295: Slushygate, sextortion, and nano-targeting

What is slushygate and how does it link to sextortion in the States? What is the most impersonated brand when it comes to delivering phishing emails?  And what the flip is nano-targeting?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by fan favourite Maria Varmazis.

Warning: This podcast may contain nuts, adult themes, and rude language.

No contortionists were hurt during the making of this episode.

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Sealit - Zero Trust Data Protection: protect, share, and monitor confidential emails and files - without passwords. Integrated with Gmail, Outlook, and file systems. Learn more and take advantage of Sealit's special offer to "Smashing Security" listeners.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. All right, these weren't brand new recruits.


CAROLE THERIAULT. Yeah, no, Maria, calm down.


MARIA VARMAZIS. Calm down, Jesus Christ.


CAROLE THERIAULT. Okay, yeah, calm the fuck down.


GRAHAM CLULEY. What is going on this week?


CAROLE THERIAULT. Well, Maria and I are having a great time.


UNKNOWN. Smashing Security. Security Episode 295: Slushygate, Sextortion, and Nanotargeting with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 295. My name's Graham Cluley.


CAROLE THERIAULT. 295. I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we've got a special guest, someone returning to the show this week. It is dot dot dot dot dot dot dot.


CAROLE THERIAULT. Maria Varmazis!


GRAHAM CLULEY. Hi!


MARIA VARMAZIS. Hi everyone.


GRAHAM CLULEY. Hi Maria, space correspondent on the CyberWire, of course, but I like to think that we discovered you. You didn't exist before you came on the Smashing Security podcast. Would that be fair to say?


MARIA VARMAZIS. I was but a fetus. I was just, yes, I was just a little fetus in the podcast world. Yes. Uh, well, I mean, yeah, actually you did discover me, so thank you for that. That's, that's not a lie. Yeah.


CAROLE THERIAULT. Well done, Graham.


MARIA VARMAZIS. That's pretty true actually.


GRAHAM CLULEY. Yeah.


MARIA VARMAZIS. I've started doing the, working on the CyberWire as their space correspondent, which is really cool. And last week I got to speak to some students at Amherst College. About cybersecurity, and, uh, the reason I was invited there was because of this show. So because they've heard me on Smashing Security, so if your ears were burning last week, I was talking about the two of you quite a bit and how much I love you both.


CAROLE THERIAULT. Ah, it galls me a little bit because I do a little work for the CyberWire, right? And I'm UK correspondent, and she's in charge of the entire space.


GRAHAM CLULEY. Infinity of space.


MARIA VARMAZIS. All of space and time.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I'm in her vortex. I'm within her realm. She must be my uber leader.


MARIA VARMAZIS. Yeah, they haven't made me the space and time correspondent yet, but I'm working on the time one.


GRAHAM CLULEY. Only a matter of, well, time, I suppose.


MARIA VARMAZIS. Meet me on Gallifrey.


CAROLE THERIAULT. Ha ha ha. Before we kick off, let's thank this week's sponsors, Bitwarden, Sealit, and Kolide. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Oh, I'm going to be getting slushy this week.


CAROLE THERIAULT. Okay, and what about you, Maria?


MARIA VARMAZIS. We're going to be talking about phishing.


CAROLE THERIAULT. And I will be asking, what the flip is nanotargeting? All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, have either of you ever been to Louisville in Kentucky?


MARIA VARMAZIS. I have. Louisville, yes.


GRAHAM CLULEY. Oh, is it Louisville, not Louis—


MARIA VARMAZIS. I am not a native of the area, but my understanding is it's preferred as Louisville, but that may be pretentious and I could be wrong. So I don't know.


GRAHAM CLULEY. So confused because you get meet me in St. Louis.


MARIA VARMAZIS. That's a different place.


GRAHAM CLULEY. I know it's a different place, but I mean, what's going on? Anyway, in August 2018, something strange was happening in Louisville, Kentucky. It's known for Muhammad Ali and it's the home of Kentucky Fried Chicken, of course.


CAROLE THERIAULT. KFC now, please. Thank you.


GRAHAM CLULEY. That was about to become notorious for something else because people were calling up the cops. They were calling up the police and said they had a complaint. They said, oh, I've been attacked in an unusual way.


CAROLE THERIAULT. What?


MARIA VARMAZIS. Attacked in an unusual way?


GRAHAM CLULEY. In an unusual way. So let me explain what was going on. For just over a year, from August 2018 onwards, two people were driving around Louisville pretending to be Louisville Metro Police officers. So they had all the gear, they were sort of disguised, they had the uniforms, they had the guns. They had the donuts.


CAROLE THERIAULT. They were not cops, presumably.


GRAHAM CLULEY. They had— Carole, don't ruin the story. They had the— That'll get edited out.


MARIA VARMAZIS. She anticipated your denouement.


GRAHAM CLULEY. You're ruining my big reveal. They had all the gear, they had the uniforms, they had the guns, they had the donuts, they had the police radio, and they had beverages. Large beverages.


CAROLE THERIAULT. Is that like a euphemism?


MARIA VARMAZIS. Are these like Big Gulps?


GRAHAM CLULEY. That sounds like a euphemism.


MARIA VARMAZIS. It could be.


GRAHAM CLULEY. Up and down.


CAROLE THERIAULT. They have also Mega Gulps, just saying.


GRAHAM CLULEY. Okay, you'd know. Up and down they would drive, looking for targets on the sidewalk or near the street. When they thought they'd identified someone, they'd pull out their police radios and they'd say, we got 10-4. We got a problem in Houston. Eagle has landed. Someone's thirsty on the sidewalk, or we've got a thirsty fam situation. And do you know what they'd do then? They would throw their slushie, including the container, at the member of the public.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Yeah, the drink would get thrown out of the car at these people. Sometimes it would actually be a car behind them. They may be in a convoy, right? So the first one would go, "Shut up, shut up, shut up, shut up, shut up. Got someone thirsty on the street." And then the following car would actually throw out the slushie.


CAROLE THERIAULT. And I'm not allowed to ask you whether these guys are legitimate cops or not?


GRAHAM CLULEY. It's a very good question. Who are these guys?


CAROLE THERIAULT. Oh, right. Now I could ask, who are these folks?


GRAHAM CLULEY. Well, they're not driving marked police cars, but it may surprise you to discover that they were actually policemen. And what's more, they were policemen who were also filming the assaults on their phones. And sharing it with their mates. So more than 40 of these videos existed of policemen, not young policemen.


CAROLE THERIAULT. So they were in like their bona fide cop cars with their bona fide guns and bona fide—


GRAHAM CLULEY. For some reason they were unmarked policemen.


MARIA VARMAZIS. But they were not in uniform.


GRAHAM CLULEY. No.


CAROLE THERIAULT. Well, they were wearing their— Yeah, were they wearing their uniforms?


GRAHAM CLULEY. But they were in their uniform and they had all the gear and they had their police radios.


CAROLE THERIAULT. And their guns.


GRAHAM CLULEY. They'd turn up to people. And the guns and everything else that police people carry in the United States.


MARIA VARMAZIS. Did they skip that day of training where they're not supposed to do that?


GRAHAM CLULEY. Or, I don't know.


CAROLE THERIAULT. Look, and there's a worker shortage, right? So maybe training's being skipped through really quick.


GRAHAM CLULEY. There's also a level of research which one does when compiling a story for Smashing Security, which—


CAROLE THERIAULT. Well, speak for yourself. Speak for yourself. Speak for yourself.


GRAHAM CLULEY. Anyway, so they were filming these things and they were sharing them with their cop buddies as well. And you might think these would be— Yeah, so they were being dicks. They were being dicks.


CAROLE THERIAULT. Okay, I'm making sure I understand that these guys, they were doing this— Were they— Can you tell me this? Because I don't know about how your level of research— Were they doing this during work hours or was this just a bit of fun on the side?


MARIA VARMAZIS. What was the weather like the days they were doing this? What was the music on their car radio?


GRAHAM CLULEY. All right, calm down. These weren't brand new recruits.


CAROLE THERIAULT. Yeah, no, Maria, calm down.


MARIA VARMAZIS. Everybody calm down, Jesus Christ. Okay, yep.


GRAHAM CLULEY. Alright. Alright.


MARIA VARMAZIS. Cool. I'm just very excited.


CAROLE THERIAULT. Calm the fuck down.


GRAHAM CLULEY. What is going on this week?


CAROLE THERIAULT. Well, Maria and I are having a great time.


MARIA VARMAZIS. Well, I'm having a blast.


GRAHAM CLULEY. Now you might think, oh, these must be new cops. These have been new cops who've been given new guns and new cars and new orders about throwing slushies out of the car at people in the street. No.


CAROLE THERIAULT. That's not what I was thinking, but—


MARIA VARMAZIS. Just throw those drinks. It's part of your job now.


GRAHAM CLULEY. But one of these policemen was 40 years old and had spent 20 years in the Air Force. He'd done tours of duty in Iraq and Kyrgyzstan. I don't know if those are places where you throw out slushies at people or not. The other was in his mid-30s. So they were actual cops. And it turns out this isn't the kind of thing which the Louisville police in Kentucky think is a good way to go.


CAROLE THERIAULT. Shut the front door.


GRAHAM CLULEY. I know, it's a surprise. It's a surprise, 'cause all they were doing was helping people. Occasionally—


CAROLE THERIAULT. Yeah, people were dehydrated on the street and they were parched.


GRAHAM CLULEY. And let's face it, accidents happen. I remember doing cybersecurity conferences in the past. I remember being on the trade show floor, you know where they have all the booths. And this was back in the day when we had actual hard boxes full of software, right, containing multiple floppy disks. And they were pretty chunky kind of things. And I remember, you know, having a little competition with people in the audience and there'd be someone, you know, probably quite a few meters back who'd put up their hand and answer the question. And I would throw a box through the air and boom, it would go into their eye, giving them a black eye. I figure, I figure, look, if you're gonna come to a cybersecurity event, you're gonna get hurt. Maybe if you're walking the street in Louisville and a police car comes by, expect a slushie in your gob. It may happen.


MARIA VARMAZIS. Yeah, but usually when you get hurt at a cybersecurity conference, it's you've had too much to imbibe. Or maybe your feet are tired from a lot of walking. Something like that. Yeah. Not usually ransomware to the arm.


CAROLE THERIAULT. Or Graham's hurling rocks at you. Yeah. Can you imagine? It'd be like a boomerang, a floppy disk.


GRAHAM CLULEY. Woo, woo, woo, woo, woo, woo, woo, woo! The thing is, thing is, I don't think you realise just quite how heavy these software boxes were. Because when I worked at Dr. Solomon's, we basically produced something which looked like a hardback encyclopedia.


MARIA VARMAZIS. Yeah, those things used to be quite big.


GRAHAM CLULEY. It was hard.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. It had sharp edges. Yeah. So it was—


MARIA VARMAZIS. Okay, how many discs were in that box though? How many? Oh, phew.


GRAHAM CLULEY. By the end, it was probably about half a dozen if we were on 3.5-inch. Yeah. Anyway, listen, listen, listen, listen.


CAROLE THERIAULT. Oh, sorry, I fell asleep there.


GRAHAM CLULEY. It turned out, it turned out, whoever's in charge of the cops in Louisville thought this was a bad thing. And so these cops were suspended for what they did. They were told, "You can't do that. We're gonna have to investigate this." Yes.


CAROLE THERIAULT. Oh yes, suspend them.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yes.


MARIA VARMAZIS. With pay, of course.


GRAHAM CLULEY. And they, well, they weren't allowed to be cops anymore. They were told, "No, no, no, you can't carry on doing this. You're gonna have to leave. And we'll investigate this, you know, whether you've, whether there's anything, any federal charges about throwing beverages at pedestrians out of the window."


CAROLE THERIAULT. Pretending to be cops.


GRAHAM CLULEY. Pretending to be cops. Well, not— they were cops. They were cops.


CAROLE THERIAULT. No, no, no, but okay, you're right.


GRAHAM CLULEY. They weren't pretending to be cops.


MARIA VARMAZIS. That's true.


CAROLE THERIAULT. That's true.


GRAHAM CLULEY. Yes. So that, in that way, they didn't commit a crime. Now, here's what you're probably wondering. You're thinking, hang on a moment.


CAROLE THERIAULT. You've been wrong so far with all of the things I've been wondering. But anyway.


GRAHAM CLULEY. If I've lost my job at the police force because I was helping people out with some slushies and filming things and squirting them in the face, what are you going to do with your time? Well, if you're one of these cops, 36-year-old Brian Wilson, not to be confused with anybody else called Brian Wilson. He was involved in this Slushygate incident, as the media called it. And he thought, oh, what can I do to fill up my time? He thought, I know what, I'll become a sextortionist.


CAROLE THERIAULT. What?


GRAHAM CLULEY. I have this— Not contortionist.


MARIA VARMAZIS. I was like, what he wants to do in his private time is none of my business.


CAROLE THERIAULT. I had my theory in my head was he was going to become a YouTube star doing this, you know, with fake cop stuff and make more money that way and say, I don't want to go back.


GRAHAM CLULEY. You know, Carole, I actually wondered if that was the reason why they did all of this, whether they wanted to be the coolest social media cops.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And go viral.


MARIA VARMAZIS. Were they shouting Worldstar when they were throwing these things like, Worldstar!


GRAHAM CLULEY. WordStar? What, the old word processor? No.


MARIA VARMAZIS. Oh, never mind.


CAROLE THERIAULT. Yeah, just don't.


MARIA VARMAZIS. Mm-mm.


GRAHAM CLULEY. Mm-mm. So, this chap, Brian Wilson, he became part of a plot to stalk and extort young women online. And he hired a hacker.


CAROLE THERIAULT. What?


GRAHAM CLULEY. To break into people's Snapchat accounts and steal their naked photos and videos. And now, so far, so normal, right? People breaking into Snapchat, stealing videos of sexy, topless, whatever. Videos of people.


MARIA VARMAZIS. So to be clear, he's extorting people of sexual content. He is not doing sexual contortioning.


CAROLE THERIAULT. I misunderstood that too, actually, Maria. I really did.


MARIA VARMAZIS. All right.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Yes. Sextortion isn't— Yes.


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. Yes, exactly. Now, so far, so normal. But what makes this unusual is that, of course, he used to be a policeman and he exploited his background as a policeman when doing the hacks.


CAROLE THERIAULT. Jesus.


GRAHAM CLULEY. Because when he had been a policeman, he had had access to a police tool called Accurint.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. And Accurint, it's a rather controversial, powerful data gathering tool, which allows you to— it scoops up all kinds of information about people on the internet and makes all the links. And, you know, delves into the dark web and onto social networks and finds out all kinds of like, ooh, this is, you know, who they are, this is where they live, this is what their mother's maiden name is.


MARIA VARMAZIS. And it's all public information, I'm sure, but it does it for you so you don't have to do the digging, right?


GRAHAM CLULEY. Absolutely. Okay. And so, the police make use of this in investigations. And—


CAROLE THERIAULT. So, all cops had access to this, or presumably at a certain level, you could have access to this, and it's pretty powerful.


GRAHAM CLULEY. Exactly. He had had access to it, and his passwords had not been revoked after Slushygate. So, he was able to entertain himself by logging into Accurint for months and months and months. Gathering information. Accurint claims to scan millions of websites, hundreds of social networking sites. It makes all these links. Clearly can be useful to law enforcement, but shouldn't be used by someone who's been throwing slushies at homeless people.


MARIA VARMAZIS. Oh man.


CAROLE THERIAULT. There's a big difference between being a sextortionist.


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. I don't even like that word at all.


MARIA VARMAZIS. No, same.


CAROLE THERIAULT. Someone who extorts people through, what, sexual violence online, and someone who throws a slushie at somebody.


MARIA VARMAZIS. Yeah, he escalated it.


CAROLE THERIAULT. Yeah, it seems—


GRAHAM CLULEY. I think I'd agree with that.


MARIA VARMAZIS. Yeah. Well, it's a classic story though of an organization forgetting to revoke credentials after somebody leaves or is suspended. I mean, that happened. I'm sure that's happened to the two of you because it's happened to me after I've left a job. I still have access to tools that I shouldn't.


GRAHAM CLULEY. Oh yeah.


MARIA VARMAZIS. Yeah. Yeah.


GRAHAM CLULEY. So having grabbed rude photos, he would text the victims threatening to release them to their family, friends, coworkers. We've actually got an exchange in the court documents as to what he said to people, say, hey, I'm, I'm making you the focal point of this collage. Check out the pictures.


CAROLE THERIAULT. Oh, shame on this man.


GRAHAM CLULEY. And they'd say, well, who are you? And they'd say, oh, oh, do you mind if I post them? You know, I'm telling everyone I really love them. How did you get these? And he said, oh, I'm going to send them to your grandparents. I'm going to post them up on Pornhub. But you know, we can keep this between ourselves if you promise to send me a few more pics. And that way we can both benefit. What an asshole. He was an asshole. He called people dirty sluts, whores, and bitches. He's not very nice. He wasn't very charming about this.


CAROLE THERIAULT. Oh, if he had been charming, I would've given him a pass, Graham. If he'd called them darling and pussycat.


MARIA VARMAZIS. Said it nicely. Would've put a little bow on it.


CAROLE THERIAULT. Please.


GRAHAM CLULEY. If he'd been like Colin Firth or Mr. Darcy and been terribly polite about it, I think it would be absolutely fine.


MARIA VARMAZIS. Standing there in the rain looking a little bit sad.


GRAHAM CLULEY. Oh, bless him. Or standing there covered in a slushie. So, Brian Wilson did actually send sexually explicit images to a victim's employer. Apparently, it almost resulted in her termination. What? And some of his victims said they suffered real psychological trauma, as you can imagine.


MARIA VARMAZIS. I believe it, yeah.


GRAHAM CLULEY. So, the good news, good news, he's now been sentenced to a total of 30 months in a federal prison, which is more than the other chap who'd just done Slushygate. So this is— they combined the crimes.


CAROLE THERIAULT. He was a member of the police force when he was doing this. He was on suspension and he gets 30 months.


GRAHAM CLULEY. I think he'd actually been let go. I think he wasn't just suspended at the time of the sextortion, but he was still using those credentials to access his system. But yeah, it doesn't feel like a very big sentence to me.


CAROLE THERIAULT. Well, I just feel compared to other sentences, I mean, hey, look, 3 days in jail would be a pretty horrific experience for most people. So, you know, I'm not putting— but it's just, it's just, you know, some people seem to get like 25 to life for carrying a bit of junk in their pocket.


MARIA VARMAZIS. Anyway, yeah, these crimes are not taken seriously enough, that's for sure. But yeah, yeah, they're like, oh, that sounds inconvenient that your naked pictures might have gotten leaked. Oh well.


CAROLE THERIAULT. Yeah, you bitch.


MARIA VARMAZIS. Yeah, you deserve it or something because you took those photos in the first place, is sort of the other thing.


GRAHAM CLULEY. I don't— I don't understand why you would go to so much effort and hiring a hacker to help you, and you'd put all this energy into stealing people's Snapchat accounts and grabbing their photographs. Not to extort money out of them, not to get sexual favors, but in order to get hold of more photos. I mean, I guess—


CAROLE THERIAULT. God knows what he was doing with them!


MARIA VARMAZIS. Oh, you know what he was doing. Come on!


GRAHAM CLULEY. I think we know. I think we know what he was doing with them.


CAROLE THERIAULT. I just mean perhaps he was going beyond that, maybe selling them. Maybe there was a little black market going on with the pictures he was collecting.


MARIA VARMAZIS. It's a power trip. He knows that he's scaring people doing this and that he has a grip on them. Sorry. It's the fear. It's the power over other people. I don't— I think he could have done it for no money and not even public consumption, supposedly, just to terrify the shit out of these women and to know that he had them.


GRAHAM CLULEY. I think the power is the frisson, isn't it? Because it's not like there's a shortage of pictures of naked ladies on the internet.


MARIA VARMAZIS. Yeah, I hear they're perhaps a little bit plentiful on the internet, but I haven't checked to verify.


GRAHAM CLULEY. So, but yeah, no, it must be the power trip. And the slushies?


CAROLE THERIAULT. He's just an asshole.


MARIA VARMAZIS. Yeah, a total asshole. Exactly.


GRAHAM CLULEY. Maria, what's your story for us this week?


MARIA VARMAZIS. So I have a story about phishing, and I wanted to have a little coffee talk about it.


GRAHAM CLULEY. I'm a very busy person. I don't drink coffee.


MARIA VARMAZIS. A tea chat.


GRAHAM CLULEY. I'm more of a Pellegrino man, but okay, go ahead.


MARIA VARMAZIS. Pellegrino. Okay, that also works. Yeah. Open up that bottle. Uh, so there's a blog post that just came out from Check Point and they published their top 10 list of who is the most imitated company for the purposes of phishing in Q3 2022, which is right now. And this is worldwide stats. So not America focused, not UK focused.


CAROLE THERIAULT. Like who?


MARIA VARMAZIS. So I'm curious who you think is the number one most imitated company. Is imitating the right word for this? Impersonated? In company-nated? That's not—


CAROLE THERIAULT. In the world.


MARIA VARMAZIS. In the world.


GRAHAM CLULEY. Would it be someone like eBay or Amazon?


CAROLE THERIAULT. I was thinking, isn't it the Alibaba one? Is that what it's called? There's a—


GRAHAM CLULEY. Yeah, the Alibabas. Yeah.


CAROLE THERIAULT. Yeah, same idea, right? Isn't it kind of Amazon?


MARIA VARMAZIS. I think that's a really good guess. I'm going to tell you both that neither of you are correct, but I'm going to give you a hint. About who might be in the top. So think about what's going on in Q3, what's happening specifically end of Q4, what people might be getting ready for.


GRAHAM CLULEY. Christmas.


CAROLE THERIAULT. Yeah.


MARIA VARMAZIS. So if somebody is getting ready for Crimbo, what are they probably doing?


CAROLE THERIAULT. Shopping.


GRAHAM CLULEY. Ordering shit online. Not shit.


MARIA VARMAZIS. Ordering lovely things online.


GRAHAM CLULEY. Yes, lovely things.


MARIA VARMAZIS. Fighting inflation with their hard-earned cash. If one can even do such a thing. So think about who might be purveying such goods.


CAROLE THERIAULT. Alibaba.


GRAHAM CLULEY. Amazon.


MARIA VARMAZIS. eBay.


GRAHAM CLULEY. We've mentioned these.


MARIA VARMAZIS. Yeah, yeah, yeah. So not them, not them. Actually getting those items directly to the persons of interest.


CAROLE THERIAULT. Oh, the UPS.


MARIA VARMAZIS. FedEx. Yeah, you're on the right track.


GRAHAM CLULEY. DHL.


MARIA VARMAZIS. Ah, ding, ding, ding, ding, ding. It's DHL. DHL was the number one most imitated company for phishing purposes. 22% of all phishing attacks globally are using fake DHL emails. Yes. And apparently they were— DHL was specifically the target of a huge phishing campaign, especially over the summer. But they're still at the top of the list right now. But I'm just curious who you think is also on that list, because nobody that you've mentioned is on there in, say, the top 10.


CAROLE THERIAULT. Banks?


MARIA VARMAZIS. Yeah, uh, I don't— I see— I do see a bank at number 9 is HSBC.


GRAHAM CLULEY. PayPal?


MARIA VARMAZIS. PayPal? No PayPal. No PayPal.


CAROLE THERIAULT. Um, what about charities?


GRAHAM CLULEY. Charity, mate.


MARIA VARMAZIS. Charity. I, I feel like you're gonna, you're gonna be smacking yourself on the forehead when I tell you who the number 2 and 3 are, because it's— I feel like they're—


CAROLE THERIAULT. oh, like what about Netflix?


MARIA VARMAZIS. They're number 5 at 5%.


GRAHAM CLULEY. Oh, okay, okay. Well done, girl. Well done.


MARIA VARMAZIS. Oh, Apple.


CAROLE THERIAULT. Gaming centers.


MARIA VARMAZIS. Not Apple. I don't see Apple on here.


GRAHAM CLULEY. PlayStation.


MARIA VARMAZIS. Uh, no PlayStation. Do you want me to tell you? Yes. Put you out of your misery. Number 2. Number 2 at 16% is Microsoft.


GRAHAM CLULEY. Oh, I've heard of them.


MARIA VARMAZIS. Yeah, this little firm called Microsoft. And it's a lot of OneDrive, Microsoft OneDrive imitation email. Oh, cool.


GRAHAM CLULEY. Why didn't we think of that?


MARIA VARMAZIS. I don't know.


CAROLE THERIAULT. Because Microsoft?


MARIA VARMAZIS. That's probably part of it, right? And number 3 at 11% is the previous top in the Q1 and Q2, which is LinkedIn. I guess everybody looking for new jobs with this.


GRAHAM CLULEY. Bloody LinkedIn.


MARIA VARMAZIS. LinkedIn. And number 4 is Google.


CAROLE THERIAULT. So, uh, yeah, we say these—


GRAHAM CLULEY. Carole, we're imbeciles.


CAROLE THERIAULT. No, again, speak for yourself.


MARIA VARMAZIS. I did like that number 6 is WeTransfer. So people who are getting— where is there something? I don't know what they're downloading on WeTransfer. Videos? Number 7 is Walmart. So I don't know, do they ship globally? Number 8 is WhatsApp, which, uh, I feel like watch that space because there's been a whole bunch of fake WhatsApp imitators.


CAROLE THERIAULT. Interesting.


GRAHAM CLULEY. So you say DHL's number one. If someone's sending me a physical item, DHL don't get told my email address, do they? So, so why would I be tricked into clicking on— I can understand if I was sending something that maybe they would have my email address, but I'm not the customer in a way, am I? I'm the person receiving the good. Sent by the person who dealt with the— I don't understand why people would fall for that one.


MARIA VARMAZIS. Okay, so I have a few theories on DHL, but they are a little bit US-centric, admittedly. So I know that DHL is a huge purveyor of packages, but in the States, it's not because they don't do— they only do, I think, international package delivery at this point. So to me, when I do get an email from DHL, because I opted in ages ago to get email notification, so that is a thing you can do. That to me indicates I've got something coming from abroad, which is like, ooh, very exciting.


GRAHAM CLULEY. Exciting, exotic.


MARIA VARMAZIS. Yes. Yeah. It's not just my regular old Amazon delivery of oat milk or whatever. It's something like, oh, somebody sent me something from somewhere else. And that can be exciting.


GRAHAM CLULEY. But I know they're very cute. Proper chocolate, maybe, from Europe.


MARIA VARMAZIS. Maybe.


GRAHAM CLULEY. Something pleasant, which you can't get in— Proper cheese, maybe, which you can't get in America, right?


CAROLE THERIAULT. Hey!


GRAHAM CLULEY. That's not true. You don't get proper cheese in America. Yes, you do.


CAROLE THERIAULT. Do you?


MARIA VARMAZIS. That's—


GRAHAM CLULEY. no, no, no. Yes!


MARIA VARMAZIS. I will not stand for that blasphemy. Chocolate, yes, but not cheese. Cheese we've got.


GRAHAM CLULEY. All right.


MARIA VARMAZIS. Not just government cheese. We've got other cheeses. I live near Vermont. I mean, come on. Exactly. And Canada, which also has cheese. Yeah. So it, to me, it's like, ooh, there's something interesting arriving from DHL. And you can opt in to these package, UPS, FedEx, DHL. You can opt into a thing that'll tell you when you've got a package coming to you so you can tell them when to deliver it or to hold it for a bit. So, it's a possibility.


GRAHAM CLULEY. Oh, yeah.


MARIA VARMAZIS. But I don't think people are even thinking of it that much. Maybe they're just going, "Ooh, package." Doxing. Exciting. I mean, it's working if it's the number one most imitated brand right now for phishing purposes, it's probably because it's working, right?


GRAHAM CLULEY. Yeah, I guess so.


MARIA VARMAZIS. And what was interesting for over the summer when they were the target of a lot of phishing attacks, to me anyway, was one of the attack vectors was actually referring people to a fake landing page where the phish was done through a fake chatbot.


GRAHAM CLULEY. Whoa.


MARIA VARMAZIS. Yeah. So it wasn't just like, hey, put in your credit card information and, oh, it doesn't work. Oh, shucks. There'd be a whole thing where you'd had to talk to the DHL assistant chatbot, which is how a lot of brands are talking to people now, right? If you've got an issue, they want you to talk to that little chat thingy in the lower right of your screen. And that's actually where— and the chatbot would actually give responses that sort of made sense based on what the person was putting in. And then that would be what delivered the phish. So that to me was an interesting thing. I don't know if that's still happening right now in Q3, but that was happening over the summer. So yeah, yeah.


GRAHAM CLULEY. So, yeah, it's an interesting, more sophisticated way of doing it, I suppose, isn't it?


MARIA VARMAZIS. Yeah, it's adapting to the times because again, I feel like for a lot of issues that I've had with my phone company or other things, it's almost always a chatbot that they want me to talk to first. They don't want me emailing me. They want me calling. It's use that damn chatbot.


CAROLE THERIAULT. I've never used a chatbot yet.


MARIA VARMAZIS. Yet.


CAROLE THERIAULT. Yet.


MARIA VARMAZIS. They might shunt you towards one, one of these tickets. But yeah, yeah, I guess we have to be careful of what's on that.


GRAHAM CLULEY. So what's your advice, Maria?


CAROLE THERIAULT. Yes, space correspondent.


MARIA VARMAZIS. Yeah. Blast yourself into orbit and don't worry about these problems. No, I mean, phishing works because it works, right? It's people keep doing it. We tell people not to click links and then we've got malicious chatbots, so everybody needs to still be as careful as they can. And, uh, but I mean, even people who are very seasoned, sophisticated security types will, can, and do fall for phishing attacks. So, um, I don't think blaming users and being like, you're dumb if you fell for it, is going to help. Uh, so we all got to be careful, but, uh, you know, just be, be wary of who's asking and for what, but don't beat yourself up if it happens to you, I guess. I don't know if that's good advice. We all sound very troubled now.


GRAHAM CLULEY. Oh gosh. Yeah.


CAROLE THERIAULT. Don't worry, I'll cheer us up.


MARIA VARMAZIS. Yeah, cheer us up, please, please.


GRAHAM CLULEY. Growl, what have you got for us this week?


CAROLE THERIAULT. Okay, no, Graham. Graham, I want you to cast your mind back. I think it's about 8 years ago.


GRAHAM CLULEY. Oh my God.


CAROLE THERIAULT. You and I met up with a UK-based corporate hotshot in a London members club.


GRAHAM CLULEY. Oh yeah, I know who you're talking about, yes. Yes, yes.


CAROLE THERIAULT. You know, puffy eye, puffy eye.


GRAHAM CLULEY. That's his code name. Yes. No names.


CAROLE THERIAULT. And he talked excitedly about digital marketing based on location profiles. So I remember him, he was using a bassinet as an example, and he was like, if you try to flog them on Facebook, the approach you would use in New York to try and get mothers to buy this bassinet was wildly different from one that you would use if you were targeting moms in LA.


GRAHAM CLULEY. What is a bassinet? Sorry, I'm—


CAROLE THERIAULT. Like something you put babies in.


GRAHAM CLULEY. Oh, like a crib?


MARIA VARMAZIS. Little tiny baby. Yep.


GRAHAM CLULEY. A little baby, right? Okay.


CAROLE THERIAULT. Yeah. Teeny tiny baby, right? And this thing attached to the bed, and at the time it was new and it was all cool. And in New York, you'd talk about how it benefited the mother because the baby slept more soundly, so you'd get more sleep, etc., etc. And in LA, you'd talk about the organic materials and the safety features.


GRAHAM CLULEY. And in Europe, you'd say how it benefited the father because the mother would be happy and that would make your life happy.


CAROLE THERIAULT. And I remember when he was telling us this going, whoa, that's crazy, you know. And, uh, but boy, things have moved on at a pretty fast clip, okay. And now, while, uh, we welcome our second unelected prime minister, Richie Rich Sunak, right, the U.S., the U.S. faces a fierce midterm election fight, uh, in a few weeks to elect new members of Congress. Is that right, Maria?


MARIA VARMAZIS. Yep, yep, you've got your finger on the pulse of what's going on over here. It's great. Great times in America.


GRAHAM CLULEY. Everything's going to be marvelous, isn't it?


CAROLE THERIAULT. Oh, we could swap. We could swap. It's really fun here too.


MARIA VARMAZIS. No, I know. It's, it's a just dumpster fire all the way down. I know. No.


CAROLE THERIAULT. And now the reason this is a hot topic is there's a grab for the midterm elections, right? So there's like a Senate race and there's like 6 states that could make or break it for one party or the other. And of course, there are many people out there, like from volunteers, employees, contractors, working their guts out so that you vote with their party, whichever one they're representing. And, you know, they hold rallies, go door to door, put up billboards, but they're also making huge strides through data mining. Okay, so I'm going to pivot here for a moment. Okay, so we're going to go back to 2019. This was an article in The New York Times by Kashmir Hill, and it's called "I Got Access to My Consumer Score." And you can get yours too. So it's a great article talking about, you know, these specialist data mining companies that have these consumer scores for you to help them better provide you access to the goods and services that they're trying to flog. And the score might be something between 1 and 10, 1 and 100, whatever, right? And there's a variety of different data points. And prior to 2019, it was near impossible to get your hands on a report detailing what they knew about you. But that changed. And in 2019, Hill put in a request for her consumer profile from a company called Sift.


MARIA VARMAZIS. Sift.


CAROLE THERIAULT. Sift.


GRAHAM CLULEY. Sift.


CAROLE THERIAULT. Uh-huh. Sift. And what returned blew her mind. Let's see if it blows yours.


GRAHAM CLULEY. Okay, go ahead.


CAROLE THERIAULT. I'll just read a few paragraphs here. She goes, quote, I got mine and I found it shocking. More than 400 pages long and it contained all the messages I'd ever sent to hosts on Airbnb. Years of Yelp delivery orders, a log of every time I'd opened the Coinbase app on my phone. Many entries included detailed information about the devices I used to do these things, including my IP address at the time. She goes on: Sift knew, for example, that I used my iPhone to order a chicken tikka masala, vegetable samosas, and garlic naan on a Saturday night in April 3 years ago. It knew that I used my Apple laptop to sign into Coinbase in January 2017 to change my password. Sift knew about a nightmare Thanksgiving I had in California wine country as it captured my messages to the Airbnb host of a rental called Cloud Nine. Mind blown or mind blasé?


MARIA VARMAZIS. Oh, I wish I was more surprised by this.


GRAHAM CLULEY. Yeah, I'm sort of more mind resigned, I think. I think I've— yes, there's been so much of this that you begin to get worn down, don't you? You begin to think, well, this is the norm, which it shouldn't be. Of course we should be outraged. We should have pitchforks and blazing torches and walking in the street.


CAROLE THERIAULT. But, you know, but I think for 99.999% of us, what we assume they're collecting, I think it's vastly— yes, huger and much bigger than we can ever even imagine. And if knowledge is power, then profiling data is, you know, the mecca. So let's move back to the midterms which are coming. Okay.


MARIA VARMAZIS. They sure are.


CAROLE THERIAULT. A new article in The New York Times talks about government representatives taking advantage of the vast reach of these data mining companies. Of course they are. Yeah, to mobilize what they call desirable voters. And they do this through voter scores and voter profiles rather than the undesirable.


GRAHAM CLULEY. Desirable, isn't that what—


CAROLE THERIAULT. well, yeah, you don't want that. You don't mobilize the undesirable.


GRAHAM CLULEY. Something like that, wasn't it?


MARIA VARMAZIS. The deplorables?


GRAHAM CLULEY. I think that's the one. It was something like that.


MARIA VARMAZIS. Yes. Desirables versus deplorables. Gotcha.


CAROLE THERIAULT. So as you probably can guess, voter scores are intended to predict the likelihood that an individual agrees or disagrees with a particular party or political stance, right? Like a belief in gun control. Or they might also be used to predict a person's likelihood of voting.


GRAHAM CLULEY. Has bought red baseball cap. That kind of thing.


CAROLE THERIAULT. Uh-huh. Gets way more granular than that. So to your point, Graham, things like there are voting on hot button issues like racial resentment scores, trans athletes should not participate scores, and even UFOs distrust government scores. What? Okay.


GRAHAM CLULEY. There are a lot of illegal aliens out there, aren't there? Yes.


CAROLE THERIAULT. Yeah. Lots more information in New York Times, links in the show notes. Okay, so all these scores help make up a voter profile. So let's say that I'm one of these firms tasked with finding out how people in a particular state think about legalizing jazz cigarettes. Okay, because let's say that my party wants to use that as maybe part of its platform.


GRAHAM CLULEY. You mean cannabis, marijuana.


CAROLE THERIAULT. Right. Mary Jane, whatever.


MARIA VARMAZIS. Mary Jane.


CAROLE THERIAULT. Whatever the kids call it these days. So first, I might want to get some voter profiles. So I would first use commercially available data like you were talking about earlier in your story, Graham. So I would want to find out the net worth, the education level, the occupation, the home value, the number of children in one's household, gun ownership, pet ownership, political donations, hobbies, habits, cooking, woodworking, gambling, smoking, whatever. You know, things that you can purchase from data aggregators like customer loyalty card records, for example.


GRAHAM CLULEY. Would some of that information indicate whether you were likely to be pro-drugs? So for instance, if you had bought a Terrapin once? That suggested you must be on drugs because one day it's going to be absolutely huge and taking over your living room.


CAROLE THERIAULT. Kinda, Graham, kinda. Because once I've kind of got this whole glut of information that I can legally get my hands on, I can then survey a representative sample of voters, some as large as 150 million strong. Jeez.


MARIA VARMAZIS. Yep.


CAROLE THERIAULT. Scoring respondents based on their views on marijuana legalization. I would then apply machine learning to identify common characteristics.


MARIA VARMAZIS. Oh, there's that phrase again.


CAROLE THERIAULT. Calculate the scores on each topic for each voter profile so I can build voter profiles and create groups that are likely to respond desirably to my messaging. So back to my little Mary Jane example, I want to identify which desirable voters in my camp want to hear about my plans to legalize weed. There may be some that are into that, but there may be others that aren't. But they're both still potential voters for me. But I can bury the message for those that don't like it and really call it to the fore for those that do.


GRAHAM CLULEY. So you could send campaign leaflets about legalizing certain drugs, for instance, to the people who are keen on that. And maybe those leaflets could also double up if they rolled them up, they could make an enormous spin.


CAROLE THERIAULT. I was wondering why you're saying leaflets. Yeah, it's also online. It's all the ads that you might be seeing across the internet. And then you could smoke your leaflet as a doobie. God, I'm from the '70s. Can you tell? Right. Okay. So the upshot of all this is that these voter scores and profiles make it much easier for candidates to surgically, and this word was used and I love it, surgically target messages to mobilize the most receptive voters into voting. So a few little concerns that I thought of.


GRAHAM CLULEY. Yeah. Is this bad? Is this bad, Carole?


CAROLE THERIAULT. Yeah. Is this bad? What do you think? Actually, I should turn to you guys. What do you think could go wrong?


MARIA VARMAZIS. Okay. They could make a wrong assumption about somebody, but they're doing that anyway when they sort of broadly leaflet as it is. So I am always getting political text messages, phone calls, flyers on my door, flyers in the mail. For political parties with whom I would never vote if my life depended on it, which in two years it might.


GRAHAM CLULEY. So you would like it to be more targeted?


MARIA VARMAZIS. No, I don't want any of this shit. I want them to leave me alone. The thing that I really hate is I get political messages that are hyper-targeted at my deceased father to me. Yeah. Which is really, really dark every time I get an email to my dad. So it's like, it's like whatever they're doing, it's definitely not correct. So I don't know if this meant that I got less of this crap, then I'd be— I don't want to say I'd be okay with it, but I want less. I'm getting just inundated and I don't even live in a battleground state. My family that— my families that do, it's absolutely relentless. So I don't know. I'm exhausted from all of it, to be honest.


CAROLE THERIAULT. And like, think about it. So good point, Maria. So they get the information wrong, let's say.


MARIA VARMAZIS. Very wrong in my case, yeah.


CAROLE THERIAULT. Right? And let's say that information does get into the wrong hands, like an employer, foreign agent, whatever. And also this pseudo-anonymized, I don't know if I can use that term here, but it feels to me pseudo-anonymized data, right? Because there's so many data points, I think you can practically just say, "And that's you." You know, you could have a game show on this.


MARIA VARMAZIS. You know, this reminds me of something. Can I just go on a little tangent?


CAROLE THERIAULT. Yeah, please.


MARIA VARMAZIS. Yeah, this reminds me of, back when a lot of us were much more active on Facebook, maybe 5, 6 years ago, personally. And there was an option where you could see what ad attributes Facebook had assigned to you based on what you had read and clicked. And I remember digging it. I think actually it was, maybe it wasn't that long ago, 'cause I wanna say that you actually told me about this. And I dug into it and it was like everything they had assigned to me was wrong. It was wildly off. And I, I heard the same thing from a lot of people that they would say, based on what you read or clicked like on or whatever, they would say, oh, we think we know how you would vote or your political party. And a lot of people, it's just super, super wrong.


CAROLE THERIAULT. So yeah, and then you're like, okay, so that's why people are trying to predict elections are getting it so fucked up.


MARIA VARMAZIS. Yeah, I, I need to know. But it's just like there's an element of, based on certain data people who like this kind of food or watch this kind of show tend to vote this way. And I know in broad strokes that might track, but maybe I'm just a corner case.


CAROLE THERIAULT. The other— one more thing, though. The other thing that bugs me on this, you know, if you think back to like Cambridge Analytica and that whole drama with Facebook and them secretly gathering information through forms and stuff, and, you know, on unsuspecting users to target them with ads, isn't the government kind of doing the same thing right now?


MARIA VARMAZIS. Oh, they absolutely are doing the same thing.


CAROLE THERIAULT. Government Accountability Office, they came out with a report saying, maybe we need to put some regulations in place here. Eh. It feels less like wooing to me now in terms of getting someone into a party, but more like duping. And I don't like that.


MARIA VARMAZIS. It'll never happen. It'll never happen because the folks that were in the private sector, they get money to go to the public sector and fix this stuff. And then they kind of bounce back and forth. Anything that gives politicians more money in their pockets. Sorry, I'm so cynical, but at least in the States, I have zero trust that it'll happen.


CAROLE THERIAULT. Yeah, no, I have hope. I have hope.


MARIA VARMAZIS. Oh, that's nice. What's that feel like?


GRAHAM CLULEY. Hang on a minute. Hang on. Couldn't— I can see a positive in all this, right? Because it's a real nuisance having to go down to the polling station to vote every few years. If they know this much about us, could they just leave us out of the whole voting process? Could they just not look at all the data and say, well, he's obviously a Tory, he's a Labour, you know, they're Republican. They're a Democrat. They're an independent.


CAROLE THERIAULT. We don't even have to bother him. Let's not bother him with voting. We've got this.


GRAHAM CLULEY. Yeah, exactly. And they could just work it all out. They just build an algorithm. Why not do that?


MARIA VARMAZIS. Who needs representative government when we have AI? Yeah, right.


GRAHAM CLULEY. Exactly. Exactly. I think we've solved the problem there. Fantastic.


MARIA VARMAZIS. Can't be any worse than what we have now, right?


GRAHAM CLULEY. We all know that data is the most important asset of any business. And the value and usage of information makes data very tempting to thieves. With Sealit, however, you can protect, share, and monitor confidential emails and files without passwords. And it's all integrated with Gmail, Outlook, and file systems. Deploy Sealit across your organization within minutes and achieve peace of mind thanks to its end-to-end encryption that relies on the Zero Trust security model. Get the right tool to own your data and gain great Sealit benefits. Plus, Sealit is offering a very special deal for all Smashing Security listeners. Anyone who signs up for the professional plan before 2nd of December, 2022 can grab 30% off Sealit for a year. And if you sign up to Sealit, listeners can also grab a free Sealit signature no trust t-shirt.


MARIA VARMAZIS. Woo-hoo!


GRAHAM CLULEY. Check out more about Sealit and take advantage of these offers at smashingsecurity.com/seelit. That's smashingsecurity.com/seelit. Sealit. And thanks to Sealit for supporting the show.


CAROLE THERIAULT. Bitwarden's open source password manager that is trusted by millions of individuals, teams, and organizations around the world has just announced its October release. And it is chock full of goodies, which include password protected encrypted export. Which allows you to export your vault in an encrypted format using the password of your choice. Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available. And here's a little insider scoop for you. They're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser. Want to try these features out? I don't blame you. Visit bitwarden.com/smashing. That's bitwarden.com/smashing. And thank you to Bitwarden for sponsoring the show.


GRAHAM CLULEY. The challenge with endpoint security has always been that it's difficult to scale. And when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's k-o-l-i-d-e dot com smashingsecurity.com. And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


MARIA VARMAZIS. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, that book they've read, TV show, movie, record, podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. Excellent. Pick of the Week this week is all about idioms, but idioms which have gone wrong.


CAROLE THERIAULT. Ah.


GRAHAM CLULEY. Someone has— now, this is a problem that we can face here on the podcast because sometimes we're just shooting our mouths off, talking a whole load of cobblers, and you just stumble over your words and you say something and it doesn't really make sense.


CAROLE THERIAULT. Oh, I do it all the time.


GRAHAM CLULEY. Thankfully, the Mixed Idioms website at mixedidioms.co.uk is collecting such malapropisms.


CAROLE THERIAULT. That's a big word for you, Graham.


GRAHAM CLULEY. It was. I took a good run-up at it, but I think I did it all right. Yes.


MARIA VARMAZIS. Malapropisms, a great word. Yes, love that word.


GRAHAM CLULEY. So, if you've ever danced a flamingo.


CAROLE THERIAULT. Instead of flamenco, I guess. Yeah.


GRAHAM CLULEY. Right. If you're worried about the worst case Ontario.


CAROLE THERIAULT. Worst case scenario.


GRAHAM CLULEY. If you've got a baby in the oven. Or if you've told someone to get rich or try dying. Then you might well enjoy this collection of malapropisms, eggcorns, mondegreens, Escher sentences, mixed idioms, and malaphors.


MARIA VARMAZIS. Maybe a spoonerism in there somewhere.


GRAHAM CLULEY. There quite possibly is, yes, a queer old dean in there as well. Who knows? You could well get one of them in there too. Some of it's quite funny because, I mean, I don't know if you've ever listened to a song and you've been very, very wrong about the words?


MARIA VARMAZIS. Oh, yes. Oh, yes.


GRAHAM CLULEY. Dancing queen, young and sweet, only 7 teeth.


MARIA VARMAZIS. I've never heard that one.


GRAHAM CLULEY. Every time you go away, you take a piece of meat with you. So, you know, there's—


CAROLE THERIAULT. Really?


GRAHAM CLULEY. These are all documented up on this website. And I think it's rather fun. And that is why mixedidioms.co.uk is my pick of the week. Maria, what's your pick of the week?


MARIA VARMAZIS. Mine is space-related. I know, big surprise. Um, it wasn't intentional actually. It's for a book that I just bought for myself, and I'm, I'm recommending it to anyone else who might be interested in this kind of thing. This book is called Apollo Remastered, and if you are a space nerd, you probably already know about it. If you are really into photography, this actually also might be of interest to you. Um, because this book— if you don't want to buy the book, go to the website apolloremaster.com and read about how they made this project. So Andy Saunders, who's an amazing photographer and a photo restorer, worked with NASA to, uh, basically rescan and remaster a lot of the original film that was taken from the moon landings, which has been in frozen storage for 50 years. So basically, a lot of the images that we've seen from that historical landing, they were sort of scanned and processed at the time with the technology that was available at the time. And we've just sort of reused those images since then. But we obviously have much better scanning technology now and a lot more things that we can do with film. I'm not a film buff, so apologies, people who know more about this than me. But he basically rescanned, reprocessed some of this stuff. And I think he did some processing with, like, um, oh gosh, he did some stuff with film. I don't know, read the project page, it's really fascinating. And the, the images are like crystal clear there. You've never seen the pictures like this before. And he also looked at some of the film, like the actual moving film that the astronauts took, and, and got some stills from those that we've never seen before. Um, so I think for people who like space stuff, they'd be interested in this. This is like a huge coffee table book. But even if you're just really into photography, the project page where they describe how they remastered all this and got the film out of frozen storage in Houston. I thought that was really cool.


CAROLE THERIAULT. And you can buy prints on the website as well. So they're from like £165 in England. But yeah, so there's like this, you can actually purchase from there too if you want a part of it. So that's amazing photography.


GRAHAM CLULEY. Maria, I really like this. I think it's great. I'm rather obsessed with photographs of the moon. In fact, I follow a chap called Cosmic Background online. He has a website, cosmicbackground.io. He hasn't been up in space like NASA, but, or indeed you, but he has a decent telescope in his back garden and he takes incredible photographs of the moon and in extraordinary detail on the sun and the planets. And I'm rather obsessed with it all. So I will check this out. This sounds like a terrific book and a great website.


MARIA VARMAZIS. Yeah, these photos, we've seen them all before, but not like this. It's like high def basically. So I really hope everyone just give it a look. It's really fascinating.


CAROLE THERIAULT. See, a cool thing technology's done for us.


MARIA VARMAZIS. Mm-hmm.


GRAHAM CLULEY. There you go. Carole, what's your pick of the week?


CAROLE THERIAULT. My pick of the week this week is a podcast from Pushkin called Death of an Artist. Have either of you heard it?


MARIA VARMAZIS. I have not. No.


CAROLE THERIAULT. It centers on two artists, a Cuban refugee called Ana Mendieta, and she was a cutting-edge body artist, probably best known for her Silueta series, where she inserts her own silhouette into landscapes. It's amazing stuff. And she's no wallflower, like, does some incredibly disturbing, important scenes revolving around women, sexual violence in the mid-'70s. Some big stuff. And we should be kind of enjoying her work today, but we cannot because she died rather dramatically. And the question is, did she throw herself from a, I think, 16th floor New York balcony, or did her husband, artist Carl Andre of minimalist little squares, if you've been to MoMA, you'll see a load of those, did he shove her off in a fit of pique?


GRAHAM CLULEY. Oh, crumbs.


CAROLE THERIAULT. And so we hear of their work in the podcast. I think it's 6 episodes, but you hear about Ana's work and you hear about Carl's work. You hear about their relationship. You hear about the art world at the time. You hear about the murder— sorry, death. And how—


GRAHAM CLULEY. Spoilers.


CAROLE THERIAULT. And how the art world was split in two and remains split in two. For those that think that Ana was murdered and those that support Carl and think it was a tragedy. Okay, so the story is fascinating. It's really nicely produced, as most of the things from Pushkin are, and it's told exceptionally well by Helen Molesworth, who was the chief curator of the Museum of Contemporary Art, MOCA, in Los Angeles, where she was until 2018, when she was abruptly fired. And she speaks—


GRAHAM CLULEY. Oh, I thought you were going to say she was pushed off a building as well. Oh no. I've been a serial artist.


MARIA VARMAZIS. Spoilers.


CAROLE THERIAULT. Yeah, but I think because she got free of that role, she was able to tell this story because she didn't have, um, pressure from other people to not tell the story. So she speaks about this whole drama of being fired and the whole drama between these two artists and what happened and what she thinks. And I found the whole thing rather moving, and I heartily recommend it. Um, so that is called Death of an Artist from Pushkin.


GRAHAM CLULEY. Find it in all good podcast apps. Yeah. Cool. Well, that just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What is the best way for folks to do that?


MARIA VARMAZIS. Well, they can continue to follow me on Twitter @mvarmazis while Twitter still exists, if Elon Musk allows it to, or you can listen to me on the CyberWire and wherever fine podcasts are found.


GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G, and we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And huge, huge shout out to our episode sponsors, Kolide, Bitwarden, and Sealit, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog, blog with more than 294 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye-bye.


GRAHAM CLULEY. Bye. I say bye to the phone.

-- TRANSCRIPT ENDS --