Smashing Security podcast #452: The dark web’s worst assassins, and Pegasus in the dock

Hacking stories and cybersecurity insights.

Graham Cluley


In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device.

Plus, we go looking for professional hitmen online – only to uncover uncomfortable questions about why some crimes attract customers but very few complaints.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veteran and keynote speaker Graham Cluley, joined this week by special guest Joe Tidy.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
JOE TIDY
And I spoke to the police about this and I said, what are you going to do about this? And he says, we haven't had any complaints, so there's no victims. Perfect crime.
Unknown
Wow. Smashing Security, episode 452: The Dark Web's Worst Assassins and Pegasus in the Dock with Graham Cluley and special guest Joe Tidy.

Hello, hello, and welcome to Smashing Security episode 452. My name's Graham Cluley.
JOE TIDY
And I'm Joe Tidy.
GRAHAM CLULEY
Joe, welcome back to the show. Lovely to have you on again.

Of course, you are the author of Control Alt Chaos, the book which we were talking about last year about some of the astonishing hacking, particularly that case which happened with the Vastaamo Psychotherapy Clinic over in Finland and the chap who was behind all of that.
JOE TIDY
For my money, the cruelest cyberattack in history. I just think, you know, there hasn't been one that's been so nasty, insidious.

And, you know, the fact that he, Julius Kivimäki, went directly after the patients and emailed them and said, I've got your therapy notes, pay me or I'll publish them online.

You know, the impact that had on people was absolutely enormous. And that's what the book addresses.

And also this kind of cycle that we're in where young boys fall down a dark path towards cybercrime.
GRAHAM CLULEY
Yeah, it's a really interesting book. I've greatly enjoyed reading it.
JOE TIDY
Thank you.
GRAHAM CLULEY
And it's coming out in the United States.
JOE TIDY
Yeah, North America. So United States and Canada. It came out last year in the UK and Europe. And I think other places, Australia as well.

But yeah, big launch in the US and Canada now this week. Very excited.
GRAHAM CLULEY
But that's not the only thing that's been keeping you busy because of course you are the cyber correspondent over on the BBC and you've also been pumping out some episodes recently of the Cyber Hack podcast too.
JOE TIDY
Yeah, it's Evil Corp.

So I'm sure the listeners of Smashing Security will know Evil Corp, the infamous Russian cyber gang I describe them as kind of the cockroaches of cyber because they just won't die.

They sort of evolve as the cybercrime underworld has changed and shifted. So they started off in banking Trojans in the early days, sort of 2009, 10, and then moved into ransomware.

Now there's pretty decent evidence that they could be working directly with the Russian state.

So we've done a whole podcast series all about it called, as you say, Cyber Hack Evil Corp.
GRAHAM CLULEY
Amazing, isn't it? And I think these are the guys who have... They've got Lamborghinis and they're sort of going around Moscow.
JOE TIDY
You've got it.
GRAHAM CLULEY
Am I right in remembering that you may actually have gone to Moscow to try and hunt one of them down?
JOE TIDY
I did.
GRAHAM CLULEY
And knocking on the front door of the father of one of them.
JOE TIDY
Yes, you're absolutely right. So it was just before the full-scale invasion. So it was end of 2021.

And actually, I remember it very vividly, lying on the sun lounger, my hammock in my garden one summer.

And I thought to myself, huh, there's another load of Russians here that have been named and shamed by the West as being cybercriminals. We never hear from these individuals.

And it was Maksim Yakubets was doing the rounds and Igor Turashev, these names, they have pictures everywhere saying these are guys responsible for hundreds of millions of dollars worth of damage.

Let's go there and try and find them. A stupid idea, obviously.
GRAHAM CLULEY
You're a braver man than me.
JOE TIDY
The BBC let me do it. And there was all sorts of safety concerns and all the rest of it.
GRAHAM CLULEY
Yes.
JOE TIDY
It was not a nice assignment. I found it intimidating. I really did not enjoy it at all. But we got pretty close.

So we managed to knock on lots and lots of doors around Moscow looking for these guys and elsewhere.

We went to a place called Yoshkar-Ola as well, 1,000 kilometres to the east of Moscow. Just shows how big Russia is. And we spoke to the father.

So that's actually, we've kind of dug up some of that material for this latest series that we've done on BBC World Service.

But, you know, we've done some new stuff as well, and we've told the story in much more depth and detail about this family.

And I co-presented it with Sarah Rainsford, who's the former Moscow correspondent at the BBC, speaks fluent Russian. She's an awesome lady, and we had a great time.
GRAHAM CLULEY
Well, before we kick off, let's thank this week's wonderful sponsors: Passwork, CoreView, and Vanta. We'll be hearing more about them later on in the podcast.

This week on Smashing Security, we're not going to be talking about how Windows PCs have been refusing to shut down after a buggy Patch Tuesday. Newsday Update.

You'll hear no discussion of how Russian-linked hackers are being blamed for an attack on the Polish power grid.

And we won't even mention how 31 more people have been arrested in connection with a malware scheme designed to steal money from ATMs.

So Joe, what are you going to be talking about this week?
JOE TIDY
I'm going to talk about how Saudi Arabia is being asked to cough up after being found to hack a dissident living in the UK.
GRAHAM CLULEY
And I'm gonna be going on the hunt for online hitmen. All this and much more coming up on this episode of Smashing Security.

Well, we've got time right now to hear from one of our sponsors, Passwork. If you work in cybersecurity, you already know this. Most secrets don't get stolen, they leak.

Passwords pasted into chat tools, shared admin accounts, those spreadsheets everyone pretends don't exist. Passwork is built to stop that.

It's a password manager and secrets management platform designed for organisations that want on-premise deployment, meaning your sensitive data stays on your own infrastructure under your control.

That matters if you're dealing with regulatory requirements, data sovereignty, or simply don't want your most critical secrets living in someone else's cloud.

From a security perspective, Passwork uses a zero-knowledge architecture with strong, openly documented encryption, and its design is regularly tested by independent security researchers.

Operationally, it's built for real teams.

Role-based access control, integration with existing identity systems, support for MFA, highly available architecture designed to keep things running when parts of your environment fail.

And unlike those tools that look cheap until you start paying for them in time and stress, Passwork focuses on long-term stability, a public development roadmap, and a lower total cost of ownership.

Passwork, it's not just a password management platform, it's a secure, adaptable secrets manager built to meet your business needs.

To find out more, go to smashingsecurity.com/passwork. That's smashingsecurity.com/passwork. So Joe, I've got a question for you. Do you have a nemesis?
JOE TIDY
Plenty. How long you got? You know what? I don't.
GRAHAM CLULEY
You don't have to name them.
JOE TIDY
I have rivals and people that, you know, I hope to do as well as or better than. But no, I don't think I have a nemesis as such.
GRAHAM CLULEY
There's no one you'd actually like to disappear?
JOE TIDY
Disappear, oof. A cartel person.
GRAHAM CLULEY
Go swimming with the fishes.
JOE TIDY
Give them an offer they can't refuse.
GRAHAM CLULEY
No.
JOE TIDY
No, I'm pleased to say I don't. Do you?
GRAHAM CLULEY
Well, you know, look, I'm asking the questions here, Joe.
JOE TIDY
You asked a journalist on, you know, this is how it goes.
GRAHAM CLULEY
But if you did want to hire a hitman, where would you go?
JOE TIDY
Well, I'd go the darknet, surely.
GRAHAM CLULEY
The darknet. It's the obvious place to go, isn't it? And if you went on the darknet, you may well stumble across a number of websites.

There are websites called things like Besa Mafia, Camorra Hitman, or my personal favourite, the delightfully unimaginatively named Number One Hitman Marketplace.
JOE TIDY
I wonder what they do there.
GRAHAM CLULEY
Yeah, exactly. I mean, this has great search engine optimisation.
JOE TIDY
Yeah, true.
GRAHAM CLULEY
It sounds like the kind of place you'd find on the high street, you know, between Cartridge World and Cartridge UK and a kebab shop and Poundland. Number One Hitman Marketplace.

You could imagine this. And these websites, they promise to connect you with professional assassins. 'Cause you don't want an amateur assassin.

If you're going to pay for the job, you want it done properly, right?
JOE TIDY
Well, you'd hope so.
GRAHAM CLULEY
And the way in which it works is you upload a photograph of your target. So you hope that you've chosen the right image in your camera roll, rather than a selfie of yourself.

You provide them with the address of the target, maybe their daily routine. You specify how would you like them dispatched?

So, a typical one would be, make it look like a robbery gone wrong.

An unusual one would be, I want it to look like a steamroller has careered down the high street and flattened them. Whatever it may be.
JOE TIDY
In my head now, I'm just imagining that Austin Powers scene with the steamroller, and it's moving really, really slowly, and the guard's saying, stop, please, stop!

And he just could walk out the way, but he doesn't do it. Of all the things, a steamroller, you wouldn't choose that.
GRAHAM CLULEY
What is there is, of course, the payment. And on these websites, you are asked to pay between $5,000 and $20,000 in cryptocurrency.

Of course, some people feel like they're going to get scammed. It's like, well, you know, this may be a con. How do I— I mean, you guys are criminals.

How do I know if I give you all this bitcoin that you're not just going to run away with it? And these sites can have escrow systems.

Because even legitimate murder-for-hire operations are keen on protecting their customers and their consumers. And so they say, well, we will keep it in escrow.

And so we won't get our hands on it until the job is done properly, which is obviously marvellous, right? Customer service.
JOE TIDY
Admirable.
GRAHAM CLULEY
Admirable, isn't it? So it even gets better than that, though. These sites have referral programs.

So if you have a friend who wants someone murdered, you can get them to sign up on these sites and you will earn a 10% commission, apparently.

So you can hand out links to people and say, oh, you're looking for an assassin? I can't help you. Try this link. And you will then eventually get this payment.

And if you go to these sites, you'll even find customer reviews. I don't think they're on Trustpilot.

I don't think you'll see them there, but you'll see them listed on the actual website saying what a great job which they've done.

And these whole operations are being promoted by freelance search engine optimisation experts based in India.

They've been hired to make sure that Besa Mafia appears at the top of the Google search results if you look for hitman for hire and these other sites or pages which then tell you to install the Tor browser and go and visit.
JOE TIDY
I was going to say, so that if they're advertising on the clear web, but there must be links to Tor to click through and find them.
GRAHAM CLULEY
Yes, so they'll have to walk you through the process of how you're actually going to get there.
JOE TIDY
I suppose Google wouldn't accept a paid-for ad in that, you'd hope not, but they can use SEO to get to the top through other means, I suppose. Yeah, okay.
GRAHAM CLULEY
Yes. We would like to think that Google would not accept an ad.
JOE TIDY
Yeah, but then some of the stuff you see, I mean—
GRAHAM CLULEY
It's best to know. I mean, they no longer say, "Do no evil," but yeah, I would like to think that they wouldn't. That's probably against the rules. So, this is going on.

And what's just happened is that some authorities in Romania have just conducted raids in Bucharest and Râmnicu Vâlcea, a city which is so notorious for cybercrime that it is literally nicknamed Hackerville.
JOE TIDY
I've heard of this place.
GRAHAM CLULEY
That's what it's called.
JOE TIDY
Yes.
GRAHAM CLULEY
There's your next destination, Joe.
JOE TIDY
I know.
GRAHAM CLULEY
Come the summer holidays, head over to Hackerville. Bit of a busman's holiday.
JOE TIDY
For my summer holiday with the kids and the family. Sounds good.
GRAHAM CLULEY
Exactly. Do a little bit of work while you're out there. Why not? So, these cops, they've seized about $650,000 in cryptocurrency.

And they are questioning two men, aged 33 and 35, who they say are connected to a website called Online Killers Marketplace.

And this was done at the request of UK authorities who are investigating charges, including incitement to murder and money laundering as well.

And this is where it gets interesting, right? These websites are making money. They have customers. But also, these websites are almost certainly scams.

So when you go online, I'm afraid to anyone who did want to hire a hitman, if you go online looking for a hitman—
JOE TIDY
Bad news.
GRAHAM CLULEY
Bad, bad news. Because you're almost certainly going to actually be going to a scam website, which is conning you out of money. So no actual hitmen are ever dispatched.
JOE TIDY
This sounds a lot like— do you remember that story about The Kill List? I saw a TED Talk about it from the journalist that was involved in it.
GRAHAM CLULEY
Carl Miller was his name.
JOE TIDY
That's the guy. I bet you've had him on, haven't you?
GRAHAM CLULEY
I haven't had him on, but I should get him on.
JOE TIDY
Oh, he'll be next. He'll be next.

Yeah, so I remember with that one, a cybersecurity researcher found that the hitmen website on the darknet was really badly secured, so he could read all the messages.
GRAHAM CLULEY
So the researcher, his name was Christopher Monteiro. He managed to get into the backend of the Besa Mafia site way back in 2016.

Found hundreds of names of what is known as the kill list. He exposed this person known only as Yura, who would string along customers with excuses.

So you'd pay your money for the assassination, then he'd say, "Well, look, the assassin's been a bit busy. He's got problems getting a flight.

Maybe you can hand over a bit more money.

He's just been arrested for cocaine possession, but I've got this other assassin who can step in, but he's gonna require a larger payment." And so they would con you out of further amounts of cash, rather like the romance scammers.
JOE TIDY
Yeah, pig butchering.
GRAHAM CLULEY
Yeah, exactly. So it's a clever scam operation, albeit somewhat niche in terms of who it's targeting.

And of course, the victims— I put them in quotes— the victims, the people who are trying to hire hitmen, it's not as though they're gonna go to the police, are they?
JOE TIDY
No, no. It reminds me, and not to bring this back to my book, but it did genuinely remind me of this.

So the main cybercriminal in my book is Julius Kivimäki, this guy that hacked the Vastaamo psychotherapy chain. But he also did lots of other cybercrimes when he was a teenager.

And the most recent thing he's been accused of is super smart, and it's almost the perfect crime, similar to what you're describing here.

So what he did was he hijacked the Google pages for drugs marketplaces on the darknet, changed those Tor addresses to ones that he controlled.

It's all alleged, hasn't been proven in court. And then so people would search the clearnet for where to buy their drugs. They go on the darknet links.

It all looks the same as the actual real marketplaces that are in inverted commas legitimately selling drugs.

But of course, all the money that people are paying for the cannabis and MDMA and cocaine, it's going straight to him.
GRAHAM CLULEY
Yeah.
JOE TIDY
And I spoke to the police about this and I said, what are you gonna do about this? And he says, we haven't had any complaints, so there's no victims. Perfect crime.
GRAHAM CLULEY
Wow. Absolutely astonishing, isn't it? So yeah, I guess this is a problem with this one as well is who's actually going to complain.

So as I said, this researcher, he exposed this person called Yura. So he was outed. But then the researcher was on the receiving end of threats from Yura themselves.

So this person who claimed to be running a hitman-for-hire site started threatening the researcher.

He hired freelancers to create fake websites and blog posts claiming that Monteiro himself was actually running this hitman-for-hire website.

And in fact, back in February 2017, apparently he was eating pumpkin soup in his London flat. That's the kind of detail which I enjoy.
JOE TIDY
We need that.
GRAHAM CLULEY
Of all the soups, he was eating pumpkin soup, and armed police smashed through his door, and they arrested him for running the very murder-for-hire website that he was trying to expose.

And now he was eventually released, but you can imagine spending years being on the hunt, unmasking a cyber scammer, and then find yourself arrested and being accused of the person who was actually doing it.

It's a bit if it happened to you, Joe.
JOE TIDY
Yeah, well, you know, as a journalist, you know, I look at some pretty dark stuff online, and, you know, sometimes I have to be careful that we don't have the police knocking on my door.
GRAHAM CLULEY
Now, the team who exposed this, and the journalist who wrote about it as well, they eventually identified 175 live, paid-for kill orders.

And the investigation eventually led to around about 30 convictions around the world, and people were put in prison as a result of doing this.

Although it has since been claimed, in fact quite recently I believe, there may have been an additional 2,000 kill orders which had gone through that website.

Tragically, in at least one case, where a hired hitman predictably never materialized, the customer actually took matters into their own hands.

There was a Minnesota man named Stephen Allwine, church deacon. He paid $12,000 to have his wife, Amy, killed through the Besa Mafia website.

What he didn't know was that the site had been hacked by the security researcher and was passing the information to the FBI. The FBI went round to his house to warn his wife.

They sat down with his wife, with him in the room, and said, "We want you to know that someone has been on the internet trying to hire a hitman to kill you." The FBI didn't know that the actual person who'd done the hiring was there in the room.

And a few months later, she was killed by him. Absolutely ghastly.

The FBI is saying, "Oh, you wanna beef up your home security?" What they didn't know was there was the person right there and then who was ultimately gonna commit the crime. Wow.

Turned out he was also an active user of Ashley Madison. I don't know what we can read into that as well, but— Hmm.
JOE TIDY
There's a Venn diagram there somewhere.
GRAHAM CLULEY
I think there is, isn't there?

So, we've got this bizarre situation where a criminal scam designed to steal money from would-be murderers actually saved some lives by taking their cash and doing nothing.

But we also saw the researcher who exposed it getting arrested thanks to the scammers' superior SEO skills and the FBI warning murder victims about their potential impending death while the killer sat behind her.

It's just ghastly. And now we've had these latest raids in Romania encouraged by the UK authorities. It really sounds the same scam is happening once again.

Just as it happened before, other websites are being created claiming you can hire a hitman. And in fact, it's a scam.

You said, this is a cybercrime where there may be no reports of a scam actually happening because why would people ever do this?

So if you're listening to this and you've ever been tempted to search for a hitman on the dark web, you're almost certainly going to get scammed.

And quite frankly, I'm pleased that you're going to get scammed.
JOE TIDY
There's a Venn diagram there as well. Smashing Security listeners and people who want to hire hitmen.
GRAHAM CLULEY
Yeah, so your details have probably been logged. There's a chance that a researcher or a journalist or the cops are eventually going to come knocking on your door.
JOE TIDY
Well, famously, in the Silk Road case, yeah, the Ross Ulbricht one, that was a case of hitmen being hired by Ross Ulbricht.
GRAHAM CLULEY
That's right.
JOE TIDY
With or without the coercion of the US police, very controversial tactics were used in that case. But, you know, he wanted someone dead.

I think from memory, maybe it had been two people, and he went through the process of hiring them and paying the money.

And then the hitmen, who were the police, sent pictures back faking the murder.

Yeah, I don't know why people are trusting online hitmen to carry out the job you pay them for, because there's an absolutely enormous history of this going back now.

What was Silk Road, 2011, 2012?
GRAHAM CLULEY
And he's now out now, of course he got pardoned, didn't he? I believe by the Trump administration.
JOE TIDY
Yes, he's on a sort of victory lap tour and he's become a hero to sort of the bitcoin community. And yeah, it's a very fascinating sort of arc for him.
GRAHAM CLULEY
No doubt he'll have a podcast next.
JOE TIDY
Oh, I bet he already does. I'm sure he does.
GRAHAM CLULEY
This episode of Smashing Security is sponsored by CoreView. Now, most security teams think they've got Microsoft 365 covered.

They can spot suspicious logins, they can see dodgy activity, they get the alerts. But here's the problem: detection isn't enough.

Because when an attacker gets into your Microsoft 365 tenant and starts quietly changing the settings, disabling conditional access, weakening Defender policies, elevating admin roles, the noise often stops.

And that's when the real damage begins. This is how Microsoft 365 tenant takeovers actually happen. According to CoreView, 63% of tenants are still handing out broad admin rights.

One compromised account and suddenly the attacker has the keys to the kingdom. And if those configurations get tampered with, your backups won't save you.

You could spend weeks trying to rebuild tenant settings by hand because Microsoft doesn't give you a native way to roll back tenant-level changes.

Attackers know this, they count on it. And that's why CoreView has published a new whitepaper called Total Tenant Takeover: The Microsoft 365 Disaster No One Is Ready For.

It looks at how these attacks unfold in the real world, where least privilege breaks down, and what it actually takes to recover a Microsoft 365 tenant.

Not just files, but the whole environment. You can download it right now at smashingsecurity.com/coreview. That's smashingsecurity.com/coreview.

So Joe, what are you going to talk to us about this week?
JOE TIDY
I'm going to talk to you about a story that's just landed about four hours ago, and I've been looking into it for the BBC.
GRAHAM CLULEY
Right.
JOE TIDY
It's about a Saudi Arabian dissident called Ghanem Almasarir, and he has been very successful in a UK high court in getting the judge to order Saudi Arabia to pay him more than £3 million.
GRAHAM CLULEY
Lovely.
JOE TIDY
In compensation because they hacked his phones with Pegasus spyware. So I'm sure you know about Pegasus spyware, Graham. It's the one that's made by the NSO Group, this Israeli firm.

And all the time NSO have said, "Look, we made this spyware, but it's only being sold to governments and it's only going to be used to bring down terrorists and organized criminals, that kind of thing." But we know now after so much evidence over the last four years or so that NSO Group has been selling to places that have been misusing it.

And it's been governments around the world, repressive regimes that have used NSO Group's Pegasus spyware to infect the phones of dissidents, political opponents, journalists, human rights activists, that kind of thing.

So we know this has been happening and it's just absolutely fascinating to me that here is a really solid case that's gone through the courts, and Saudi Arabia's now got this unprecedented fine of more than £3 million to pay to this guy.

And it also brought back to me some reporting I did on Pegasus back in, oh, it would've been about four years ago now, where I got one of my producers, brilliant producer called Jo Worley, I asked her to spy on me through my phones because I managed to get hold of some spyware that was similar to Pegasus.
GRAHAM CLULEY
Right.
JOE TIDY
So Pegasus is absolutely incredible. And it's the most invasive malware that you could ever imagine.
GRAHAM CLULEY
Because it can see everything that you're doing, right?
JOE TIDY
It's amazing. Yeah.
GRAHAM CLULEY
Websites you're going to.
JOE TIDY
Yeah.
GRAHAM CLULEY
Listen to your conversations.
JOE TIDY
It's like they're over your shoulder.
GRAHAM CLULEY
Yeah.
JOE TIDY
They can see whatever's on your screen. So I put some spyware that has Pegasus-like powers on my phone. And the thing is that on an Android phone, this malware is there.

You can buy it. They pretend that they're selling it to parents to look out for their children. In some cases, people buy it legitimately.

I don't know if it's legitimate or not, but one of the use cases that they claim is that workers can be spied on or be monitored by their managers.

But of course, people use this stalkerware to spy on their spouses and things like that. So I put it on my phone following a really lengthy and pain-in-the-bum process.

It took me over 2 hours. I remember I had to call up customer support for this nasty company that was selling it. Anyway, got it on my phone and I said—
GRAHAM CLULEY
So it's not like you can just pinch someone's phone for 30 seconds and—
JOE TIDY
No.
GRAHAM CLULEY
Maybe if you have the practice, would you have been able to do that? Or is it—
JOE TIDY
No.
GRAHAM CLULEY
It's still quite involved. Okay.
JOE TIDY
It is very involved. And that is the thing about Pegasus. Pegasus can do all the things I'm about to describe, but also Pegasus can infect a phone just by clicking on a link.

And in some cases it can be zero-click. So you can just make a phone call to somebody. They don't even have to connect with the phone call, just has to make a connection.

And then the phone gets infected with Pegasus. That is the secret sauce. That is the power of Pegasus.
GRAHAM CLULEY
Yeah.
JOE TIDY
But all the other things that were on my phone actually, scarily is out there if you have enough time with the device. So Jo Worley was able to see exactly what was on my screen.

We made a video about it where she watched me in my pajamas, sat there watching telly, playing Candy Crush.

And then she saw through the cameras and listened to the microphones when I was in a shop buying stuff from a stationery shop.

She managed to see me on a map, a little dot on a map where I was when I was cycling around London. I mean, you name it, that phone could do it.

It became the ultimate espionage tool.

And that's what happened to this Saudi YouTuber, because as well as being a dissident, Ghanem, he started a YouTube channel in about, I think it was 2015.
GRAHAM CLULEY
Yes.
JOE TIDY
He's been living in the UK since 2003 and he's a British citizen, but he started a YouTube channel where he took the mick out of the Saudi royal family and criticized human rights records, that kind of thing.

And then in 2018, that's when he had that infection with Pegasus and things started getting really, really weird for him.

And I've got here the court documents and I was gonna show you exactly what happened and how he got infected.

'Cause I think the listeners to Smashing Security would be interested in that, wouldn't they?
GRAHAM CLULEY
Oh yeah, absolutely.
JOE TIDY
So between the 20th of June, 2018 and 24th of June, 2018, the claimant received and clicked on the following text messages.

The message he received on his iPhone 7 purported to be from someone called Al-Khaleej, which is apparently a Middle Eastern newspaper.

The text message stated, in translation, it would have been in Arabic, of course.
GRAHAM CLULEY
Yeah.
JOE TIDY
Now it's free to subscribe to Al-Khaleej newspaper's text messaging service, and it contained a link to a web page with the URL mideast-today.com and then slash and then lots of numbers and letters.

And that was enough. So he clicked on that and that installed Pegasus. And the second one, just for good measure, I think they did it twice.

Oh no, this is a different phone, that's why. It was an iPhone X this time, and that was sent out a few days later. And it was a classic one that we get all the time from scammers.

Dear customer, your DHL shipment number is this.
GRAHAM CLULEY
Oh no.
JOE TIDY
Yeah, yeah, yeah.
GRAHAM CLULEY
I hope he didn't click on that one.
JOE TIDY
I'm afraid he did.
GRAHAM CLULEY
Oh dear.
JOE TIDY
But it was 2018. So, you know, I mean, it wasn't as known, was it, back then? And this is the clever bit as well.

It was, you can manage your delivery at http://tinyurl.com/blah blah blah. That's smart. And it contained a link to a webpage with the URL sundaydeals.com.

And that was it for this man, unfortunately. That was how he got infected with Pegasus.

And, you know, in some cases it's a really interesting cyber sort of story, cyber espionage story, but it's also a human story as well.

'Cause this guy, his YouTube channel was enormous and is enormous. He's done really, really well, 300 million views since he started it.

But it's also since 2018, he started noticing there were people turning up where he was.

So, for example, strange incidents where at one stage, someone was— he walked out of a shop in London, and there was a little kid singing a song about Saudi Arabia and how wonderful it is, and saying that critics will be punished, and then someone filming her singing at him.

And then other instances as well, where people just happened to be exactly where he was and shouting things at him.

He's not that famous, you know, he's not famous enough that people stop him in the street.
GRAHAM CLULEY
But it sounds like a deliberate attempt to maybe make content which could be posted online, taking the mickey out of him.
JOE TIDY
Yes. And there were hashtags devoted to bringing him down and discrediting him and worse, you know, some threats to him.

And then there was a really nasty incident in 2018 where he came out of a cafe in Knightsbridge. Again, you know, how did they know he was there?

And he was assaulted by two men, punched and beaten up, and they shouted slogans at him and things like that. And one of them was wearing an earpiece.

So, I think what's interesting for me is, you know, this is a really nasty story, and I spoke to him and he said, you know, "Having the spyware on my phone was like a shadow hanging over me.

At all times, I felt watched and listened to." He's scared to go into central London. He hasn't been back in central London.

But it's also a case, now that it's been through all these courts, hearings, and now we've got this definitive ruling from the judge, it feels, wow, okay, here's a real kind of evidenced picture of what it's like to have Pegasus on your phone and to be stalked and harassed and in some cases assaulted.

You know, this is rare. This is a rare thing.
GRAHAM CLULEY
Yes.
JOE TIDY
I have interviewed someone before who had Pegasus on his phone as well, an African political opponent.

But here's someone who lives in the UK, lives a normal life as a British citizen, but is being, you know, hacked and having their life really impacted by a government halfway across the world.
GRAHAM CLULEY
Do we know how they found out that their phone had been hacked? At what point they realised?
JOE TIDY
Yeah, well, there's a group called Citizen Lab.
GRAHAM CLULEY
Yes.
JOE TIDY
They're really famous for being able to find out whether or not someone has Pegasus on their phone.

When you hear these stories about journalists and people having Pegasus on their phone, it's Citizen Lab who will take the device and they will do a search and they will scan it and they'll find it.

And that's how you get this trail of, the text message here led to all these URLs being accessed and then all this data exfiltrated, all that sort of stuff. So they confirmed it.
GRAHAM CLULEY
So he presumably was suspicious that maybe his phone could have been compromised. Right, okay. That's what I was wondering, right.
JOE TIDY
And what's interesting is the judge, although the judge can never be a thousand percent sure that this is true, they said, based on the evidence that's been presented, I'm convinced that the Kingdom of Saudi Arabia or agents on its behalf carried out not only the hack but also the assault on him as well.
GRAHAM CLULEY
Boy, oh boy. So there's been this ruling now in a British court.
JOE TIDY
Mm-hmm.
GRAHAM CLULEY
And how much money was it?
JOE TIDY
Three million. Hang on, I'll get the exact number. I can actually go to the copy that I wrote earlier. Let's see. This is unpublished at the moment, Graham.

So you've got a sneak peek of my unpublished reporting. Okay, so the total damages awarded by the court are £3,025,662.83. Where did that 83 pence come from?

How— Why did they put that in? I don't understand.
GRAHAM CLULEY
Even with the 83 pence, that is pocket money for the Saudi royal family, I suspect. But what are the actual chances that this is ever going to actually be paid?

I mean, it's great that the judgment has happened.
JOE TIDY
This is the problem. So Saudi Arabia tried to get political immunity from this court case way back in, I think it began in 2019, but in 2022 that was overruled.

And since then, since their political immunity has been removed, Saudi Arabia has not participated in any of the court hearings.

So the judge said that everything that's been decided is because Saudi Arabia doesn't seem to have any defense and doesn't seem to want to defend itself in any way.

Certainly, we're going to, as other journalists have, reach out to them and see if they've got anything to say on this.

But they've just remained silent ever since that immunity's been taken away. And I spoke to Ghannam and I said, congratulations, you've got the compensation potentially coming.

More importantly, you've got this ruling, but do you really think you're going to get paid? And he said he has no idea.

The Saudi Arabian government is very unpredictable, is how he described it. But he said that there are other mechanisms he can use.

So for example, he will try and go to the international courts if Saudi Arabia doesn't pay. You're right, it's peanuts. It's peanuts. But does it in some way—
GRAHAM CLULEY
It's still important.
JOE TIDY
Yeah, it's bad press in a sense if they pay, isn't it? But we will see. We will see how it goes.
GRAHAM CLULEY
I suppose one thing Ghannam can feel a little bit pleased about is at least the Saudis know his bank account details if they want to make the transfer.
JOE TIDY
They could just do it automatically. That's right. He'll just wake up one morning, it's there.
GRAHAM CLULEY
Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days?

Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. That is Vanta.

It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously. Vanta automates all of that.

It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.

It also plugs into the tools you're already using and flags up issues before they become a right old mess.

So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. And if you use that link, you'll get $1,000 off.

So don't forget, vanta.com/smashing. And thanks to Vanta for sponsoring this week's episode. On with the show. And welcome back.

And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
JOE TIDY
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily. Well, my pick of the week this week is not security related.

I was on the Channel 4 on-demand streaming service and I found this movie. Came out a few years ago and it is a comedy drama martial arts coming of age fantasy.
JOE TIDY
What else could you need?
GRAHAM CLULEY
Can you say that again? Comedy drama martial arts coming of age fantasy.
JOE TIDY
Wow. It's got everything.
GRAHAM CLULEY
It's got everything. It is set in the present day UK, features two young sisters, and it is called Polite Society. Have you seen Polite Society, Joe?
JOE TIDY
I have not, but now I want to see this coming-of-age drama comedy thingy-ma-bob with sci-fi elements.
GRAHAM CLULEY
Well, it's rather fun, I have to say, this British movie. One of the sisters, her name is Ria, she wants to be a stuntwoman.

Her older sister, Leena, is an art school dropout, and she's seduced into a marriage with a smarmy git. And her little sister is not at all happy about this.

And so, spurred on by her rather overactive imagination as to what this man might be like who is wooing her sister, she comes up with devious machinations as to how to ruin their relationship.

And she tries to engineer a breakup with the help of her school friends. This movie is utterly bonkers. And I promise you, you will watch it with an enormous smile on your face.

I found it incredibly charming. And just when you think this cannot get— I mean, there is lots of martial arts.

It's amazing kicking and it's all sisters together and all the rest of it. It's very funny, very stylishly done, a bit like a Bollywood movie in some ways.

And then in the third act of the movie, the last third, things go—
JOE TIDY
Don't give it away.
GRAHAM CLULEY
All I'll say is things go absolutely batshit crazy.
JOE TIDY
Nice.
GRAHAM CLULEY
And you just think, wow, I thought this was just a comedy drama martial arts coming of age fantasy.

I was not expecting it to be a comedy drama martial arts coming of age fantasy with beep elements in it as well.
JOE TIDY
Okay.
GRAHAM CLULEY
So there's a bit of genre busting all the way through.
JOE TIDY
Intrigued.
GRAHAM CLULEY
It's really outlandish. It's unexpected, but go with it. I did, and I really, really enjoyed it. I found it charming. I looked it up on Wikipedia.

It had great reviews, but hardly made any money at all.
JOE TIDY
Yeah, I've never heard of it.
GRAHAM CLULEY
I just think, oh, what a shame. I don't know if it was the title, Polite Society. Maybe that didn't work. It's ridiculous fun. So I would recommend Polite Society.

If you can't see it anywhere else, it is currently on Channel 4. Of course, 4-player or whatever they call it. And I enjoyed it a great deal. So that is my pick of the week.
JOE TIDY
How does it rank, Graham, in the list of films that suddenly take a real U-turn?
GRAHAM CLULEY
Oh.
JOE TIDY
Do you remember the film From Dusk Till Dawn?
GRAHAM CLULEY
Yes.
JOE TIDY
For me, that is the one that you just go, what?
GRAHAM CLULEY
Yep.
JOE TIDY
I mean, obviously you go into it knowing there's vampires in it, but if you didn't know it, you didn't really— Oh, wow. You must've had an experience.
GRAHAM CLULEY
I went to the cinema. Went to see— we didn't know what to watch. Went to see Dusk Till Dawn, and we thought it was just a road movie. And then, oh my flipping God, what happens?
JOE TIDY
Soon as the anaconda comes out, it all changes. It's so bizarre. It's a really good sort of tense, as you say, getaway road movie with two criminals.
GRAHAM CLULEY
Yeah.
JOE TIDY
Then they find themselves with their victims inside a barn in the middle of the US countryside, and then suddenly there's vampires everywhere.
GRAHAM CLULEY
Have you seen Sinners yet? Which is Oscar-nominated.
JOE TIDY
I was thinking, just think about Sinners, yeah. It does the same thing.
GRAHAM CLULEY
It does.
JOE TIDY
Although it's sort of like, it's a bit creepy throughout, isn't it?

So you know something's coming, but yeah, you have to get probably, what, 45 minutes in until there's some actual vampire action?
GRAHAM CLULEY
At least, but yeah, I'd recommend Sinners as well.
JOE TIDY
I hated the ending of Sinners though.
GRAHAM CLULEY
Did you?
JOE TIDY
I won't say that, 'cause it'll annoy people who haven't seen it. I'm sure I'm in the wrong. It's gonna win every Oscar going, so I'm in the wrong.
GRAHAM CLULEY
Well, it may well do. But in the meantime, go and check out Polite Society, my Pick of the Week. Joe, what's your Pick of the Week?
JOE TIDY
My Pick of the Week is very random. So I've been on your show twice before, and I've picked— maybe 3 times— and I've picked extremely random things.

So I think I chose my pond once. Yes. And a wildlife camera where I managed to get a rat on camera. So this one's equally as random. I have become a 3D printing geek.

Over Christmas, I got myself a 3D printer.
GRAHAM CLULEY
Yeah.
JOE TIDY
Quite a cheap one, actually. One, 4 generations ago type thing.
GRAHAM CLULEY
Yeah.
JOE TIDY
And I have— I just, I've loved it. So the amazing thing is, I didn't even sort of clock this until my wife pointed out that she wishes she'd have known this about me.

I used to be a real geek at sort of Games Workshop and Warhammer.
GRAHAM CLULEY
Oh yeah.
JOE TIDY
I used to buy— well, I used to pester my parents to buy me those little figurines, and then I would sit and paint them.

I never actually played them, but me and my kids for the last sort of 6 months have been coming up with an idea for a board game based around, you know, little miniatures.

And I thought instead of sending them off to be printed from someone else, I'm gonna make them myself. And I've just loved it. I've loved every second of it.

In fact, I've banned myself the last few days from using the 3D printer because I've just been so obsessed. There's something about it.

You just set it going and then 2 hours later you come back. Has it worked? Hasn't it worked?
GRAHAM CLULEY
Yes.
JOE TIDY
The learning curve is obscene.
GRAHAM CLULEY
Right.
JOE TIDY
And some of my first few days of trying to successfully resin 3D print were just a shambles. And it gets everywhere, and it's really bad for you, and it's toxic and stuff.

The kids are well away from it. But I sort of hit a groove, and now I've got my little army of these little miniatures, which I've been setting out like a complete dork.

But I love it. I absolutely love it. And what's been a really interesting part of the process has been the use of AI.

So in the BBC, and I'm sure it's the same in many places, there's a very cautious outlook on using AI because it's potentially a security risk and it makes mistakes and stuff.

Yeah, but on my own, just unleashing the creativity, it's been absolutely incredible. So I've asked Google Gemini to create an alien soldier.

Then I've asked another program called Meshy to create that 2D image into a 3D model.

Then I've gone into another one that actually allows you to build the models in the 3D printing software.
GRAHAM CLULEY
Right.
JOE TIDY
It's all AI and I've got zero knowledge and I can do all of these things.

And it's actually informed my reporting a little bit because, you know, we talk about AI quite often, we talk about the downsides, but then actually, you know, it's opened up.

I wouldn't have been able to do this two years ago. There's no way.
GRAHAM CLULEY
I can appreciate that. That's great. And obviously you'll have fun with your kids and that's terrific. And I love all of that. But don't you feel like you're not learning?

You know, it's like, if it does too much for you—
JOE TIDY
Yes.
GRAHAM CLULEY
Could your brain turn into the kind of mush which was being produced by your 3D printer in those early experiments you did?
JOE TIDY
Well, it's too late for that anyway, Graham. My brain is already mush. It's been mush a long time. But no, you're right.

I think, would I get more out of it if I actually did the illustrations for these things myself? Yes. Would I get more out of it if I somehow turned a 2D image into a 3D model?

Yes, that would make me so much more computer skillful. You know, I don't know how— I don't even know how you do it. But would I do it? No.
GRAHAM CLULEY
Right.
JOE TIDY
I don't have the time. I don't have the inclination to do it. But here's a process now which has been completely opened up.

And I look back and I think about my poor parents and the hundreds and hundreds of pounds of their money, their hard-earned cash that I spent on these stupid little figurines, which I'm now knocking out, you know, in the space of a couple of hours in my garage.

And it's just fascinating to me. And I strongly recommend it. It's not crazy money. You know, I think the 3D printer was about £250.
GRAHAM CLULEY
Which make of 3D printer did you get? I know you said it was a few generations old.
JOE TIDY
Yeah, I got an Elegoo Saturn 3. So I think Elegoo is a big Chinese firm. They're on Jupiter series or whatever. My one is a Saturn. I'm not doing an advert.
GRAHAM CLULEY
But you'd recommend it? If someone's brand new to 3D printing?
JOE TIDY
Yeah, I would. Yeah. But there are lots of others, and I'm sure you can get way better, and I'm sure there are better makes, but it's proving to be really fun, and I'm really enjoying it.
GRAHAM CLULEY
Well, that's good. Fantastic. And that just about wraps up the show for this week. Thank you so much, Joe, for joining us. Really appreciate you coming on. Spending your time with us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?
JOE TIDY
Well, I am one of the Twitter Exodus people, so you won't really find me on there. I'm on BlueSky, LinkedIn, Threads, Instagram, TikTok.

I mean, basically everything except Twitter these days. And you can find out about my book, Control Alt Chaos, just give it a Google. And I see, Graham, behind you on the bookshelf,

I see my book and it makes me very, very happy. Thank you very much. There you are. There it actually is.
GRAHAM CLULEY
There it is.
JOE TIDY
Lovely.
GRAHAM CLULEY
Well, and we can follow Smashing Security on social media as well. Find me, Graham Cluley, on LinkedIn or follow Smashing Security on BlueSky and Reddit.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of over 450 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
JOE TIDY
Bye-bye.
GRAHAM CLULEY
Now then, you've been listening to Smashing Security with me, Graham Cluley.

Thanks so much to Joe Tidy for joining us this week, and to this episode's sponsors, Vanta, Passwork and CoreView.

And of course, to all of you chums who've signed up for Smashing Security Plus over on Patreon.

They get the benefit of ad-free episodes and early access to new episodes of Smashing Security as well, of course.

Those people include: Henry Warshaw, who sounds like he should be captain in a cricket team. Christophe Goossens, who almost certainly has strong opinions about beer.

Sonky Von Rappel, which feels like a Bond villain. Jay, who's decided to remain gloriously minimalist with just the one character.

Maya has brought her own exclamation mark for emphasis. Ragnar Karlsson, Graham Cluley, who arrives wielding an axe and demanding better multifactor authentication.

Meanwhile, Richard Mortner owns a very serious fountain pen, and Mark Norman finishes things off like a man who's definitely reset your router at least once.

Would you like to hear your name read out at the end of the show from time to time? Well, Smashing Security Plus may just be for you.

Of course, I know not everyone can stretch to $5 per month, and that's perfectly fine if you can't afford to sign up for Smashing Security Plus.

There's absolutely no pressure to become a patron. What you could do is you could tell your friends that you really like Smashing Security instead.

Every little bit helps, and it really does make all the effort worthwhile. Well, I hope you've enjoyed this week's episode and are going to tune in for next week's as well.

Until then, cheerio, bye-bye.

Host: Graham Cluley

Guest: Joe Tidy

Sponsored by:

  • Passwork – a reliable secrets manager and password management solution.
  • Coreview – Download “Total Tenant Takeover”, a white paper about the Microsoft 365 Disaster No One Is Ready For.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
