
267: Virtual kidnapping, two helipads, and a naughty Apple employee


A Russian bank tells its customers to stop installing security updates, an Apple employee ends up in hot water, and learn our tips to avoid being virtually kidnapped.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.

Visit https://www.smashingsecurity.com/267 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Anna Brading.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. She should feel very grateful that the police are ringing in advance to say, oh, by the way, we're coming around. That drugs thing you've been involved with, we're going to be popping around between 2 and 3 next Tuesday to arrest you. Could you make sure you're in?


ANNA BRADING. Yes.


ROBOT. Smashing Security, episode 267: Virtual Kidnapping, Two Helipads, and a Security Apple employee with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 267. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we're joined this week by fan favorite. Yes, she's back. Anna Brading. Hello, Anna.


ANNA BRADING. Hello.


GRAHAM CLULEY. Sorry, not Maria.


ANNA BRADING. Yeah, exactly. Just call me not Maria.


CAROLE THERIAULT. She's my favorite. Oh, Carole. She helped me start Sticky Pickles. She'll always be my favorite.


GRAHAM CLULEY. Oh yeah, that's true. Hey, talking of fan favorites, I wonder if you saw the latest developments on the Smashing Security NFT.


ANNA BRADING. I saw this.


CAROLE THERIAULT. It's not real. Is it real?


GRAHAM CLULEY. Well, as real as any NFT is. So a friend of the show, Mark Stockley, he created a Smashing Security NFT, which combined my face with Graham Cluley's in a rather gruesome human caterpillar style fashion.


CAROLE THERIAULT. And he talked about it all on the show.


GRAHAM CLULEY. He did. He did a while back. And astonishingly, someone actually purchased it for $330.


ANNA BRADING. £335. £335.


GRAHAM CLULEY. £335.


ANNA BRADING. Obviously it's lovely, because it's a lovely photo of you two, but wow.


GRAHAM CLULEY. Well, they don't get the photo, remember.


ANNA BRADING. They only get—


GRAHAM CLULEY. That was right, yeah.


ANNA BRADING. Such an idiot.


GRAHAM CLULEY. Now, the person who bought it is now trying to sell it, and he's upped the price a little bit. He's now trying to sell it, this mystery person.


CAROLE THERIAULT. Ooh, £500.


GRAHAM CLULEY. No.


CAROLE THERIAULT. No.


GRAHAM CLULEY. $3 million. Oh.


ANNA BRADING. Has anyone bought it?


GRAHAM CLULEY. Not for $3 million. Not yet.


CAROLE THERIAULT. Oh, they're lining up.


ANNA BRADING. Well, I just need to talk to my bank.


GRAHAM CLULEY. Link in the show notes if you want to make that purchase. So we don't—


ANNA BRADING. You don't know who bought it?


GRAHAM CLULEY. Well, we only know his sort of like code name, his username, which doesn't really tell us anything.


ANNA BRADING. Graham, is it you?


GRAHAM CLULEY. No, it— no.


CAROLE THERIAULT. Oh gosh, it probably is. We should thank this week's sponsors, Kolide and Drata. It's their support that helps us give you the show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Oh, I'm gonna be taking a look at good old trusty, or should that be rusky, open source software.


CAROLE THERIAULT. Ooh, sounds exciting. I love the pun there. And Anna, what about you?


ANNA BRADING. I am gonna be talking about virtual kidnappings.


CAROLE THERIAULT. Ooh, and I'm talking about how not to steal from a tech giant. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I don't know if you've noticed, but in the last few weeks. I don't know if you've seen them all, the politicians, the journalists, they've been quite frankly causing quite a bit of trouble, stirring up aggro, making a big song and dance out of rich Russian oligarchs, claiming that they're doing something wrong by generously investing their billions in London property or Premier Division football clubs. Have you seen this going on?


CAROLE THERIAULT. Yeah, but I'm not sure what your point is. Like, so they're just saying, oh, look, look at all these people buying up all bits of London.


GRAHAM CLULEY. As if it's a bad thing. As if it's a bad thing.


CAROLE THERIAULT. Well, they haven't just started doing this.


GRAHAM CLULEY. This has been going on for quite a while. Exactly. So why are they making the big fuss now, right? They've been enjoying it up until now. They've been enjoying the riches in London. They've been enjoying, you know, waving at Vladimir Putin, motoring around on his $700 million superyacht with two helipads, currently moored in Italy, apparently.


CAROLE THERIAULT. I really need two helipads. Not one, I need two.


GRAHAM CLULEY. Have either of you been on a boat? I've been on a boat.


ANNA BRADING. What, with two helipads?


GRAHAM CLULEY. No, I've been on a pedalo, I've been on a ferry, and I've been on a sort of sailboat thing.


ANNA BRADING. My dad used to have a boat.


CAROLE THERIAULT. Yeah, mine too.


GRAHAM CLULEY. It's not pleasant. I don't understand why these billionaires buy boats.


ANNA BRADING. Yeah, but they're not— that's not like a pedalo, Graham.


GRAHAM CLULEY. No.


ANNA BRADING. His superyacht with two helipads.


CAROLE THERIAULT. Yeah, you have a place to have a poo.


ANNA BRADING. It's probably—


CAROLE THERIAULT. Yeah. Or five.


ANNA BRADING. Probably slightly less choppy than your pedalo.


GRAHAM CLULEY. Yeah, it's just— it's just like, how is this fun? No exercise, Graham, either.


CAROLE THERIAULT. It's not like you've got to— motor yourself with your feet either, right?


ANNA BRADING. Yeah. Someone does that for you.


GRAHAM CLULEY. Well, the journalists, the politicians in the West have been saying this is somehow a bad thing. And it stinks of ungratefulness, doesn't it, by the West, really? I mean, these philanthropic investments made by Russian billionaires, saving our Premier Division football clubs from ruin, investing their billions in property. It's no wonder that some feathers have been rustled in Moscow.


CAROLE THERIAULT. Ruffled, you mean?


GRAHAM CLULEY. What did I say?


ANNA BRADING. Rustled? No, I like that. That's fine. They're rustling the feathers.


GRAHAM CLULEY. Yes. Anyway, people are annoyed in Moscow because of the sanctions and freezing of assets outside Russia.


CAROLE THERIAULT. Yeah.


ANNA BRADING. And there's no McDonald's anymore.


GRAHAM CLULEY. Well, yeah, but there is Burger King apparently.


ANNA BRADING. Oh, is there?


GRAHAM CLULEY. Oh gosh. Because I think it's because of the franchise arrangement. So Burger King isn't actually run by Burger King. It's run by— Vlad and Dmitry, you know, instead.


ANNA BRADING. Got it. Got it. Yeah.


GRAHAM CLULEY. So do either of you have any business dealings in Russia at all? Do you have offices based over there?


ANNA BRADING. Not that I want to talk about.


GRAHAM CLULEY. Do you have any money squirreled away in Russian bank accounts?


CAROLE THERIAULT. What, like I have a bank account full of rubles?


GRAHAM CLULEY. Well, hopefully not rubles because they're worth pigeon feed at the moment, aren't they? Well, it might be an issue if you do, and not just because it's become rather unfashionable, but also because of a real cybersecurity challenge. So if you remember, Putin has said that any Western companies who quit Russia, sort of pull out, they face the prospect of having their local operations taken over by the state. In other words, Vladimir will come round, and who knows what information he'll be able to extract from your offices if he takes over your property and maybe takes over your servers. Have you wiped your databases? Have you got rid of all the keys which you had lying around there? If you left in some haste, you may not have scorched the earth on your way out to prevent a data leak. So that's a real problem.


CAROLE THERIAULT. And this is for Western companies that have a base in Russia.


GRAHAM CLULEY. Who have offices in Russia and then say, oh, we're not going to operate here anymore, we're out.


ANNA BRADING. Yeah, right. Yeah.


GRAHAM CLULEY. Potentially someone else could move in.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And so you want to make sure that they don't have any access to your other infrastructure and you haven't left any data there. You know, it's more than just shredding files. You maybe need to securely wipe the data off any servers which you have out there as well, and computers.


CAROLE THERIAULT. I wonder if it's like a big cloud problem. I mean, you know, if they're using the cloud, it wouldn't be that hard, right? It's a password job effectively.


GRAHAM CLULEY. Well, as long as you haven't got the passwords, you know, stuck with a sticky note on the wall.


ANNA BRADING. You haven't left your USB keys around.


GRAHAM CLULEY. Right. I mean, imagine it, right? Imagine how much stuff you would have in an office lying around and making sure— remember, you're doing this remotely because you're thinking, oh crikey, we've got 20 people in that office. We're the IT department out in Los Angeles. How are we going to get over there to make sure that they've cleaned up properly?


ANNA BRADING. And I remember your desk, Graham, and it was— there'd be a lot to clear there.


CAROLE THERIAULT. You just wouldn't want to touch it, actually. It's its own hazard in itself.


ANNA BRADING. Actually, that's true. It would be quite safe. No one would want to touch it.


CAROLE THERIAULT. Yeah, exactly.


GRAHAM CLULEY. So there are real security issues for businesses which are operating in Russia or maybe coming out of Russia. And as we discussed in last week's wonderful episode, serious considerations for companies in the West who might be using Russian software, such as Kaspersky.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. But it's not just the West that needs to be worried about what might be coming in their next software update. So what we've seen in recent weeks are activists who are using software updates to target Russia. So earlier this month, there were some widely used open-source libraries which had added to them some unexpected functionality. So whoever maintains those libraries up on GitHub or where, or npm, that they included some new functionality which broadcast calls for peace, for instance. So anti-Russian messages or messages telling them to clear off out of Ukraine. Or demanding some sort of peaceful resolution to all the ghastliness which is going on out there.


CAROLE THERIAULT. Yeah, was this the case where you were sending it off to random email addresses on a daily basis that had .ru at the end or something?


GRAHAM CLULEY. That's something else. So there have been websites which have been set up which basically allow you to spam people in Russia.


CAROLE THERIAULT. Right, yep.


GRAHAM CLULEY. With messages saying, do you know what your government is doing on your behalf? And there's also a website. It's called something like Fuck Russia or something like that anyway. But there is a website where you can press a button and it will randomly call a Russian phone number so you can have a geopolitical discussion with the person who answers it.


CAROLE THERIAULT. Is it global translators that are joining the call?


GRAHAM CLULEY. No, no, no.


CAROLE THERIAULT. No, no.


ANNA BRADING. You can just do that with Google Translate.


CAROLE THERIAULT. That's right, so easy.


ANNA BRADING. It's fine.


GRAHAM CLULEY. They give you some phonetic scripts to read out, or you could just adopt a Russian kind of accent and hope that that's the translation. That's how I speak French. After all, just do the accent.


ANNA BRADING. Speak a bit of French to Carole. She understands.


GRAHAM CLULEY. Oh, bonjour Carole. Comment allez-vous?


CAROLE THERIAULT. I don't understand what he says ever.


GRAHAM CLULEY. Son livre qui vend 3 000— Oh, okay. So there were some which broadcast messages for peace, but others went further. Some deliberately wiped files on computers.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. If they worked out via the IP address that they were based in Russia or Belarus, they overwrote files with a heart symbol. Now, you've got to be careful with that, haven't you? I remember back in the day— are we ready to talk about our top spamming nations report, which we did for a security company long ago? Oh, we used to produce a dirty dozen list of the top spamming nations, and our labs would give us information as to where the spam was being relayed from based on the IP address. And if I recall correctly, we once found out from the stats that a disproportionate amount of spam was coming from the Pitcairn Islands.


CAROLE THERIAULT. Which had the smallest number of people.


GRAHAM CLULEY. There were about 12 people there and one computer. And there might have been a goof with the IP lookup table. So you have to be careful. Yeah. They were very angry, the Pitcairn Islands.


CAROLE THERIAULT. Well, no, but they knew that they hadn't because they had to pay a fortune for every transmission. So they knew, they, you know, they knew that no one was doing this. And it was an extremely, it was an embarrassing situation all round. Yes.


GRAHAM CLULEY. Yeah, we're still persona non grata in the Pitcairn Islands, I think. So pretty nasty, overwriting your files. The problem is, of course, that you might be running a piece of software which used one of those open source libraries and not realized it had been converted into protestware or you could argue actual malware, and you might be using software which you don't know relies upon those open source libraries. 'Cause that's the thing, programmers don't like to do their own coding, they steal other people's code.


CAROLE THERIAULT. I think that's like 99% of the time.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Right? You don't know where the code came from. You just know that it came in a package. Yeah.


GRAHAM CLULEY. That's right.


CAROLE THERIAULT. You don't even know how many pieces of code are in it. You don't even know the supply chain, you know nothing.


ANNA BRADING. Yeah.


GRAHAM CLULEY. And if a library gets updated, you just use the latest library 'cause you assume it's better. You assume it's got a bug fix and you trust it. Now, one of the chaps behind one of these malicious updates is a chap called Brandon Miller, and he's defended the functionality he added in what he calls the Peace Not War module, because he says, well, I was upfront about it. It's all public. It's documented. It's licensed. It's open source.


CAROLE THERIAULT. Did you not read the release notes?


GRAHAM CLULEY. Well, exactly. Did you not check the source code?


CAROLE THERIAULT. Did you not read the privacy agreement? Oh, oh, I don't know why you're using that stupid voice, Graham.


GRAHAM CLULEY. Okay. Wow. Well, I did the French accent earlier. I thought I'd do something that might be a bit closer to home to you. So, because, you know, so he says, we know it's open source, it's open source. You know, how can anything open source ever be wrong, right? Because you could always check it, can't be bad.


CAROLE THERIAULT. So what you're saying is just because you can check it doesn't mean people do check it.


GRAHAM CLULEY. Of course they don't. Of course they don't. Other than you, Carole, you're the only person I know who checks the privacy and the terms and conditions and all those sort of things. Would you look at the source code of a program to check?


ANNA BRADING. No.


GRAHAM CLULEY. Ah, right.


CAROLE THERIAULT. But I would, yeah, I would read the privacy statements.


GRAHAM CLULEY. Okay, all right.


CAROLE THERIAULT. I would. All right. But yeah, no, I wouldn't look at the source code. I wouldn't even know what I was doing there.


GRAHAM CLULEY. No, no. Well, so here's the thing.


CAROLE THERIAULT. I could say yes to you, but it would mean nothing to me.


GRAHAM CLULEY. So here's the thing. Here's the thing. And this is why I asked if you had any money hidden away in Russian banks, because there is a Russian bank called— I don't know how to pronounce this— Sber. Sber. Sber. And Sber has told its customers to stop installing software updates for any applications.


CAROLE THERIAULT. So that's crazy. So a bank—


GRAHAM CLULEY. Who you would think would care about security.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And not want their customers to be phished. Or have any malware on their computers.


CAROLE THERIAULT. But they don't have jurisdiction over the whole machine. They just are in charge of their own little website or app.


GRAHAM CLULEY. They're not enforcing it, but they're giving this advice to their customers. They're telling their customers, "Stop installing any software updates for any applications because it might contain malicious code targeted against Russians." For the bank's app itself?


ANNA BRADING. No, for any software.


GRAHAM CLULEY. For anything. Because if there was something running in the background on your computer, which you'd installed, it may then impact the bank. At the moment, they've got about, well, every person has about 28 million rubles at the moment. So it's about £2.80 and potentially a problem.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. They've said various content and malicious code can be embedded in freely distributed libraries used for software development. In other words, those open source libraries we're talking about. And the use of such software can lead to malware infection of personal and corporate computers as well as IT infrastructure. And they're saying, if you absolutely must use a piece of software and update it, scan it with an antivirus or carry out a manual review of its source code. The thing that— Oh God.


ANNA BRADING. There you go, Carole.


GRAHAM CLULEY. The thing that even Carole Theriault refuses to do.


CAROLE THERIAULT. Well, no, not refuse, just wouldn't be very useful.


GRAHAM CLULEY. Well, of course, who could do that?


CAROLE THERIAULT. Review the source code.


GRAHAM CLULEY. And it's not as though the source code is going to have a comment in it saying, now we're going to do the deletion. It's going to be obscured and obfuscated.


CAROLE THERIAULT. And I wonder whether this information being given to its customers would encourage people to leave comments in sites or quotes saying, this is great, super cool, don't worry, thumbs up, thumbs up, I love it.


GRAHAM CLULEY. We love Putin.


CAROLE THERIAULT. He's the best.


ANNA BRADING. Jesus.


GRAHAM CLULEY. Or whether people will think, oh, this is such a pain. I'll just take all my money out of the bank. Might be a good idea anyway, and hide it under the mattress instead. Convert it into gold or porridge or whatever the new form of currency is.


ANNA BRADING. Or whether most people just won't listen to the bank and won't install updates because they never do anyway.


GRAHAM CLULEY. Oh, cynic.


CAROLE THERIAULT. Or whether people are already set up to automatically get updates and don't have any idea how to turn that off.


ANNA BRADING. Very true.


CAROLE THERIAULT. Well, this is a pickle. So does that mean— Last pickle. Does that mean—


ANNA BRADING. She's trying to get it in everywhere.


CAROLE THERIAULT. Does that mean that if someone does happen to update their software and it does have an impact on the bank, that the bank can penalize that individual?


GRAHAM CLULEY. Well, I don't know in the case of Smashing Security.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. With some banks in the past, they have claimed that customers have been careless with their personal security and that's why their accounts may have been phished or had money extracted from them. So they might try and use that argument. Certainly, I don't know why these guys, if they really want to cause some pain to Russia, rather than affecting regular Igor on the streets of St. Petersburg, why don't they target these oligarchs instead? Why not write malware? By the way, I'm not giving this advice. Why not write malware?


ANNA BRADING. Sounds like you are.


GRAHAM CLULEY. Which targets superyachts instead.


CAROLE THERIAULT. To do what?


GRAHAM CLULEY. Take over their navigation system and make them automatically sail to, I don't know, Washington or something. Is Washington by the sea?


CAROLE THERIAULT. So automatically put up the sails and know what the weather's like and be able to tack across the ocean to wherever.


ANNA BRADING. Carole, this is why Graham has only used a pedalo.


CAROLE THERIAULT. That's right. Yes. So where are they gonna be going? Where do you want them to automatically go?


GRAHAM CLULEY. Well, anywhere. To the police. To the police run by a decent—


ANNA BRADING. To the police.


CAROLE THERIAULT. To the police island. Okay.


ANNA BRADING. I think the police know where the oligarchs are, don't they? I don't think that they're on the run.


GRAHAM CLULEY. There's some fascinating research going on at the moment trying to locate some of these superyachts. By the way, these superyachts don't all have sails, Carole.


CAROLE THERIAULT. No, you said sail. You said sail. As you will see in your edit.


GRAHAM CLULEY. If you change it, I will know. To sail, to motor— It's a generic term for movement of a yacht. Yes. Doesn't— Anyway. Ugh. Just—


ANNA BRADING. He gets his knickers in such a twist.


CAROLE THERIAULT. No, I just—


GRAHAM CLULEY. I tried to make this very interesting. You've ruined it all.


CAROLE THERIAULT. You've done amazing.


GRAHAM CLULEY. Anna, what have you got for us this week?


ANNA BRADING. Okay, so I'll invent some names. Because although the story is true, these people don't want their names to be revealed.


GRAHAM CLULEY. Are these people you know?


ANNA BRADING. This is a story about a woman called Carole.


CAROLE THERIAULT. Oh no.


ANNA BRADING. No, let's call her Sue.


CAROLE THERIAULT. Sue.


ANNA BRADING. Maybe it's Carole, maybe it isn't. Can't say. Okay, so Sue is at home one day and she gets a phone call from an unknown number. Now this feels like I'm talking on a Sticky Pickles podcast, but I'm not. Um, so she, uh, she's looking for a job, so she wouldn't normally answer, um, an unknown phone number, but she thinks, oh, maybe, maybe this is my job, maybe this is my job that I'm gonna get.


GRAHAM CLULEY. Exactly.


ANNA BRADING. So she answers it. It's not a job, uh, it's the Social Security office telling her that she's about to be arrested. Because her identity has been used in drug trafficking and money laundering. Now, can you imagine how Sue feels? She's a bit—


CAROLE THERIAULT. Has she? Is she a big heroin dealer?


GRAHAM CLULEY. She should feel very grateful that the police are ringing in advance to say, "Oh, by the way, we're coming round." Warning her. "We're coming round. That drugs thing you've been involved with, we're going to be popping round between 2 and 3 next Tuesday to arrest you. Could you make sure you're in?" Yes.


ANNA BRADING. So Sue is in a panic, actually. She's quite worried about this. And she's got, no, no, no, no, no, that's not me, that's not me. But luckily, the Social Security office are very understanding. That's nice, isn't it? So they say to fix this stuff, all she needs to do is set up a new financial account, specifically a secure bitcoin account, to cover up for the fact that she has had her identity used in all her deals.


CAROLE THERIAULT. Red flag.


ANNA BRADING. Red flag.


CAROLE THERIAULT. Red flag all the way. Ransomware shop.


ANNA BRADING. Okay, hold on. You have the benefit of being involved in infosec for a long time. Sue has not.


CAROLE THERIAULT. Right, okay, fair enough.


GRAHAM CLULEY. So she's been told, set up a bitcoin account, buy an NFT from the Smashing Security podcast for £335, for $3 million.


ANNA BRADING. Um, no, what she has to do is— that, like, this sounds absolutely fine. All she needs to do is move $12,000 from her run-of-the-mill normal Chase bank account and deposit it into a bitcoin machine in a petrol station. I didn't actually know they had bitcoin machines in petrol stations.


CAROLE THERIAULT. Do they?


GRAHAM CLULEY. Yeah, I think, I think there have been some in the— yes, I've heard about it.


CAROLE THERIAULT. Like a Costa Coffee dispenser, and then beside that you have your bitcoin machine, and then you have your coin counting machine, right, that helps, you know, that you throw all your coins in.


ANNA BRADING. Well, the bitcoins actually come out. Yeah, that's right.


GRAHAM CLULEY. I was speaking to a guy the other night who has sold, um, outside laundry. Have you seen these sort of laundry machines which are outside at petrol stations?


ANNA BRADING. No.


GRAHAM CLULEY. You can rock up to a petrol station and put your clothes in and it will wash and dry them.


ANNA BRADING. I think that's smart, actually. I mean, it is, although most people probably use their ones at home.


CAROLE THERIAULT. No, actually it's not that smart because the last thing you want to do is spend 3 hours or however long it takes for your laundry to wash and dry at a petrol station. Like, what do you do?


GRAHAM CLULEY. Well, apparently these sell a lot in Ireland. I asked that question. He says, actually, it's quite a good day out for people in Ireland. They like to go to the petrol station, wash their clothes, and there'll be a little attached restaurant as well.


ANNA BRADING. Oh, I see.


CAROLE THERIAULT. Right, and you go for a little walk. Yeah.


GRAHAM CLULEY. They make a day of it. And this is— But the problem is that some people try and launder their horse blankets, and so the machines get clogged up with horse hair. Sorry, this is a bit of a digression. You digress.


ANNA BRADING. I don't think there's any laundry involved in this story. Right. So, the Social Security office very understanding, very lovely, warn her that there's a risk that her husband is going to be implicated in this identity theft situation. So together they agree not to tell him anything at the moment. Yeah, so Sue, she's in a panic. Um, and also you should know she's a new mother, so she's got a baby. So at the same time as she's taking the call from the Social Security office, she's also probably trying to shake a rattle, change a nappy, clear up sick, and breastfeed, breastfeed, wipe the baby's nose, all that sort of thing at the same time.


GRAHAM CLULEY. And frankly, when you've had a baby, I mean, you've sort of pooed your brains out anyway, aren't you? You're so exhausted.


ANNA BRADING. Yes, that's what happens. That's how you have a baby.


GRAHAM CLULEY. You can't think of anything.


CAROLE THERIAULT. Yeah, Graham understands these things because he's had a baby himself and he knows.


GRAHAM CLULEY. I'm currently working on one.


ANNA BRADING. Yeah. Good, lovely. Well, that's something you can do while you're laundering your clothes at the petrol station. So while she's doing all this baby entertaining, changing nappies and everything, the Social Security officer being so nice, but they're actually a bit worried about the baby because they hear it crying. So what they do is they ask Sue to send a picture of the baby to them just to check if the baby's okay because they're a bit worried.


CAROLE THERIAULT. What? Okay, red flag number 2.


ANNA BRADING. Like, don't forget, Sue's just had a baby. She's pooed her brains out, as Graham says.


CAROLE THERIAULT. You've had a baby in real life. Would you kind of go, oh yeah, no problem, here's a picture of my kid?


GRAHAM CLULEY. I think it depends on how proud you are of the beauty of the baby.


ANNA BRADING. That's true.


GRAHAM CLULEY. The baby is quite ugly.


ANNA BRADING. It's a very beautiful— yeah, it's true.


GRAHAM CLULEY. You wouldn't want to send anyone a picture. But if you're one of those proud parents saying, oh yes, here is the photograph, here's my adorable cherub.


ANNA BRADING. So she sends it anyway because she's a new mum. So while that's going on, across town, Sue's husband, let's call him Greg, sees a text message pop up on his phone screen. So it's a photo of his baby with the message, do you want your baby back or not? He gets a phone call to tell him that his wife and baby have been kidnapped. Now, my God, it's definitely his baby in the photo. Okay, I know most babies are the same.


CAROLE THERIAULT. Okay, what would you do now, Sticky Pickle style? And the answer would be call my wife.


ANNA BRADING. No, because he's so worried.


GRAHAM CLULEY. You're so worried you don't contact your wife.


ANNA BRADING. What's the point in calling her if she's being kidnapped?


GRAHAM CLULEY. She's busy being kidnapped.


CAROLE THERIAULT. She's probably not going to answer her phone, and she's doing the breastfeeding and the diapers and the rattle.


ANNA BRADING. Exactly. And he's thinking, she's pooed her brains out, she can't cope with anything.


GRAHAM CLULEY. This is entirely plausible that she could have been kidnapped.


ANNA BRADING. Exactly.


GRAHAM CLULEY. This is the kind of thing that happens to her.


ANNA BRADING. Yes, exactly. And so then another text pops up, ransom demand, and the words, "You are responsible for your family." Okay, so yeah, what would we do at this situation? Graham?


GRAHAM CLULEY. Oh gosh.


ANNA BRADING. What would you do?


GRAHAM CLULEY. Do, do, do, do I like my wife and child, or have—


ANNA BRADING. am I looking for, you know, um, I would say in this situation, Graham, for the purposes of this story, yes, you like your wife and children.


GRAHAM CLULEY. Okay, all right. Well, I mean, I think the traditional thing is to call the police, isn't it? And say, I appear to have received a sort of ransom demand for the kidnapping.


ANNA BRADING. No, because they tell you not to. In every single ransom film— have you ever seen a kidnapping film? They always say, don't tell the police.


GRAHAM CLULEY. I saw the one with Mel Gibson where he goes on TV and he offers a bigger ransom for anyone who can capture the kidnappers. Oh, yes, I've seen that. Do you remember that? That was very exciting. When that—


ANNA BRADING. I mean, obviously I haven't seen it, but I've seen clips of it, so I don't watch films. Yeah, but it's, uh, so yeah, anyway, so he's got this. So Graham, you, you would, you'd call the police?


GRAHAM CLULEY. Well, absolutely. I'm a law-abiding, sort of upstanding sort of chap, and I'd say, look, can you sort this out for me? I'm very busy. I've got a podcast tour at it.


ANNA BRADING. Yes, sorry guys.


GRAHAM CLULEY. So could you handle the kid?


ANNA BRADING. I haven't got a lot of time right now. Yes. Carole, what would you do?


CAROLE THERIAULT. What I would do is call my wife and go, uh, hello, right? But assuming I don't work in security and I'm feeling a little stressed out, I'd be like, what do you mean? I would engage. I would engage. I go, what?


ANNA BRADING. I mean, actually, there is— there's a horrible point in this, uh, saga where the scammers tell the man Greg that his wife and kid were in the back seat of a car in a particular location. So he races to the location and there's no car, and he's just running from car to car checking the back seats. At that point, he thought, hey, I could call the police. So, he calls them.


CAROLE THERIAULT. Okay.


ANNA BRADING. And they track his wife down using her mobile phone, and she—


GRAHAM CLULEY. Can I just interrupt for a second?


ANNA BRADING. Yes.


GRAHAM CLULEY. Did this actually happen?


ANNA BRADING. Well, I read it on a news site, Graham, so—


GRAHAM CLULEY. Oh, okay.


ANNA BRADING. It wasn't the Daily Mail.


GRAHAM CLULEY. Okay. Oh, whoa. In which case— This is horrifying. So this man, he got this message that his wife and child had been kidnapped.


ANNA BRADING. Yep.


GRAHAM CLULEY. He races to try and rescue them, presumably with— a bag full of cash. He can't find them.


ANNA BRADING. Yeah.


GRAHAM CLULEY. And yeah, not very good.


ANNA BRADING. So then he calls the police. So, they intercept her car using mobile phone signals. They find her.


GRAHAM CLULEY. Triangulate, triangulate.


ANNA BRADING. And intercept her car. She's on the move, probably in the boot. So they— they—


GRAHAM CLULEY. Argh!


ANNA BRADING. They screech to a halt. They've caught the kidnapper. But instead they just find Sue and her baby in the car, probably driving to the petrol station with their bitcoin cash machines.


CAROLE THERIAULT. About to do some laundry.


ANNA BRADING. Laundry, yes. So of course it's all a scam. Sue's not been kidnapped. There's no drug trafficking, no identity theft, nothing. He's almost had a heart attack. It's a virtual kidnapping invented by scammers preying on someone's worst fear. That's not the only case. There are loads of them. I was reading it earlier. There was one where the father receives a phone call about his daughter that's at uni saying she's been kidnapped, but actually she's just away at university. But he doesn't find out until he'd paid $4,000. Oh boy.


GRAHAM CLULEY. It's a kidnapping for lazy people, really, isn't it? People who can't be bothered to actually pull off the kidnapping.


ANNA BRADING. Well, why bother? You don't need to. Anyway, the FBI has warned people. So these are the signs to watch out for. If you get a call from someone that's been kidnapped but it's not their phone number, call their phone number. The caller will try and keep you on the phone as long as possible. They might— well, because they use social media to try and connect all the dots, they will probably be able to answer simple questions about who's been kidnapped and what they look like. And they also might ask for the ransom to be wired to several different accounts in small amounts. So yeah, don't, don't send money to people you don't know. Um, if your wife gets kidnapped, call her. And don't send photos of your child to Social Security.


CAROLE THERIAULT. I actually have advice if you are kidnapped.


GRAHAM CLULEY. Oh, is this from personal experience?


ANNA BRADING. Yes.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. But it's a really good— okay, tell me what you think of the idea.


ANNA BRADING. Is it about if you're in the boot?


CAROLE THERIAULT. No, no, no, no. So you're— so say you're at home, some person comes in and you're in a house arrest situation. And, you know, it's been a while. It's been a while. It's been a few hours. And you got to go, you know, at some point, you're like, "Hey, is anyone hungry?" "I can call for a pizza. Shall I do that?" And they'll go, "Yeah, do it." Right at gunpoint, maybe. And then you call 999 or 911, and then you order the pizza, and they apparently will immediately go, "Are you in trouble?" And you go, "Yeah, mushrooms. Definitely pepperoni, pepperoni." And they will ask questions, and you'll say yes or no to them in order to then, you know, figure out what's going on.


ANNA BRADING. Right, there you go. That's good advice.


CAROLE THERIAULT. Thanks.


ANNA BRADING. First of all, a couple of things, couple of things.


CAROLE THERIAULT. If your hands are tied, are you doing this hands-free? Why—


ANNA BRADING. Oh, the kidnapper's not ordering the pizza.


CAROLE THERIAULT. They're holding the gun.


ANNA BRADING. And secondly, why don't they use Deliveroo?


CAROLE THERIAULT. That's true.


ANNA BRADING. I did hear you're supposed to kick out the lights, aren't you, if you're in a boot? Really? You're supposed to kick out the brake lights so then you can put your hand out, wave to the people. I've been kidnapped.


GRAHAM CLULEY. I thought you were supposed to befriend the kidnapper and sort of, you know, start a relationship with them. Not necessarily get married or anything, but just sort of—


ANNA BRADING. Ask them if they want pizza.


CAROLE THERIAULT. Stockholm syndrome style.


GRAHAM CLULEY. Yeah, well, yeah, exactly. You just say, oh, you know, oh, I love your blue eyes. That kind of thing. You know, just love these.


ANNA BRADING. Yeah.


GRAHAM CLULEY. Do you work out? And just sort of—


ANNA BRADING. I love your gun.


GRAHAM CLULEY. Chat them up. Cool. I'd love to. I've never held a gun myself. Maybe I could have, you know, after a few minutes, maybe you could turn the tables. Just an idea.


CAROLE THERIAULT. Can I just say categorically, no one should take any advice from us at all on these things.


GRAHAM CLULEY. Absolutely not.


ANNA BRADING. No.


CAROLE THERIAULT. Call the police.


ANNA BRADING. Yes.


GRAHAM CLULEY. Please, not the pizza company, Crow. Crow, what story have you got for us this week?


CAROLE THERIAULT. Okay, so you guys have been around the block once or twice, you know, the corporate block, so to speak, the technology block. So let me ask you this: have you ever stolen from a company?


GRAHAM CLULEY. No. Oh, no, definitely not.


ANNA BRADING. No.


CAROLE THERIAULT. Because my next line says anyone who says no is a liar.


GRAHAM CLULEY. Oh, definitely not a laptop.


CAROLE THERIAULT. Have you not stolen maybe a pen or office sundries from the cupboard or like a sticky note notepad?


GRAHAM CLULEY. Is it stealing or is it taking advantage of a loan, a long-term loan?


CAROLE THERIAULT. Yes. Do you give it back?


ANNA BRADING. Yes.


GRAHAM CLULEY. Well, maybe the loan hasn't yet expired. Maybe it's something— maybe it's like a library book.


ANNA BRADING. If you work from home a bit, maybe you need the sticky notes at home. As part of your job.


CAROLE THERIAULT. But that's not stealing then, is it?


ANNA BRADING. Well, no, exactly.


CAROLE THERIAULT. Ah, and you know, you sent maybe yourself internal files or documents by email because you got to do the call from and you can't get the information from another place. Or, you know, some people even steal face towels from hotels, I've heard, right? So I did that once actually, because I put my— I rubbed my eyes on it, it was full of mascara.


ANNA BRADING. What, yours?


CAROLE THERIAULT. I was embarrassed to leave it. Oh.


ANNA BRADING. Yes.


CAROLE THERIAULT. I was embarrassed to leave the white face cloth that now was black. But I don't— isn't that ridiculous? So I stole it. I stole it.


ANNA BRADING. I just don't know what to do.


CAROLE THERIAULT. Sorry, Hilton.


GRAHAM CLULEY. Because that's less embarrassing than leaving a dirty one they can wash, is to just steal it.


ANNA BRADING. You definitely did the right thing there, Carole. Thanks.


CAROLE THERIAULT. Actually, I know someone who was accused of stealing a company laptop after leaving a company. And they sent the cops round to search his house.


GRAHAM CLULEY. What?


CAROLE THERIAULT. And they didn't find it. And strangely enough, within a few months, they ended up rehiring the guy as a consultant because he was a super great iOS programmer. Wow. And he said yes because he'd upped his salary by, like, a factor of 3. So, there you go.


GRAHAM CLULEY. That is so juicy.


ANNA BRADING. That is. I'd say yes.


GRAHAM CLULEY. Yeah?


CAROLE THERIAULT. It was bleep bleep bleep bleep.


GRAHAM CLULEY. They sent the police around to his house.


ANNA BRADING. Yes!


CAROLE THERIAULT. Now speaking of thieving employees and all things Apple, let me introduce you to Apple employee, or ex-Apple employee, Dhirendra Prasad is his name. Now he's 52, lives in San Joaquin County, and was employed by Apple for 10 years, 2008 to 2018. And for most of that time, he worked as a buyer in Apple's global service supply chain. So he was responsible for purchasing parts and services from vendors, doing the, you know, the whole supply chain stuff. Okay. And Mr. Prasad is alleged to have exploited his position by engaging in multiple different schemes to defraud Apple. Stealing stuff. So it turns out some people are pretty brazen when it comes to taking stuff from, you know, their employers. Prasad is being accused of taking kickbacks, stealing parts, and causing Apple to pay for items and services it never received. Get this, to the tune of more than $10 million.


GRAHAM CLULEY. That's more than a few envelopes and Post-its, isn't it?


CAROLE THERIAULT. Right? That's not just a Bic pen, right? Like, yeah. So why— okay, a few questions at this point. Why did they take 10 years to notice this? Presumably maybe he wasn't up at it for the whole time. Was he— you know, is it likely that he was a disgruntled employee thinking he was underpaid and under-resourced and he was going to take a bit back? Or what does it say about Apple's scrutiny of the books? Like, $10 million is not chump change.


GRAHAM CLULEY. Yeah, I mean, I know it's a chump change in their humongous financial ocean, but yeah, but I mean, it depends how much he's ordering, I suppose, each month and how much is coming past his desk, if it is a vast amount, then maybe $10 million wouldn't get noticed over that period of time.


CAROLE THERIAULT. Yeah. I mean, I know Robert De Niro right now, he's been in this huge lawsuit with his former PA. Apparently, he claims she stole like $6 million worth of crap, including air miles from him. And she says he was a super shitty boss who underpaid her. And I wonder if Prasad had that, felt undervalued, which helped motivate his— or he was just in it for the win. Why not? You know, skim off the top. Unfortunately though, he now faces 5 criminal counts for exploiting his position of trust and making off with this $10 million worth of wonga. There's a few things that he did that makes these charges, these federal charges, a little bit more severe. Okay, okay. So he steals stuff from Apple, right? And he does that through wire and transfer fraud. And just for that, being caught for that, he is facing 5 to 20 years in the clink.


GRAHAM CLULEY. Ouch.


CAROLE THERIAULT. If he's found to be guilty, says the DOJ.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. But he's also accused of conspiring with others to launder the money because he needs to figure out a way to make all these sudden riches look legit.


ANNA BRADING. Yeah.


CAROLE THERIAULT. So you have all this dirty money and you try to clean it, make it look legal. And this is where two co-conspirators, Robert Gary Hansen and Don M. Baker, come in. These two owned vendor companies that did business with Apple. They were charged with conspiring with Prasad to commit fraud and money laundering. And this is super bad for Prasad's case because they were each earlier charged in separate federal criminal cases, and they both admitted to their involvement, right? So the prosecutor's office already has all that.


GRAHAM CLULEY. So these were companies which were supplying Apple with goods.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. They were supplying them via this first chap.


CAROLE THERIAULT. Yeah, he was working— he was like maybe the negotiator from Apple, right? So he was kind of like, hey, hey, hey, I've got a deal, you guys want in? You guys are my buddies over drinks, right? And they're like, yeah, okay, yeah, no problem. And they'll get a piece of the pie.


GRAHAM CLULEY. We'll claim you ordered 50 million Post-it notes or something like that. Yes, I see.


CAROLE THERIAULT. And so for that, for conspiring with these two guys, if he's found guilty of it, he faces an additional 20 years each. Okay, so now he's facing 60 years in the clink.


GRAHAM CLULEY. How much time would you be expected to spend in jail if you stole, for instance, a face towel from a hotel? Which you've covered in mascara. If you had conspired with your husband and told him that you were taking that face towel as well, would that add an extra 20 years to your sentence?


ANNA BRADING. Yeah, what if you gave it to Graham and he washed it for you?


GRAHAM CLULEY. Hey, leave me out! Whoa, whoa, whoa, whoa, whoa.


ANNA BRADING. Sorry, sorry, sorry.


CAROLE THERIAULT. Yeah, but conspiring with someone to do something bad is huge. I learned that from the jury case I did earlier this year. So they didn't even get away with the cash, but the fact that they— that more than one person kind of negotiated on how to go about it, and they got caught in the act, is huge in terms of the law. But the other big thing is that— and the reason why I think this is a federal case— is the tax evasion angle. The U.S. wants a piece of your pie, whether you earned it or stole it. So you have to pay tax on illegal earnings.


ANNA BRADING. So you're expected to declare your illegal earnings, right? Right. Yeah, that'll happen.


CAROLE THERIAULT. You can also take deductions for costs relating to criminal activities. So someone is like, okay, well, now I'm defending myself in court, um, I'm gonna use the criminal earnings as my financial backdrop for these court proceedings. And apparently there's a legal loophole that makes that happen. So there you go. Fascinating.


ANNA BRADING. Wow.


CAROLE THERIAULT. Wow. Okay, so, so he—


ANNA BRADING. That's—


CAROLE THERIAULT. So now he's facing 60 years. So the tax evasion thing comes two more charges: attempt to defraud the US and tax evasion. So 5 years each. So now our guy is facing 70 years, and, uh, that's kind of like a scary situation to be in, which is why he's probably not commented in the press to how he's feeling about his trial, which starts today, Thursday, March 24th.


ANNA BRADING. Would you expect them to get that for that much money?


CAROLE THERIAULT. Well, they've, they've seized his assets. Bought a few houses, has loads of bank accounts. They say there's about $5 million in all those, so those are all frozen. But it's like, look, if you're gonna steal, I think maybe sticking to pens is the way to go, or maybe the occasional stapler if you really want to branch out.


ANNA BRADING. Or face cloth.


CAROLE THERIAULT. Or a face cloth. Not a bath towel. Not a bath towel.


ANNA BRADING. No.


GRAHAM CLULEY. This advice is not endorsed by all of the hosts of the Smashing Security podcast. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.


CAROLE THERIAULT. Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database. They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


ANNA BRADING. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. I, the other day, rang up my good bud, Carole Theriault, and I said to her, is there anything good on TV at the moment?


CAROLE THERIAULT. Actually, you were sitting on my sofa.


GRAHAM CLULEY. I was sitting on your sofa. I didn't phone you from my— from your sofa to the other sofa.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Yeah. Okay. I was around for dinner at my pal Carole Theriault's the other day, and I said, is there anything good on TV? And she said, oh, I know what you might like. You might like this show called Mandy.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And Mandy—


CAROLE THERIAULT. My husband loves this show. Like, really loves it.


GRAHAM CLULEY. I have to say, it was a most excellent recommendation.


ANNA BRADING. Yes.


GRAHAM CLULEY. So Mandy is a BBC comedy starring Diane Morgan. Now, you may not be familiar with the name Diane Morgan, but you may know her as Philomena Cunk. Or possibly Kath in After Life. Yeah. The Ricky Gervais thing.


ANNA BRADING. She's in Motherland as well.


CAROLE THERIAULT. Yeah, Motherland, yeah.


GRAHAM CLULEY. Oh, is she? Right, okay.


CAROLE THERIAULT. That's funny. You might like that, Graham.


GRAHAM CLULEY. Okay, well, Diane Morgan is hilarious.


ANNA BRADING. Isn't she?


GRAHAM CLULEY. And she plays, and apparently wrote as well, she's the originator of this entire TV show. She plays a character called Mandy, who is a young jobless woman who ends up in a series of utterly daft adventures.


CAROLE THERIAULT. She walks and holds her mouth in a way that is astounding to know that she could do that for the length of time that she does. It is astounding.


GRAHAM CLULEY. Her facial expression and her gait, the way in which she walks in her very tight jeans and boots, is just something to behold. Anyway, she gets up to a— she gets into a variety of scrapes and has jobs ranging from being an arachnid control operative at the banana factory to being an applicant to be the first human to travel to Mars. The programme starts off fairly sort of pedestrian in a way.


CAROLE THERIAULT. Well, edgy BBC comedy, but—


GRAHAM CLULEY. Funny, yes. In the second series, it goes completely and utterly bonkers.


CAROLE THERIAULT. I think it was the pandemic. I think it just— people were just like, "Go for it. Just go for it." And it is brilliant.


GRAHAM CLULEY. Have you seen this at all, Anna?


ANNA BRADING. No, I haven't, but I've heard of it, and I keep meaning to watch it, so I'll do that tonight, yeah.


GRAHAM CLULEY. It's worth it.


CAROLE THERIAULT. And it's short, right? It's only like 25 episodes, 25-minute episodes.


GRAHAM CLULEY. Yeah, yeah. Each episode's only about 25 minutes. That's right. Diane Morgan is— she's just wonderful. Absolutely brilliant.


CAROLE THERIAULT. She's getting an OBE.


ANNA BRADING. The BBC comedies are so— there's so many that are so good.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. There are some which are terrible, but there are jewels out there as well. But yeah, Diane Morgan, I think in just about everything I've seen, because she was in Charlie Brooker's Screenwipe, wasn't she?


CAROLE THERIAULT. Yep.


ANNA BRADING. Yeah, she was. That was Philomena Cunk, wasn't it?


GRAHAM CLULEY. Yeah, that's Philomena Cunk. That's what started off Philomena Cunk.


ANNA BRADING. Yeah.


GRAHAM CLULEY. She's very good at keeping a straight face. Very funny. Anyway, so Mandy on BBC is my pick of the week.


CAROLE THERIAULT. Well, my husband's, but yeah.


GRAHAM CLULEY. Yeah, alright, borrow it. Anna, what's your pick of the week?


ANNA BRADING. So, my pick of the week. So, everyone who was anyone was playing Wordle at the start of the year. Graham, were you playing Wordle?


GRAHAM CLULEY. Nope.


ANNA BRADING. Carole, you weren't?


CAROLE THERIAULT. I'm nobody.


GRAHAM CLULEY. Nope, refused.


ANNA BRADING. Okay, so that's the end of that. I play every day still. I do. Um, I do have a habit of hopping on anything that's faddy, so when I saw it on Twitter, I had to try it out. But I never shared my scores to Twitter.


GRAHAM CLULEY. Oh, that's all right.


CAROLE THERIAULT. Graham loves it, by the way, if people, uh—


ANNA BRADING. Oh, he does. He's a secret player. He's like me.


CAROLE THERIAULT. Yeah, he likes the scores.


GRAHAM CLULEY. Yeah, I just find it repulsive when people— Mark Stockley, um, tweets their Wordle.


CAROLE THERIAULT. Listeners, if you would like to tweet your Wordle performances to Graham, do not tag me. He is very—


ANNA BRADING. Tag him.


CAROLE THERIAULT. He wants to be tagged.


ANNA BRADING. Yeah, it's just— yeah, I, I feel like no one cares.


GRAHAM CLULEY. What you want to do in the privacy of your own home is fine, just don't do it in front of me with your wordles.


ANNA BRADING. Okay, all right, well noted. Um, so since it arrived, obviously then everybody was doing lots and lots of alternatives. So there was Sweardle, my personal favourite.


CAROLE THERIAULT. Yes, I heard of that. Brilliant.


ANNA BRADING. Yes, well, you guess your favourite swear words. Then there was Quordle, which is 4 Wordles in 1, which is just basically, I'm better than anyone else, -dle.


CAROLE THERIAULT. Oh, that's one for my husband.


ANNA BRADING. Oh yes, you should. I tried it once. It's just taking the fun out of it. It's just too hard. Yeah, yeah, yeah. Anyway, so I thought, oh, I'll have a look what other alternatives there are. So I came across one called Heardle. So it's not really Wordle-related at all, other than you get 6 guesses and it ends in -dle. But the aim of this— I think they're jumping on the bandwagon. So the aim of the game is to guess the songs from the first few bars of the song.


CAROLE THERIAULT. Oh, I like that.


ANNA BRADING. So you get first second, and then the next second, then you get two seconds, and a bit more, and a bit more. So you get 6 guesses.


GRAHAM CLULEY. I actually like that idea. I'm all right with that.


ANNA BRADING. Do you want me to send— I'll drop it into the show notes. Yeah.


GRAHAM CLULEY. Yeah.


ANNA BRADING. Hold on. This is going to take a while.


CAROLE THERIAULT. See, I would not be great at that because I don't actually know most names of songs that I like. Like, I don't know what they're called.


GRAHAM CLULEY. But if you hear the start of it, you can sort of sing along. Yeah, yeah. Until you get to the title, can't you?


ANNA BRADING. But also it's quite good, because you can type it in and it auto-populates. So you don't have to get it completely right. You can be like, oh, I think that's a Britney Spears song. And then you get a choice.


CAROLE THERIAULT. Okay, that's kind of cool.


ANNA BRADING. So have a go.


GRAHAM CLULEY. Okay, I'm gonna have a go. I'm going in. Listen to the intro, blah, blah, blah. Right, okay, here we go. Okay, play.


CAROLE THERIAULT. Play.


GRAHAM CLULEY. Uh-huh. Well, that was nothing. It was just like— That was it.


ANNA BRADING. Annoyingly, my husband got it at that part, at that point. That's just irritating. I did not.


CAROLE THERIAULT. Did he? Okay, okay.


ANNA BRADING. Yeah.


GRAHAM CLULEY. How do I get it to play more than 1 second?


ANNA BRADING. Then you do skip 1 second or something. There's a button, you can skip it.


CAROLE THERIAULT. Michael Jackson's Bad?


ANNA BRADING. Nope.


GRAHAM CLULEY. Oh. This is Beyoncé or Destiny's Child. It's the one where it's—


CAROLE THERIAULT. That's what would happen to me all the time.


GRAHAM CLULEY. Is that it?


ANNA BRADING. Yes, it is it. What's it called?


CAROLE THERIAULT. Independent Women?


ANNA BRADING. Yes.


CAROLE THERIAULT. All the women? Independent Women?


ANNA BRADING. Independent Women, yeah.


GRAHAM CLULEY. Oh my goodness.


ANNA BRADING. Yeah, that's what I got it on the third one.


GRAHAM CLULEY. He got that on the first second.


ANNA BRADING. He went, "Oh, this is a Destiny's Child song." Ugh. Oh, he's good. He's just really irritating.


CAROLE THERIAULT. Oh, I like him a lot.


ANNA BRADING. But really, it's fun, and you only get one a day. So it's the same as Wordle.


CAROLE THERIAULT. Oh yeah, you've got to spell things properly, it turns out.


GRAHAM CLULEY. Well, yeah, you have to spell things properly in Wordle as well, Krow. It does just automatically, doesn't it?


ANNA BRADING. I mean, it does bring up a list of songs for you, Carole. So, how bad are you getting this spell wrong?


GRAHAM CLULEY. Does the— but this doesn't have you then tweet how impressive you were on Twitter about it.


ANNA BRADING. I think there is a share button, so you probably could.


GRAHAM CLULEY. Oh, for goodness' sake. Oh, I see, got it.


ANNA BRADING. So you can do that if you want now, Graham.


GRAHAM CLULEY. No, I'm not going to, because I'm not that desperate. Okay, hurdle. Brilliant.


ANNA BRADING. Yeah, that's my Pick of the Week.


GRAHAM CLULEY. Cool.


CAROLE THERIAULT. Good Pick of the Week, Anna.


ANNA BRADING. Thank you.


GRAHAM CLULEY. Thank you, Crow. What's your pick of the week?


CAROLE THERIAULT. Uh, mine is also cool. So let's say you're decorating a room, or, you know, want a color scheme for a website, or anything where you need help choosing the right colors to go together, you know. And I know a lot of people have that drama. So let me introduce Adobe Color. I've used this site forever. So you can see this at color, spelled American style, so c-o-l-o-r.adobe.com. And it's super simple. You have basically this huge color wheel there, and you'll see there's like 5 little circles on the color wheel, and there's one with a tiny little triangle. There's one like— yeah, that's your master color. Oh, oh, so you click that one and then put it to whatever color you like for that particular— so I'm gonna go some kind of yellow. Yeah, so I'm something. Now at the top you'll see it says Color Harmony Rule, and there's a downward pull-down menu.


ANNA BRADING. Oh yeah.


CAROLE THERIAULT. So then you can choose what kind of color rule you want to apply. So you can go monochromatic, you can do a triad, and then you can, you know, or you can do squares, and you'll know that all these colors will fit together. Oh, and you can adjust your main color. At the bottom they have like these RGB or whatever scales. They have a number of different scales, CMYK and all of them. And you can then change slightly the hues and the tones and the saturations to get exactly very harmonious color scheme.


ANNA BRADING. Oh, that's great.


GRAHAM CLULEY. Very cool.


ANNA BRADING. Yeah.


CAROLE THERIAULT. And it's totally free. It's— and there's— it's just nice, nice little thing to do if you're doing some kind of decorating. And there's people that have built loads of them, so you can actually go and, you know, scooch around and see what kind of palettes people have built or whatever. So quite fun. And you don't have to log in or anything. You can and then keep, you know, your list of colors. So if you're into art or whatever, you may have a bunch of different schemes that you wanna keep, but otherwise you can just drop in, drop out, and just know you're doing the right thing.


GRAHAM CLULEY. One of the things I see that you can do with this is you can upload an image if there's a color you like in an image. Mm-hmm. And it will show you what colors will go with that image. That's quite handy, isn't it?


ANNA BRADING. Oh, that's clever. Yeah. Yeah.


CAROLE THERIAULT. That's a much better way to do your room. Find a really nice piece of art and then make your room work around the art. That's what I say. So guys, you can find it at color, spelled American-style, .adobe.com. And that is my pick of the week.


GRAHAM CLULEY. Marvelous. Well, that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


ANNA BRADING. I'm on Twitter @AnnaBrading.


GRAHAM CLULEY. Simple as that. Thank you so much for coming on the show. And don't forget, folks, you can also follow us on Twitter @SmashinSecurity, no G, which allows us to have G, and we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. A big shout out to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 266 episodes, check us on SmashingSecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


ANNA BRADING. Bye-bye.


CAROLE THERIAULT. I said bye like you before you said it.


ANNA BRADING. Ah, bye-bye. Bye-bye.


GRAHAM CLULEY. Bye-bye.


ANNA BRADING. I've just also worked out that it's hurdle, not hurdle, which is what I've been calling it all day. So thank you, Graham, for correcting me there. Nurdle.


CAROLE THERIAULT. Yeah, hurdle. Murdle.


GRAHAM CLULEY. Murdle. Murdle. Nurdle.


ANNA BRADING. Nurdle.


CAROLE THERIAULT. Don't talk about yourself that way, Granny.

-- TRANSCRIPT ENDS --