
In our latest episode we discuss how a woman hid under the bed after scammers told her she was under “digital arrest”, how hackers are hijacking YouTube channels through malicious sponsorship deals, and how one phone company is turning the tables on fraudsters through deepfake AI.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I get the whiff of horse shit through all this phone call. When you're dealing... Oh, you're so bold now, aren't you? You're so bold. When there was an American policeman in New Hampshire, Carole, while we were driving through it, and he was telling you to stop and pull over, you weren't so bold then, were you? No, you pulled over then, didn't you?
There was a gun on his hip, that's why.
Smashing Security, episode 394, Digital Arrest Scams and Streamjacking, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 394. My name's Graham Cluley. And I'm Carole Theriault. And, Carole, we're joined today by a very special guest. Very VIP. Yes, delighted to welcome back Maria Varmazis. Hello, Maria. Hi.
Thanks for having me back. She had a voice change. And you squealed with delight. Welcome back, Maria. Thank you.
Maria, obviously in your day job, you're working on N2K Space Daily, T0. What on earth is it called? Something on it. There's so many names.
T-minus Space Daily. That's the show I host. That's it. That's the one.
And she's on Hacking Humans a lot.
I'm also on Hacking Humans, yes. Yes. Yes.
How about we kick the show off? But first, let's thank this week's wonderful sponsors, 1Password, Vanta and ThreatLocker. Now, coming up on today's show, Graham, what do you got?
I've got a digital arrest drama worthy of a Bollywood movie. And what about you, Maria? Bitz gets streamjacked.
And I've got Granny Daisy to the rescue. All this and much more coming up on this episode of Smashing Security.
Now, chums, I want to take you over to India today, where an extraordinary story is unfolding about how scammers have weaponized people's fear of law enforcement. Are you scared of police at all? You know, if Roscoe P. Coltrane, you live in the States. I do. Maria? If someone were to stop you, pull you over to one side?
I've had some experiences with law enforcement. I mean, their job is to intimidate. Yeah, I don't enjoy it. I don't, but I don't think I'm supposed to.
Graham, we had a, I don't know, friendly chat with a highway cop once when I was driving.
We were driving through New Hampshire, weren't we? A little bit quickly. And the police over in the States have guns, and he was standing in the middle of the freeway telling us to stop, wasn't he? Anyway, so picture this, right? We're in India. You are a respected neurologist in Lucknow, India. You are Dr. Rachika Tandon, an associate professor. You're at the top of your game. You are, aren't you? Life's going well. You recently came back from a conference in Goa. Neurology, that is your bag. You are an expert in it. You are competent. You are professional. That's how I'm picturing you both. That's a respected neurologist. I'm all right with that. And then your phone rings. I guess I didn't have to do the sound effect. But anyway, the phone rings and you pick up the phone. And it's the telecoms regulator on the phone to you. They're saying, apparently your number has been used to send harassing messages. Harassing? Yes. Messages of harassment have been sent from your phone number 22 times. There have been complaints. 22 times? That's a lot of complaints. That's more than we had about last week's episode, isn't it? That's a lot of complaints. Moments later, a senior policeman joins the call. I don't know if he wrestles the phone off the telecoms operator. He accuses Dr. Rachika of using a joint bank account with her mother to launder money for the trafficking of women and children.
As a respected neurologist, if this is true, this has got to be quite a difficult situation to be in.
It is a bit of a sticky pickle, isn't it? It is. I mean, Maria, have you ever been accused of laundering money for the trafficking of women and children? Not yet, but there's still time. And it would make you nervous, wouldn't it? If you had been, if you were pulled over by a cop, let's imagine on the telephone rather than on the freeway. Pulled over by the cop on the phone. And while this conversation is going on and you're feeling a bit nervous, what's all this about? You hear this chorus of voices shouting in the background, arrest her, arrest her, arrest her, arrest her. I would think it's a prank call. Well, she's feeling upset. She thinks it can't be true.
Right. I'd be that, too. And this policeman on the other side says, well, the police are going to come in five minutes to arrest you. All of our police stations have been alerted to you. Don't go on the run. She says, it can't be true. And he says, don't worry, don't worry, he says. Because I am calling from India's federal detective agency, the CBI, the Central Bureau of Investigation. And he says, this is a matter of national secrecy, he says. And because of the high stakes involved, I will try and talk to my colleagues and I will persuade them not to put you in physical custody, says this policeman.
Okay. Can I go to the bathroom? Oh, oh. Well, there are rules, Carole. There are rules, which I shared with you. And some of the rules include you have to place the phone everywhere you go in the house, while you're cooking, while you're sleeping, even when you go to the loo. But this all hinges on her complying with what they're saying, and they're not there in person. So they're just assuming that she's one of those rule follower types. But if you're not a rule follower, this just falls apart.
No, but frankly... I get the whiff of horse shit through all this phone call. When you're dealing... Oh, you're so bold now, aren't you? You're so bold. But when there was an American policeman in New Hampshire, Carole, while we were driving through it, and he was telling you to stop and pull over, you weren't so bold then, were you? No, you pulled over then, didn't you? There was a gun on his hip. That's why. Oh, was it really a gun or was it a water pistol? Was he really a policeman or was he wearing fancy dress? We don't know. It could have been anything. I think he doth protest too much, and I'm right. Yeah. Now, the problem was that Dr. Rachika has got a rubbish phone. It doesn't have a camera on it. It's an old-fashioned phone. So she's told by the policeman, right, he says, what you're going to do is you're going to drive down to the store and buy a smartphone right now. And this respected neurologist does exactly that. She goes down to the store, she buys herself a smartphone, and she begins obeying the rules. This new smartphone with its camera on is watching her every move. She lies to her workplace. She says, I'm too ill to come into the hospital where I work. She told her relatives she was too sick to see them. When her uncle popped around to her house, she hid under the bed with her phone camera running all the time. So she wasn't answering the door. She didn't want him to see her through the windows. Hid under the bed. Jesus. She even wakes up her medical students at night asking them to go out and buy extra data for her phone to keep the digital arrest going. This goes on with this long list of rules for seven days. Oh, my God. Oh, this poor woman. Oh, my God. All the time she's been questioned about her life and work. And they've reassured her that they're legitimate because they know all about her. They know where she's been. They know she's been at this conference. They know stuff that they found on social media. 
And the scammers, and yes, newsflash, and I know this will be a shock to you, they were scammers. What? Never! They even faked a trial done via Skype. There was a fake court online where she was ordered to dress in white to show respect to the judge, because judges are real sticklers for dress codes.
They committed to the bit. Okay, yeah. And the court is saying, well, look, we need to make sure we've got the right person here. You have to verify your identity. So could you transfer your savings temporarily? It's only just for government verification. She lived a nightmare, this poor woman.
Well, this is the thing. Even if she had the wish of wanting to call the cops, she was kind of terrorized in her own home because she mentally fell into their trap.
Well, she thought she was talking to the cops. So why would you call the cops on the cops?
There must have been something where you're going, I can't believe cops do this. Yeah, but genuinely, who would you call? Yeah. And this was it. Because after this happened and she thought, this is a bit strange, I don't seem to be in digital custody anymore. They don't seem to be carrying on with the trial. Where's my money? Where's my money? There was no laughter in this one at all.
That's a lie. That was hysteria. That was a mixture of upset. The emotions were bubbling out of me. So the problem is so big last month Prime Minister Modi of India warned about it during his monthly radio address. But the scammers behind this, they are believed to run call centers in Cambodia, Myanmar, Laos, and possibly the individuals who are working in these call centers are actually working against their will. We've talked before about these pig butchering scams and other scams where the people working in the call center have had their passports taken away from them and they're effectively slaves. It's horrendous, but lots of people are falling for this. Another guy who fell for this was actually a guy who was writing the autobiography of the Prime Minister. And again, he was duped. And he says, well, they knew all about me. They found out information about them. They appear to be genuine police. Sometimes they actually have video calls with you and they're dressed up as policemen wearing their little uniforms.
High school theater club stuff. Their dreams. We can't make it on Broadway, so we're going to make it in scams. We're going to do it our way, damn it.
It's astonishing, isn't it? So the Indian cops have arrested some people in connection to these digital arrest frauds, but it seems there's quite a lot of it going on. So I think they've probably only grabbed some of the people. The Indian Prime Minister, he's given some advice. Three steps to digital security, he says. Stop, he says. Don't panic. Don't give away your personal information. Think, he says. Does it really sound like something a government agency would do? Would they threaten you on the phone? If it smells fishy, it probably is, which is good advice, unless you have actually bought some fish. Is that what he said? I don't know if that's verbatim.
Well, okay.
Sorry. No, I'm not quoting. I thought you were quoting. He said, stop, think, and take action. Call the National Cyber Helpline. He said, report the crime, inform your family all about this. And maybe we've done our little bit, because we've got a lot of listeners in India. Maybe we've done our bit to raise awareness of this as well. Yes, and I'm actually talking about phone scams as well. So, double-dose this week. Interesting. So, do you think this could happen to you? Well, of course. Of course this could happen to us. And it would just be a way that would, you know, I look at this one and go, oh, I wouldn't fall for that. But of course, there's a billion things I would fall for. Maria, what's your story for us this week?
So are either of you familiar with Bitz?
Bits, as in an eighth of a byte.
Oh, that kind of bits. What if I told you that Bitz was a person? Bitz the person. The person Bitz.
Is it with a Z? With a Z, yes. Oh, my God. How did I know? I just, in which case, I definitely wouldn't know about them. I would have avoided them because that's a stupid way to spell bits. Who is Bitz with a Z?
Bitz with a Z, as I would say, as a yank. Bitz is a YouTuber with at least 63,000 subscribers and he's one of those gaming YouTubers where he streams himself for hours as he plays video games, which is a thing.
Okay.
So a lot of folks, it's a career. It's a career. It's perfectly, I'm in the wrong line of work because I love video games and I'm just like could I make money just playing Civilization all day with people watching me as I swear at Gandhi. I mean, it could happen. Maybe I'm doing, maybe. But you like talking, Maria. And I do. I do like the gap. I'm just rethinking my career right now as I'm speaking to you. Wait a second. Maybe I should do this. Yeah. So Bitz is a YouTube gaming streamer. And he's got a lot of followers. He's worked really hard over many, many years to build up his account. It is a career. People make money doing this somehow. His stream is very cozy. He's sitting in his gamer chair. There's a lot of obligatory LED lights behind him making it look very much like a gaming cave. But then there's a fireplace in the background. Very cozy. Like a gaming lodge.
I can imagine kids watching that would just be like, one day that's gonna be me. One day. And me as a not a kid going one day that's gonna be me. Like and subscribe everybody.
Oh, I've just clicked through to his channel. He has an enormous fire running in the background, doesn't he? Is that for real?
You know, I've actually been wondering, is that a gas fireplace, what the deal is? Because it looks quite nice.
Is he aware there's so much fire in his living? I mean, that looks dangerous. I'd want to warn him. There's a lot of creosote in your room, sir. That can't be good for your gaming setup. Yeah, it's going to be to promote something or advertise to all those 63,000 people who follow him.
Yes. What, what, what pray tell could somebody with bad intentions be wanting to redirect people to do or purchase or any, any, any currency scam? Yes, you did it.
I was going to say swilling, isn't there the new fad on TikTok, swilling oil in order to, you know, cure all. Yeah. You swill oil in your mouth for like a minute or two. Like diesel? Like, like, like mouthwash. Like, and then, yeah, anyway, whatever. Okay. Okay, right. Crypto. It's crypto. It's eventually, it's a crypto scam. It's a very, very long way of getting to a crypto scam.
His fireplace would have logged out. His fireplace logged out, as one's fireplace often does. Hashtag dad jokes. Yes. It's his livelihood. Because this is his whole life, his whole existence. It is. This is a YouTube channel. It is. Yep. And his whole identity of his YouTube channel also changed pretty much immediately. The channel's name, the banner up at the top of the channel, even the email address and his password all pretty much instantly changed, and started live streaming crypto-related videos. Oh, a snot curl? Oh,
Sorry. I thought you said colorful. Oh. It's not? Yeah, I would presume that it is. I will say that the happy ending to the story is it took only 12 hours for him to get through to YouTube support and recover his account. And the reason I say it's happy is in many cases, streamers who have been stream jacked as Mr. Bits did, they never get their accounts back. Many people have said their account just basically is nuked. And these are people who get hundreds of thousands of subscribers and they can never get that back after years and years of work. So it's just gone in an instant, which, you know, so terrible. So 12 hour recovery is pretty great. And yeah, he uploaded this video to let his followers know if you ended up clicking any of that stuff, you need to check out your stuff right away because you probably have malware. So how did this all happen and how did this stream jacking occur? Because this is the thing that I also found super interesting. He had received through his email an NDA through DocuSign for a sponsorship deal and it all looks totally legit. It was a real legitimate DocuSign document. The organization was all legit. It all passed the initial sniff test, however it wasn't he was he was he was misled by someone with bad intentions. And signing that NDA caused him to download a malicious file to his machine that then essentially cloned his browser and its sessions. That allowed the attacker to get access to all of his sessions across his browser, everything he was logged into. Because what he had noted on his— Oh my god. Right. What he had noted on his video was that he smartly has a separate email account for every single one of his social media things. So YouTube has its own email. Twitter has its own email. Twitch has its own email. So if one of those gets compromised, he doesn't lose the whole lot. So he thought, I'm good. I've not heard of that before. It's clever. Yeah. It is. Now that I know about that. 
Except in this case, they were able to completely bypass that. Apparently, he had two-factor authentication on.
Well, it sounds like maybe they'd grabbed the session cookies from his browser. Yeah. So they're sort of able to replicate. As he was logged into all of those accounts, maybe they were to replicate being logged into the accounts themselves.
Sounds like it. So they just snurfed it all up, and they were able to just log into all his things that he was logged into. So given all that, it's quite amazing that he was actually able to recover anything at all, because to me, that's just, the keys to the kingdom are gone. But I guess he was able to outrun some of the attackers to somewhat change some of those passwords before they could get to it. But in any case, he was able to recover his account. But yeah, this whole thing just revealed to me, I didn't know stream jacking was a thing. I had no idea. But yeah, in the end, it was all a crypto scam. But my goodness. In the meantime, people who have large YouTube followings or followings on any social media, just beware of unexpected NDAs and deals coming into your inbox. The fact that it even went around his two-factor authentication, I suppose it would give you a false sense of security. But if it's hijacked your browser sessions, then, yeah, that's, wow.
And a lot of these cryptocurrency scams, which I've seen lately, have used the face or the name of Elon Musk as well, haven't they? They sure have. It's strange how they've sort of embraced him and used him. Isn't he the doggy coin guy? Doge. Well he's, well yeah I mean, I mean the thing is, I mean he's taking on this new position isn't he? He's going to be very very busy. I don't think he's got time just to hand out cryptocurrency.
You laughed at me on air when I said that was happening. You said he's not gonna take that role, are you insane or something along those lines.
Oh and the question is how long will he last? Yes.
How long will he be in it? Yeah, no, I do the same. I do the same. You Clu? Yeah, yeah, straight to voicemail. Really? If you don't recognize it? Even if it could be a journalist you don't recognize?
Nah, these days, I just think, who the hell are you calling me? I look at the area code as well. Oh, well. That might be an indicator. Who calls?
I call people. I'm old school. I don't email. I don't do anything else. I guess I can't ask you guys how many scammy or nuisance calls you get because you have no idea because you don't take them.
No I get a lot. That's part of the reason I get so many every day, daily, daily probably about five or six and that's after subscribing to one of the services that's supposed to help filter them out so I probably get even more than that but yeah.
And you think in these crazy days of, you know, advanced tech, the powers that be would have figured out a way to address the spam call epidemic because it seems it is an epidemic and it's getting bigger and bigger all the time. So I'll sprinkle a few numbers so you can get an idea of how big of a thing it is. But in the U.S., TrueCaller states Americans have received 2.9 billion calls every month. That's their average, 2.9 billion. And more than a third of calls from non-contacts in the US are unwanted or spam calls, nuisance calls. The FTC shows that consumers reported losing more than 10 billion to fraud in 2023, the highest ever recorded. And calls are a big part of that.
And in some US states, you probably get those robo calls, don't you, from politicians or political groups. Oh, yeah. To vote one particular way. I imagine they don't care about some states, but in key battleground states, they would have done that. Yes. That must be really irritating. Yep.
And the UK, it's not much better. The UK reported it has the highest fraud call rate in Europe. 27% of calls being fraudulent are classified as nuisance. Wow. But the recorded losses seem to be much less, even if you take into account population ratio. So UK Finance figures for last year recorded losses of 136 million. But another report said 70% of people who have faced this scam situation have never reported it. Yeah so 70%.
I probably wouldn't report it. Yeah same here. Yeah I'll be honest.
And especially if you spotted it and nothing happened. Let's say you know it was obviously a scam and you hung up. Yeah you probably wouldn't call right? Because it's a pain in the ass to call or you imagine it's going to be a long process, complicated. I don't have time, I gotta go make dinner.
I think, I think in some cases you can forward the number, can't you, to addresses and things. But yeah, I feel bad about it, but I probably wouldn't.
And worldwide, it's not much rosier. USA Today just reported that in the last 12 months, we've hit a new high, a global loss to scam calls of $1 trillion. So in short, scam calls are annoying. They waste time. They can dupe you into parting with your hard-earned cash. Banks don't like it. Telecom companies don't like it. Nobody likes it, except for the scammers that win. So what can you do? What can you do about all this? Well, this year, the UK seems to have made a concerted effort into educating the public about scams and how to avoid them. Graham, you may have seen the national campaign, which is similar to the one that you mentioned earlier in India, Stop Think Fraud, which launched earlier this year. You may have seen that around London or in buses, public transport, that sort of thing. And the Home Office is working with stakeholders across a variety of industries. You've got banks like Barclays and telecom companies like BT and O2 and the Royal Mail and TikTok. So loads of people are involved in this. And they even held their first fraud summit in London this year. And then there was the big arrest. Last August, the National Crime Agency reported that they shut down the platform Russian comms, which was used by hundreds of criminals to defraud victims across the world through scam calls. They estimate 170,000 people across the UK were believed to be victims. And financial losses in the tens of millions. And this platform allowed criminals to basically hide their identity by appearing to come from pre-selected numbers, most commonly financial institutions or telecom companies or law enforcement agencies, very similar to what you were saying earlier, Graham.
Yeah, this is where it really can be convincing, is it looks like it is a phone call coming from your telephone operator, for instance, or coming from your bank or a text message, which may appear to come from them as well. So, yeah, that's a real nuisance, isn't it?
And I mean, according to the adverts shared across social media for Russian comms, the service included unlimited minutes, hold music, encrypted phone calls, instant handset wipe, and 24-7 support.
Hang on, whoa, whoa, whoa. What's this instant handset wipe? Is that because people are worried about getting infected by a dirty telephone, by the Golga Frincham?
I imagine it means wiping the number or whatever you're pretending to be from the handset, I imagine. There's a lot of efforts going on. There's a smattering of work going on that I've certainly noticed when I'm out and about in London. But there's a new effort in the UK that has launched this week from telecoms company O2. Meet Daisy the AI granny and head of O2's scammer relations. So she's been designed to answer phones and keep the fraudsters on the line. The idea being to waste their time and keep them away from you. Because if they're on the phone with them, they may not be on the phone with you. So O2 tout that Daisy is so lifelike that she has successfully kept numerous fraudsters on calls for 40 minutes at a time. So that could be three. Numerous, I don't know. Where does numerous? What's numerous?
Numerous means a number, I think. I think that is the strict definition of numerous. I'd imagine more than one. Ideally, it'd be more than one, yes.
I'd like to think so. So let's see what we think.
Hello, scammers. I'm your worst nightmare. I'm an AI created by O2 to waste phone scammers' time. I think your profession is bothering people, right? I'm just trying to have a little chat.
It's nearly been an hour, for the love of...
Gosh, how time flies. Because while they're busy talking to me, they can't be scamming you. And let's face it, dear, I've got all the time in the world.
So what do you guys think Maria?
Yeah if I didn't know I should be suspicious about it, that might fool me.
I could see that from my days of doing tech support of elderly relatives that sounds very convincing actually, sort of phone call I could imagine myself being on.
I mean she is winding up something fierce as well right? Just having circular conversation and I do like it. Because it is a bit funny. It educates. And it's compelling. They have a great ad, which I'll put in the show notes if you want to see it in action. And we all like seeing someone get wound up when they've been doing something shitty, attempting to scam a granny, right?
Well, the great thing is that this is using up a scammer's time, isn't it? Which they could have been spending attacking someone else and scamming someone else out of their money. So it could have been a real granny they were talking to rather than Daisy.
Yeah, exactly. And apparently they did a survey and 70% of folks said they wish they could get their own back against scammers that have duped them or a loved one, but maybe they didn't necessarily have the time to go do the scam baiting thing and didn't have the technical expertise. So rather than trying to scam-bait a scammer, which I do not recommend, leave that to the people that know what they're doing, what you can do is if you think you've got a scam, do report the scam. So in the UK, you would do this to Action Fraud. The number is 7726. That's what you text. And I very much support this. And O2 say, and I love this, they say, by reporting dodgy calls and messages, telecoms companies are able to investigate and block the mobile numbers used by fraudsters. And they can also use scam text to help refine these blocking services to make it easier to identify and stop new trends faster in future. They boast that they blocked 89 million texts last year alone, thanks in part to Action Fraud 7726 and people like us reporting it.
Very good. Well done, Daisy.
I know. Yeah, well, why don't we let Daisy have the last word here.
It's showing me a picture of my cat, Fluffy. It's showing you the picture of your cat, Fluffy. Stop calling me dear, you stupid... Got it, dear.
Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Imagine taking a proactive deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance. Onboarding and operation is fully supported by their U.S.-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/ThreatLocker. That's smashingsecurity.com/ThreatLocker. And thank you to ThreatLocker for sponsoring the show.
By automating questionnaires and demonstrating your security posture with a customer-facing trust centre, all powered by Vanta AI. Over 7,000 global companies like Atlassian, FlowHealth and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called extended access management. 1Password extended access management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.
And welcome back, and you join us at our favorite part of the show, the podcast show that we like to call Pick of the Week. Pick of the week. Pick of the week. Pick of the week is the part of the show where everyone chooses to send their note. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security related necessarily. My pick of the week this week is not security related. My pick of the week this week is social media related. For all I know, you're a huge fan of social media. You can't stop yourself.
Are you talking about Blue Sky like every other person on the planet?
So my pick of the week this week is Blue Sky. There it is. So it kind of escaped your notice, gentle listener, that there's a new... Well, it's not that new. It's been around for a few years. I had an account on it for a while as well, but I haven't been very active on it until the last couple of weeks, because I've decided to close my Twitter account.
Huzzah! Me too. Ah, excellent. Yeah, mine's gone. I deleted it.
Yep. Maria, I know you're on Mastodon. I'm on Mastodon as well.
Yes. I've never really embraced Mastodon entirely. I've not completely got into it. I'm enjoying Blue Sky, though.
Have people been leaving X have there been any in droves?
Yes. The Guardian newspaper left X as they like to call it. The Clifton Suspension Bridge in Bristol they...
I've been waiting for that one. I believe that Shatner and Mr. Sulu and various other members of Star Trek, LeVar Burton, Geordi LaForge, have made the jump to Blue Sky as well. So people are leaving. And Mark Hamill. Yes, Mark Hamill. Yes, he is. He's there. Mark Hamill left. Yes, he's there. He's a superstar.
I just have real friends, you know.
Well, all right. I was just going to say we need to get Sticky Pickles on Blue Sky, but maybe not. I don't know.
Well, no, you can do that. Okay.
I'm still on Mastodon too, though. I just want to say I them both. Yes. They're just very different. Yeah, yeah.
I Mastodon too. It's just at the moment Blue Sky is a little bit more engaging for me. Yes. Maria, what's your pick of the week this week? So it's been a little while since I've been on the show, and I've been watching a lot of TV. The two of you know I'm pretty sure that I recently moved houses, so I haven't been able to get out in the world and do things. My only entertainment has basically been just TV when, you know, I'm exhausted from a long day of unpacking or throwing boxes out. Right. How do you spell Dan Da Dan?
Dan Da Dan, Dan Da Da Dan Da Da Dan. Oh okay. Okay yep cool. It's a lot of fun.
All right, check it out. Carole, what's your pick of the week?
So my pick of the week is a book called Butter by Asako Yuzuki. It was published in Japan in 2018 and this year was made available in English and it's a novel, it's a fiction book. And the central character is Manako and she's this curvaceous femme fatale and foodie and lover of butter and she's in detention and awaiting trial for having killed three men. Oh, okay.
A bit of a turn.
And they seem to have died from things like heart attacks and maybe natural causes, but she was always involved.
Uh-oh. Eating too much butter. High cholesterol.
And then we've got this journalist named Rika, and she wants this woman's story, right? She wants to do the true reveal, you know, the piece about this foodie killer. But the problem is the foodie killer doesn't want to talk to the press until the journalist writes her with a request for a beef stew, right? So that's how it all kicks off. And it's a thrilling search for what happens to actually these men, but also there's a lot about food. So if you like food and reading about food, this is a great fun book to read. It touches upon Japanese society as well and demanding beauty standards that Japanese women are expected to maintain and fat phobia and all kinds of things. Plus, Butter is based on a real-life case of the Konkatsu killer, which was a con woman and talented home cook called Kijima. And she was convicted of poisoning three of her male lovers. Blimey. So it's a fat book of 500 pages. It's great. The holidays are coming around the corner. Get it for your foodie friends who like to read. So Butter by Asako Yuzuki, my pick of the week.
Wow. Excellent. Well, that just about wraps up the show for this week. Maria, thank you for joining us. I'm sure lots of our listeners love to find out what you're up to and follow you online. What's the best way to do that?
You can find me on T-minus Space Daily every day, wherever you find your great podcast. And I also am on Hacking Humans.
And you can find Smashing Security on Bluesky as well, unlike Twitter, which wouldn't give us a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Spotify and Pocket Casts. And huge,
huge thank you to our episode sponsors, 1Password, Vanta and ThreatLocker. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 393 episodes, check out smashingsecurity.com.
Until next time, cheerio bye bye bye
Bye tiny boys bye Thank you.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Maria Varmazis:
Episode links:
- ‘You are under digital arrest’: Inside a scam looting millions from Indians – BBC News.
- Digital Arrest Scam: How You Can Stay Safe – YouTube.
- Tamil Nadu Professor Placed Under Digital Arrest, Duped of Rs 10 Lakh – YouTube.
- ‘Mann Ki Baat’ episode 115 – India Prime Minister Narendra Modi.
- “My YouTube Channel Got Deleted Last Night..” – Bitz on YouTube.
- NCA shuts down major fraud platform responsible for 1.8 million scam calls – National Crime Agency.
- O2 launches free anti-scam caller identification for millions of customers – O2.
- AI Scambaiters: O2 creates AI Granny to waste scammers’ time – YouTube.
- “StreamJacking” – Hijacking Hundreds of YouTube Channels Per Day Propagating Elon Musk Branded Crypto Giveaway Scams – Guardio.
- Graham Cluley on Bluesky.
- Maria Varmazis on Bluesky.
- Dan Da Dan – Netflix.
- Butter by Asako Yuzuki – Harper Collins.
- ‘Butter’ book review: Meditations on murders – The Guardian.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- ThreatLocker – the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

