Smashing Security podcast #409: Peeping perverts and FBI phone calls

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

In episode 409 of the “Smashing Security” podcast, we uncover the curious case of the Chinese cyber-attack on Littleton’s Electric Light Company, and a California landlord’s hidden camera scandal.

Find out about this, and more, in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

Okay, if I were Nick, yeah, I'd be, oh yeah, really? Yeah, FBI, scam-bi, goodbye. That's what I would do.

Unknown

Smashing Security, episode 409, Peeping Perverts and FBI Phone Calls, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 409. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

Hello, Carole. Here we are back again for another show.

Carole Theriault

I know.

Graham Cluley

No guests this week again. We're going to have to get a guest in soon, aren't we?

Carole Theriault

I think we definitely will, but not this week because I'm sick, Graham. I'm sick.

Graham Cluley

Oh, what's wrong? What's wrong?

Carole Theriault

I have a flu. So if my voice is all scratchy, just know that I'm being a soldier, not skipping a week. You know what, I think we should kick the show off. But first, let's thank this week's wonderful sponsors, Vanta, Drata, and Acronis. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got? Ooh, and I'm talking about short-let nightmares coming back to haunt you, a scary episode. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, actually specifically you, Carole, have you ever hidden somewhere for a long time?

Carole Theriault

Not by choice.

Graham Cluley

Maybe when you were a kid? Did you hide in a cupboard under the stairs?

Carole Theriault

Funny you should say cupboard. My brothers both locked me in, I don't know how, tricked me into getting into this toy box we had in the basement of our house.

Graham Cluley

I'm going to Right.

Carole Theriault

And I got in and then they locked it shut.

Graham Cluley

Oh. be talking about

Carole Theriault

With rope and stuff, and then went off to watch cartoons upstairs. So I do have claustrophobia, and I wonder if that's associated.

Graham Cluley

a lurking horror of hackers. How old were you? In your 30s or what? How old were you when this happened?

Carole Theriault

No, maybe more eight.

Graham Cluley

Oh, that's a horrible story. You know, I remember when we and a large group of your friends were— I think you organized some great big party in the country. And we all decided to play a game of hide and seek.

Carole Theriault

Graham.

Graham Cluley

And one by one, one by one, people were found in about an hour. You know, it was the end of the game. You know, it's all fun and games, you know, in a strange big house, hiding different places and people would go, oh, here you are. And all that sort of thing. And the game finished as games do. We know how to have a wild time. And then about an hour after the game finished, someone came into the room feeling rather—

Carole Theriault

No! We found the person in the room.

Graham Cluley

Did we?

Carole Theriault

Yes. Well, not we. I and someone else found them in a bedroom. We'd forgotten about them. It was awful.

Graham Cluley

No one had noticed they were missing.

Carole Theriault

It had nothing to do with the person at all. It's just there were tons of people.

Graham Cluley

No, no, no. Now imagine what could have happened if she'd had provisions and a supply of loo paper. She could have stayed there for weeks, couldn't she, if we had never noticed? And she'd still have been playing that game. And I was reminded of this when I heard a story this week about some Chinese hackers who had allegedly sat undetected. That's what the headline said. This says Chinese hackers sat undetected in a small Massachusetts power utility for months.

Carole Theriault

Okay.

Graham Cluley

And I thought, that's a long time to sit undetected, isn't it? I mean, you'd have thought people would have noticed the pizzas being delivered. Of course, that's not what it meant. It wasn't that they were actually sitting in there undetected. They were virtually there, Carole. They were virtually there.

Carole Theriault

Oh.

Graham Cluley

Yes.

Carole Theriault

Thanks for clarifying. Yeah.

Graham Cluley

I felt I should. Yeah. Our story actually begins in November 2023.

Carole Theriault

Okay.

Graham Cluley

And it's a Friday night in the small town of Littleton, Massachusetts. And there's not a lot of people who live in Littleton or in its neighbouring town of Boxborough. In all, it's about 15,000 people. So it's not huge.

Carole Theriault

Right.

Graham Cluley

And not a lot goes on there. Maybe there's the odd cake sale at the town hall or a marrow growing competition if it's anything like English towns. Just something like that going on. And on this particular Friday night, a guy called Nick Lawler received a phone call at his home in Littleton. And he's not happy about this because he wants to relax. It's a Friday night, right? The weekend's ahead. He's been busy all week being general manager of the Littleton Electric, Light, and Water Department.

Carole Theriault

He deserves a beer.

Graham Cluley

Of course he does, right? And he's thinking, who's calling him? Anyway, he gruffly answers the phone, and the person on the other end says that he works for the FBI. And Nick's thinking, what? Why are the FBI calling me? Did someone forget to pay the electricity bill at FBI headquarters? Why are they ringing me? Why are they doing this?

Carole Theriault

Okay.

Graham Cluley

And the FBI guy says that the Littleton power network has been compromised by hackers. And according to the FBI on this phone call, Littleton's electric company had been hosting some uninvited guests, members of the Volt Typhoon gang, who'd been lounging around their network for up to 10 months.

Carole Theriault

Okay, if I were Nick, can I say what I would do right now? I'd be like, oh yeah, really? FBI? ScamBI, goodbye.

Graham Cluley

That's a bad idea. Well, that's interesting. That's interesting. Because Nick's a little bit suspicious. He thinks, who'd want to hack his electric company? They don't have access to any large critical infrastructure. They just distribute the power. You couldn't imagine they would be a target. But the man on the phone insists that they have been targeted, claims they are on a list of 200 utility organizations that have been breached by the hackers. And the guy on the phone says, look, Nick, can you give me your personal email address? Because what I'd like to do is I'd like to send you a link where you can read more about the hackers, and that will help diagnose the severity of the hack.

Carole Theriault

No.

Graham Cluley

Now, Carole, I think you've already given me a clue as to how you're going to respond.

Carole Theriault

Yeah, nice try, bucko.

Graham Cluley

Well, Nick had a similar approach, although a little fruitier in his language. What he said was, go fuck yourself. Oh, yes. I'm not going to click on a link. You must think I'm an idiot. Right. What's your name again?

Carole Theriault

Nick's probably a big listener of the show. Well done, Nick.

Graham Cluley

Well done, Nick. Nick, if you're listening, we admire you for that approach.

Carole Theriault

This is all going to go wrong. I know.

Graham Cluley

I know. And as the Register describes, Nick hung up and he called— and this again, bonus points for doing this, Nick— Nick called up the FBI field office in Boston directly.

Carole Theriault

Smart.

Graham Cluley

Not using the phone number he was given on the call. Rings them up, and what do you know? The same FBI agent answers the phone. Oh! But Nick is still a little bit concerned. He thinks, "Well, that's a bit odd." And so he still refuses to hand over his personal email address. He says, "Look, if this is really that important, you can show up at my place of work at the electric company on Monday morning and tell me face-to-face." Great! Because it's the weekend. It's the weekend before Thanksgiving. He's gonna go to his kids' sports games. He's gonna get on with family life. And he pretty much over the weekend forgets about the phone call.

Carole Theriault

He's assuming this is not time critical.

Graham Cluley

Well, you know, come on, it's Littleton.

Carole Theriault

Thanksgiving.

Graham Cluley

It's Thanksgiving. It's the weekend, for God's sake. He's got a beer in his hand.

Carole Theriault

Maybe.

Graham Cluley

Forgets all about it. Until Monday, when who should turn up at his place of work but the FBI with a printed out PDF all about the Volt Typhoon Gang. Now, as I said, this was the start of Thanksgiving week in 2023. And it transpired the hackers had been on the network of Littleton's electric, light, and water departments for over 300 days, almost a year.

Carole Theriault

Wow.

Graham Cluley

That's about 1,200 times longer than that person hid during our game of hide and seek. So—

Carole Theriault

Good maths.

Graham Cluley

Thank you. It's a very, very long time indeed. And all that time, the hackers had been able to access sensitive systems without detection. And one of the challenges that this little electric company had faced was that it was such a small operation. It didn't have the resources. It didn't have the people power. It didn't have the technology to properly defend itself from attacks. For instance, it had struggled because it had limited visibility into its OT network, the operational technology network. Those are the bits of your network which manage and control physical devices in industrial environments, right?

Carole Theriault

Yeah. This bugs me though, because this just says, oh well, guess it's only megacorps that can do all the big serious jobs now. And I can see that it's a resource issue. Like what? Because you're delivering energy, you need to have Fort Knox of security.

Graham Cluley

Well, unfortunately, if you're just one link in the chain, then, you know, if you get knocked out, that could have big impact, couldn't it? And the Volt Typhoon hackers, they had been really sneaky. They are a group which typically doesn't use malware, right? Typically doesn't do that kind of thing. What they do is they use living off the land techniques. And this is a technique which is used increasingly by hackers where they won't use their own malware. They will use tools which you already have on your network. So there are tools on your network like PowerShell, which are ways to automate various functions on your network, do lots of helpful things. And what the hackers will do is they'll use that tool to do their dirty work for them, to copy files around or zip them up and then begin to exfiltrate them. And living-off-the-land attacks have become very, very popular because there's much less risk of being detected.

Carole Theriault

Well, exactly.

Graham Cluley

By an antivirus compared to when you install your own malware.

Carole Theriault

No, exactly. And even if you think of it, in the earlier days when we had, when these viruses had payloads, which would basically say, haha, got ya, you're kind of giving away the game early on.

Graham Cluley

Yes, it's announcing, yes, it's like a ransomware attack. It obviously has to announce the fact that it's hit you. These attackers aren't interested in a ransomware attack, at least not at this point. They're mostly interested in spying and seeing how your network works. And if it should come to it, then maybe breach it. So the concern is, and one of the concerns about the Volt Typhoon Gang is that they are believed to be operating should the political situation change. So if, for instance, China and America were to become more openly hostile to each other, if, for instance, China were to attack Taiwan and America got embroiled in that, which is a scenario you could imagine happening, then these Chinese hackers are thought to have already done the prep work breaking into utilities and critical infrastructure in America, just biding their time, because should that come to pass, then they could cause a lot of disruption and damage. But you have to wonder, what was the FBI playing at? So imagine you're at an FBI office that identifies a security breach at a piece of critical infrastructure. What do you do? You call the facility, ask for a private email address, and tell them to click on a link to download a program. Well, what do they do?

Carole Theriault

Well, that's not what they did. They called them at home. It's even worse, right?

Graham Cluley

They called him at home. They called him at home, asked for his AOL account.

Carole Theriault

Yes.

Graham Cluley

And said, we're going to email you something, click on it and run a program, download a program, diagnose what's going on.

Carole Theriault

But you can understand from their point of view as well.

Graham Cluley

Yes.

Carole Theriault

How do they legitimize themselves in a suspicious world?

Graham Cluley

And where there's urgency as well. How can people verify that it's legit? You want to have a secure channel for communicating with someone, maybe. You're concerned that the phone network at the organization or the email system at the organization has been compromised. And so they're looking for another method. But at the same time, what kind of lesson is this teaching people? Because there's a danger you're normalizing something very, very risky as being acceptable practice. Because normally, I'm sure Nick is a regular listener judging by his response to the FBI, normally we'd say treat that kind of thing with extreme caution and suspicion.

Carole Theriault

Well, we did give them gold stars, right, for some behaviours.

Graham Cluley

We did. We did. Absolutely. Yes. But I think ideally, I think most of us would feel more comfortable if an FBI agent turned up on our doorstep. But then how would you know it's an FBI agent? It could be just someone who's been down the fancy dress shop and is pretending to be, couldn't it? Waving a badge at you.

Carole Theriault

I like the idea of showing up in the office on a Monday morning. I think that's just old school, you know.

Graham Cluley

You think hackers can't get up early enough in the morning on a Monday?

Carole Theriault

That's basically what I'm saying.

Graham Cluley

Yeah. That's what you're saying. Okay. Carole, what's your story for us this week?

Carole Theriault

So I saw a story in The Independent, and it occurred to me that we hadn't touched on the subject in a while on Smashing Security. So I thought it was time to bring it back. So let me just set the scene.

Graham Cluley

Right.

Carole Theriault

It's 2018. And Jane, her true identity is masked. Okay. But we're going to call her Jane. She's just rented a one-bedroom with ensuite bath. In a 300-square-foot Long Beach residence. Right? She did this via a site called Roomies.com.

Graham Cluley

Okay.

Carole Theriault

And the landlord, a 74-year-old whose first name is apparently Bond.

Graham Cluley

Bond?

Carole Theriault

Yep, Bond.

Graham Cluley

Okay, all right.

Carole Theriault

So landlord Bond has a number of properties and rooms for rent in the area. He's maybe a property baron of sorts. So cool, cool. Jane gets the room, has the only set of keys, and keeps the door locked. But things get weird.

Graham Cluley

Right?

Carole Theriault

About 3 weeks into Jane's rental, our landlord Bond reportedly starts making comments to Jane about her body. I'm assuming the hubba hubba type of comments. And a few weeks later, he asks her whether she would consider trading personal favors for rent.

Graham Cluley

Oh my God.

Carole Theriault

And I'm not sure that means ironing his shirts.

Graham Cluley

No.

Carole Theriault

So Jane doesn't get into a flap, apparently. She brushes him off, probably thinking the equivalent of perv.

Graham Cluley

Yeah.

Carole Theriault

Right?

Graham Cluley

Pervy old man.

Carole Theriault

Right. And whatever. I've brushed him off, but the comments keep coming. Anyway, so soon after she moves in, she leaves for a two-week vacay, and landlord Bond apparently soothes her by saying, "You know I would never put a camera in your room, right?" Well, that would spook you out, wouldn't it? You'd be like, "What?"

Graham Cluley

Sorry, what? I wasn't thinking Yeah. "I'm not gonna scoop your eyeballs out with a spoon, right? You know that." Okay, yeah, freaky. you would until you happened Yes. Yes. And Jane changes the locks on her bedroom door before jetting off. So she has put the new lock in, new keys, everything, everything. to actually mention it. All right. Are you allowed to do that if it's a rental?

Carole Theriault

Mm, good question. I'm not sure. I suppose you have to still give the landlord access if they want to inspect or something. Yeah, an interesting legal quagmire for another show, perhaps. Yeah.

Graham Cluley

Yes, yes. Tune in to Smashing Security for answers to that question.

Carole Theriault

Ding, ding. So while Jane is away, the landlord contacts her and he says, "Oh, Jane, Jane, Jane, there's a leak in your bathroom. And in order to fix it, a locksmith would have to unlock your door." Oh, yeah. And when she returns, she finds that in fact the whole lock has been changed outright. So, okay, this wouldn't sit well with me. The guy's a bit of a perv.

Graham Cluley

Yeah. Right. He's changed the locks. Okay.

Carole Theriault

Right. Icky. Well, it's good that she was able to do that. Imagine if she'd paid a year in advance or something. Yeah, yeah. That would be awful.

Graham Cluley

Yeah.

Carole Theriault

Okay. So we fast forward now. We fast forward 6 years to February 2024. Okay. So about this time last year. All right. And Jane, maybe at a local coffee shop, maybe at the dog park, I don't know, but somehow gets chatting to an old friend of ex-landlord Bond.

Graham Cluley

Okay, what's their name? Moneypenny?

Carole Theriault

Yeah, sure. And the friend mentions something along the lines of Bond having installed smoke detectors with cameras and had recorded Jane both in the nude in her bedroom as well as engaging in intimate situations with her guests.

Graham Cluley

Hey, okay, obviously that is horrific. And that would be disturbing. What is Bond doing telling people that he's— Well— And why is this person his friend?

Carole Theriault

It's "I'm not gonna murder I mean, first, welcome to Yuckville, right? Because it would be just horrific news. you in the night, right? And 6 years have passed, okay, without her even having any knowledge of this.

Graham Cluley

Yeah. Is it possible it's a very slow Wi-Fi connection? So any pictures which were transmitted from her room have only recently arrived on Bond's computer.

Carole Theriault

You know that." The friend says the landlord Bond had actually shown him the videos, which were forwarded from the smoke detector cameras, according to this article in The Independent, to the landlord's phone and email. And the friend was not the only one to see them. So in other words, landlord Bond was passing them around. Okay, so again, this is pretty horrific news to be hearing. Not only just hearing it, but 6 years later as well.

Graham Cluley

It's not just an indictment on this Bond chap, but all of his associates. I mean, there were so many people who could probably have blown a whistle and gone to the police, you know.

Carole Theriault

Short time later, Jane confronts the landlord about his actions, and weirdly, he admits to Jane that he secretly installed the surveillance cameras, took the illegal videos, and showed the illegal videos to his friends.

Graham Cluley

Okay.

Carole Theriault

It's worse than that. Jane learns that the landlord sent the illegal videos to a male porn star and secretly tried to arrange a meeting between Jane and this individual so he could secretly record them.

Graham Cluley

Oh, so, okay, hang on a minute. So Bond arranged for a male porn star to bump into Jane and maybe—

Carole Theriault

Oh, hello, I'm here to fix your taps.

Graham Cluley

Exactly.

Carole Theriault

I heard you had a problem.

Graham Cluley

'Oh, there's a problem with the washing machine. Let me just—' 'Yeah, okay, I'm the pizza delivery guy.' Okay, and so— And in order that Bond could film both of them covertly. Yes.

Carole Theriault

Or maybe he was going to give a cut to the porn guy. Who knows?

Graham Cluley

It feels— Yeah, it feels rather an elaborate scheme. Yes.

Carole Theriault

Well, Jane has finally taken Bond to civil court, asking the judge to hand down an injunction blocking—

Graham Cluley

Don't just take him to civil court. Just call the cavalry. Well, right.

Carole Theriault

Right. And she wants them banned from distributing further videos, et cetera, et cetera. And Jane, of course, is not alone, right? I've been doing this research for this story. I saw dozens of reports of people finding out that they've been secretly recorded. Others, you know, people who are finding these things in smoke detectors or in Wi-Fi extenders and all sorts of things. And Jane only found out because someone ratted out the sleaze of an ex-landlord 6 years later. But how many don't even know? Last year, Airbnb announced that the company would ban the use of surveillance cameras in its rentals, right? So the news was welcomed by those concerned about privacy, including someone like me. And since 2022, another rental platform, VRBO, big in the States, has banned the use of indoor cameras except those that are disclosed to guests and can be deactivated by them. American Hotel and Lodging Association, they represent 80% of all franchised hotels in the US. They said surveillance cameras in hotels should be limited to common areas, so lobbies, pools, and that's just for security purposes.

Graham Cluley

Yes, you wouldn't expect to have— I mean, you wouldn't expect to have a camera in your hotel room, would you? But, yeah, I suppose it'd be all right in a corridor or something.

Carole Theriault

Every state has the law apply slightly differently, but at the federal level, there's this Video Voyeurism Prevention Act of 2004, which prohibits knowingly videotaping, photographing, filming, recording by any means without an individual's consent where someone has a reasonable expectation of privacy.

Graham Cluley

You know when you do rent a property and you've got all these forms you have to sign? Yeah, yeah, yeah, sign here, sign there. You know, of course I haven't read them. I suppose they could sneak in a little paragraph saying, you don't mind us photographing you in the nude, do you? Right? I'm 78 years old and I'm a bit of a pervert.

Carole Theriault

You could probably contest that if it was in the small print.

Graham Cluley

Right.

Carole Theriault

Okay. But basically, my point here is the powers that be, so the companies and the government, they all seem to be on the same side. You know, don't surreptitiously record your guests without consent. Who's selling these devices which are disguised in this fashion? So I was researching the story and I look for things spy camera rental landlord, you know, court case, that kind of thing. And maybe there's 2 links on that kind of topic and the rest are either porn sites basically doing some kind of spycam cutie cutie something something bit dirty, or they're selling the spycams. Just do your own research and see. There's so many links about that stuff.

Graham Cluley

It's horrible, isn't it?

Carole Theriault

Mm-hmm. Reason I'm talking about this too is I've just been to a rental property for a group holiday. Okay. And there was tech all over the place.

Graham Cluley

Yeah, I know. I was able to watch you. I know. I saw you.

Carole Theriault

You know, there's a smart heating system. There's a Wi-Fi router, Wi-Fi extenders, Roombas, smart TVs, the whole lot. And any one of those things could have been retrofitted, right? And even with the teeny bit of infosec technology that I have, I wouldn't know where to start if I wanted to ensure I wasn't being recorded without my consent. Security pundits at Global Threat Solutions, they told The New York Times, right? So they had some advice, right? They said you gotta do a common sense search of a location. So quote, "This includes looking for small recording devices." Do you do that?

Graham Cluley

Of course you don't. And let's not forget that these cameras can be absolutely tiny. So my phone, right, has a camera on its front screen. There's a little pinprick of a hole. It's a very good camera. I can barely see it when I'm looking straight at it to work out it's there. You would never notice that.

Carole Theriault

You do have tiny eyes, right? Wow. Just kidding. More advice from this Global Threat Solutions is if you're uncertain, just throw a towel over the electric device or tape over the outlets. Or over yourself.

Graham Cluley

And then it doesn't matter where the camera is.

Carole Theriault

Yeah. Fire hazard anyway.

Graham Cluley

Fire hazard. Yes.

Carole Theriault

You know, let's just put blankets all over the electrical stuff.

Graham Cluley

This is insane.

Carole Theriault

Now they say because many recording devices require an internet connection to stream images, check the Wi-Fi network for any connected devices and ask what they are. It mentions apps such as Network Analyzer and Ubiquiti WiFiman, both apps I've not used, but apparently they will scan networks and detect connected devices. So that's kind of interesting. I didn't know that.

Graham Cluley

Yeah, but the connected device may just say smoke alarm. It won't necessarily— you don't have to name it like smoke alarm and spy camera, do you?

Carole Theriault

So what if you find a hidden camera in a hotel room or short-term rental, right? What do you do? The advice is gather evidence by taking pictures or videos and contacting the police. And then find, of course, new accommodations, right? Like pronto. Airbnb directs guests to report privacy violations to its customer support team, and Vrbo does the same. But you know what? I think I'd contact the cops first and then contact the Airbnbs and Vrbos of the world. I think the fact that it's reported means that they have more incentives to take action.

Graham Cluley

Yeah. What do you think? No, I agree. I agree. I mean, this is absolutely heinous, isn't it? And how horrendous.

Carole Theriault

And you don't know how often it's happening because, you know, if you don't know, you're none the wiser. I think the trick to not being surveilled is just to be stupidly boring. It's not my forte, obvi, right? But, you know, keep it dull, keep all your clothes on all of the time, say nothing, don't react, just to create the most boring footage in existence. And then it probably won't circulate. So what a dreamy vacation that would be.

Graham Cluley

Or if you're going on holiday, just stay in a tent. Stay in a tent.

Carole Theriault

Yeah. Make your own one of woods and twigs. Yes. You don't want to have any smart fibers in the tent. Smashing Security is sponsored this week by the Acronis Threat Research Unit. They're a dedicated team of cybersecurity experts inside Acronis specializing in threat intelligence, AI, and risk management.

Graham Cluley

That's right, Acronis's Threat Research Unit stays ahead of cyber risks to keep MSPs and their clients safe from attack, releasing security updates, threat intelligence, and monitoring the global threat landscape around the clock.

Carole Theriault

So if you wanna learn about emerging threats, get security insights, and support your IT teams with guidelines, incident response, and educational workshops, go to smashingsecurity.com/acronis. That's smashingsecurity.com/acronis. And thanks to Acronis for sponsoring the show.

Graham Cluley

Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Carole Theriault

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

Graham Cluley

You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.

Carole Theriault

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash Smashing Security. Smashing. And thanks to Vanta for sponsoring Smashing Security. If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.

Graham Cluley

But GRC isn't just about checking boxes. It's a revenue driver that builds trust, reduces trust, accelerates deals, and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.

Carole Theriault

With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistant.

Graham Cluley

Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security related necessarily. Better not be. Now, it's been said from time to time that my picks of the week are not necessarily erudite enough. They're not cultural enough. I don't think I've ever said that. Well, I think sometimes people have thought, Graham, you don't read books. Graham, you don't seem to have seen a lot of movies. You aren't recommending classical music.

Carole Theriault

It's more like, Graham, you haven't spent a lot of time preparing your pick of the week.

Graham Cluley

This week, my pick of the week is related to a chap called William Shakespeare. Who's that? He was a chap, a ginger chap with a beard, a Brummie from Birmingham, or more accurately Stratford-upon-Avon, which is quite close to Birmingham. And not very long ago, I visited Stratford-upon-Avon and I went to the Royal Shakespeare Theatre. La-di-da. Yeah, la-di-da, put on a play or two. My wife was kind enough to pop into the shop at the Royal Shakespeare Theatre, and she bought me a t-shirt. And it's a t-shirt covered in insulting Shakespearean language.

Carole Theriault

Oh, cute!

Graham Cluley

It turns out that insults aren't what they used to be. And I think that we've become rather lazy in the insults that we use in modern-day life. And maybe it's time to pick up some of the ones we used to use hundreds of years ago. And so I thought I would share with some of our listeners this week some of the insulting language, see how they like it.

Carole Theriault

Okay.

Graham Cluley

And maybe they can use it in their day. Right. So I've got a few for you, Carole. Okay. A lewdly inclined footlicker.

Carole Theriault

Lewdly inclined footlicker.

Graham Cluley

You Banbury cheese. You beetle-headed flappy-eared knave. You poisonous bunch-backed toad. And this was my favourite. Not so much brain as earwax.

Carole Theriault

Ah, yeah, I don't know if these would land very well today, do you think?

Graham Cluley

Well, they had them rolling around in the aisles. Apparently. Back in the days of Shakespearean plays, they thought this was— I don't know if you've ever seen a Shakespearean comedy.

Carole Theriault

I have.

Graham Cluley

But these, trust me, these are probably the best lines they have. So that is my recommendation for this week, are the insults of William Shakespeare, because I think it's time that we got a little bit more creative with our insults rather than calling everyone a— well, I won't say what I was going to say. Carole, what's your pick of the week?

Carole Theriault

Well, it's interesting that you mentioned a bearded, redheaded William Shakespeare because this is the time of year that we see a number of art societies host exhibitions. Yes. And I entered a piece called "The Rusty Sage" for the Oxford Art Society 2025 Spring Exhibition. Oh, yes. Let me show it to you. So this is— I put it in the show notes there. So this is what I entered. It's obviously this. You don't see it framed and mounted, but it is.

Graham Cluley

Oh, this is fabulous, Carole.

Carole Theriault

Do you like it? Does it remind you of anybody?

Graham Cluley

It reminds me a little bit of your husband, but he's not ginger. The Yeti.

Carole Theriault

Well, he used to be. Oh, did he?

Graham Cluley

Oh, before he became grey. Yeah, they married me. He certainly has an impressive beard. Oh, he's only got one ear that I can see. Is it Van Gogh supposed to be?

Carole Theriault

Maybe you can put it on Bluesky and you can share it with our listeners. What's interesting is how these things happen. So I'm a member of the society, but still, when they open their exhibitions, you know, an open call, you have to fill out a form, pay a small fee, and then get your work all ready for sale. And then you have to bring it in in person. And then it's only referred from then on by a special number. And it is presented to a judging panel of 5 people.

Graham Cluley

Oh, so they don't know you painted it. So there's no favoritism.

Carole Theriault

No. Oh, I see. So it would come up, it would be, say, it would come up to them and it would say the number 2377 Rusty Sage. Watercolor. And then the judges would go, yay, nay, yay, yay, yay, or yay, yay, yay, yay, yay, or nay, nay, nay, nay. And so my rusty sage got in, which is great.

Graham Cluley

Yeah, I really like that. I think it's terrific.

Carole Theriault

Well, thanks. And one of the big problems with art, right, is how you price it. So I priced it and I put it in for 500 quid. And doesn't that sound a huge amount of money? But the society gets 25%. The framing and mounting costs 75. So it's 300 quid.

Graham Cluley

Is what you'll get if it sells. If it sells.

Carole Theriault

Anyway, so listeners, anyone feeling flush and interested in purchasing a beautiful piece of art made by yours truly.

Graham Cluley

An original unique Theriault.

Carole Theriault

That's right. Yeah, exactly. So that's my pick of the week, is me and my Rusty Sage making it into the Oxford Art Society's members spring exhibition, yada yada yada yada.

Graham Cluley

Are you going to put this on your website or something like that so we could link to that?

Carole Theriault

Yes, yes, but remember I'm ill. I've got a big list of stuff I have to do. Yes, it will. It'll go on my website, promise.

Graham Cluley

Very good. Well, good luck, Carole. I'm sure it will sell because it looks fabulous.

Carole Theriault

Thank you very much, Graham.

Graham Cluley

Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And huge, huge thank you to our episode sponsors, Vanta, Drata, and Acronis. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 408 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye. Very impressive. I mean, £500 sounds a lot, but then you just think, how many hours did you put in learning how to paint? People can't do it, and it's cool.

Carole Theriault

And I like the title because, Rusty Sage, or Rusty—

Sponsored by:

  • Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
  • Acronis Threat Research Unit – Your secret weapon against cyber attacks. Access the reports now.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
