Smashing Security podcast #358: Hong Kong hijinks, pig butchers, and poor ransomware gangs

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard against pig butchers as Valentine’s Day approaches, and spare a moment to feel sorry for poor ransomware gangs.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the “Compromising Positions” podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be.

Carole Theriault

Really? Do people ask that? I think—

Leanne Potter

Really? So just one of those great life mysteries, isn't it? You know, why would they aim for such a target? Why? Hi!

Graham

Smashing Security, episode 358, Hong Kong hijinks, pig butchers, and poor ransomware gangs, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 358. My name's Graham Cluley. And I'm Carole Theriault. And Carole, we are joined this week by somebody new, somebody who hasn't been on the podcast before. Great pleasure to invite them to the show. Leanne Potter of the Compromising Positions podcast.

Leanne

Hello. Thank you so much for having me. It's great that you're here.

Graham

Yeah. Now, Leanne, Compromising Positions. What's that about?

Leanne

Yeah. Compromising Positions, protecting your assets. Big emphasis on the ass of assets. Never leaving you exposed. We're a new podcast and our aim is to interview non-cyber security people about cybersecurity. So it's kind of part therapy session, part deep dive into how do we do things better. So basically every week I get someone in from a non-cybersecurity background. Every week, we have lots of really nice takeaways for people working in cybersecurity to take away and make their security controls actually work, which is what we really wanted to happen.

Carole

I think that's a really lofty goal and a good one, I think.

Leanne

I can hope so. Yeah. It's been really great. I've had some really fantastic people, some sort of personal heroes of mine on the show already. So yeah, the reception has been great. We were big in Denmark for a week. Don't know how, don't know why. But for a week in Denmark, we were charting in the top 20. Well, they're people of taste. Tak, Denmark, tak.

Leanne

Let's thank this week's wonderful sponsors, Collide and Vanta. It's their support that helped us give you this show for free.

Graham

I'm going to be discussing what could be a case of Hong Kong phooey.

Carole

Okay, that gives a lot away. What about you, Leanne?

Leanne

I've got a real sob story for you here. Ransomware gangs, unfortunately, they're feeling pinched just as much as we are.

Carole

Okay, and I'm going to be looking for love in all the wrong places. All this and much more coming up on this episode of Smashing Security.

Graham

Now chums, chums, I've got a question for you and it's this. Is this the real life? Is this just fantasy? Why are you ruining a classic? Caught in a landslide, I don't know, escape from reality. I won't do anymore, thank you, appreciate it. Yeah, thank you. Let me take you by the hand and lead you through the streets of Hong Kong where a multinational firm has, well, one of its many offices all around the world, but they've got a significant presence in Hong Kong, shall we say. And we are told that a massive fraud has recently taken place. According to Hong Kong police, a company has lost 200 million Hong Kong dollars, and for those of you not familiar with the exchange rate, that's about 25 million US dollars or in British pounds, let me work that... That's about 900 billion at the moment. So it's a lot of money. After one of its staff fell victim to a scam. Now, this particular employee worked in the finance department at this Hong Kong branch of this big multinational. Okay. And you may be thinking, well, you know, people may ask, well, why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be. Really? Do people ask that?

Leanne

Really? So just one of those great life mysteries, isn't it? Why would they aim for such a target? Why? Why, Graham?

Graham

Because that's where all the money is, of course. So that's where all the money is. That's where people are targeting. If they were after data, if they were after information about your personnel, then they might go for the HR department. But if they're just strictly after the money, why not go to the finance department, particularly in these days of business email compromise and CEO scams and those sort of things. It's not that uncommon. So in the middle of last month, in the middle of January, this person in Hong Kong received a message from what they believed was their UK-based CFO, the chief financial officer, asking them to transfer some money. Now, you know, instantly we have multiple alarm bells going off.

Carole

Well, I don't know. No? I don't know. Really? If you're used to getting those, right? If it's a normal occurrence that the guy goes, throw 10K into this account pronto, chop, chop, you wouldn't bat an eyelid if he made that request.

Graham

I would think in many organisations there may be more of a procedure rather than just receiving a message from the CFO via something which is potentially insecure like email. There may be a little bit more double checking.

Leanne

The amount of time it takes to just get any expenses authorised, you know, for 20 quid or something in an organisation, let alone... This just happens. This is so unfair. Why can't I have it this easy?

Graham

I remember years ago, the company I was working for sent me overseas to do some work for a few weeks at one of our other branches. And so I put my expense claim in for my cat to go into a cattery because I was going... Oh, yeah, it was a nightmare. Couldn't get them to pay for my cat. Was I being unreasonable? I don't know. I'm thinking... I'm thinking. I don't know.

Carole

It is an expense you have to incur.

Graham

It's an expense I had to incur. But do people

Carole

Do it with their children? If you go away for two weeks, do you?

Leanne

As far as I'm aware, Carole, childcare isn't that cheaper than doggy daycare is, for example? Yeah, exactly. I'm just about to put my dog through doggy daycare. And I'm thinking about claiming back on expenses through that.

Graham

Obviously, it wasn't the cheapest cattery. You know, it's the jewel-encrusted water bottle. It was, you know, I had... I'm sure your cat loved that. Would have loved all that. Anyway, so yes, so claiming expenses can be really difficult. It's amazing how companies can just cough up $20 million to move into someone's account. Anyway, so this request came through claiming to be from the UK-based CFO. And I think probably at this company, because it's a big multinational, there were rules about this kind of thing. This person was working in finance. They say, oh, you know, I have to be sure because this could be a fraudulent email. Okay, smart. Right? Yeah, so they're smart. So they're thinking, I need to double check this. I need to make sure that this instruction is legitimate.

Carole

Makes sense. Yeah, I like that. So how would you do that? How would you check? I would say, look, I'm just going to give you a bell on your cell phone. We'll have a little chat. Just want to get all the ins and outs, right?

Graham

You could do that. Yeah. Yeah, that's certainly potentially possible if you have their mobile phone. And in this particular case, the email contained a link to a video call service. So maybe they're using Teams, maybe they're using Zoom or whatever, where they could have a chat to describe what was going on. And we have described many times before how it's possible to create fake videos of people saying what someone else wants them to say. So deepfake videos. So you have to be careful on a video call. But a video call, I would argue, is perhaps a little bit more convincing because you're having a conversation with somebody.

Carole

Yeah, and it gives you more away than just a phone call, right? Because you also have a visual reference.

Graham

Yes, yeah. And because you're interacting with them and you can ask them questions.

Carole

If you called me up, Cluley, and said, look, I need £1,000, I would first die and go, what? And then I'd be, then I might call you up on Zoom and go, what are you talking about? What do you need £1,000 for?

Graham

You would never call me on Zoom. You would never turn on the video camera.

Carole

I call you on our normal channels.

Graham

We wouldn't turn on video would we? Would we turn on video?

Carole

I might make you go on video to promise that you pay it back right with a pinky swear.

Graham

But there could be someone lurking in the corner of my office with a gun with a silencer pointed to my head or something.

Carole

Why doesn't it have a silencer? It's good for me I suppose. My ears won't, you know.

Graham

Anyway, I said anyway, so I mean yes, scams occur. But in this particular case, this person was a little bit suspicious and they weren't sure. We've discussed this many times before possible to create fake videos. You know, the TV game show Countdown on Channel Four used to have Carole Vorderman on it, now it's Rachel Riley, where they have their little quiz with the numbers. She picks, you know, three big ones and two small ones. And can you make them all count up to 793 or something, right? And Rachel Riley is a maths wizard. And five years ago, five years ago, you think deepfake is a new thing. Poppycock, five years ago, HSBC made a video showing how it was possible to make Rachel Riley say that she was bad at maths. And that answers to tricky maths puzzles were being fed into her earpiece.

Robot

I'm bad at maths. That's not true. HSBC did that to show just how sophisticated fraudsters can be. I'm bad at replying to people. I'm bad at maths. I get fed the answers in my earpiece. So this isn't you.

Leanne

What did HSBC have to gain from besmirching that poor woman's reputation?

Graham

Well, HSBC, also known as, by the way, as the Hong Kong Shanghai Banking Corporation. We don't know the name of the company which was affected in this case. So make your own guesses. They wanted to warn their staff and indeed they wanted to warn customers as well about the dangers of deepfaked video and how this was possible and how you shouldn't necessarily trust someone just because you can see them saying something.

Carole

Right. But still, come on. When does it stop? Right. When do you go, oh, okay, you're serious? Would someone have to come on and say, look, I'm really hurt. Look, my leg's pumping out blood, you know, and you'd have to show that in order for people to believe you?

Graham

That seems a bit extreme. In this particular case, so the employee had reason to be suspicious. They thought, hang on a minute, this isn't my first rodeo. I'm going to join this Zoom call. But what allayed their fear is when they joined the video call, they found it wasn't just with the CFO. It was with multiple other people inside the organization, other senior members of staff and some outsiders as well. And according to the cops, the company employees on this call looked and sounded like people the targeted employee did recognize inside the organization.

Carole

So this guy clicks on the Zoom call or whatever, the video conferencing thing. And then there's all these people Brad from Accounts and Sheila. And then they're all, yeah, yeah, no, no, buy-buy, sell, sell. You're wrong.

Graham

I don't know. They're, maybe they're, you're on mute. You're on mute. Can you hear me over there? You're having the usual video call problems.

Leanne

But when do you ever get all the execs in one place at the same time anyways? When would that happen? When you want 20 million, I guess.

Graham

Maybe when you're moving that much money into an account and saying, look, it's very important, but we've chosen you to do this.

Leanne

I don't think I could just be like, oh, I'll just click on a Zoom link and just say, hey, just call in the CFO right now. I bet he's not busy.

Graham

Oh, well, I think they sent an invite. They said, join us at this time because we're going to have a conference call where we can discuss it.

Carole

That would work for me. As we all know, I now know I can fall for these kind of scams. So I imagine if I joined one of these calls with all these people yabbering on, I'd be like, ooh, okay, this is serious.

Graham

So according to the Hong Kong police, there is a senior superintendent, Baron Chan Shun Ching. He says that in previous cases, the scam victims have been tricked in one-on-one video calls. And this, of course, was a multi-person video call. And everyone that they saw was fake. They said the scammers were able to generate convincing representations of targeted individuals that looked and sounded like the actual people.

Carole

It's smart, too, because you're going to ask a lot less questions if there's 15 people on the call than if there was just one, right? Because you don't want to look like an idiot.

Graham

And maybe you won't say something like, stand on one leg. Recite the alphabet backwards quickly. You know, you wouldn't ask any of those test questions.

Leanne

I don't think you've been into any of my meetings, Graham.

Graham

So this employee, over the course of a week, they made 15 transfers, totaling over 200 million Hong Kong dollars to five different accounts.

Carole

What kind of oversights were going on in this company? 15 transfers.

Graham

So I guess because there was a limit, maybe, as to how much you could move at once. I mean, it can happen, can't it? That you'd probably not set off alarm bells.

Carole

But it's someone chopping off one of your digits, your fingers or your toes. I don't know why I'm so dark today. My week of the week is also very dark. I don't know what's going on in February. But you know, you would notice, you would just notice that's a lot of money. Most people would notice.

Graham

You'd think so. Well, now this was interesting to me. So the police say that they've carried out an investigation and they have found that the meeting participants had been digitally recreated by the scammers, as I described, using publicly available video and audio footage of those individuals. And they imitated the voice of their targets reading from a script. So it's quite sophisticated, this, what they've done here. And apparently on the call, they asked the victim, you know, when you go around, you say, okay, if everyone can introduce themselves. And so they got the victim to introduce themselves, but they didn't interact with them at that point. And the meeting ended rather abruptly after they gave the instructions, but it was enough to do that. But here's my actual question. I said, is this Hong Kong phooey? How do the police actually know that what they're saying happened, happened? They haven't made any arrests. How do they know that these were deep fakes? How do they know that, for instance, it wasn't the real CFO and his colleagues telling this employee to move the money into these bank accounts?

Carole

Where's the money now? Exactly.

Graham

Was the employee in on it? Or are they just saying they were fooled by deep fakes? Because what a wonderful, it's a bit saying, we were attacked by a state-sponsored hacking group, and therefore we don't have to admit. It's super serious. Yes, it was very, very serious. It's very convenient, isn't it? Oh, well, it was deep fakes. That's how I got due.

Carole

Oh, this is hard, though. I mean, you're doing exactly what we're telling people to do, trust nothing. Right? But you do sound a crazy person.

Graham

Oh, thank you very much. So I'm just asking the questions. Anyway, the police say if you're not sure if someone is a fake or not on a video they've come up with some advice. And their advice they said is ask the person to bobble their head around a bit. Now I don't think that's going to always work. I think if it's a pre-recorded video, maybe it would work. But these days, with deep fakes, you could have an actor actually playing the part and then having a deep fake face munged on top of them to fool you. So they could bobble their heads.

Leanne

Yeah, but you still get that weird halo sometimes, though, don't you, with the deep fakes? Bad connection, bad connection, Leanne. I think it's good advice. You know, do that thing that you did in PE, you know, at the start when you're in primary school and then you do the chin roll. So put your head right into your chin, roll around. You should get everyone in the meeting to do that. And then you've got a nice workout as well.

Graham

That never looks good on a webcam, I have to say. It depends where your webcam is.

Carole

I'm sure a few weeks ago we talked about doing jumping jacks, getting people jumping jacks as soon as they come on or something.

Graham

I think the scammers are going to be onto that.

Leanne

The deep fake craze and the fitness craze could really get together on this. I really do think so.

Graham

Hong Kong police have also said that you should use their Scameter service. So this is an online service. I'll put a link in the show notes. cyberdefender.hk it is. We can enter the details of an account and see if it is connected to past scam activity. They call it the one-stop scam and pitfall search engine. But a little word of warning, because last year scammers sent messages to people saying, oh, you know, we're the police, we've recovered more than 50 million dollars from a past scam. If you want to check whether you're one of the people who are going to get your money back, this link goes to the fake version of the Scameter app, which will steal your money and your personal information as well. The future is bright. Leanne, what's your story for us this week?

Leanne

Oh get out the tissues, this is a really sad one. The ransomware gangs are really feeling the pinch just like the rest of us. It turns out that payments have dropped down to a new low of 29%.

Graham

So less than a third of companies are paying the ransom demands.

Leanne

Correct, yeah. So there's a company called Coveware and they've been tracking this for some time since 2019. Now, when they first started tracking this trend, it was that 85% were choosing to pay these ransomware gangs. But however, they said on a recent analysis of the data, in the last quarter of 2023, 29% dropped to a brand new low, so about 85% to 29% in just in the space of a few years, which is pretty good. And obviously, there's lots of moral and ethical questions about whether you should pay or not, which you've gone through on the show many a time. But what this report suggests is the reason why these payments are going down is due to awareness, which, you know, pat on the back, everyone, with the messages getting out there, where people are listening. And it's awareness in the sense that people are understanding that ransomware or being hit by ransomware is not a question of if, but a question of when. And, you know, as such, people are starting to take heed to the things we've been saying for ages, which is more robust backups.

Graham

But isn't it the case that a lot of these ransomware attacks now aren't encrypting your data? So they're just stealing it with the threat of releasing it. So is it that these companies don't care if the data is released because there've been so many data breaches, everyone's had their personal information exposed in the past and what's a little bit more?

Carole

Yeah, customers won't care that all their data has been stolen. That's the issue, right?

Leanne

Yeah, well, you do see that time and time again, don't you? So when a big company has a breach, there is a drop in their share prices for a little bit. But if you watch the trends of companies that have had a breach, it kind of just it goes back to normal quite quickly. And by quite quickly, I mean, in the space of sometimes weeks, sometimes months, or sometimes it even does better because then people think, oh, well, actually they're reinvesting into security. So, you know, you see the likes of Uber who, you know, have quite a lot of breaches and then lots of job adverts the next day come out for cybersecurity professionals. So you can kind of see how that might be a thing. But this article suggests that unfortunately it isn't the security team people are listening to about that message of have good backups. It's actually just because mainstream media, which is great, so not your tech publications, the things your BBC News, your Guardians, et cetera, making cybersecurity issues and ransomware headline news. And in particular, what's really kind of convincing people that they're less likely to pay is because of the stories where ransomware groups are not returning the data after it's been paid. So they're not keeping up to their end of the bargain.

Carole

Right, so they're getting the payment and then still releasing the data afterwards, losing the trust, breaking that bond of... That seems really bad business sense by the ransomware gang.

Graham

Shouldn't they provide a higher level of customer service than that if they want to carry on having, quote, customers?

Leanne

Well, I've owned my own business in the past and when there's a big industry-wide scandal, it just takes a few bad eggs to make your business model look rubbish. So I feel really sorry for these legitimate, quote-unquote, ransomware gangs who do have good practices of managing and keeping up to their end of the bargain. And it's just a few of these bad ransomware gangs that are just really letting it down for everyone else. And as a result, there's this big drop in ransomware payments.

Graham

Do you think we need a service like Trustpilot where people can review the quality of the ransomware gang that they've been infected by and whether they did their part of the bargain? And then we'd know, maybe each ransomware gang could have a points out of five, five-star rating or something, say, look, we're really trusted, whereas the bad guys wouldn't be trusted. And so you'd know that you were likely to get your data back or likely to have them destroy it properly.

Leanne

I think that would be a really good idea because there's the TripAdvisor effect, isn't there? You know, when there's a new restaurant that's open, it has really good reviews, and all the restaurants around it want to kind of compete and up their game. So yeah, that'd be really good for ransomware gangsters to kind of up their game and rebuild the trust back into the community, into businesses that, you know, when they do ransomware, is that we're actually going to get what we paid for back.

Carole

But I wonder if it is a question of, you know, if they don't get their money, if they're not getting their payoff, then they're going to go through a type of recession, same as the tech industry is. There'll be layoffs in the ransomware world. Oh, bless them.

Leanne

See, that's what I mean. Absolute sub star. The impacts will be far-reaching. One thing I'd like to think about, though, is will this mean they pivot into something else? Because, you know, the whole idea of it is, you know, ransomware is really low cost, really great return on investment. And if that's not working, what's the next thing that they're going to turn to that has such a good return on investment? And that's probably where you're going to see, I'm going to say it because it's not been really said yet, AI and things into the mix to kind of make it still, you know, low cost, high gains for them. But what was also interesting about this article was there was a second part of the section which says the person who's done the study, so Coveware, said let's enjoy this downturn naturally because one of the other conversations people have been having is about banning ransomware payments altogether. Now, they say that according to their research, when places like Florida, which I wasn't aware, actually, that Florida has banned ransomware payments. They have done so since 2022. They've not seen any noticeable difference in the number of attacks they've got. So that's the number of attacks, not payments. And according to this article that they're saying, if we ban it, then it just kind of shows the cyber criminals that we're unable to kind of look after ourselves. Whereas if we keep it as is and people keep practicing this good security hygiene, then slowly it might fizzle out on its own accord anyways.

Graham

I'm so cynical today. Oh, yeah, today. I don't know what's wrong with me. So how do Coveware know that the number of companies paying the ransom has gone down?

Leanne

Coveware are a ransomware response and negotiation company.

Graham

Oh, so their business has gone down. Oh, right. They're suffering. I see. We're all suffering. Carole, what's your story for us this week?

Carole

Well, we have a very special day fast approaching us. One that, you know, loving couples, brand new and old alike, like to celebrate. And I'm talking about Valentine's Day, or is it St. Valentine's Day? What do you say?

Graham

I just think it's a lot of old tosh, isn't it?

Leanne

I usually just say, ugh.

Graham

I know we just call it Tuesday or something.

Carole

Okay, so you have no interest in celebrating any love in your life.

Graham

No, excuse me, of course I celebrate love in my life. Let's say this very quickly in case anyone's listening. But the whole idea that the entire country has to go out to an Italian restaurant and book, that doesn't seem terribly romantic to me. Much more romantic, obviously, just to, you know, sort of slob around on the sofa and put something in the microwave and say, there you go.

Carole

You see the older man's version of Netflix and chill. There you go. So you kind of resent, you resent that people are being forced to do it, basically.

Graham

No, I don't resent other people being forced to do it. I resent me being forced to do it. So I don't like that. Right. And Leanne, what about you?

Leanne

I agree. My birthday is on Halloween and I resent having to kind of be forced into Halloween. So having another day where you have to just surround yourself with hearts and flowers. And you say, Graham, overpriced special Valentine's Day menus. You know, you could be going to your favourite restaurant, but no, they've added a surcharge on top of that. And with ransomware payments the way they are these days, I don't know if I can afford it. It's hard, though, to come up with a way that's not cheesy, but also kind of recognizing if you have someone in your life you want to high five, right? In my case, do I buy the Yeti a razor, right? Is that a good gift? He obviously doesn't have one. Good for you, maybe. But maybe good for me, definitely. Speaking of big fish, can I just put a shout out there to gentlemen who are putting on their dating profiles? Please don't put the big fish photo on there. You're holding a big fish. They do.

Graham

They do, don't they? It's like look at this huge fish I've caught yeah.

Carole

Even from a security point of view it's not a good idea catching a big fish is it? It's never someone sitting on a sofa eating a family size bag of cheetos or whatever. But the first port of call these days is you go online. You don't tend to go down your local super drug, see someone cute and approach, because it could be pretty dangerous depending on what they're trying to buy. I don't know if a conversation opener of, "Hi, you itchy?" is a good idea.

Leanne

Works for me every time.

Carole

And then you dive into this online dating pool and try to find someone who's a good fit for you. I don't know, what would you be looking for? You'd probably, Graham, you'd be looking for someone who looks like a dead actress from the 50s, I'm sure.

Graham

Diana Rigg. That's right. Yes, circa 1968. I'd be going for a Danny DeVito clone, you know. That's pretty much what you've got, isn't it, at the moment? Your guy is quite short.

Carole

But, you know, whatever your pleasure. And the aim of the game is to find love. And if you start now, maybe in a week's time, when Valentine's Day is upon us, you might already be starting to feel that warm sparkle feeling of a budding relationship. I'm here to say stop right there people, because according to Lloyds Bank this past weekend, romance scams have increased more than 20 percent in 2023 compared to 2022. And I have a few questions for you just for fun. So what age group do you think is reporting losing the most money, averaging 13,000 on average in this age group, almost doubling the average across all romance scam reports in the UK?

Graham

Is it 54-year-old male podcast hosts? No, it's not. Okay. Thank God.

Leanne

I want to say probably millennials. And the reason why, just because we've grown up with the likes of Dirty Dancing and stuff like that. We're looking for love. We're looking for that dance partner to really take us onto that nostalgia train.

Graham

Oh, and I suppose they're all on the TikToks and things as well, aren't they? So they might get what's called a thirst trap. Is that not what's happening?

Carole

It's older people. It's 65 to 74. They're the most trusting. Which group do you think were most likely to report falling for a romance scam?

Graham

Not the oldies, I'm guessing. Young people.

Carole

That was much closer to your original one. It's 55 to 64. It's more people over middle age that are falling for these. And in Canada, things are much, much worse. According to the Canadian Anti-Fraud Centre, romance scams cost 945 victims more than 50 million, an average of 53,000 per victim. We're way too trusting, Canadians.

Graham

It's extraordinary isn't it? That's a huge amount. I've actually received an email today from someone who says that their friend has been exchanging messages from Mark Ruffalo, you know the Hollywood actor Mark Ruffalo, who's the Hulk or something.

Leanne

He'll be on my list for sure.

Graham

And this person says she's never spoken to him, they've never seen pictures of each other, it's purely been text, and her friend is completely hook, line and sinkered and ready to give them a fortune, completely convinced. And she was saying what can I do about this? It's horrendous. And you can imagine people giving a huge amount of money because they think, oh, but it's going to be love.

Carole

Yeah, they often use fake photos, they often refuse to meet up, and common excuses may involve working away in the armed forces or international aid or charity work.

Graham

In Mark Ruffalo's case he's just got very angry and is now 14 foot tall and ripped with green muscles.

Carole

Yeah, and his muscles are so big, he can't actually reach the keyboard very well.

Graham

He hasn't got a reliable pair of trousers. He can't go out like that on a date. He's got plenty of excuses. The scary thing, though, is that scams can last a seriously long period of time. And that's what allows the fraudster to build trust with the victim. So in your case, right, this may have gone on for months and it might carry on until he asks for money. And usually the claims are family issues, medical bills, needing money to arrange to meet up because their money's all tied up. And what douchebag wouldn't help out a brand new potential partner, especially when you've been talking to them daily for months and want to meet? I hadn't heard it.

Carole

Oh, I thought we'd done it on the show before, pig butchering.

Graham

Oh, maybe I just... we will stop listening. Don't listen to that podcast. I'm just going... interesting. I'm sure it was one of your stories actually. Hang on, I'll have a quick search through the past episode...

Lianne

Oh no, don't say that! Don't say "oh no"! We figured out that she's the deepfake! So okay, so pig butchering so it means basically priming the victim in preparation for financial slaughter. So like fattening the pig. It's so disgusting. Very evocative. Yeah, but it's so gross because people are doing what people do, looking for someone to connect with, right?

Graham

Or they're generating them with, dare I mention the letters AI again, in which case they may not be anywhere else on the web already. And the scam is really occurring when people begin chatting though, isn't it? It's not necessarily even on the dating site. The dating site is the initial hook, but then they're chatting to you on WhatsApp or whatever it is. And you know, it may be months and months down the line before they say, "Oh, I've got this great investment in cryptocurrency. You should really do it too. Because I love you so much. Why don't you get some of your money and I'll do it for you. If you like, if you don't know how to just wire me this money." Bam.

Carole

Yeah. And one of the things as well, I was reading and I have a link in the show notes from a CBC article where someone was trying to catfish this woman and then eventually explained why he did what he did and how he did it. But one of the things he mentioned is, "I create a new profile on Instagram, I go out and try and lure in as many women as I can that fit the profile that I'm trying to get. And then I need to get them off Instagram as soon as possible. Because if someone finds out and reports that, the account gets taken down. And then I've lost contact with all the other people I've worked on." But it's kind of scary. So during this romantic time, keep your wits about you if you meet someone new. Don't not tell your friends and family. So at least in the case you were reporting earlier, Graham, they've told a friend and family, but they're not listening to the friend and family saying "take heed". No.

Graham

They're not listening to them, yeah, take heed. That's the hard part, isn't it, when they don't listen? Because the reason why they're so good at what they do is because they really make you believe that you are the one and they are the one, and it's really hard to kind of convince people otherwise. Because when they say, you know, you make first impressions, you know, within the first microseconds of meeting someone, it's really hard actually then to go back on that.

Carole

Yeah, I agree. And I think, you know, my best advice is literally rather than, you know, attack someone in Superdrug, wait for them outside. Right. A comfortable distance away and then say something romantic. Like when they walk out, say something like, "Hey, did you get what you came for?" And wink or something at work, right? So...

Lianne

You're going to mug me. It sounds like you're going to mug me. What's going on? I think you've been out of the game for a bit too long, Carole.

Graham

Yeah, she found her guy at the zoo. Could not gain access to your assets, it would effectively lock them out. Welcome to Kolide, a world where access is only given to approved, secure devices.

Graham

Of their costs for SOC 2, ISO 27001, HIPAA, GDPR, Custom Frameworks and more. And with Vanta's 200 plus integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com slash smashing to claim your discount. That's V-A-N-T-A dot com slash smashing. And thanks to Vanta for supporting the show.

And welcome back and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week! Pick of the Week is the part of the show where everyone chooses something. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security related necessarily. Better not be.

Well, my pick of the week this week is not security related. I am trying to stop my brain turning into mush. Started a bit late. Well, yes, possibly. But I realized I need to do more than just play chess badly. So I've also been playing a little bit of Sudoku, which I'm sure you guys have all played in your time. But, you know, I was doing a bit of Sudoku and I thought I'm not entirely happy with this app. So I went into the app store and I was looking at Sudoku apps and they've got bad user interfaces or they've got intrusive ads. They're really unforgiving because if my fat fingers happen to press the wrong button or the wrong square, it goes, "Oh no, you've made a mistake. If you make another mistake, you're going to forfeit the game." It's like, no, I know what I was trying to do. I just pressed the wrong button. Don't be so mean, I'm thinking.

Carole

Are you not worried about your stress levels and your heart, as opposed to your brain mushiness?

Lianne

A little bit. And also, you know, we were all worried when King Charles had really sausage fingers. Is everything okay?

Graham

I think I don't. Yeah. Oh, that's true. Yeah. I could go get checked out.

Lianne

Go check out my sausage. Be careful about going to Superdrug though, so it might come on to you.

Graham

Anyway, I thought there must be something which doesn't have a bad user interface, doesn't have intrusive adverts, can handle your sausage fingers. And I found it at sudokuexchange.com, which is a lovely, beautifully designed little website with lots of Sudoku exercises. It suits all of my requirements. I'm very happy using it. I'm not very good at Sudoku. I've got to get up to speed. My partner, much faster at it than me. But I like this little website, so that's what I'm using. So my pick of the week is sudokuexchange.com.

Lianne

Very good. You could have got the same from a Sudoku book as well.

Carole

Yeah, right. Books, schmooks. I have something for you, Graham. What you could do. This is what my parents-in-law do. Every morning when they wake up, they both have the same, two copies of a Sudoku book and they race each other. They go, "Okay, we're doing number 59. Go." And that's what they do before they leave.

Graham

Anyway, yes. Back to the drugstore. Lianne, what's your pick of the week? Moving on quickly.

Lianne

So my pick of the week this week is for people to get used to being a bit more comfortable with the unknown and to inject a bit of spontaneity into their lives. So, oh hello yeah, Carole, Graham, picture this: you're both on stage and the crowds look at you and the host of the event says, "Now how do these two people know each other?" So you and Graham, and the voices in the audience all call out but one's louder than the rest and they say, "Co-worker!" Great. So the host nods and then asks another question. "So where do they work?" And then you hear a choral sound and the sound is "In an abattoir!" they demand. And then the host then turns to you and says, "Right, you're both co-workers who work in an abattoir. Begin your scene in the style of a 1950s musical." How would you both feel about that situation?

Carole

I'm not super familiar with 1950s musicals, so I would feel out of my depth a bit on that. But I do love a bit of improv. That's exactly what it is. So for the past two years, I've been spending my time getting used to situations like that, not working in an abattoir, which is the most requested place of work in a scene. Absolutely gross! Not in real life, I think, only in improv situations. Just in improv. And I bet it helps a lot with podcast life too, right? Because during interviews and when you're chatting with people, you can just listen and then think at the same time. I think that's almost the skill. It's like you need to take in and also come up with something. Yeah, so the first few weeks you just get trained on two principles. So one is listening and then the other one is a principle called "yes and."

Lianne

It's like "yes and" principle is, yeah, when people come up to you in the business and say, "We want to do something," instead of just say, "No, we can't," "Yes, and maybe we can look at it from this security angle" would be a really useful thing to do. So that is my pick of the week. Learn improv if you can. And if you can, learn it at Laugh at Leeds.

Carole

Sounds like you are a perfect candidate for Sticky Pickles, just saying. You can pick on your feet. That's what you need.

Graham

I was told some years ago, I should go and do an improv course because it would help with my public speaking. So I did go on one. And at the end, they were going around to everyone and saying, you know, "You were really good at this, you were good at that." And they said, and you, they said, pointing to me, "You're really good at bullshitting." They said, "You're really good at just..."

Carole

Well, obviously not if they spotted it. You know, that's not how bullshit works. Touché. Carole, what's your pick of the week? As I warned you, I have a gruesome recommendation for my pick of the week. I wanted something extremely anti-Valentine's-y, right? To counterpoint my story that I mentioned earlier. So this is a TV series, not a new one. I think it came out first in 2017 called Mr. Mercedes. It's based on a famous trilogy by a horror god, Stephen King. Now, as a kid, I read a lot of Stephen King. I really like this book. Yeah, right. I just loved it. Anyway, so this book, Mr. Mercedes, is what King calls his first hard-boiled detective story. So you have this retired detective, Bill Hodges, played by Brendan Gleeson, who is haunted by his old unsolved case, Mr. Mercedes. And this is where a nutjob stole a Mercedes and drove it through a line of job seekers at a local jobs fair, killing 16 people.

Graham

Oh. Horrible, right?

Carole

Cheery, yes, like you said. Right, I know. I told you, not cheery. I warned you. And the guy driving the Mercedes who killed all those people was never caught. And we have a retired detective who is curious about tying loose ends up and starts asking questions, giving this Mr. Mercedes a brand new person to toy with. And the game goes pretty dark pretty quickly. I cannot underline enough how dark this is. And I could not watch scenes at all. I even had, my husband and I last night, we were watching the last episode, literally where I was humming. He was reading the text to himself. He wasn't telling me and I was humming and my eyes were shut and my fingers were in my ears because the scene was just too disturbing. But the best thing for me is the soundtrack. It's so good. So your detective has a moody blues soundtrack that's always playing some old country, really gorgeous stuff, curated so well. And your psychopath is more into the alternative indie rock with punkish overtones, stuff from the 90s. And both of them, great tunes. I loved it, loved it, loved it. So if you like that kind of music and you want something super dark and not romantic at all, my pick of the week: Mr. Mercedes, currently streaming on Disney now.

Graham

Is there an actual resolution to this if I'm going to invest into this series? Well is it okay?

Carole

I just found out doing research for this that actually the series I watched which I thought was a one-off is actually one of three.

Graham

But the first series is sort of encapsulated.

Carole

The first one ended well, yes.

Graham

Okay, okay, well, that's good then.

Carole

All right. So I have no idea where it goes from now, but yeah, there you go.

Graham

Okay. Well, thank you for that, Carole. Very cheery. And that just about wraps up the show for this week. Lianne, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?

Lianne

I'm on LinkedIn. I'm the one with the really humble headline banner. You can find me, Lianne Potter, and you can also listen to me every Thursday on my podcast Compromising Positions. We accept listeners from anyone outside of Denmark as well.

Graham

And you can follow us on Twitter at Smashin Security, no G. Twitter on the house have a G. And Smashin Security is also on Mastodon. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Spotify and Overcast.

Carole

And big fat thank yous to our episode sponsors, Kolide and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue, more than 357 episodes, check out smashingsecurity.com.

Graham

Until next time. Cheerio. Bye bye. Bye. Bye. Thank you, Lianne.

Lianne

No worries. Thank you, Lianne. How was it? Oh, I loved it. Thank you so much. I was so incredibly nervous to start with, but thank you.

Carole

Oh, you didn't sound nervous at all. So that's cool.

Lianne

That's the improv in it. There you go. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Lianne Potter – @Tech_Soapbox

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.