
The kingpin of the LockBit ransomware is named and sanctioned, a cybersecurity consultant is charged with a $1.5 million extortion, and a romance fraudster stole £80,000 from women he met on Tinder.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by “Ransomware Sommelier” Allan Liska.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
He sounds a bit cuckoo.
Well I think he might be. I don't know, I haven't got a doctor's note. I'm not medically qualified myself. I doubt the doctor's note said cuckoo off for a month. Smashing Security, episode 371, Unmasking LockBitSupp, Company Extortion, and a Tinder Fraudster, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 371. My name's Graham Cluley. And I'm Carole Theriault. And, Carole, we are joined this week by a special guest, someone who's been on the show before. It is the Ransomware Sommelier. It is Allan Liska. Hello, Allan.
Hey there. How are you doing today?
Fantastic. You have the best title, honestly. Ransomware Sommelier is the best. Thank you.
I hope your business cards say that. I don't have business cards anymore. I just, you know, people know me and I just say, look up Allan and Ransomware and I'll be the guy. You know, I'm almost Madonna at this point when it comes to Ransomware. You are Madonna. Very good. What about you, Allan?
Whoa, and I'm going to be telling the tale of Tinder scum. All this and much more coming up on this episode of Smashing Security. Now, chums, chums, we are all, I don't know if you feel comfortable describing yourself as this, but compared to the average person in the street, we are cyber security experts. fell for a scam about six months ago. Well, other than that, Carole, other than you screwing up on that occasion.
fantastic 100% cyber security are the saviors of humanity
We are we are I think I think I think the world should be grateful for us existing at all and when life throws us a curveball and sometimes life does do that we respond calmly and thoughtfully we pick ourselves up dust ourselves down and with good grace we move on we find something positive from a potentially negative experience, we don't hold any grudges.
Yes, that's exactly how I reacted when I got scammed. Yes, exactly. Yeah, that's what we do. So imagine, for instance, you were doing some consultancy work for a big publicly traded IT infrastructure services company, maybe looking for security holes and problems and vulnerabilities. A redundancy thing or you're fired? Well, yeah, it's a consultant. You know, you work for another company which has brought you into this company to do some work for them. My work's rarely subpar. I'd own up to it if it was. But, modest, modest. So you wouldn't have a tantrum. thing, right? Because they could just do the shading with the pencil and find out what I wrote before on the post-it note. It's a security thing. Oh, I see. You're
stealing just your pad of post-it notes. You're not going to the office supply cabinet and moving up the letter with all of the post-it notes. I think that's a bit of a different thing. No, I've never gone shopping inside the cabinet. Would you take a company chair, Carole?
No, I've never done that.
You haven't done anything that?
Why are you asking Allan?
I have a standing desk only, so I don't have a need for a chair. Okay. Would you threaten to publicly disclose the company's sensitive and confidential information unless you were paid $1.5 million? I do that for my current company now. Right, right. Live on air. So there is a chap. He's a 57-year-old cybersecurity expert. His name is Vincent Kennedy. And he's alleged to have done just that. Rather than updating his resume when he got the boot from this little contracting gig, he's said to have taken the concept of securing data a bit too far by copying it from his ex-employer's cloud drive to his own personal system and then threatened to share it with the world if his demands were met.
Can we just call him Vinny? Vinny Kennedy.
All right. So he has his contract terminated. And the company terminating his contract says, you know, your performance has been a bit poor, I'm afraid. Subpar. But you can have two weeks severance pay, which isn't phenomenally generous, to be honest, is it?
That's a US typical rate, though. Is it? Yeah, I think so. Yeah, that's about right. Two weeks. Really? If you're lucky. Seems a bit stingy to us Europeans, but we're often given all the luxury treatment over here. Hurtful, yes, that's a weird word. Well, as you'll discover, he's someone who can be quite, he's got quite sensitive emotions. He is emo. Yeah, but you don't have access to everything.
This is big stuff. I've been a consultant before. You do. You shouldn't, but you do have access to...
Okay. You see, I drink the Kool-Aid. I just think everything is beautiful out there.
So according to the company in question and the FBI who got involved in this, they say he didn't have permission to do that. When he started working for the company way back when, when the contract began, he had agreed when you leave employment, you have to return all the material and property, not disclose any information to third parties, standard sort of thing. And he's signed to that.
Yeah, of course you do, because you want a job, right? You just sign anything. Yes, of course you can have my firstborn child. Well, I read the Ts and Cs, as we all know. Right. Now, normally, when you leave a company, your colleagues might have a little whip around. I remember, you know, sometimes being involved in some of those or a leaving speech or something at companies I've worked in the past. You might have a nice card bought for you. You may even get taken out for lunch down the pub, you know, on your final day, just to say cheerio from your colleagues. Yeah, I think that's a very beautiful way of putting it. Bold choice.
Courageous decision, yes. Very brave. And so the company got in touch with them and they said, we've noticed that you seem to have shared a whole bunch of our files in our cloud storage directory with your personal, private cloud storage account. And this is the actual wording they sent to him. They said, as a result, as part of our normal procedure, we'd like to understand why this has happened. And we wanted to be sure you're going to protect and delete all the company data that has been shared. Please let us know when we can discuss this matter to better understand why this occurred and when you can delete all the data and confirm that it has been all deleted, which, you know, is quite polite of them really, isn't it?
Yeah, instead of like, listen, f*** up.
So what do you think Vinny's reply to that was? What his response was?
No. Sorry. Don't know what you're talking about.
You know, feigned ignorance. Well, not so much ignorance. He said that he was being discriminated against. He said, this is unfair. You're discriminating against me. And no, I cannot attend a meeting to discuss this. I can't talk to you due to my health for at least one month. Discriminated against? On what grounds, he doesn't say? He doesn't say. He just says that I'm being discriminated against.
The company doesn't like Vinny's. I think that's the problem.
Yeah. So two weeks pass. The company tries again. It emphasizes that there's some urgency now to arrange this meeting so that files could be confirmed to be deleted. And they also said, oh, could you send us a doctor's note for your mysterious health issue as well, which you're using as a fig leaf to protect you at the moment?
I wouldn't send my doctor's note over. Would you?
Well, if you're using it as an excuse why you can't confirm that you've done things which you said you would do for the company upon leaving the company, it's reasonable enough if he's using it. I think it's quite kind of them, actually, to say, hey, if you've got a doctor's note, then we'll be a little bit more sympathetic. I think it's reasonable enough, isn't it?
Well, they already are being sympathetic. The email you read sounded pretty gentle.
Well, it stops being quite so gentle. They then said, you've got to delete the files pronto, Vinny, and you're going to do it in a supervised setting. Someone is going to watch you do it and make sure that everything has been destroyed. Vinny, meanwhile, and he CC'd some journalists when he did this, he said, your legal threats are not sufficient to make me delete the files. You have to cough up some money. I'm going to keep these files, they're going to be used as part of my defense because you're now threatening legal action against me. And he also said to the journalists he had copied in, I've got a great business news story for you guys to share with your editors.
He sounds a bit cuckoo.
Well, I think maybe Vinny might be. I don't know, I haven't got a doctor's note for him. I'm not medically qualified myself. I doubt the doctor's note said cuckoo, off for a month. So months and months pass and the matter isn't settled. Kennedy asks for five years' worth of salary from the staffing company that placed him in the position. And he asked for another 10 years' worth of salary for the emotional distress from the IT infrastructure firm, which has sent him these emails, asking him to leave the email. So he's basically arguing he worked very hard for this company and they've hurt his feelings. He says, you've got one and a half million dollars to pay up and you have 14 days to pay it. Or else what? Or else he's going to share this with journalists. He's going to write his report. In fact, what he says is he says he has got, he reckons he could make between $300,000 and $400,000 on a book deal, revealing the vulnerabilities. And he also says he could get a job on CNN or ABC News.
I'd say, knock yourself out, dude. Go, go, go. Let's see what happens.
As a result of all the information he's going to expose. So he says, I've worked very hard for you. You shouldn't have colluded to fire me after all the hard work I did for you. And now you're lying. We paid you every two weeks. Now you're saying my work's substandard and I'm going to sue you all because of this. And then you'll see me on CNN. And the company is saying, look, we just want our representative there to see you delete the files. He says, well, I'll do it over a Zoom call, but only after you've paid me the one and a half million dollars.
This is kind of ransomware, but in a different, you know.
Exactly. I mean, it is ransomware. Yeah, but internal. And of course, no attempt to disguise who's behind this because this guy was, you know, was being paid. He actually ends up telling the company's legal counsel, because this just goes on and on and on. You can read all about it. I am a cybersecurity forensic expert. I've been working in IT for over 29 years. You could have said almost 30. If your client had proper off-boarding, then we would not be talking right now. In fact, I moaned at the management that their off-boarding policy was too lax for proper cybersecurity standards. So he's complaining. He says, I moaned that this could happen because they don't properly get rid of people inside this company and allow them access to drives. And so I've exploited that access in order to try and then extort the company.
Yeah. So would you call this gray hatting?
This is, I mean, this is straight up black hatting. This is, you know, I mean, you know, what you're doing is illegal. And yes, it sucks that you were let go, but come on. Yeah. Yeah. Well, you know, you didn't have the authorization to back up the data to your personal hard drive, especially not after being let go.
So this chap could face up to 20 years in prison. The case continues, but from the sound of things it's just bonkers isn't it? I mean, there's no attempt to hide his identity whatsoever, seems to feel that he's in the right, but he's dug himself deeper and deeper and deeper into a big hole.
His feelings are hurt, Graham.
Well yes, I've got hurt feelings, tears of a rapper. Allan, tell us what's going on in the world of ransomware this week.
So what's going on in the world this morning of ransomware is I'd like you all to meet Dmitry Yuryevich Khoroshev. You may not be familiar with that name but you're likely familiar with his other alias, LockBitSupp, the man behind LockBit. Yeah, that is the big news this morning that the NCA, in their ongoing diops campaign against LockBitSupp, has revealed his name, and along with that there's an indictment and sanctions and just a whole bunch of now security researchers combing through every forum post, every email address associated with him, trying to find every bit of history they can on this guy. So we have a name and we have a photo. And the NCA, in their usual fashion, picked the dorkiest photo possible of the guy.
I'm just looking at it right now. And yeah, the way he's posed. Big elbow.
For me, the AirPods being askew is driving me a little nuts. But this is the guy, I was on Twitter spaces earlier today, and somebody pointed out that this is the guy that claimed that he was on a yacht with all the women in the world. And no, no, you weren't, man. You were in your mom's basement. We know where you were.
So for anyone who doesn't know, obviously LockBit is a notorious ransomware gang, and they've been very outspoken in the past. They've had big victims, and they've had this leak site that was hijacked, effectively, by law enforcement, wasn't it, who've been trolling the LockBit gang now for a couple of months or something like that, I think. Yes, so February 20th is when law enforcement, 17 law enforcement agencies led by the NCA, that's the National Crime Agency in the UK, really led this operation. And I feel like they did it the most British way possible, just constantly poking at them, because they didn't just seize the site, they made a copy of it, and then where you would normally have the victims posted, they posted what the different law enforcement agencies were doing. So they seized crypto wallets, they had some initial indictments, but now they've added more indictments to it, and of course, revealed LockBitSupp's name.
I wonder if that's a recruitment campaign, you know, because it'd be much more fun for people that know all about this to work for the NCA if they can have a bit of fun while they do their jobs.
Potentially not as financially rewarded.
Potentially. Yeah, that's why fun's important, you know?
But that's interesting that you say that because if you look at the indictment that was released today, apparently something like 60% of Lockbit's affiliates never made any money. And so we've often compared ransomware as a service to multilevel marketing. But I've always made the caveat, except that everybody makes money. It turns out it's exactly like multilevel marketing, where most of the affiliates never made a dime. So yeah, Lockbit made a lot of money. And a couple of the early affiliates made a lot of money. But most of it turned out, at least according to what law enforcement was able to track with cryptocurrency transactions, didn't make a dime for many of their victims.
So LockBitSupp. He's the kingpin of LockBit, isn't he? We believe he's the Mr. Big.
Exactly right. So he is the one who started the ransomware as a service, but recently he's not an actual ransomware operator. He just administers the whole program and rents out his infrastructure to all of these people who give him money to sign up for his program.
Wow. So he's scamming the scammers as well.
I mean, he hasn't been scamming them. It's just if nobody pays you, nobody pays you. There's not a whole lot you can do about it.
Yeah, but pay your bills. Right. And he claims that he's been living the high life. He's been having a fantastic time. He's been sort of chortling away at the law enforcement's claims that they were on his trail. I'm not going to tell you what currency.
But this is going to curb his social life considerably because presumably he's not going to be able to fly internationally, is he? At least not to many countries.
That's correct. He's going to be very limited to where he can go.
Yeah. So where is he based? Do we know?
OSINT Twitter is at it already this morning, and they found several businesses registered with the email addresses that were listed by the DOJ in St. Petersburg, which has been where he's been rumored to be located in the past. So it makes sense. And we'll find out more as this continues to go. Somebody thinks they even found his LinkedIn profile, but we're not sure if it's the same person. A lot of Dimitris in Russia.
You're looking for those AirPods being askew. Right.
If I remember correctly, the NCA previously, they claimed that they knew all kinds of information about him, including what kind of car he drove or something, wasn't it? I think it was they were saying, oh, he's got a Mercedes car or something. And there's been a big bounty offered in the past, hasn't there, for information regarding the people behind Lockbit, a $15 million bounty. Do you think that someone may have claimed that bounty, may have provided information to law enforcement to help them unravel who's behind Lockbit?
Did not share whether or not a reward's been paid out. I've got ransom on the brain. Now, there is a $10 million reward for him specifically. So now they have, by name, he's got a $10 million reward. So now it's not just information about LockBit, it's specific information about him. And I like the fact that, you know, the FBI taking cues from the NCA here, they set up the Signal address to reach them to collect the reward as FBI sup. That's like LockBitSupp.
I can't believe the size of the reward, though. Like, surely a million would do. Like, $10 million. Is it like what Naomi, was that a model, Naomi? I don't get out of bed for less than 10,000 a day. Is that what we're talking about? It's now gone to 10 million?
Yeah. If you're a ransomware affiliate who hasn't been paid by LockBitSupp and were expecting to make millions, then maybe it'd be quite tempting if you had information which might point towards what their identity was.
I understand, but you'd be tempted by like 25 grand maybe, or maybe not, but maybe 500 grand. I don't know. It seems like a lot of change.
Think about it, right? These guys are serious criminals. If you upset them, if you poke them with too much of a long stick, they could potentially come after you. You need disappear money. You might want to think, oh, I really need to disappear for a while. If by any way it were to come out that you were the one who helped catch a big cyber criminal like this.
Yeah, you definitely would want get out of Russia money and probably not get out of Russia from the normal legal methods. So I don't know that you need the full 10 million to do that, but it would certainly make it easier.
Yeah, you can have caviar when you arrive, wherever you are going.
Yeah. Fantastic. Well, we will put some links in the show notes where people can read more about this. And also, we will point them towards those bounties as well. So if any listeners have any information and fancy contacting the FBI via FBI SOP, they can do that. Carole, what's your story for us this week?
Well, we're hitting online dating. So let me start with this. So according to a Country Living article from a few years ago, there are more and less trusted UK accents. So the commissioned research asked more than 2000 people to listen to 15 different regional UK accents to decide which one was the most trustworthy. Now, I thought we'd have a little game. You've got to go more trusted, less trusted, or average. And I'm going to help out by naming some stars from that place to help you, Allan, right? Because I know you're not from our corner of the world. So, Welsh. So, you've got singer Tom Jones. He's Welsh. Would you say that's a trusted accent or less trusted? Welsh, definitely trusted.
Yeah. I would have said less trusted, except now that Welcome to Wrexham has been a worldwide phenomenon. I wonder if it is more trusted.
It is quite trusted. It's in the top five at number four. It's a friendly accent. What about a Boltonian, people from Bolton, like comedian Peter Kay?
Where would you put that? Definitely trusted. The more north you go, the more we're likely to trust them.
Very interesting. He's number six. So he's in the middle category. What about Essex? So Dermot O'Leary, that won't help you very much, Allan, but Dermot O'Leary, you'll know him, Graham.
Yeah, Essex is like what I'd call like a page three girl voice.
I don't think I am agreeing with that at all. No, a lot of page three girls come from Essex. I think millions of people live in Essex and have the accent. I'm just trying to frame it in a context which Allan may recognise, if he knows the voices of page three girls. Well, it's in the medium, but the low end. It's number 10. You've got the hometown of Ozzy Osbourne, Birmingham, or what we call Brummie, over in these parts.
I don't know if I trust Ozzy Osbourne. I definitely don't trust Ozzy Osbourne. If he was my designated driver, or if I needed him to look after me.
I don't even know if I trust him on the same bus as me, much less the designated driver.
Well, that Brummie is the last one on the list, number 15. What about Glaswegian? You know, John Barrowman? People from Glasgow? Very trusted.
What about that? No. Not trusted at all. So Edinburgh is very trusted. It's at number three. Edinburgh, yes. Because it's a little more classy in terms of, you know, round vowels. I don't know. Scottish listeners, it was Carole who said that, not me.
I've always preferred the Glasgow accent over Edinburgh, but I think it's fewer steps in Glasgow. Like Edinburgh, every place you go, you have to walk up 100 steps to get there. It's the Glasgow kiss, which slightly worries me. That's what I wouldn't want that happening. Dame Judi Dench comes from there. We all trust her, isn't that right? You haven't mentioned my accent yet.
Do you know what yours would be? Only person with it. You know what you... I would think, obviously, Her Majesty is no longer with us, but I like to feel that I've picked up the reins.
Well, look, I think you probably fit in at number two. And it's in this Country Living article. It's called Received Pronunciation. So dialect common to Hertfordshire, London and Kent.
I think I'm a little bit more estuary, to be honest. I'm quite slovenly with my voice. I would love to be received pronunciation. So Yorkshire came on top. And this may be why 35-year-old Peter Gray, hailing from West Yorkshire, found himself to be rather successful on the dating app Tinder. And while chatting to the ladies, he, I suppose like anyone else trying to find love online, attempts to show his best attributes, right? So he pummeled his matches with his loving, caring, and generous side. I mean, listen to what one of his online dates, known as Jessica, had to say. She had just come out of a six-year relationship in 2018 and decided to hit Tinder to find her one true soulmate. And she met our West Yorkshire boy, Peter. And after a few dates, she said Peter was a good listener and that it was everything she needed at the time. And Hannah also landed dates with Peter, and she said he was calming and reassuring. Must have been the accent. Because it turns out that Peter was so much more than what these women appreciated. You see, Peter had a few tricks up his sleeve. On his third date with Jessica, he invited her to his house. And, you know, she goes in and maybe takes off her shoes and she puts her bag on the dining table and then goes chatting. And maybe she has to go to the loo at some point or she slips outside for a moment or whatever. But when she's out of the room, Peter decides to go through her bag, taking pictures of her driving license and bank cards. Someone from Yorkshire doing that? Yes, the calm, reassuring Peter Gray then used all this info to take out a £9,000 loan in her name. Hannah, the other girl who he dated a few years after Jessica, learned what Peter was really up to after she broke it off with him, because she received a letter saying her £20,000 loan application was accepted. Oh, boy.
And this is where that charming, trusting accent must come in, because Peter somehow convinced Hannah, after she discovered the successful loan application, to take him back a few months later. Oh, no. But there were still too many red flags and inconsistencies for her to stay with him too long. However, he realized she was pregnant with his baby. Oh. Whoa, I know. So another one of Gray's targets, she's known as Elizabeth. She matched with Gray on Tinder in 2020. And no surprise, he tried to pull off the same exact con. And she started twigging that it was not always sunshine, lollipops and rainbows when she had her mortgage revoked two days before she was scheduled to move to a new home. Why? Gray had taken out a £10,000 loan using just her driving license. And she told the BBC, quote, Red flags popped up. But I just kept thinking, stop being silly. You need to be going for a guy that treats you nice. So. With a good Yorkshire accent. Yes, if I could do it, I would. But there you are. So Gray was thankfully brought to justice after two of the women he scammed invoked the Domestic Violence Disclosure Scheme. This is also known as Clare's Law, which asks police to do background checks on partners. What? Hang on, what's that? So it's the Domestic Violence Disclosure Scheme, and it's known as Clare's Law. Hang on, I'm writing this down. This could be useful for me. Clare is C-L-A-R-E, right? Clare's Law. And this is where you can ask police to do background checks on potential partners that you're going to be dating or that you are dating.
And you can find out if they've been done for domestic violence.
Basically, you have the right to ask. And if the police checks show that your current or ex-partner has a record of violent or abusive behavior, or if they believe that you may be at risk, they may decide to proactively share that information with you. Okay. He ended up scamming 80 grand off the women he targeted on Tinder. He got nabbed and was sentenced to 56 months in prison this past February. Right. And given restraining orders in relation to the victims. Yeah. And this story is now hitting the headlines because these women have come forward speaking to the BBC to share their stories. The BBC also got a comment from Tinder. Now, Graham, we share a communications background back in the old days. So I'm looking forward to what you think of this particular statement Tinder spokesperson issued.
Okay, let's hear what Tinder has to say.
Tinder acts to prevent and warn users of potential scams or fraud by using AI tools to detect words and phrases and proactively intervene. Do you feel safe? No. Right? AI tools,
the key, mot du jour, right? Hang on, hang on. If he's from Yorkshire, what would he have been saying to these guys? He'd be like, hey, love, do you want to go down to the chippy? No, if he sounded like
that, I don't think anyone would have dated him, ever. What are they going to pick up? Anyway, a lot of his activity wasn't really happening on Tinder, was it? Right. So is it fair to blame Tinder for this? That was just the initial contact point. Yeah,
Right. I guess if you've had a relationship with someone who approached you on Tinder and something bad happened, maybe there should be a facility to warn the other people on Tinder. Yeah. Watch out for him. He's a wronger.
Yeah. But it's bigger than this, because few have summed up the core dilemma at the heart of, you know, all this stuff better than Margaret Atwood, because, you know, she says, quote, men are afraid that women will laugh at them. Women are afraid that men will kill them. So, you know, I think that's a very... What's worse? Yeah, what's worse, guys? But this might be a step in the right direction for Tinder. Late last month, Tinder announced a new Share My Date feature, which will enable users to share their date plans with friends and loved ones straight from the app. I'm not sure why from the app is better, but maybe it is because then everyone has the same log. This includes location of the date, time and a photo of the match.
Well, that's all good from the personal safety point of view, but it wouldn't have stopped these women falling foul of fraud, would it?
No. Other advice that might be worth considering that plays into these cases, you know, take yourself to and from dates. Always meet in a public place. It might be more difficult for them to take pictures of your license if you're sitting in a pub or in a cafe. Don't share any contact info until you feel safe. One of the victims started getting, you know, going, This is a bit weird when Mr. Gray sent her flowers to her address when he shouldn't have known it at that time. So, I mean, I would have been hmm. Oh. So don't share contact info until you feel safe. And report suspicious behavior to the dating app. If nothing else, even if they do nothing, you have a record that you did that. I would do it in writing so that you have a record. And, you know, if they ignore it, at least you can say, well, look, I tried to tell you. And if in the UK, report these scams to the Financial Conduct Authority and Citizens Advice. And most importantly, the most important thing of all, don't assume someone's a good guy because of their accent.
Right? Absolutely not. Absolutely not. It's a real problem, this.
Because I wouldn't watch my purse. I don't think I would be, you know, if I was on date three and the guy was all, you know, you're great. You're amazing. I'd be oh, finally, someone sees my true qualities.
I don't think they'd be saying that. I think they would, Graham. I think they would. I don't think they would. I don't think they would. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by Kiteworks, who enable organisations to effectively manage risk in every send, share, receive and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance and protection to customers, tracking, controlling and securing sensitive content as it moves within, into and out of organisations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit kiteworks.com to get started today. That's kiteworks.com, and thanks to them for supporting the show. If you are building a SaaS business, achieving compliance with ISO 27001, SOC 2, or other in-demand frameworks can unlock major growth for your company and establish customer trust. However, this process is often time intensive and costly. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing, but now as part of 1Password. So, if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today. That's K-O-L-I-D-E dot com slash smashing. And thanks to them for supporting the show.
I'm actually quite interested because I have the same problem as you. My phone flies out. I'm going around a roundabout, but I haven't put it in absolutely securely because sometimes you're in a rush. It flies out and either hits me in the face or hits the passenger side.
I promise you, Carole, this will work. It is the Omoton MagSafe car phone holder. It both has the magnetic thing because if you've got MagSafe, so you've got an iPhone, I happen to know, right? And I've got an iPhone as well. It's MagSafe compatible. And I think maybe some Android phones have that as well. I have no idea. Anyway, it works for an iPhone. And so you have the magnet holding. But what the Omoton MagSafe car phone holder also has is the most sucky sucker in the world. So not only does the magnet go on, but the sucker goes at the same time and completely secures your phone. So it is rock solid in place. Can you get your phone out again? Well, there's a knack to it. I'm dealing with one problem at a time here. No, you can. You can. It's a flick of the wrist. It can be done. It can be done. This is because you've been doing box fit now. That's why you're saying that. It's just like, yeah. Exactly. That's why I'm so fit now. But yes, it will secure it. And then you can get it off again. But the combination of sucker, suction pad and magnets, I have to say it works really very well indeed.
I'm looking at this right now. Yes. It's quite large.
No, it's not.
No? Do you have the one that sits on the top dashboard? Or do you have the one that sits in the vents?
I have the one which plugs into your air vent.
Okay, yeah. Okay, that's not so big. Yeah, the other one with the telescopic arm looks like a little takeover.
If you attach it to your windows, windscreen, or your dash – yeah, I can – no, mine goes on the vent. Now, there is a slight problem, which is that on my partner's car, when we use it, her vents – she's got – how can I put this delicately without insulting her? She does listen. She's got loose vents. Her vents flap around quite a bit, and so although it is very securely in place on the holder, the actual holder does move when the vent goes, because of the weight of the phone, so it does go sort of left and right a bit. Now that's probably a problem with her particular car and her vent, but I can recommend as my pick of the week the Omoton MagSafe car phone holder, and I'm not an affiliate. I'm not making any money out of this.
I like to say that we never made a penny out of any pick of the weeks we've ever had, just for the record. 371 episodes, unless Graham has been doing this on the sly.
Shh, shh, shh. Allan, what's your pick of the week?
So mine is, and I'm sorry, it is, in fact, security related. Oh, that's okay. You're allowed. You're a guest. Oh, he's allowed to do it. Yeah, he's a guest. Okay. Thank you. So I'm looking forward to Annalee Newitz's new book, Stories Are Weapons, which is coming out in the U.S. on June 4th. And it's a book all about PSYOPS campaigns. And I've been kind of researching this because of what NCA has been doing with Lockbit, because it kind of sparked a question for me, which is, can you carry out a PSYOP campaign if you're just doing it out in the open, like NCA has been doing with Lockbit, where it's basically the government saying, yeah, we're messing with you and we're trying to get in your head, lols. Does that count as psyops? And it turns out, yes, that's absolutely, the psy part is the important part of this, that it's psychological warfare. And I feel like this is what NCA has really been trying to do with this Lockbit takedown. And so because of this, I've been trying to learn more about it. And there's a lot of really good books, but I love Annalee Newitz. Their writing is very good. And so I'm really looking forward to this book, Stories Are Weapons.
Cool. Yeah, I'm just looking at it now. It says, a sharp and timely exploration of the dark art of manipulation through weaponized storytelling. Very interesting.
Yeah, and it is interesting, this new frontier that we're seeing in the fight against cyber criminals, where some of the law enforcement agencies do seem to be spending a lot of time sort of trolling the criminals, don't they? And messing with their heads to try and disrupt them. Kind of like it.
Well, I mean, if we can't arrest them, then that's the option that we have is to so disrupt them psychologically that they can't continue carrying out attacks. Yep, yep.
Hopefully a lot of the ransomware affiliates out there will be more nervous of doing business right now, having seen the success against groups like Lockbit. Yep. So, Carole, what's your pick of the week?
Well, mine is also a book. It is a book I'm recommending without exception. It's called All the Beauty in the World by first-time author Patrick Bringley. So, Bringley spent 10 years working at the Met, the Metropolitan Museum of Art in New York. It's a massive museum with a glut of gorgeous art. And you might think, oh, he must be a curator or an art historian, but he's not. He worked there as a guard for a decade. And he became a guard after his brother passed away at the tender age of just 26. And he decided that he wanted to be surrounded by beauty. And he thought, what is the most beautiful place I can think of? And it was the Met in New York City. And in the book, it's kind of like an essay. He recounts his interactions with other guards, the public, and of course, his take and his feelings in relation to specific artworks that he's protecting. So he moves from room to room throughout the book over 10 years. He looks after Picassos at some point. He looks after Impressionists. And then he talks about those works. So there's a bit of learning in there, too. But it's deeply, deeply moving. It's very unpretentious, and you can also learn some stuff. And if you're like me and you prefer to listen to your books, you have a treat, because it is read by the author and his voice reveals more about the man behind the book. And I'm not alone in loving this book. It was named 2023's Sunday Times Art Book of the Year, Financial Times Best Book of 2023. It is, in a word, as beautiful as the works he surrounds himself with. So my pick of the week is All the Beauty in the World by Patrick Bringley. It's published by Vintage, and it's worth every penny. But actually, hey, if you're short on them, just hit up the library.
Fantastic. Carole, does he touch upon the Met Gala thing at all? You know where all these celebrities get together and they, because that's been in the news this week, hasn't it? Did you see the photos of all those celebrities? Yes, I did.
I did see some of the dresses. There's a lot of nudes. There's a lot of, yeah, it was a bit insane. A bit insane. I just love what I thought when I saw them, because I saw about five pictures, right? Of these women dressed fairly, not dressed, dressed. I don't know how you say it. And they must have all been pissed off at each other. Like, fuck, that was my idea. What are you doing? It was my idea to be nude. God.
I felt sorry for Taika Waititi, who is the boyfriend of Rita Ora. Because... Oh, he must have loved that job. He's a very cool guy. He's made some great movies. Darling, are you sure you want to wear that dress? Are you sure that's the best dress for this show? Well, she wasn't really wearing a dress at all, as far as I could see. But anyway, he was sort of following after her, trying to pick up the breadcrumbs or whatever she was leaving behind her. But anyway. Yeah, a little bit awkward. Well, that just about wraps up the show for this week. Allan, thank you so much for joining us. I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
You can follow me on Twitter at uuallan, and that's probably the best way to get in touch with me. Terrific. And you can follow us on Twitter at Smash Security. No G, Twitter doesn't allow us to have a G.
And of course, thank you to our episode sponsors, Vanta, Kiteworks and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 370 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye. Bye. Thanks, Allan. Cheers, Allan. Thank you.
This is pretty early for you if you're in San Fran?
It's 8 a.m., so it's not too bad. Yeah, it's all right.
You poor child. Well, look, enjoy the rest of the day. I hope there are plenty more revelations to come about LockBit.
I'm sure there are, and hopefully we'll be back and we'll talk about them together again.
Brilliant. We'd love to do that.
Thank you again so much. Cheers, mate. Bye. Bye. Bye-bye.
Hosts:
Graham Cluley
Carole Theriault
Guest:
Allan Liska – @uuallan
Episode links:
- Former Cybersecurity Consultant Arrested For $1.5 Million Extortion Scheme Against IT Company – US Department of Justice.
- United States vs Vincent Cannady (PDF) – US Department of Justice.
- LockBit leader unmasked and sanctioned – NCA.
- Romance fraudster defrauded women of £80,000 – BBC News.
- 15 of the Most Trustworthy Accents in the UK Revealed – Country Living.
- Omoton phone car mount – Omoton.
- Stories are weapons by Annalee Newitz – WW Norton.
- All the Beauty in the World: A Museum Guard’s Adventures in Life, Loss and Art by Patrick Bringley – Penguin.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Allan to Carole: "You were in your mom's basement, we know where you were."
Really? This was very insulting. Why didn't you tell him anything?