101: Rule 34, Twitter scams, and Facebook fails

A Facebook friend request leads to arrest, Twitter scams ride again via promoted ads, and adult websites expose their members. Oh, and Graham finds out what Rule 34 is.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. Hey, there's a niche for everything, right?


MARIA VARMAZIS. Oh, it exists. Yes, Rule 34.


GRAHAM CLULEY. I don't know what that means.


MARIA VARMAZIS. You don't know what Rule 34 means?


GRAHAM CLULEY. No.


MARIA VARMAZIS. Oh no, I have to be the one to tell you on air.


GRAHAM CLULEY. Should I Google it?


MARIA VARMAZIS. Oh yes.


GRAHAM CLULEY. I'm Googling.


CAROLE THERIAULT. Oh no. Oh no.


UNKNOWN. Smashing Security. Episode 101: Rule 34, Twitter Scams, and Facebook Fails with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 101. My name's Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole.


CAROLE THERIAULT. Hello, Mr. Graham.


GRAHAM CLULEY. And we've got a returning guest, it's our family favorite, it's Maria Varmazis. Hello, Maria, as well.


MARIA VARMAZIS. Hello, everyone.


CAROLE THERIAULT. You should have let him keep going, see how high he could get in his pitch.


MARIA VARMAZIS. Hello! Hello everybody!


CAROLE THERIAULT. I have no doubt, Ria, that you can go get right up there.


GRAHAM CLULEY. Study on.


MARIA VARMAZIS. Anywho, I had a question for you, Graham.


GRAHAM CLULEY. Oh yes.


MARIA VARMAZIS. All right, so I haven't been watching the new Doctor Who because it's not in the States legally yet in ways that I can acquire. But I know one of the new companions' name is Graham. I want to know if your inner child is freaking out every time he comes on the show.


GRAHAM CLULEY. It's really weird because Graham isn't a name which I encounter that often. There aren't that many Grahams in the UK.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. I would argue.


CAROLE THERIAULT. Yeah, there's no Graham Norton who's on TV almost every—


GRAHAM CLULEY. He's one. He's one. How many others are there compared to Johns or James or Waynes and things? Well, maybe not Waynes.


MARIA VARMAZIS. Wayne?


GRAHAM CLULEY. But Dave or something like that, right? That's fairly common. So it's a little bit odd because I keep on hearing the name Graham when I listen to my Doctor Who podcasts.


MARIA VARMAZIS. And every time the Doctor says Graham, I presume she says it a few times and I can't get everything and say the Doctor, she, yeah, isn't that like, if Captain Picard had ever met a Maria, I would have freaked out. I just would have.


GRAHAM CLULEY. Seriously, have you not watched any of the new Doctor Who?


MARIA VARMAZIS. I have not at all.


GRAHAM CLULEY. Oh my goodness. Not yet.


MARIA VARMAZIS. I know. And I keep hearing, I keep reading all the spoilers about them and I have not had a chance to actually watch them myself. So I'm really excited. I hear they're great.


CAROLE THERIAULT. I haven't really been paying attention, but I've just gone to the website ranker.com and there's a lot of famous Grahams.


GRAHAM CLULEY. Okay. You're saying a lot of Grahams are Rankers?


CAROLE THERIAULT. Yeah, there's a lot of them. Okay, quiz time, quiz time.


MARIA VARMAZIS. All right.


CAROLE THERIAULT. What percentage of data breaches originate from email?


GRAHAM CLULEY. Ooh, 7 out of 10.


CAROLE THERIAULT. Ha, it's a pretty good guess, but you're way wrong. 96%. Oh, bloody. And one of the big things that companies have to worry about is phishing scams, because that's the kind of way that hackers and other baddies break into your company.


GRAHAM CLULEY. Because that's how they get your passwords.


CAROLE THERIAULT. That's how they get your passwords. So MetaCompliance make it easier to train and prepare your whole environment to stop these kind of attacks. They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com. Smashingsecurity.com/metacompliance.


MARIA VARMAZIS. That's smashingsecurity.com/metacompliance.


CAROLE THERIAULT. Hey Graham.


GRAHAM CLULEY. Hey Carole.


CAROLE THERIAULT. I have a question for you about these password manager things you keep talking about.


GRAHAM CLULEY. All right, go on then, shoot.


CAROLE THERIAULT. What happens if you forget your master password? What are you gonna do about that?


GRAHAM CLULEY. Oh, you think you're really clever, don't you?


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. You think if you've forgotten your master password, you can't access any of your other passwords anymore. Well, piff, paff, poof, Carole, because if you are running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory, and that means the same password that your employees are already comfortable with using to log into your system will unlock everything. It will unlock their passwords, it will unlock their work. Makes it super easy to bring LastPass into your enterprise.


CAROLE THERIAULT. Seriously? And it's still super safe?


GRAHAM CLULEY. It's still super safe.


MARIA VARMAZIS. Wow!


CAROLE THERIAULT. That's kind of cool.


GRAHAM CLULEY. It's a great way of getting new employees using passwords safer and more securely. Rock on, LastPass!


CAROLE THERIAULT. LastPass, I say.


GRAHAM CLULEY. And Carole, if you or indeed our listeners want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. So let me take you to the city of Reading, Pennsylvania.


MARIA VARMAZIS. I've been.


GRAHAM CLULEY. Have you?


MARIA VARMAZIS. I have.


GRAHAM CLULEY. Oh, what can you tell us about it?


MARIA VARMAZIS. Not much.


GRAHAM CLULEY. Okay. The city of Reading, Pennsylvania. It's 1 o'clock in the morning. It's dark.


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. Most people are asleep.


CAROLE THERIAULT. What am I wearing?


MARIA VARMAZIS. You tell us, girl.


GRAHAM CLULEY. Guys, I'm trying to make this atmospheric. I'm setting the scene, all right?


MARIA VARMAZIS. You can probably smell the distant smell of cow manure wafting in over the land.


GRAHAM CLULEY. Cows are mooing. Owls are hooting. There's a dog barking in the distance.


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. A cat meowing. Somewhere you hear the sound of a mosquito burning as it lands on a hot lamp. And a young female pizza delivery driver is on her way with a stack of pizzas to a home on Windsor Street. She's got a pile of pizzas worth $75. She walks up the path to the house.


MARIA VARMAZIS. Is this the Halloween edition of Smashing Security?


GRAHAM CLULEY. She rings the doorbell.


MARIA VARMAZIS. It's more of a zzz. Or dee dee dee dee.


GRAHAM CLULEY. But there's no answer. So she ends up going back to the restaurant and her boss, let's call him Luigi or something like that, tells her to try harder, right?


CAROLE THERIAULT. Tells her to try harder?


GRAHAM CLULEY. She calls the customer on her cell phone. And he says, oh yeah, I'll be waiting for the delivery outside the house. So she goes back to the house. It's now about half past one. Right? Again, noises.


CAROLE THERIAULT. And you know what podcast you're on. You're just on cybersecurity podcast. You know exactly where you are.


GRAHAM CLULEY. A man steps out of the shadows and she says, oh, can I have $75 please for these pizzas?


MARIA VARMAZIS. Oh, that's not how it usually happens.


GRAHAM CLULEY. He rummages deep in his pockets and then a second man leaps out of the alley with a gun. Put the food down and give me all your money, he says.


MARIA VARMAZIS. That was— no.


GRAHAM CLULEY. Terrified. What?


MARIA VARMAZIS. Nothing.


GRAHAM CLULEY. Put down the food and give me all your money.


MARIA VARMAZIS. Jimmy Cagney.


CAROLE THERIAULT. I'm just holding my head in my hands. I'm just, you know.


GRAHAM CLULEY. Terrified, the delivery driver does what she's told and gives him the cash that she's carrying, which is just $35. And she scarpers, and the robbers take the food, and they clear off as well, right? Now back at her car, she calls the police. And the policemen come around, they search and everything. And there's no one in the house and they can't see any sign of these bad guys, right? And that is the end of the story.


CAROLE THERIAULT. Well, thanks very much.


MARIA VARMAZIS. That's a great segment for Smashing Security. Yeah. Let me go into my story now.


GRAHAM CLULEY. Chapter 2. 26 days later, the pizza delivery woman receives a Facebook friend request. And she thinks, I know that guy, even though he's not holding a gun. It's the robber.


MARIA VARMAZIS. Dun dun dun!


GRAHAM CLULEY. And she thinks to herself, I bet that's not even your real Facebook profile. So he then sends her a new friend request from his real Facebook account. And of course she goes to the cops. She lends criminal investigator Buck Wendell her phone.


CAROLE THERIAULT. What a name. You're kidding. Criminal investigator Buck Wendell.


GRAHAM CLULEY. Buck Wendell on the case. Part of the Reading, Pennsylvania cops.


CAROLE THERIAULT. I so hope he's super cool.


GRAHAM CLULEY. Yeah, but he is cool. And this week, police have arrested 26-year-old Jarrell Guzman.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And charged him with robbery, theft, and simple assault. That does seem like he was a pretty simple fellow from the sound of things. Send the friend request. The cops say that Guzman wanted to apologize to the pizza lady. So I'm guessing he did this.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Oh, see, now that's your heart, isn't it? I'm guessing he just thought she was hot. As, you know, as hot as the pepperoni on his pizza.


CAROLE THERIAULT. Maybe he could get a bit of that as well as robbing her.


GRAHAM CLULEY. Get some of that on the side. Guzman, who isn't from Windsor Street, which is where the robbery took place, but on Moss Street, has been committed to the county prison in lieu of $20,000 bail. But what we don't know is how Guzman found the victim on Facebook. So having committed the robbery, how did he then make the connection? I was wondering about this and I thought, well, maybe he got her phone number when she called up his cell phone, possibly. Or maybe it's her link with the pizza restaurant. Maybe he found the pizza restaurant on social media.


CAROLE THERIAULT. Or maybe she said, I work there.


GRAHAM CLULEY. Or maybe she had a name badge on. Or who knows what.


MARIA VARMAZIS. Probably he got one of those Facebook suggestions, the friend suggestions. You've got all these phone numbers in your phone. Oh, we know who those people are.


GRAHAM CLULEY. So maybe it's Facebook's artificial intelligence.


CAROLE THERIAULT. Probably, yeah, linking them together.


GRAHAM CLULEY. Big data.


MARIA VARMAZIS. It's the red string of fate, isn't it? It was meant.


CAROLE THERIAULT. Okay, so, so basically I don't really understand why there was a gun in this. Yeah, involved in this. Like, surely if the guy just went up and said, hey, give me the pizzas now or else, and there's two of them and you're outside and there's no one around, I just go, here you go, dude, take them.


MARIA VARMAZIS. Because America, that's why.


GRAHAM CLULEY. Because she might know karate or something like that. Isn't that why they—


CAROLE THERIAULT. No, but who's gonna fight over her?


GRAHAM CLULEY. In America, Carole, pizza delivery women might actually be armed. They might be locked and loaded.


CAROLE THERIAULT. And they're going to be protecting the pizza with their lives. Is that what you're saying?


GRAHAM CLULEY. I'm just saying that obviously people go around carrying guns in America. You're just saying it's ridiculous. It's not ridiculous. It's not ridiculous.


CAROLE THERIAULT. I just say it's ridiculous that they felt that need for guns.


MARIA VARMAZIS. I have like 5 guns on me right now. It's true. I have like one on each leg. It's a thing.


CAROLE THERIAULT. Okay. Some of our listeners, can you just be clear that you're actually lying right now?


MARIA VARMAZIS. Am I?


CAROLE THERIAULT. This is a joke.


MARIA VARMAZIS. Haha, I'm gonna leave you wondering, am I lying?


CAROLE THERIAULT. And number 2, the guy, okay, so what, the guy felt bad and then reached out to say sorry?


GRAHAM CLULEY. No, he fancied her, come on.


CAROLE THERIAULT. Wow, cynical, cynical, 80-year-old Adrian.


GRAHAM CLULEY. No, I'm just a man. I know how it works. You know, you're gonna think, she was a bit hot, but I robbed her. I wonder if I apologize whether she'll then go out on a date with me.


CAROLE THERIAULT. I have a conversation starter.


GRAHAM CLULEY. Yeah, exactly. It is a conversation starter because that's often a challenge, isn't it? If you're trying to chat up a lady.


CAROLE THERIAULT. Tell you what, that would turn me on.


GRAHAM CLULEY. Would it?


CAROLE THERIAULT. Yeah.


MARIA VARMAZIS. No! I'm learning too much about you today. What you're wearing, what turns you on. Didn't need to know.


CAROLE THERIAULT. Someone has to lower the tone.


GRAHAM CLULEY. Anyway, lock down your privacy settings, folks. Be careful what you post or where you say where you might work, for instance. You know, don't share your phone number. Don't allow people to look you up by your mobile phone number either. Although in this case, it actually helped entrap a bad guy, didn't it? But normally it's bad news.


MARIA VARMAZIS. I'm actually surprised this hasn't happened more often. Anyone who gets a food delivery nowadays, the delivery driver calls you from their personal cell phone number. So I've had so many people call my house, and I don't know who they are, so—


GRAHAM CLULEY. You know why it doesn't happen more often? Because normally the relationship then flourishes. There's no reason to go to the police, because this is the way in which young people meet each other.


MARIA VARMAZIS. Oh, this is better than Tinder is what you're saying.


GRAHAM CLULEY. Exactly. This is how people meet each other.


MARIA VARMAZIS. And this is based on what evidence of yours, Graham?


CAROLE THERIAULT. Can I just say, I don't know what planet you guys live on.


GRAHAM CLULEY. Thank God you're entertaining.


CAROLE THERIAULT. That's all I got to say.


GRAHAM CLULEY. Hope you like the sound effects.


MARIA VARMAZIS. How can I follow up to that? I'm not doing sound effects in mine. You guys can supply your own, but I don't think I can be that thrilling. I'm sorry.


CAROLE THERIAULT. Graham can jump in.


MARIA VARMAZIS. My story, instead of being about Facebook, is about another social network that's been causing a bit of agita, and that's Twitter. This is my own little bit of gumshoe reporting. I actually saw a scam going down on Sunday. No way. I did. Oh my God. Basically, what I saw on Sunday was a verified account that had renamed itself to say that it was Elon Musk. I'm giving 1,000 bitcoin to my followers. To identify your address, just 0.1 to 0.3 bitcoins to the address below and get 1 to 30 bitcoins back to your address, followed by the bitcoin address. And then, oh, if you're late, your bitcoin will be sent back to you. And I'm going, okay, how the heck did this appear in my timeline? How is this— how did this get past all of the Twitter quality controls? And who the hell would actually fall for something like this? I mean, this is so obviously a scam. And thankfully, a lot of the comments in response were like, this is a total scam.


GRAHAM CLULEY. And this wasn't just a tweet. This was a promoted— a promoted tweet. Yeah.


MARIA VARMAZIS. I'm sorry if I didn't clarify. It's a promoted tweet from a verified account. So it had one of those blue check marks next to the name. And I don't know how you get one of those. Graham, you have one of those, right?


GRAHAM CLULEY. I do, yes.


MARIA VARMAZIS. Yeah. What did you have to sign over for them to verify you?


GRAHAM CLULEY. You have to—


CAROLE THERIAULT. A lot of information. I actually stopped halfway through the verification process. I was like, geez.


GRAHAM CLULEY. Yeah, you have to enter the seventh circle of hell basically and sign over your youngest child.


CAROLE THERIAULT. It doesn't—


MARIA VARMAZIS. Like, so it's hard to get one of these things and it gives you a lot of social cachet on the site. You know, ooh.


GRAHAM CLULEY. Huge cachet. Huge cachet if you've got one of those.


MARIA VARMAZIS. Yeah, it's like people fall at your feet when they meet you kind of thing.


CAROLE THERIAULT. Graham glows now, he glows.


MARIA VARMAZIS. I can only imagine what it must be like to have one of those. I can just only dream. Yeah, and this account was verified, the tweet was promoted, and again, it was said it was promoted by Elon Musk right at the bottom. So how did this pass all of the Twitter flags? Anyway, so I saw this happening at about 1:00 PM on Sunday, and I figured this was gonna get taken down within minutes, so I screencapped it for, I checked on Monday morning, that tweet ran for at least 12 hours. Which was like, that's a long time for a scam to run.


CAROLE THERIAULT. Did you report it?


MARIA VARMAZIS. I did. And a number of other people did, too. People were tagging Twitter support, that kind of thing. And I'm honestly surprised it took them 12 hours to take that down.


CAROLE THERIAULT. Well, it was a Sunday, right?


MARIA VARMAZIS. Yeah. You think they're not working on Sundays?


CAROLE THERIAULT. Yeah, I don't know. There may be less— there's always staff on Sundays in tech firms.


MARIA VARMAZIS. I'm less about the response time and more how did this even happen in the first place? My guess is that this verified account had really poor security on their own account. They didn't have two-factor authentication set up. Somebody reused their credentials and they just abandoned their account at some point. Looks like they hadn't tweeted anything since July. And these scammers said, well, we have an in. We can break into this account. We can figure out how to reuse this account without setting off any of the Twitter security flags and set off this very obviously scammy tweet. And I looked up the bitcoin address and they actually— do you want to guess how much money they made in 12 hours from that one tweet?


CAROLE THERIAULT. Tell me.


MARIA VARMAZIS. Well, they had about 17 deposits made to their account.


GRAHAM CLULEY. Really?


MARIA VARMAZIS. Within those 12 hours. Yep. Most of them were really tiny. Some of them worth about $10, but some of them were several thousand dollars. So—


CAROLE THERIAULT. Shut the front door.


MARIA VARMAZIS. Within 12 hours of that tweet going live with just 17 deposits, they made over $10,000.


GRAHAM CLULEY. Oh my goodness.


MARIA VARMAZIS. Yeah. It's good money if you can get it, right?


CAROLE THERIAULT. And Twitter doesn't get to see a penny of it.


GRAHAM CLULEY. But the ad was promoted. So someone paid Twitter, maybe with a stolen credit card or something. Something, but it wouldn't— they wouldn't have spent anything like that.


MARIA VARMAZIS. No, maybe, maybe $50 at most, maybe $100. It doesn't cost very much. I've done these before. It really costs very little money.


GRAHAM CLULEY. You've done these scams before?


MARIA VARMAZIS. I've done these scams before, yes. Just to be clear, I have not done these scams before. When I've promoted tweets, it's— you pay per impression, so, you know, you're paying cents on the dollar. It's super cheap. So they made in 12 hours $10,000 or more less $50. Which is great money if you can get it.


CAROLE THERIAULT. That's, that's a lot more money than I make.


GRAHAM CLULEY. Oh, is it? Oh, I'm so unfortunate.


MARIA VARMAZIS. We need to rethink our careers is basically all I'm saying. And I noticed as of Monday morning, whoever has access to this bitcoin address already started making withdrawals like in large chunks. So I figure they're going to start celebrating October 5th. Yeah.


GRAHAM CLULEY. I mean, it's not even a sophisticated scam, is it?


MARIA VARMAZIS. No.


GRAHAM CLULEY. It's simply saying, fill up our bitcoin wallet and we'll give you more bitcoins back. And there are dumb people out there who—


MARIA VARMAZIS. who fell for it.


CAROLE THERIAULT. Yeah, guys, don't call them dumb. Why would you do that?


GRAHAM CLULEY. Gullible?


CAROLE THERIAULT. Just because they're giving lots of money away to something they don't really understand.


GRAHAM CLULEY. There's altruistic people out there and kind, generous people who are donating their bitcoins and they're never going to see them again.


MARIA VARMAZIS. I mean, maybe.


CAROLE THERIAULT. Yeah, but the tweet wasn't all emotional, was it?


MARIA VARMAZIS. It wasn't. No, I read it to you at the beginning. It's very, just give us bitcoins and maybe we'll give you some back. And maybe they forgot that bitcoins have some sort of monetary value. They're going, oh, half a bitcoin. What's that? A third of a bitcoin. It's nothing.


CAROLE THERIAULT. So they're basically being fooled by the Elon Musk, the verified tweet, the promotion of it.


MARIA VARMAZIS. All those cues. Yeah, those cues that usually indicate on Twitter that something's generally trustworthy.


GRAHAM CLULEY. Promoted by the real Elon Musk.


MARIA VARMAZIS. It was not.


GRAHAM CLULEY. I'm going to guess. It was someone else who has that screen name, at the very least. And the promoted by line doesn't tell you whether that account owner is verified or not. So that's certainly one way maybe of tricking this system. The other thing is, though, did you see Elon Musk, what happened to him this week, is he had his real Twitter account closed for a while because Twitter— Did he really? Yes.


MARIA VARMAZIS. I did not know this.


GRAHAM CLULEY. Because Twitter identified that his account was acting strangely. His Twitter account, his Twitter account had posted, I love anime, and posted an image with the text, wanna buy some bitcoin? And he said something about he's got a Wolverine named Chibi or something. So really bizarre tweets.


MARIA VARMAZIS. Interesting.


GRAHAM CLULEY. And then Elon Musk said, oh no, that really is me. I'm just... He's clearly a bit crazy.


MARIA VARMAZIS. He's speaking the language of my people, but I'm amazed I didn't hear about this. That's incredible.


GRAHAM CLULEY. But it's a weird world where the fake Elon Musks on Twitter are more plausible than the real Elon Musk on Twitter.


MARIA VARMAZIS. Oh my God. Well, I mean, when I was looking at the account that got taken over, it's a Swiss life insurance brokerage app.


GRAHAM CLULEY. Right.


MARIA VARMAZIS. What? And so they'd been tweeting on and off for a few years about life insurance, sometimes in German, sometimes in English, but really, really dry stuff. And then they go silent for a few months. Perhaps their account had been taken over and they couldn't regain control, or perhaps they just abandoned their account. Who knows? And suddenly it's— they're retweeting Elon Musk tweets about Bitcoin, and then suddenly they're tweeting about Bitcoin. And I'm just wondering why Twitter doesn't have anything in place to go, you know, that's really unusual to go quiet for that long and then start talking about something you haven't talked about before, especially from a verified account. You'd think they'd have stronger, I don't know, filters or something.


CAROLE THERIAULT. Is there any reason why Twitter wouldn't jump down this throat and try and take it offline really quickly? Is there any?


GRAHAM CLULEY. They don't make money. I think the reason why this is happening is they are simply flooded with so much of this.


MARIA VARMAZIS. Yeah, yeah.


GRAHAM CLULEY. I think there's so much of this going on that they cannot cope with it.


CAROLE THERIAULT. But can't they just go, oh, that's a brand new account, maybe we'll hold off for a bit, or maybe we don't allow tweets right away if someone changes a password?


GRAHAM CLULEY. Well, they probably could do something, yes, or put people in limbo or, you know.


MARIA VARMAZIS. Yeah, previous accounts, they would try doing scams like this, they would actually rename the handle. And then that was a red flag. So I think Twitter has stopped allowing people to do— I think the verification goes away if you rename your handle.


GRAHAM CLULEY. That's right.


MARIA VARMAZIS. But in this case, they actually just changed the display name so that the handle was the same, but the display name said Elon Musk. And that doesn't set off any red flags, apparently.


GRAHAM CLULEY. So do you have any tips for people as to how to better protect their accounts?


MARIA VARMAZIS. Yes. So don't use your same password that you use on Twitter anywhere else. Keep a unique password on Twitter and turn on two-factor authentication. Between those two things, you're going to be much better off than a lot of folks. And selfishly, if you run a social media account for a company, make sure you don't abandon your Twitter account and just leave it sitting rotting in a corner. Somebody should always have access to that account because if some stuff like this can happen and you want to be able to regain control quickly before your company has egg on its face. I mean, I don't think Twitter is making that much money from these scams either. I don't think it's a selfish thing of, oh, we're making money, so we want to let the scammers do their thing. If anything, this is probably hurting credibility of the platform, which, you know, such as it is.


CAROLE THERIAULT. And Elon Musk's stellar reputation for PR and handling situations.


MARIA VARMAZIS. One must consider such things. Yes.


GRAHAM CLULEY. Stop picking on Elon Musk. He's not the only famous person on Twitter who's posted the occasional bizarre message, is he? Covfefe, right?


CAROLE THERIAULT. I was thinking more Kanye.


MARIA VARMAZIS. I was thinking more McAfee, not Covfefe. Where does it end?


CAROLE THERIAULT. Cluley.


GRAHAM CLULEY. Wait, stop that.


MARIA VARMAZIS. Stop that.


GRAHAM CLULEY. Fantastic. Well, Carole, take us from the craziness of Elon Musk and bitcoin scams to whatever you've discovered this week.


CAROLE THERIAULT. Thanks to things like disinformation or fake news, data breaches, ransomware, Russian hackers, a lot of us are getting uneasy around technology. You know, you keep hearing of people abandoning Facebook and such. One way to handle or tackle this problem is to stick to sites that you've liked and used for a long time. So if, for example, you like getting your news from the BBC and you've been doing that for years and you trust what they say and you like how they operate, you're going to continue doing so, right?


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. Now BBC is a big site and it has a big robust tech team providing and protecting services that it offers. But of course, there's a zillion legacy websites that are much smaller operations than BBC. And some of these smaller legacy sites may not have updated their services and not be au courant with security infrastructure of today.


GRAHAM CLULEY. Oh, that was French, was it?


CAROLE THERIAULT. Au courant.


GRAHAM CLULEY. For a moment, I thought you said, oh, the Quran. I thought that's going to cause us some trouble. Okay, carry on, Carole.


CAROLE THERIAULT. So, so sites that have created themselves maybe a decade ago that have just been ticking over nicely may not have invested in security infrastructure or additional layers to improve their services, et cetera, et cetera.


GRAHAM CLULEY. Come, come, come, come. Nonsense.


CAROLE THERIAULT. There may be sites like this where you've shared some sensitive information. You may have put on your contact details or you've given them passwords or payment information or personal messages. But as you haven't had any trouble yet, you haven't really given a moment's thought. Well, this is your ding, ding, ding, ding. The wake-up call is here. Yeah, I'm doing sound effects.


MARIA VARMAZIS. Nice.


CAROLE THERIAULT. You're welcome. And I'm hoping this example, this recent data breach, will drive the point home.


MARIA VARMAZIS. For the next 100 episodes, every episode has some sound effects. I think they were establishing that with 101. No stories if you can't do a sound effect.


CAROLE THERIAULT. Okay, Graham, if you would take over sound effects from now on for me, because my topic, my topic might need some more advanced skills that I have. Okay, so, so this week Ars Technica reported on how 8 adult websites were hacked.


MARIA VARMAZIS. Oh, you're gonna do—


GRAHAM CLULEY. I'm not doing, I'm not doing a sound effect for Ars Technica.


MARIA VARMAZIS. What about adult websites?


GRAHAM CLULEY. Don't work. Yeah, there you are. Oh wow.


MARIA VARMAZIS. Wow. Wow.


GRAHAM CLULEY. Might need some oiling.


MARIA VARMAZIS. Was that the zipper coming undone? What was that?


CAROLE THERIAULT. Get some WD-40. Oh God.


MARIA VARMAZIS. Good luck, girl. Okay, good luck.


CAROLE THERIAULT. Okay, now where was I? So Ars Technica reported on how 8 adult websites were hacked and the personal data of its users was slapped online. The attackers exploited a script that was used on all these 8 sites, including IndianSex4You.com, NudeAfrica.com, NudeLatins.com— do you see a trend here?— NudeMen.com, and White Wifeposter.com.


GRAHAM CLULEY. Oddly.


MARIA VARMAZIS. Here's a sound effect.


GRAHAM CLULEY. Wife? Wife poster?


CAROLE THERIAULT. Yes.


MARIA VARMAZIS. Posters of your wife.


GRAHAM CLULEY. It's a site where you can order a poster of your wife rather than one of Bon Jovi or whoever it is you have on your wall.


CAROLE THERIAULT. It's unclear. This is pictures of users' spouses.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Unclear whether the affected spouses have actually given consent to their images being made available online. Ooh.


MARIA VARMAZIS. Ooh.


GRAHAM CLULEY. Would I be correct in assuming that these pictures of women are of them scantily clad or in compromising positions rather than down the supermarket?


CAROLE THERIAULT. I think you could probably answer that for yourself, Graham.


GRAHAM CLULEY. I think I have. Okay, carry on.


CAROLE THERIAULT. In the exposed data, there was IP addresses connected with the sites. There were user passwords that were hashed using a 4-decade-old crypto called DEScrypt. Uh-oh. 1.2 million unique email addresses were also picked up and displayed and exposed, although the owner says that only 10% of those people are actual users of the site. In any case, this is kind of dwarfed by the Ashley Madison 2015 hack where I think 35, 36 million users had their information stolen. And payment details were stored separately. So according to a statement from the owner and of the affected toxic sites, they have not been compromised.


GRAHAM CLULEY. But still bad because this data might identify you as obviously a user of these rather dodgy websites, right?


CAROLE THERIAULT. Well, exactly. So when I heard about the fact that one of these sites was about posting images of your spouse, you're thinking, okay, well, maybe the pics of the spouse aren't identified and maybe the user who posted this picture used a unique username that was tied to a secondary unused email account and kind of protects his or her identity. Right? So that I'm kind of thinking maybe the reputations of the spouse, of the users, yeah, could maybe not be associated in real life.


GRAHAM CLULEY. Yeah. So rather than my real name, I might have chosen a username, something.


CAROLE THERIAULT. Yeah, like hot dog or something, right?


GRAHAM CLULEY. Graham Oxford.


MARIA VARMAZIS. Graham Cracker.


GRAHAM CLULEY. Graham Cracker.


CAROLE THERIAULT. However, turns out that on this site, customers were allowed to have two email addresses, one for public-facing interactions and a private one to manage their account, you know, pay money, whatever. And the bad news is, is the private one got nabbed and publicly ousted as well. Now, Dan Goodin from Ars Technica wrote that a simple web search of these private email addresses quickly returned accounts on Instagram, Amazon, and other big sites that give the users' first and last names or geographic location or information about hobbies, family members, and other personal details. So seriously not good.


GRAHAM CLULEY. No, not good.


CAROLE THERIAULT. Yeah. Now, it took the owner of these websites, a guy named Robert Angelini, so it took him 3 days to verify and confirm the breach. And he took down the site. Actually, he was contacted by friend of the show Troy Hunt, who actually was contacted. Yeah. So he's the one who got in touch with him saying, I think you've got a problem.


GRAHAM CLULEY. So it's just one guy running all these different websites, and all of them are basically insecure and not safe.


CAROLE THERIAULT. Yeah, basically, yeah. And the thing is, is that this guy doesn't seem to be making a ton of money. He claims last year, and one, you know, in his article, that he only made $22,000 USD from the site. So this is one of the problems, right? He's basically saying, I'm taking the site down, it's now offline, and you know what, isn't going back up unless I get this whole problem fixed.


GRAHAM CLULEY. He should promote the sites on Twitter with a promoted ad from Elon Musk to help.


MARIA VARMAZIS. Yeah, it could help him out.


CAROLE THERIAULT. But there's a serious problem, right? Small companies like this that just shut down and throw away the key because it's not that profitable and they don't care. That doesn't help the victims, right? The customers that have been paying the money, the customers whose basically lives have now been totally exposed. They're the ones who are up shit creek with identifiable personal escapades on show for the world to see. The other problem, these sites have been— he claims he's been running them for 21 years, and he sees them more of as a hobby. And the piss-poor security kind of backs that up, doesn't it?


MARIA VARMAZIS. I'm just imagining at an icebreaker at a party, like, what are your hobbies? I run adult websites.


CAROLE THERIAULT. I run 8 adult websites, one called— yeah, let me show you.


GRAHAM CLULEY. Making $20,000 a year from all of these sites, might he not be better off trying to sell the domain names? Nude Latins, nude men. What was it?


CAROLE THERIAULT. You're looking to buy, Clue?


GRAHAM CLULEY. No, I'm not. But there presumably are porn, proper porn companies who would be interested in nude Latins. So that'd be like Julius Caesar, maybe, without his toga on. I wonder. Hey, there's a niche for everything, right?


MARIA VARMAZIS. Oh, it exists. Yes. Rule 34.


GRAHAM CLULEY. I don't know what that means.


MARIA VARMAZIS. You don't know what Rule 34 is? Oh no, I have to be the one to tell you?


CAROLE THERIAULT. On air.


GRAHAM CLULEY. Should I Google it?


MARIA VARMAZIS. Oh yes.


GRAHAM CLULEY. I'm Googling.


MARIA VARMAZIS. Oh no.


GRAHAM CLULEY. Okay, I'm going to find out live on air. Right, okay, let's see what this means. Rules of the internet. Okay, here we are. What does this mean? Okay, hang on a minute. Let's just see. It's loading.


MARIA VARMAZIS. It's like when somebody has never heard of Goatse before and you're like, well.


GRAHAM CLULEY. I've been told not to look at that.


MARIA VARMAZIS. Oh, you can Google that too if you like.


GRAHAM CLULEY. I've come to know Rule 34. Okay, I'm scrolling down. I don't understand. There is— oh, I see. There's— so it's— it's— there's porn for everything. Yes, basically.


MARIA VARMAZIS. Yes, basically somebody names two things that are just bizarre and you go, oh, that's gross, and you just say Rule 34, there's porn for it. And they're usually— I have yet to be proven wrong.


CAROLE THERIAULT. Is this a pastime, Maria?


MARIA VARMAZIS. Yes, this is my hobby. I— when I go to icebreakers, this is what I tell people. I've ruined their lives. So I'm looking at a mouse mat right now.


GRAHAM CLULEY. There's gonna be mouse mat porn. If I Google for mouse mat porn, I'm going to look for this right now.


CAROLE THERIAULT. Is safe computing on? You do have a child in the house.


MARIA VARMAZIS. I, I don't know what mouse whatever is, but okay, that's, uh, I'm sure there is porn for it.


GRAHAM CLULEY. I've been taken to a Pinterest page.


MARIA VARMAZIS. Turn around now. Back out.


GRAHAM CLULEY. Back away. Backing off. I'm backing off. Let's, let's get back to the podcast.


MARIA VARMAZIS. No, I had to be the one to tell you about Rule 34. All right.


CAROLE THERIAULT. That's like a virginity being broken.


MARIA VARMAZIS. I'm so sorry.


CAROLE THERIAULT. Yeah, it's a bit gross.


MARIA VARMAZIS. Okay, now look, I—


CAROLE THERIAULT. So this site, this adult site's been around for 21 years. Just take a look. I put a link in for you guys. Just take a look at, um, how the site looked, um, just a few days ago.


GRAHAM CLULEY. Okay. All right.


CAROLE THERIAULT. Right. So you can see how modern it is. What I'm saying is this does reek of a site that's 20 years old, doesn't it?


GRAHAM CLULEY. Oh yeah, it looks like a sort of—


MARIA VARMAZIS. It's still loading.


CAROLE THERIAULT. It looks like Yahoo.com circa 1998.


GRAHAM CLULEY. Or like GeoCities or something like that. It does look— He probably creates this website in Edlin or some sort of text editor, doesn't he? I mean, it's— yeah.


CAROLE THERIAULT. And I hate to judge a book by its cover, but a site that looks like this would make me consider that perhaps their security is not the latest and greatest. Is that fair?


MARIA VARMAZIS. Online since 1997. I'm amazed that's not blinking. Yeah, yeah.


GRAHAM CLULEY. Foot lovers. I'm seeing monitor pics. Is that related to mouse?


CAROLE THERIAULT. The link is in the show notes for those that like to see it, because it's now offline right now. If you go to the site, for example, if you go to wifeposter.com, you will see their statement, which is basically saying we're not here. Now, problem number 2 then is that sites that have been around a long time that have built trust because they've been there for you day in, day out, may be hiding some nasty vulnerabilities because they're not being regularly patched, right? Even if it was state-of-the-art security at the very beginning, at the get-go, if it isn't properly managed, it goes out of date pretty quick.


MARIA VARMAZIS. Yeah, this is probably run out of some server in his basement. I mean, yeah.


CAROLE THERIAULT. So the icing on the cake here is that Robert Angelini has publicly speculated about the identity of the hacker that exposed all the data. Oh, what? He's pointed the finger at a family member, so he's actually attempting attribution. That's, that's, uh, he's been fighting with a family member for two years and he's pretty convinced they know their way around the computer. I think they might have something to do with it. So the upshot here is delete accounts on sites that are not up to date. I think that's a fair statement. Like, check those— if you've got old Friends Reunited accounts out there— is Friends Reunited still even going?


GRAHAM CLULEY. I, I don't think— I don't know if it is actually. Got acquired.


MARIA VARMAZIS. Google it, Graham.


CAROLE THERIAULT. You're very good on the Google today.


GRAHAM CLULEY. In America, they have— is it Classmates, which is like Friends Reunited, isn't it? I think Friends Reunited was a British thing.


MARIA VARMAZIS. Yeah, it doesn't— oh, right, sounds familiar.


CAROLE THERIAULT. Um, but basically there's a lot of old sites you might have been on 10 years ago that you've completely forgotten about, but those sites might still be going. Yeah.


MARIA VARMAZIS. MySpace.


CAROLE THERIAULT. And how do you even get off them if you don't even manage that email account anymore? I don't know.


GRAHAM CLULEY. Friends Reunited, Carole, is dead. It was ultimately owned by DC Thomson, who of course are the publishers of the Beano comic for kids.


CAROLE THERIAULT. Oh, there you are.


GRAHAM CLULEY. There you go. But it is now dead. Fascinating.


MARIA VARMAZIS. Those are all words. I don't know what any of that means.


GRAHAM CLULEY. To be honest, I didn't hear most of today's podcast. Rule 34 has sort of blanked out everything else.


MARIA VARMAZIS. You should now Google Goat. See, you should just break the seal and do.


GRAHAM CLULEY. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo boo to allow the hackers in. Imagine running a company, hiring new staff and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare. That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.


CAROLE THERIAULT. Hey, Clue.


GRAHAM CLULEY. Hey, Carole.


CAROLE THERIAULT. Did you listen to my little bit about MetaCompliance and their e-learning?


GRAHAM CLULEY. Oh yeah, I heard that earlier in the show. Yeah, nice one.


MARIA VARMAZIS. Did you?


CAROLE THERIAULT. Yeah. Okay, well, have you signed up yet?


GRAHAM CLULEY. Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?


CAROLE THERIAULT. Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to smashingsecurity.com, you should know that website, /meta-compliance and enter the code smashing with a G.


GRAHAM CLULEY. SmashingSecurity.com/meta-compliance, enter the code smashing. Terrific.


CAROLE THERIAULT. With a G. Cool.


GRAHAM CLULEY. And welcome back and you join us at our favorite time of the show. It's the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. The sound effect special episode. Pick of the week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Not security related necessarily.


CAROLE THERIAULT. It should definitely not be. We've done 100 of these. We know the rules now.


GRAHAM CLULEY. My pick of the week this week is a video which was put together by Wired magazine. It's rather fun. It is an interview with the former— a former CIA chief, specifically a chief of disguises.


MARIA VARMAZIS. Ooh. Huh.


GRAHAM CLULEY. Jonna Mendez.


CAROLE THERIAULT. Do you mean like disguises like what? Like I'm now dressed as a hairdresser, I'm dressed as a engineer.


GRAHAM CLULEY. Yes, or a pirate or something like that.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. You needed to disguise yourself.


MARIA VARMAZIS. Is this—


CAROLE THERIAULT. This is just in time for Halloween.


MARIA VARMAZIS. CIA experts.


CAROLE THERIAULT. Yes.


MARIA VARMAZIS. Just in time for Halloween.


CAROLE THERIAULT. This is going to make my outfit.


MARIA VARMAZIS. It.


CAROLE THERIAULT. Unguessable.


GRAHAM CLULEY. Well, Ms. Mendez will explain in this video how disguises are used by the CIA and what aspects to the deception make for an effective disguise. And so it's a cute little video, very interesting, I thought. And, um, give us a few tidbits.


CAROLE THERIAULT. Give us a few.


GRAHAM CLULEY. Well, she has a number of insights. First of all, she discusses how European and American people stand differently. So if you don't want to—


CAROLE THERIAULT. What, Americans are on one leg? Like flamingos?


MARIA VARMAZIS. Yes, flamingos.


GRAHAM CLULEY. Well, not like flamingos, but almost. Americans apparently shift their cargo over to one side and tend to lean a bit like Beyoncé on one hip.


MARIA VARMAZIS. Contrapposto, actually. It's the word. Thank you.


CAROLE THERIAULT. I didn't know that word either.


MARIA VARMAZIS. Contrapposto. It's an art word. Oh, what have you done? I'm just, I'm being defensive and American right now, okay?


GRAHAM CLULEY. Whereas Europeans apparently sort of balance between both legs.


CAROLE THERIAULT. They're just better.


GRAHAM CLULEY. Use both of them. Apparently, and I'm not so sure about this one, in the video she claims that Americans hold a cigarette between, they're like two fingers on one hand.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And she says that rather like Bond villains, Europeans hold a cigarette between their thumb and finger.


MARIA VARMAZIS. The pincer hold.


CAROLE THERIAULT. What? Maybe this is for mobsters or something.


GRAHAM CLULEY. Oh, I'll give you another one. Apparently we use knives and forks differently. So if you don't want to appear American—


CAROLE THERIAULT. Americans don't use them at all.


GRAHAM CLULEY. Yes, exactly.


MARIA VARMAZIS. Americans are like, "Yes, we do." I'm just kidding. No, this is true. We only use guns with our food. We shoot our food. We don't even bother with knives anymore.


CAROLE THERIAULT. Do you know what? In England, people regularly use knife and forks to eat a burger.


GRAHAM CLULEY. Of course.


MARIA VARMAZIS. Blasphemy.


CAROLE THERIAULT. Right? In America, you guys love eating with your hands. Sandwiches, pizza.


MARIA VARMAZIS. I personally don't, but yes, I know.


GRAHAM CLULEY. But it is true that Americans use a fork in the wrong hand, don't they? What? They do. Americans will put a fork in their right hand and then just shovel it in, shoveling the pasta or whatever. I've seen Americans do that.


MARIA VARMAZIS. I've seen you do that.


GRAHAM CLULEY. Well, yes, because I'm trying to make my North American friends feel more comfortable. I certainly was never taught to do that, and I would have been whacked for doing so.


MARIA VARMAZIS. Whacked?


GRAHAM CLULEY. Anyway, the thing is—


MARIA VARMAZIS. Whacked? Really? Rule 34 again.


CAROLE THERIAULT. Yeah, let's talk about this.


GRAHAM CLULEY. So a lot of this video appears to be about how to present yourself as not being American, which seems a little bit absurd to me, but—


MARIA VARMAZIS. You put a Canadian flag patch on your backpack. Everybody knows.


CAROLE THERIAULT. Was there any information on how to be skinnier?


GRAHAM CLULEY. Well, that's the thing. That's the thing, Carole, because she does say it's easier to make people fatter, older, and taller, but not the other way around.


CAROLE THERIAULT. Oh, okay. So there's no cool tricks about wrapping yourself in cling film or something?


GRAHAM CLULEY. I've been in disguise for a few years now. But, um, video's a little bit crazy because I do think, you know, if you're an American tourist in Europe, are you really going to go to all of these— Anyway, the most amazing thing of this whole video, and you should watch the video, is that she once wore a full face mask, Mission: Impossible style, as she briefed George H.W. Bush. And then she kind of ripped it off and went, "Haha, it's me!" And apparently he was fooled by this.


MARIA VARMAZIS. Did he choke on his pretzel when this happened? Yeah.


GRAHAM CLULEY. So anyway, check it out. Interesting video. And if you ever do need to disguise yourself or do the quick change, which is the other thing if you can quickly dramatically change your appearance within like 20 or 30 seconds.


CAROLE THERIAULT. What would you do, Graham?


GRAHAM CLULEY. That can be a useful thing if you're being tailed.


MARIA VARMAZIS. Breakaway pants.


CAROLE THERIAULT. He's suddenly in Speedos, covered in sun cream.


MARIA VARMAZIS. Everybody needs breakaway pants.


GRAHAM CLULEY. That is my pick of the week.


CAROLE THERIAULT. Maria, what is your pick of the week?


MARIA VARMAZIS. My pick of the week is The Good Place, which is a TV show in the States that you may have heard of, you may not have, I don't know. Controversial.


CAROLE THERIAULT. Okay, keep going, keep going.


MARIA VARMAZIS. Really, why is that controversial?


CAROLE THERIAULT. Let's talk about it first, then I'll tell you.


MARIA VARMAZIS. Well, it's a show that I can't give too much away about plot-wise because I don't wanna ruin it for people who haven't seen it, but I don't generally watch network TV in the States, it's just not, none of it really appeals to me that much, and this is my exception.


GRAHAM CLULEY. I don't watch it.


MARIA VARMAZIS. I don't. I don't. What just happened?


CAROLE THERIAULT. I think he's having a heart attack.


MARIA VARMAZIS. Are you okay?


GRAHAM CLULEY. So I've seen the trailer, and that does give away a fair bit of the plot. I think you could probably explain the premise of the show.


MARIA VARMAZIS. Yeah, it's a show about heaven and hell, and about what it means to be a good person, which sounds really, really dull. But it generally, um, it's a comedy, isn't it? It is a comedy. It is really, really— it is really quite funny. It's like funny in a cutesy way, I guess. Um, and yeah, they, they— the, the writers of the show dive deep into a lot of like philosophy stuff, like college-level philosophy, I suppose. Uh, and they had a— they had an episode that won a Hugo in season 2 about the trolley problem, the ethics— the ethical trolley problem. It was a fantastic episode. So the trolley— Yeah, so you're the conductor on a train. You don't know this, Graham? Really?


GRAHAM CLULEY. I was thinking of shopping trolleys.


MARIA VARMAZIS. No, no, no.


GRAHAM CLULEY. You mean the thing where you can redirect the train down different paths and kill one person? Yes, yes.


MARIA VARMAZIS. One person or three people die. Which one do you choose, right?


GRAHAM CLULEY. When you say trolley problem, I'm imagining a shopping trolley with a wonky wheel.


MARIA VARMAZIS. That is a trolley problem.


GRAHAM CLULEY. Right.


MARIA VARMAZIS. Yeah, that is quite a trolley problem.


GRAHAM CLULEY. People don't normally die. Now, this show stars the guy from Cheers and Three Men and a Baby, doesn't it?


CAROLE THERIAULT. Yeah, Ted Danson. Ted Danson.


MARIA VARMAZIS. Does, and, but the other folks on the show are all really great. So it's the only show that I tune into every week that, you know. See, I'm fascinated.


CAROLE THERIAULT. So I'm like meh on it.


MARIA VARMAZIS. How much have you seen?


CAROLE THERIAULT. I've tried it. I think I watched most of the first season.


MARIA VARMAZIS. I tried. You didn't finish the first season. You need to finish the first season. That's the thing everybody says.


CAROLE THERIAULT. I do know the end. I do know the twist. I just, I don't know. I just found it a bit too candy flossy, a little bit. I know it's part of its shtick.


MARIA VARMAZIS. That is part of the shtick.


CAROLE THERIAULT. I found it irritating, for me.


MARIA VARMAZIS. It does change a little bit in season 2 once the twist is revealed. And I feel like I just ruined the show. But that is a bit part of the shtick. I think part of the appeal, especially for those of us in the States, is it is completely apolitical. So it's kind of a nice departure from the normal drumbeat of dread that surrounds a lot of books. That I can appreciate. Yeah, yeah. So it is, it is, it is.


GRAHAM CLULEY. Does Rule 34 apply to The Good Place?


MARIA VARMAZIS. It absolutely does. That is, that is the twist. Of course it does. I'm, I'm 100% sure that the porn has been written. Not only— well, in the last episode, one of the stars of the show, he took his shirt off and the Twitter went alight about how ripped he was.


GRAHAM CLULEY. So are people shipping Ted Danson?


MARIA VARMAZIS. I'm sure they are. I don't look this up, I'm just sure they are.


CAROLE THERIAULT. You guys live in a different world. I'm just going la la la la la, that doesn't happen in my world, la la la.


MARIA VARMAZIS. Well, if you live on the internet as I do, I just don't go looking around in the deep dark recesses.


GRAHAM CLULEY. Oh, okay, so it finds you sometimes. You don't rate it great, but Maria says it's fab.


CAROLE THERIAULT. I didn't hate it. I'm not— I'd maybe give it like a 5 out of 10, 6 out of 10 for me. For me.


MARIA VARMAZIS. Uh, okay, fair, fair enough. This is probably the most mainstreamy one I've ever recommended.


GRAHAM CLULEY. Says the woman who recommended the Star Trek Enterprise laptop. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, so do you ever get irritated by like all the screens that are around? Like you're on an airplane. I hate it. There are screens, right? There are screens in waiting rooms, televisions in sports bars, hotel lobbies, everywhere. And it gets annoying. So this guy's got around it by creating this thing called IRL glasses, or in real life glasses, effectively sunglasses that block the light emitted from screens.


MARIA VARMAZIS. A polarizing lens. That's literally what it is.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay, don't be all snooty, guys.


MARIA VARMAZIS. I'm shitting on this because this has been known technology for a while, so there. Okay, I don't want, can I start again and everyone just cheer the fuck up?


CAROLE THERIAULT. I don't like where this is going. You guys are just fucking crazy. What is going on today?


MARIA VARMAZIS. I have not had enough coffee is the problem. Okay, I'm starting again.


CAROLE THERIAULT. Shut up, both of you.


MARIA VARMAZIS. Be nice.


CAROLE THERIAULT. Look, he put them on glasses. Cool idea, right?


MARIA VARMAZIS. Cool idea. You guys, the fuck is making me laugh?


GRAHAM CLULEY. Okay, Carole, you do it.


CAROLE THERIAULT. No, I don't want to do it now. I don't want to.


MARIA VARMAZIS. So this dude pastes two polarized lenses to his eyes and he sells them for an obscene amount of money. That's a great pick of the week.


CAROLE THERIAULT. But I'm just thinking this could be a really good Christmas gift for my mom, right? So my dad loves watching action films really late at night. Really gritty detective stuff, that sort of stuff. Mom has trained him, right, to use headphones so the noise doesn't bug her while she's doing her reading. But still, she hates sitting in the same room because all the whiz-bang stuff. But then of course she has to read with sunglasses, which poses a whole new—


MARIA VARMAZIS. Yes, polarizing lens. They're very, very dark. I mean, anyone who's used a camera with a lens on it, like proper old school style, like they're, they're quite dark. They make the sky look nice and blue. It's nice, beautiful, nice scene.


CAROLE THERIAULT. Right, but if you had limited lighting in a room, it wouldn't work.


MARIA VARMAZIS. Yeah, it wouldn't work. Don't ruin it. You'll still see the reflected light on your pages from the TV, so if it's lots of whiz-bang stuff, as you say, you're gonna have explosions on your pages.


CAROLE THERIAULT. Oh, okay, back to the drawing board.


MARIA VARMAZIS. Yeah, yeah. I just wish people would just turn the damn things off.


GRAHAM CLULEY. I don't know.


CAROLE THERIAULT. Oh, I agree.


MARIA VARMAZIS. That's an easier solution.


CAROLE THERIAULT. I agree, but they don't, right? I imagine many first dates are just destroyed by someone just looking at the TV and the other person looking at the person going, seriously?


GRAHAM CLULEY. No, many first dates are ruined by the fact that you're there delivering pizza and it turns out he's trying to rob you instead of having a date. That's what goes wrong, Carole, these days.


MARIA VARMAZIS. And we've come through a circle.


GRAHAM CLULEY. See, that's how you wrap up a show.


CAROLE THERIAULT. That was so bad.


GRAHAM CLULEY. And on that incredibly smooth transition, I—


CAROLE THERIAULT. Wow. Do you really want me to include that?


GRAHAM CLULEY. So, Maria, Maria, if people want to follow you online, what's the best way to do that?


MARIA VARMAZIS. Follow me on Twitter, even though my story was about how bad Twitter is. Follow me on Twitter anyway. M-V-A-R-M-A-Z-I-S is my handle, @mvarmazis. You can find—


GRAHAM CLULEY. And you can also follow us on Twitter as well, @SmashinSecurity, no G. Twitter won't allow us to have a G. And you can check out our online store where we got some t-shirts, stickers, and a range of mugs as well at smashingsecurity.com/store. Thank you for tuning in. If you like the show, rate us on Apple Podcasts, tell your friends, and subscribe.


CAROLE THERIAULT. It really helps, guys. Please do.


GRAHAM CLULEY. It really does. So until next time, cheerio. Bye-bye.


MARIA VARMAZIS. Bye.


CAROLE THERIAULT. Bye.


MARIA VARMAZIS. Holy mother God, I'm sorry. I had to mute myself at a point. I was like, I can't stop laughing.

-- TRANSCRIPT ENDS --