing this— Were they— Can you tell me this?

Because I don't know about how your level of research— Were they doing this during work hours or was this just a bit of fun on the side?
MARIA VARMAZIS
What was the weather like the days they were doing this? What was the music on their car radio?
GRAHAM CLULEY
All right, calm down. These weren't brand new recruits.
CAROLE THERIAULT
Yeah, no, Maria, calm down.
MARIA VARMAZIS
Everybody calm down, Jesus Christ. Okay, yep.
GRAHAM CLULEY
Alright. Alright.
MARIA VARMAZIS
Cool. I'm just very excited.
CAROLE THERIAULT
Calm the fuck down.
GRAHAM CLULEY
What is going on this week?
CAROLE THERIAULT
Well, Maria and I are having a great time.
MARIA VARMAZIS
Well, I'm having a blast.
GRAHAM CLULEY
Now you might think, oh, these must be new cops.

These have been new cops who've been given new guns and new cars and new orders about throwing slushies out of the car at people in the street. No.
CAROLE THERIAULT
That's not what I was thinking, but—
MARIA VARMAZIS
Just throw those drinks. It's part of your job now.
GRAHAM CLULEY
But one of these policemen was 40 years old and had spent 20 years in the Air Force. He'd done tours of duty in Iraq and Kyrgyzstan.

I don't know if those are places where you throw out slushies at people or not. The other was in his mid-30s. So they were actual cops.

And it turns out this isn't the kind of thing which the Louisville police in Kentucky think is a good way to go.
CAROLE THERIAULT
Shut the front door.
GRAHAM CLULEY
I know, it's a surprise. It's a surprise, 'cause all they were doing was helping people. Occasionally—
CAROLE THERIAULT
Yeah, people were dehydrated on the street and they were parched.
GRAHAM CLULEY
And let's face it, accidents happen. I remember doing cybersecurity conferences in the past. I remember being on the trade show floor, you know where they have all the booths.

And this was back in the day when we had actual hard boxes full of software, right, containing multiple floppy disks. And they were pretty chunky kind of things.

And I remember, you know, having a little competition with people in the audience and there'd be someone, you know, probably quite a few meters back who'd put up their hand and answer the question.

And I would throw a box through the air and boom, it would go into their eye, giving them a black eye.

I figure, if you're gonna come to a cybersecurity event, you're gonna get hurt.

Maybe if you're walking the street in Louisville and a police car comes by, expect a slushie in your gob. It may happen.
MARIA VARMAZIS
Yeah, but usually when you get hurt at a cybersecurity conference, it's you've had too much to imbibe. Or maybe your feet are tired from a lot of walking. Something like that.

Yeah, not usually ransomware to the arm.
CAROLE THERIAULT
Or Graham's hurling rocks at you. Yeah, can you imagine? It'd be like a boomerang, a floppy disk.
GRAHAM CLULEY
Woo, woo, woo, woo, woo, woo, woo, woo! The thing is, I don't think you realise just quite how heavy these software boxes were. Because when I worked at Dr. Solomon's, we basically produced something which looked like a hardback encyclopedia.
MARIA VARMAZIS
Yeah, those things used to be quite big.
GRAHAM CLULEY
It was hard.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
It had sharp edges. Yeah, so it was—
MARIA VARMAZIS
Okay, how many discs were in that box though? How many? Oh, phew.
GRAHAM CLULEY
By the end, it was probably about half a dozen if we were on 3.5-inch. Yeah, anyway, listen, listen, listen, listen.
CAROLE THERIAULT
Oh sorry, I fell asleep there.
GRAHAM CLULEY
It turned out, whoever's in charge of the cops in Louisville thought this was a bad thing. And so these cops were suspended for what they did. They were told, "You can't do that. We're gonna have to investigate this." Yes.
CAROLE THERIAULT
Oh yes, suspend them.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yes.
MARIA VARMAZIS
With pay, of course.
GRAHAM CLULEY
And they, well, they weren't allowed to be cops anymore. They were told, "No, no, no, you can't carry on doing this. You're gonna have to leave. And we'll investigate this, you know, whether you've, whether there's anything, any federal charges about throwing beverages at pedestrians out of the window."
CAROLE THERIAULT
Pretending to be cops.
GRAHAM CLULEY
Pretending to be cops. Well, not— they were cops. They were cops.
CAROLE THERIAULT
No, no, no, but okay, you're right.
GRAHAM CLULEY
They weren't pretending to be cops.
MARIA VARMAZIS
That's true.
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
Yes. So that, in that way, they didn't commit a crime. Now, here's what you're probably wondering. You're thinking, hang on a moment.
CAROLE THERIAULT
You've been wrong so far with all of the things I've been wondering. But anyway.
GRAHAM CLULEY
If I've lost my job at the police force because I was helping people out with some slushies and filming things and squirting them in the face, what are you going to do with your time?

Well, if you're one of these cops, 36-year-old Brian Wilson, not to be confused with anybody else called Brian Wilson.

He was involved in this Slushygate incident, as the media called it. And he thought, oh, what can I do to fill up my time? He thought, I know what, I'll become a sextortionist.
CAROLE THERIAULT
What?
GRAHAM CLULEY
I have this— Not contortionist.
MARIA VARMAZIS
I was like, what he wants to do in his private time is none of my business.
CAROLE THERIAULT
I had my theory in my head was he was going to become a YouTube star doing this, you know, with fake cop stuff and make more money that way and say, I don't want to go back.
GRAHAM CLULEY
You know, Carole, I actually wondered if that was the reason why they did all of this, whether they wanted to be the coolest social media cops.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And go viral.
MARIA VARMAZIS
Were they shouting Worldstar when they were throwing these things like, Worldstar!
GRAHAM CLULEY
WordStar? What, the old word processor? No.
MARIA VARMAZIS
Oh, never mind.
CAROLE THERIAULT
Yeah, just don't.
MARIA VARMAZIS
Mm-mm.
GRAHAM CLULEY
Mm-mm. So, this chap, Brian Wilson, he became part of a plot to stalk and extort young women online. And he hired a hacker.
CAROLE THERIAULT
What?
GRAHAM CLULEY
To break into people's Snapchat accounts and steal their naked photos and videos. And now, so far, so normal, right?

People breaking into Snapchat, stealing videos of sexy, topless, whatever. Videos of people.
MARIA VARMAZIS
So to be clear, he's extorting people of sexual content. He is not doing sexual contortioning.
CAROLE THERIAULT
I misunderstood that too, actually, Maria. I really did.
MARIA VARMAZIS
All right.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Yes. Sextortion isn't— Yes.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
Yes, exactly. Now, so far, so normal. But what makes this unusual is that, of course, he used to be a policeman and he exploited his background as a policeman when doing the hacks.
CAROLE THERIAULT
Jesus.
GRAHAM CLULEY
Because when he had been a policeman, he had had access to a police tool called Accurint.
CAROLE THERIAULT
Oh.
GRAHAM CLULEY
And Accurint, it's a rather controversial, powerful data gathering tool, which allows you to— it scoops up all kinds of information about people on the internet and makes all the links.

And, you know, delves into the dark web and onto social networks and finds out all kinds of who they are, this is where they live, this is what their mother's maiden name is.
MARIA VARMAZIS
And it's all public information, I'm sure, but it does it for you so you don't have to do the digging, right?
GRAHAM CLULEY
Absolutely. Okay. And so, the police make use of this in investigations. And—
CAROLE THERIAULT
So, all cops had access to this, or presumably at a certain level, you could have access to this, and it's pretty powerful.
GRAHAM CLULEY
Exactly. He had access to it, and his passwords had not been revoked after Slushygate.

So, he was able to entertain himself by logging into Accurint for months and months and months gathering information.

Accurint claims to scan millions of websites, hundreds of social networking sites. It makes all these links.

Clearly can be useful to law enforcement, but shouldn't be used by someone who's been throwing slushies at homeless people.
MARIA VARMAZIS
Oh man.
CAROLE THERIAULT
There's a big difference between being a sextortionist.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
I don't even like that word at all.
MARIA VARMAZIS
No, same.
CAROLE THERIAULT
Someone who extorts people through, what, sexual violence online, and someone who throws a slushie at somebody.
MARIA VARMAZIS
Yeah, he escalated it.
CAROLE THERIAULT
Yeah, it seems—
GRAHAM CLULEY
I think I'd agree with that.
MARIA VARMAZIS
Yeah. Well, it's a classic story though of an organization forgetting to revoke credentials after somebody leaves or is suspended. I mean, that happened.

I'm sure that's happened to the two of you because it's happened to me after I've left a job—I still have access to tools that I shouldn't.
GRAHAM CLULEY
Oh yeah.
MARIA VARMAZIS
Yeah. Yeah.
GRAHAM CLULEY
So having grabbed nude photos, he would text the victims threatening to release them to their family, friends, coworkers.

We've actually got an exchange in the court documents as to what he said to people. "Hey, I'm making you the focal point of this collage. Check out the pictures."
CAROLE THERIAULT
Oh, shame on this man.
GRAHAM CLULEY
And they'd say, "Well, who are you?" And they'd say, "Oh, do you mind if I post them? You know, I'm telling everyone I really love them." "How did you get these?" And he said, "Oh, I'm going to send them to your grandparents. I'm going to post them up on Pornhub. But you know, we can keep this between ourselves if you promise to send me a few more pics. And that way we can both benefit."

What an asshole. He was an asshole. He called people "dirty sluts," "whores," and "bitches." He's not very nice. He wasn't very charming about this.
CAROLE THERIAULT
Oh, if he had been charming, I would've given him a pass, Graham. If he'd called them "darling" and "pussycat."
MARIA VARMAZIS
Said it nicely. Would've put a little bow on it.
CAROLE THERIAULT
Please.
GRAHAM CLULEY
If he'd been like Colin Firth or Mr. Darcy and been terribly polite about it, I think it would be absolutely fine.
MARIA VARMAZIS
Standing there in the rain looking a little bit sad.
GRAHAM CLULEY
Oh, bless him. Or standing there covered in a slushie. So, Brian Wilson did actually send sexually explicit images to a victim's employer.

Apparently, it almost resulted in her termination. And some of his victims said they suffered real psychological trauma, as you can imagine.
MARIA VARMAZIS
I believe it, yeah.
GRAHAM CLULEY
So, the good news—good news—he's now been sentenced to a total of 30 months in a federal prison, which is more than the other chap who'd just done Slushygate.

So this is—they combined the crimes.
CAROLE THERIAULT
He was a member of the police force when he was doing this. He was on suspension and he gets 30 months.
GRAHAM CLULEY
I think he'd actually been let go. I think he wasn't just suspended at the time of the sextortion, but he was still using those credentials to access the system.

But yeah, it doesn't feel like a very big sentence to me.
CAROLE THERIAULT
Well, I just feel compared to other sentences, I mean, hey, look, 3 days in jail would be a pretty horrific experience for most people.

So, you know, I'm not putting— but it's just, you know, some people seem to get like 25 to life for carrying a bit of junk in their pocket.
MARIA VARMAZIS
Anyway, yeah, these crimes are not taken seriously enough, that's for sure. But yeah, they're like, oh, that sounds inconvenient that your naked pictures might have gotten leaked.

Oh well.
CAROLE THERIAULT
Yeah, you bitch.
MARIA VARMAZIS
Yeah, you deserve it or something because you took those photos in the first place, is sort of the other thing.
GRAHAM CLULEY
I don't understand why you would go to so much effort and hiring a hacker to help you, and you'd put all this energy into stealing people's Snapchat accounts and grabbing their photographs.

Not to extort money out of them, not to get sexual favors, but in order to get hold of more photos.
CAROLE THERIAULT
God knows what he was doing with them!
MARIA VARMAZIS
Oh, you know what he was doing. Come on!
GRAHAM CLULEY
I think we know. I think we know what he was doing with them.
CAROLE THERIAULT
I just mean perhaps he was going beyond that, maybe selling them. Maybe there was a little black market going on with the pictures he was collecting.
MARIA VARMAZIS
It's a power trip. He knows that he's scaring people doing this and that he has a grip on them. It's the fear. It's the power over other people.

I think he could have done it for no money and not even public consumption, supposedly, just to terrify the shit out of these women and to know that he had them.
GRAHAM CLULEY
I think the power is the frisson, isn't it? Because it's not like there's a shortage of pictures of naked ladies on the internet.
MARIA VARMAZIS
Yeah, I hear they're perhaps a little bit plentiful on the internet, but I haven't checked to verify.
GRAHAM CLULEY
So, but yeah, no, it must be the power trip. And the slushies?
CAROLE THERIAULT
He's just an asshole.
MARIA VARMAZIS
Yeah, a total asshole. Exactly.
GRAHAM CLULEY
Maria, what's your story for us this week?
MARIA VARMAZIS
So I have a story about phishing, and I wanted to have a little coffee talk about it.
GRAHAM CLULEY
I'm a very busy person. I don't drink coffee.
MARIA VARMAZIS
A tea chat.
GRAHAM CLULEY
I'm more of a Pellegrino man, but okay, go ahead.
MARIA VARMAZIS
Pellegrino. Okay, that also works. Yeah, open up that bottle.

So there's a blog post that just came out from Check Point and they published their top 10 list of who is the most imitated company for the purposes of phishing in Q3 2022, which is right now.

And this is worldwide stats. So not America focused, not UK focused.
CAROLE THERIAULT
Like who?
MARIA VARMAZIS
So I'm curious who you think is the number one most imitated company. Is imitating the right word for this? Impersonated?
CAROLE THERIAULT
In the world.
MARIA VARMAZIS
In the world.
GRAHAM CLULEY
Would it be someone like eBay or Amazon?
CAROLE THERIAULT
I was thinking, isn't it the Alibaba one? Is that what it's called?
GRAHAM CLULEY
Yeah, the Alibabas. Yeah.
CAROLE THERIAULT
Yeah, same idea, right? Isn't it kind of Amazon?
MARIA VARMAZIS
I think that's a really good guess. I'm going to tell you both that neither of you are correct, but I'm going to give you a hint about who might be in the top.

So think about what's going on in Q3, what's happening specifically end of Q4, what people might be getting ready for.
GRAHAM CLULEY
Christmas.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
So if somebody is getting ready for Crimbo, what are they probably doing?
CAROLE THERIAULT
Shopping.
GRAHAM CLULEY
Ordering shit online. Not shit.
MARIA VARMAZIS
Ordering lovely things online.
GRAHAM CLULEY
Yes, lovely things.
MARIA VARMAZIS
Fighting inflation with their hard-earned cash, if one can even do such a thing. So think about who might be purveying such goods.
CAROLE THERIAULT
Alibaba.
GRAHAM CLULEY
Amazon.
MARIA VARMAZIS
eBay.
GRAHAM CLULEY
We've mentioned these.
MARIA VARMAZIS
Yeah, yeah, yeah. So not them, not them. Actually getting those items directly to the persons of interest.
CAROLE THERIAULT
Oh, UPS.
MARIA VARMAZIS
FedEx. Yeah, you're on the right track.
GRAHAM CLULEY
DHL.
MARIA VARMAZIS
Ah, ding, ding, ding, ding, ding. It's DHL. DHL was the number one most imitated company for phishing purposes. 22% of all phishing attacks globally are using fake DHL emails.

And apparently DHL was specifically the target of a huge phishing campaign, especially over the summer. But they're still at the top of the list right now.

But I'm just curious who you think is also on that list, because nobody that you've mentioned is on there in, say, the top 10.
CAROLE THERIAULT
Banks?
MARIA VARMAZIS
Yeah, I don't — I see — I do see a bank at number 9 is HSBC.
GRAHAM CLULEY
PayPal?
MARIA VARMAZIS
PayPal? No PayPal. No PayPal.
CAROLE THERIAULT
What about charities?
GRAHAM CLULEY
Charity, mate.
MARIA VARMAZIS
Charity. I feel like you're gonna be smacking yourself on the forehead when I tell you who the number 2 and 3 are, because I feel like they're —
CAROLE THERIAULT
Oh, what about Netflix?
MARIA VARMAZIS
They're number 5 at 5%.
GRAHAM CLULEY
Oh, okay, okay. Well done, girl. Well done.
MARIA VARMAZIS
Oh, Apple.
CAROLE THERIAULT
Gaming centers.
MARIA VARMAZIS
Not Apple. I don't see Apple on here.
GRAHAM CLULEY
PlayStation.
MARIA VARMAZIS
No PlayStation. Do you want me to tell you? Put you out of your misery. Number 2 at 16% is Microsoft.
GRAHAM CLULEY
Oh, I've heard of them.
MARIA VARMAZIS
Yeah, this little firm called Microsoft. And it's a lot of OneDrive, Microsoft OneDrive imitation email.
GRAHAM CLULEY
Why didn't we think of that?
MARIA VARMAZIS
I don't know.
CAROLE THERIAULT
Because Microsoft?
MARIA VARMAZIS
That's probably part of it, right? And number 3 at 11% is the previous top in the Q1 and Q2, which is LinkedIn. I guess everybody looking for new jobs with this.
GRAHAM CLULEY
Bloody LinkedIn.
MARIA VARMAZIS
LinkedIn. And number 4 is Google.
CAROLE THERIAULT
So, yeah, we say these —
GRAHAM CLULEY
Carole, we're imbeciles.
CAROLE THERIAULT
No, again, speak for yourself.
MARIA VARMAZIS
I did like that number 6 is WeTransfer. So people who are getting — where is there something? I don't know what they're downloading on WeTransfer. Videos? Number 7 is Walmart.

So I don't know, do they ship globally? Number 8 is WhatsApp, which I feel like watch that space because there's been a whole bunch of fake WhatsApp imitators.
CAROLE THERIAULT
Interesting.
GRAHAM CLULEY
So you say DHL's number one. If someone's sending me a physical item, DHL don't get told my email address, do they?

So why would I be tricked into clicking on — I can understand if I was sending something that maybe they would have my email address, but I'm not the customer in a way, am I?

I'm the person receiving the good. Sent by the person who dealt with the — I don't understand why people would fall for that one.
MARIA VARMAZIS
Okay, so I have a few theories on DHL, but they are a little bit US-centric, admittedly.

So I know that DHL is a huge purveyor of packages, but in the States, it's not because they don't do— they only do, I think, international package delivery at this point.

So to me, when I do get an email from DHL, because I opted in ages ago to get email notification, so that is a thing you can do.

That to me indicates I've got something coming from abroad, which is very exciting.
GRAHAM CLULEY
Exciting, exotic.
MARIA VARMAZIS
Yes. Yeah. It's not just my regular old Amazon delivery of oat milk or whatever. It's something like, oh, somebody sent me something from somewhere else. And that can be exciting.
GRAHAM CLULEY
But I know they're very cute. Proper chocolate, maybe, from Europe.
MARIA VARMAZIS
Maybe.
GRAHAM CLULEY
Something pleasant, which you can't get in— Proper cheese, maybe, which you can't get in America, right?
CAROLE THERIAULT
Hey!
GRAHAM CLULEY
That's not true. You don't get proper cheese in America. Yes, you do.
CAROLE THERIAULT
Do you?
MARIA VARMAZIS
That's—
GRAHAM CLULEY
No, no, no. Yes!
MARIA VARMAZIS
I will not stand for that blasphemy. Chocolate, yes, but not cheese. Cheese we've got.
GRAHAM CLULEY
All right.
MARIA VARMAZIS
Not just government cheese. We've got other cheeses. I live near Vermont. I mean, come on. Exactly. And Canada, which also has cheese. Yeah.

So it, to me, it's like, ooh, there's something interesting arriving from DHL. And you can opt in to these package, UPS, FedEx, DHL.

You can opt into a thing that'll tell you when you've got a package coming to you so you can tell them when to deliver it or to hold it for a bit. So, it's a possibility.
GRAHAM CLULEY
Oh, yeah.
MARIA VARMAZIS
But I don't think people are even thinking of it that much. Maybe they're just going, "Ooh, package." Exciting.

I mean, it's working if it's the number one most imitated brand right now for phishing purposes, it's probably because it's working, right?
GRAHAM CLULEY
Yeah, I guess so.
MARIA VARMAZIS
And what was interesting for over the summer when they were the target of a lot of phishing attacks, to me anyway, was one of the attack vectors was actually referring people to a fake landing page where the phish was done through a fake chatbot.
GRAHAM CLULEY
Whoa.
MARIA VARMAZIS
Yeah. So it wasn't just like, hey, put in your credit card information and, oh, it doesn't work. Oh, shucks.

There'd be a whole thing where you'd had to talk to the DHL assistant chatbot, which is how a lot of brands are talking to people now, right?

If you've got an issue, they want you to talk to that little chat thingy in the lower right of your screen.

And that's actually where— and the chatbot would actually give responses that sort of made sense based on what the person was putting in.

And then that would be what delivered the phish. So that to me was an interesting thing.

I don't know if that's still happening right now in Q3, but that was happening over the summer.
GRAHAM CLULEY
So, yeah, it's an interesting, more sophisticated way of doing it, I suppose, isn't it?
MARIA VARMAZIS
Yeah, it's adapting to the times because again, I feel like for a lot of issues that I've had with my phone company or other things, it's almost always a chatbot that they want me to talk to first.

They don't want me emailing them. They don't want me calling. It's use that damn chatbot.
CAROLE THERIAULT
I've never used a chatbot yet.
MARIA VARMAZIS
Yet.
CAROLE THERIAULT
Yet.
MARIA VARMAZIS
They might shunt you towards one, one of these days. But yeah, yeah, I guess we have to be careful of what's on that.
GRAHAM CLULEY
So what's your advice, Maria?
CAROLE THERIAULT
Yes, space correspondent.
MARIA VARMAZIS
Yeah, blast yourself into orbit and don't worry about these problems. No, I mean, phishing works because it works, right? People keep doing it.

We tell people not to click links and then we've got malicious chatbots, so everybody needs to still be as careful as they can.

But I mean, even people who are very seasoned, sophisticated security types will, can, and do fall for phishing attacks.

So I don't think blaming users and being like, you're dumb if you fell for it, is going to help.

So we all got to be careful, but you know, just be wary of who's asking and for what, but don't beat yourself up if it happens to you, I guess. I don't know if that's good advice.

We all sound very troubled now.
GRAHAM CLULEY
Oh gosh. Yeah.
CAROLE THERIAULT
Don't worry, I'll cheer us up.
MARIA VARMAZIS
Yeah, cheer us up, please, please.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, no, Graham. Graham, I want you to cast your mind back. I think it's about 8 years ago.
GRAHAM CLULEY
Oh my God.
CAROLE THERIAULT
You and I met up with a UK-based corporate hotshot in a London members club.
GRAHAM CLULEY
Oh yeah, I know who you're talking about, yes. Yes, yes.
CAROLE THERIAULT
You know, puffy eye, puffy eye.
GRAHAM CLULEY
That's his code name. Yes. No names.
CAROLE THERIAULT
And he talked excitedly about digital marketing based on location profiles.

So I remember him, he was using a bassinet as an example, and he was like, if you try to flog them on Facebook, the approach you would use in New York to try and get mothers to buy this bassinet was wildly different from one that you would use if you were targeting moms in LA.
GRAHAM CLULEY
What is a bassinet? Sorry, I'm—
CAROLE THERIAULT
Like something you put babies in.
GRAHAM CLULEY
Oh, like a crib?
MARIA VARMAZIS
Little tiny baby. Yep.
GRAHAM CLULEY
A little baby, right? Okay.
CAROLE THERIAULT
Yeah, teeny tiny baby, right? And this thing attached to the bed, and at the time it was new and it was all cool.

And in New York, you'd talk about how it benefited the mother because the baby slept more soundly, so you'd get more sleep, etc., etc.

And in LA, you'd talk about the organic materials and the safety features.
GRAHAM CLULEY
And in Europe, you'd say how it benefited the father because the mother would be happy and that would make your life happy.
CAROLE THERIAULT
And I remember when he was telling us this going, whoa, that's crazy, you know. And but boy, things have moved on at a pretty fast clip, okay.

And now, while we welcome our second unelected prime minister, Richie Rich Sunak, right, the U.S., the U.S. faces a fierce midterm election fight in a few weeks to elect new members of Congress. Is that right, Maria?
MARIA VARMAZIS
Yep, yep, you've got your finger on the pulse of what's going on over here. It's great. Great times in America.
GRAHAM CLULEY
Everything's going to be marvelous, isn't it?
CAROLE THERIAULT
Oh, we could swap. We could swap. It's really fun here too.
MARIA VARMAZIS
No, I know. It's, it's a just dumpster fire all the way down. I know. No.
CAROLE THERIAULT
And now the reason this is a hot topic is there's a grab for the midterm elections, right?

So there's a Senate race and there's 6 states that could make or break it for one party or the other.

And of course, there are many people out there, volunteers, employees, contractors, working their guts out so that you vote with their party, whichever one they're representing.

And, you know, they hold rallies, go door to door, put up billboards, but they're also making huge strides through data mining. Okay, so I'm going to pivot here for a moment.

Okay, so we're going to go back to 2019. This was an article in The New York Times by Kashmir Hill, and it's called "I Got Access to My Consumer Score." And you can get yours too.

So it's a great article talking about, you know, these specialist data mining companies that have these consumer scores for you to help them better provide you access to the goods and services that they're trying to flog.

And the score might be something between 1 and 10, 1 and 100, whatever, right? And there's a variety of different data points.

And prior to 2019, it was near impossible to get your hands on a report detailing what they knew about you. But that changed.

And in 2019, Hill put in a request for her consumer profile from a company called Sift.
MARIA VARMAZIS
Sift.
CAROLE THERIAULT
Sift.
GRAHAM CLULEY
Sift.
CAROLE THERIAULT
Uh-huh. Sift. And what returned blew her mind. Let's see if it blows yours.
GRAHAM CLULEY
Okay, go ahead.
CAROLE THERIAULT
I'll just read a few paragraphs here. She goes, quote, "I got mine and I found it shocking.

More than 400 pages long and it contained all the messages I'd ever sent to hosts on Airbnb. Years of Yelp delivery orders, a log of every time I'd opened the Coinbase app on my phone.

Many entries included detailed information about the devices I used to do these things, including my IP address at the time." She goes on: "Sift knew, for example, that I used my iPhone to order a chicken tikka masala, vegetable samosas, and garlic naan on Saturday night in April 3 years ago.

It knew that I used my Apple laptop to sign into Coinbase in January 2017 to change my password.

Sift knew about a nightmare Thanksgiving I had in California wine country as it captured my messages to the Airbnb host of a rental called Cloud Nine." Mind blown or mind blasé?
MARIA VARMAZIS
Oh, I wish I was more surprised by this.
GRAHAM CLULEY
Yeah, I'm sort of more mind resigned, I think. I think I've— yes, there's been so much of this that you begin to get worn down, don't you?

You begin to think, well, this is the norm, which it shouldn't be. Of course we should be outraged. We should have pitchforks and blazing torches and walking in the street.
CAROLE THERIAULT
But, you know, but I think for 99.999% of us, what we assume they're collecting, I think it's vastly— yes, huger and much bigger than we can ever even imagine.

And if knowledge is power, then profiling data is, you know, the mecca. So let's move back to the midterms which are coming. Okay.
MARIA VARMAZIS
They sure are.
CAROLE THERIAULT
A new article in New York Times talks about government representatives taking advantage of the vast reach of these data mining companies. Of course they are.

Yeah, to mobilize what they call desirable voters. And they do this through voter scores and voter profiles rather than the undesirable.
GRAHAM CLULEY
Desirable, isn't that what—
CAROLE THERIAULT
Well, yeah, you don't want that. You don't mobilize the undesirable.
GRAHAM CLULEY
Something like that, wasn't it?
MARIA VARMAZIS
The deplorables?
GRAHAM CLULEY
I think that's the one. It was something like that.
MARIA VARMAZIS
Yes. Desirables versus deplorables. Gotcha.
CAROLE THERIAULT
So as you probably can guess, voter scores are intended to predict the likelihood that an individual agrees or disagrees with a particular party or political stance, right?

Like a belief in gun control. Or they might also be used to predict a person's likelihood of voting.
GRAHAM CLULEY
Has bought red baseball cap. That kind of thing.
CAROLE THERIAULT
Uh-huh. Gets way more granular than that.

So to your point, Graham, things like there are voting on hot button issues like racial resentment scores, trans athletes should not participate scores, and even UFOs distrust government scores.

What? Okay.
GRAHAM CLULEY
There are a lot of illegal aliens out there, aren't there? Yes.
CAROLE THERIAULT
Yeah. Lots more information in New York Times, links in the show notes. Okay, so all these scores help make up a voter profile.

So let's say that I'm one of these firms tasked with finding out how people in a particular state think about legalizing jazz cigarettes.

Okay, because let's say that my party wants to use that as maybe part of its platform.
GRAHAM CLULEY
You mean cannabis, marijuana.
CAROLE THERIAULT
Right. Mary Jane, whatever.
MARIA VARMAZIS
Mary Jane.
CAROLE THERIAULT
Whatever the kids call it these days. So first, I might want to get some voter profiles.

So I would first use commercially available data like you were talking about earlier in your story, Graham.

So I would want to find out the net worth, the education level, the occupation, the home value, the number of children in one's household, gun ownership, pet ownership, political donations, hobbies, habits, cooking, woodworking, gambling, smoking, whatever.

You know, things that you can purchase from data aggregators like customer loyalty card records, for example.
GRAHAM CLULEY
Would some of that information indicate whether you were likely to be pro-drugs? So for instance, if you had bought a terrapin once?

That suggested you must be on drugs because one day it's going to be absolutely huge and taking over your living room.
CAROLE THERIAULT
Kinda, Graham, kinda.

Because once I've kind of got this whole glut of information that I can legally get my hands on, I can then survey a representative sample of voters, some as large as 150 million strong.

Jeez.
MARIA VARMAZIS
Yep.
CAROLE THERIAULT
Scoring respondents based on their views on marijuana legalization. I would then apply machine learning to identify common characteristics.
MARIA VARMAZIS
Oh, there's that phrase again.
CAROLE THERIAULT
Calculate the scores on each topic for each voter profile so I can build voter profiles and create groups that are likely to respond desirably to my messaging.

So back to my little Mary Jane example, I want to identify which desirable voters in my camp want to hear about my plans to legalize weed.

There may be some that are into that, but there may be others that aren't. But they're both still potential voters for me.

But I can bury the message for those that don't like it and really call it to the fore for those that do.
GRAHAM CLULEY
So you could send campaign leaflets about legalizing certain drugs, for instance, to the people who are keen on that.

And maybe those leaflets could also double up if they rolled them up, they could make an enormous spin.
CAROLE THERIAULT
I was wondering why you're saying leaflets. Yeah, it's also online. It's all the ads that you might be seeing across the internet. And then you could smoke your leaflet as a doobie.

God, I'm from the '70s. Can you tell? Right. Okay.

So the upshot of all this is that these voter scores and profiles make it much easier for candidates to surgically, and this word was used and I love it, surgically target messages to mobilize the most receptive voters into voting.

So a few little concerns that I thought of.
GRAHAM CLULEY
Yeah. Is this bad? Is this bad, Carole?
CAROLE THERIAULT
Yeah. Is this bad? What do you think? Actually, I should turn to you guys. What do you think could go wrong?
MARIA VARMAZIS
Okay. They could make a wrong assumption about somebody, but they're doing that anyway when they sort of broadly leaflet as it is.

So I am always getting political text messages, phone calls, flyers on my door, flyers in the mail for political parties with whom I would never vote if my life depended on it, which in two years it might.
GRAHAM CLULEY
So you would like it to be more targeted?
MARIA VARMAZIS
No, I don't want any of this shit. I want them to leave me alone.

The thing that I really hate is I get political messages that are hyper-targeted at my deceased father to me, which is really, really dark every time I get an email to my dad.

So it's whatever they're doing, it's definitely not correct.

So I don't know if this meant that I got less of this crap, then I'd be— I don't want to say I'd be okay with it, but I want less.

I'm getting just inundated and I don't even live in a battleground state. My family that— my families that do, it's absolutely relentless. So I don't know.

I'm exhausted from all of it, to be honest.
CAROLE THERIAULT
And think about it. So good point, Maria. So they get the information wrong, let's say.
MARIA VARMAZIS
Very wrong in my case, yeah.
CAROLE THERIAULT
Right? And let's say that information does get into the wrong hands, an employer, foreign agent, whatever.

And also this pseudo-anonymized, I don't know if I can use that term here, but it feels to me pseudo-anonymized data, right?

Because there's so many data points, I think you can practically just say, "And that's you." You know, you could have a game show on this.
MARIA VARMAZIS
You know, this reminds me of something. Can I just go on a little tangent?
CAROLE THERIAULT
Yeah, please.
MARIA VARMAZIS
Yeah, this reminds me of, back when a lot of us were much more active on Facebook, maybe 5, 6 years ago, personally.

And there was an option where you could see what ad attributes Facebook had assigned to you based on what you had read and clicked. And I remember digging it.

I think actually it was, maybe it wasn't that long ago, 'cause I want to say that you actually told me about this.

And I dug into it and it was everything they had assigned to me was wrong. It was wildly off.

And I heard the same thing from a lot of people that they would say, based on what you read or clicked or whatever, they would say, oh, we think we know how you would vote or your political party.

And a lot of people, it's just super, super wrong.
CAROLE THERIAULT
So yeah, and then you're, okay, so that's why people are trying to predict elections are getting it so fucked up.
MARIA VARMAZIS
Yeah, I need to know. But it's just there's an element of, based on certain data people who this kind of food or watch this kind of show tend to vote this way.

And I know in broad strokes that might track, but maybe I'm just a corner case.
CAROLE THERIAULT
The other— one more thing, though.

The other thing that bugs me on this, you know, if you think back to Cambridge Analytica and that whole drama with Facebook and them secretly gathering information through forms and stuff, and, you know, on unsuspecting users to target them with ads.

Isn't the government kind of doing the same thing right now?
MARIA VARMAZIS
Oh, they absolutely are doing the same thing.
CAROLE THERIAULT
Government Accountability Office, they came out with a report saying, maybe we need to put some regulations in place here. Eh.

It feels less wooing to me now in terms of getting someone into a party, but more duping. And I don't that.
MARIA VARMAZIS
It'll never happen. It'll never happen because the folks that were in the private sector, they get money to go to the public sector and fix this stuff.

And then they kind of bounce back and forth. Anything that gives politicians more money in their pockets.

Sorry, I'm so cynical, but at least in the States, I have zero trust that it'll happen.
CAROLE THERIAULT
Yeah, no, I have hope. I have hope.
MARIA VARMAZIS
Oh, that's nice. What's that feel like?
GRAHAM CLULEY
Hang on a minute. Hang on. Couldn't— I can see a positive in all this, right? Because it's a real nuisance having to go down to the polling station to vote every few years.

If they know this much about us, could they just leave us out of the whole voting process?

Could they just not look at all the data and say, well, he's obviously a Tory, he's Labour, you know, they're Republican. They're a Democrat. They're an independent.
CAROLE THERIAULT
We don't even have to bother him. Let's not bother him with voting. We've got this.
GRAHAM CLULEY
Yeah, exactly. And they could just work it all out. They just build an algorithm. Why not do that?
MARIA VARMAZIS
Who needs representative government when we have AI? Yeah, right.
GRAHAM CLULEY
Exactly. Exactly. I think we've solved the problem there. Fantastic.
MARIA VARMAZIS
Can't be any worse than what we have now, right?
GRAHAM CLULEY
We all know that data is the most important asset of any business. And the value and usage of information makes data very tempting to thieves.

With Sealit, however, you can protect, share, and monitor confidential emails and files without passwords. And it's all integrated with Gmail, Outlook, and file systems.

Deploy Sealit across your organization within minutes and achieve peace of mind thanks to its end-to-end encryption that relies on the Zero Trust security model.

Get the right tool to own your data and gain great Sealit benefits. Plus, Sealit is offering a very special deal for all Smashing Security listeners.

Anyone who signs up for the professional plan before 2nd of December, 2022 can grab 30% off Sealit for a year.

And if you sign up to Sealit, listeners can also grab a free Sealit signature no trust t-shirt.
MARIA VARMAZIS
Woo-hoo!
GRAHAM CLULEY
Check out more about Sealit and take advantage of these offers at smashingsecurity.com/sealit. That's smashingsecurity.com/sealit. Sealit.

And thanks to Sealit for supporting the show.
CAROLE THERIAULT
Bitwarden's open source password manager that is trusted by millions of individuals, teams, and organizations around the world has just announced its October release.

And it is chock full of goodies, which include password protected encrypted export. Which allows you to export your vault in an encrypted format using the password of your choice.

Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available. And here's a little insider scoop for you.

They're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser. Want to try these features out? I don't blame you.

Visit bitwarden.com/smashing. That's bitwarden.com/smashing. And thank you to Bitwarden for sponsoring the show.
GRAHAM CLULEY
The challenge with endpoint security has always been that it's difficult to scale. And when remote work took over, that challenge got exponentially harder.

You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets.

But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide.

Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system.

Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't.

And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack.

You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how.

If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's k-o-l-i-d-e dot com smashingsecurity.com.

And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, that book they've read, TV show, movie, record, podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related. Excellent. Pick of the Week this week is all about idioms, but idioms which have gone wrong.
CAROLE THERIAULT
Ah.
GRAHAM CLULEY
Someone has— now, this is a problem that we can face here on the podcast because sometimes we're just shooting our mouths off, talking a whole load of cobblers, and you just stumble over your words and you say something and it doesn't really make sense.
CAROLE THERIAULT
Oh, I do it all the time.
GRAHAM CLULEY
Thankfully, the Mixed Idioms website at mixedidioms.co.uk are collecting such malapropisms.
CAROLE THERIAULT
That's a big word for you, Graham.
GRAHAM CLULEY
It was. I took a good run-up at it, but I think I did it all right. Yes.
MARIA VARMAZIS
Malapropisms, a great word. Yes, love that word.
GRAHAM CLULEY
So, if you've ever danced a flamingo.
CAROLE THERIAULT
Instead of flamenco, I guess. Yeah.
GRAHAM CLULEY
Right. If you're worried about the worst case Ontario.
CAROLE THERIAULT
Worst case scenario.
GRAHAM CLULEY
If you've got a baby in the oven. Or if you've told someone to get rich or try dying.

Then you might well enjoy this collection of malapropisms, eggcorns, mondegreens, Escher sentences, mixed idioms, and malaphors.
MARIA VARMAZIS
Maybe a spoonerism in there somewhere.
GRAHAM CLULEY
There quite possibly is, yes, a queer old dean in there as well. Who knows? You could well get one of them in there too.

Some of it's quite funny because, I mean, I don't know if you've ever listened to a song and you've been very, very wrong about the words?
MARIA VARMAZIS
Oh, yes. Oh, yes.
GRAHAM CLULEY
Dancing queen, young and sweet, only 7 teeth.
MARIA VARMAZIS
I've never heard that one.
GRAHAM CLULEY
Every time you go away, you take a piece of meat with you. So, you know, there's—
CAROLE THERIAULT
Really?
GRAHAM CLULEY
These are all documented up on this website. And I think it's rather fun. And that is why mixedidioms.co.uk is my pick of the week. Maria, what's your pick of the week?
MARIA VARMAZIS
Mine is space-related. I know, big surprise. It wasn't intentional actually.

It's for a book that I just bought for myself, and I'm recommending it to anyone else who might be interested in this kind of thing.

This book is called Apollo Remastered, and if you are a space nerd, you probably already know about it.

If you are really into photography, this actually also might be of interest to you because this book—if you don't want to buy the book, go to the website apolloremaster.com and read about how they made this project.

So Andy Saunders, who's an amazing photographer and a photo restorer, worked with NASA to basically rescan and remaster a lot of the original film that was taken from the moon landings, which has been in frozen storage for 50 years.

Basically, a lot of the images that we've seen from that historical landing, they were sort of scanned and processed at the time with the technology that was available at the time.

And we've just sort of reused those images since then. But we obviously have much better scanning technology now and a lot more things that we can do with film.

I'm not a film buff, so apologies, people who know more about this than me. But he basically rescanned, reprocessed some of this stuff.

And the images are crystal clear there—you've never seen the pictures like this before.

And he also looked at some of the film, the actual moving film that the astronauts took, and got some stills from those that we've never seen before.

So I think for people who like space stuff, they'd be interested in this. This is a huge coffee table book.

But even if you're just really into photography, the project page where they describe how they remastered all this and got the film out of frozen storage in Houston—I thought that was really cool.
CAROLE THERIAULT
And you can buy prints on the website as well. So they're from £165 in England. But yeah, so you can actually purchase from there too if you want a part of it.

So that's amazing photography.
GRAHAM CLULEY
Maria, I really like this. I think it's great. I'm rather obsessed with photographs of the moon. In fact, I follow a chap called Cosmic Background online.

He has a website, cosmicbackground.io.

He hasn't been up in space like NASA, or indeed you, but he has a decent telescope in his back garden and he takes incredible photographs of the moon in extraordinary detail and the sun and the planets.

And I'm rather obsessed with it all. So I will check this out. This sounds like a terrific book and a great website.
MARIA VARMAZIS
Yeah, these photos, we've seen them all before, but not like this. It's high def basically. So I really hope everyone just give it a look—it's really fascinating.
CAROLE THERIAULT
See, a cool thing technology's done for us.
MARIA VARMAZIS
Mm-hmm.
GRAHAM CLULEY
There you go. Carole, what's your pick of the week?
CAROLE THERIAULT
My pick of the week this week is a podcast from Pushkin called Death The Birth of an Artist. Have either of you heard it?
MARIA VARMAZIS
I have not. No.
CAROLE THERIAULT
It centers on two artists, a Cuban refugee called Ana Mendieta, and she was a cutting-edge body artist, probably best known for her Silueta series, where she inserts her own silhouette into landscapes.

It's amazing stuff. And she's no wallflower, does some incredibly disturbing, important scenes revolving around women, sexual violence in the mid-'70s. Some big stuff.

And we should be enjoying her work today, but we cannot because she died rather dramatically.

And the question is, did she throw herself from a, I think, 16th floor New York balcony, or did her husband, artist Carl Andre of minimalist little squares, if you've been to MoMA, you'll see a load of those, did he shove her off in a fit of pique?
GRAHAM CLULEY
Oh, crumbs.
CAROLE THERIAULT
And so we hear of their work in the podcast. I think it's 6 episodes, but you hear about Ana's work and you hear about Carl's work. You hear about their relationship.

You hear about the art world at the time. You hear about the murder— sorry, death. And how—
GRAHAM CLULEY
Spoilers.
CAROLE THERIAULT
And how the art world was split in two and remains split in two. For those that think that Ana was murdered and those that support Carl and think it was a tragedy.

Okay, so the story is fascinating.

It's really nicely produced, as most of the things from Pushkin are, and it's told exceptionally well by Helen Molesworth, who was the chief curator of the Museum of Contemporary Art, MOCA, in Los Angeles, where she was until 2018, when she was abruptly fired.

And she speaks—
GRAHAM CLULEY
Oh, I thought you were going to say she was pushed off a building as well. Oh no. I've been a serial artist.
MARIA VARMAZIS
Spoilers.
CAROLE THERIAULT
Yeah, but I think because she got free of that role, she was able to tell this story because she didn't have pressure from other people to not tell the story.

So she speaks about this whole drama of being fired and the whole drama between these two artists and what happened and what she thinks.

And I found the whole thing rather moving, and I heartily recommend it. So that is called Death of an Artist from Pushkin.
GRAHAM CLULEY
Find it in all good podcast apps. Yeah. Cool. Well, that just about wraps up the show for this week.

Maria, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What is the best way for folks to do that?
MARIA VARMAZIS
Well, they can continue to follow me on Twitter @mvarmazis while Twitter still exists, if Elon Musk allows it to, or you can listen to me on the CyberWire and wherever fine podcasts are found.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G, and we also have a Smashing Security subreddit.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And huge, huge shout out to our episode sponsors, Kolide, Bitwarden, and Sealit, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest list, and the entire back catalog, blog with more than 294 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye-bye.
GRAHAM CLULEY
Bye. I say bye to the phone.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Maria Varmazis:

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Sealit – Zero Trust Data Protection: protect, share, and monitor confidential emails and files — without passwords. Integrated with Gmail, Outlook and file systems. Learn more and take advantage of Sealit’s special offer to Smashing Security listeners.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
