
297: Mastodon 101, and the Hushpuppi saga


Graham offers some security and privacy advice for those exodusing Twitter to Mastodon, and Carole slams the door shut on a notorious scammer with a huge Instagram following.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who aren't joined by a guest this week.

Warning: This podcast may contain nuts, adult themes, some snorting, and rude language.

Episode links:

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Sealit – Zero Trust Data Protection: protect, share, and monitor confidential emails and files, without passwords. Integrated with Gmail, Outlook, and file systems. Learn more and take advantage of Sealit's special offer to "Smashing Security" listeners.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Is it worse if I duped you into giving me all your money versus me sneaking into your house and stealing all your money? What's worse?


GRAHAM CLULEY. Well, I wouldn't hopefully store all of my money at home.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Uh, what? So are you having an asthma attack? What's going on?


CAROLE THERIAULT. No, uh, I would of course have many different accounts around the world, and it would be very difficult, in fact impossible, for you to get all my money.


UNKNOWN. However, Smashing Security, Smashing Security, episode 297, Mastodon 101 and the Hushpuppi Saga with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 297. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. It's a big number, isn't it, Graham?


GRAHAM CLULEY. Well, it's a bigger number than last week and the week before, and that's the way numbers work, Carole. They just keep on going up and up until we die, until we drop dead. And there's no more podcast. What a shame. Cheery.


CAROLE THERIAULT. Cheery. So cheery that we haven't a guest today.


GRAHAM CLULEY. No.


CAROLE THERIAULT. Today is a very big day in North America, midterm elections on the day of recording.


GRAHAM CLULEY. We tried to get a leading politician, didn't we, from America to come along and appear on the show, but they were busy.


CAROLE THERIAULT. They were busy. So it's just us this week. Don't worry, we've got some good stories.


GRAHAM CLULEY. Maybe we'll get Joe another week. Anyway, never mind.


CAROLE THERIAULT. But before we kick off, let's thank this week's sponsors. Bitwarden, Sealit, and Kolide. It's their support that helps give you this show for free. Now coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. Mastodon, Mastodon, Mastodon. I'm going to talk about Mastodon.


CAROLE THERIAULT. Okay. And I'm going to find out if Hushpuppi is actually now hushed. All this and much more on this episode of Smashing Security.


GRAHAM CLULEY. Now, chum chum, what a big week it has been. In the Twittersphere.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. It's all gone very smoothly, hasn't it? I mean, we talked about it last week in some depth, that the turmoil that has been caused by Elon Musk's takeover of Twitter.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Which has had an unexpected consequence.


CAROLE THERIAULT. One? I think more than one.


GRAHAM CLULEY. Well, yeah, a number of consequences, a number of consequences. Obviously, the man-child billionaire that is Elon Musk is causing havoc on Twitter. With his pronouncements, with his bizarre behaviour, particularly in election week. But never mind, let's not focus too much on that. As we all know, at least I thought I knew, I thought I knew what Elon Musk was spending $44 billion on.


CAROLE THERIAULT. Did you?


GRAHAM CLULEY. I thought he was spending $44 billion on buying Twitter. Turns out that's not the case.


CAROLE THERIAULT. Is it not?


GRAHAM CLULEY. No.


CAROLE THERIAULT. What's he buying?


GRAHAM CLULEY. What he's actually done is he's spent $44 billion promoting another service, which many people won't have heard of before, called Mastodon. And Mastodon is a sort of Twitter without all the bad stuff. It's where you go if you liked Twitter, but you're worried that Twitter's going down the pan.


CAROLE THERIAULT. Right, it's like the next evolution, perhaps.


GRAHAM CLULEY. Well, Twitter is evolving at an enormous rate, but maybe not in a good direction.


CAROLE THERIAULT. Devolving, perhaps.


GRAHAM CLULEY. Perhaps, perhaps. Curiously enough, Mastodon, of course, is named after a— wasn't the mastodon, wasn't that a great big woolly mammoth or something? I think in the— oh, I'm not an archaeologist. I'm not someone who digs up fossils.


CAROLE THERIAULT. Don't worry, you carry on. I'll find out.


GRAHAM CLULEY. All right. You find out while I'm talking about this. But anyway, yes, Mastodon is an unusual alternative to Twitter, which has proven in the last few days to have enormous success. Because floods of people, I wouldn't say they're necessarily closing their accounts on Twitter, but what they are doing is they're worried and they're trying out Mastodon.


CAROLE THERIAULT. So they're worried that, like, how are they going to live? Like, they need to sleep, eat, go to the bathroom, and tweet?


GRAHAM CLULEY. Well, well, here's the thing. You can still tweet, obviously, on Twitter. You can do that. But rather than tweeting on the loo, wouldn't you rather toot? Because that's what Mastodon allows you to do. It allows you to toot. Now, I personally don't like the verb to toot. It sounds a little bit like—


CAROLE THERIAULT. I don't know what you mean to toot. What do you mean?


GRAHAM CLULEY. On Mastodon, the official terminology for a post is a toot, just like on Twitter, it's a tweet.


CAROLE THERIAULT. Right. Thanks. That's good. Now I'm not going to look so stupid when I talk about it.


GRAHAM CLULEY. So now I personally prefer to say post. And in fact, on my Mastodon app, I've managed to change the button. So it says post rather than toot, because it just pleases me more because I'm of a certain classy nature.


CAROLE THERIAULT. Tweetiness. Yeah.


GRAHAM CLULEY. Yeah, maybe. But no, I don't think that's— I think what people are concerned about is a whole variety of things, right? Elon Musk bought Twitter and said, we need to have freedom of speech, right? He's very big on freedom of speech. And other people are saying, you know what? Twitter's pretty nasty as it is, even with thousands of people moderating the content and getting rid of the unpleasantness. Do we really want complete free-for-all here? And what's happened is Elon has fired a lot of Twitter staff, something like 50% of his staff have gone.


CAROLE THERIAULT. Yeah, 3,700, I read.


GRAHAM CLULEY. Is it? It's a huge number, isn't it?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Huge number of people have gone. Many of them were involved in moderation. It was reported that use of the N-word, I don't have to tell you what the N-word is, we're not gonna say it on this show, but use of that rose something like 500% after Elon Musk bought the site and people began testing just how much they could get away with. So people are concerned there's going to be even more toxicity on Twitter. Plus, Elon, of course, is trying to make money out of Twitter, not only with verified accounts, but he's also looking to monetize advertising more. So to get more information out of you. In fact, one of the ways in which he's actually promoting the verified accounts, he's saying, if you get yourself your little new blue tick, which you pay maybe $8 a month for, then what we will do is you'll only see half the number of ads. And he's saying, if you pay the money, you'll also, you'll have more targeted ads, he says. The ads will be better, he says, than the ones used for the masses.


CAROLE THERIAULT. We know, I think we know about him, that he's not someone who kind of sits around and ponders for very long periods of time before he starts blue sky thinking. Right. And that's worked for— in his favor in some respects, certainly. But it's also led to some, you know, rather insane behaviors.


GRAHAM CLULEY. Yes. Yes.


CAROLE THERIAULT. To me, this sounds fairly logical though. If he had to purchase something that he didn't want to buy after he changed his mind and flip-flopped because, you know, he's a high-stakes roller, um, he's going to want to recoup as much money as possible. And he seems to be doing it like crazy, like fire staff, charge people more, everything's going go, great, no one's going to leave.


GRAHAM CLULEY. Yeah. Well, people are leaving and people are concerned.


CAROLE THERIAULT. But how many people are leaving? Like 1%? Probably not even, right?


GRAHAM CLULEY. Well, at this stage, maybe. But what struck me is that I've encountered a number of people over the last few days who've been saying to me, what's this Mastodon thing then? People who work outside of cybersecurity, people who aren't addicted to Twitter. I turned on the radio, I went to the supermarket earlier today. What were they talking about? They were talking about Mastodon on the radio. And I think if you remember when Twitter became really popular, Twitter became really popular, I think, when Ashton Kutcher started going on about it all the time and it sort of reached that critical mass, and the numbers of people who've been switching to Mastodon and the impact that's had on Mastodon sites, with sites slowing down because of the deluge of traffic. And I've had a Mastodon account for years 'cause I'm a bit geeky and nerdy. And to be honest, for years and years, all I ever did there was—


CAROLE THERIAULT. I just love how you say that as though the listeners don't know that.


GRAHAM CLULEY. All I did was I was tooting at Maria Varmazis, the only other person I really knew who was on Mastodon, right? Yeah. And so we would exchange toots, right, back and forth, and that would be about it. Now I am getting more messages on Mastodon than I do on Twitter. I'm getting more engagement, more people replying to my messages. I'm having hundreds and hundreds of new people following me every day on Mastodon. And that's crazy because I had a lot of followers on Twitter, but Mastodon works much better. It seems to be a nicer place.


CAROLE THERIAULT. So, okay, you, you had access to Mastodon for a long time and it took the huge shove of Elon Musk kind of destroying the camp for you to go, okay, then, oh, this is really nice. Like you've been there a long time and you haven't waxed lyrical till now.


GRAHAM CLULEY. No, no, no. I knew it was nice before, and I have written about it before and spoken about it before. The problem was there weren't very many people up on it. And it's like many of these sites, until you have a critical mass of people, they don't take off. And it's always that chicken and egg. How are you gonna get people to come along if there's— if they don't know anybody there? It's a bit like getting—


CAROLE THERIAULT. You were basically this kid in the sandbox playing on your own with some sand, and now there's some other kids now going, hey, you wanna play in the sandbox?


GRAHAM CLULEY. I want to stress, not just me, but there weren't a huge number of people.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. But now their numbers have grown enormously and every hour there are thousands and thousands and thousands of new users of Mastodon, which is actually according to Twitter's own stats. So it produces annual stats of how many users are added every day. Mastodon is getting more users every day than Twitter is.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And of course, people will be leaving Twitter as well because of the ads, because of the messing around with the timeline, not showing you stuff in chronological order, et cetera, et cetera, et cetera.


CAROLE THERIAULT. Okay. I'm asking you a question here. Do you think, I want you to put your name on the line. Do you think that Mastodon's gonna be the next TikTok?


GRAHAM CLULEY. I don't know that it'd be the new TikTok.


CAROLE THERIAULT. For old people.


GRAHAM CLULEY. Oh yeah, exactly. 'Cause TikTok's not for me. I don't want videos. So I don't know about that, but I think Mastodon has just become another big player, but an unusual one because Mastodon, unlike the Twitters, unlike the Facebooks, is not owned by one entity. It's not owned by one billionaire. It's a decentralized network, which means no one can ever buy it. No one can ever decide we're going to have ads on it. No one can ever scoop up everyone else's data and information. And try and exploit it. And I think people quite like it. Now, as we're seeing lots of people coming on to Mastodon, what I thought would be useful— I know we have a slightly nerdy audience. Well, people who are interested in technology listen to Smashing Security, and I thought it'd be useful, as many of those people might be considering checking out Mastodon, just running through a few of the things you should consider.


CAROLE THERIAULT. Right. Okay.


GRAHAM CLULEY. Security and privacy-wise. Okay. Some of these are bleeding blind and obvious to you and me, maybe not to all Mastodon users. And if you've got, you know, friends and family who are going on to Mastodon, these are things to bear in mind as well. Some of them you may not have realized and are like, whoa, that's a bit weird. All right. So let's begin.


CAROLE THERIAULT. Let's go.


GRAHAM CLULEY. Here's the most obvious one. Passwords.


CAROLE THERIAULT. Yeah, yeah, yeah.


GRAHAM CLULEY. On Mastodon. All right. All right. On Mastodon. Choose a strong, unique password, right?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Don't use the same password, right? Don't use your Twitter password. Otherwise Elon might log into your account.


CAROLE THERIAULT. Store it in your handy password vault.


GRAHAM CLULEY. Have a password manager, actually a password vault. Securely store your password. So that's, you know, kind of like what we say all the time, isn't it? Have strong passwords, right? But that, of course, is the first step. With Mastodon, you can also enable two-factor authentication where it's not just going to ask you for your password, it's going to ask you for a one-time time-based password, and that's generated by an app on your phone or maybe your password manager, et cetera, et cetera. Again, something we talk about a lot.


CAROLE THERIAULT. And good that they have it.


GRAHAM CLULEY. Yeah. Good that you can do it. And in fact, you can do it even better. You can actually also enable a hardware authentication key. So if you have something like a YubiKey, which you use, and some people who are really concerned about security and privacy have those, 'cause it's like an extra step beyond the authentication app. Well, Mastodon handles that too. All right. Cool. Now, this is an important one, which is direct messages.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now, direct messages, they work differently on Mastodon than you might expect.


CAROLE THERIAULT. Are they called direct toots?


GRAHAM CLULEY. Uh, no, no, they're called direct messages. Unimaginatively. They could have—


CAROLE THERIAULT. they could have had so much fun.


GRAHAM CLULEY. So a direct message isn't really private. It's not encrypted. The messages are stored in clear text on your Mastodon server. Everyone logs into it. Well, not everyone, but there's lots of different Mastodon servers. As I said, it's not just one site, but the server which you've chosen to associate your account with, they could see your messages. So if you're messaging someone, just be aware someone else could read that. And to their credit, they actually display a message saying, don't share any sensitive information over Mastodon and don't, you know, on your direct messages, you know, don't say something which you wouldn't want someone else to see. Instead, what you should do, of course, is use a secure messaging system like Signal. Another thing that we've tried to get people to switch to but hasn't reached critical mass. So everyone's on bloody WhatsApp instead. Owned by Mark Zuckerberg or some other ghastliness. Right, so that's a fairly simple message, right? Which is that the messages aren't encrypted, they could be read by someone else, the direct messages. But there's a bigger danger with Mastodon direct messages. So imagine this, imagine that me and Maria are talking on Mastodon, right? In a direct message.


CAROLE THERIAULT. Right, you're going, "You know what Carole did yesterday? Let me tell you what Carole did. You won't believe it." Exactly.


GRAHAM CLULEY. And if I had gone, "Oh, that bloody @Carole," right? If I'd mentioned your username with the little symbol in front of it, it copies you in on the bloody message.


CAROLE THERIAULT. Isn't that— doesn't Twitter do that?


GRAHAM CLULEY. Not in a direct message, it doesn't.


CAROLE THERIAULT. Ah, I see. I see. So you think you're alone in your little world and then I'm suddenly just hoovered in to see the message of you bitching about me. Exactly. Or completely.


GRAHAM CLULEY. Exactly. So this is specifically about @Carole. It doesn't happen with any other username. It's specifically if anyone's— no, of course it does. It happens with any username. So if you mention anyone else, so the example, I've written a blog post about this and I'm imagining that the Beatles are arguing at Abbey Road, for instance, and George and Paul are bantering around, slagging off Ringo's drumming, and they make the mistake of tagging Ringo. And before you know it, the Liverpool lover from Liverpool, you know, can see that his bandmates are slagging him off.


CAROLE THERIAULT. This is a very good reason to have nicknames for people like "the dweeb" or—


GRAHAM CLULEY. But imagine this. Imagine you weren't just slagging off a friend. Imagine you were saying, I've just received a really creepy message from this user or from this guy. And you included his account name in the person you were telling it to, like, watch out for this guy, he just posted a dick pic at me or something.


CAROLE THERIAULT. Yeah. Yeah.


GRAHAM CLULEY. And he would then get included in that, which you don't want. So if it, so there is a serious side to this. It's not just a bit of, oh dear, it suddenly your abuser could know that you're complaining about them.


CAROLE THERIAULT. Is this something they're dealing with or is this something?


GRAHAM CLULEY. This has been the case for years and I don't know if there are any plans. I mean, as it becomes more mainstream, I think historically they've kind of thought, well, we warn people about this and we tell people, you know, don't do these things because it could be— it's more of a conceptual way of how these so-called direct messages work, I think, because it's really a post. It's really a post which you've said only this person with this user ID can see. So if you mention someone else's user ID, it includes them on the visibility to the post. Does that make sense?


CAROLE THERIAULT. I completely understand what you're saying. I think our listeners are probably following too. What I'm wondering is why offer direct message at all? Because that's not what it should be called.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. It's more like, um, I don't know.


GRAHAM CLULEY. What is it? Yeah. I think people are expecting a direct message facility because they're used to it from other services. But, um, It's a problem. I would like to see them somehow address this.


CAROLE THERIAULT. I would call it mini broadcast.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Instead of a mega broadcast.


GRAHAM CLULEY. Yeah, yeah. Maybe a silent but deadly toot, perhaps. Something which warns people.


CAROLE THERIAULT. I don't, yeah, I'm not sure about the name toot. I think that's also—


GRAHAM CLULEY. That boat has sailed. That boat has sailed.


CAROLE THERIAULT. Where are they from?


GRAHAM CLULEY. Where's who from?


CAROLE THERIAULT. Mastodon. Where was it conceived?


GRAHAM CLULEY. A German guy originally.


CAROLE THERIAULT. Oh, well.


GRAHAM CLULEY. But now it's open source.


CAROLE THERIAULT. They're very smart people, so.


GRAHAM CLULEY. They are, they are, they're intelligent.


CAROLE THERIAULT. They are.


GRAHAM CLULEY. Bit of tooting, you know, all that sort of thing. So, okay, I think that's quite a biggie for people to be aware of. Yeah. You jump in, you think it's just a Twitter replacement and suddenly, uh-uh.


CAROLE THERIAULT. Don't bitch about Carole, yeah. Right. You never know, I might be on there.


GRAHAM CLULEY. Okay, now another one. Elon Musk keeps talking about verified accounts, right? He's got himself embroiled in all of that, the so-called blue tick thing, flogging it to people. And blue ticks have historically been given to public figures, celebrities, top cybersecurity podcasters, that kind of thing, journalists, that sort of thing, to verify their identity. Of course, he's now gonna be charging. People want to be verified on Mastodon as well to say, yes, this really is me, right? This isn't a fake Graham Cluley.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Some people, I saw Maria Varmazis do this, she added an emoji of a blue tick to the end of her username. So every time her name appears, you also see the blue tick symbol. It's actually a white tick on a blue background, but you get the idea.


CAROLE THERIAULT. I mean, it's very clever, but it's not like someone couldn't do that. Yeah. Yeah.


GRAHAM CLULEY. But to the casual user, they might be fooled by that. Well, don't be fooled by that or any other kind of emoji. But what Mastodon does do is it doesn't have a verified program like Twitter used to. It does let you self-verify yourself. So what you can do is in your profile, you can include links like a link to your website, for instance, if you have one. And so I link to my website. I say, here's my website, grahamcluley.com, blah, blah, blah, blah, right? Meanwhile, on my website, that links back to my Mastodon account. And so the two see each other and it says, oh, Graham is pointing here and he's pointing back to here. And because only Graham presumably can administer his website, this must be the real Graham. That's interesting.


CAROLE THERIAULT. Yeah, yeah, yeah. That's interesting. That's rather cute. Yeah.


GRAHAM CLULEY. So, so you can at least see if you go to someone's profile and look in their about information, if they have something there which they haven't just included a link, but it's got a little green tick by it, that means that it's been verified as they actually have control over that domain. So I have control over grahamcluley.com. And if we created a Smashing Security Mastodon account, we would, we would do the same thing with that as well. So why else is this important? This is my final really big tip on Mastodon: you are leaping onto Mastodon and you're looking for people to follow and maybe you're looking for famous people, maybe you're looking for celebrities that you used to follow on Twitter, because that was a big reason why people like to use Twitter, to see what celebs were doing. Well, it's really easy for anyone right now to create an account using the names of famous people on Mastodon, people who may not have established a presence on Mastodon. So make sure you go to their profile and look for a verified link to their official website, one with the little green tick mark. Because otherwise it might be a fraudster who's at work and they could post disinformation, cryptocurrency scams, malicious links, whatever it might be. So just be careful because I think what happens is people go on to Mastodon, they're looking for people to follow, and Lord knows how many people right now are creating accounts in the name of Elon Musk.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. So it's pretty fun. I think play with it, but be careful. Obviously, the usual rules apply for any website you're posting on. Be wary of links that are shared. Don't trust everything you read. Never share your password. Take care about being phished.


CAROLE THERIAULT. Or, you know, take a break from social media.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. Just calm down a bit.


GRAHAM CLULEY. Well, it's easy for you to say, Carole. Why?


CAROLE THERIAULT. Because I'm on the other side saying, hey guys, it's really fun. I also say that about, you know, yoga.


GRAHAM CLULEY. I mean, you are just better than us. You're better than all the rest of us.


CAROLE THERIAULT. I'm not better than you. You guys are just in some weird Warpville.


GRAHAM CLULEY. I wouldn't believe all that stuff people have been writing about you on Mastodon in my direct messages. Don't worry about it.


CAROLE THERIAULT. I'm not.


GRAHAM CLULEY. Don't worry about it. Nice try though. Carole, what have you got for us this week?


CAROLE THERIAULT. Do you remember Hushpuppi? Hushpuppi with an I. Ray Hushpuppi.


GRAHAM CLULEY. Not the things you put on your feet. You're talking about— This guy was an extraordinary Instagram influencer who got into a spot of bother.


CAROLE THERIAULT. If you tell the whole story right now, it's gonna be quite a short story. Just want you to know that.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Just go, yeah, yeah, I do, I do.


GRAHAM CLULEY. Hushpuppi, yeah, Ray Hushpuppi. I remember him. Yes. I think we've talked about him before, haven't we? Yes.


CAROLE THERIAULT. Do you remember his real name?


GRAHAM CLULEY. No, no, no, no.


CAROLE THERIAULT. Raymond Abbas. Okay. Raymond Abbas. And quite the Instagram influencer, wasn't he? Insta. He was Insta Man.


GRAHAM CLULEY. He had all the luxury brands, he was flying around the place.


CAROLE THERIAULT. Yeah, yeah, 2.5 million followers, so not bad. And yeah, most of his stuff on his site seemed to be him looking really rather smug, very well groomed, with that kind of shiny complexion that can only come from— I don't know what the rich put on their skin. You know, spoiled, deserving, looking deserving. Yeah. And maybe you're just saying this is why people join social media to go look at these kind of people. So he has 2 million followers because people want to see pictures of a smug, rich, spoiled, and deserving looking person. Is that right?


GRAHAM CLULEY. You're being a little bit unfair, Carole. He's having a fantastic life. He's seeing the world. If you are living in Doncaster and it's raining all the time, you might want to see someone having a fantastic time on a private jet flying to Paris expensive watches, you may just like, oh, that's, that's great, how good for him, you know, guy having a great old time.


CAROLE THERIAULT. Just watch a travel ad. Well, I suppose the thing is, when you look at this, it's going, well, where you're getting all your money, right? This is an expensive lifestyle. We're talking, you know, yachts and, you know, swanky cars and the clothes and the threads and everything. And he publishes this, of course, by cybercrime and money laundering, specifically BEC scams, because Hushpups— Hushpups isn't into lonely grannies anymore.


GRAHAM CLULEY. Hang on, hang on. Are you on first name terms with Hushpups? Well, no, mind you, you're not calling him Ray, you're calling him Hushpups.


CAROLE THERIAULT. Yeah, that's my nickname for him.


GRAHAM CLULEY. Okay, great.


CAROLE THERIAULT. You see, now I can gossip about him on Mastodon and he would never be the wiser. You see? Smart. Anyway, Hushpups, he's not into lonely grannies anymore. This is how apparently he cut his teeth though, in the cyber underworld. But now he's into the big time where the fishies are fatter, juicier, richer. And he used these BEC compromises to do businesses, you know, and you know how it works. You know, you pretend you're someone legit in order to get someone to hand over money to you, right? And then they feel screwed.


GRAHAM CLULEY. Yeah. So this is where companies are fooled into transferring money into a scammer's bank account because they think it's someone they're doing business with also. Yeah. Okay. Yeah.


CAROLE THERIAULT. But you know, I was thinking when I was writing this, I was like, what's worse? Is it worse if I duped you into giving me all your money versus me sneaking into your house and stealing all your money? What's worse?


GRAHAM CLULEY. Well, I wouldn't hopefully store all of my money at home.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. But, but, sorry, are you alright? Are you having an asthma attack? What's going on?


CAROLE THERIAULT. No. 'Cause could we just— I would of course have many different accounts around the world and it would be very difficult, in fact impossible, for you to get all my money. However, to answer your question, I wouldn't want Ray Hushpuppi coming into my home.


GRAHAM CLULEY. That'd be quite scary in the middle of the night. I wouldn't enjoy that. No, I wouldn't want anyone coming into my house uninvited.


CAROLE THERIAULT. But being duped is extra because you still end up with no cash. Yeah, but someone's basically snaked their way into your trust field and convinced you to give them all your money.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And the thing is that, you know, Hush, Hushie, was quite successful at his, uh, new nickname, his criminal craft, to the tune of $24 million. On top of that, he has been called, uh, one of the most prolific money launderers in the world.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. We've talked about some of these things before, but he helped his handful of cohorts to launder millions of pounds stolen from a Premier Football Club in the UK.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. He also got a New York-based law firm to transfer nearly $923,000 to a criminal account. This is how he affords his fast cars and the like, right?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. In 2019, he helped launder $14.7 million stolen by a North Korean hacker group. From a bank in Malta. And he funneled the money through banks in Romania and Bulgaria.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. He also tried to defraud someone in Qatar by selling a $15 million loan to build a school. And I said tried because this was the beginning of his downfall. And we covered this— by we, I mean you covered this in episode 265. Do you remember the story?


GRAHAM CLULEY. Oh, one of my favorites. Well, I, of course, I remember every single word that I said.


CAROLE THERIAULT. Do you? No, but do you remember this one? Or do you want me to— give me a little, little hint.


GRAHAM CLULEY. Well, maybe, maybe I'd love, I'd love to hear your telling of it, Carole, rather than, you know, people get bored of my voice.


CAROLE THERIAULT. I never remember my stories either. Isn't that crazy? So this is where Hushpuppi and co. apparently faked the financing of a Qatari school by playing the roles of bank officials and creating a bogus website. And he and one of his conspirators, Vinny, Vinny fell out mid-swindle. Hey.


GRAHAM CLULEY. Hey, Vinny, Vinny.


CAROLE THERIAULT. Yeah, that's exactly what he did on that show as well. Cause I listened to it earlier today.


GRAHAM CLULEY. Okay. Okay.


CAROLE THERIAULT. And Vinny got pissed off with him and he snitched.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. On Hushpuppi to the Qatari target. But then Hushpuppi bribed a fellow Nigerian Instagram influencer, Dirty Supercop, to bring Vinny down. Okay. You can hear the whole story in episode 265, cause it is a crazy story. You couldn't make it up.


GRAHAM CLULEY. It is an extraordinary story. Yeah. And he was tied up with the North Koreans, as you said, and the Lazarus Group. And it's, there's more to read about this in Geoff White's book as well. If you grab a copy of The Lazarus Heist. Yeah.


CAROLE THERIAULT. Yeah. There you go.


GRAHAM CLULEY. Plug for you, Geoff.


CAROLE THERIAULT. Yes. Good plug. Good plug. Anywho, Hushpuppi, aka Ramon Abbas, he was arrested in 2020 in Dubai, then flown to the US in June 2020 to face charges of multimillion-dollar fraudulent schemes, including bank cyber heists. In 2021, he reportedly pleaded guilty to money laundering in an LA court.


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. And this week he was scheduled for sentencing. And before getting his sentencing, he worked very hard to get his sentence reduced.


GRAHAM CLULEY. Well, that's what I was thinking. Cause you said he was found guilty in 2021 and he's only been sentenced now.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. I suspect in the interim he has been helping the authorities a little bit.


CAROLE THERIAULT. Yes, he may have been helping the authorities, but he's also begging.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. So 40-year-old Hushpuppi has personally sent a handwritten letter to the judge giving assurances that he is a changed person and promising to make full restitution in excess of the benefits he derived from the crimes to the victims.


GRAHAM CLULEY. Hmm.


CAROLE THERIAULT. Which I'm sure if you parse that legally means probably not doing too much of that. Apparently, two imams also wrote to the judge in Los Angeles appealing for leniency, saying he regularly helped out widows and orphans, as well as donating things to feeding programs.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And his wife wrote in too, saying his arrest has plunged her into hardship, noting that she has to do overtime in order to pay for their children's private education. I bet you feel her pain, Clew.


GRAHAM CLULEY. She could possibly send them to state-funded schools instead, couldn't she? If she's really hard up.


CAROLE THERIAULT. She could. Yeah. If you're feeling hard up, that is the solution, isn't it?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah. So this guy is now saying, I'm a real Robin Hood. I did hone my skills by duping and robbing our grannies and then went to businesses. But please, please, pretty please, please. However, he was still sentenced to what they were expecting, 11 years. Ooh. And he sports a $2 million restitution hole in his pocket. Which he needs to pay back. So, there you go. Do you trust him? Do you think he's changed? Do you think he's turned a new leaf, become a good guy?


GRAHAM CLULEY. Well, he's got 11 years to ponder about it, hasn't he? And, you know—


CAROLE THERIAULT. Like, what's annoying is he stole tons of money. It's not like he was giving all this money to good causes. No. He's obviously helped a few people, but he did hurt a huge amount of people and businesses. And then showed off.


GRAHAM CLULEY. Yes. And what to think about all those poor Instagram followers who are no longer going to be entertained? Is he going to be— is he going to be posting pictures or is he going to be tooting from the prison cell, I wonder?


CAROLE THERIAULT. Will Hushpuppi be hushed up? Find out next time.


GRAHAM CLULEY. He'll have fun smuggling the phone in, I expect. That's what normally occurs, from what I've been told. We all know that data is the most important asset of any business. And the value and usage of information makes data very tempting to thieves. With Sealit, however, you can protect, share, and monitor confidential emails and files without passwords. And it's all integrated with Gmail, Outlook, and file systems. Deploy Sealit across your organization within minutes and achieve peace of mind thanks to its end-to-end encryption that relies on the Zero Trust security model. Get the right tool to own your data and gain great Sealit benefits. Plus, Sealit is offering a very special deal for all Smashing Security listeners. Anyone who signs up for the professional plan before 2nd of December, 2022 can grab 30% off Sealit for a year. And if you sign up to Sealit, listeners can also grab a free Sealit signature Zero Trust t-shirt.


CAROLE THERIAULT. Woo-hoo!


GRAHAM CLULEY. Check out more about Sealit and take advantage of these offers at smashingsecurity.com/sealit. That's smashingsecurity.com/sealit. Com slash S-E-A-L-I-T. And thanks to Sealit for supporting the show.


CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds, and every— A free Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.


GRAHAM CLULEY. The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's kolide.com/smashing. And thanks to Kolide for supporting the show. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security-related. Last night I popped out onto the puddled streets of Oxford to go to the cinema to see a film.


CAROLE THERIAULT. In the cinema? What is this, 1999?


GRAHAM CLULEY. The cinema. Actually there, surrounded by people. Someone actually was chomping on popcorn. There was a lady in front of the popcorn chomper who got very upset and turned around. This isn't as dramatic a story as to what happened to you, Carole, in the Viennese opera. But it was—


CAROLE THERIAULT. No, but obviously really dramatic in a movie theatre that someone says, "Do hush with the popcorn eating." For Oxford, it was quite dramatic.


GRAHAM CLULEY. Anyway, I was there to see a movie, a movie starring Bill Nighy. Is that how you say it, Bill? Bill Nighy.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And I like Bill Nighy. Do you like Bill Nighy?


CAROLE THERIAULT. Me too.


GRAHAM CLULEY. Yes. I do too.


CAROLE THERIAULT. I don't know why, but I've always liked him.


GRAHAM CLULEY. He's just got that irascible sort of rogue sort of thing about him, hasn't he? He talks a bit— That's quite a good impression.


CAROLE THERIAULT. Did he do the Nescafé ads? Did he do those or that's the other one? I mix them up with something.


GRAHAM CLULEY. Are you thinking of the professor from Buffy? He used to do them.


CAROLE THERIAULT. Yeah, exactly. I mix them up. But I think Bill Nighy did— Did Bill Nighy do them too?


GRAHAM CLULEY. Probably. I don't remember Bill Nighy doing coffee adverts, but maybe he has. Anyway, the movie I saw was called Living. L-I-V-I-N-G. And Bill Nighy's not doing his usual shtick of being Bill Nighy. I think quite often he's asked to be Bill Nighy, right? He's got certain quirks about him.


CAROLE THERIAULT. What?


GRAHAM CLULEY. I've seen him in Love Actually, and I've seen him in About Time, and I've seen him in Doctor Who. And, you know, I think he's, I think he's got quite a lot going for him, but he's quite often a little bit, you know, sort of like aging rock star kind of thing. Anyway, he is superb in this. He gives such a measured, gentle, quiet, unshow-offy performance. And he's actually—


CAROLE THERIAULT. He always does. He's excellent at it.


GRAHAM CLULEY. All right. I think he's, I think he's doing something different in this one. Anyway, let me tell you. About the story. It is set in the 1950s. And it is set in London. And Bill Nighy is working at the London City Council, as it was then. And he's told that he has a fatal illness. He's gonna die, right? He's only got 6 months to live. And—


CAROLE THERIAULT. This is a comedy?


GRAHAM CLULEY. And it inspires him to change some of his life and cram a bit of fun in and spread a little bit of good.


CAROLE THERIAULT. Oh, are you getting a message before you get on your announcement? You're going to start having fun now?


GRAHAM CLULEY. What? Before I get—


CAROLE THERIAULT. Start living the dream?


GRAHAM CLULEY. Before I go to the doctors, you think? It's rather lovely. And he meets up with a sunny young female colleague. I pictured you and me actually, Carole. I thought, here I am, here I am, the aging, irascible veteran. And the young flighty thing, you. And she has all this pep. She has all this vim and zest and ignites something. And they don't get off. There's no smuttiness going on. There is a belly dancer at one point. But other than that, there's nothing like that. But it's lovely. The screenplay is by Kazuo Ishiguro, who did The Remains of the Day, and it is based upon a film which came out in 1952 in Japan called Ikiru.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Which Kazuo Ishiguro loved. And apparently that is based on a story by Leo Tolstoy from 1886. But anyway, it is a delightful movie. I really liked it. It's called Living, and I recommend it.


CAROLE THERIAULT. Right. And how are you—


GRAHAM CLULEY. There are no superheroes. There's no great big punch-ups. There's no car chases. And that's how I like my movies.


CAROLE THERIAULT. Well, you're not going to like my pick of the week.


GRAHAM CLULEY. Oh, what's your pick of the week, Carole?


CAROLE THERIAULT. Well, mine is Netflix series called KLEO. I think I've told you about this. I don't know if you've dived in yet, Clew.


GRAHAM CLULEY. KLEO like Cleopatra? Is this set in Egypt thousands of years ago?


CAROLE THERIAULT. No, K-L-E-O. So it's actually set in Berlin, late '80s, early '90s.


GRAHAM CLULEY. Oh, Berlin. In the '80s, I see.


CAROLE THERIAULT. And we have Jella Haase. She is playing Kleo Straub, who is an unregistered agent for a top-secret Stasi department. And her main job is to nip from East Berlin to the West to eliminate enemies of the state.


GRAHAM CLULEY. Ooh, this sounds juicy.


CAROLE THERIAULT. Yes. And she does this with cold, calculating, unflinching demeanor, right? So she's a real killer machine.


GRAHAM CLULEY. Does she do kickboxing or anything like that? Does she do a high kick?


CAROLE THERIAULT. She's just got that real kind of stillness about her when she's in the zone. But then she morphs into like quirky, cute, sassy kind of character. So it's a bit Villanelle from Killing Eve.


GRAHAM CLULEY. Oh, Killing Eve. Yes.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. She's an assassin, isn't she? Yes.


CAROLE THERIAULT. Oh, wonderful. Yes. So it has a similar hook to that, I think. And basically Kleo wants revenge on all those that hurt her, and she finds unusual sidekicks to help her along because it's pretty, you know, it's a bit of a thriller killer revenge story until these two who provide a bit of comedic relief show up in the story. So you have Thilo. He's kind of, I think, the metaphor for West Germany because he's kind of just this kid jumping— as in pastry? No, Thilo as in T-H-I-L-O.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Yeah. And then there's this cop, there's this cop, undercover cop from the West that she meets up with called Sven. And they both end up bringing unusual twists to the story. And of course, the backdrop is late '80s, early '90s. So the Wall's coming a-tumbling and the entire communist regime is falling apart in East Berlin. And the production is stylish, edgy, fun.


GRAHAM CLULEY. And this is a series, is it, on Netflix?


CAROLE THERIAULT. Yes, series. There's 8 parts. I really enjoyed it. If you like Killing Eve and miss it, this is a very good substitute.


GRAHAM CLULEY. Hmm.


CAROLE THERIAULT. So that is Kleo, and you can find it on Netflix. And that is my pick of the week.


GRAHAM CLULEY. So there you are. You can choose between—


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. 1980s Berlin assassin, or my civil servant having a very quiet, gentle time as he faces his—


CAROLE THERIAULT. I think it says a lot about our personalities, Clew.


GRAHAM CLULEY. It really does, doesn't it?


CAROLE THERIAULT. It really does.


GRAHAM CLULEY. And that just about wraps up the show for this week. You can follow us on Twitter. We're still there. We haven't created a Mastodon account yet. @SmashinSecurity, no G. Which wouldn't allow us to have a G. And we also have a Smashing Security subreddit. And don't forget, we would love you to never miss another episode. And the way to do that is to follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Bitwarden, Kolide, and Sealit. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, contact and sponsor information, and free access to the last 296 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye!


CAROLE THERIAULT. Clew, I have a little idea for you. Why don't you walk me through creating a Mastodon account and we could record the process and all my feelings and all the frustrations and we can slap it up for our Patreon listeners. So if anyone wants to create one, they can do one with you telling them how to do it.


GRAHAM CLULEY. We could do that. Yeah.


CAROLE THERIAULT. You know what I mean? As a kind of maybe Xmas special or something.


GRAHAM CLULEY. Yeah, that could be fun as well.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. You'd get exasperated with me.


CAROLE THERIAULT. Oh, and I suspect you with me as well. Patreon supporters, you like this idea? Let us know.

-- TRANSCRIPT ENDS --