Smashing Security podcast #419: Star Wars, the CIA, and a WhatsApp malware mirage

Industry veterans, chatting about computer security and online privacy.

Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world’s hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
For goodness' sake, he travels for 111 days, 8,000 miles, on a bit of cardboard, effectively, halfway across the Pacific.
CAROLE THERIAULT
Good for him!
Unknown
Well, good for him! And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it.

Smashing Security, episode 419: Star Wars, the CIA, and a WhatsApp malware mirage with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 419. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, this week we are joined by a special guest, someone who hasn't been on the show for a while. It's our pleasure to welcome back to the stage the ransomware sommelier.

It's none other than Allan Liska. Hello, Allan.
ALLAN LISKA
Hello, thank you for having me.
GRAHAM CLULEY
Hi, Allan.
ALLAN LISKA
I missed you all so much. It's so good to be back. I'm a little disappointed that I couldn't get episode 420, but, you know, I'll take 419.
GRAHAM CLULEY
Yep, wait for that one next week, folks. What's coming up this week, Ro?
CAROLE THERIAULT
Well, first, before we kick off, let's thank this week's wonderful sponsors, MetaCompliance, 1Password, and Vanta. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be asking the question, why does the cute Star Wars fan website now redirect to the CIA.
CAROLE THERIAULT
Okay, and what about you, Allan?
ALLAN LISKA
I'm gonna talk about a country full of call scam centers that you may not be aware of.
CAROLE THERIAULT
Okay, and I'm looking at WhatsApp and what new scams are hitting it. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, are we all Star Wars fans? How do we feel about Star Wars?
ALLAN LISKA
Yeah, I'm a Star Wars fan.
CAROLE THERIAULT
Yeah, well, are you a diehard? Do you have the Lego?
ALLAN LISKA
So, funny story, my local library has a Lego club, and the kids there had been building TIE fighters and other dark side ships, and I could not let that stand.

And I found out that the only way they build ships is if they're donated.

So I went and I bought a bunch of Rebel LEGO ships and donated them to the library because I cannot allow the local library to be a harbinger of the dark side.
CAROLE THERIAULT
Yeah, you don't want— yeah, that's not where a library belongs for sure.
GRAHAM CLULEY
Wow. Okay. Well, there are, of course, lots of websites devoted to Star Wars, which have cropped up, I suppose, ever since websites existed.

The films themselves have been going for so many, many years. There's lots of them out there. There's the official ones, and there's the ones created by the community as well.

For instance, there's a website called starwarsweb.net.

And if you went to starwarsweb.net, where once you saw pictures of R2-D2 and Lego sets and kids dressed up as Jedis, now you will be redirected to the CIA's website.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And it's an interesting story as to why that actually happened. And that's what I'm going to be sharing today.
CAROLE THERIAULT
Okay, well, crack on.
GRAHAM CLULEY
Last year, Reuters revealed they had located on the Internet Archive, you know, that place where you can go in the Wayback Machine and see old versions of websites.

It located a now defunct network of websites that were used by spies and informants in various countries around the world to covertly communicate with the CIA.
CAROLE THERIAULT
What? So instead of using a messaging app, you would use a weird website?
GRAHAM CLULEY
Who would use a messaging app? These messaging apps could have backdoors.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
The intelligence services could be wise to these messaging apps.
CAROLE THERIAULT
So instead they use a forum?
GRAHAM CLULEY
Well, I will reveal all.
CAROLE THERIAULT
OK, OK. Sorry, sorry.
GRAHAM CLULEY
According to this Reuters report, they found that at least 20 Iranian spies and potentially hundreds of informants had been exposed by using a vulnerable messaging system hosted on this network of websites.

One man said he was captured by the Iranian authorities. He was imprisoned for a decade and subjected to torture. Really horrible stuff.
CAROLE THERIAULT
Because he did what?
GRAHAM CLULEY
Because he was using one of these websites to communicate with the CIA. He was an informant inside Iran.
CAROLE THERIAULT
And he got caught, I bet.
GRAHAM CLULEY
And he got caught doing it. Each website created by the CIA was assigned to just one spy. Each spy or informant had their own little website. Now it wasn't messagethecia.com.

Instead, it would be something like starwarsweb.net.
CAROLE THERIAULT
Oh, they weren't all Star Wars sites.
GRAHAM CLULEY
No, they weren't all Star Wars. I was just thinking that's a bit of a giveaway.
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
For instance, there was one called iraniangoals.com, which was designed for Iranian football fans.

And if you went there, you could see lots of messages about football and videos and message boards and chatting about soccer.

But if you looked at its code, you found some JavaScript located where its search box was.

So any other of these web forums, I'm sure you've been on lots of these things over the years, Carole, and you too, Allan.
CAROLE THERIAULT
You get a little search box, right? And you type in whatever it is that you want to search, something that you're interested in, right?
CAROLE THERIAULT
Okay.
ALLAN LISKA
I go right for Jar Jar Binks content.
CAROLE THERIAULT
Right. Gross.
GRAHAM CLULEY
It's you that we have to blame for Jar Jar Binks.
CAROLE THERIAULT
You make the SEO happen.
GRAHAM CLULEY
Me so, I'm happy. You're a big Jar Jar Binks fan. So if you looked at the code of the website, you found this little bit of JavaScript where that search box was.

And if you look at the script, you'd find that the search box, they'd actually called it password.

That was the identifier they used on the search box because all the informant had to do was go to the website and in the search box, enter a password.

And if they entered the right password, a secret messaging window would pop up on this normally completely legitimate looking Star Wars or Iranian goals website.

And through that, they could covertly communicate with their handlers at the CIA. They could write their message and the CIA could communicate back with them via this website.

The bad thing was that the code, as I said, wasn't very well hidden because it identified that that search box was a password. And in fact, the password was hardcoded into it.

So it was possible for anybody to go to the website and with a little bit of kung fu in their browser, they could actually unlock and cause this messaging window to pop up.

So there were lots and lots of websites which were all using the same or similar code. So there was IranianGoals.com, for instance, which was set up for one informant.

There was this Star Wars website set up for another. There was another one called IranianGoalKicks. And so it went on and on and on.

And the CIA had made it too obvious which of these websites had actually been meddled with.

And furthermore, another one of the mistakes the CIA made— I mean, this is basic kind of OPSEC fail.

Was that the IP addresses pointing to these sites were sequential, meaning that after discovering one, it was pretty straightforward for anyone investigating to find others that were very likely in the same network.

You must see problems like that all the time, Allan, when you're hunting down these ransomware gangs.
ALLAN LISKA
Oh yeah.

I mean, it sounds like a combination of Google doxing and a little bit of quick searches, and you find those. We find stuff like this all the time; in fact, that's how we can sometimes connect ransomware groups. Like, oh, they're basically just using the same code.
GRAHAM CLULEY
Yeah. So the authorities in Iran are thought to have found out about these websites around about 2011, 2012.

And apparently they'd intensified their hunt for informants after Barack Obama publicly outed a secret Iranian nuclear facility in 2009.

So they went looking, thinking, who's doing this informing? And with a little help from Google, they discovered these suspicious sites.
CAROLE THERIAULT
Well, I imagine they probably tapped certain people in Iran to find out where they were going.
GRAHAM CLULEY
Maybe, but with help from Google, they were able to find out all the other sites as well.
CAROLE THERIAULT
Sure.
GRAHAM CLULEY
Maybe they found one informant and then all the others tumbled out because of all these clues which had been left lying around the net.

Now, unfortunately, they did not responsibly disclose their discovery of the vulnerability to the CIA. Funny that, isn't it?

And it was only when the CIA realised that quite a lot of its informants were being rounded up or weren't making contact anymore, for reasons you can probably understand, that they closed down the operation in 2013.
CAROLE THERIAULT
And it wasn't just Iran. Authorities in China, they'd also caught on. Between 2011 and 2012, more than two dozen CIA assets were reportedly executed in China.

So this has serious consequences.
CAROLE THERIAULT
Do you not think every country's kind of doing a version of this, though?
GRAHAM CLULEY
Well, hopefully if they are, they're not doing such bad OPSEC to make it so obvious what the websites are and how to unlock them.
CAROLE THERIAULT
Yeah, it's hard for me to remember back in 2012 what the OPSEC would have and should have been, you know, what was expected.

Because of course, I'm putting on my 2025 hat on and going, how hilarious.
GRAHAM CLULEY
But yeah, it's always a problem, isn't it? And the thing is, you may have made a mistake in the past and then subsequently fix that mistake.

But if your website is getting archived, if someone's able to dig around in old versions of the website where maybe you had been a bit more careless, that's not so good, is it?
ALLAN LISKA
I mean, this is one of those things that seems a really good idea on the surface, right? This type of covert communication makes a lot of sense.

You don't have to have a lot of expensive technology. You don't have to use apps that may be hacked. But the execution is just as important as the idea.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Absolutely. Now, one researcher, a committed Google dorker called Ciro Santilli, he has now taken it upon himself to go digging for these websites.

He's fascinated to know which websites were being created and run by the CIA on the quiet.

So using tools like the Wayback Machine, IP history lookups, DNS records, he's managed to uncover many more CIA-affiliated domains, and they all had these sort of sequential IP addresses, had telltale URL structures.

They often included the word news in the domain. And interestingly, some even targeted US allies such as Brazil, Germany, France, and Italy.

So it wasn't just nations which would normally be considered hostile to the United States, I don't know, Canada at the moment, Greenland.

It wasn't just them who were being targeted.

The situation today is that more than 350 such websites have been identified due to the CIA's carelessness, including beauty websites, fitness websites, entertainment websites, a fan page for Johnny Carson, of all people.
CAROLE THERIAULT
Can you imagine? I have to go every day because I'm some secret informant. I gotta go to some internet café back in 2011, right? And go get beauty reviews.
GRAHAM CLULEY
Or go and write about Johnny Carson.
CAROLE THERIAULT
Right? Ugh.
GRAHAM CLULEY
Now, all this got me thinking, what other ways have people tried to covertly communicate with each other without being spotted by intelligence agencies and law enforcement?

And there've been all kinds of techniques.

In 2015, there were sources inside Israel's spy agency Mossad who claimed that members of ISIS and al-Qaeda had been sending coded messages through eBay, for instance.
CAROLE THERIAULT
I'm not surprised. I'm not surprised at all. It's like newspapers. That's what it was before the internet, right?
GRAHAM CLULEY
Yes, in the classifieds.
CAROLE THERIAULT
So you just bury it in the haystack and tell someone where to find it.
ALLAN LISKA
Does anybody then try to offer up a piña colada for getting caught in the rain? Feel free to cut that. That was just a really bad joke that I really wanted to get in there.
GRAHAM CLULEY
I think that joke will go down really well with people of my demographic. I'm not sure all of our listeners will have understood it.
CAROLE THERIAULT
Probably a few. Probably a few.
GRAHAM CLULEY
There's also been talk of online video games being considered a viable covert communications channel. Obviously, some games have got their own in-game chat system.

That'd be fairly obvious.

But you could also have a real-time strategy game where if you made certain troop movements, or in-game actions that might transmit a message or send a message covertly to someone else.

Or I even was thinking, well, you know, these games where you explore the environment, you could take over a lighthouse in a video game and send Morse code messages by flashing the light to someone on the other side of the gaming world.

Yeah. So these things are possible. I was also reading some other ideas people had. If you were in close vicinity to your contact, right?

Imagine you wanted to communicate with someone who was fairly close, but you didn't want to use the phone.
CAROLE THERIAULT
Or my mouth.
GRAHAM CLULEY
Or you couldn't use your mouth or SMS or send them a letter. You couldn't use the internet.
CAROLE THERIAULT
Pigeon.
GRAHAM CLULEY
Pigeon. You could rename your Wi-Fi network to communicate discreetly. You could put messages in your hotspot name.
CAROLE THERIAULT
Hi, how are you doing?
GRAHAM CLULEY
Well, it could be encoded as well. Well, you know, to send to somebody. It's another way of communicating. And you think, well, what might the CIA itself use, right?

So the CIA set up the Star Wars website and etc. to send these things. But, well, maybe we can learn a lesson from General David Petraeus. He's a former director of the CIA.

He was having a bit of a naughty affair with the woman writing his biography.
CAROLE THERIAULT
Of course. Of course.
GRAHAM CLULEY
Not wanting to be found out, they struck upon a way of communicating. They didn't email each other or text or WhatsApp. Instead, they shared a Gmail account.

And what they'd do is one of them would go into the account, write a message for the other one, and save it as a draft.
ALLAN LISKA
Mm-hmm.
CAROLE THERIAULT
It's a draft method.
GRAHAM CLULEY
So, it never gets sent. Yeah. And the other one would go in later, read the draft, write their response.

Unfortunately for them, in that particular case, a family friend of Petraeus reported to the FBI that she thought she was receiving harassing emails from someone, and the FBI investigated, found the IP address of the person sending them, ended up back with Petraeus's biographer.

Maybe she was getting a bit jealous of this friend of Petraeus, and they discovered that that person was logging into David Petraeus's Gmail account and saving drafts when communicating with him.

All kind of embarrassing.
CAROLE THERIAULT
It's just ridiculous. It's just ridiculous.
GRAHAM CLULEY
Well, if the CIA can't get it right for their informants, it seems they also can't get it right for themselves either. And so it's complicated.
CAROLE THERIAULT
It's complicated.
GRAHAM CLULEY
Just go to starwars.com. Because if you go to starwarsweb.net, if you enter that right now, you will end up on the CIA's homepage. Allan, what have you got for us this week?
ALLAN LISKA
Well, when we think of scam centers, big call centers filled with people that launch scams around the world—
GRAHAM CLULEY
Yes.
ALLAN LISKA
What countries do you think of?
GRAHAM CLULEY
Myanmar is spoken about a lot, isn't it?
ALLAN LISKA
Mm-hmm. Myanmar's a big one. Laos.
GRAHAM CLULEY
Yeah.
ALLAN LISKA
We see some in Thailand, but where a lot of people don't know about them is Cambodia.

And there's a new report out about Cambodia becoming the center of the global scam economy, largely driven by Chinese organized crime.

It's the same thing in Myanmar, where it's still the Chinese organized crime that's running it. But Cambodia really is becoming a huge part of this global scam network.

And in fact, the estimates are that it accounts for about 50% of the GDP in Cambodia now.
CAROLE THERIAULT
50%?
ALLAN LISKA
Yes.
GRAHAM CLULEY
Wow.
ALLAN LISKA
And now that's just one report, so we take that into account, but roughly $75 billion annually.

Obviously those are huge numbers and they're so big that, you know, basically it allows the people who run them to control whatever politicians and law enforcement and everything else and be able to operate kind of unscathed.
CAROLE THERIAULT
Are these people that have kind of been tricked into working there or maybe working there because they've chosen to and they're basically scamming people around the world and defrauding them somehow?
ALLAN LISKA
Right. And the estimate is that the Cambodia scam economy has about 150,000 coerced workers. Workers is— that's a very loose use of the word workers when we talk.

So it is a huge, huge problem in Cambodia.

I mean, it's a huge problem in many parts of the world, but I think Cambodia doesn't get the kind of attention that Myanmar and Laos normally do.

Again, these Chinese criminal gangs are able to operate there because they're able to control so much of the government because they make so much money, right?

And it's one of these things where— and I know you all have talked about this before where it's bad for everybody involved.

Obviously, the people around the world getting scammed, it's terrible.

But the people who are forced to do the scamming also are living in horrible conditions and often can be killed if they try and leave or try and escape or anything like that.
GRAHAM CLULEY
They are essentially slaves, right? We can't underline that enough. These people are not doing this willingly at all.
CAROLE THERIAULT
No.

And if you've seen, I think it was the New York Times that did an exposé on this, but there were these huge, vast camps of these huge warehouses where they're all working, you know.

It's just a bunch of computers in there and people, you know, without passports, right?
ALLAN LISKA
Right, because all their passports are seized. Modern slave labor. And so that's 150,000 essentially slaves in Cambodia, and then you multiply that by however many are in Myanmar.

Yeah, there may be as many as a million people who are being basically forced into slave labor to carry out these attacks. But, you know, that's a million people.

How many are they reaching out to every day, and how many people are getting scammed that we just don't know about because it's so underreported as well.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And do you think that Cambodia has the resources and the expertise to deal with this on its own?

Can it handle it, or is this something where they need help from other bodies internationally?
ALLAN LISKA
I think this is something where other bodies are going to have to step in and they're going to have to step in broadly.

I mean, we saw this just a few months ago where the authorities in Thailand raided one of these compounds in Myanmar and rescued 7,000 people that were being held captive there.

7,000 just in one compound in Myanmar. You know, it's going to take the larger governments to step in and do this.

And yes, because it's the right thing to do, but also protect your own damn citizens, you know, who are getting scammed by this.
CAROLE THERIAULT
Yeah, totally. And China was kind of, I think, putting pressure on Thailand to deal with it. And I wonder if that will happen again, right?

Because their interests may be different in this case.
ALLAN LISKA
Yeah, right.

Well, you know, it is interesting that on one hand the Chinese government stepping in to try and help, on the other hand they're not stopping the actual Chinese mafia from setting up these centers and so on.

So the same can be said for any government where on the one hand they're trying to help with one thing, but on the other hand they're causing the problem. Certainly not the U.S. government. We never go around the world causing problems, but other governments engage in that.
CAROLE THERIAULT
It's a bit like the end of Graham's story. It's complicated. It's complicated.
GRAHAM CLULEY
Exactly. Carole, what have you got for us this week?
CAROLE THERIAULT
I'm talking WhatsApp. Do you guys use it? Do you like it?
GRAHAM CLULEY
I can't stand it. I have recently had to start using it because there's some groups who insist upon using it, like my son's football team and that sort of thing.

It's like, oh, really? Do I have to use this? To be honest, I think I'm a bit old for all the learning new apps now, Carole. It's a bit of a struggle.
CAROLE THERIAULT
Okay, Allan, what about you?
ALLAN LISKA
Same. I get dragged kicking and screaming into it because it's so pervasive in the world, but it is not my first, second, third, or fourth choice of communication.

I would rather go to StarWarsWeb.net.
GRAHAM CLULEY
In some parts of the world, though, I mean, WhatsApp absolutely dominates. It is how people do business with each other. It's how they communicate, how you order things.

It's how you buy things in some parts of the world. Thank goodness I'm not living in one of those. But it is everywhere.
CAROLE THERIAULT
It apparently accounts for 36% of the world's population, 2.95 billion monthly active users as of early 2025. Huge. Apparently there's 140 billion messages exchanged daily.

Do you know that WhatsApp was turned down by Facebook way back in 2009?
ALLAN LISKA
Wow.
GRAHAM CLULEY
Oh, they tried to sell it to them then, did they?
CAROLE THERIAULT
And Facebook were like, no thanks, no thanks. But then they acquired it for $19 billion in 2014.
GRAHAM CLULEY
So, yeah. And I think the WhatsApp founders, didn't they fall out with Mark Zuckerberg later? And they walked away, didn't they? They weren't happy with what Meta's plans were for it.
CAROLE THERIAULT
Yeah.

And there was a bit of irony because soon after the sale, the WhatsApp co-founder Brian Acton defended his decision to sell the company while encouraging students at Stanford to delete their accounts.

BuzzFeed quoted Acton as saying, "You go back to the Silicon Valley culture and people say, 'Well, could you have not sold?' And the answer is no," he said, referring to the decision to make the rational choice to take a boatload of money.

So I don't know, maybe a moral quandary. Perhaps, but I digress. Okay. What was the first non-English market, do you think? I love having a little few weirdo facts.
GRAHAM CLULEY
Non-English?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
America. Russia.
CAROLE THERIAULT
Oh, Russia, which is interesting. But India by far has the most users. So 535 million users in India. And the next country is Brazil with 148 million.

So India really dominates with the WhatsApp. So it's a big, fat, well-used service.

And of course, as we've seen again and again, when something becomes effectively ubiquitous or is used by a huge glut of people, it becomes a sexy target for baddies.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So over the years, we've seen a number of scams and malware attacks targeting WhatsApp users from the get-rich-quick schemes, a la crypto scam, or romance scams.

You know, that move targets to WhatsApp to get more cozy and personal. And there was that pink theme scam. Do you remember that? This was in 2021.
GRAHAM CLULEY
Oh, I've heard of similar— is this something where it's oh, you can turn WhatsApp pink, you've just got to do this?
CAROLE THERIAULT
Yes. Yeah, my goodness, it's a pink makeover. Yeah, and it was for the Android, but downloading it installed malware.

In fact, the scam presented itself as an official update, so users were warned not to click the fake APK download link that was spreading around on the WhatsApp groups.

But a smattering of news articles from India this morning reported that a new WhatsApp threat is doing the rounds, one that has a nasty financial twist.

So here I'm thinking that this could be perhaps a good story for Smashing Security. We haven't covered WhatsApp in a while, and this attack seems to have a new twist.

And the reports are all coming out of India, where we know WhatsApp is incredibly popular.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
But I have concerns that perhaps the story is a little light in the loafers. And maybe you two cyber detectives will show us how to sniff that out.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
So we have Madhya Pradesh, a 28-year-old guy from Jabalpur. And let's imagine perhaps he was chilling out somewhere, right? He's chilling out.

Maybe he's enjoying a delicious mango lassi on his break.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And he receives a WhatsApp message. And the thing is, he doesn't recognize the number, right? He doesn't recognize the number, but Madhya can see the message.

And the message is asking him if he knows the person in the attached photo.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And then his phone rings from the same number, but Madhya doesn't answer the phone, right? And it rings again and he doesn't answer. So—
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So how's Madhya feeling right now, right? He's probably a bit nervous because, you know, he's enjoying his mango lassi and now his phone's ringing, messages are coming in.

But you want to know who that person is because maybe you do know them, right?
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
You're curious.
GRAHAM CLULEY
All right. Yes.
CAROLE THERIAULT
I think, am I, Allan? I mean, would you be? I mean, if you take your "I know everything about cybersecurity" hat off.
GRAHAM CLULEY
Quite a large hat, I imagine.
CAROLE THERIAULT
Think of your dad or your mom or someone.
ALLAN LISKA
Right. Right. Yes. If it was one of my parents or maybe one of my kids, despite all the warnings I've given them, they would absolutely need to know and investigate.

I would fall for it if it was, you know, can you tell me about this bottle of wine?
CAROLE THERIAULT
Right. It is a bit gamified, right? It presents you with a quest of sorts. Who knows who you're going to see in that picture, where it's going to lead?

Anyway, Madhya's probably hovering his finger over the image and decides, you know, I got to see who it is. And in doing that, he downloads the image.

And this ends nowhere good because within minutes, Madhya's phone was reportedly compromised, and unauthorized transactions drained the equivalent of about $2,000 from his bank account.
GRAHAM CLULEY
Just by viewing the image?
CAROLE THERIAULT
By viewing the image, because he downloaded it.

And it seems investigations revealed that malware had secretly infiltrated his phone via the image file, so that when Madhya downloaded the image, it was game over.

The malware was silently installing on his device.
GRAHAM CLULEY
Hmm.
CAROLE THERIAULT
So they're saying it's hidden inside the image itself.
GRAHAM CLULEY
Sounds like a vulnerability in WhatsApp. I mean, they have had vulnerabilities before where you could send certain images or sequences of characters.
CAROLE THERIAULT
Yes, theoretically. They had one in 2019. A CVE was raised about an innocent-looking GIF greeting that was able to hack your smartphone.

So WhatsApp patched this critical security vulnerability in its app for Android, which had remained unpatched for at least 3 months after it had been discovered.

And had it been exploited, it could have allowed remote hackers to compromise Android devices and potentially steal files and tap messages.

Now, all the reports I've seen, they've only come out today.

They're all— there's a smattering of them; all the reports are in the show notes, but they're all papers that I can validate, but I can't verify as well as the ones that I can do in my own country.
GRAHAM CLULEY
I'm a little bit cautious. There'd have to be a vulnerability in the WhatsApp client to actually run the code, which was hidden inside the image.

Now that is technically possible and there have been vulnerabilities found like that in the past, but it would be interesting to hear what WhatsApp have to say about this.

I would imagine that if there is such a vulnerability, they'd be rolling out a patch pretty darn quickly.
ALLAN LISKA
So when you download the image, it's still rendering in WhatsApp though, right? You're not downloading it.

I mean, I know this is going way, way back, but I mean, that used to be a common exploit vector for Internet Explorer.

That's one of the reasons why nobody uses Internet Explorer anymore is, you know, you were constantly finding in the image rendering process, you were constantly finding new vulnerabilities to the point where it just became almost impossible for Microsoft to keep up with the patching.

But it is really rare now. I'm guessing the articles didn't mention, but did they say what kind of image it was?

Because there are certainly some types that are you have to do this with others.
CAROLE THERIAULT
Nope.
GRAHAM CLULEY
Like whether it's a JPEG or a TIFF or— Mm-mm. I've just done some Googling on this guy, Madja Krol, and there are some reports.

I found one from April 17th, so that's about 6 weeks ago now. I'm dubious. I think that if this had been confirmed, we would be hearing quite a lot about this.

From other sources, including Meta itself. Now, sometimes these hoaxes can spread a lot. Everyone seems to be mentioning the same guy as well, this Madja.
CAROLE THERIAULT
Well, that's my next thing that makes me worried, right? Because when you start doing a round, why is there only one person that's happened to? So that means what?
GRAHAM CLULEY
Yeah, it means everyone's repeating the same story.

I'm wondering if this person lost a whole load of money and is thinking, oh crumbs, you know, I've lost some money or I spent it on the horses.

Maybe I can blame it on a hacker instead. I don't know, I'm just skeptical, I'd love to hear what Meta and WhatsApp have to say about it.
CAROLE THERIAULT
Okay, so I'm going to say good detective work, boys. I think we have to assume it's hogwash.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
And that maybe one media outlet wrote it up and other papers are just copycatting, which means you effectively only have a single source.

And you have to ask yourself, is that single source trustworthy? And you can't assume that because other news outlets cover it, that it is trustworthy.

The problems we have here are that all the articles are extremely light on technical details. Like what kind of image? Is it a vulnerability that was being exploited?

The articles cite one guy, Madhya Pradesh, but in none of the articles did I see him quoted. There's no comment or response from WhatsApp, as you say, Graham.

And unnamed security experts and their companies. I mean, give me a break. Who in the cyber spokesperson rat race would not want their name in lights?

Now, if you are a WhatsApp user, reluctant ones like us or avid fans like 99% of my mom friends, here are a few safety tips that you should definitely consider.

Enable two-factor authentication by using the secret PIN provided by the WhatsApp service.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Check your privacy settings, so you can control who can see your personal info. Control groups. So WhatsApp groups change all the time. New members come in, members decide to leave.

Make sure you remove old or unknown contacts regularly and block unwanted or unknown contacts.

But yeah, in this case, I think we need to wait for further evidence before we believe there is a current WhatsApp image scam that will steal all your money.
ALLAN LISKA
I mean, if you think about it, just a few months ago, you all reported on Troy Hunt falling for a scam. I mean, you know, all of us are susceptible to it.

I think the thing that we benefit from is we're aware that we're susceptible to being able to fall for things like this.

And if this does turn out to be a mistake or, you know, a false report, it's good to get out there that this thing is floating around that may or may not be true.
GRAHAM CLULEY
Yeah. And don't forward warnings like that unless you're absolutely sure it is legitimate. It's easy to fall for these kind of things, Carole.

I mean, I can imagine lots and lots of people doing it. I can understand. But well done, you. Well done on you for realizing this probably isn't true.

Now, the folks at MetaCompliance know that real cybersecurity starts with your people. That's why their approach is different.

They don't just deliver generic cybersecurity training, they personalize it.
CAROLE THERIAULT
That's right. Every employee gets content tailored to their role, location, and level of risk. It's engaging, it's relevant, and most importantly, it drives real behavior change.

MetaCompliance has created a free security awareness planner, your 12-month roadmap to building a culture of cyber awareness.

It's designed to save you time, increase staff engagement, and make it easy to plan meaningful campaigns that reduce risk.
GRAHAM CLULEY
Whether you're just starting out or looking to improve your current program, this planner gives you a clear, structured path to follow, and it's completely free.

Download it today and take the first step towards smarter, more effective cyber awareness. Just visit metacompliance.com/planner. That's metacompliance.com/planner.
CAROLE THERIAULT
And thanks to MetaCompliance for sponsoring the show.
GRAHAM CLULEY
Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
CAROLE THERIAULT
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
CAROLE THERIAULT
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.

Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security.

Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? Oops, I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
GRAHAM CLULEY
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
CAROLE THERIAULT
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.

It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
GRAHAM CLULEY
So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ALLAN LISKA
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related. My Pick of the Week this week. Have either of you heard of the Kon-Tiki? Nope. No.

Or a Norwegian fella called Thor, or Thor Heyerdahl? Oh, this guy was a hero when I was a child. I remember hearing about this guy.

And the other day, my lovely wife and I were cuddled up on the sofa and we thought, what shall we do? How shall we entertain ourselves? And we started talking about the Kon-Tiki.

Let me tell you what it was. In 1947, there was a journey made by a Norwegian explorer called Thor Heyerdahl. And what he did was he led an expedition.

He decided to cross the Pacific Ocean between South America and the islands of Polynesia. Right, it's about 8,000 miles.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
And he did it on a primitive raft made out of balsa wood with no nails, using only tools that would have been available to people a couple of thousand years ago.

And he wanted to demonstrate that ancient South Americans could have settled Polynesia rather than the theory which had been at the time that they had come from Asia.

And so he set off on this little raft for 8,000 miles. It took him 111 days, but they managed it.

And it is an incredible story of both endurance and death defiance because they really could have come a cropper a number of times.

And there is on YouTube the actual film of the expedition, which won the Oscar in 1951 for best documentary. It's brilliant.
CAROLE THERIAULT
I know, I've just, I've known you a long time.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And there's a lot of words that I would use to describe and ascribe to you.
GRAHAM CLULEY
Thank you very much.
CAROLE THERIAULT
But adventurous person, you know, world wanderer with an adventurous spirit is not one. But you, maybe you live vicariously, I see.
GRAHAM CLULEY
I'm doing it from the comfort of my sofa on this occasion.
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
That is why I'm so impressed by these people who do. I mean, these guys could have died. I mean, even when they got to the islands, well, first of all, they had to land.

There was a coral reef. They realised they could have died. They were dealing with these huge sharks and whales, which were attacking them as well. This is all in the movie.

And they had a little parrot as well called Lorita. But it is an incredible story. Once they eventually got to the islands, of course, it was uninhabited.

And so they then had to try and make contact with locals because they had nothing with them to help them to prove that they'd managed it. It's an incredible story.

You can watch it on YouTube. It's called Kon-Tiki, K-O-N-T-I-K-I. And I'd really recommend it. It's an hour spent, if you don't mind watching old movies in black and white.
CAROLE THERIAULT
And how many ads?
GRAHAM CLULEY
Oh, barely any adverts.
CAROLE THERIAULT
All right.
GRAHAM CLULEY
There may be about 3 or 4 ad breaks in the hour. It was fine. It was worth it.

For goodness' sake, he travels for 111 days, 8,000 miles on a bit of cardboard, effectively, halfway across the Pacific.
CAROLE THERIAULT
Good for him.
GRAHAM CLULEY
Well, good for him. And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it. Anyway, it's my pick of the week. I greatly enjoyed it.

And can I tell you, Mrs. Cluley greatly enjoyed it as well. So we had a good old time.
CAROLE THERIAULT
Sounds fabulous.
GRAHAM CLULEY
Thank you very much. That is my pick of the week. Allan, would you want to have watched a documentary like that?
ALLAN LISKA
I would, but I love old black and white films, so—
GRAHAM CLULEY
Well, where were you just now when she was slagging me off? When she was saying, why have you been watching that? You could have chirped up then, couldn't you?

And said, "Yes, Graham, this sounds a wonderful documentary. I'm going to watch it as soon as I hang up on this call."
ALLAN LISKA
It does sound a wonderful documentary, and I'm going to watch it as soon as I hang up on this call.
GRAHAM CLULEY
Good man. Okay, Allan.
CAROLE THERIAULT
He's lying to you, Graham. He's lying.
GRAHAM CLULEY
Allan, what's your pick of the week?
ALLAN LISKA
My pick of the week, continuing the travel theme, is season 10 of Still Standing is now out on Amazon Prime.
CAROLE THERIAULT
I don't even know what Still Standing is.
GRAHAM CLULEY
What is Still Standing? I'm sure it's going to be very, very good because I actually appreciate your picks of the week, Allan. So what is Still Standing?
ALLAN LISKA
We live our lives in misery, right? You know, we're constantly dealing with hacks and scams and all this other stuff, and sometimes you just need a little bit of happiness.

And so, Still Standing is a Canadian show with host Johnny Harris.

He basically travels to small towns in Canada and does a profile of them, and at the end of his profile, he does a 5-minute sitcom set.

But basically the idea is, you know, there are all these small towns in Canada that are struggling, but they're finding ways to survive and change and adapt, you know, as factories close, as fisheries close, etc.

They're finding ways to continue to survive and even thrive. And we get to go to all these amazing small towns in Canada, not on a cardboard raft.

We get to go with Johnny traveling with his crew, and we get to meet all of these cool people in these small towns doing fun, interesting things.

Maybe they're making dream catchers.

They're doing all of these fun things, and they're just— It's just really filled with interesting people, and it's just— after a day of misery, it's just so nice to sit back and watch happiness, and it makes me want to go visit every small town in Canada.

Ah!
GRAHAM CLULEY
It sounds heartwarming, Allan. Sounds lovely.
CAROLE THERIAULT
Where are you watching this, Allan?
ALLAN LISKA
I can watch it on Amazon Prime in the US.
CAROLE THERIAULT
Okay, okay. I'll take a look for that here in the UK.
ALLAN LISKA
But I think it's also on the CBC website. I just don't know if it's available to watch outside of Canada, or, you know, outside of the CBC website.

But Amazon Prime in the US has all 10 seasons of it.
CAROLE THERIAULT
And this is Still Standing. Season 10, you said? Season 10.
ALLAN LISKA
Season 10, yes. But all of the seasons are wonderful.

And, you know, and I love Johnny Harris because, you know, he is so sincere and just so interested in all of these people's lives that it, you know, that it just adds to the enhancement.
GRAHAM CLULEY
Who is Johnny Harris? Is he a Canadian institution? Is he someone you've heard of, Carole?
CAROLE THERIAULT
No.
GRAHAM CLULEY
Right?
ALLAN LISKA
So, he is the star of something called The Murdoch Mysteries. So, he is a Canadian actor, but I don't think he's well known outside of Canada.
GRAHAM CLULEY
Okay. All right.
CAROLE THERIAULT
We have a lot of very special treasure that we keep just for the Canadians. And because I don't live there anymore, I don't even get access, so.
GRAHAM CLULEY
Some of them are allowed out though, aren't they? Like William Shatner and Mike Myers. Me? You, yes.
ALLAN LISKA
Bryan Adams, Michael J. Fox.
CAROLE THERIAULT
Celine Dion. Oh, I just watched Eurovision. She was supposed to show up. She never did. It's very sad.
GRAHAM CLULEY
Always got to be a downer, haven't you? Carole, what's your pick of the week?
CAROLE THERIAULT
My pick of the week is a just-opened exhibition at the Somerset Hauser Wirth Gallery.

So the Yeti and I were away this weekend in this tiny town called Bruton, B-R-U-T-O-N, in Somerset.

And it's a tiny, tiny foodie village and is home to one of the Hauser Wirth galleries. And it's a pretty swank village. Like, the Spar looks like Whole Foods, right?

The Spar is like your corner shop where you go get your whatevers. And this gallery is so beautiful, and it's home to mega contemporary art exhibitions.

And we went to see the Niki de Saint Phalle and Jean Tinguely Myths and Machines exhibition. Links in the show notes.

Saint Phalle is known for her huge, dazzling female sculptures, often outside, maybe 15, 20 feet tall, and they're covered with a mosaic of tiles or mirrors.

And they just make you smile and love life. And her partner in art crime, Tinguely, was more focused on recycling dead machine parts into new configurations.

They were big in the '80s. And these configurations are pretty scary. They move as well. It's a free exhibit. Go for free. You don't even have to book.

Just walk around, take a few hours and enjoy it. And then you can spend your coppers at their fancy farm shop or their fancy bookshop or their fancy cafe restaurant.

And you can walk around the gardens. It was great. Home to Godminster cheddar cheese as well. So you can go by there.

So highly recommended pick of the week is the Somerset Hauser Wirth Gallery showing Saint Phalle and Tinguely Myths and Machines exhibition, and it's available till the 1st of February, 2026.
ALLAN LISKA
So wait, a museum with a farm shop and the bookshop? I mean, I can't imagine, you know, if you had a wine bar there, then I might just move in.
CAROLE THERIAULT
And kids love it. Like, there are loads of places for the kids to run around, and it's just really a special spot. That was really great.
GRAHAM CLULEY
Fantastic. Well, that just about wraps up the show for this week. Thank you so much, Allan, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
ALLAN LISKA
You can follow me on Bluesky at ransomwaresommelier.com.
GRAHAM CLULEY
Terrific. And you can find Smashing Security on Bluesky as well, unlike Twitter, which wouldn't let us have a verified account.

And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And huge, huge thank you to our episode sponsors, MetaCompliance, 1Password, and Vanta. And of course, to our wonderful Patreon community.

It's their support that helps us give you this show for free.

For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 418 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye. Bye.
ALLAN LISKA
Take care.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Allan Liska – @ransomwaresommelier.com

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • MetaCompliance – MetaCompliance’s Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
