This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Jenny Radcliffe
Honestly, he'd been running it for years, selling them from his space on the shop floor, and he only found out because one day someone smelt it and not one of his colleagues would grass him up.
Unknown
Smashing Security, episode 112: Payroll scams, gold coin heists, web giants spanked with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 112. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
And we're joined today by a special guest, someone who's new to the show.
Carole Theriault
Brand new.
Graham Cluley
It's Jenny Radcliffe. Hello, Jenny.
Jenny Radcliffe
Hi guys. Yay. Pleased to be here.
Graham Cluley
Now Jenny, if anyone out there doesn't know you, and shame on them, what do you do and why are you here and why were you born?
Carole Theriault
Is that what you're asking her?
Jenny Radcliffe
Jeez. So yeah, so I'm a social engineer. I do lots of talks on the topic, People Hacker on social media, and podcast, fellow podcaster.
Graham Cluley
Yes, you do the Human Factor podcast, don't you?
Jenny Radcliffe
The thing is, everybody has a podcast these days.
Graham Cluley
Exactly. Yes, exactly. And everyone also has a Reddit page. Well, we do now. And this is something we wanted to quickly plug. If people want to go and follow us on Reddit, they can now join in conversation and chat with the hosts.
Carole Theriault
In other words, let me translate for Graham.
Graham Cluley
Yes, please do.
Carole Theriault
Graham is spending a lot of time on Reddit and he's lonely. If you want to go spend some time with Graham, go to the Smashing Security sub and hang out with Graham, especially if you want to talk about chess or Doctor Who.
Graham Cluley
No, I'm doing that in the Smashing Security post. Anyway, the quick URL for it is smashingsecurity.com/reddit, and later in the show we'll also be telling you all about how to find The Human Factor as well and subscribe to that. So Carole, what have we got coming up on the show this week?
Carole Theriault
We've got a pretty interesting lineup this week. Graham, you are talking about new types of scams where hackers get on the payroll. Jenny has this wacky story about how a ginormous gold coin was stolen and it all used human hacking to do it. And I talk about the most fun topic of all, GDPR and fines. No, I'm not kidding. And I promise I make it interesting. All this and more coming up on Smashing Security.
Graham Cluley
Recorded Future believes that every security team can benefit from checking out their free Threat Intelligence Handbook, which offers practical steps for applying threat intelligence in any organization. For anyone who is baffled by threat intelligence and the benefits it can bring to your company, this is the book for you. It's an easy-to-read guide. It'll help you understand why threat intelligence is an essential part of every organization's defense against the latest cyber attacks. Download your free copy now by visiting smashingsecurity.com/intelligence.
Carole Theriault
Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL: lastpass.com/smashing. God, I find that so hard to say. LastPass.com/smashing. Here you can learn all about what password managers can do for your firm. You can download a Forrester report all about the topic, and you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, then put on your digital skates and slide on over to LastPass.com/smashing. I use them, I heart them, so you should check them out. On with the show.
Graham Cluley
Now, chaps, I wanted to know from you, have you ever had a boss from hell?
Carole Theriault
Yes. Many times.
Graham Cluley
Well, I used to be your boss, Carole, so you've had some fantastic bosses as well, haven't you?
Carole Theriault
I have had one or two amazing bosses.
Graham Cluley
Any who particularly stood out as being good?
Carole Theriault
One was Swedish who liked to spend time in saunas. Do you remember him?
Graham Cluley
Yes, I do. It was great.
Jenny Radcliffe
I've had horrible bosses.
Graham Cluley
Have you?
Jenny Radcliffe
In fact, it's one of the reasons I don't have a boss anymore.
Carole Theriault
Yes, hear, hear to that.
Jenny Radcliffe
Yeah, I mean, I have some nice bosses as well. You know.
Graham Cluley
Well, there are bosses out there who it's very difficult to say no to. They just won't accept it, will they? If they want something done, then you've got to do it and you almost live in fear of them. And this is something, of course, which scammers take advantage of via business email compromise, where someone forges your boss's email address, or worse, has actually managed to compromise your boss's email account. And they might send you a fraudulent message, maybe asking you to transfer money into a bank account under a hacker's control, or forward sensitive information. We talked about this, if you remember, in episode 104, where we described how the Netherlands branch of the Pathé cinema chain, they got scammed out of millions.
Carole Theriault
Oh yeah. That was a great story.
Graham Cluley
That one. Over and over again, they were scammed thinking their boss was telling them to move money because of a business deal, and they kept going on doing it and they never checked with the boss face to face. So that is something which can be a problem. There are giveaways, of course. Sometimes if a boss suddenly begins to say please and thank you, that can be a clue that it isn't your real boss because they're speaking in an unusual or different way, right? That's one of the giveaway signs. So work can be pretty stressful and a boss from hell can make it pretty stressful as well, I think. But so is buying a house, right? That's another stressful thing which happens to you. I know houses I've bought in the past, you know, solicitors have left for 6 weeks on an unexpected skiing trip without warning me, or real estate agents, you know, they're all fairly sort of vile and slimy anyway, aren't they?
Carole Theriault
I'm so trying to figure out where you're going with this. You've talked about evil bosses.
Graham Cluley
Yes.
Carole Theriault
And now you're talking about house buying. I'm just trying to preempt you, but I can't.
Graham Cluley
Well, the thing is that the bad guys can pretend to be a boss. They could also pretend to be an estate agent.
Carole Theriault
Yeah.
Graham Cluley
Or a solicitor. Now, the process of buying a house, certainly in our country, is protracted enough and painful enough. The last thing you want is a scammer getting involved in the process, which they sometimes do. Increasingly, estate agents are, for instance, getting targeted by the scammers. And what they will do is they will pretend to be either the purchaser or the solicitor. And they say, just so you know, just before the purchase goes through, we've changed our bank account details. So when the big walloping sum of money comes through, put it into this account rather than the one we may have told you about in the past.
Carole Theriault
Oh yeah, that's not suspicious. Well, you have to be a pretty small firm not to go, hmm.
Graham Cluley
It happens an incredibly large amount. You know, millions have been lost.
Jenny Radcliffe
But here's the thing, here's the thing with something like that. When you're in the middle of that stressful situation and a problem appears, you know, one of the things we do in social engineering is we present the target with an easy way out. And if the easy way out is, look, it's very simple, just change the bank account and that's that, they probably— your decision-making capacity is very low when you're emotional.
Graham Cluley
Right.
Jenny Radcliffe
So I can totally see how that would work.
Graham Cluley
And this, like the boss one, is really all about social engineering, isn't it? Either it's done on the phone or it's done via an email, a hacked email address, but the outcome is the same. Money ends up in the wrong bank account.
Carole Theriault
And someone's been seriously duped.
Graham Cluley
Right. Now, there are other ways in which these kind of scams can happen. One that we see is that the bad guys will pretend to be one of a company's many suppliers. So you may have a big company with many contractors and firms working for you, working on big, big projects. And what the scammers will do is they will break into an email account. They may observe what projects you're working on, and they will then create almost like a bogus company with a bogus bank account in the name of that company. And they will actually send an invoice to your accounts department for a project that they know has just completed because they've been observing the emails.
Carole Theriault
Sneaky, sneaky.
Graham Cluley
Well, companies have lost tens of millions through exactly this kind of scam.
Carole Theriault
Again, because they're idiots.
Graham Cluley
Well, oh, that's nice, isn't it, Carole? Just call them idiots.
Carole Theriault
Well, maybe they should just keep better logs so they can keep track of their money trails.
Graham Cluley
Yeah, but this is a real thing which is being paid for, right? A project which has happened. You are expecting an invoice to come in. And even if the finance department contacted the individual in charge of the project and said, can you confirm that Project Moon Landing has occurred?
Carole Theriault
And they'd have a PO number. There'd be a PO number if they hacked into the email, so they'd even know that number.
Jenny Radcliffe
Yeah, it's not that a mark is ever stupid necessarily. I think one of the things that's really starting to annoy me in the security industry is people saying how these attacks are not very sophisticated and that people fall for them because they're dopey or they're not very clever. If the take is of a decent size, it's really worth executing that con very well. And so, spend a lot of time and effort making things look convincing, making sure that you hit the right kind of timings. The observation stage of any con is the longest stage. We spend longer on that than execution, much more than a lot of more basic cons, because yeah, you can always play the percentages on the smaller ones, but the bigger ones that you're talking about, those tens of millions, it needs more time and elegance. Elegance is what I keep telling people. There's no elegance in this.
Graham Cluley
Right.
Carole Theriault
Scammers hacked into his email and sent him bogus bills. His business nearly lost more than $300,000. As Pam Zechman reports, the FBI believes this scam is growing and costing U.S. businesses billions. I'm in trouble. How bad was the trouble? The trouble was very bad. Amit Diamond imports metal cutting machinery from Taiwan.
Graham Cluley
His email system was apparently hacked by scammers who monitor business emails and then redirect payments. So that's another way in which the bad guys can get your money. Now, what I want to talk to you about this week is a different way in which this similar kind of thing can happen. And what can happen is the fraudsters can actually get themselves onto the payroll of your company.
Carole Theriault
Shut the front door.
Graham Cluley
So it's like they've been hired by you as a permanent employee. This can happen in a number of ways. One way is they can target the email account of one of your employees. And we've got some examples which we'll link to from a company called Agari. Agari? I'm not sure how you say it, but anyway, Agari. Hello, Gary. Anyway, so Agari, they've done some research into this and they've actually included some screenshots and things of exactly these kind of emails being sent to HR departments, claiming to come from an employee saying, "I've recently changed banks. I'd like to change my direct deposit details to my new account. Can you sort this out for me?"
Carole Theriault
Yeah.
Graham Cluley
They will send that through, you know, just as a PDF or something, say, "Here you go, here are the details," and the HR department will just update their database. But the other challenge is that many companies these days have a sort of self-service system where you can log into your own company intranet and maybe change your own payment details. Because why would you need to speak to HR to do that? Why can't they trust you? So a lack of proper authentication there can mean that your employees log in, or someone posing as your employee logs in and changes their details. And it may again take weeks or even months before someone notices they haven't been paid. You know, depends on who they are.
Carole Theriault
Has anyone fallen for this? Have you seen any stories where someone's actually been duped by this and not gotten their salary and gone, "Hey guys, I think you owe me my salary?"
Graham Cluley
So that's what Agari are talking about and that they're linking to, and they've come across examples of this and they also postulate, and I'm unclear whether they're saying this has actually happened or not, but that they were clearly thinking about what the next generation of these kind of attacks are. See, the challenge is with what I've just described, obviously people are going to notice if they don't get paid, whether you're in the US government shutdown.
Jenny Radcliffe
Yeah.
Graham Cluley
Or, you know.
Carole Theriault
Yeah, they're noticing every single day, I bet.
Graham Cluley
Most people are going to notice at the end of the month if their salary hasn't arrived. It may be too late for that month, but it's not an ongoing campaign. It's also something which would be hard for a scammer to do multiple times inside the same company, although they might do it in multiple companies to, you know, one or two people in lots and lots of companies.
Carole Theriault
Yeah, I don't know if you could do this at scale. I don't know.
Jenny Radcliffe
It sounds risky. Yeah, it sounds like a lot of contact.
Carole Theriault
Yeah, a lot of contact, a lot of legwork for one payment really that might work.
Graham Cluley
Yes, but more payments than maybe the typical scam.
Carole Theriault
It depends, I guess, who you manage to get, right?
Graham Cluley
Exactly. You know, maybe you get more if you target someone who's C-level, for instance.
Carole Theriault
Didn't we have a boss once who went to a younger employee and showed— went up to her with his P45 because he was obviously quite well paid. He was a big VP. And he kind of said, "Oh, look, my taxes are higher than your salary."
Graham Cluley
He goes, "Isn't this disgraceful? Look how much tax I have to pay. That's more than you get paid a year."
Jenny Radcliffe
Sounds lovely.
Graham Cluley
Yeah.
Carole Theriault
So not all bosses are great.
Graham Cluley
No, he was pretty rubbish, wasn't he? But anyway, the next scale of attack. So I've just mentioned that, but Agari security chaps, they are talking about fictional phantom workers. So they're postulating that maybe you could actually get someone on the books of HR who doesn't actually exist in the company. So if you have a big enough organisation using hacked emails—
Carole Theriault
Have you seen Frank? I've never said— you seen Frank, the big guy?
Jenny Radcliffe
I think this is entirely possible. I've worked for companies who were paying people who were dead, who were paying people who'd retired. It just— they just forgot to take them off the payroll. And that— now that is dozy, right? That is stupid.
Graham Cluley
No, there's a difference between— there's a difference between being dozy and being dead, Jennifer. I mean, if you prod someone enough times, you should be able to— it reminds me a little bit of that, do you remember that Michael J. Fox movie? This is really going to date me. The Secret of Success, where he starts in the mailroom and he finds— it's probably about 9 years ago.
Carole Theriault
I've totally seen this, but it's a long time ago.
Graham Cluley
It's a long time ago. It had music by Yello, "oh yeah," and all that. Anyway, it was great. He finds an empty office and he basically sort of moves into it. And just through using the same kind of techniques that you probably use, Jenny, to break into companies and find their weaknesses, everyone assumed he was quite high up in the company. Put a name on the door, started telling people to do things, soon had a secretary and built himself up and complained to HR his salary wasn't arriving. Everyone, just because of his sheer brass, he got away with it. And I think that would be this kind of attack as well. I don't know if it's happened, but you can imagine in particularly large disorganised organisations, it might be possible to actually get a fake person on the books who gets paid automatically every month, and the money goes straight to the scammers.
Jenny Radcliffe
I worked for one company and I noticed a health and safety violation. There was quite a big one. There was an obviously heavily pregnant girl, young woman, lifting a heavy crate. It was when I worked in factories. And so I went and reported to the head of the factory. He said, well, who's their boss? I said, well, I don't know. It's not me. I'm head of operations. Not me. Is it you? No. I said, well, who is it? Well, nobody could find out. Nobody knew who she reported to. She didn't know who she reported to. And so nobody— there was no one to blame for the fact that she clearly hadn't had the training in health and safety. Nobody really knew anything about her. And actually, I'm not sure how that panned out. I know she disappeared. Yeah, but I'm not sure how it panned out. But I've worked for companies of that kind of size and complexity that there was all kinds of stuff going on that people didn't know about. Lots of scams that we uncovered. Someone who was making bacon sandwiches and selling them from the factory floor, nobody knew about that. False walls in warehouses. I mean, if physically you can hide people and bacon sandwich factories and parts warehouses.
Carole Theriault
Bacon sandwich factories.
Jenny Radcliffe
I'm sure they're virtually—
Carole Theriault
Pigs are stuffed into the locker rooms.
Jenny Radcliffe
Honestly, he'd been running it for years, selling them from his space on the shop floor, and he only found out because one day someone smelt it and not one of his colleagues would grass him up.
Graham Cluley
Well, no, it's bacon sandwiches. You wouldn't, would you?
Jenny Radcliffe
Because they were cheap.
Graham Cluley
Well, we have to move on, Jenny, but this pregnant woman who said, oh, I don't know who my boss is, and no one else seemed to know. Is it possible she was actually a thief and she wasn't pregnant? She just had a monitor stuffed up the front of her jersey and was pinching it. And maybe she was being brassy, maybe she was claiming, oh yes, could you help me lift this thing into the back of my car? And off she would go.
Jenny Radcliffe
I'd love to think that that was the case and that I missed a fellow social engineer in full flow, but I really don't know.
Carole Theriault
Like ships in the night.
Graham Cluley
Yeah.
Jenny Radcliffe
Yeah. If that's true and you're listening to this, do contact me and tell me, because, you know, I'd give you an interview on my show.
Graham Cluley
Jenny, what have you got for us this week?
Jenny Radcliffe
Oh, so I love, love this story. I am talking about the giant gold coin theft in Berlin.
Carole Theriault
I don't know anything about this, okay?
Graham Cluley
I haven't heard about this. What happened?
Jenny Radcliffe
Oh God, this is so good. So this week, 4 men have gone on trial because in 2017, 4 miscreants managed to break into the Bode Museum in Berlin and steal the biggest ever legal tender coin, which was solid gold. It was worth €3.75 million.
Carole Theriault
So bring that down the chippy.
Jenny Radcliffe
The size of a car tire.
Graham Cluley
Buy you a lot of bacon sandwiches.
Carole Theriault
How do you lift that? You just roll it down the road?
Jenny Radcliffe
So you roll it. That's why, you know, human ingenuity, drain covers and things are round so you can roll them, right? You don't have to lift it. Anyway, it's the size of a tire, it weighs 100 kilos, and they stole it. And I just love this story. So there's so many elements. They wheeled the coin through the museum on a rollerboard, right? Smashed through a bulletproof cabinet, and then they used a rope and a wheelbarrow to transport it across the railway tracks, through a park, to a getaway car. But it stuns everyone, right? It's actually a Canadian legal tender. But I love this line in the article which I sent you the link for that I'm sure you'll post, but it says it stunned the German public, not least because of its audacity and old-fashioned simplicity and the fact that no alarms have been triggered. Well, it turns out that no alarms have been triggered because just weeks before one of their oldest friends from school started work as a contract security guard.
Graham Cluley
Oh, fancy that.
Carole Theriault
Insider.
Graham Cluley
Pure coincidence.
Jenny Radcliffe
I love it. They're looking at 10 years, but I mean, I love it because it's pure social engineering. It's old-fashioned sort of heist, the type of stuff that I do legally. Obviously, we replicate. Just how theatrical and wonderful is that? But they got caught, so.
Carole Theriault
Yeah, it's amazing to think that they thought they could get away with it.
Jenny Radcliffe
Well, if it hadn't been for them pesky German authorities.
Carole Theriault
Yeah, yeah. Wheelbarrow, love it.
Graham Cluley
Oh yeah, any crime committed with a wheelbarrow. So this is legal tender in Canada?
Carole Theriault
Yeah, you just got to get it there, apparently.
Graham Cluley
That's what I'm thinking is you'd have to check it into the plane, wouldn't you?
Carole Theriault
You're a pretty good swimmer, Graham, actually. You could probably just, you know, backpack it.
Jenny Radcliffe
It seems that it was made to break the record for the largest ever legal tender. I don't know whether that's largest physically or just in amount, because, you know, it could be both.
Graham Cluley
But what do you do with it? Well, I mean, you can't buy it.
Carole Theriault
You roll it in, you roll it into a real estate agent's, right?
Jenny Radcliffe
No, no, I mean, it's obviously been melted down and sold on. I mean, you need a fence, Graham, come on.
Graham Cluley
Right, I suppose so. Yeah, if you tried to get in a cab with it, it'd say, 'I haven't got change for that,' wouldn't it?
Jenny Radcliffe
It wouldn't be. But it was hidden in the wheelbarrow.
Graham Cluley
Who knew? Carole, what's your story for us this week?
Carole Theriault
So reading recent tech headlines, it certainly seems like the internet giants are having a bit of a comeuppance in 2019. And we are lucky enough to have a back row seat. We don't have a full picture of what's going on, but some of the information is making its way downstream to us mere users. And I wanted to speculate with you guys, do we think the actions we're going to talk about here are going to make any difference? In other words, are Facebook or Google going to mend their ways?
Graham Cluley
I've got a theory already, but let's hear what's happening to them.
Carole Theriault
So this week we saw France's data protection regulator, CNIL, get it?
Graham Cluley
As in senile.
Carole Theriault
Aha. I don't know if you're supposed to say CNIL or not. Anyway, CNIL, we're going to call it that, issued Google with a €50 million fine. So that's just shy of $60 million US for failing to comply with the EU's General Data Protection Laws, also known as GDPR. This is the first GDPR fine that has at least 7 zeros.
Graham Cluley
Thankfully, it's not just zeros. There's a non-zero at the front, right?
Carole Theriault
So other ones have included a Portuguese hospital, which was fined €400 grand after its staff used bogus accounts to access patient records. We've had €20,000 being fined to a German social media and chat service for storing social media passwords in plain text. And there's even a small Austrian business that was fined 5 grand in October for having a security camera that was filming a public space. I know, I'm surprised that fits in under GDPR, but there you are.
Graham Cluley
Yeah.
Carole Theriault
Data protection regulator CNIL stated that Google failed to provide enough information to users about its data consent policy. And didn't give them enough control over how their information was used. So just to reiterate, under GDPR, companies are required to gain a user's genuine consent for collecting information, which means making consent an explicit opt-in process that's easy for people to go, right? Now GDPR fines can be set as high as 4% of a company's annual turnover. Okay, not profit. So Google, or parent company Alphabet, reported revenues of $33.7 billion last summer in 3 months alone. And that was up 21% from the previous summer.
Graham Cluley
Not bad.
Carole Theriault
Let's extrapolate and do a little math here, Graham. Math.
Graham Cluley
Maths.
Jenny Radcliffe
Maths.
Carole Theriault
Oh, I'm outnumbered.
Jenny Radcliffe
Maths.
Carole Theriault
So let's say Google are raking in about $100 billion a year, right? So if they're making 30, yeah, right, $100 billion a year, it's probably $120, but let's say $100 billion a year, that 4% fine would be $4 billion.
Graham Cluley
$4 billion. Yes, absolutely. Well done. Yes, this is good. Easy so far.
Carole Theriault
So while this current GDPR fine of $50 million sounds impressive, it's a bit like having $100 and someone fining you 5 cents for flagrantly ignoring the rules.
Graham Cluley
Yes, it's not— well, yes, it's not a huge— yes, you're right. Yeah.
Carole Theriault
For us, for users, it sounds huge, right? It sounds really impressive. But really, in the grand scheme of things, from their point of view, this is probably less than they pay their lawyers in a year.
Jenny Radcliffe
It's probably less than they spend on sugar lumps in a year.
Graham Cluley
I do seem to remember reading a story which said that Facebook and Google had lost $100 million to business email compromise scammers in the last few years. So you're quite right to say that this is something they can probably deal with quite easily.
Carole Theriault
What was interesting is when I was researching the story, I decided to go and use a rarely used browser this morning to do a bit of Google News searching. And I was presented with this pop-up, which said, basically, it's a data protection law alert. And it was warning me of my settings and checking whether I was still cool with them. So I don't know if this is a response, because obviously I'm based in Europe, to this fining in this case. But it's interesting, it just popped up this morning.
Graham Cluley
Even though it may be a relatively small percentage, no one wants to keep on getting fined, do they? And the fine might, of course, escalate over time. So I think they want to be seen at least to be warning people, go and approve our data policy, which of course they know hardly anyone's going to read.
Carole Theriault
So this is France bringing this fine, this is CNIL bringing the fine to Google.
Graham Cluley
We?
Carole Theriault
Presumably other EU countries can do the same thing.
Graham Cluley
Yes.
Carole Theriault
You know, where does the money go? The money goes to France's data protection regulator. Does it go to the EU? So I don't know that.
Graham Cluley
Oh, I see. So what you're saying is France has had a go and presumably they get the money. But, or—
Carole Theriault
And wouldn't that encourage other, you know, Greece?
Graham Cluley
27 other countries. Greece, yes.
Carole Theriault
Spain.
Graham Cluley
That's a good one. I think Britain might want to get in quickly, actually.
Jenny Radcliffe
I was just thinking that.
Carole Theriault
TikTok Britain.
Graham Cluley
We could do with some cash.
Jenny Radcliffe
There you've seen an answer.
Carole Theriault
Across the pond to the US of A, we are seeing social networking platform Facebook in the FTC hot seat. According to The New York Times, there are 5 commissioners that have been assigned to look into whether Facebook violated the binding user privacy agreements during the Cambridge Analytica scandal. FYI, guys, I say they did.
Jenny Radcliffe
Yes, she said that. I never said that.
Carole Theriault
Now, and there are rumors that the ICO may be planning to issue a record-setting fine. Now, in theory, the FTC could fine Facebook up to $40,000 per violation, though considering there are millions and millions of users affected by this breach, that would run into the trillions and not be viable. Could you imagine a world without Facebook?
Graham Cluley
Go on, do it!
Carole Theriault
Plunk, flush, Facebook!
Graham Cluley
Oh, that'd be so awesome, wouldn't it? You know what, if they did that, everyone in Europe would end up, we'd be like Arabian oil magnates. Imagine the money flooding into Europe if we could fine 40%—
Carole Theriault
This is the FTC. This is in the US.
Graham Cluley
Oh, okay. Well, anyway, they could be really rich as well. That's terrific.
Jenny Radcliffe
That's right. But as soon as it gets to those sort of levels, counterarguments are going to come in that this is now part of society. This is something that people rely on. And also it's sort of anti-business. And I mean, right at the beginning of the— I can't even bear talking. I can't believe you've got me talking about GDPR. But right at the beginning of it, I mean, you so owe me drinks now because I just don't talk about it and it's too early for me to actually drink. If this was my podcast, I'd have a drink if someone mentions this. But back in the early days—
Carole Theriault
What is your— what is your problem? What is your problem with GDPR?
Jenny Radcliffe
Because it's boring, Carole.
Carole Theriault
Oh, I don't find data privacy boring.
Jenny Radcliffe
Well, that's lovely.
Graham Cluley
Well, it's—
Jenny Radcliffe
Your story is exciting, and I hate to bring
Graham Cluley
No, no, you go ahead, Jenny. I think I like this. Let's have a big cat fight.
Jenny Radcliffe
hostility into the proceedings. I'm not talking about you. You have to take a drink if you may. I've interviewed privacy professionals who are not allowed to say a friend of mine said to me, there will be a huge case, a huge case, and it'll involve one of the giants. Don't make it all about you. And when that happens, it'll be the lawyer train, and it'll go on so long, and so much will happen during that process that whatever starts, it's going to be irrelevant by the end. And I think they're probably right, because you've got companies like Facebook that've got so much money to drag it out, to argue it, to lobby appeals. That it won't be as straightforward as perhaps some of us would like to see, to sort of show that this is actually a serious thing. And I am joking with you, Carole, but that it's a serious thing that does need taken seriously.
Carole Theriault
I don't, and I think my story is being exciting. Yeah, no, I agree. And GDPR does sound very dull, I agree. But as we'll see, maybe we're in a much better state than some of the Americas, for example, in terms of what—
Graham Cluley
If I was making GDPR the action movie, you know, with Bruce Willis and Arnold Schwarzenegger and all that, really trying to make it dramatic in order to keep everyone interested in the subject of GDPR. Well, I was just thinking the final twist at the end, you know, that moment in Seven when he opens the box and he realizes it's Gwyneth Paltrow's head or something like that. The final twist at the end would be that some scammers, just as Facebook is transferring the $300 trillion—
Carole Theriault
They change the bank account.
Graham Cluley
Exactly. Someone comes in and goes, oh, hello, we are the French people. We are from CNIL. We would like you to know that we have changed our bank account details. And Zuckerberg, he's got his finger over the enter button. He clicks and the money goes in the wrong account. They say, haha, you've got to pay again, buddy. You just gave it to the baddies.
Jenny Radcliffe
Or they divide it between all of the users and we all get a check.
Graham Cluley
We should write movies, you and me, Jen. We don't need to do podcasting.
Carole Theriault
No, no, I think you both should. I can't wait to see them. They sound great. So my question is, would we agree that these fines aren't necessarily going to have any financial impact on these giants? Do we feel that these companies are too fat and powerful to regulate or not? Because what's stopping them? They've had carte blanche. They haven't had any legislation. And it turns out that they've not necessarily behaved very well with our user data.
Graham Cluley
Well, how big do you think the fine should be?
Carole Theriault
Well, maybe it's legislation and not fines that has to happen.
Jenny Radcliffe
Exactly. This is completely not what we would do if we were trying to take someone down. You don't hit them in a place where they're not vulnerable. They're not vulnerable financially. You're not going to wipe them out.
Carole Theriault
I would force them to help create the policies and the legislation that needs to take place in order to protect user privacy. And they're not going to behave on their own, right? So you need to get legislators. And I guess the legislator's arm at the moment is financial. It's a fine, right? But they have been taking the piss. And so I say maybe we should support local legislators that are willing to tackle these giants because there's a few in the States, there's a few here in the UK. And maybe it's time for them to pay the piper. And maybe that is legislation, not fines.
Jenny Radcliffe
I think it's a start.
Carole Theriault
Yeah, it is a good start.
Jenny Radcliffe
I agree too.
Carole Theriault
I think it is a good start.
Graham Cluley
Well, I think if any of our listeners have thought of alternative ways in which we could punish tech companies for being sloppy with our data, they should let us know either by dropping us a line at or on our Twitter or on our Reddit as well. It'd be great to hear from you.
Carole Theriault
I'd love to hear. And you see, this is why I do GDPR, because now Pick of the Week is so much more exciting.
Jenny Radcliffe
You do realize I'm keeping a tally. That's 8 drinks between you and me.
Carole Theriault
That's easy. I can do that. And welcome back. Can you join us for our favourite part of the show? Pick of the Week.
Jenny Radcliffe
I'm sorry, was I supposed to say it too?
Graham Cluley
Oh, it's like that, is it?
Jenny Radcliffe
Okay. Pick of the Week. Thank you. So Pick of the Week is the part of the show where everyone chooses something they like.
Graham Cluley
It doesn't have to be security-related necessarily.
Carole Theriault
No, it definitely should not be.
Graham Cluley
Well, mine is not security-related this week.
Jenny Radcliffe
Good.
Graham Cluley
This weekend I sat down with my little son and we played— we, I think we've mentioned before that we like to play on the old Nintendo Switch.
Carole Theriault
Does he really enjoy it, or do you enjoy it and force him to play with you?
Graham Cluley
He really does, and I think it's good to get away from the sort of sniper A game. So we have been playing a game, a short little game, but it's really fun and it was quite cheap in the Nintendo store. And you can also get it for iOS, Android, and on Steam. And it is called The Office Quest.
Carole Theriault
Okay.
Graham Cluley
And The Office Quest is all about having a very, very dull job in your office and you're so bored.
Carole Theriault
Who chose this game?
Graham Cluley
And, but it's very charming. And basically you escape from the office, you get away from your boss out into the world, and then it all becomes more and more surreal. I give you an idea of the— it's beautiful art in this game, but everyone in the game, it's completely unexplained, is wearing a kind of animal onesie. So there's people—
Jenny Radcliffe
So, for furries. And I saw it was sheep. They're just— these are all the sheep, and I thought, is this a coded message about compliance? Not bloody GDPR compliance. There you go, you get one back. But about the compliance exercises we do to show that people can be easily scammed. What is this?
Graham Cluley
They look like furries. It is a bit furvertish, but let's not soil my son's childhood.
Carole Theriault
There's one dressed as a banana.
Graham Cluley
Yes, well, there you go. It does happen, Carole. Anyway, so The Office Quest, really fun. There's no dialogue in it whatsoever. It's all done— so it doesn't make— I guess that made it really easy to translate or whatever. But it's not just a point-and-click, it's also at one point a platformer. And there's a lot of sort of logical puzzles as well, and we really have to think. And it was a real brain bender. We finished it in a weekend. It was good fun. It only cost us about £10, and that is why I recommend The Office Quest to be my pick of the week.
Carole Theriault
I'll give you that. It's very beautiful, actually. I love the designs. I'm just checking out the website. That's right up my street.
Graham Cluley
Yeah, very nice. But it's got a real style about it. Jenny Radcliffe, what's your pick of the week?
Jenny Radcliffe
Oh, so this is what I think about in the long, dark hours sometimes. And this isn't even a particularly new— this isn't even particularly new, but I'd had a particularly bad day and Brexit and all these things is going on and you think it couldn't get any worse. And you should know that as Shakespeare said, whilst you can say this is the worst, the worst it is not, or words to that effect. So I'm just browsing actually through Reddit, so there you go. And I see something along the lines of, just when you thought things couldn't get any worse, there are several countries in the world that have got radioactive wild boars in them wandering around. Yes.
Carole Theriault
Not boring people.
Jenny Radcliffe
No, no, as in the sort of pig.
Graham Cluley
Oh, boars like in Asterix, sort of the things which snuffle up truffles.
Jenny Radcliffe
Yes, indeed. So in the Czech Republic, there is still fallout from Chernobyl.
Carole Theriault
Wow.
Jenny Radcliffe
And it has turned a certain type of mushroom toxic from caesium-137, and the boars eat the mushrooms, and then the boars are killed for goulash, which— and the article I read said, but you'd have to eat an awful lot of goulash for this to be an issue. I don't even want to eat any goulash if I think that the thing's radioactive.
Graham Cluley
They're in the Czech Republic. All they're going to be eating is goulash from my experience.
Carole Theriault
Maybe we need to start walking around with a Geiger counter and checking our dinners.
Jenny Radcliffe
Perhaps unsurprisingly, when people had to evacuate Fukushima in Japan six years ago, or however long ago, the wild boar population there has done really well. So there's lots of them inhabiting Fukushima.
Graham Cluley
What do you mean they've done really well? They've sort of grown extra heads or something?
Jenny Radcliffe
It doesn't seem to have affected their breeding in a detrimental way. So the population has exploded, and now they are, but they are much more radioactive than the ones in the Czech Republic. So they are 300 times higher than the safe level.
Graham Cluley
Oh my goodness.
Jenny Radcliffe
So wild boar is a delicacy in Japan, but not when it's 300 times.
Carole Theriault
And apparently, yeah, this is when you don't buy local.
Jenny Radcliffe
And so apparently, one of the other side effects is they've not seen humans for a long time, so they're really aggressive. So if you thought you were having a bad day, imagine if you were— and I mean, I'm not trying to say this in poor taste, as it were, to poor people who suffered a terrible disaster, but if you were trying to return to your home, one of the things you probably didn't think you'd have to deal with would be a wild boar that is radioactive, preventing you from re-entering the region. So I just thought, you know, sometimes we need a break, don't we, from security topics. And actually, in a way, it is a security topic, because if you were going to have anything protecting your premises, I think even I would avoid breaking into somewhere with that.
Graham Cluley
So can I just check your pick of the week?
Jenny Radcliffe
Yeah.
Graham Cluley
It's a miserable story about the plight of wild boars, which are radioactive because of humans messing up.
Carole Theriault
How perfectly English.
Graham Cluley
And this is what cheered you up because of Brexit.
Jenny Radcliffe
You dissed me. You threw shade about the radioactive boars.
Graham Cluley
Threw shade. What are we, 14?
Jenny Radcliffe
No, we're living in 2019. Language evolves, Graham.
Carole Theriault
It's an interesting pick of the week.
Graham Cluley
Carole, moving on, what's your pick of the week?
Carole Theriault
Well, I have chosen Maniac. It's a season with 10 episodes written by Patrick Somerville, the writer of the first True Detective series. I don't know if either of you saw that, but I thought it was a bit of a masterpiece. It stars Emma Stone and Jonah Hill. Now, the whole thing is a bit nutso. It's fast-paced, tightly scripted, and it's basically— I guess the best way to explain it is two people who kind of meet and juxtapose at a really wacky medical trial designed to remove all pain and suffering from humankind.
Graham Cluley
Once you begin to appreciate the structure of the mind, there's no reason to believe that anything about us can't be changed. The mind can be solved.
Carole Theriault
I know it sounds a bit depressing. It's not at all. It's kind of a cocktail of comedy, sci-fi, murder, horror, bit of philosophy, bit of ethics. It's really, really weird and lovely. Now, I thought everyone would love it, but Wired absolutely hated it. I'm going to put a link to their review because it's quite— they're outraged. But I really enjoyed it. So I think if you watched Life on Mars, I would say that's a very good UK equivalent of what it's— and how I found it. Yeah, so check it out. Maniac, Netflix, came out in September 2018, and I think it rocks.
Graham Cluley
Intriguing. Well, thank you very much, Carole. And I think that just about wraps it up for this week. Jenny, I'm sure plenty of people would like to follow you on the social media. What's the best way for people get in touch with you or find you on social networks?
Jenny Radcliffe
Twitter @Jenny_Radcliffe, or you can go to the website, which is currently, and soon to change, but currently is still JennyRadcliffe.com.
Graham Cluley
Okay, and on Twitter you can follow us at Smashing Security, no G, Twitter won't allow us to have a G, and you can check out our online store to grab t-shirts and stickers and mugs and things like that at SmashingSecurity.com/store.
Carole Theriault
Thank you as always for listening to the show, and thank you to our sponsors this week, Recorded Future and LastPass.
Graham Cluley
Until next week, cheerio, bye-bye, bye-bye.
Carole Theriault
Hey guys, I'm sneaking in an extra pick of the week here because it's kind of security related. If you're interested in Russia's IRA, or Internet Research Agency, in its effort to amplify conspiracy thinking and partisan conflict in the US, check out Sam Harris's podcast called Waking Up. It's episode 145 called Information War, and it features Renee DiResta. She really knows her stuff. Anyway, there you go. Don't tell Graham.
EPISODE DESCRIPTION:
Business email compromise evolves to target your company's payroll, how the world's largest gold coin was stolen from a Berlin museum, and are internet giants feeling the heat yet over data security?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by people hacker Jenny Radcliffe.