
Elon Musk has been behaving a little bizarrely of late.
When he’s not accusing Thai cave rescuers of being paedophiles, or getting high on podcasts while Tesla’s stock goes down, he’s stepping down as Tesla’s chairman and paying a $20 million fine to the SEC over an ill-advised tweet.
But still, it’s perhaps not that surprising that someone at Twitter thought Musk’s account had been compromised when he started posting some bizarre tweets earlier this week.



That last tweet from Elon Musk was particularly asking for trouble, as there have been many, many reports of scammers pushing Bitcoin scams on Twitter while pretending to be the Tesla founder.
Sure enough, Twitter locked Elon Musk out of his account, a fact which appeared to delight the entrepreneur:
“Twitter thought I got hacked & locked my account haha”
It’s an odd state of affairs when the bogus Elon Musk accounts offering bitcoin giveaways appear more legitimate than the real Elon’s tweets.
For further discussion of this, and other stories from the world of security and online privacy, be sure to check out the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey, there's a niche for everything, right?
Oh, it exists. Yes, Rule 34.
I don't know what that means.
You don't know what Rule 34 means?
No.
Oh no, I have to be the one to tell you on air.
Should I Google it?
Oh yes.
I'm Googling.
Oh no. Oh no.
Smashing Security. Episode 101: Rule 34, Twitter Scams, and Facebook Fails with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 101. My name's Graham Cluley.
I'm Carole Theriault.
Hello, Carole.
Hello, Mr. Graham.
And we've got a returning guest, it's our family favorite, it's Maria Varmazis. Hello, Maria, as well.
Hello, everyone.
You should have let him keep going, see how high he could get in his pitch.
Hello! Hello everybody!
I have no doubt, Maria, that you can go get right up there.
Study on.
Anywho, I had a question for you, Graham.
Oh yes.
All right, so I haven't been watching the new Doctor Who because it's not in the States legally yet in ways that I can acquire. But I know one of the new companions' name is Graham. I want to know if your inner child is freaking out every time he comes on the show.
It's really weird because Graham isn't a name which I encounter that often. There aren't that many Grahams in the UK.
Yeah.
I would argue.
Yeah, there's no Graham Norton who's on TV almost every— He's one. He's one.
Wayne?
But Dave or something that's fairly common. So it's a little bit odd because I keep on hearing the name Graham when I listen to my Doctor Who podcasts.
And every time the Doctor says Graham, I presume she says it a few times. Isn't that like, if Captain Picard had ever met a Maria, I would have freaked out. I just would have.
Seriously, have you not watched any of the new Doctor Who?
I have not at all.
Oh my goodness. Not yet. I know. And I keep reading all the spoilers about them and I have not had a chance to actually watch them myself.
I haven't really been paying attention, but I've just gone to the website ranker.com and there's a lot of famous Grahams.
Okay. You're saying a lot of Grahams are rankers?
Yeah, there's a lot of them. Okay, quiz time, quiz time.
All right.
What percentage of data breaches originate from email?
Ooh, 7 out of 10. Ha, it's a pretty good guess, but you're way wrong. 96%. Because that's how they get your passwords.
That's how they get your passwords. So MetaCompliance make it easier to train and prepare your whole environment to stop these kinds of attacks. They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance.
That's smashingsecurity.com/metacompliance.
Hey Graham.
Hey Carole.
I have a question for you about these password manager things you keep talking about.
All right, go on then, shoot.
What happens if you forget your master password? What are you gonna do about that?
Oh, you think you're really clever, don't you?
Yeah.
You think if you've forgotten your master password, you can't access any of your other passwords anymore. Well, piff, paff, poof, Carole, because if you are running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory, and that means the same password that your employees are already comfortable with using to log into your system will unlock everything. It will unlock their passwords, it will unlock their work. Makes it super easy to bring LastPass into your enterprise.
Seriously? And it's still super safe?
It's still super safe.
Wow!
That's kind of cool.
It's a great way of getting new employees using passwords safer and more securely. Rock on, LastPass!
LastPass, I say.
And Carole, if you or indeed our listeners want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. So let me take you to the city of Reading, Pennsylvania.
I've been.
Have you?
I have.
Oh, what can you tell us about it?
Not much.
Okay.
Okay.
Most people are asleep.
What am I wearing?
You tell us, girl.
The city of Reading, Pennsylvania. Guys, I'm trying to make this atmospheric. I'm setting the scene, all right?
You can probably smell the distant smell of cow manure wafting in over the land.
It's 1 o'clock in the morning. It's dark. Cows are mooing. Owls are hooting.
Yeah.
A cat meowing. Somewhere you hear the sound of a mosquito burning as it lands on a hot lamp. And a young female pizza delivery driver is on her way with a stack of pizzas to a home on Windsor Street. She's got a pile of pizzas worth $75. She walks up the path to the house.
Is this the Halloween edition of Smashing Security?
She rings the doorbell.
It's more of a zzz. Or dee dee dee dee.
But there's no answer. So she ends up going back to the restaurant and her boss, let's call him Luigi or something, tells her to try harder, right?
Tells her to try harder?
She calls the customer on her cell phone. And he says, oh yeah, I'll be waiting for the delivery outside the house. So she goes back to the house. It's now about half past one. Right? Again, noises. And you know what podcast you're on. You're on a cybersecurity podcast. A man steps out of the shadows and she says, oh, can I have $75 please for these pizzas?
Oh, that's not how it usually happens.
He rummages deep in his pockets and then a second man leaps out of the alley with a gun. Put the food down and give me all your money, he says.
That was— no.
Terrified. What?
Nothing.
Put down the food and give me all your money.
Jimmy Cagney.
I'm just holding my head in my hands. I'm just, you know.
Terrified, the delivery driver does what she's told and gives him the cash that she's carrying, which is just $35. And she scarpers, and the robbers take the food, and they clear off as well, right? Now back at her car, she calls the police. And the policemen come around, they search and everything, and there's no one in the house and they can't see any sign of these bad guys, right? And that is the end of the story.
Well, thanks very much.
That's a great segment for Smashing Security. Yeah, let me go into my story now.
Chapter 2. 26 days later, the pizza delivery woman receives a Facebook friend request. And she thinks, I know that guy, even though he's not holding a gun. It's the robber.
Dun dun dun!
And she thinks to herself, I bet that's not even your real Facebook profile. So he then sends her a new friend request from his real Facebook account. And of course she goes to the cops. She lends criminal investigator Buck Wendell her phone.
What a name. You're kidding. Criminal investigator Buck Wendell.
Buck Wendell on the case. Part of the Reading, Pennsylvania cops.
I so hope he's super cool.
Yeah, but he is cool.
Yeah.
And this week, police have arrested 26-year-old Jarrell Guzman and charged him with robbery, theft, and simple assault. That does seem he was a pretty simple fellow from the sound of things. The cops say that Guzman wanted to apologize to the pizza lady. So I'm guessing he did this. Send the friend request.
Oh.
Oh, see, now that's your heart, isn't it? I'm guessing he just thought she was hot. As, you know, as hot as the pepperoni on his pizza.
Maybe he could get a bit of that as well as robbing her.
Get some of that on the side. Guzman, who isn't from Windsor Street, which is where the robbery took place, but on Moss Street, has been committed to the county prison in lieu of $20,000 bail. But what we don't know is how Guzman found the victim on Facebook. So having committed the robbery, how did he then make the connection? I was wondering about this and I thought, well, maybe he got her phone number when she called up his cell phone, possibly. Or maybe it's her link with the pizza restaurant. Maybe he found the pizza restaurant on social media.
Or maybe she said,
Or maybe she had a name badge on. Or who knows what.
Probably he got one of those Facebook suggestions, the friend suggestions. You've got all these phone numbers in your phone. Oh, we know who those people are.
I work there.
So maybe it's Facebook's artificial intelligence.
Probably, yeah, linking them together.
Big data.
It's the red string of fate, isn't it? It was meant.
Okay, so basically I don't really understand why there was a gun in this. Involved in this. Surely if the guy just went up and said, hey, give me the pizzas now or else, and there's two of them and you're outside and there's no one around, I just go, here you go, dude, take them.
Because America, that's why.
Because she might know karate or something like that. Isn't that why they—
No, but who's gonna fight over her?
In America, Carole, pizza delivery women might actually be armed. They might be locked and loaded.
And they're going to be protecting the pizza with their lives. Is that what you're saying?
I'm just saying that obviously people go around carrying guns in America. You're just saying it's ridiculous. It's not ridiculous. It's not ridiculous.
I just say it's ridiculous that they felt that need for guns.
I have five guns on me right now. It's true. I have one on each leg. It's a thing.
Okay. Some of our listeners, can you just be clear that you're actually lying right now?
Am I?
This is a joke.
Haha, I'm gonna leave you wondering, am I lying?
And number 2, the guy, okay, so what, the guy felt bad and then reached out to say sorry?
No, he fancied her, come on.
Wow, cynical, cynical, 80-year-old Adrian.
No, I'm just a man. I know how it works. You know, you're gonna think, she was a bit hot, but I robbed her. I wonder if I apologise whether she'll then go out on a date with me.
I have a conversation starter.
Yeah, exactly. It is a conversation starter because that's often a challenge, isn't it? If you're trying to chat up a lady.
Tell you what, that would turn me on.
Would it?
Yeah.
No! I'm learning too much about you today. What you're wearing, what turns you on. Didn't need to know.
Someone has to lower the tone.
Anyway, lock down your privacy settings, folks. Be careful what you post or where you say where you might work, for instance. You know, don't share your phone number. Don't allow people to look you up by your mobile phone number either. Although in this case, it actually helped entrap a bad guy, didn't it? But normally it's bad news.
I'm actually surprised this hasn't happened more often. Anyone who gets a food delivery nowadays, the delivery driver calls you from their personal cell phone number. So I've had so many people call my house, and I don't know who they are, so—
You know why it doesn't happen more often? Because normally the relationship then flourishes. There's no reason to go to the police, because this is the way in which young people meet each other.
Oh, this is better than Tinder is what you're saying.
Exactly. This is how people meet each other.
And this is based on what evidence of yours, Graham?
Can I just say, I don't know what planet you guys live on.
Thank God you're entertaining.
That's all I got to say.
Hope you liked the sound effects.
How can I follow up to that? I'm not doing sound effects in mine. You guys can supply your own, but I don't think I can be that thrilling. I'm sorry.
Graham can jump in.
My story, instead of being about Facebook, is about another social network that's been causing a bit of agita, and that's Twitter. This is my own little bit of gumshoe reporting. I actually saw a scam going down on Sunday. No way. I did. Oh my God. Basically, what I saw on Sunday was a verified account that had renamed itself to say that it was Elon Musk. I'm giving 1,000 bitcoin to my followers. To identify your address, just send 0.1 to 0.3 bitcoins to the address below and get 1 to 30 bitcoins back to your address, followed by the bitcoin address. And then, oh, if you're late, your bitcoin will be sent back to you. And I'm going, okay, how the heck did this appear in my timeline? How is this— how did this get past all of the Twitter quality controls? And who the hell would actually fall for something like this? I mean, this is so obviously a scam. And thankfully, a lot of the comments in response were, this is a total scam.
And this wasn't just a tweet. This was a promoted— a promoted tweet. Yeah.
I'm sorry if I didn't clarify. It's a promoted tweet from a verified account, so it had one of those blue check marks next to the name. And I don't know how you get one of those. Graham, you have one of those, right?
I do, yes.
Yeah. What did you have to sign over for them to verify you?
You have to—
A lot of information. I actually stopped halfway through the verification process. I was like, geez.
Yeah, you have to enter the seventh circle of hell basically and sign over your youngest child.
It doesn't—
So it's hard to get one of these things and it gives you a lot of social cachet on the site. You know, ooh.
Huge cachet. Huge cachet if you've got one of those.
Yeah, it's people fall at your feet when they meet you kind of thing.
Graham glows now, he glows.
I can only imagine what it must be like to have one of those. I can just only dream. Yeah, and this account was verified, the tweet was promoted, and again, it said it was promoted by Elon Musk right at the bottom. So how did this pass all of the Twitter flags? Anyway, so I saw this happening at about 1:00 PM on Sunday, and I figured this was gonna get taken down within minutes, so I screenshotted it. I checked on Monday morning, and that tweet ran for at least 12 hours, which— that's a long time for a scam to run.
Did you report it?
I did. And a number of other people did, too. People were tagging Twitter support, that kind of thing. And I'm honestly surprised it took them 12 hours to take that down.
Well, it was a Sunday, right?
Yeah. You think they're not working on Sundays?
Yeah, I don't know. There may be less— there's always staff on Sundays in tech firms.
I'm less about the response time and more how did this even happen in the first place? My guess is that this verified account had really poor security on their own account. They didn't have two-factor authentication set up, somebody reused their credentials and they just abandoned their account at some point. Looks like they hadn't tweeted anything since July. And these scammers said, well, we have an in. We can break into this account, we can figure out how to reuse this account without setting off any of the Twitter security flags and set off this very obviously scammy tweet. And I looked up the Bitcoin address and they actually— do you want to guess how much money they made in 12 hours from that one tweet?
Tell me.
Well, they had about 17 deposits made to their account.
Really?
Within those 12 hours. Yep. Most of them were really tiny, some of them worth about $10, but some of them were several thousand dollars. So—
Shut the front door.
Within 12 hours of that tweet going live with just 17 deposits, they made over $10,000.
Oh my goodness.
Yeah. It's good money if you can get it, right?
And Twitter doesn't get to see a penny of it.
But the ad was promoted, so someone paid Twitter, maybe with a stolen credit card or something. Something, but it wouldn't— they wouldn't have spent anything like that.
No, maybe $50 at most, maybe $100. It doesn't cost very much. I've done these before. It really costs very little money.
You've done these scams before?
I've done these scams before, yes. Just to be clear, I have not done these scams before. When I've promoted tweets, you pay per impression, so you're paying cents on the dollar. It's super cheap. So they made in 12 hours $10,000 or more less $50, which is great money if you can get it.
That's a lot more money than I make.
Oh, is it? Oh, I'm so unfortunate.
We need to rethink our careers is basically all I'm saying. And I noticed as of Monday morning, whoever has access to this bitcoin address already started making withdrawals in large chunks. So I figure they're going to start celebrating October 5th.
I mean, it's not even a sophisticated scam, is it?
No.
It's simply saying, fill up our bitcoin wallet and we'll give you more bitcoins back. And there are dumb people out there who—
who fell for it.
Yeah, guys, don't call them dumb. Why would you do that?
Gullible?
Just because they're giving lots of money away to something they don't really understand.
There's altruistic people out there and kind, generous people who are donating their bitcoins and they're never going to see them again.
I mean, maybe.
Yeah, but the tweet wasn't all emotional, was it?
It wasn't. No, I read it to you at the beginning. It's very, just give us bitcoins and maybe we'll give you some back. And maybe they forgot that bitcoins have some sort of monetary value. They're going, oh, half a bitcoin, what's that? A third of a bitcoin, it's nothing.
So they're basically being fooled by the Elon Musk, the verified tweet, the promotion of it.
All those cues. Yeah, those cues that usually indicate on Twitter that something's generally trustworthy.
Promoted by the real Elon Musk.
It was not.
I'm going to guess it was someone else who has that screen name, at the very least. And the promoted by line doesn't tell you whether that account owner is verified or not, so that's certainly one way maybe of tricking this system. The other thing is, though, did you see Elon Musk, what happened to him this week, is he had his real Twitter account closed for a while because Twitter—
Did he really?
Yes.
I did not know this.
Because Twitter identified that his account was acting strangely. His Twitter account had posted, I love anime, and posted an image with the text, wanna buy some bitcoin? And he said something about he's got a Wolverine named Chibi or something. So really bizarre tweets.
Interesting.
And then Elon Musk said, oh no, that really is me. He's clearly a bit crazy.
He's speaking the language of my people, but I'm amazed I didn't hear about this. That's incredible.
But it's a weird world where the fake Elon Musks on Twitter are more plausible than the real Elon Musk on Twitter.
Oh my God. Well, I mean, when I was looking at the account that got taken over, it's a Swiss life insurance brokerage app.
Right.
What? And so they'd been tweeting on and off for a few years about life insurance, sometimes in German, sometimes in English, but really, really dry stuff. And then they go silent for a few months. Perhaps their account had been taken over and they couldn't regain control, or perhaps they just abandoned their account. Who knows? And suddenly they're retweeting Elon Musk tweets about Bitcoin, and then suddenly they're tweeting about Bitcoin. And I'm just wondering why Twitter doesn't have anything in place to go, you know, that's really unusual to go quiet for that long and then start talking about something you haven't talked about before, especially from a verified account. You'd think they'd have stronger, I don't know, filters or something.
Is there any reason why Twitter wouldn't jump down this throat and try and take it offline really quickly?
They don't make money. I think the reason why this is happening is they are simply flooded with so much of this.
Yeah, yeah.
I think there's so much of this going on that they cannot cope with it.
But can't they just go, oh, that's a brand new account, maybe we'll hold off for a bit, or maybe we don't allow tweets right away if someone changes a password?
Well, they probably could do something, yes, or put people in limbo or, you know.
Yeah, previous accounts, they would try doing scams like this, they would actually rename the handle. And then that was a red flag. So I think Twitter has stopped allowing people to do— I think the verification goes away if you rename your handle.
That's right.
But in this case, they actually just changed the display name so that the handle was the same, but the display name said Elon Musk. And that doesn't set off any red flags, apparently.
So do you have any tips for people as to how to better protect their accounts?
Yes. So don't use your same password that you use on Twitter anywhere else. Keep a unique password on Twitter and turn on two-factor authentication. Between those two things, you're going to be much better off than a lot of folks. And selfishly, if you run a social media account for a company, make sure you don't abandon your Twitter account and just leave it sitting rotting in a corner. Somebody should always have access to that account because stuff like this can happen and you want to be able to regain control quickly before your company has egg on its face. I mean, I don't think Twitter is making that much money from these scams either. I don't think it's a selfish thing of, oh, we're making money, so we want to let the scammers do their thing. If anything, this is probably hurting credibility of the platform, which, you know, such as it is.
And Elon Musk's stellar reputation for PR and handling situations.
One must consider such things. Yes.
Stop picking on Elon Musk. He's not the only famous person on Twitter who's posted the occasional bizarre message, is he? Covfefe, right?
I was thinking more Kanye.
I was thinking more McAfee, not Covfefe. Where does it end?
Cluley.
Wait, stop that.
Stop that.
Fantastic. Well, Carole, take us from the craziness of Elon Musk and bitcoin scams to whatever you've discovered this week.
Thanks to things like disinformation or fake news, data breaches, ransomware, Russian hackers, a lot of us are getting uneasy around technology. You know, you keep hearing of people abandoning Facebook and such. One way to handle or tackle this problem is to stick to sites that you've liked and used for a long time. So if, for example, you like getting your news from the BBC and you've been doing that for years and you trust what they say and you like how they operate, you're going to continue doing so, right?
Mm-hmm.
Now BBC is a big site and it has a big robust tech team providing and protecting services that it offers. But of course, there's a zillion legacy websites that are much smaller operations than BBC. And some of these smaller legacy sites may not have updated their services and not be au courant with security infrastructure of today.
Oh, that was French, was it?
Au courant.
For a moment, I thought you said, oh, the Quran. I thought that's going to cause us some trouble. Okay, carry on, Carole.
So sites that have created themselves maybe a decade ago that have just been ticking over nicely may not have invested in security infrastructure or additional layers to improve their services.
Come, come, come, come. Nonsense.
There may be sites where you've shared some sensitive information. You may have put on your contact details or you've given them passwords or payment information or personal messages. But as you haven't had any trouble yet, you haven't really given a moment's thought. Well, this is your ding, ding, ding, ding. The wake-up call is here. Yeah, I'm doing sound effects.
Nice.
You're welcome. And I'm hoping this example, this recent data breach, will drive the point home.
For the next 100 episodes, every episode has some sound effects. I think they were establishing that with 101. No stories if you can't do a sound effect.
Okay, Graham, if you would take over sound effects from now on for me, because my topic might need some more advanced skills than I have. Okay, so this week Ars Technica reported on how 8 adult websites were hacked.
Oh, you're gonna do—
I'm not doing a sound effect for Ars Technica.
What about adult websites?
Don't work. Yeah, there you are. Oh wow.
Wow. Wow.
Might need some oiling.
Was that the zipper coming undone? What was that?
Get some WD-40. Oh God.
Good luck, girl. Okay, good luck.
Okay, now where was I? So Ars Technica reported on how 8 adult websites were hacked and the personal data of its users was slapped online. The attackers exploited a script that was used on all these 8 sites, including IndianSex4You.com, NudeAfrica.com, NudeLatins.com— do you see a trend here?— NudeMen.com, and White Wifeposter.com.
Oddly.
Here's a sound effect.
Wife? Wife poster?
Yes.
Posters of your wife.
It's a site where you can order a poster of your wife rather than one of Bon Jovi or whoever it is you have on your wall.
It's unclear. This is pictures of users' spouses.
Yes.
Unclear whether the affected spouses have actually given consent to their images being made available online. Ooh.
Ooh.
Would I be correct in assuming that these pictures of women are of them scantily clad or in compromising positions rather than down the supermarket?
I think you could probably answer that for yourself, Graham.
I think I have. Okay, carry on.
In the exposed data, there were IP addresses connected with the sites. There were user passwords that were hashed using a 4-decade-old crypto called DES crypt.
Uh-oh.
1.2 million unique email addresses were also picked up and displayed and exposed, although the owner says that only 10% of those people are actual users of the site. In any case, this is kind of dwarfed by the Ashley Madison 2015 hack where I think 35, 36 million users had their information stolen. And payment details were stored separately. So according to a statement from the owner of the affected toxic sites, they have not been compromised.
But still bad because this data might identify you as obviously a user of these rather dodgy websites, right?
Well, exactly. So when I heard about the fact that one of these sites was about posting images of your spouse, you're thinking, okay, well, maybe the pics of the spouse aren't identified and maybe the user who posted this picture used a unique username that was tied to a secondary unused email account and kind of protects his or her identity. Right? So I'm kind of thinking maybe the reputations of the spouse, of the users, yeah, could maybe not be associated in real life. Yeah, hot dog or something, right?
Yeah. So rather than my real name, I might have chosen a username, something. Graham Oxford.
Graham Cracker.
Graham Cracker.
However, turns out that on this site, customers were allowed to have two email addresses, one for public-facing interactions and a private one to manage their account, you know, pay money, whatever.
And the bad news is the private one got nabbed and publicly ousted as well. Now, Dan Goodin from Ars Technica wrote that a simple web search of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that give the users' first and last names or geographic location or information about hobbies, family members, and other personal details. So seriously not good.
No, not good.
Yeah. Now, it took the owner of these websites, a guy named Robert Angelini, so it took him 3 days to verify and confirm the breach. And he took down the site. Actually, he was contacted by friend of the show Troy Hunt, who actually was contacted. Yeah. So he's the one who got in touch with him saying, I think you've got a problem.
So it's just one guy running all these different websites, and all of them are basically insecure and not safe.
Yeah, basically, yeah. And the thing is this guy doesn't seem to be making a ton of money. He claims last year in his article that he only made $22,000 USD from the site. So this is one of the problems, right? He's basically saying, I'm taking the site down, it's now offline, and you know what, it isn't going back up unless I get this whole problem fixed.
He should promote the sites on Twitter with a promoted ad from Elon Musk to help.
Yeah, it could help him out.
But there's a serious problem, right? Small companies like this that just shut down and throw away the key because it's not that profitable and they don't care. That doesn't help the victims, right? The customers that have been paying the money, the customers whose basically lives have now been totally exposed. They're the ones who are up shit creek with identifiable personal escapades on show for the world to see. The other problem, these sites have been— he claims he's been running them for 21 years, and he sees them more as a hobby. And the piss-poor security kind of backs that up, doesn't it?
I'm just imagining at an icebreaker at a party, like, what are your hobbies? I run adult websites.
I run 8 adult websites, one called— yeah, let me show you.
Making $20,000 a year from all of these sites, might he not be better off trying to sell the domain names? Nude Latins, nude men. What was it?
You're looking to buy, Clue?
No, I'm not. But there presumably are porn, proper porn companies who would be interested in nude Latins. So that'd be like Julius Caesar, maybe, without his toga on. I wonder. Hey, there's a niche for everything, right?
Oh, it exists. Yes. Rule 34.
I don't know what that means.
You don't know what Rule 34 is? Oh no, I have to be the one to tell you?
On air.
Should I Google it?
Oh yes.
I'm Googling.
Oh no.
Okay, I'm going to find out live on air. Right, okay, let's see what this means. Rules of the internet. Okay, here we are. What does this mean? Okay, hang on a minute. Let's just see. It's loading.
It's like when somebody has never heard of Goatse before and you're like, well.
I've been told not to look at that.
Oh, you can Google that too if you like.
I've come to know Rule 34. Okay, I'm scrolling down. I don't understand. There is— oh, I see. There's— so it's— it's— there's porn for everything. Yes, basically.
Yes, basically somebody names two things that are just bizarre and you go, oh, that's gross, and you just say Rule 34, there's porn for it. And they're usually— I have yet to be proven wrong.
Is this a pastime, Maria?
Yes, this is my hobby. I— when I go to icebreakers, this is what I tell people. I've ruined their lives. So I'm looking at a mouse mat right now.
There's gonna be mouse mat porn. If I Google for mouse mat porn, I'm going to look for this right now.
Is safe computing on? You do have a child in the house.
I don't know what mouse whatever is, but okay, that's, I'm sure there is porn for it.
I've been taken to a Pinterest page.
Turn around now. Back out.
Back away. Backing off. I'm backing off. Let's, let's get back to the podcast.
No, I had to be the one to tell you about Rule 34. All right.
That's like a virginity being broken.
I'm so sorry.
Yeah, it's a bit gross.
Okay, now look, I—
So this site, this adult site's been around for 21 years. Just take a look. I put a link in for you guys. Just take a look at how the site looked just a few days ago.
Okay. All right.
Right. So you can see how modern it is. What I'm saying is this does reek of a site that's 20 years old, doesn't it?
Oh yeah, it looks like a sort of—
It's still loading.
It looks like Yahoo.com circa 1998.
Or like GeoCities or something like that. It does look— He probably creates this website in Edlin or some sort of text editor, doesn't he? I mean, it's— yeah.
And I hate to judge a book by its cover, but a site that looks like this would make me consider that perhaps their security is not the latest and greatest. Is that fair?
Online since 1997. I'm amazed that's not blinking. Yeah, yeah.
Foot lovers. I'm seeing monitor pics. Is that related to mouse?
The link is in the show notes for those that like to see it, because it's now offline right now. If you go to the site, for example, if you go to wifeposter.com, you will see their statement, which is basically saying we're not here. Now, problem number 2 then is that sites that have been around a long time that have built trust because they've been there for you day in, day out, may be hiding some nasty vulnerabilities because they're not being regularly patched, right? Even if it was state-of-the-art security at the very beginning, at the get-go, if it isn't properly managed, it goes out of date pretty quick.
Yeah, this is probably run out of some server in his basement. I mean, yeah.
So the icing on the cake here is that Robert Angelini Smashing Security has publicly speculated about the identity of the hacker that exposed all the data. Oh, what? He's pointed the finger at a family member, so he's actually attempting attribution. That's, that's, he's been fighting with a family member for two years and he's pretty convinced they know their way around the computer. I think they might have something to do with it. So the upshot here is delete accounts on sites that are not up to date. I think that's a fair statement. Check those— if you've got old Friends Reunited accounts out there— is Friends Reunited still even going?
I don't think— I don't know if it is actually. Got acquired.
Google it, Graham.
You're very good on the Google today.
In America, they have— is it Classmates, which is like Friends Reunited, isn't it? I think Friends Reunited was a British thing.
Yeah, it doesn't— oh, right, sounds familiar.
But basically there's a lot of old sites you might have been on 10 years ago that you've completely forgotten about, but those sites might still be going. Yeah.
MySpace.
And how do you even get off them if you don't even manage that email account anymore? I don't know.
Friends Reunited is dead. It was ultimately owned by DC Thomson, who of course are the publishers of the Beano comic for kids.
Oh, there you are.
There you go. But it is now dead. Fascinating.
Those are all words. I don't know what any of that means.
To be honest, I didn't hear most of today's podcast. Rule 34 has sort of blanked out everything else.
You should now Google Goatse. You should just break the seal and do it.
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo boo to allow the hackers in. Imagine running a company, hiring new staff and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare. That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Jonna Mendez.
Hey, Clue.
Hey, Carole.
Did you listen to my little bit about MetaCompliance and their e-learning?
Oh yeah, I heard that earlier in the show. Yeah, nice one.
Did you?
Yeah. Okay, well, have you signed up yet?
Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?
Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to smashingsecurity.com, you should know that website, /meta-compliance and enter the code smashing with a G.
SmashingSecurity.com/meta-compliance, enter the code smashing. Terrific.
With a G. Cool.
And welcome back and you join us at our favorite time of the show. It's the part of the show that we like to call Pick of the Week.
Pick of the Week.
The sound effect special episode. Pick of the week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Not security related necessarily.
It should definitely not be. We've done 100 of these. We know the rules now.
My pick of the week this week is a video which was put together by Wired magazine. It's rather fun. It is an interview with the former— a former CIA chief, specifically a chief of disguises.
Ooh. Huh.
Do you mean disguises? I'm now dressed as a hairdresser, I'm dressed as an engineer.
Yes, or a pirate or something like that.
Okay.
You needed to disguise yourself.
Is this—
This is just in time for Halloween.
CIA experts.
Yes.
Just in time for Halloween.
This is going to make my outfit.
It.
Unguessable.
Well, Ms. Mendez will explain in this video how disguises are used by the CIA and what aspects of the deception make for an effective disguise. And so it's a cute little video, very interesting, I thought. And give us a few tidbits.
Give us a few.
Well, she has a number of insights. First of all, she discusses how European and American people stand differently. So if you don't want to—
What, Americans are on one leg? Like flamingos?
Yes, flamingos.
Well, not like flamingos, but almost. Americans apparently shift their cargo over to one side and tend to lean a bit like Beyoncé on one hip.
Contrapposto, actually. It's the word. Thank you.
I didn't know that word either.
Contrapposto. It's an art word. Oh, what have you done? I'm just, I'm being defensive and American right now, okay?
Whereas Europeans apparently sort of balance between both legs.
They're just better.
Use both of them. Apparently, and I'm not so sure about this one, in the video she claims that Americans hold a cigarette between their two fingers on one hand.
Okay.
And she says that rather like Bond villains, Europeans hold a cigarette between their thumb and finger.
The pincer hold.
What? Maybe this is for mobsters or something.
Oh, I'll give you another one. Apparently we use knives and forks differently. So if you don't want to appear American—
Americans don't use them at all.
Yes, exactly.
Americans are like, "Yes, we do." I'm just kidding. No, this is true. We only use guns with our food. We shoot our food. We don't even bother with knives anymore.
Do you know what? In England, people regularly use knives and forks to eat a burger.
Of course.
Blasphemy.
Right? In America, you guys love eating with your hands. Sandwiches, pizza.
I personally don't, but yes, I know.
But it is true that Americans use a fork in the wrong hand, don't they? What? They do. Americans will put a fork in their right hand and then just shovel it in, shoveling the pasta or whatever. I've seen Americans do that.
I've seen you do that.
Well, yes, because I'm trying to make my North American friends feel more comfortable. I certainly was never taught to do that, and I would have been whacked for doing so.
Whacked?
Anyway, the thing is—
Whacked? Really? Rule 34 again.
Yeah, let's talk about this.
So a lot of this video appears to be about how to present yourself as not being American, which seems a little bit absurd to me, but—
You put a Canadian flag patch on your backpack. Everybody knows.
Was there any information on how to be skinnier?
Well, that's the thing. That's the thing, Carole, because she does say it's easier to make people fatter, older, and taller, but not the other way around.
Oh, okay. So there's no cool tricks about wrapping yourself in cling film or something?
I've been in disguise for a few years now. But the video's a little bit crazy because I do think, you know, if you're an American tourist in Europe, are you really going to go to all of these... Anyway, the most amazing thing of this whole video, and you should watch the video, is that she once wore a full face mask, Mission: Impossible style, as she briefed George H.W. Bush. And then she kind of ripped it off and went, "Haha, it's me!" And apparently he was fooled by this.
Did he choke on his pretzel when this happened? Yeah. So anyway, check it out. Interesting video.
What would you do, Graham?
That can be a useful thing if you're being tailed.
Breakaway pants.
He's suddenly in Speedos, covered in sun cream.
Everybody needs breakaway pants.
That is my pick of the week.
Maria, what is your pick of the week?
My pick of the week is The Good Place, which is a TV show in the States that you may have heard of, you may not have, I don't know. Controversial.
Okay, keep going, keep going.
Really, why is that controversial?
Let's talk about it first, then I'll tell you.
Well, it's a show that I can't give too much away about plot-wise because I don't want to ruin it for people who haven't seen it, but I don't generally watch network TV in the States, it's just not, none of it really appeals to me that much, and this is my exception.
I don't watch it.
I don't. I don't. What just happened?
I think he's having a heart attack.
Are you okay?
So I've seen the trailer, and that does give away a fair bit of the plot. I think you could probably explain the premise of the show.
Yeah, it's a show about heaven and hell, and about what it means to be a good person, which sounds really, really dull. But it generally, it's a comedy, isn't it? It is a comedy. It is really, really— it is really quite funny. It's funny in a cutesy way, I guess. And yeah, they— the writers of the show dive deep into a lot of philosophy stuff, college-level philosophy, I suppose. And they had an episode that won a Hugo in season 2 about the trolley problem, the ethics— the ethical trolley problem. It was a fantastic episode. So the trolley... Yeah, so you're the conductor on a train. You don't know this, Graham? Really?
I was thinking of shopping trolleys.
No, no, no.
You mean the thing where you can redirect the train down different paths and kill one person? Yes, yes.
One person or three people die. Which one do you choose, right?
When you say trolley problem, I'm imagining a shopping trolley with a wonky wheel.
That is a trolley problem.
Right.
Yeah, that is quite a trolley problem.
People don't normally die. Now, this show stars the guy from Cheers and Three Men and a Baby, doesn't it?
Yeah, Ted Danson. Ted Danson.
Does, and, but the other folks on the show are all really great. So it's the only show that I tune into every week that, you know. See, I'm fascinated.
So I'm like meh on it.
How much have you seen?
I've tried it. I think I watched most of the first season.
I tried. You didn't finish the first season. You need to finish the first season. That's the thing everybody says.
I do know the end. I do know the twist. I just, I don't know. I just found it a bit too candy flossy, a little bit. I know it's part of its shtick.
That is part of the shtick.
I found it irritating, for me.
It does change a little bit in season 2 once the twist is revealed. And I feel I just ruined the show. But that is a bit part of the shtick. I think part of the appeal, especially for those of us in the States, is it is completely apolitical. So it's kind of a nice departure from the normal drumbeat of dread that surrounds a lot of books. That I can appreciate. Yeah, yeah. So it is, it is, it is.
Does Rule 34 apply to The Good Place?
It absolutely does. That is, that is the twist. Of course it does. I'm 100% sure that the porn has been written. Not only— well, in the last episode, one of the stars of the show, he took his shirt off and the Twitter went alight about how ripped he was.
So are people shipping Ted Danson?
I'm sure they are. I don't look this up, I'm just sure they are.
You guys live in a different world. I'm just going la la la la la, that doesn't happen in my world, la la la.
Well, if you live on the internet as I do, I just don't go looking around in the deep dark recesses.
Oh, okay, so it finds you sometimes. You don't rate it great, but Maria says it's fab.
I didn't hate it. I'm not— I'd maybe give it a 5 out of 10, 6 out of 10 for me. For me.
Okay, fair, fair enough. This is probably the most mainstreamy one I've ever recommended.
Says the woman who recommended the Star Trek Enterprise laptop. Crow, what's your pick of the week?
Okay, so do you ever get irritated by all the screens that are around? You're on an airplane. I hate it. There are screens, right? There are screens in waiting rooms, televisions in sports bars, hotel lobbies, everywhere. And it gets annoying. So this guy's got around it by creating this thing called IRL glasses, or in real life glasses, effectively sunglasses that block the light emitted from screens.
A polarizing lens. That's literally what it is.
Yeah.
Okay, don't be all snooty, guys.
I'm shitting on this because this has been known technology for a while, so there. Okay, I don't want, can I start again and everyone just cheer the fuck up?
I don't like where this is going. You guys are just fucking crazy. What is going on today?
I have not had enough coffee is the problem. Okay, I'm starting again.
Shut up, both of you.
Be nice.
Look, he put them on glasses. Cool idea, right?
Cool idea. You guys, the fuck is making me laugh?
No, I don't want to do it now. I don't want to.
So this dude pastes two polarized lenses to his eyes and he sells them for an obscene amount of money.
Okay, Carole, you do it.
That's a great pick of the week.
But I'm just thinking this could be a really good Christmas gift for my mom, right? So my dad loves watching action films really late at night. Really gritty detective stuff, that sort of stuff. Mom has trained him, right, to use headphones so the noise doesn't bug her while she's doing her reading. But still, she hates sitting in the same room because all the whiz-bang stuff. But then of course she has to read with sunglasses, which poses a whole new—
Yes, polarizing lens. They're very, very dark. I mean, anyone who's used a camera with a lens on it, proper old school style, they're quite dark. They make the sky look nice and blue. Nice, beautiful, nice scene.
Right, but if you had limited lighting in a room, it wouldn't work. Yeah, it wouldn't work. Don't ruin it. Oh, okay, back to the drawing board.
Yeah, yeah. I just wish people would just turn the damn things off.
I don't know.
Oh, I agree.
That's an easier solution.
I agree, but they don't, right? I imagine many first dates are just destroyed by someone just looking at the TV and the other person looking at the person going, seriously?
No, many first dates are ruined by the fact that you're there delivering pizza and it turns out he's trying to rob you instead of having a date. That's what goes wrong, Carole, these days.
And we've come full circle.
See, that's how you wrap up a show.
That was so bad.
And on that incredibly smooth transition, I—
Wow. Do you really want me to include that?
So, Maria, Maria, if people want to follow you online, what's the best way to do that? Follow me on Twitter, even though my story was about how bad Twitter is. Follow me on Twitter anyway. And you can also follow us on Twitter as well, @SmashingSecurity, no G. Twitter won't allow us to have a G. And you can check out our online store where we've got some t-shirts, stickers, and a range of mugs as well at smashingsecurity.com/store. Thank you for tuning in. If you like the show, rate us on Apple Podcasts, tell your friends, and subscribe.
It really helps, guys. Please do.
It really does. So until next time, cheerio. Bye-bye.
Bye.
Bye.
Holy mother God, I'm sorry. I had to mute myself at a point. I was like, I can't stop laughing.