What happens when eager computer enthusiasts unknowingly download a trojanized hacking tool and find themselves on the wrong side of cybersecurity? A former employee’s actions led to chaos and raise urgent questions about the security of cultural treasures. And join us as we explore the alarming trend of social media influencers staging fake kidnappings.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the “Compromising Positions” podcast.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
There is a slight twist to this tale.
You're as predictable as an M. Night Shyamalan movie, I have to say, Graham.
Smashing Security, episode 402: Hackers Get Hacked, The British Museum IT Shutdown, Ransomware and social media kidnaps with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 402. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 402. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined this week by a very special guest returning to the show. It's my great pleasure to bring back to the guest—
Smashing Security.
Oh yes, that's it. Thank you. Bring back to the Smashing Security sofa, Lianne Potter from the Compromising Positions podcast. Hello, Lianne.
Hello. Well, what a comfy sofa it is. It's a chaise lounge of security. Thank you for having me back.
Do you like the colour? Graham chose the colour.
The colour is a bit much, you know, and I'm prone to spilling things. So, you know, it's a bit too decadent for me, but I will live. I will live.
I blame past guests for the colour of the sofa, actually. I know Dave Bittner, he had an unpleasant spillage once. As long as you found a clean patch, that's good for us, Lianne.
I have indeed. I have indeed. It's lovely. I will just avoid that weird stain there.
Okay. And I'm just going to run off and thank this week's wonderful sponsor, 1Password, and Tailscale. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be telling you how there's no honour amongst thieves.
Okay. And what about you, Lianne?
Well, we've got another disgruntled employee taking down a much-loved British attraction.
Oh, and I'm going to discover what woes befall the social media influencer. All this and much more coming up on Smashing Security.
Now, chums, chums, bad, bad news, I'm afraid, because 18,459 computers around the world have been compromised in a malware attack.
Not the biggest number in the world, let's be honest.
There have been times when there have been much bigger outbreaks, but this particular story is about 18,459 PCs which, according to the researchers at cybersecurity outfit CloudSec, have unwittingly become infected with spyware.
The computer enthusiasts who own those PCs have found that they're now compromised.
They can be spied upon, their data can be exfiltrated, their passwords stolen, snapshots can be taken of their screen, their registry can be fiddled with, and all of this can be commanded from a Telegram-based command and control server.
At the bidding of hackers. Nasty, nasty little botnet capable of stealing information.
Not the biggest number in the world, let's be honest.
There have been times when there have been much bigger outbreaks, but this particular story is about 18,459 PCs which, according to the researchers at cybersecurity outfit CloudSec, have unwittingly become infected with spyware.
The computer enthusiasts who own those PCs have found that they're now compromised.
They can be spied upon, their data can be exfiltrated, their passwords stolen, snapshots can be taken of their screen, their registry can be fiddled with, and all of this can be commanded from a Telegram-based command and control server.
At the bidding of hackers. Nasty, nasty little botnet capable of stealing information.
Ruh-roh.
Yeah.
We haven't talked about botnets and spyware in a long time, Graham.
Yeah, well, it's—
Having a comeback. It's having a comeback. You know, everyone goes through peaks and troughs. It's having a comeback.
Yeah.
And central to these things is often this command and control server, you know, which is what the hackers use to send messages to the compromised computers all around the world to get them to do their bidding.
It's a communication channel, effectively. It's not just for sharing pictures of your cat or whatever it is you may be doing.
You know, those sort of things are happening via these messaging systems.
And the hackers have successfully stolen via this spyware browser credentials, system information, Discord tokens to hack into people's Discord accounts, Telegram data from computers around the world.
And the worst-hit computers are in Russia, the United States, India, Ukraine, and Turkey.
So it's not as though it's— you know, sometimes we see attacks where Russian computers aren't attacked, for instance.
And central to these things is often this command and control server, you know, which is what the hackers use to send messages to the compromised computers all around the world to get them to do their bidding.
It's a communication channel, effectively. It's not just for sharing pictures of your cat or whatever it is you may be doing.
You know, those sort of things are happening via these messaging systems.
And the hackers have successfully stolen via this spyware browser credentials, system information, Discord tokens to hack into people's Discord accounts, Telegram data from computers around the world.
And the worst-hit computers are in Russia, the United States, India, Ukraine, and Turkey.
So it's not as though it's— you know, sometimes we see attacks where Russian computers aren't attacked, for instance.
That is interesting.
Yeah, they don't seem to care. They'll infect people anywhere. These guys have got no qualms at all.
Well, in a world where, you know, lots of DNI initiatives are being torn up, it's nice to see equal opportunity hacking across the board. I'm very pleased about that.
I'm just waiting. I'm just waiting because all this sounds very average at the moment, and I'm waiting for the twist in the tale because Graham always has it.
Do I?
Yes.
Well, the research done by these CloudSec guys, it discovered that the hackers who use names like Shiny Enigma and Millennium Rat, they have stolen so far over 1 gigabyte of browser credentials from infected devices.
So they've gathered a fair haul of data, which of course they will be exploiting. We can expect that to happen. So it's bad, bad news. Now, Carole, your spider sense.
So they've gathered a fair haul of data, which of course they will be exploiting. We can expect that to happen. So it's bad, bad news. Now, Carole, your spider sense.
Yes.
I think it may have tingled correctly, because there is a slight twist to this tale.
You're as predictable as an M. Night Shyamalan movie, I have to say, Graham.
You know what? When I went to see The Sixth Sense, I'd been told in advance, oh, there's a twist in it.
Oh, I hate that. I hate that when that happens, because you're always looking out for it.
Well, yeah, I was sat in the cinema, and right at the beginning, Bruce Willis gets shot.
And I'm like, "Oh, so he's dead then." And I had to sit through the rest of the movie thinking, "Well, that's why no one else is talking to him, because he's already dead." So it was completely wasted on me.
And I'm like, "Oh, so he's dead then." And I had to sit through the rest of the movie thinking, "Well, that's why no one else is talking to him, because he's already dead." So it was completely wasted on me.
I had the spoiler revealed to me when I saw it for the first time as well. It kind of takes the fun out of that movie, doesn't it? It's still a good movie, I have to admit.
But yeah, it does take the fun out of it.
But yeah, it does take the fun out of it.
Sorry if we've just ruined it for everyone who listens to Smashing Security who hasn't seen it yet. You've got to catch up.
You've got to be current on your Bruce Willis movies before listening to Smashing Security.
So there is a twist in the tale, and that is that there is something that links all the victims of this attack.
You've got to be current on your Bruce Willis movies before listening to Smashing Security.
So there is a twist in the tale, and that is that there is something that links all the victims of this attack.
Aha, here we go. Here's the meat. Okay.
Because it turns out they all appear to have downloaded a particular piece of software from the net.
Okay.
They all seem to have installed a piece of software called XWorm RAT Builder. Not your typical piece of software. So what does that mean?
What does that do? To me, it has my spidey senses tingling. That doesn't sound like something I'd want to download.
Yes, something called XWorm RAT Builder.
Yeah, yeah, it sounds a bit Trojan-y to me. Yes.
So it turns out that these people who downloaded this piece of software, they appear to be script kiddies, new to cybersecurity, novices who are perhaps keen to explore the dark side of the internet and maybe keen to play around a little with malware themselves.
It appears they downloaded this software after reading tutorials online about hacking other people's computers, which they may have viewed on Telegram and other channels, or watching YouTube videos that pointed them towards this particular download, which was up on file sharing services like Mega, is on GitHub repositories.
So these guys were downloading the XWorm RAT builder, thinking it would help them hack other people.
It appears they downloaded this software after reading tutorials online about hacking other people's computers, which they may have viewed on Telegram and other channels, or watching YouTube videos that pointed them towards this particular download, which was up on file sharing services like Mega, is on GitHub repositories.
So these guys were downloading the XWorm RAT builder, thinking it would help them hack other people.
Oh, there's no honour amongst thieves, is there? Hee baggum.
So exactly, so XWorm RAT, the real one, promises to deliver advanced capabilities like reconnaissance, data exfiltration, command execution.
Something very handy if you wanted to steal data or plant ransomware.
But the bad news for these people, these 18,000-odd people, was that the XWorm RAT builder that they downloaded was in reality trojanised. So, oh yes, sad trombone.
Something very handy if you wanted to steal data or plant ransomware.
But the bad news for these people, these 18,000-odd people, was that the XWorm RAT builder that they downloaded was in reality trojanised. So, oh yes, sad trombone.
Wop, wop, wop. Yeah, so yeah, okay, this is a difficult one. I'm trying to get the ethics of it — do I feel bad?
Yeah.
For these guys because they were duped.
Right. I think that's a very interesting discussion. How should we feel about this?
I mean, they are victims, but they were planning to perpetrate some kind of cybercrime, we assume, themselves.
I mean, they are victims, but they were planning to perpetrate some kind of cybercrime, we assume, themselves.
Or they were learning.
Yeah, they could have been perhaps wannabe security researchers — that is possible.
It turns out this particular malware would detect if it was being analysed, if it was being run in a virtual system, and it would refuse to do its bad stuff because it was trying to avoid detection.
They were told that this was a way to use the RAT Builder for free, downloading it from these sites. But in fact, of course, it did infect their systems with malware.
It turns out this particular malware would detect if it was being analysed, if it was being run in a virtual system, and it would refuse to do its bad stuff because it was trying to avoid detection.
They were told that this was a way to use the RAT Builder for free, downloading it from these sites. But in fact, of course, it did infect their systems with malware.
Did they read the small print, Graham?
I don't know how small the small print was, but it must have been infinitesimally small in white writing on a white background. I don't think it actually existed.
Oh, come, come.
I don't think the bad guys tend to do that, Carole.
Well, I'm just saying, can I ask, do we know who trojanised, quote unquote, the RAT Builder?
Well, we think it is these groups who call themselves Shiny Enigma or Millennium Rat — we don't know any more than that at the moment.
But the guys at CloudSec, they did do an analysis. What they did was they studied the malware in detail, working out how it operated, looking at Telegram, looking at the botnet.
They also managed to get hold of the images that had been captured from infected devices.
So these were screen captures and they did an OCR on those images — so optical character recognition, it's CSI, this.
But the guys at CloudSec, they did do an analysis. What they did was they studied the malware in detail, working out how it operated, looking at Telegram, looking at the botnet.
They also managed to get hold of the images that had been captured from infected devices.
So these were screen captures and they did an OCR on those images — so optical character recognition, it's CSI, this.
Right.
So they did the OCR. They were able to filter out the URLs that were on people's screens and work out the various URLs where the malware had been distributed from.
So it's quite clever from that point of view.
And then, of course, they could contact those providers, those service providers online and get those URLs shut down to prevent further distribution of the malware.
The other thing which CloudSec did is they found a way to deactivate and uninstall the malware on those 18,459 computers, at least attempt to.
So when they did their in-depth analysis of the trojanised version of the RAT, they discovered that it had an inbuilt command to uninstall itself.
So it's quite clever from that point of view.
And then, of course, they could contact those providers, those service providers online and get those URLs shut down to prevent further distribution of the malware.
The other thing which CloudSec did is they found a way to deactivate and uninstall the malware on those 18,459 computers, at least attempt to.
So when they did their in-depth analysis of the trojanised version of the RAT, they discovered that it had an inbuilt command to uninstall itself.
Right.
And so what they were able to do was they were able to send messages to the Telegram bot with each individual machine ID.
So each machine, when it gets infected by the malware, is given a unique identifier. It's like a 4-digit number.
And then if that computer was online and it received the uninstall command, their computer would be cleaned up. So that's what CloudSec did.
They sent every number from 1 to 9,999 to the botnet telling them to uninstall, which didn't work perfectly.
Because first of all, infected PCs had to be online at the time that CloudSec were sending the messages. But also Telegram rate limits how many messages can send at once.
So you can't send 10,000 all at once. CloudSec had to do them in batches.
So each machine, when it gets infected by the malware, is given a unique identifier. It's like a 4-digit number.
And then if that computer was online and it received the uninstall command, their computer would be cleaned up. So that's what CloudSec did.
They sent every number from 1 to 9,999 to the botnet telling them to uninstall, which didn't work perfectly.
Because first of all, infected PCs had to be online at the time that CloudSec were sending the messages. But also Telegram rate limits how many messages can send at once.
So you can't send 10,000 all at once. CloudSec had to do them in batches.
And you know, they would be doing this to computers that they're not authorized to access as well.
This is the other interesting discussion, is it?
Right.
So what's your opinion, you guys?
Is it right for security companies to clean up people's computers, whether they be potential villains or not, without displaying anything, without popping up any messages?
Is it right for security companies to clean up people's computers, whether they be potential villains or not, without displaying anything, without popping up any messages?
No, they should not, in my view.
You don't think so?
No.
It is a very ethical grey area, isn't it?
Because, you know, that thing they've downloaded, they might be stopping the spread of it, you know, going further, because who wants to stop them going to their mates?
It's like, "oh, I downloaded this great tool to do some hacking with. Here, do you want a copy?" And then start moving it along. Yes.
But yeah, yeah, I don't know how I feel about, it's kind of saving the day, but I wouldn't want someone just to access my computer.
What if I was a security researcher and I was also doing that? So, you know.
Because, you know, that thing they've downloaded, they might be stopping the spread of it, you know, going further, because who wants to stop them going to their mates?
It's like, "oh, I downloaded this great tool to do some hacking with. Here, do you want a copy?" And then start moving it along. Yes.
But yeah, yeah, I don't know how I feel about, it's kind of saving the day, but I wouldn't want someone just to access my computer.
What if I was a security researcher and I was also doing that? So, you know.
Right, right.
You've ruined my investigation.
Yes, yes, maybe there were rivals to CloudSec who were doing a similar ransomware, maybe their honeypot grabbed this thing and suddenly CloudSec are going in.
And they're like, "oh, for goodness sake, you know, we were analyzing this and now you've uninstalled it."
And they're like, "oh, for goodness sake, you know, we were analyzing this and now you've uninstalled it."
Yeah.
Technically, you could argue that is a computer crime in itself, isn't it? Unauthorized modification of someone else's computer.
I think it is in the UK under the Misuse Act.
Yeah. Yeah. Yeah. I think in many countries around the world.
Also, when a regular person or their computer gets hit by a piece of malware and they clean up, they get a message or their antivirus comes along there's a bit of a life lesson which is learned, right?
About—
Also, when a regular person or their computer gets hit by a piece of malware and they clean up, they get a message or their antivirus comes along there's a bit of a life lesson which is learned, right?
About—
Ah, yes, good point.
Being more careful online, about learning how to behave better so that you don't have a problem in future.
These particular script kiddies, as they're known, these people who are inexperienced at doing this or begin to dip their toe in, there's two life lessons they're not learning.
They're not learning a lesson which they could have learned about being safer online if they'd had to deal with it themselves.
But they've also not learned the repercussions of getting involved in the murky world of cybercrime and what can go wrong. Because unbeknownst to them, they've been sorted out.
These particular script kiddies, as they're known, these people who are inexperienced at doing this or begin to dip their toe in, there's two life lessons they're not learning.
They're not learning a lesson which they could have learned about being safer online if they'd had to deal with it themselves.
But they've also not learned the repercussions of getting involved in the murky world of cybercrime and what can go wrong. Because unbeknownst to them, they've been sorted out.
What would be interesting is to check forums and message boards to see if these script kiddies are like, "Hey, what happened to this piece of software I downloaded?
Have they gone broke or something like that?" It'd be interesting to see if they think it's just the company themselves taking it off rather than the security research team just swooping in, saving the day.
What's the moral of the story though? Is it, be careful, wrong ones might do wrong things?
Have they gone broke or something like that?" It'd be interesting to see if they think it's just the company themselves taking it off rather than the security research team just swooping in, saving the day.
What's the moral of the story though? Is it, be careful, wrong ones might do wrong things?
I think we all need to be careful, don't we? But Carole, you seem to have come down on the side against what CloudSec did. You feel that that's wrong.
What countries are these computers in? What jurisdictions do they have? What is CloudSec's right to those computers?
All over the world.
Right. So they've just kind of gone in and randomly accessed these systems based on whatever intentions, good or bad, I don't think that's the issue.
It's more that you should not do that. It's against the law. So, yeah.
It's more that you should not do that. It's against the law. So, yeah.
Would it have been for the greater good if the information CloudSec had collected had been passed on to law enforcement around the world for them to take action?
Or do we then think that would have taken months and months or years or would have been impossible?
And I mean, sometimes we do see law enforcement doing this kind of thing as well, don't we? Where they're the ones who clean up the computers.
Or do we then think that would have taken months and months or years or would have been impossible?
And I mean, sometimes we do see law enforcement doing this kind of thing as well, don't we? Where they're the ones who clean up the computers.
Tell the journalists, tell the cops, make a big show and dance about it. Put a pop-up on the machine. That's a bit like malware.
Maybe they could have popped up a message saying, oi, stop being so naughty, we're on to you. You shouldn't be doing stuff like that.
Yeah, but I would also be like, what the hell is that? That is so creepy. Who are these people?
Or we could have a community hacker engagement liaison.
So someone coming into these hacker forums and saying, hey, just a little heads up, what you've just downloaded might not be kosher, so just be careful. It's interesting, isn't it?
So someone coming into these hacker forums and saying, hey, just a little heads up, what you've just downloaded might not be kosher, so just be careful. It's interesting, isn't it?
I don't think there's an easy answer to this one, but certainly what CloudSec did was very clever. I think the jury's out as to whether it was the right thing to do or not.
I think there'll be opinions on both sides. Lianne, what's your story for us this week?
I think there'll be opinions on both sides. Lianne, what's your story for us this week?
Well, I've got two questions for you. The first one is, have you ever got revenge on a previous employer? And do you want to admit it on the show?
I don't know that I've wanted to wreak revenge on a previous employee. I can't think—
Employer, Graham. Employer.
Oh, sorry. Employer. I don't think so.
No, I don't think so either.
Very good. Well, I'm very pleased to hear that. You must have had wonderful, brilliant jobs.
Oh, I wouldn't say that.
Well, we just don't admit it, of course.
Yeah, yeah, of course. Of course, yeah. I don't want you to get into trouble or anything.
The other question I was gonna ask you is, have either of you ever been to the British Museum?
The other question I was gonna ask you is, have either of you ever been to the British Museum?
Yes.
It's fantastic, isn't it? It's a gem.
And one of the things, I've just come back from a trip away, and one of the lovely things I love about going to London is how most of the museums are completely free, and the British Museum being one of them.
And one of the things, I've just come back from a trip away, and one of the lovely things I love about going to London is how most of the museums are completely free, and the British Museum being one of them.
It's a great way to see treasures which have been stolen from around the world and looked after by good old Britain. On their behalf, whether they like it or not.
So, for anyone who's not been to the British Museum, yes, as Graham says, a lot of it has been pilfered from around the world.
But you can go see— my favourite one is to go see Egyptian exhibits. They're absolutely stunning things there. But, oh, they had a bit of trouble the other week.
Well, the other day, actually.
They had a disgruntled employee who was recently dismissed coming on an evening and shut down several of the systems, including its ticketing platform.
But you can go see— my favourite one is to go see Egyptian exhibits. They're absolutely stunning things there. But, oh, they had a bit of trouble the other week.
Well, the other day, actually.
They had a disgruntled employee who was recently dismissed coming on an evening and shut down several of the systems, including its ticketing platform.
Okay.
So it was an IT contractor. They were dismissed, then they trespassed. So, in my eyes, this is the closest we've got to, in British history, to a Jurassic Park incident.
If anyone remembers what happened in Jurassic Park, well—
If anyone remembers what happened in Jurassic Park, well—
Hang on. There was something preserved in amber or something. Didn't they reanimate it? So—
Wasn't it a mosquito?
I'm thinking this guy, he goes into the British Museum, he goes up to one of the Egyptian mummies or something like that, takes a bit of DNA, reincarnates Nefertiti to launch an attack on everybody.
Well, what happened? Well, how's this like Jurassic Park, Lianne?
Well, what happened? Well, how's this like Jurassic Park, Lianne?
It's like Jurassic Park because if you don't look after your employees or look out for the signs that your employees are unhappy, then bad things can happen.
But also just giving someone so much access to be able to shut things down.
So I think one of the weakest parts of your security posture is putting someone in charge of the delete button, really.
And so this person was able, even after they were dismissed... You'd think if someone was dismissed, that's different from someone just leaving.
You know, sometimes people have lax offboarding processes, can take a little bit while.
But if you are thinking this person's gonna be dismissed, you need to turn off their access as soon as that meeting is over.
But also just giving someone so much access to be able to shut things down.
So I think one of the weakest parts of your security posture is putting someone in charge of the delete button, really.
And so this person was able, even after they were dismissed... You'd think if someone was dismissed, that's different from someone just leaving.
You know, sometimes people have lax offboarding processes, can take a little bit while.
But if you are thinking this person's gonna be dismissed, you need to turn off their access as soon as that meeting is over.
But if he just turned off the machines, is that what you said?
But he had access to the IT system, so he was actually going in and turning off the IT system.
Oh, I see. Okay.
So, I had a quick look. For the most part, the British Museum is completely free to enter. However, what did get affected was, the British Museum do exhibitions.
Uh-huh.
Right. And that's 25 quid a pop.
Yeah.
So what happened is, people couldn't go see it. 'Cause they couldn't scan the tickets and things like that, couldn't pay for tickets.
Right.
British Museum actually lost out on quite a lot of money over the last few days.
When you talk about him being able to access the systems, he actually physically came in.
Yes.
This is the thing, 'cause we've heard, of course, about IT people in the past who've still got their passwords, still able to log in remotely.
Yeah.
It's alleged that he had the audacity to actually come into the building and access the systems physically by hand.
Yep. So you can just imagine the scene. You get dismissed, and you think, "Right, that's it. I'm gonna take my revenge. How dare they get rid of me?
I am king of the IT." Could be a queen.
I am king of the IT." Could be a queen.
Don't be sexist, Lianne.
Well, it does say it's a man in his 50s. He could call himself a queen. And I would be very fine with that.
Could be a drag queen. Could be a drag queen.
Could be indeed.
Lianne.
It could be.
They should have spotted that as he gets past reception.
Okay, Piers Morgan.
Just imagine the scene.
So, "Well, I'm going to go back in, and I'm going to teach the British Museum a lesson." And you go past Dave on reception with your key card, and he's like, "Oh yeah, I've not heard anything about you being dismissed." Yeah.
And then goes in, and with organizations I've worked in, you know, to get into high-secured areas, you got to use your card again to get into places, logs in.
So, "Well, I'm going to go back in, and I'm going to teach the British Museum a lesson." And you go past Dave on reception with your key card, and he's like, "Oh yeah, I've not heard anything about you being dismissed." Yeah.
And then goes in, and with organizations I've worked in, you know, to get into high-secured areas, you got to use your card again to get into places, logs in.
Yes.
That not monitored there, you know, was just speculating here, that's not monitored, and is able to cause quite a lot of havoc.
Huh. I was just recently in the Ashmolean, different museum entirely, but, you know, I was noticing secure areas, everyone had key fobs to get in, right?
Mm-hmm.
You know, and they all have these cards, I guess, to get into the private areas. So yeah, he must have just been able to replicate that and just get in everywhere.
Or maybe blag it. You know, I wonder whether the human element is really key here.
I wonder whether someone who's just been dismissed the following morning, for instance, they come in and you simply go, "Oh yeah, you know, I've left my card at home or whatever.
Can you just buzz me in?" And they've been working with this guy for months or maybe years.
And so they wouldn't necessarily know this was now an ex-employee, or even if they did know they'd left, they may not know that it was on bad terms.
I wonder whether someone who's just been dismissed the following morning, for instance, they come in and you simply go, "Oh yeah, you know, I've left my card at home or whatever.
Can you just buzz me in?" And they've been working with this guy for months or maybe years.
And so they wouldn't necessarily know this was now an ex-employee, or even if they did know they'd left, they may not know that it was on bad terms.
Yeah, you'd be like, "Oh, Kate, you know, they just let me go, but the thing is, I left some porn on the computer. Can you help me go delete it, please?" Right?
Or, "I'm coming in 'cause they've asked me to return my laptop," or something like that.
So you could come across as quite innocent and say, "Oh yeah, I left yesterday, but I'm just returning a few things." Yeah.
"Can you buzz me in 'cause I've got a meeting with Brian?" I want to empty out my locker.
So you could come across as quite innocent and say, "Oh yeah, I left yesterday, but I'm just returning a few things." Yeah.
"Can you buzz me in 'cause I've got a meeting with Brian?" I want to empty out my locker.
I want to get my mug.
Sure.
So, Lianne, this guy, obviously, so they know who he is, and he's arrested. This is a crime, right? Yeah, he's been arrested.
Arrested, he's going to be questioned.
One of the interesting things I was reading around the subject about malicious insider threats, most insider threats do tend to be the non-malicious kind, AKA boo-boos, screw-ups, where people don't mean to do wrong, but they do.
But malicious insider threats, apparently they did a survey, cybersecurity professionals more concerned with that last year than they were of any other type of threat up by 74%, which I thought was really interesting.
Now, normally malicious insider threats are financially motivated, sometimes a little bit of espionage, but actually it's relatively low for grudges to be the reason why.
But I guess the moral of the story is, you know, treat your employees right.
And even through that kind of offboarding process, particularly if it's a negative offboarding process, maybe, you know, you've had discussions with someone saying, "Hey, either you're going to be made redundant or there's been a performance issue or something like that," it's just make sure that they don't have access.
Having your offboarding, please hand in your badge, your laptop, and your vendetta at the end of the day. Thank you.
One of the interesting things I was reading around the subject about malicious insider threats, most insider threats do tend to be the non-malicious kind, AKA boo-boos, screw-ups, where people don't mean to do wrong, but they do.
But malicious insider threats, apparently they did a survey, cybersecurity professionals more concerned with that last year than they were of any other type of threat up by 74%, which I thought was really interesting.
Now, normally malicious insider threats are financially motivated, sometimes a little bit of espionage, but actually it's relatively low for grudges to be the reason why.
But I guess the moral of the story is, you know, treat your employees right.
And even through that kind of offboarding process, particularly if it's a negative offboarding process, maybe, you know, you've had discussions with someone saying, "Hey, either you're going to be made redundant or there's been a performance issue or something like that," it's just make sure that they don't have access.
Having your offboarding, please hand in your badge, your laptop, and your vendetta at the end of the day. Thank you.
Hand in your vendetta. Carole, what have you got for us this week?
I'm going to talk about social media influencers. And let me start with this premise. Would you agree with this or disagree? They are basically glorified salespeople, aren't they?
They market a lifestyle or a persona, gimmick, a fund, whatever.
They market a lifestyle or a persona, gimmick, a fund, whatever.
Yes. If you saw a post by me and I said, "Oh, this Ozempic is really great, hashtag ad," you know, I'm selling.
And then you're sitting there with a full picture of you and your little skivvies going, "Hello, 6 makes bank."
I was actually imagining myself with a bucket of Kentucky Fried Chicken, but which would be more like reality. But yeah, yes, yes, they are salespeople, right?
Because they're securing followers in order to sell stuff, and the idea is that everyone makes bank.
So selling a lifestyle, yes, selling a dream, the definition of advertising, isn't it? Yeah.
And it's a legit job. Selling stuff is a legit job, totally. But it's not one that I typically would imagine kids dreaming of doing. Right?
Like, what kid goes, oh, one day I'll be able to sell my very own vacuum cleaners?
Like, what kid goes, oh, one day I'll be able to sell my very own vacuum cleaners?
I don't think they think of it that, though. I think they're looking at the Instagram influencers and thinking, oh my God, I want to be Kim Kardashian or whoever it might be.
They're living the dream. They're going to expensive hotels. They're flying around the world. They've got luxury cars.
They're living the dream. They're going to expensive hotels. They're flying around the world. They've got luxury cars.
They're rich.
Yeah. They're not seeing the hassle of dealing with the advertisers and invoicing people.
Okay, maybe you're right. Let's see what you guess here, okay? Kids 8 to 12 were asked what they want to do when they grow up. Okay, and they have choices. They have 5 choices.
So teacher. Okay, teacher.
So teacher. Okay, teacher.
No.
Professional athlete.
Yeah, maybe.
Musician.
Yeah, maybe.
Astronaut.
Definitely.
That was always a top one for me.
Right? Or a vlogger slash YouTuber.
Yeah, 98%.
Yeah.
They want to be YouTubers.
Not quite 98%. But a third, 1 in 3, right? 1 in 3 want to have a modern-day sales rep job à la social media influencer, then jet off into space.
How many of those want to be influencer astronauts though?
Oh, that would be good, wouldn't it? We've had one. We've had one. What was his name?
Chris Hadfield.
Yes, Chris Hadfield.
With his tash.
With his tash. Gosh, I got all distracted there. So, okay, yeah, you were talking about that. Why do kids buy into this? It's the riches, it's the glamour. What is it?
It's the not having to actually do anything. It's the perception is you just loll around on holiday and you get paid a ridiculous amount of money.
I think that's attractive, isn't it?
I think that's attractive, isn't it?
And with all these things, you only ever see the good side of it, don't you? So it just looks so idyllic and idealised.
And they really know how to market the joie de vivre, don't they? A lot of influencers.
And I think it's the social alphaness of it all, you know, the fact that there's people there, they're doing stuff, and people are volunteering to follow them and learn everything about them.
It's you're a big alpha dog.
And I think it's the social alphaness of it all, you know, the fact that there's people there, they're doing stuff, and people are volunteering to follow them and learn everything about them.
It's you're a big alpha dog.
I imagine that validation piece, because that's what it's all about, isn't it? The likes and the shares and the how many views have I had.
That's becoming ever more important, isn't it, in valuing our social. So I imagine that plays a lot into that.
That's becoming ever more important, isn't it, in valuing our social. So I imagine that plays a lot into that.
So am I right, though, that I don't think many parents would be super thrilled if their kid was all about becoming an influencer?
Parents would not be "Oh, thank God," if they said they wanted to become, I don't know, a lawyer or a doctor, the stuff of when I was a kid.
Parents would not be "Oh, thank God," if they said they wanted to become, I don't know, a lawyer or a doctor, the stuff of when I was a kid.
Well, it depends, 'cause quite a lot of parents are influencers themselves nowadays. It's the family business.
That's true.
Yes.
That's true. 'Cause I'd to think that we're maybe parents are older and very much wiser and they can see the hidden costs to being a social media influencer. It is a lot of work.
You've got to build content all the time.
You've got to build content all the time.
Yes, we all three of us know what a grind that is.
But, you know, one of them that was at the height of his game described it quite well.
He said, "You know, the scary thing is you never know how long it's going to last, and that's what I think eats us up at night. You know, what's next?
How long can we entertain everyone for? How long before no one cares?"
He said, "You know, the scary thing is you never know how long it's going to last, and that's what I think eats us up at night. You know, what's next?
How long can we entertain everyone for? How long before no one cares?"
And what if that life wasn't worth living? You always see a spate of, for example, YouTube is where I get most of my quote-unquote influencer content.
You see all these YouTubers and they're all just burning out saying, "I'm taking a break from the channel," and things like that.
You see all these YouTubers and they're all just burning out saying, "I'm taking a break from the channel," and things like that.
Right, burnout.
And I, yeah, I think burnout is real for these people, but at the same time, it's not like they're working down a tin mine.
Not many people are. You sound like my dad is, "I used to have to walk to school." But there are many much worse jobs which are not as well compensated.
So I mean, it's hard to feel the largest amount of sympathy.
Do you think the average influencer actually makes a buck?
Oh no, I'm sure they do. I think there's lots of wannabes who would like to.
The people at the top of the tree, the MrBeasts and the Kardashians of this world, they're obviously making an absolute fortune.
The people at the top of the tree, the MrBeasts and the Kardashians of this world, they're obviously making an absolute fortune.
Yeah, but they're a very, very small percentage. But I think some of them are really struggling to make a tiny bit of money.
Which is why you go and do something else.
Uh-huh. Uh-huh. Because also, you know, you can get a blip, right?
You might get a video that gets nearly 200,000 views and it be all exciting for a week, your 15 minutes of fame, but then, you know, your view count starts to drop and then you have to build more content.
And if you can't, it's a hard pill to swallow. But it seems to be all based on greed in a way, right? This insatiable need to secure more followers.
That's why you are driven to do more content. And whether you're 10,000 followers or a million followers, the relevance of you, it seems in this world, is measured on growth.
You're going up or you're going down.
You might get a video that gets nearly 200,000 views and it be all exciting for a week, your 15 minutes of fame, but then, you know, your view count starts to drop and then you have to build more content.
And if you can't, it's a hard pill to swallow. But it seems to be all based on greed in a way, right? This insatiable need to secure more followers.
That's why you are driven to do more content. And whether you're 10,000 followers or a million followers, the relevance of you, it seems in this world, is measured on growth.
You're going up or you're going down.
I agree with that.
Maybe that's why people in the influencer sphere tend to do some bonkers things to maintain or grow their following. What about fake kidnapping? Well, it's crazy.
Last month, Instagram model Victoria Rose, better known, Graham, as Woah Vicky.
Last month, Instagram model Victoria Rose, better known, Graham, as Woah Vicky.
Sorry, why are you saying better known, Graham?
Woah Vicky.
I think, oh, Graham will now know who this is.
Just in case. Just in case.
Woah, woah, Vicky.
Whoa, come on, you don't know it.
Whoa, whoa, Vicky.
That was as bad as those hacker names earlier.
But she apparently sparked outrage after admitting to fabricating a kidnapping story.
Okay, the influencer had previously posted a series of tweets claiming she'd been kidnapped and held at ransom in Nigeria. One of the tweets read, I have kidnapped Vicky.
She is with me in Nigeria. I am demanding $1 million for her release. And this, of course, caused widespread panic amongst her followers.
And then during an Instagram Live on Sunday, she confessed that the entire ordeal was made up.
She says, quote, "We kind of got carried away with the joke, you know, and we just have fun and joke.
You know, I don't drink or go to the club, so this is how I find my entertainment." I mean, if I rang up a school and said I'd planted a bomb, then I'd expect the police to come round, right?
And say, you can't do things like that. So why don't the police—
Okay, the influencer had previously posted a series of tweets claiming she'd been kidnapped and held at ransom in Nigeria. One of the tweets read, I have kidnapped Vicky.
She is with me in Nigeria. I am demanding $1 million for her release. And this, of course, caused widespread panic amongst her followers.
And then during an Instagram Live on Sunday, she confessed that the entire ordeal was made up.
She says, quote, "We kind of got carried away with the joke, you know, and we just have fun and joke.
You know, I don't drink or go to the club, so this is how I find my entertainment." I mean, if I rang up a school and said I'd planted a bomb, then I'd expect the police to come round, right?
And say, you can't do things like that. So why don't the police—
She's not the first, right? She's not the first. Even a few years ago, you have the mom influencer, Kate Sorensen.
She falsely claimed that a couple tried to kidnap her kids at a craft store in an Instagram video. And she even went to the cops and filed a false police report.
She falsely claimed that a couple tried to kidnap her kids at a craft store in an Instagram video. And she even went to the cops and filed a false police report.
What?
The police should have known something was up. People who go to craft stores, they're usually very nice.
I agree.
I agree. And she ended up facing jail time for this, quote, you know, prank.
So while some influencers outright lie about kidnappings, about things as serious as kidnappings, some actually find themselves, well, kidnapped.
This week, a financial content creator in India known as The Stock Exploder was on his way to a Coldplay concert. And he's sitting there on a private bus.
So while some influencers outright lie about kidnappings, about things as serious as kidnappings, some actually find themselves, well, kidnapped.
This week, a financial content creator in India known as The Stock Exploder was on his way to a Coldplay concert. And he's sitting there on a private bus.
To be honest, I'd rather be kidnapped than go to a Coldplay concert. It's a lucky escape, if you ask me.
And along the way to his Coldplay concert, Cybercell officers pull him over. There are five of them.
And they forcibly remove him from the private bus, saying they're investigating a complaint. One of his followers has suffered excessive losses due to Stock Exploder's advice.
So he followed Stock Exploder's advice and he's now in the hole, right?
And they forcibly remove him from the private bus, saying they're investigating a complaint. One of his followers has suffered excessive losses due to Stock Exploder's advice.
So he followed Stock Exploder's advice and he's now in the hole, right?
Okay.
So the Cybercell officers then transport him to an undisclosed location, an undisclosed location. And here the true intentions are revealed.
These are not Cybercell officers at all, but data thieves. And they want access to his social media empire. So you see, Stock Exploder apparently operates his business on Instagram.
That's where his crews are. Telegram and Instagram are his business places, apparently.
But he runs this through a network of 16 mobile phones with an iPhone serving as the primary server.
And the perps got their hands on two of his phones and managed to link their own SIM cards to his social media accounts to access his follower base.
And the ultimate goal, as the police think, is to defraud the followers. And, you know, poor Stock Exploder. Not only is his business impacted, but, you know, he missed Coldplay.
And that's pretty bad.
These are not Cybercell officers at all, but data thieves. And they want access to his social media empire. So you see, Stock Exploder apparently operates his business on Instagram.
That's where his crews are. Telegram and Instagram are his business places, apparently.
But he runs this through a network of 16 mobile phones with an iPhone serving as the primary server.
And the perps got their hands on two of his phones and managed to link their own SIM cards to his social media accounts to access his follower base.
And the ultimate goal, as the police think, is to defraud the followers. And, you know, poor Stock Exploder. Not only is his business impacted, but, you know, he missed Coldplay.
And that's pretty bad.
Small mercies. So did this actually happen or not? Or is this just nonsense?
No, no, no, it's not nonsense. This has happened. My question is, this is day one. So are we going to find out that this is real or not real in a few days?
And that's the problem with people doing pranks, right? Some people doing pranks on trying to get more viewers by, you know, lying about a kidnapping. So now I'm doubting what—
And that's the problem with people doing pranks, right? Some people doing pranks on trying to get more viewers by, you know, lying about a kidnapping. So now I'm doubting what—
Oh, I see.
So what you're saying is because there has been a history of influencers faking things like kidnappings, when someone genuinely gets kidnapped, people are going to think, "Yeah, yeah, right, pull the other one." Right.
So what you're saying is because there has been a history of influencers faking things like kidnappings, when someone genuinely gets kidnapped, people are going to think, "Yeah, yeah, right, pull the other one." Right.
Well, let's wait and see what happens.
So I guess if you and Graham get kidnapped, we need a safe word, make sure it's genuine, or should we just call you out for the charlatans that you are for faking your own kidnapping?
Everyone these days has a VPN as a sponsor, but Tailscale isn't those.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
That's right. Tailscale is a modern networking solution for connecting your applications, your services, and devices securely.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private, it's easy to deploy, zero config, no fuss VPN. Plus it means zero trust.
Every organization can use this.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private, it's easy to deploy, zero config, no fuss VPN. Plus it means zero trust.
Every organization can use this.
Thousands of companies already use Tailscale like Instacart, Hugging Face, LastPass, Duolingo, and more. So why not try Tailscale for free today?
You'll get 100 devices and 3 users for free with no credit card required. Want to learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
You'll get 100 devices and 3 users for free with no credit card required. Want to learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast, and this week we want to tell you about how 1Password's extended access management can help your business.
This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control, and it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't.
It's security for the way we work today, and it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't.
It's security for the way we work today, and it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM Slack, and now they're securing more than just passwords with 1Password Extended Access Management.
Find out more right now. Go to 1password.com/smashing, and thanks to 1Password for supporting the show. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Find out more right now. Go to 1password.com/smashing, and thanks to 1Password for supporting the show. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. My Pick of the Week is a tool which I run on my Apple Mac computers. And it is called Raycast.
Have either of you heard of Raycast?
Have either of you heard of Raycast?
No.
Not a dickey bird, no.
Oh, it's wonderful. Well, it's an incredibly versatile tool for improving productivity for Mac users. And you know, Carole, you've got a Mac, haven't you?
Mm-hmm.
And you know, there's a thing called Spotlight Search, which maybe you sometimes for finding apps. All the time. Yeah. Okay. All the time. Right.
So at first I thought it was just a replacement for Spotlight Search, but it's turned out to be much, much more than that. You can use it for pretty much anything.
So you can search for apps, you can search for files on your computer, you can search on the internet, you can manage tasks, manage apps, you can create and install as well custom extensions to tailor this tool to do anything you want.
So I've got, for instance, now keyboard shortcuts to turn my studio lights on and off.
If I'm doing a webinar or something, I can just press a button on my keyboard and it will do that. All through this program, Raycast. I can do window management.
I can place windows around my desktop, you know, say, oh, send that one over to this screen, send that one over there, go on that half of the screen. I can turn on or off my webcam.
I can do translation. I can do dictionaries. I can work out the times between different dates. I can track flights. I can have code snippets.
So if there's a piece of text which I'm often writing, I can just have it as a shortcut. Have a clipboard history.
So at first I thought it was just a replacement for Spotlight Search, but it's turned out to be much, much more than that. You can use it for pretty much anything.
So you can search for apps, you can search for files on your computer, you can search on the internet, you can manage tasks, manage apps, you can create and install as well custom extensions to tailor this tool to do anything you want.
So I've got, for instance, now keyboard shortcuts to turn my studio lights on and off.
If I'm doing a webinar or something, I can just press a button on my keyboard and it will do that. All through this program, Raycast. I can do window management.
I can place windows around my desktop, you know, say, oh, send that one over to this screen, send that one over there, go on that half of the screen. I can turn on or off my webcam.
I can do translation. I can do dictionaries. I can work out the times between different dates. I can track flights. I can have code snippets.
So if there's a piece of text which I'm often writing, I can just have it as a shortcut. Have a clipboard history.
This is pretty exciting.
It replaces lots of other tools which I have on my Mac. So I have everything in this one thing and I found it's really streamlined my work. So Raycast, I find really easy to use.
I keep on finding new functionality and there are all these custom extensions you can add on to it to do more and more things. And it's free forever with—
I keep on finding new functionality and there are all these custom extensions you can add on to it to do more and more things. And it's free forever with—
Hey, that was going to be my question. You know, how much brass is it?
It's free forever with almost all of the functionality. And I did use it for a while for free, very happily.
And then out of curiosity, I thought, oh, they're saying you can try it with those extra little bits for 14 days and then it becomes $8 per month.
And so I've now actually upgraded to the pro plan because I am finding it gives me more $8 worth of value for some additional functionality, like syncing between my devices, like an unlimited clipboard, AI integration as well, if you want to use some AI functionality.
But it's changing the way I use my Mac and my workflow. And it's a really cool little thing. So it is called Raycast. The geek in me is absolutely loving it.
So that's my pick of the week, Raycast. Cool.
And then out of curiosity, I thought, oh, they're saying you can try it with those extra little bits for 14 days and then it becomes $8 per month.
And so I've now actually upgraded to the pro plan because I am finding it gives me more $8 worth of value for some additional functionality, like syncing between my devices, like an unlimited clipboard, AI integration as well, if you want to use some AI functionality.
But it's changing the way I use my Mac and my workflow. And it's a really cool little thing. So it is called Raycast. The geek in me is absolutely loving it.
So that's my pick of the week, Raycast. Cool.
Very nice.
Okay, Lianne, what's your pick of the week?
So my pick of the week is something I came across over the Christmas period. So the Christmas period is, I always treat as a very nice downtime for me.
I'd like to call myself a gamer, but in actual reality, I just don't have time anymore.
I'd like to call myself a gamer, but in actual reality, I just don't have time anymore.
Yeah.
But I'd love to sit down, and that's when Christmas really comes into play, and I play a lot of video games over Christmas, really get it in.
And I came across this really fantastic game, and it's by a company that did a really brilliant game back in 2019, and some of your listeners might have had to play around with it, which was called Untitled Goose Game, where you played a goose and terrorised the neighbourhood.
And I came across this really fantastic game, and it's by a company that did a really brilliant game back in 2019, and some of your listeners might have had to play around with it, which was called Untitled Goose Game, where you played a goose and terrorised the neighbourhood.
Oh yes.
Yes, it was a fantastic game. Brilliant.
Great fun.
Well, this company have brought out a new game, and if anyone's caught my accent during this episode, you'll see why I also think it's wonderful.
My pick of the week is a game called Thank Goodness You're Here.
My pick of the week is a game called Thank Goodness You're Here.
It's very northern, isn't it? Thank goodness you're here.
It's very northern. Thank goodness you're here.
Very northern, and it's a fake town called Barnsworth, which I believe is a bit like Barnsley because I've been to Barnsley myself and it kind of looks like that.
But thank goodness you're here is a beautiful and hilariously funny game. It's almost to me like an interactive story.
Your gaming really involves you going to the fishmongers and having to stamp on all the fish's heads until cigarettes come out of them. That's one of the tasks you get to do.
But what really makes this a really special game. It comes in about— I completed it in 3 and a half hours. Yep, there isn't much game there, but what is there is absolute gold.
When you're just walking around, the joy of it is just to look at the artwork, to look at the inside jokes, to listen to the story.
I've not laughed so much playing a game in so long. It is really brilliant. It is very Northern. You get a choice at the start of the game to how Northern you want it.
I put on max because I can understand the language and the lingo.
Very northern, and it's a fake town called Barnsworth, which I believe is a bit like Barnsley because I've been to Barnsley myself and it kind of looks like that.
But thank goodness you're here is a beautiful and hilariously funny game. It's almost to me like an interactive story.
Your gaming really involves you going to the fishmongers and having to stamp on all the fish's heads until cigarettes come out of them. That's one of the tasks you get to do.
But what really makes this a really special game. It comes in about— I completed it in 3 and a half hours. Yep, there isn't much game there, but what is there is absolute gold.
When you're just walking around, the joy of it is just to look at the artwork, to look at the inside jokes, to listen to the story.
I've not laughed so much playing a game in so long. It is really brilliant. It is very Northern. You get a choice at the start of the game to how Northern you want it.
I put on max because I can understand the language and the lingo.
Wonderful.
But you do have the option to tone that down a little bit so you can still follow along. It's absolutely hilarious and brilliant and I really recommend it.
And it comes sometimes as a bundle on Steam, so you can buy Untitled Goose Game, which I absolutely recommend as well, as a kind of bookend to that.
But thank goodness you're here is absolutely brilliant and I can't recommend it enough.
And it comes sometimes as a bundle on Steam, so you can buy Untitled Goose Game, which I absolutely recommend as well, as a kind of bookend to that.
But thank goodness you're here is absolutely brilliant and I can't recommend it enough.
I have had this game recommended to me before, I think by a listener who got in touch saying, "Oh, you'd really like this." I haven't played it, but I've seen some videos of it, and it does look hilarious, great fun.
I've got a theory that the North is really into surrealism. Because you got things like Vic Reeves. He's from the North. League of Gentlemen.
It's got a very League of Gentlemen vibe to it as well. Quite a lot of them are from the North as well.
If you like The League of Gentlemen, you know, the early days of Vic and Bob and things like that, I think you'll love this game.
It's got a very League of Gentlemen vibe to it as well. Quite a lot of them are from the North as well.
If you like The League of Gentlemen, you know, the early days of Vic and Bob and things like that, I think you'll love this game.
It's got a really fantastic sort of comic book or cartoon-like feel to it as well, doesn't it? It really does look great.
It's beautiful. It's a beautiful looking game. As I say, belly laughs throughout. All I would say is some people might be like, oh, this might be suitable for kids. It's not really.
There is some quite rude jokes in it. But yeah, it's excellent.
There is some quite rude jokes in it. But yeah, it's excellent.
I'm tagging this for my next date night with the Yeti. Yeah, we'll do this. Perfect.
Terrific. Carole, what's your pick of the week?
Mine is a little bit more serious. It's a podcast called The We Society hosted by Will Hutton. Will Hutton, well-known journalist in the UK, writes a regular column for The Observer.
And this podcast, The We Society, has been going for a number of years. It just launched season 7.
And this podcast, The We Society, has been going for a number of years. It just launched season 7.
How do you spell we, Carole? Is that as in French?
W-E, us.
Oh, just one E. Oh, okay. Right. Now I've got you. Yeah.
I didn't even think that way, Graham.
It's because of Lianne and her rude Northern game. My mind has gone there.
No, this is more about discussing the bigger questions about society or looking at big questions through this social science lens.
So things like, should we and how do we improve education, or what is the future of democracy? Big things like that. Hate crime, how do we stop it? War on drugs. So big topics.
And Will Hutton has experts and researchers on who share their specific insight on the realities of the situation and then explore, how did we get here? Where are we going?
What should we do? Basically, that's the way I would say it.
So things like, should we and how do we improve education, or what is the future of democracy? Big things like that. Hate crime, how do we stop it? War on drugs. So big topics.
And Will Hutton has experts and researchers on who share their specific insight on the realities of the situation and then explore, how did we get here? Where are we going?
What should we do? Basically, that's the way I would say it.
Big heady stuff.
It's heavy, but also relevant. And I find it hopeful as well.
So, you know, in a world where lots of headlines are very bad all the time, it's nice to have something where you learn from it, but also that you enjoy and you find a little bit more uplifting.
So it's The We, just W.E. Society with Will Hutton. And that's my pick of the week.
So, you know, in a world where lots of headlines are very bad all the time, it's nice to have something where you learn from it, but also that you enjoy and you find a little bit more uplifting.
So it's The We, just W.E. Society with Will Hutton. And that's my pick of the week.
Nice. I'll check that out.
Fantastic. I feel like we've covered it all this week in pick of the week. We've got the whole gamut there, haven't we? So that just about wraps up the show for this week.
Thank you so much, Lianne, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
Thank you so much, Lianne, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
On LinkedIn all the time. But if you want to hear some more of my shtick, Compromising Positions is the podcast. Put Compromising Positions Podcast into Google.
Do not just put in Compromising Positions. Nothing but the worst things you might see will come up if you don't put in podcast as well. I can't be held responsible.
Do not just put in Compromising Positions. Nothing but the worst things you might see will come up if you don't put in podcast as well. I can't be held responsible.
Anyway, you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, 1Password and Tailscale. And of course, to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 401 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 401 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye. Bye.
Lianne, tell me about your new podcast.
Like a little exclusive here, we've got a new podcast coming out in summer this year. So if you follow us on Compromising Positions, we will let you know when that comes out.
But it's going to be called Tech Film Noir, and we're going to be going through films, so your Terminators, your Lawnmower Mans and things like that, and putting them in the historical context.
And we'll also be geeking out, so we'll be looking at what kernels they're using as well, do a deep dive into the code.
So it's a good mix of if you like your films and you like your tech, you're going to enjoy Tech Film Noir.
But it's going to be called Tech Film Noir, and we're going to be going through films, so your Terminators, your Lawnmower Mans and things like that, and putting them in the historical context.
And we'll also be geeking out, so we'll be looking at what kernels they're using as well, do a deep dive into the code.
So it's a good mix of if you like your films and you like your tech, you're going to enjoy Tech Film Noir.
That sounds a lot of fun. Carole and I, we once did with Maria Varmazis a commentary on Zardoz, which—
Against my will. Against my will.
But Carole, you know, he's such a hairy beast and someone who's also a fan of some hairy beasts.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Lianne Potter
Episode links:
- No Honour Among Thieves: Uncovering a Trojanized XWorm RAT Builder Propagated by Threat Actors and Disrupting Its Operations – CloudSEK.
- British Museum forced to partly close after alleged IT attack by former employee – The Guardian.
- Chart: What Do You Want to be When You Grow Up?– Statista.
- Tikked off: What happens when TikTok fame fades – Vox.
- Influencer burnout is real – Vox.
- Influencer slammed for staging fake kidnapping plot because she was ‘bored’ – Mirror Online.
- “Mom influencer” Katie Sorensen sentenced to jail for falsely claiming couple tried to kidnap her kids at a crafts store – CBS News.
- Stock market influencer on the way to Coldplay concert kidnapped by data theft gang – The New Indian Express.
- Raycast.
- “Thank Goodness You’re Here” video game.
- The We Society Podcast – Academy of Social Sciences.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
