Chuck Norris gives a helping hand to a mysterious cryptocurrency CEO who may have separated investors from over a billion dollars, generative AI creates a nightmare for those wanting to Know Their Customer, and a determined journalist finally gets their revenge on a sneaky Airbnb scammer.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Chuck Norris here, and I want to give a shout out. This is the dawn of a new beginning with endless possibilities.
Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.
Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.
Smashing Security, episode 354, Chuck Norris and the Fake CEO: Artificial KYC and an Airbnb Scam with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 354. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 354. My name is Graham Cluley.
And I'm Carole Theriault. Hi, Graham.
Happy New Year to you, Carole.
Same back to you.
Thank you very much. And to our listeners and to our special guest this week, family favourite, Maria Varmazis. Hello, Maria.
Hi, and Happy New Year.
Is it too late for us still to be wishing each other Happy New Year?
On the 11th?
It's never too late.
Yeah.
No, no, we can do it. I think we've got all of January, or at least the first time you speak to someone in the new year. So we could go to July. I mean, really.
Okay, well—
We make the rules, Graham.
If it's the first time you've listened to us this year, hello, Happy New Year. Great to have you back.
Yes, and let's kick this show off. But first, let's thank this week's wonderful sponsors. LastPass, Collide, and Vanta. It's their support that helps us give you this show for free.
Now coming up in today's show, Graham, what do you got?
Now coming up in today's show, Graham, what do you got?
I'm going to be talking about Chuck Norris and an untrustworthy CEO.
And Maria, what about you?
AI is making it easier and easier to get around security measures.
And I'm going to talk about a double bait and switch. All this and much more coming up on this inaugural episode of 2024 of Smashing Security. Woo!
Now, chums, chums, I'm sure you all know about the metaverse, don't you? You've heard about the metaverse? Maybe you've dipped your toes into the metaverse?
Against my will, I know a little bit about it, but that's about it.
Yeah, I think it's for young people, really. It's not for people like us, is it?
Do you want to explain what it is for the 300,000 listeners?
It's the virtual world. It's the Lawnmower Man, that movie from 25 years ago. It's people having cybersex with avatars of each other.
Rather than each other because their own physical reality is too revolting.
Rather than each other because their own physical reality is too revolting.
So it's the opposite of a real doll.
So a second life? I mean, isn't it Second Life?
It's a bit like that.
Mark Zuckerberg has poured billions of dollars into it thinking it's the future before he realised artificial intelligence was actually the thing that people were excited about.
But, you know, people are strapping monitors to their eyeballs and choosing— it's just a horrible— anyway, I don't want to talk about the metaverse.
Mark Zuckerberg has poured billions of dollars into it thinking it's the future before he realised artificial intelligence was actually the thing that people were excited about.
But, you know, people are strapping monitors to their eyeballs and choosing— it's just a horrible— anyway, I don't want to talk about the metaverse.
Why do we talk about Facebook when I'm on the show? Why?
So maybe, I guess you're into streaming superhero shows. Maybe some of you have watched a few of these Marvel TV series. Maybe you've heard about the multiverse.
You heard about the multiverse where there's parallel universes and— This isn't real, by the way, Carole. Well, maybe it is. Who knows?
You heard about the multiverse where there's parallel universes and— This isn't real, by the way, Carole. Well, maybe it is. Who knows?
In case you were confused.
Anyway, I want to actually know if you've ever heard of the hyperverse. So not the metaverse, not the multiverse. Have you ever heard of the hyperverse?
Can I say that I've missed this? Over the holidays.
Really?
No, tell me about the Hyperverse, Graham. I'm dying to know.
Hyperverse, formerly known as Hyperfund, is a now defunct cryptocurrency hedge fund.
Cryptocurrency hedge fund?
Yeah, cryptocurrency hedge fund.
Okay, okay, all right. Yeah, I'm in.
I know, already alarm bells are ringing in your head.
All right.
So the reason why you might have heard of Hyperverse is not just because the company collapsed in 2022, but rather that when it did— I mean, after all, lots of cryptocurrency things collapse.
But rather when it did collapse, it resulted in approximately $1.3 billion.
But rather when it did collapse, it resulted in approximately $1.3 billion.
What was that number?
That was billion. $1.3 billion. Ba-ba-ding, ba-da-bong. Worth of losses for its customers. So a huge amount of money.
In fact, according to experts, more money was lost in 2022 through Hyperverse than any other alleged crypto scam.
In fact, according to experts, more money was lost in 2022 through Hyperverse than any other alleged crypto scam.
Hmm. It's a big number. A lot of wonga.
Millions and millions was lost.
Well, billions.
This is an Australian— Yeah, yeah, okay. Millions and millions does add up to billions eventually.
Well, you need a lot of millions, but yes, okay.
I'll give you that.
You do.
When this Australian crypto outfit, Hyperverse, shut down, impacted thousands of investors, somehow it escaped any warnings from regulators in Australia.
But in New Zealand, the UK, Canada, elsewhere, there were people and regulators and banks saying, we think Hyperverse could be a scam.
But in New Zealand, the UK, Canada, elsewhere, there were people and regulators and banks saying, we think Hyperverse could be a scam.
All right.
But for some reason, Australia sort of overlooked it. There's been a bit of fallout.
So the Five Eyes, everyone else in the Five Eyes was saying, this doesn't look good. And Australia was just going, I don't hear you. I don't hear you.
Are you talking about Five Guys the burger joint?
No.
Or Five Eyes?
Five Guys, Five Eyes.
Five Guys, Five Eyes.
I'm so confused. I'm so confused.
It's Five Guys, actually, where they collect information.
That's right, you go for a burger, you discuss your business.
Free peanuts. Listen, those fries.
Those fries.
Those fries.
Now, now. You're wondering, how did Hyperverse get people to trust them? Well, one way in which it did it was in December 2021, it appointed a new chief executive officer.
They introduced their new CEO, the new CEO of Hyperverse, a guy called Stephen Rhys-Lewis, at an online global launch event.
Video messages of support from celebrities were released.
Including from Steve Wozniak, the co-founder of Apple, Chuck Norris, the actor, all saying what a fantastic thing Hyperverse was.
And this Stephen Rhys-Lewis guy, he had an impressive resume, right? He was a maths and economics graduate at University of Leeds.
He held a master's degree from University of Cambridge.
They introduced their new CEO, the new CEO of Hyperverse, a guy called Stephen Rhys-Lewis, at an online global launch event.
Video messages of support from celebrities were released.
Including from Steve Wozniak, the co-founder of Apple, Chuck Norris, the actor, all saying what a fantastic thing Hyperverse was.
And this Stephen Rhys-Lewis guy, he had an impressive resume, right? He was a maths and economics graduate at University of Leeds.
He held a master's degree from University of Cambridge.
I haven't heard of that place.
Right, right. He'd worked for Goldman Sachs. He'd sold his company to Adobe, you know, made millions there.
He'd launched an IT startup and eventually had been recruited to head up Hyperverse, which he ran from his home in Dubai.
He'd launched an IT startup and eventually had been recruited to head up Hyperverse, which he ran from his home in Dubai.
Wow.
Impressive. Yeah.
Wowee.
Let's watch a little bit now of the announcement videos just so you can get a sense of it. There are multiple ongoing developments within the Hyperverse ecosystem.
And we are very excited to slowly unreveal and share them with you.
And we are very excited to slowly unreveal and share them with you.
They certainly put a lot of money into that.
Well, you know, impressive, exciting background music, I think you agree. But here's the thing — Stephen Rhys-Lewis doesn't exist.
Mm-hmm.
And we know he doesn't exist because the sleuths at The Guardian decided to do a little bit of digging after Hyperverse basically folded.
They thought, well, let's go and speak to the CEO. And so they tried to contact him and they weren't able to contact him.
So they went to the University of Leeds and the University of Cambridge and they said, we've never had anyone here who's a student by that name.
They thought, well, let's go and speak to the CEO. And so they tried to contact him and they weren't able to contact him.
So they went to the University of Leeds and the University of Cambridge and they said, we've never had anyone here who's a student by that name.
Do you know though, it's weird, right?
Because if you called the company up and said, hey, did Steve Rees ever work there, they could say, we can't divulge any information on our employees, but universities always cough up, don't they?
Because if you called the company up and said, hey, did Steve Rees ever work there, they could say, we can't divulge any information on our employees, but universities always cough up, don't they?
Wait, they usually can verify — they will say yes or no if someone has worked there.
Isn't that usually — maybe this is a country-specific thing, but usually they can just say yes, that person has worked for us, or no, they haven't.
Isn't that usually — maybe this is a country-specific thing, but usually they can just say yes, that person has worked for us, or no, they haven't.
They may not say you were a rubbish employee — they'll just verify yes, you were on the carpet or something like that. But they may say yes, they worked here from these dates.
Okay, interesting.
I'm pretty sure—
Listeners, if you know different, let us know because I'd love to know the answer to that.
So The Guardian contacted the university — no record of it, right?
Nor did any records exist of Stephen Rhys-Lewis at Companies House, which is where all companies register, or on the US SEC. He didn't even have a LinkedIn profile.
And I have to say, if you're going to fake your identity, create a LinkedIn profile, right?
Nor did any records exist of Stephen Rhys-Lewis at Companies House, which is where all companies register, or on the US SEC. He didn't even have a LinkedIn profile.
And I have to say, if you're going to fake your identity, create a LinkedIn profile, right?
That feels a sloppy thing to forget. You did all the other stuff and then not the LinkedIn? Isn't that usually what social engineers go for first, is the fake LinkedIn profile?
So question is, who the hell was this Stephen Rhys-Lewis guy and what was his background? The Guardian, I was reading this article just a few days ago, not able to find out.
Oh, it's Satoshi Nakamoto, definitely.
They couldn't work it out. But that doesn't mean, of course, that nobody on the internet could uncover the truth. And I found a YouTuber going by this strange name of Nobody Special.
So, this YouTuber, Nobody Special, he took it upon himself to do a little bit of digging.
So, he took a screenshot of the Stephen Rhys-Lewis CEO announcement video — so, he had his face and he loaded it into PimEyes. Now, I think we've spoken about PimEyes before.
It's an extraordinarily scary website where you can upload people's images and it will trawl the internet, not looking for that exact image, but actually do a kind of facial recognition.
So it will find social media pictures, all kinds of things of who it thinks is the same person. And it can be really, really quite convincing — you know, it's quite reliable.
So, this YouTuber, Nobody Special, he took it upon himself to do a little bit of digging.
So, he took a screenshot of the Stephen Rhys-Lewis CEO announcement video — so, he had his face and he loaded it into PimEyes. Now, I think we've spoken about PimEyes before.
It's an extraordinarily scary website where you can upload people's images and it will trawl the internet, not looking for that exact image, but actually do a kind of facial recognition.
So it will find social media pictures, all kinds of things of who it thinks is the same person. And it can be really, really quite convincing — you know, it's quite reliable.
Have you — you've done it, right? You've tried it out?
Yeah, yeah, yeah, I've done it. And some people I think, well, that isn't me, but there's quite a lot.
It's like, bloody hell, it has found me here and there, you know, including pictures of me when I was much younger, more handsome, etc., etc.
Anyway, this YouTuber, Nobody Special, he found images of someone who looked very much Stephen Rhys-Lewis.
Found images of this guy sprawled drunkenly around in cocktail bars in Bangkok, hanging out with strippers and prostitutes.
So not living your typical — I mean, he's clearly quite drunk in these images.
It's like, bloody hell, it has found me here and there, you know, including pictures of me when I was much younger, more handsome, etc., etc.
Anyway, this YouTuber, Nobody Special, he found images of someone who looked very much Stephen Rhys-Lewis.
Found images of this guy sprawled drunkenly around in cocktail bars in Bangkok, hanging out with strippers and prostitutes.
So not living your typical — I mean, he's clearly quite drunk in these images.
And it could definitely not be the Stephen he's looking for.
So PimEyes isn't saying the name of these people. It's just saying this is an image of someone who looks really, really similar.
And unfortunately, none of these pictures did reveal the man in the picture's true identity, right? It didn't say who he was.
So what Nobody Special, the YouTuber, did was he started searching for images of other people seen in these drunken snaps in Thailand cocktail bars alongside our mystery man, assuming they must be his drinking buddies because he was being photographed so often.
And one of them was a guy called Chris Moulton.
And he found Chris Moulton's Facebook page, and he was looking through images Chris had posted up on Facebook, and he found one of Chris with one of his mates eating pizza in a Bangkok bar.
It was clearly the same guy again, right? It's Stephen Rhys-Lewis, it's the CEO, and it's the same guy who appears in these Thailand cocktail bar pictures as well.
And unfortunately, none of these pictures did reveal the man in the picture's true identity, right? It didn't say who he was.
So what Nobody Special, the YouTuber, did was he started searching for images of other people seen in these drunken snaps in Thailand cocktail bars alongside our mystery man, assuming they must be his drinking buddies because he was being photographed so often.
And one of them was a guy called Chris Moulton.
And he found Chris Moulton's Facebook page, and he was looking through images Chris had posted up on Facebook, and he found one of Chris with one of his mates eating pizza in a Bangkok bar.
It was clearly the same guy again, right? It's Stephen Rhys-Lewis, it's the CEO, and it's the same guy who appears in these Thailand cocktail bar pictures as well.
Right.
It really sounds like—
This is a roller coaster ride.
Okay.
But the problem is Chris Moulton hasn't tagged our mystery man in these photos. We're so close now, but he hasn't tagged him in the photo. So what's his identity?
But the YouTuber who's investigating all this, he saw that the photo had been liked five times, and so he thought, "I'll just look to see who liked this." And one of the people who liked the photo was someone with the same face, and that was how they were able to identify Stephen Rhys-Lewis's true identity.
But the YouTuber who's investigating all this, he saw that the photo had been liked five times, and so he thought, "I'll just look to see who liked this." And one of the people who liked the photo was someone with the same face, and that was how they were able to identify Stephen Rhys-Lewis's true identity.
So Stephen Rhys-Lewis liked a video that he featured in.
He liked a photo of himself with his friend up on Facebook. And that's where the link was.
And his real name, it turns out, is Steve-O Harrison, originally from Bournemouth, which is a sort of fairly sleepy town on the UK south coast.
And his real name, it turns out, is Steve-O Harrison, originally from Bournemouth, which is a sort of fairly sleepy town on the UK south coast.
It's a beautiful place.
No, I used to go there as a kid. Maybe everyone seemed old when I went there as a kid. Maybe now I'd think they're all youngsters.
Yeah, if it's that boring.
I think it's quite a party place now, but it's not Bangkok, right? It's not quite the same.
And what this YouTuber did was he compared videos of Steve "Stevo" Harrison with Stephen Rhys-Lewis. And it's clearly the same voice and it's the same look.
In fact, I'll play it now.
Here's a bit of Stephen Rhys-Lewis speaking, the CEO: "And we are very excited to slowly unreveal and share them with you." And here's Steve, Steve-O Harrison: "I'm currently training for Spartan in three weeks.
I'm going down there to do the trail run, which is 10K, and I think I've done this course before." I would say that's the same voice. Would you not agree?
And what this YouTuber did was he compared videos of Steve "Stevo" Harrison with Stephen Rhys-Lewis. And it's clearly the same voice and it's the same look.
In fact, I'll play it now.
Here's a bit of Stephen Rhys-Lewis speaking, the CEO: "And we are very excited to slowly unreveal and share them with you." And here's Steve, Steve-O Harrison: "I'm currently training for Spartan in three weeks.
I'm going down there to do the trail run, which is 10K, and I think I've done this course before." I would say that's the same voice. Would you not agree?
I'm not an expert. I feel this is just crazy research.
Is it 'cause English people just sound the same to you?
No, because people confuse Carole and I all the time.
I do.
I have to say, yeah, we're actually the same person. We've been meaning to tell you, very similar, but this feels like the right time. So, you know, you've suspected all along.
Okay, I admire and appreciate this guy's— this YouTuber Nobody Special's work here, but I'm hoping that there's something a bit more proofy to this story than pure conjecture.
Well, I think it's pretty compelling. I'll link to the video so you can check it out for yourself and see if you agree with his evidence anyway.
He looked up Steve-O Harrison's LinkedIn account, and what you find is it describes himself as a TV presenter and sports pundit, not a cryptocurrency CEO.
He looked up Steve-O Harrison's LinkedIn account, and what you find is it describes himself as a TV presenter and sports pundit, not a cryptocurrency CEO.
Well, what do you need to be a qualified cryptocurrency CEO, to be fair?
He says this. He says he works alongside international businesses to help front their products and services. It sounds like he's been hired to pretend to be the CEO.
He's a rent-a-CEO.
He's a rent-a-CEO.
Oh, the twists keep coming.
And maybe we should have guessed that because if you look at Steve Rhys-Lewis's Twitter account, he's pinned a tweet which has a link to the promo video for the Hyperverse.
And there's a caption which reads, "Where reality ends and imagination begins." And I think that's really the case.
Now, interestingly, why have Chuck Norris, Steve Wozniak, and other celebrities fallen for this? Why are they endorsing Hyperverse?
And there's a caption which reads, "Where reality ends and imagination begins." And I think that's really the case.
Now, interestingly, why have Chuck Norris, Steve Wozniak, and other celebrities fallen for this? Why are they endorsing Hyperverse?
Chuck Norris here, and I want to give a shout out to Hyperverse. Under the leadership of CEO Stephen, Hyperverse will be the leader of metaverse space.
This is the dawn of a new beginning with the metaverse odyssey. With endless possibilities. Keep up all the great work and just know you are Chuck Norris approved.
Your friend, Chuck Norris. I was going to say, you know, remember we were talking about it just before last, at the end of the year, that rent a— yeah, you pay a fee.
This is the dawn of a new beginning with the metaverse odyssey. With endless possibilities. Keep up all the great work and just know you are Chuck Norris approved.
Your friend, Chuck Norris. I was going to say, you know, remember we were talking about it just before last, at the end of the year, that rent a— yeah, you pay a fee.
Cameo. Yeah, that's the thing, wasn't it?
Yep.
It was Don Johnson and Elijah Wood or something who were saying things about, was it Vladimir Zelensky or something, having a drug problem. They'd been tricked into saying things.
Well, it seems to be the same thing. So Woz has recorded a video where he's recorded it basically up his own nostrils. And Chuck Norris is a little bit more professional.
You'd think Woz would know where his webcam is. But these appear to be Cameo videos where, so this company just paid a few bucks.
You can normally ask a celebrity to wish someone a happy birthday, or in this case, endorse a cryptocurrency scam.
Well, it seems to be the same thing. So Woz has recorded a video where he's recorded it basically up his own nostrils. And Chuck Norris is a little bit more professional.
You'd think Woz would know where his webcam is. But these appear to be Cameo videos where, so this company just paid a few bucks.
You can normally ask a celebrity to wish someone a happy birthday, or in this case, endorse a cryptocurrency scam.
I thought they vetted those things way more carefully. They usually have a whole list of rules of stuff they won't say. I guess they don't.
That's wild. Yeah, but that probably goes direct to the person and they're, yeah, sure, I'll read that. I don't care. Probably haven't read it.
I need $20. Yes.
Chuck Norris needs $20? What world is this? He roundhouse kicks his $20 into his pocket. Would he need $20?
So Steve Harrison hasn't been collared by the law. As far as I know, he's still out in Bangkok doing whatever he does out there.
Someone else allegedly linked to the Hyperverse has been now arrested and charged in the United States. Someone who's known as Bitcoin Rodney has been.
Bitcoin Rodney, also known as Rodney Burton.
Someone else allegedly linked to the Hyperverse has been now arrested and charged in the United States. Someone who's known as Bitcoin Rodney has been.
Bitcoin Rodney, also known as Rodney Burton.
Bitcoin Rodney.
Is that his real first name? Is this a bit Judge—
That's his Christian name, Bitcoin Rodney.
He's alleged to have made fraudulent presentations claiming high returns for investors, but it was all obviously a whole load of garbage. So Hyperverse, who would have thought it?
We're kicking off 2024 with some cryptocurrency scamming. I suspect there's lots more of this to come.
Come on, Chuck, get your act together and Woz, work out where to point your webcam next time. Maria, what have you got for us this week?
We're kicking off 2024 with some cryptocurrency scamming. I suspect there's lots more of this to come.
Come on, Chuck, get your act together and Woz, work out where to point your webcam next time. Maria, what have you got for us this week?
I'm amazed that I picked a story not knowing what yours was about that is also about AI fraud and a little bit of bitcoin. Just completely by chance, and I mean that for real.
This story, I saw the beginnings of it trickling through on Reddit and the Fediverse of all things a couple of days ago, maybe about a week ago, I don't remember exactly, but right around the New Year.
And I saw a toot.
This story, I saw the beginnings of it trickling through on Reddit and the Fediverse of all things a couple of days ago, maybe about a week ago, I don't remember exactly, but right around the New Year.
And I saw a toot.
All right, let's not call them toots.
We don't say toot anymore on the Fetiverse.
I saw an image that looked totally innocuous, and I don't often see a lot of images on my feed on Mastodon because I follow a bunch of nerds, so it's always text only.
And it was just like a very normal verification post is what the title said at the top of the image.
And the image below was of a like youngish woman looking right at the screen holding up a piece of paper.
It's a completely insignificant image that reminds me of the gajillions of these that I've done for— I've done one for Binance, for example, where you have to hold up a government ID, it's a terrible selfie, and they run it through— I don't know what they run it through, a person or automated system, both— and they— it's supposed to verify that you are who you say you are.
And of course everyone always looks kind of terrible in these pictures, but that's what this image was, just says verification post.
And I'm just wondering why am I seeing this on my Mastodon feed? Did somebody make a security boo-boo and post something publicly that they shouldn't have, like a credit card?
And then I looked a little more closely at the image, just a smidge, and I noticed that the piece of paper that she's holding up to the camera, it has two lines of handwritten notes on it.
And the first one was clearly a Reddit username— sorry, a subreddit name. And the second line was a Reddit username, which was u/yourmom.
And I'm going, okay, that's an interesting Reddit username. What is going on here? And then of course I did the thing I should have done, which was read the text that came with it.
And this was from user— oh right, yes, read the actual text in the tweet— I mean the post.
It's from a username Nixcraft, and they said this: this is crazy, Stable Diffusion created a verification image of someone doing their KYC for a bank or similar.
AI will impact know your customer, which is what KYC means, not Kentucky Fried Chicken or whatever I thought it was.
AI will impact know your customer identity verification processes.
As AI makes it cheaper and easier to impersonate someone's likeness and identity markers, which are often found in a breach, it will become simpler for attackers to take over accounts and steal money, data, impact brands, etc.
I was like, wow, that's a great thing to read on my feed first thing in the morning. So I did what any good nerd would do is I went straight to Reddit.
And I wanted to find the original post where this was happening. And I went into the rabbit hole on Reddit where this was posted. It was on Stable Diffusion.
And there's a Reddit user there who was publishing a workflow that I don't know much about AI at this level, but it wasn't— it was complicated but not impossible.
A workflow to create really convincing deepfake identification selfies. I mean, way, way more convincing than anything I've ever seen.
That would take maybe at most a day to fake someone else's government ID and verification image. And not only that, but there are also video versions of this.
So if you're thinking, well, you know, it could just, what's the difference between this and Photoshop?
There's a very easy way for generative AI to make these know your customer videos that someone could just upload pretty easily to, I don't know, your bank to pretend to be you.
And the barrier keeps just dropping on how easy this is becoming. And you know, this information is posted pretty wildly and widely.
I saw an image that looked totally innocuous, and I don't often see a lot of images on my feed on Mastodon because I follow a bunch of nerds, so it's always text only.
And it was just like a very normal verification post is what the title said at the top of the image.
And the image below was of a like youngish woman looking right at the screen holding up a piece of paper.
It's a completely insignificant image that reminds me of the gajillions of these that I've done for— I've done one for Binance, for example, where you have to hold up a government ID, it's a terrible selfie, and they run it through— I don't know what they run it through, a person or automated system, both— and they— it's supposed to verify that you are who you say you are.
And of course everyone always looks kind of terrible in these pictures, but that's what this image was, just says verification post.
And I'm just wondering why am I seeing this on my Mastodon feed? Did somebody make a security boo-boo and post something publicly that they shouldn't have, like a credit card?
And then I looked a little more closely at the image, just a smidge, and I noticed that the piece of paper that she's holding up to the camera, it has two lines of handwritten notes on it.
And the first one was clearly a Reddit username— sorry, a subreddit name. And the second line was a Reddit username, which was u/yourmom.
And I'm going, okay, that's an interesting Reddit username. What is going on here? And then of course I did the thing I should have done, which was read the text that came with it.
And this was from user— oh right, yes, read the actual text in the tweet— I mean the post.
It's from a username Nixcraft, and they said this: this is crazy, Stable Diffusion created a verification image of someone doing their KYC for a bank or similar.
AI will impact know your customer, which is what KYC means, not Kentucky Fried Chicken or whatever I thought it was.
AI will impact know your customer identity verification processes.
As AI makes it cheaper and easier to impersonate someone's likeness and identity markers, which are often found in a breach, it will become simpler for attackers to take over accounts and steal money, data, impact brands, etc.
I was like, wow, that's a great thing to read on my feed first thing in the morning. So I did what any good nerd would do is I went straight to Reddit.
And I wanted to find the original post where this was happening. And I went into the rabbit hole on Reddit where this was posted. It was on Stable Diffusion.
And there's a Reddit user there who was publishing a workflow that I don't know much about AI at this level, but it wasn't— it was complicated but not impossible.
A workflow to create really convincing deepfake identification selfies. I mean, way, way more convincing than anything I've ever seen.
That would take maybe at most a day to fake someone else's government ID and verification image. And not only that, but there are also video versions of this.
So if you're thinking, well, you know, it could just, what's the difference between this and Photoshop?
There's a very easy way for generative AI to make these know your customer videos that someone could just upload pretty easily to, I don't know, your bank to pretend to be you.
And the barrier keeps just dropping on how easy this is becoming. And you know, this information is posted pretty wildly and widely.
But think of all the companies, five years ago, everyone that we spoke with were talking biometrics. Biometrics are everything, you know, and they invested loads of money in that.
And I always hated the idea because you only have one face. So biometrics are dead effectively in a lot of ways.
And I always hated the idea because you only have one face. So biometrics are dead effectively in a lot of ways.
TechCrunch also saw the same thing I did. A lot of people saw this on Reddit and they put an article together that I'm sure we can link in the show notes about this specific thing.
They also included a security research firm called Sensity that said they found that the 10 most popular know-your-customer providers are severely vulnerable to real-time deepfake attacks.
So I mean, I feel like an entire industry just got killed off effectively by GenAI right now. Whether or not you miss it, it's not really here or there.
But TechCrunch also included a quote from the chief security officer for crypto at Binance, which is the same thing that I had used for this exact thing.
And they said that yeah, this is very easy for deepfake tools to completely bypass their security measures for to pass liveness checks, which is what they call it.
So I guess everything needs to go back to in person is essentially what I'm taking away.
They also included a security research firm called Sensity that said they found that the 10 most popular know-your-customer providers are severely vulnerable to real-time deepfake attacks.
So I mean, I feel like an entire industry just got killed off effectively by GenAI right now. Whether or not you miss it, it's not really here or there.
But TechCrunch also included a quote from the chief security officer for crypto at Binance, which is the same thing that I had used for this exact thing.
And they said that yeah, this is very easy for deepfake tools to completely bypass their security measures for to pass liveness checks, which is what they call it.
So I guess everything needs to go back to in person is essentially what I'm taking away.
Maybe it'll have to be stuff like you'll get on the video, right? And then they're gonna have to spew out something unexpected like, do jumping jacks right now!
Oh my God, right? Yeah.
Or like, run around in circles.
Yeah, like those Google CAPTCHAs have already gotten super weird. I got one the other day that was, which animal is heavier or something?
And I was like, what the hell is this CAPTCHA? So yeah, they're gonna just gonna throw random things at you, like find something that's pink in your house right now or something.
And I was like, what the hell is this CAPTCHA? So yeah, they're gonna just gonna throw random things at you, like find something that's pink in your house right now or something.
Wow.
Maybe we're going to get to a point where we actually need to physically go somewhere to—
Well, that'd be great.
Maybe there'll be brokers where you could go to someone in the high street and they have certain security standards.
And so you have to go there, present yourself, and they will affirm that you are— They've closed all the branches.
And so you have to go there, present yourself, and they will affirm that you are— They've closed all the branches.
So— The branches are all closed.
Well, Carole, what's your answer? Are you gonna have a barcode under your armpit or something, which people can scan? Scan it in. What would you get it to?
Where?
What are you gonna—
It's a fascinating problem, and I don't know what the solution is. Does anybody?
I'm just not gonna buy anything again.
That's all.
I'm not doing anything.
Oh, Carole, your story was heartbreaking. I felt for you.
Oh, poor Carole.
I almost fell for a scam myself, so don't worry, you're not alone.
Did you get your money back yet, Carole? Is there anything new?
No, not yet. Watch this space.
No.
Sorry.
Listen to our last episode, everyone, if you want to hear about Carole's friend Charlotte, who was scammed.
I loved your reaction so much. 'Cause I wanted to tell you right away, and I said, no, keep it for the show. Keep it for the show.
Well, okay, Charlotte, what have you got for us this week?
Okay, are you guys Airbnb dates, or do you use that to rent houses, or is it VRBO in the States? So do you use that?
VRBO? Yeah, yeah, yeah, I've used them.
Yep, I've used Airbnb, yeah, a number of times.
Yeah, right, I'm an Airbnb-er, and for the most part it's been a pretty good experience.
I only rented a place once for one night with a very tightwad buddy of mine, and that experience was not great because we got what we paid for.
I only rented a place once for one night with a very tightwad buddy of mine, and that experience was not great because we got what we paid for.
Sorry about that.
Not you. So typically, you know, when you're organizing an Airbnb, you back and forth via the Airbnb messaging app.
Yep.
You share basic contact info, pay for the visit, then off you trot, right? And you fly off to wherever you're going, or driving, whatever. And then you have a check-in time, right?
So imagine you're sitting around the corner from your Airbnb, you know, maybe you're sipping a cranberry juice, Graham, a latte for Maria, until it's time for you guys to check in.
So imagine you're sitting around the corner from your Airbnb, you know, maybe you're sipping a cranberry juice, Graham, a latte for Maria, until it's time for you guys to check in.
Yeah.
And this is going to impact your romantic getaway, or, you know, whatever, if you're sleeping on the streets in a far-flung city.
And the caller explains, look, sorry, sorry, sorry, the previous guest flushed something down the toilet, flooding the unit.
'But don't worry, I've got another property until the problem gets sorted.' Thank goodness, right, thank goodness.
And the caller explains, look, sorry, sorry, sorry, the previous guest flushed something down the toilet, flooding the unit.
'But don't worry, I've got another property until the problem gets sorted.' Thank goodness, right, thank goodness.
These things happen.
These things happen.
You're going to be terribly nice about it in English. You're not going to complain. You'll say, 'Oh, you'll probably be the one to apologise.' I would actually apologise, probably.
'I'm sorry you had to go to the inconvenience.' Honestly, I would.
'Find me somewhere else to stay.' 'Even though it wasn't my poop, wasn't my poop that blocked the loo, but despite that, on behalf of everyone who poops, I would like to apologize.' You're gonna take that on yourself?
'I'm sorry you had to go to the inconvenience.' Honestly, I would.
'Find me somewhere else to stay.' 'Even though it wasn't my poop, wasn't my poop that blocked the loo, but despite that, on behalf of everyone who poops, I would like to apologize.' You're gonna take that on yourself?
So, so gracious, such a gentleman. Oh my goodness.
But the guy says, 'Look, look, I've got this other place and it's, you know, it's 3 times bigger and you'll get it for the same price.' And he sends you a few pics and the property does look bigger.
Brilliant.
You know, it looks fine. And, you know, the guy's, I need to know, you're booking or you're canceling? What do you want to do?
So you change the reservation by the Airbnb app to this new property and off you trot to the new property and it takes you a bit to find it.
You can't find on the main street because it turns out it's kind of behind the house, where a garage would be, a garage turned flop house type thing.
And while it's big, it's a vamped up shed. And the furniture is crap. It's a bit of a shithole, basically. But you're, it's one night, it's one night.
And so the next day, instead of getting good news, you get a text explaining the plumbing in the original rental is not fixed and that new tenants are moving into the flop house the next day, so you need to skedaddle and just, you know, ask for your money back.
Refund, refund, refund.
So you change the reservation by the Airbnb app to this new property and off you trot to the new property and it takes you a bit to find it.
You can't find on the main street because it turns out it's kind of behind the house, where a garage would be, a garage turned flop house type thing.
And while it's big, it's a vamped up shed. And the furniture is crap. It's a bit of a shithole, basically. But you're, it's one night, it's one night.
And so the next day, instead of getting good news, you get a text explaining the plumbing in the original rental is not fixed and that new tenants are moving into the flop house the next day, so you need to skedaddle and just, you know, ask for your money back.
Refund, refund, refund.
I can imagine myself apologizing again for this inconvenience cycle.
Yeah, yep, exactly.
You'd apologize. And also, you might be a bit fucked off with all this because you only have a short stay. This is holiday time.
Yeah, yeah, it is a bit of a shit.
So you're gonna go, fuck it, I'm gonna go to a hotel. I'll sort this out when I get home. And you try to get home and trying to recoup your money from Airbnb—
Airbnb—
From Airbnb, and it turns out that it's not as easy as one might think. And this is kind of a short version of what happened to Vice journalist Ali Conti back in 2019.
And she ended up having to repeatedly badger her Airbnb, and even then she only recouped a third of what she ended up paying for the rental.
Okay, but she's a journalist, so she started digging, and she learned that the phone number that she received the call from was a Google untraceable number.
When she did a reverse image search of the couple who were supposedly renting the property, it turned out to be a stock photo. And she started reading the reviews of the property.
And other people were saying, oh, last minute, there was a problem with the property, and that refunds were being ghosted.
So as soon as refunds were being discussed, the phone calls stopped. They stopped taking calls.
And she ended up having to repeatedly badger her Airbnb, and even then she only recouped a third of what she ended up paying for the rental.
Okay, but she's a journalist, so she started digging, and she learned that the phone number that she received the call from was a Google untraceable number.
When she did a reverse image search of the couple who were supposedly renting the property, it turned out to be a stock photo. And she started reading the reviews of the property.
And other people were saying, oh, last minute, there was a problem with the property, and that refunds were being ghosted.
So as soon as refunds were being discussed, the phone calls stopped. They stopped taking calls.
Right.
And there were some positive reviews as well.
But when you started looking at who they were, it turned out that they were also Airbnb-ers sharing very similar properties, like perhaps identical.
So in the show notes, I've given you 4 pictures of 4 different Airbnb-ers.
But when you started looking at who they were, it turned out that they were also Airbnb-ers sharing very similar properties, like perhaps identical.
So in the show notes, I've given you 4 pictures of 4 different Airbnb-ers.
Yeah.
And you can see it's just basically different angles of the same room. And it's exactly the same apartment.
Oh, yes.
Uh-oh. Okay.
So Ali's snooping unveiled 5 accounts controlling 94 properties in 8 different cities that all seem to be suspiciously run by the same people.
And she alerted Airbnb, but they showed little interest, and the active accounts remained open, and they did not respond.
And she started talking to people that left shitty reviews, and it turns out that she wasn't alone.
And it turns out that based on a bunch of small things the small print inside Airbnb, there's things like if a guest stays even one night in a rental, it's difficult to obtain a full refund according to the Airbnb rules.
And she alerted Airbnb, but they showed little interest, and the active accounts remained open, and they did not respond.
And she started talking to people that left shitty reviews, and it turns out that she wasn't alone.
And it turns out that based on a bunch of small things the small print inside Airbnb, there's things like if a guest stays even one night in a rental, it's difficult to obtain a full refund according to the Airbnb rules.
Hmm.
And if a host asks a guest to stay at a property that's different from the one rented, Airbnb advises the guest to request a cancellation if they're not okay with the switch. Right?
In both cases, the rules favor a would-be scammer and places the onus on the guests who have just parachuted into some place with their luggage and have nowhere to stay.
In both cases, the rules favor a would-be scammer and places the onus on the guests who have just parachuted into some place with their luggage and have nowhere to stay.
Oh, nightmare.
Right? And remember, this was back in 2019. And there's an update.
Right.
Because according to Daily Beast's Joss Dallio, he wrote that Shray— I don't know how you say this last name. It's G-O-E-L. Goel?
Shray Goel.
Shray Goel. He's the alleged Airbnb scammer. He was arrested just after Christmas this year.
Oh, and this was because Ali Conti published her very detailed piece in Vice way back in 2019. She got a call from the FBI wanting to hear more.
Here we are 4 years later, and Goel has been charged with wire fraud and aggravated identity theft.
20-page indictment laying out how the self-proclaimed visionary real estate investor allegedly grifted millions by running a double booking bait-and-switch scheme.
Oh, and this was because Ali Conti published her very detailed piece in Vice way back in 2019. She got a call from the FBI wanting to hear more.
Here we are 4 years later, and Goel has been charged with wire fraud and aggravated identity theft.
20-page indictment laying out how the self-proclaimed visionary real estate investor allegedly grifted millions by running a double booking bait-and-switch scheme.
Oh geez.
So he and his cohorts would contact the lower-paying renter at the last second. So he'd rent it to two people, one would be paying a little bit less.
They would contact them sometimes minutes before their scheduled arrival to tell them the property was unavailable for the entirety or a portion of their stay, right?
And the indictment said that Goel would then offer to rebook those guests to an upgraded property free of charge. And many would accept without properly reviewing the new lodging.
And of course, the upgrade was usually inferior.
They would contact them sometimes minutes before their scheduled arrival to tell them the property was unavailable for the entirety or a portion of their stay, right?
And the indictment said that Goel would then offer to rebook those guests to an upgraded property free of charge. And many would accept without properly reviewing the new lodging.
And of course, the upgrade was usually inferior.
Yeah.
And this spanned over 100 properties throughout the US, including some in California pads and rent-controlled buildings.
And in total, they said he used fake profiles and deception to make more than 10,000 reservations on Airbnb that amounted to $7 million in payouts.
And in total, they said he used fake profiles and deception to make more than 10,000 reservations on Airbnb that amounted to $7 million in payouts.
Wow.
It's a pretty lucrative scheme, huh?
Makes you a bit frightened of booking things via Airbnb, really, doesn't it? If this is possible.
You know, there's so many properties on there.
Yeah.
The thing that I don't like is, remember at the beginning when Ali Conti was gathering evidence, Airbnb didn't want to know.
And it's only when the FBI came knocking that they started playing ball.
And it's only when the FBI came knocking that they started playing ball.
Yeah.
And the worrying thing for me, what it suggests, is it's really hard to get your money back if you've been scammed on these platforms. The support isn't there, and that sucks.
Yeah, yeah.
But it does show that if you share your story of how you have been scammed or almost scammed, it can help other people, but it also can lead to arrests. So hat tip to Ali Conti.
Although it took 4 years. It's taken 4 years for this guy to be... It's a long time, isn't it?
I mean, excellent work by the journalist for doing this and well done to the FBI for investigating this. Obviously it was complicated or whatever, but it's—
I mean, excellent work by the journalist for doing this and well done to the FBI for investigating this. Obviously it was complicated or whatever, but it's—
But, you know, if you're an Airbnb-er, maybe look at Google Maps, you know, use Google Maps to see the property beforehand.
That's a way maybe of just checking that it actually exists because in some places, you know, they couldn't even find the property and if they put you under pressure, try and ask you to switch up your reservation, just cancel it, and it puts you in a much stronger negotiation position.
Because seriously, who wants to go away expecting a little she-she bijou something-something and end up in some crappy shithole shed flop house, whatever?
So you Airbnb-ers out there, take heed. This episode of Smashing Security is sponsored by Kolide.
Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources?
Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out.
Welcome to Kolide, a world where access is only given to approved secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard.
Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning less resources are needed to effectively operate a more secure environment.
Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps.
Learn more at kolide.com/smashing. That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide Security for sponsoring the show.
That's a way maybe of just checking that it actually exists because in some places, you know, they couldn't even find the property and if they put you under pressure, try and ask you to switch up your reservation, just cancel it, and it puts you in a much stronger negotiation position.
Because seriously, who wants to go away expecting a little she-she bijou something-something and end up in some crappy shithole shed flop house, whatever?
So you Airbnb-ers out there, take heed. This episode of Smashing Security is sponsored by Kolide.
Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources?
Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out.
Welcome to Kolide, a world where access is only given to approved secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard.
Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning less resources are needed to effectively operate a more secure environment.
Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps.
Learn more at kolide.com/smashing. That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide Security for sponsoring the show.
Shortcut compliance without shortchanging security. That's what Vanta can bring your company.
Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money.
Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR custom frameworks, and more.
And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com/smashing to claim your discount. That's vanta.com/smashing.
And thanks to Vanta for supporting the show. And welcome back and join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money.
Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR custom frameworks, and more.
And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com/smashing to claim your discount. That's vanta.com/smashing.
And thanks to Vanta for supporting the show. And welcome back and join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone can choose something they like.
Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. In fact, it's maybe not even a Pick of the Week. It might actually be a Nitpick of the Week.
Oh. Oh, gotta find that sting.
Yeah, well, back—
Starting 2024 with a bang, Graham.
Back in the day, I used to work with Carole Theriault at a security firm. And this is just an example of something which niggles me because it has to do with percentages.
Because Carole and I, we used to do a press release each month. This is many years ago. This is 20 years ago.
Because Carole and I, we used to do a press release each month. This is many years ago. This is 20 years ago.
Oh my God.
It's not that I'm serving up an old grievance here or anything.
No, no, no. Airing of grievances was last month during Festivus, Graham. You're a little late.
We would do a press release maybe saying the dirty dozen spam-spewing countries. And there were a number of anecdotes regarding that. Let's not mention the Pitcairn Islands.
But anyway, the trouble we got into with them.
There would be something, for instance, oh, you know, India has risen from 28% to 37% of all, as a percentage of all the spam spewed in the last month.
But anyway, the trouble we got into with them.
There would be something, for instance, oh, you know, India has risen from 28% to 37% of all, as a percentage of all the spam spewed in the last month.
Basically a bunch of stupid numbers.
A bunch of stupid numbers, as Carole would mention.
But it got so much attention every time. Yes.
It was an easy way of getting coverage for the company we were working for.
Yeah, 100%.
So we would mention that a number would rise from, I don't know, 5% to 20%. You'd want to explain that in some way.
And Carole would come back and she'd say, 5% to 20%, it's risen 15%. And I knew you'd be on this, Maria, because Maria's a maths nerd. And she knows 5% to 20% is not a rise of 15%.
It's 15 percentage points.
And Carole would come back and she'd say, 5% to 20%, it's risen 15%. And I knew you'd be on this, Maria, because Maria's a maths nerd. And she knows 5% to 20% is not a rise of 15%.
It's 15 percentage points.
Indeed.
You have to be careful to say 15 percentage points. It's actually a 300% rise if you go from 5% to 20%, because how many 5s have you got, right? Sorry for being boring about this.
Anyway, I'm not sure what my nitpick really is. Is my nitpick people who get percentages wrong in that way, percentage rises and percentage falls in that—
Anyway, I'm not sure what my nitpick really is. Is my nitpick people who get percentages wrong in that way, percentage rises and percentage falls in that—
Are you kidding me? Are you kidding me?
No, I don't know.
So you went back 15 years to talk about something we had to do every fucking month that we hated. And you're like, no reason I brought that up.
Oh, oh, oh, is my actual problem, is my actual nitpick of the week with mathematics itself? Because maybe maths should simply be different.
Maybe Carole is right that a rise from 5% to 20% should be able, you should be able to say that's a 15% rise. I wonder if I'm just being too pernickety.
I wonder if I've got this wrong. I'm just questioning all of reality right now. Maybe maths itself is wrong and it should be reinvented.
So my nitpick of the week is percentages, but more specifically, mathematics.
Maybe Carole is right that a rise from 5% to 20% should be able, you should be able to say that's a 15% rise. I wonder if I'm just being too pernickety.
I wonder if I've got this wrong. I'm just questioning all of reality right now. Maybe maths itself is wrong and it should be reinvented.
So my nitpick of the week is percentages, but more specifically, mathematics.
It's existence.
Which I think it just needs to be corrected. Maria, what's your pick of the week?
Okay, Graham, for your nitpick, there was an interview with an author I heard on the radio. Her name is Eugenia Chang, and she wrote a book called Is Math Real?
And I think you gotta read that book. I'm gonna make that a sort of semi-pick, 'cause it's—
And I think you gotta read that book. I'm gonna make that a sort of semi-pick, 'cause it's—
Is math real?
Yeah, is math real? Yeah, and she's a mathematician, so.
All right, we'll put a link in the show notes so people can read it and then tell me what it said.
She gave a really fascinating interview on Science Friday, which is a great show here in the US, highly recommend.
My pick of the week is a television show that just completed its second season, and it is called Julia.
And some people might be able to guess that, yes, it is about Julia Child, the—
My pick of the week is a television show that just completed its second season, and it is called Julia.
And some people might be able to guess that, yes, it is about Julia Child, the—
Ooh! Yes!
She was the pioneering television chef who was really, really popular in the '60s especially, but beyond, you know.
And she broadcasted on US public television from WGBH in Boston, which is my home station. She is very beloved here in the Boston area where I live.
And she's very famous in North America, I would say. I don't know if she's as well known outside.
And she broadcasted on US public television from WGBH in Boston, which is my home station. She is very beloved here in the Boston area where I live.
And she's very famous in North America, I would say. I don't know if she's as well known outside.
Yeah, she basically went to France with her husband. He worked, she decided to become a cook.
She turned out she was amazing at it, came back home and did the show, and it was like a superstar.
She turned out she was amazing at it, came back home and did the show, and it was like a superstar.
So she's America's equivalent to Delia Smith or Fanny Craddock or something like that.
Basically like a biopic, TV series. So it's really taking its time with Julia Child's story, starting about how did she end up becoming a TV chef.
And the interesting thing is, she is being played by Sarah Lancashire, who is a British actress and absolutely nails Julia completely.
So, I had no idea that she was not American, but she did a great job.
And aside from the fact that the story is fascinating and the series is extremely well done, one of the reasons I love it is they actually— this series has taken pains to get things accurate in terms of how it looks.
They filmed a lot of the show right here in the Boston area.
So, there are many scenes at a diner that is in my city that I sit in with my my daughter all the time, and I recognize it. And Julia Child is very much like a beloved Boston hero.
And so the fact that they actually didn't say, we're just going to put it all on the soundstage in LA, and they filmed it out here, to me adds a lot to the color and the flavor of the story.
So, I've really enjoyed it so far. It's honestly been one of my favorite TV shows I've watched in a while.
It's available in the US through HBO, and I believe in the UK you can watch it through Apple TV.
I have no idea outside of those two, I'm sorry, but it's widely available, so I recommend it highly. It's just called Julia.
And the interesting thing is, she is being played by Sarah Lancashire, who is a British actress and absolutely nails Julia completely.
So, I had no idea that she was not American, but she did a great job.
And aside from the fact that the story is fascinating and the series is extremely well done, one of the reasons I love it is they actually— this series has taken pains to get things accurate in terms of how it looks.
They filmed a lot of the show right here in the Boston area.
So, there are many scenes at a diner that is in my city that I sit in with my my daughter all the time, and I recognize it. And Julia Child is very much like a beloved Boston hero.
And so the fact that they actually didn't say, we're just going to put it all on the soundstage in LA, and they filmed it out here, to me adds a lot to the color and the flavor of the story.
So, I've really enjoyed it so far. It's honestly been one of my favorite TV shows I've watched in a while.
It's available in the US through HBO, and I believe in the UK you can watch it through Apple TV.
I have no idea outside of those two, I'm sorry, but it's widely available, so I recommend it highly. It's just called Julia.
I have not seen it, but I'll keep my eyes open.
I think you might really like it, Carole. I really do.
It sounds up your street, Carole, because you're a big chef, aren't you?
Thanks, Maria. You got it, Carole.
Carole, what's your pick of the week?
Well, mine is a detective series. So for some reason, when my cousin was over during the holidays, we started talking about that show Naked Attraction. Do you remember that, Graham?
Graham Cluley.
Yeah, right.
I think we've talked about it in the show, people, old-timers out there, you'll remember we've talked about this, but basically I assumed it had been canceled right after the first season because who would?
But no, it's still going. There's 7 series.
I think we've talked about it in the show, people, old-timers out there, you'll remember we've talked about this, but basically I assumed it had been canceled right after the first season because who would?
But no, it's still going. There's 7 series.
I'm surprised the whole channel hasn't been canceled. It was basically for exhibitionists, wasn't it?
That's the point of the show was they would pull up a little drawbridge to reveal your— So it was a dating show, but based initially upon whether you fancied someone's genitals or not.
That's the point of the show was they would pull up a little drawbridge to reveal your— So it was a dating show, but based initially upon whether you fancied someone's genitals or not.
Well, it's a dating show where you have 3 potential dates, and you get to gauge which one you choose based on their nude bodies. Completely nude. Junk and stuff nude.
Basically, if you want to check out naked bodies, you want to see people in the nude, this show is for you.
Basically, if you want to check out naked bodies, you want to see people in the nude, this show is for you.
No!
But that's not my pick of the week, okay?
Oh, okay, all right.
Because we watched one show, and we're, oh my God, look! He's so— look at his penis. And then we got bored.
How many penises can you look at? That's true, right?
Graham, don't answer that.
We were scouting around Channel 4 and I found this show called Before We Die.
Oh my God.
Now don't let the name put you off. Before We Die is a British crime drama series based on a Swedish series of the same name by Nicholas Rockstrom.
Sounds cheery already. Yes.
I know, I know. Okay. Series 1 opens with the DI Hannah Lang, that's played by Lesley Sharp, and she launches a manhunt when her secret lover, also a cop, goes missing.
And then, soon, it seems that a Croatian mafia-esque family known as the Mimica, are involved. And maybe there's also a leak inside the cop house, maybe.
And I can't tell you anything about series 2 'cause it continues the same storyline. But I love the Croatian angle, right?
'Cause I love the sound that accent makes, and the actors are Croatian. And I love Mama Mimica. She's the head honcho family. Just great playing the mom queen.
And you're both very quiet. You've fallen asleep.
And then, soon, it seems that a Croatian mafia-esque family known as the Mimica, are involved. And maybe there's also a leak inside the cop house, maybe.
And I can't tell you anything about series 2 'cause it continues the same storyline. But I love the Croatian angle, right?
'Cause I love the sound that accent makes, and the actors are Croatian. And I love Mama Mimica. She's the head honcho family. Just great playing the mom queen.
And you're both very quiet. You've fallen asleep.
I'm just listening.
Normally I'd be on the phone to someone else chatting while you're talking, but no, on this occasion I'm just listening to you. Sorry about that.
I'm just wrapped. I'm listening. Okay, okay.
I found it quite fun, and I hated the title, Before We Die, but we got it from Channel 4 streaming service.
Or failing that, if this sounds really boring, you can also find Naked Attraction there, and you can look at boobies and dongs.
I'm just giving, you know, no judgment, just whatever your thing is. Yeah, Rule 34.
Or failing that, if this sounds really boring, you can also find Naked Attraction there, and you can look at boobies and dongs.
I'm just giving, you know, no judgment, just whatever your thing is. Yeah, Rule 34.
Mega pass.
Well, one of those suggestions was a great Pick of the Week, and the other one could have been a Pickle of the Week. Who knows?
But not a sticky pickle though.
Boom!
That just about wraps up the show for this week. Maria, I'm sure lots of listeners would love to follow you online or find out what you're up to.
What's the best way for folks to do that?
What's the best way for folks to do that?
Well, I host a daily show for space professionals called T-Minus Space Daily, which you can find at space.n2k.com.
And I also am on Sticky Pickles with Carole, so you can look up either T-Minus Space Daily or Sticky Pickles, either one, you'll hear my damn voice.
And I also am on Sticky Pickles with Carole, so you can look up either T-Minus Space Daily or Sticky Pickles, either one, you'll hear my damn voice.
So, beautiful voice.
Tremendous. And you can follow us on Twitter at Smashing Security, no G, Twitter allows us to have a G, and you can also look up the Smashing Security subreddit.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And massive shout out to our episode sponsors, Vanta and Collide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 353 episodes. Check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 353 episodes. Check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye, au revoir.
Maria, super! Oh, thank you for having me on. Always a delight.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Maria Varmazis:
Episode links:
- Chief executive of collapsed crypto fund HyperVerse does not appear to exist – The Guardian.
- Crypto hedge fund CEO may not exist; probe finds no record of identity – Ars Technica.
- BUSTED: Fake HyperVerse CEO Who Stole $1.3 Billion Unmasked! – YouTube.
- Hyperverse’s Steven Reece Lewis outed as Steve Harrison – Behind MLM.
- HyperVerse crypto promoter ‘Bitcoin Rodney’ arrested and charged in US – The Guardian.
- GenAI could make KYC effectively useless – TechCrunch.
- Airbnb Grifter Busted for $7.5 Million ‘Bait-and-Switch’ Scam, Feds Say – The Daily Beast.
- I Accidentally Uncovered a Nationwide Scam Run by Fake Hosts on Airbnb – Vice.
- Percentage Point vs. Percent Difference – Macroption.
- “Is Math Real?” – Book by Eugenia Cheng.
- “Julia” trailer – YouTube.
- Watch Before We Die – Channel 4.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
