
Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world’s hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
For goodness' sake, he travels for 111 days, 8,000 miles, on a bit of cardboard effectively, halfway across the Pacific. Good for him! Well, good for him! And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it. Smashing Security episode 419: Star Wars, the CIA and a WhatsApp malware mirage, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 419. My name is Graham Cluley. And I'm Carole Theriault. And Carole, this week we are joined by a special guest who hasn't been on the show for a while. It's our pleasure to welcome back to the stage the Ransomware Sommelier. It's none other than Allan Liska. Hello, Allan.
Hello. Thank you for having me.
Hi, Allan. I missed you all so much. It's so good to be back. Yep, wait for that one next week, folks. What's coming up this week, Carole? Well, first, before we kick off, let's thank this week's wonderful sponsors, MetaCompliance, 1Password, and Vanta. It's their support that helps us give you this show for free. I'm going to be asking the question, why does the cute Star Wars fan website now redirect to the CIA?
Okay, what about you, Allan? I'm going to talk about a country full of scam call centres that you may not be aware of. Okay. And I'm looking at WhatsApp and what new scams are hitting it.
Now, chums, chums, are we all Star Wars fans? How do we feel about Star Wars?
Yeah. I'm a Star Wars fan. Yeah. Well, a die-hard?
Do you have the Lego?
So, funny story. My local library has a Lego club. Right. The kids there had been building TIE Fighters and other dark side ships, and I could not let that stand. And I found out that the only way they build ships is if they're donated. So I went and I bought a bunch of Rebel Lego ships and donated them to the library because I cannot allow the local library to be a harbinger of the dark side.
Yeah, you don't want that. That's not where the library belongs, for sure. Wow. OK, well, there are, of course, lots of websites devoted to Star Wars, which have cropped up, I suppose, ever since websites existed. Okay, well, crack on.
Last year, Reuters revealed they had located on the Internet Archive, you know, that place where you can go in the Wayback Machine and see old versions of websites, a now defunct network of websites that were used by spies and informants in various countries around the world to covertly communicate with the CIA.
What? So instead of using a messaging app, you would use a weird website? Who would use a messaging app? These messaging apps could have backdoors. Right. So instead, they use a forum?
Well, I will review a lot. Okay. Okay. I'm sorry. Sorry. According to this Reuters report, they found that at least 20 Iranian spies and potentially hundreds of informants had been exposed by using a vulnerable messaging system hosted on this network of websites. One man said he was captured by the Iranian authorities. He was imprisoned for a decade and subjected to torture. Really horrible stuff.
Because he did what?
Because he was using one of these websites to communicate with the CIA. He was an informant inside Iran. And he got caught.
And he got caught doing it.
Okay. And each website created by the CIA was assigned to just one spy. Each spy or informant had their own little website. Now, it wasn't messagethecia.com. Instead, it would be something like StarWarsWeb.net.
Oh, they weren't all Star Wars sites.
No, they weren't all Star Wars. I was just thinking that's a bit of a giveaway. I don't know. For instance, there was one called IranianGoals.com, which was designed for Iranian football fans. And if you went there, you could see lots of messages about football and videos and message boards and chatting about soccer. But if you looked at its code, you found some JavaScript located where its search box was. So like any of these web forums, I'm sure you've been on lots of these things over the years, Carole, and you too, Allan. You get a little search box, right? And you type in whatever it is that you want to search. Something that you're interested in, right? I go right for Jar Jar Binks content. Right. Gross. It's you that we have to blame for Jar Jar Binks. You make the SEO happen. Me so unhappy, you big Jar Jar Binks fan. So if you looked at the code of the website, you found this little bit of JavaScript where that search box was. And if you looked at the script, you'd find that the search box, they'd actually called it "password". That was the identifier they used on the search box, because all the informant had to do was go to the website and, in the search box, enter a password. And if they entered the right password, a secret messaging window would pop up on this normally completely legitimate-looking Star Wars or Iranian Goals website. And through that, they could covertly communicate with their handlers at the CIA. They could write their message and the CIA could communicate back with them via this website. The bad thing was that the code, as I said, wasn't very well hidden, because it identified that that search box was a password. And in fact, the password was hard-coded into it. So it was possible for anybody to go to the website and, with a little bit of kung fu in their browser, they could actually unlock and cause this messaging window to pop up. So there were lots and lots of websites which were all using the same or similar code.
So there was IranianGoals.com, for instance, which was set up for one informant. There was this Star Wars website set up for another. There was another one called Iranian Goal Kicks. And so it went on and on and on. And the CIA had made it too obvious which of these websites had actually been meddled with. And furthermore, another one of the mistakes the CIA made, and I mean this is a basic kind of OPSEC fail, was that the IP addresses pointing to these sites were sequential, meaning that after discovering one, it was pretty straightforward for anyone investigating to find others that were very likely in the same network. You must see problems like that all the time, Allan, when you're hunting down these ransomware gangs.
Yeah. I mean, it sounds like a combination of Google dorking and a little bit of quick searches and you find those. And we find stuff like this all the time when, in fact, that's how we can sometimes connect ransomware groups. Like, oh, they're basically just using the same code. So the authorities in Iran are thought to have found out about these websites around about 2011, 2012. And apparently they'd intensified their hunt for informants after Barack Obama publicly outed a secret Iranian nuclear facility in 2009.
Well, I imagine they probably tapped, you know, certain people in Iran to find out where they were going.
Maybe, but with help from Google, they were able to find out all the other sites as well. Maybe they found one informant and then all the others tumble out because of all these clues which have been left lying around the net. Now, unfortunately, they did not responsibly disclose their discovery of the vulnerability to the CIA. Funny that, isn't it? And it was only when the CIA realised that quite a lot of its informants were being rounded up or weren't making contact anymore, for reasons you can probably understand, that they closed down the operation in 2013. And it wasn't just Iran. Authorities in China, they'd also caught on between 2011 and 2012, more than two dozen CIA assets were reportedly executed in China. So this has serious consequences.
Do you not think every country's kind of doing a version of this, though?
Well, hopefully if they are, they're not doing such bad OPSEC to make it so obvious what the websites are and how to unlock them.
Yeah, it's hard for me to remember back in 2012 what the OPSEC would have and should have been, you know, what was expected. Because, of course, I'm putting my 2025 hat on and going, how hilarious.
It's always a problem, isn't it? And the thing is, you may have made a mistake in the past and then subsequently fixed that mistake. But if your website is getting archived, if someone's able to dig around in old versions of the website where maybe you had been a bit more careless, that's not so good, is it? I mean, this is one of those things that seems like a really good idea on the surface, right? This type of covert communication makes a lot of sense. Right, absolutely. Now, one researcher, a committed Google stalker called Ciro Santilli, he has now taken it upon himself to go digging for these websites. He's fascinated to know which websites were being created and run by the CIA on the quiet. So using tools like the Wayback Machine, IP history lookups, DNS records, he's managed to uncover many more CIA-affiliated domains. And they all had these sort of sequential IP addresses, had telltale URL structures. They often included the word "news" in the domain. And interestingly, some even targeted US allies like Brazil, Germany, France and Italy. So it wasn't just nations which would normally be considered hostile to the United States, like, I don't know, Canada at the moment, Greenland. It wasn't just them who were being targeted. The situation today is that more than 350 such websites have been identified due to the CIA's carelessness, including beauty websites, fitness websites, entertainment websites, a fan page for Johnny Carson of all people.
Can you imagine I have to go every day because I'm some secret informant. I got to go to some internet cafe back in 2011, right, and go look at beauty reviews. Or go and write about Johnny Carson, right. I'm not surprised. I'm not surprised at all. It's like newspapers. That's what it was before the internet, right? Yes, in the classifieds. So you just bury it in the haystack and tell someone where to find it.
Does anybody then try to offer up a piña colada for getting caught in the rain? Feel free to cut that. That was just a really bad joke that I really wanted to get in there. I think that joke will go down really well with people of my demographic. I'm not sure all of our listeners will have understood it. Probably a few.
Hi, how are you doing? Well, it could be encoded as well, you know, to send to somebody. It's another way of communicating. And you think, well, what might the CIA itself use, right? So the CIA set up the Star Wars website and et cetera to send these things. But, well, maybe we can learn a lesson from General David Petraeus. He's a former director of the CIA. He was having a bit of a naughty affair with the woman writing his biography. Of course. Not wanting to be found out, they struck upon a way of communicating. They didn't email each other or text or WhatsApp. Instead, they shared a Gmail account. And what they'd do is one of them would go into the account, write a message for the other one, and save it as a draft. It's the draft method. So it never got sent. The other one would go in later, read the draft, write their response. Unfortunately for them, in that particular case, a family friend of Petraeus reported to the FBI that she thought she was receiving harassing emails from someone. And the FBI investigated, found the IP address of the person sending them, and ended up back with Petraeus's biographer. Maybe she was getting a bit jealous of this friend of Petraeus. And they discovered that that person was logging into David Petraeus' Gmail account and saving drafts when communicating with him. All kind of embarrassing. It's just ridiculous. Well, if the CIA can't get it right for their informants, it seems they also can't get it right for themselves either. And so it's complicated. Just go to StarWars.com, because if you go to starwarsweb.net, if you enter that right now, you will end up on the CIA's homepage. Allan, what have you got for us this week?
Well, when we think of scam centres, like big call centres filled with people that launch scams around the world, what countries do you think of? Myanmar is spoken about a lot, isn't it? Myanmar is a big one. Laos. Yeah. We see some in Thailand, but where a lot of people don't know about them is Cambodia. And there's a new report out about Cambodia becoming the centre of the global scam economy, largely driven by Chinese organised crime, like the same thing in Myanmar, where it's still the Chinese organised crime that's running it. But Cambodia really is becoming a huge part of this global scam network. And in fact, the estimates are that it accounts for about 50% of the GDP in Cambodia now. 50%? Yes. Wow. And now that's just one report. So we take that into account, but roughly $75 billion annually. Obviously, those are huge numbers, and they're so big that basically it allows the people who run them to control whatever politicians and law enforcement and everything else and be able to operate kind of unscathed.
Are these people that have kind of been tricked into working there, or maybe working there because they've chosen to, and they're basically scamming people around the world and defrauding them somehow?
Right. And the estimate is that the Cambodia scam economy has about 150,000 coerced workers. Wow. Workers is, that's a very loose use of the word "workers" when we talk about it. So it is a huge, huge problem in Cambodia. I mean, it's a huge problem in many parts of the world, but I think Cambodia doesn't get the kind of attention that Myanmar and Laos normally do. So, again, these Chinese criminal gangs are able to operate there because they're able to control so much of the government because they make so much money. And it's one of these things where, and I know you all have talked about this before, where it's bad for everybody involved. Obviously, the people around the world getting scammed, it's terrible. But the people who are forced to do this scamming also are in horrible conditions and often can be killed if they try and leave or try and escape or anything like that. They are essentially slaves.
Right. We can't underline that enough. These people are not doing this willingly at all. No. And if you've seen, I think it was the New York Times that did an exposé on this, but there were these huge, vast camps of these huge warehouses where they're all working.
Right. Right. Because all their passports are seized. Yep. Modern slave labor. And so that's 150,000 essentially slaves in Cambodia. And then you multiply that by however many are in Myanmar. Yeah. There may be as many as a million people who are being basically forced into slave labor to carry out these attacks. But, you know, that's a million people. How many are they reaching out to every day? And how many people are getting scammed that we just don't know about? Because it's so underreported as well.
And do you think that Cambodia has the resources and the expertise to deal with this on its own? Can it handle it? Or is this something where they need help from other bodies internationally?
I think this is something where other bodies are going to have to step in, and they're going to have to step in broadly. I mean, we saw this just a few months ago where the authorities in Thailand raided one of these compounds in Myanmar and rescued 7,000 people that were being held captive there. 7,000 just in one compound in Myanmar, you know, it's going to take the larger governments to step in and do this. And yes, because it's the right thing to do, but also protect your own damn citizens, you know, who are getting scammed by this.
Yeah, totally. And China was kind of, I think, putting pressure on Thailand to deal with it. And I wonder if that will happen again, because their interests may be different in this case. Yeah.
Right. Well, you know. So it is interesting that on one hand, the Chinese government stepped in to try and help. On the other hand, they're not stopping the actual Chinese mafia from setting up these centres and so on. So the same can be said for any government, where on one hand they're trying to help with one thing, but on the other hand they're causing the problem. Certainly not the U.S. government. We never go around the world causing problems. But other governments do not engage in that.
It's a bit like the end of Graham's story. It's complicated. It's complicated.
Exactly. Carole, what have you got for us this week? I'm talking WhatsApp. Do you guys use it? I can't stand it. I have recently had to start using it because there are some groups who insist upon using it, like my son's football team and that sort of thing.
Okay, Allan, what about you?
Same. I get dragged kicking and screaming into it because it's so pervasive in the world, but it is not my first, second, third, or fourth choice of communication.
In some parts of the world, though, I mean, WhatsApp absolutely dominates. It is how people do business with each other. It's how they communicate, it's how you order things, it's how you buy things in some parts of the world. Thank goodness I'm not living in one of those, but it is everywhere.
It apparently accounts for 36% of the world's population, 2.95 billion monthly active users as of early 2025. Wow. Huge. Apparently there's 140 billion messages exchanged daily. Do you know that WhatsApp was turned down by Facebook way back in 2009?
Oh, they tried to sell it to them then, did they?
Facebook were like, no, thanks. No, thanks. But then they acquired it for 19 billion in 2014.
Yeah. And I think the WhatsApp founders, didn't they fall out with Mark Zuckerberg later? And they walked away, didn't they? They weren't happy with what Meta's plans were for it. Yeah, and there was a bit of irony because soon after the sale, the WhatsApp co-founder, Brian Acton, defended his decision to sell the company while encouraging students at Stanford to delete their accounts. BuzzFeed quote Acton saying, you go back to the Silicon Valley culture and people say, well, could you have not sold? And the answer is no, he said, referring to the decision to make the rational choice to take a boatload of money. Non-English? Yeah. America. Russia. Oh. Russia, which is interesting. But India, by far, has the most users. So 535 million users in India, and the next country is Brazil with 148 million. So India really dominates with the WhatsApp. Oh, I've heard of similar. Is this something where it's, oh, you can turn WhatsApp pink. You've just got to do this.
Yes. Yeah, my goodness. It's a pink makeover. Yeah. And it was for Android, but downloading it installed malware. In fact, the scam presented itself as an official update. So users were warned not to click the fake APK download link that was spreading around on the WhatsApp groups. But a smattering of news articles from India this morning reported that a new WhatsApp threat is doing the rounds, one that has a nasty financial twist. So here I'm thinking that this could be perhaps a good story for Smashing Security. We haven't covered WhatsApp in a while and this attack seems to have a new twist. And the reports are all coming out of India, where we know WhatsApp is incredibly popular. But I have concerns that perhaps the story is a little light in the loafers. And maybe you two cyber detectives will show us how to sniff that out. All right. So we have Madhya Pradesh, a 28-year-old guy from Javipur. And let's imagine perhaps he was chilling out somewhere, right? He's chilling out. Maybe he's enjoying a delicious mango lassi on his break. Okay. And he receives a WhatsApp message. And the thing is, he doesn't recognise the number, right? He doesn't recognise the number, but Madhya can see the message. And the message is asking if he knows the person in the attached photo. Okay. And then his phone rings from the same number. But Madhya doesn't answer the phone, right? And it rings again. He doesn't answer. Right. So how's Madhya feeling right now, right? He's probably a bit nervous because, you know, he's enjoying his mango lassi. And now his phone's ringing. Messages are coming in. But you want to know who that person is, because maybe you do know them, right? Okay. You're curious. All right. Allan, I mean, would you be, I mean, if you take your I-know-everything-about-cybersecurity hat off.
Quite a large hat. Think of your dad or your mom or someone.
Right, right. Yes. If it was one of my parents or maybe one of my kids, despite all the warnings I've given them, they would absolutely need to know and investigate. I would fall for it if it was, you know, can you tell me about this bottle of wine? Right. It is a bit gamified, right? It presents you with a quest of sorts. Who knows who you're going to see in that picture, where it's going to lead?
Sounds like a vulnerability in WhatsApp. I mean, they have had vulnerabilities before where you could send certain images or sequences of characters.
Theoretically, they had one in 2019. A CVE was raised about an innocent looking GIF greeting that was able to hack your smartphone. So WhatsApp patched this critical security vulnerability in its app for Android, which had remained unpatched for at least three months after it had been discovered. And had it been exploited, it could have allowed remote hackers to compromise Android devices and potentially steal files and messages. Now, all the reports I've seen, they've only come out today. There's a smattering of all the reports are in the show notes, but they're all papers that I can validate, but I can't verify as well as the ones that I can do in my own country.
I'm a little bit cautious. There'd have to be a vulnerability in the WhatsApp client to actually run the code which was hidden inside the image. Now, that is technically possible, and there have been vulnerabilities found like that in the past. But it would be interesting to hear what WhatsApp have to say about this. I would imagine that if there is such a vulnerability, they'd be rolling out a patch pretty darn quickly.
So when you download the image, it's still rendering in WhatsApp though, right? You're not downloading it. I mean, I know this is going way, way back, but I mean, that used to be a common exploit vector for Internet Explorer. It's one of the reasons why nobody uses Internet Explorer anymore is, you know, you were constantly finding in the image rendering process, you were constantly finding new vulnerabilities, to the point where it just, you know, became almost impossible for Microsoft to keep up with the patching. But it is really rare now. I'm guessing the articles didn't mention, but did they say what kind of image it was? Because there are certainly some types that are here to do this, but others like whether it's a JPEG or a TIFF or...
I've just done some Googling on this guy, Madja Kroll, and there are some reports. I found one from April the 17th, so that's about six weeks ago now. I'm dubious. I think that if this had been confirmed, we would be hearing quite a lot about this from other sources, including Meta itself. Now, sometimes these hoaxes can spread a lot. Everyone seems to be mentioning the same guy as well, this magic.
Well, that's my next thing that makes me worried, right? Because when you start doing a round, why is there only one person that's happened to? So that means what?
Yeah, it means everyone's repeating the same story. I'm wondering if this person lost a whole load of money and is thinking, oh, crumbs, you know, I've lost some money or I've spent it on the horses. Maybe I can blame it on a hacker instead. I don't know, you know. I'm just sceptical. I'd love to hear what Meta and WhatsApp have to say about it.
Okay, so I'm going to say good detective work, boys. I think we have to assume it's hogwash. And that maybe one media outlet wrote it up and other papers are just copycatting, which means you effectively only have a single source. And you have to ask yourself, is that single source trustworthy? And you can't assume that because other news outlets cover it, that it is trustworthy. The problems we have here are that all the articles are extremely light on technical details. Like what kind of image? Is it a vulnerability that was being exploited? The articles cite one guy, Madhya Pradesh, but in none of the articles did I see him quoted. There's no comment or response from WhatsApp, as you say, Graham. And unnamed security experts and their companies. I mean, give me a break. Who in the cyber spokesperson rat race would not want their name in lights? Now, if you are a WhatsApp user, reluctant ones like us or avid fans like 99% of my mom friends, here are a few safety tips that you should definitely consider. Enable two-factor authentication by using the secret PIN provided by the WhatsApp service. Check your privacy settings, so you can control who can see your personal info. Control groups. So WhatsApp groups change all the time. New members come in. Members decide to leave. Make sure you remove old or unknown contacts regularly. And block unwanted or unknown contacts. But yeah, in this case, I think we need to wait for further evidence before we believe there is a current WhatsApp image scam that will steal all your money.
I mean, if you think about it, just a few months ago, you all reported on Troy Hunt falling for a scam. I mean, all of us are susceptible to it. I think the thing that we benefit from is we're aware that we're susceptible to being able to fall for things like this. And if this does turn out to be a mistake or a false report, it's good to get out there that this thing is floating around that may or may not be true.
And don't forward warnings like that unless you're absolutely sure it is legitimate. It's easy to fall for these kinds of things, Carole. I mean, I can imagine lots of people doing it. I can understand. But well done you. Well done you for realising this probably isn't true. Now, the folks at MetaCompliance know that real cybersecurity starts with your people. That's why their approach is different. They don't just deliver generic cybersecurity training, they personalise it.
That's right. Every employee gets content tailored to their role, location and level of risk. It's engaging, it's relevant, and most importantly, it drives real behaviour change. MetaCompliance has created a free security awareness planner, your 12-month roadmap to building a culture of cyber awareness. It's designed to save you time, increase staff engagement, and make it easy to plan meaningful campaigns that reduce risk.
Whether you're just starting out or looking to improve your current programme, this planner gives you a clear, structured path to follow, and it's completely free. Download it today and take the first step towards smarter, more effective cyber awareness. Just visit metacompliance.com slash planner. That's metacompliance.com slash planner. And thanks to Metacompliance for sponsoring the show. Now, Carole, according to Vanta's latest state of trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to five times faster and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
Stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com slash smashing to learn more. That's vanta, V-A-N-T-A dot com slash smashing. And thanks to Vanta for sponsoring Smashing Security. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy and every app is visible.
So secure every app, device and identity, even the unmanaged ones, go to 1password.com slash smashing. That is 1password.com slash smashing. And welcome back. Can you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story or book they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security-related necessarily. My pick of the week this week is not security related. Have either of you heard of the Kon-Tiki? Or a Norwegian fella called Thor Heyerdahl?
Oh, this guy was a hero when I was a child. I remember hearing about this guy.
And the other day, my lovely wife and I were cuddled up on the sofa and we thought, what should we do? How should we entertain ourselves? And we started talking about the Kon-Tiki. Let me tell you what it was. In 1947, there was a journey made by a Norwegian explorer called Thor Heyerdahl. And what he did was he led an expedition. He decided to cross the Pacific Ocean between South America and the islands of Polynesia. It's about 8,000 miles. And he did it on a primitive raft made out of balsa wood with no nails, using only tools that would have been available to people a couple of thousand years ago. And he wanted to demonstrate that ancient South Americans could have settled Polynesia rather than the theory which had been at the time that they had come from Asia. And so he set off on this little raft for 8,000 miles. It took him 111 days, but they managed it. And it is an incredible story of both endurance and death defiance, because they really could have come a cropper a number of times. And there is on YouTube the actual film of the expedition, which won the Oscar in 1951 for Best Documentary. It's brilliant.
I know. I've just, I've known you a long time. Right. There's a lot of words that I would use to describe and ascribe to you. But adventurous person, you know, world wanderer with an adventurous spirit is not one. But maybe you live vicariously, I see.
I'm doing it from the comfort of my sofa on this occasion. That is why I'm so impressed by these people who do. I mean, these guys could have died. I mean, even when they got to the islands, well, first of all, they had to land. There was a coral reef. They realized they could have died. They were dealing with these huge sharks and whales, which were attacking them as well. So it's all in the movie. And they had a little parrot as well called Loretta. But it is an incredible story. Once they eventually got to the islands, of course, it was uninhabited. And so they then had to try and make contact with locals because they had nothing with them to help them to prove that they'd managed it. It's an incredible story. You can watch it on YouTube. It's called Kon-Tiki. K-O-N-T-I-K-I. And I'd really recommend it. It's an hour spent, if you don't mind, watching old movies in black and white.
And how many ads? Well, barely any adverts. There may be about three or four ad breaks in the hour. It was fine. It was worth it. For goodness sake, he travels for 111 days, 8,000 miles, on a bit of cardboard, effectively, halfway across the Pacific. And you're saying, oh dear, what a trial it will be to watch a movie with the occasional ad in it.
But I love old black and white films.
Where were you just now when she was slagging me off? You could have chirped up then, couldn't you? And said, yes, Graham, this sounds like a wonderful documentary. I'm going to watch it as soon as I hang up on this call.
It does sound like a wonderful documentary. And I'm going to watch it as soon as I hang up on this call.
Good man.
He's lying to you, Graham. He's lying. Alan, what's your pick of the week? My pick of the week, continuing the travel theme, is season 10 of Still Standing is now out on Amazon Prime.
I don't even know what Still Standing is.
What is Still Standing? I'm sure it's going to be very, very good because I actually appreciate your picks of the week. Alan, what is Still Standing?
We live our lives in misery, right? We're constantly dealing with attacks and scams and all this other stuff. And sometimes you just need a little bit of happiness. And so Still Standing is a Canadian show with host Johnny Harris. He basically travels to small towns in Canada and does a profile of them. And at the end of his profile, he does a five-minute sitcom set. But basically the idea is, you know, there are all these small towns in Canada that are struggling, but they're finding ways to survive and change and adapt, you know, as factories close, as fisheries close, etc. They're finding ways to continue to survive and even thrive. And we get to go to all these amazing small towns in Canada, not on a cardboard raft. We get to put Johnny traveling with his crew and we get to meet all of these cool people in these small towns doing fun, interesting things. Maybe they're making dream catchers. They're doing all of these fun things and they're just really filled with interesting people. And it's just after a day of misery, it's just so nice to sit back and watch happiness. And it makes me want to go visit every small town in Canada.
It sounds heartwarming, Alan. Sounds lovely. Where are you watching this, Alan?
I can watch it on Amazon Prime in the US.
Okay. I'll take a look for that here in the UK.
But I think it's also on the CBC website. I just don't know if it's available to watch outside of Canada on the CBC website. But Amazon Prime in the US has all 10 seasons of it. And this is Still Standing. Season 10, yes. But all of the seasons are wonderful. And I love Johnny Harris because he is so sincere and just so interested in all of these people's lives that it just adds to the enhancement.
Who is Johnny Harris? Is he a Canadian institution? Is he someone you've heard of, Carole?
No.
So he is the star of something called the Murdoch Mysteries. So he is a Canadian actor, but I don't think he's well known outside of Canada.
We have a lot of very special treasure that we keep just for the Canadians. And because I don't live there anymore, I don't even get access.
Some of them are allowed out, though, aren't they? Like William Shatner and Mike Myers. You, yes.
Ryan Adams, Michael J. Fox. Celine Dion. I just watched Eurovision. She was supposed to show up. She never did. It's very sad. It's got to be a downer, hasn't it? Carole, what's your pick of the week?
My pick of the week is a just-opened exhibition at the Somerset Hauser & Wirth Gallery. So the Yeti and I were away this weekend in this tiny town called Bruton, B-R-U-T-O-N, in Somerset. And it's a tiny foodie village and is home to one of the Hauser & Wirth galleries. And it's a pretty swank village. The Spar looks like Whole Foods, right? The Spar is your corner shop where you go get your whatever. And this gallery is so beautiful and it's home to mega contemporary art exhibitions. And we went to see the Niki de Saint Phalle and Jean Tinguely Myths and Machines exhibition, links in the show notes. Saint Phalle is known for her huge dazzling female sculptures, often outside, maybe 15, 20 feet tall. And they're covered with a mosaic of tiles or mirrors. And they just make you smile and love life. And her partner in art crime, Tinguely, was more focused on recycling dead machine parts into new configurations. They were big in the 80s. And these configurations are pretty scary. They move as well. It's a free exhibit. Go for free. You don't even have to book. Just walk around, take a few hours and enjoy it. And then you can spend your coppers at their fancy farm shop or their fancy bookshop or their fancy cafe restaurant. And you walk around the gardens. It was great. It's home to Godminster Cheddar Cheese as well, so you can go by there. So highly recommended pick of the week is the Somerset Hauser & Wirth Gallery showing Saint Phalle and Tinguely, Myths and Machines Exhibition. And it's available till the 1st of February, 2026.
So a museum with a farm shop and a bookshop? I mean, I can't imagine, you know, if you had a wine bar there, then I might just move in.
And kids love it. There's loads of place for the kids to run around and it's just really a special spot. It was really great.
Fantastic. Well, that just about wraps up the show for this week. Thank you so much, Alan, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
You can follow me on Bluesky at ransomwaresommelier.com.
Terrific. And you can find Smashing Security on Bluesky as well, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify and Pocket Casts.
And huge thank you to our episode sponsors, Meta Compliance, 1Password and Vanta. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list and the entire back catalog of more than 418 episodes, check out smashingsecurity.com.
Until next time. Cheerio. Bye bye. Bye. Take care.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Allan Liska – @ransomwaresommelier.com
Episode links:
- How I found a Star Wars website made by the CIA – Ciro Santilli on YouTube.
- How the CIA failed Iranian informants in its secret war with Tehran – Reuters.
- Isis and al-Qaeda sending coded messages through eBay, pornography and Reddit – Independent.
- Games Without Frontiers: Investigating Video Games as a Covert Channel – IEEE.
- General David Petraeus used clever Gmail trick during affair – Network World.
- Cambodia is home to world’s most powerful criminal network: report – SCMP.
- How to protect yourself from suspicious messages and scams – WhatsApp.
- Is WhatsApp Safe? Tips for Staying Secure – WhatsApp.
- Hacked on WhatsApp – how to stay safe when using the messaging app – BBC.
- Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp – The Hacker News.
- Kon-Tiki: The Epic Raft Journey Across the Pacific – YouTube.
- Still Standing with Jonny Harris – CBC.
- Niki de Saint Phalle & Jean Tinguely – Myths & Machines – Hauser & Wirth.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- MetaCompliance – MetaCompliance’s Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
