This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
I'd put Dave in drag at some sort of bar close to your house.
Carole Theriault
Right.
Graham Cluley
See if he could lure, so he could be a sort of agent provocateur.
Carole Theriault
Yeah, because Dave and I look very different from each other, so you know, that might work.
Dave Bittner
Well, especially if I was in drag, I look very different from you. But I would add irresistible.
Unknown
Smashing Security, Episode 282: Raising Money Through Ransomware, China's Mega Leak, and Hackers for Hire with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 282. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week on the show, Carole, we are joined by CyberWire's Dave Bittner. Hello.
Dave Bittner
Nice to be back. Thank you for inviting me. Always fun to join you. Pleasure is mine.
Carole Theriault
Exactly. We're so glad to have you here.
Dave Bittner
It's an honor and a privilege.
Carole Theriault
How about we thank this week's sponsor, Bitwarden? It's support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
Graham Cluley
I'm going to be explaining how to make money from a ransomware infection.
Carole Theriault
Okay, great. What about you, Dave?
Dave Bittner
I've got the story of upward of a billion records being released on the dark web.
Carole Theriault
Oh God, it's going to be a fun show. And I'm delving into the murky world of digital mercenaries. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, I want you to cast your mind back to Christmas 2019, those innocent, heady days. The snow is falling, the bells are jingle-jangling. Yes. Before lockdown, there was some sort of news about bad things going on in China, but we thought, that's a long way away from us. It's never going to reach us.
Carole Theriault
Well, you did. You thought that.
Graham Cluley
Yeah, right.
Carole Theriault
Despite me telling you repeatedly. Yes, we have that on record, I think, as well.
Graham Cluley
And when you think about Christmas, I don't know about you, but I sort of think of European Christmas markets going around, having a little tangerine with a candle sticking out the top, the smell of cinnamon.
Carole Theriault
Mulled wine.
Graham Cluley
Yes. Santa hats. It's a wonderful thing. Maybe you'd go somewhere like Maastricht in the Netherlands. Would you enjoy that? Ever been to Maastricht?
Carole Theriault
No.
Graham Cluley
No, nor me.
Dave Bittner
Can't say I've had the pleasure.
Graham Cluley
I'm sure it's lovely. And on the 23rd of December, 2019, the University of Maastricht was hit by a ransomware attack. The buggers had waited until just before Christmas before unleashing their attack, the Clop ransomware. I love that, Clop. I do, I do. There is something about me which quite likes the Clop ransomware purely from its name. Whereas you get some ransomware which has really sort of macho names, you know, sort of darkness or black matter and all those sort of things. I think something which sounds a little bit like you dropping off kids at the swimming pool. The sound of a clop, I think, is rather good. But of course, it's not that pleasant. It's not as pleasurable as what I'm describing, because the Clop ransomware was deployed to 267 Windows servers at Maastricht University and encrypted all their files and demanded a ransom be paid for their recovery.
Carole Theriault
So same old, same old so far.
Graham Cluley
Yeah, same old, same old. Well, there's— No such thing as a good time for an organisation to be hit by a cyberattack. And the Christmas holidays pose a particular challenge. Many staff had to change their plans. They decided to come in rather than hang out with their families over the Christmas season.
Carole Theriault
Actually, we have to remember— yeah, I was just going to say, we have to remember that we've all gone through that now. But back in 2019, this was a brand new thing. You would have felt very put upon the fact that you wouldn't be able to leave and go see your family, wouldn't you?
Graham Cluley
Well, I think some people, if you've got the prospect of being trapped with your family between Christmas and New Year, they'd actually, oh, problem in the office? Yeah. Oh dear, oh dear, what a shame. Yes, I'll definitely come in. I'm very keen.
Carole Theriault
Line me up. Triple pay, I'm there.
Dave Bittner
Yeah.
Graham Cluley
So as many as 200 employees apparently from University of Maastricht, they came in. They didn't spend their Christmas holidays snoozing on the sofa watching movie repeats. They worked instead. And everyone was pulling together to try to get ready for the return of 19,000 students who were due to show up at the university on the 6th of January.
Carole Theriault
I wonder if their bosses gave them a roast dinner in a can or Christmas dinner in a can or something just to help them celebrate a little bit.
Graham Cluley
I'm sure they would have done. They would come round with a trolley, wouldn't they, and handed out something.
Dave Bittner
A tray of processed meats and cheeses and crackers.
Graham Cluley
Yeah, it would be. I'm sure they would have done that. Now, the obvious question arose, should the university pay the ransom or not? And they concluded that they should. They said, our decision— well, they said their decision was entirely focused on the interests of the students, the staff, and the institution. They said, obviously, we don't like paying the bad guys, but students will suffer. You know, they had little idea as to how students were going to suffer just a few months later because of the pandemic, but they thought, "Students are gonna suffer. We're not gonna be able to educate them easily with all this ransomware around."
Carole Theriault
It's locked up our servers, so we're gonna pay the money. We should clarify though, when you say they obviously encrypted their files, they also had access to their files presumably as well, right? Because they encrypted them. So all that information in there, do you know if it was PII stuff? I don't know. I don't know. It certainly locked up the computers.
Dave Bittner
And back in 2019, were they doing the double extortion yet? I'm trying to remember when that kicked in, right? Were they threatening to put the information out there in public, or have we not crossed that path, crossed that threshold yet?
Graham Cluley
Certainly not as popular as it is today as a technique. I think we can safely say that. So the university, they paid €200,000, $220,000, in the form of a cryptocurrency ransom. Nice little earner, nice Christmas present for the hackers. And so the university got the decryptor, was able to bring the students back, welcome them back on the 6th of January, conducted their exams for the kids, more or less as planned, little or no irreparable damage. Huzzah, huzzah, huzzah. And you can read about this at the time. And actually, I think the university did a really good job. You can watch a presentation they gave all about what had happened. They were very transparent. They worked with a Dutch cybersecurity firm called Fox IT, who are very good. It was a really great example of how to handle it. Although some people won't have liked that the ransom was actually paid.
Carole Theriault
Although they were paid.
Graham Cluley
Exactly. And some people don't like that.
Carole Theriault
Yeah, I don't like that.
Graham Cluley
You don't like that.
Dave Bittner
Okay. All right.
Graham Cluley
Yeah. Well, who needs an education, right? That's what you're thinking. Yeah. Oh. Now, of course, the story doesn't end with the payment of the ransom. Because a crime had been committed. And the cops would love to collar those responsible. As well as the university, they want to know as well. And it was the following year in 2020 when investigators managed to track down some of the cryptocurrency. It was sitting in the crypto wallet of a Ukrainian money launderer.
Carole Theriault
So, okay, I'm going to guess what happened.
Graham Cluley
Well, well, well.
Carole Theriault
Because it's still in the crypto wallet now.
Graham Cluley
Well, let's come to that. So when they found it in this cryptocurrency wallet, there was only about $40,000. So it's a fifth of the total money that the University of Maastricht had paid, but it was something at least. So they got the wallet frozen. So the bad guys couldn't access it, so it wasn't possible for them to take any of that money out, and they initiated legal processes to try and see how they could actually get the money returned to them so they could do something with it. But since 2020, what's happened is that the price of bitcoin has not remained static. In fact, according to the university, although it was only worth $40,000 when they froze it, it now contains over $500,000. I know bitcoin prices have fallen in the last couple of months, but certainly—
Dave Bittner
That's what I was going to say. So is it $5 now?
Graham Cluley
Well, that's the thing. It's gone down from its height. But according to Maastricht University, they say there is currently $500,000 in there, which means— because remember, they spent about $200,000. So it means, although they could have spent £200,000 on their students and facilities back in late 2019, they've now more than doubled their money, if they can get their hands on it. So rather than keeping it in the bank and gaining some meagre interest, they've actually got cybercriminals to hold on to their money. And it might be one of the best investments they've ever made. Because currently it's $500,000. So if they're right about these numbers, and obviously they may have goofed, but if they're right about these numbers, then they could have made a great deal of money. And talking of successful crypto investments, there's also another fascinating story on Kaspersky's blog. I don't know if you read Kaspersky's blog. No one's buying their software anymore, so you might as well read their articles. And Kaspersky's blog— they talk about a scam which is going on on YouTube at the moment. They say that there is a fake cryptocurrency exchange website and word is spreading on YouTube in the form of videos and comments saying that people are saying that this cryptocurrency exchange website has a bug on it. The claim that's being made is that this particular exchange site has a vanishing decimal point bug or a bug in the exchange rate, which means that if you give them money, if you put money into the wallet on this exchange site, you can get more than 10 times your money back if you follow their instructions.
Dave Bittner
Well, sign me up.
Graham Cluley
Right, exactly. So they're using this idea of vulnerabilities, which we're hearing about all the time, and bugs in crypto sites, which we hear about all the time, saying, hey, quick, act fast. And the fraudsters are using bots to post comments which are full of thanks and gratitude for the inside knowledge and say, oh, thank you so much. I've used this and it definitely works. And the bots are all sort of liking and upvoting each other's comments so that they appear higher and higher on the cryptocurrency videos, which they're— difficult to find.
Carole Theriault
It's just such a cesspit of shit, isn't it? It's just— God.
Dave Bittner
So getting back to the story about the university, though, if – so here's something I'm curious about. So suppose the university pays, what was it, say €200,000 in cryptocurrency. So suppose they catch the bad guys and they say to the bad guys, you must pay restitution to this university. Are the bad guys responsible to pay the €200,000, or are they responsible to return the same number of bitcoin that was sent to them?
Carole Theriault
Well, because they paid in bitcoin.
Graham Cluley
I mean, they paid in bitcoin. Yeah, exactly.
Dave Bittner
Right. Right. What I'm getting to here is, does the university either take the loss or the windfall depending on the direction that bitcoin goes, or could they get their, the original value back of what they had paid? I'm not sure how you would go after them, how the law enforcement folks would go after them.
Carole Theriault
Yeah, do they take the cream on the top or just go to law enforcement? We'll just take the rest.
Graham Cluley
I would certainly imagine that Maastricht University would ask for more than the ransom to be returned to them because of course they had other costs as well. So even with the $500,000, although that's a nice bump, it won't actually cover all of their costs. Yes, it won't cover all of the other costs which may have occurred. But yeah, it's interesting. And I think we've seen cases before where law enforcement authorities have sort of frozen cryptocurrency wallets or had money transferred to them while it's decided where it ends up. And in the meantime, have made quite a pretty packet. And it's all kinds of opportunities there for some corruption, isn't there? Especially in the dizzyingly complex world of cryptocurrency, which not many of us understand as to where money could be squirreled away.
Dave Bittner
It's fascinating to me how one of the selling points that the fans of cryptocurrency will claim is how it is out of reach of regulation and, you know, it operates in its own little world. And that seems to be true right up until the moment when it's not – right? And law enforcement can, as you say in your story here, they are able to freeze it. And so how are they able to do that? I think at the outset, that's probably something that the folks who came up with a lot of these cryptocurrencies thought they were out of reach of law enforcement, and that was one of the benefits. But that's proven to not be true.
Graham Cluley
And we've seen cases like Colonial Pipeline, where money was stopped from getting to the bad guys. And of course, I don't know if you're aware of this, but criminals aren't entirely trustworthy. So it may be that if more than one person is involved, in a particular criminal activity, they may choose to blab a little bit, mightn't they, to the authority sometimes? Yeah. Not release your data. You just can't get an honest criminal these days. You can't trust them.
Dave Bittner
There is no honor among thieves these days. Yeah, it's true.
Graham Cluley
Dave, what story have you got for us this week?
Dave Bittner
So over the weekend, the folks at security company Binance, they posted on Twitter that their Threat Intelligence had detected a billion resident records for sale on the dark web. They're saying it was likely due to a bug in an Elasticsearch deployment by a government agency. So these are records of citizens in China. Oh my goodness. And it includes names, addresses, their national ID, mobile, but very interesting police and medical records. So a lot of personal information. This could be one of the biggest breaches in history. Although interesting that it's— and I'm curious what your take on this, the two of you, because do we consider this to be a breach if it is the result of a misconfiguration? As they're saying that someone messed up doing this Elasticsearch database deployment and left things available online, if someone stumbles across that, is that a breach? Is this a distinction without a difference? What do you think?
Graham Cluley
I think it is a breach, but I think you have to assume that there's been a failure of security and the privacy of that data has been breached in some way. It's no longer confidential. Over a billion, you said?
Dave Bittner
Mm-hmm. Over a billion records.
Graham Cluley
I mean, China has about, what is it? It's about 1.5 billion people, I think, live in— It's an astonishing number really, isn't it?
Dave Bittner
It is. It's hard to imagine. And they're saying that this is most likely from the Shanghai National Police. And you too can purchase this data for about $200,000 on the dark web.
Carole Theriault
What's interesting about this for me is I know that China has a really good method for getting all the information pieces from all the different governments and agencies that run into one big pot, right? So that you have— then that's why this is quite interesting. So you have all the medical records, the police information, the mobile, the national ID. You have everything about a person.
Graham Cluley
In a way, it's the communist ideal though, isn't it? It should be that everyone gets treated exactly the same. So if one person's going to get breached, why not breach every single person in the country? You know, it would be unfair if only some people got that benefit.
Dave Bittner
Yeah. Now, the Wall Street Journal has done some follow-up on this story. They've actually spot-checked a few of the names by calling some of the people whose phone numbers appear in the records that are available, and they check out. So at least the people that they've called, it seems to be authentic. I don't know. I don't know what you do with this. I mean, it would— A billion records. How do you even come at that?
Carole Theriault
And I was just thinking in my head, what you do is the government buys it back, right? But then I come back to Graham's story where I said you should never pay. Damn you! Damn you!
Graham Cluley
It's a thing— the government should buy it with a little bit in the contract saying you agree not to sell it to anybody else. Yes! Because I can see how this could be weaponized. I mean, okay, you may not want to target a billion people. But if there are particular individuals in China you wanted to target, if you know their name and address, well, now you know their mobile number as well. And so you could target some spyware against them, for instance.
Carole Theriault
But also, you could also probably go through it and go look for the word cancer in the medical records, target them with one attack.
Dave Bittner
Venereal disease.
Graham Cluley
Sorry, Dave, why are you mentioning that?
Dave Bittner
Sorry, it's my Tourette's.
Graham Cluley
No, Carole, what have you got for us this week?
Carole Theriault
Well, perfect segue, because I want you guys to imagine that you're two private dicks. I'm sorry, what? And you have been hired by me because I want dirt on my husband because I think he's been stepping out on me. But when I ask, you know, he's blank-faced and reassuring. So as private detectives, what tactics might you employ to find out whether he's— Hang on.
Graham Cluley
First of all, can I just establish which one of us is the cool, handsome one and which one of us is the bumbling oaf?
Carole Theriault
That'll all come out in the wash.
Graham Cluley
Okay, all right, okay. So— I'm thinking Cagney and Lacey or Dempsey and Makepeace or something like that is the scenario I'm thinking. Okay, so what tactics are we going to use to spy on your partner.
Carole Theriault
Yeah, because I want, you know, I want to find out whether he's mashing his face up against someone else's chest or something, right? So I want to know.
Graham Cluley
Yeah. Well, first thing I'd do is I'd put Dave in drag at some sort of bar close to your house, right? See if he could lure— so he could be a sort of agent provocateur.
Carole Theriault
Yeah, because Dave and I look very different from each other, so, you know, that might work.
Dave Bittner
Well, especially if I was in drag. I look very different from you. But I would add irresistible. So it would be a good honeypot there to try to catch him for sure.
Graham Cluley
We could hack into his email or his social media. We could plant a tracking device on his car, maybe.
Dave Bittner
Yes, that's what I was going to say. The real, the sexy one these days is stick an Apple AirTag on him.
Carole Theriault
Right. Okay, so you guys would definitely consider hacking him to find out. So you might look for a hacker for hire, for example. Interesting, because that's what we're going to talk about, because Reuters issued last week a long-form investigative piece all about hackers for hire or digital mercenaries, because they got their mitts on a treasure trove of more than 80,000 emails sent by an Indian hacker-for-hire company over a 7-year period. These emails were sent, and Reuters and a few security companies including Google and Amazon combed through these emails to come up with a few interesting little tidbits. Before we get in, so who are these hacker-for-hire folks, right? One key characteristic is that they're people, obviously, who are experts in compromising accounts in order to exfiltrate data. And they do this as a service for someone else, a bit like you bring your car to the mechanic when something is awry, right? Because your mechanic is an expert in this stuff and experienced. So the same goes for hackers for hire. Why, you know, why let lack of skill stop you from hacking somebody? And of course there's different types of hackers, right? So you have individuals and organizations, so some are openly marketing their services to anyone who pays up. And I don't know how that exists. Is it 'cause we just don't know where they are? But you know, they can go out and go, come to us. We'll do it for whatever, $100, and we'll hack whoever's account that you want us to. We don't care.
Dave Bittner
Yeah, I would think it would have to be that way because otherwise you're gonna— well, certainly here in the States, you're gonna run afoul of the Computer Fraud and Abuse Act.
Carole Theriault
Right, but you know, is anyone even looking at these things? I wonder, because there's so many of them. And of course you have others that stay totally under the radar and they only sell their services to limited audiences. And according to the report, there's a crazy hacker-for-hire structure. So they work with third parties, generally private investigation services, which act as a proxy between the customer and the threat actor. The supply chain gives you less and less privy knowledge, right? So you can kind of just go, I don't know, I don't know where that came from, you'll have to ask Bob. And Bob will go, I don't know, you'll have to ask Rik, and it just goes down the line. So who is typically targeted? So the short answer is, you know, anybody can be targeted because some fee structures are very affordable. So this is where a disgruntled spouse, right, or a family member might want to dig into someone's messages to see what they've been up to. And more common targets for this type of thing, for hackers for hire, are political activists, journalists, human rights activists, and what they dubbed as high-risk users around the world. This is from TechTarget. So it's an interesting word, high-risk users is the word they used.
Dave Bittner
Would that be celebrities? Would a celebrity be a high-risk user?
Carole Theriault
I guess these people tend to be disruptive to a particular geography or people, or they're disruptive because they're telling the truth. Whistleblowers could probably be in there as well.
Graham Cluley
Whistleblowers, you can imagine political activists. I mean, obviously we have seen celebrities hacked in the past, sometimes by newspapers to try and get scoops.
Dave Bittner
Package delivery?
Carole Theriault
And of course there's also, you know, corporate espionage and industrial secrets. Now, thanks to this lengthy investigation headed up by Reuters, it turns out that lawyers and attorneys are now at significant risk because hackers are hired to target them ahead of anticipated lawsuits or during litigation. So they give a number of examples, right? So basically somewhere around two enemy companies bickering about who has the rights to sell here or do X or whatever, or to prove that someone has been colluding with another person or another company or another entity, and that's illegal. There's also, you've been successfully subscribed to YouPorn, which is fantastic. Sexy videos, yes. Or you may want to get a jump on what the other party is going to present in court. And, you know, basically just why not hire a lawyer that hires a private investigation firm that hires a hacker to get the information for you? And then lo and behold, just before you're about to go to court, maybe the data miraculously surfaces on the digital sphere, right, like you were just saying in your story, Dave, where this data is now available for $200 grand, and this rejigs the whole court case. And what's interesting about this is, you know, you may suspect the other side is responsible for the leak, but you can't prove it. Hollywood's Scarlett Johansson's latest leaked sex scandal. So yeah, please find attached the relevant documents. So anyway, very interesting. And they also say, how do they attack their targets? And this is just a very good reminder for all of us because basically it's email phishing, and email phishing and email phishing. It is all about email box compromise and data exfiltration. And that means they don't need malware, they just need social engineering tricks. And that's where this whole treasure trove of emails got so interesting because Reuters shared some of the contents. So do you want to guess at some of the typical subject lines that you might see here?
Graham Cluley
Oh, I'm seeing one here. It says, "Time traveling is possible. American scientists simulate time travel with photons." That would totally get me. I would open that.
Carole Theriault
Yes, of course. Who wouldn't? But they also saw loads targeting law firms, right? So they are in legal eagles. So it was like Forbes issues top powerful lawyers US, or lawyers who lead by example. Wall Street Journal asking about logistics solutions in law practice. So it's almost like, hey, you have a press inquiry.
Dave Bittner
I'm curious, Graham, as a cybersecurity person of some note, does it happen to you quite often or occasionally that people come to you and say, oh, Graham, could you help me get into my spouse's phone? Or, oh, I've lost— we've lost our password. Or do people reach out to you for that kind of service?
Graham Cluley
Several times a week. Yeah, okay. If I could make some money by referring them to this hacking company in India, if I could earn some commission, that'd be terrific. But yes.
Carole Theriault
Do you know, Graham, that's how we became friends, you know? Was it?
Dave Bittner
Very good. Yeah.
Carole Theriault
Yeah. Because remember I had this guy, it was around Valentine's Day and I had somebody sending me all these woo-woo messages.
Graham Cluley
Oh, you had a Romeo, didn't you?
Dave Bittner
Well, I will endeavor to do better than that, as difficult as it may be. So, I will have the story of two-time Academy Award winner, Emma Thompson. Mm.
Graham Cluley
A Romeo chat.
Carole Theriault
That was the email address too. It was Romeo something at Gmail or something like that. Yeah. And I wanted to know who it was. And because they started getting a little bit like, "I don't know if they work here." I thought I knew who it was, and then they kind of indicated that it wasn't that person, and I started freaking out. And then I was like, "I have to go talk to that big-mouth guy." And then look at us now.
Graham Cluley
Look at us now.
Dave Bittner
Hacking brought us together. What a delightful meet-cute story.
Graham Cluley
Yes. And it wasn't me sending you the emails, just to stress that.
Carole Theriault
I never learned. Right.
Dave Bittner
How can I get Carole to come talk to me? I could listen to that. It's very nice.
Carole Theriault
So what can you do? The answer, of course, is things like multifactor authentication, password managers like Bitwarden, for example. But I have one I wanted to ask you guys about actually before we go. So what I think makes email dangerous is that if they got into it, most people have what, decades of email in an address book.
Dave Bittner
I mean, it's not Emma Thompson standing in front of a mirror nice, but it is nice.
Carole Theriault
So would it be smart for people to just clear out everything? I mean, how often do people look at emails that are over a year old? Maybe 1% of the time?
Dave Bittner
It's not James Mason either.
Graham Cluley
Well, I certainly know some of the tabloid newspapers in the UK were very keen to delete some of their old emails because there might be evidence that they've been hiring hacking companies. So, and private investigators.
Carole Theriault
I just wonder whether people should think about exporting those messages if they don't want to, you know, press the delete forever button. They could just put them on a local hard drive and only access them, you know, in a different way and just have a much smaller amount of emails, you know, smaller treasure trove.
Graham Cluley
If you're going to do it, do it in coordination with your IT department because there might be rules and regulations regarding keeping some past messages and things.
Dave Bittner
But it's so easy to be a digital packrat these days because data storage is practically free, certainly when it comes to your email. And if you have Google Drive or something like that, it's so cheap that there's really no bad— there's no downside to just hanging on to things except for exactly what you're saying here, Carole, that it can come back to bite you. So I think the idea of going through quarterly or a couple times a year or even once a year, just pick a date and clear everything out, put it somewhere where it's not available online so it's still there if you need it, but it's not just sitting there in that massive database that is your email account.
Carole Theriault
Exactly, because you may be smart now about security, but were you 10 years ago when you were using email? Just saying. But anyway, good story. It's nice to see the other side, and we're not nice to see it the other side. So be wary out there. It's all about phishing emails. I wonder what's going on with my brain today. Now you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Bitwarden is transparent and secure, using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan. And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com/smashing. Start your free password manager trial today.
Graham Cluley
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Better not be. Well, in stereo, my pick of the week this week is not security-related. Carole, you're a fan of the cat, le chat. By le chat, I don't mean William Shatner, of course. Dave, are you a fan of cats?
Dave Bittner
No, no, I— Oh! No, I don't have anything against cats, but I've never had a cat. I would say I don't have enough— No, I would not. I don't have enough self-confidence to be a cat owner. I really, I need the unconditional love of a dog. I could not face the coming home from a day of work and facing the total indifference of a cat versus the adoration that comes from a dog. I'm a dog person.
Graham Cluley
Yeah. Yeah. If you're married, you're already used to the utter indifference when you come back from work. You don't need a cat as well.
Dave Bittner
Wow.
Graham Cluley
Sorry, am I just speaking personally here?
Dave Bittner
I'm just not going to comment on that.
Graham Cluley
But my pick of the week this week is the work of Franz Dieter Muafidine, who is producing a collection of work which has been described as giant cats disturbing civilization. So what Franz Dieter does on their Instagram account is they take pictures of people's cats and they then Photoshop them so the cats are huge into, I don't know, a Godzilla-style scene in some sort of metropolis. So I'm looking right now at a cat which is sort of perched on its hind legs on a bridge, stopping waves and waves of traffic. Or you might see another one where it's climbed up the Post Office Tower in London. An homage to The Goodies in the 1970s, something like that. And Carole, as you're a cat lover, I thought you might quite like this. I know you don't have a cat at the moment.
Carole Theriault
You're really scraping the barrel on— What do you mean I'm scraping the barrel?
Graham Cluley
No, because if anyone out there— Look, I know 50% of people in the universe either like cats or hate cats. But either way, they know people who do love cats. And so they might want—
Carole Theriault
Because there's not enough cats on the internet.
Graham Cluley
Here's yet another way. Because Franz Dieter will take your picture of your cat. Oh, and we'll turn it into a giant cat.
Carole Theriault
Will she? Will she do that with my, my now dead cat if I sent her a pretty picture?
Graham Cluley
For about $10, they will.
Carole Theriault
Will you do it for me as my friend?
Graham Cluley
Oh, what, you're not prepared to pay $10 for this? You're not that interested in it? Got a birthday coming up? Yeah, yeah, right. Anyway, I think you might want to go and check out their work. I will put some links in the show notes. Carole, you need to check it out as well because then maybe you'll actually be convinced as to the rather cool nature of some of this. And that is why that is my pick of the week. Yeah, Dave, what's your pick of the week? And try and make it better than my— I was going to say pussy action, but it just felt wrong. Did it feel wrong?
Carole Theriault
Did it? It did.
Graham Cluley
That's why I haven't said it.
Graham Cluley
Oh, love Emma.
Dave Bittner
I love Emma too. We all love Emma, I think. Doesn't everyone love Emma?
Carole Theriault
Everyone loves Emma.
Dave Bittner
Wouldn't you love to have her as a friend? Don't you think she'd be just— So much fun to hang out with. She's funny. She's charming. She's smart. She is sexy. Yes. Yes.
Carole Theriault
She's all things. She is just the whole package. So she just came out with a new movie. It's on Hulu. It's called Good Luck to You, Leo Grande. I was just gonna say, you wouldn't kick him out of bed for eating crackers, would you? No, you—
Dave Bittner
No, you would not. No, you would not. And this— it's just a delightful movie. It is funny, it is serious, it is sad, it is sexy. Of course, Emma is fabulous, and the range of emotions that she takes us through, the interpersonal relationship of these two as they get introduced to each other, as they get to know each other, the evolution of their intimacy— it's really delightful. I enjoyed it very much. And of course, you know, watching Emma Thompson do anything is time well spent. So I highly recommend it. Not for kids. It is a little bit sexy, but for the grownups in the audience, check it out.
Graham Cluley
There's a little bit of nudity I heard, I think, in this movie. Would that be correct? There is. There is.
Dave Bittner
And actually, you know, it's an interesting thing because Emma Thompson is being lauded for her bravery of the amount of nudity. Yes. No longer being a spring chicken, she's getting a lot of credit for the nudity. And I don't know how I feel about that in that it seems to me a shame that that needs to be something that someone's brave about. I mean, so— Well, she's not 20.
Graham Cluley
Does Darryl McCormack get his tackle out? He does. He does. I would be much more worried about— Yes, I think I'd find that rather unnerving to get that out on camera, I think.
Carole Theriault
Not if you look like Darryl McCormack, Graham.
Graham Cluley
No. Yeah. It's true.
Carole Theriault
There was a New York Times article featuring Emma Thompson about this whole movie, and she said it was the scariest bit of her life. There's apparently a scene where she has to stand naked in front of a mirror for a while. And she said that was the hardest thing she ever had to do in her whole acting career.
Graham Cluley
I have to do that most mornings. Terrifies me.
Carole Theriault
Are you doing that on YouTube though, as a livestream? Only for Patreon supporters.
Graham Cluley
Oh, God.
Carole Theriault
That explains the numbers.
Dave Bittner
But it's all handled in a very delightful way, and it's one of those films you— This could be a play. It's shot as if it's a play. It's really just the two of them in the hotel room together, but it's funny, and it's moving, and it's touching. So, that is why Good Luck to You, Leo Grande is my Pick of the Week.
Graham Cluley
Beautiful. Terrific. Sounds great. Carole, what's your Pick of the Week?
Carole Theriault
My Pick of the Week is a twofer. So number one is a podcast, now not an audio drama. So in fact, Graham, Dave, I think actually you both might like this one despite the name, because it is called This Is Love, created by Lauren Spohrer and Phoebe Judge. Now Phoebe Judge, do either of you— does that ring a bell for either of you?
Graham Cluley
Yeah, you've mentioned her before. How do I know her?
Carole Theriault
So she's the host. She also hosts another podcast called Criminal, and I think she does a story at bedtime or something. I don't remember the exact name of that one, but I'll argue she has one of the greatest radio voices I've heard. So I've put a link in the show notes so you guys can have a listen and see what you think.
Graham Cluley
That's pretty strong down the gauntlet when we have Dave Bittner on the show, Carole.
Carole Theriault
Well, Dave, I think you'd agree. I think he'd agree. [Unknown voice speaking] There's an anthropologist named Dr. Helen Fisher. She studies love. She's been at it for more than 40 years. And she says love is very simple. She said timing is important. Proximity is important. Wow. No, definitely not James Mason. So this podcast, This Is Love, okay, it's a bunch of vignettes or stories, and the stories are peppered with little interviews, and they're all about communing. Mystery is important. She tries to understand what it means to be in love. [End of unknown voice] So it's not just lovers. There's, of course, stories of lovers, but there's also people that become friends or connecting with the world or family members. It's kind of just on the border of Fromageville or Cheesetown without stepping over the line.
Graham Cluley
Are they places in Canada?
Carole Theriault
Yes, that's right. So it's where we get our poutine from. And it's perfect for when you're maybe walking the dog or you need a little story before bedtime. And you don't want your brain to go into a tailspin afterwards. So the podcast is called This Is Love, and you can find it wherever you get your podcasts. It's great. But I said I was sneaking in another pick of the week. Well, on one of these episodes— yes, it's an episode called Cain's Jawbone. Does that ring a bell to either of you, that term? Oh, Cain's Jawbone.
Dave Bittner
Yes. Don't look it up, Graham.
Graham Cluley
No, no, no, I can't remember. Now this does ring I think we've talked about this maybe before.
Carole Theriault
Okay. Detective book written in 1932. And its big thing is that all the pages are out of order. And your job is to put the 100 pages in the right order and find out who the killer is or are. And if you do, you are to send the information to the publisher. And only 3 people are known to have solved it.
Graham Cluley
Only 3 people could be asked. Gotta have a gimmick.
Carole Theriault
It kind of fell out of publication or kind of favor, but it got revived. Surprise. Thanks to TikTok. Can't imagine why. And I learned all about it on This Is Love, because there's an episode called Cain's Jawbone, and it's fascinating. And I'm buying the book for my husband because that's something he's good at. He's gonna crack this before he dies.
Graham Cluley
Is he gonna have to tear the pages out of the book?
Carole Theriault
Yes, they have— apparently, it's the only way. They're not perforated anymore, but they, you know, but they have little lines. I just think PDF, right? We need a PDF of this because then you just print it out.
Dave Bittner
I find it fascinating that you're buying this for someone else to solve. Typical.
Carole Theriault
Graham, you can totally— you totally see that he has the right brain. Apparently there's loads of cryptic crossword clues in it as well, right? It's totally for his kind of brain. 100%. I think he'd love it. I love it. So that's my double pick of the week, and I'll let you guys know how I get on once he receives it, see if he, you know, kicks his heels together. Terrific. Well, that just about wraps up the show for this week.
Dave Bittner
Well, you can find me on Twitter. It's @Bittner, B-I-T-T-N-E-R, and everything else is over at thecyberwire.com. Marvelous.
Graham Cluley
And you can follow us on Twitter @SmashingSecurity, no G, Twitter and LastPass have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Google Podcasts, or Spotify.
Carole Theriault
And a huge, huge thank you to this episode's sponsor, Bitwarden, and to our wonderful Patreon community. Idiots. Thanks to them all, this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 281 episodes, check out smashingsecurity.com. Until next time. Cheerio. Bye bye.
Dave Bittner
Bye bye.
Graham Cluley
Bird is a word.
Carole Theriault
That's what I normally have to listen. than two people.
Dave Bittner
No. I saw the Elvis movie over the weekend, by the way.
Graham Cluley
Oh really? Now tell me about that. It's all right. It's a bit long and a bit— and it's a bit, a bit of a mess, but I Baz Luhrmann as a director.
EPISODE DESCRIPTION:
A hacked university might have made a profit after paying a cryptocurrency ransom, China suffers possibly the biggest data breach in history, and Reuters investigates digital mercenaries.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.
Warning: This podcast may contain nuts, adult themes, and rude language.
Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!