Seized cryptocurrency is stolen from the DEA, blue-ticks are being exploited, a bath full of dollar bills, the comfort offered by an ostrich's head, and how Graham is refusing to call Twitter "X".
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- The DEA Accidentally Sent $50,000 Of Seized Cryptocurrency To A Scammer - Forbes.
- Stranger sent dick pics so I convinced him he was dying - YouTube.
- Creeps Airdropping Dick Pics Is the Latest Air Travel Nightmare - Vice.
- Airdrop scam tokens - Trezor.
- Brother of Criminal Bitcoin Mixing CEO Pleads Guilty to Stealing 712 Bitcoins From IRS - CoinDesk.
- Blue-tick scammers target consumers who complain on X - The Guardian.
- Infinite Mac.
- Classic Mac OS - Wikipedia.
- Perplexity AI - chatbot.
- CrazyGames.
- Braingle.
- 40 Weirdest Things on Amazon That People Actually Love to Buy - Good Housekeeping.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Beyond Identity – Enables companies with the ability to completely eliminate reliance on passwords and protect against password-based breaches, fraud, and ransomware attacks. Get a free demo.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Confusingly, this phrase is used in two different ways. So airdrops related to cryptocurrency are one thing. What you're thinking about can be associated with threats. For instance, people send unsolicited dick pics to people on the train or on their bus.
UNKNOWN. Isn't the reply always, "Sorry, I don't smoke"? Isn't that what— Smashing Security, episode 1. Episode 337: The DEA's Crypto Calamity and Scammers' Blue Tick Bonanza with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 337. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Now, Carole, I am dashing off to the airport. I've got to catch a plane to Sweden where I'm giving a talk.
CAROLE THERIAULT. Very exciting for you.
GRAHAM CLULEY. Well, it is exciting, obviously. Perhaps more exciting for me than it will be for people in the audience. But maybe we should just get this thing done and August will be over.
CAROLE THERIAULT. Yes. Okay. Before we kick off, let's first thank this week's wonderful sponsors, Kolide and Beyond Identity. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?
GRAHAM CLULEY. I've got a cock-up. I've got a crypto cock-up.
CAROLE THERIAULT. Ooh. And I've got a customer complaint problem. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, Chum Chum, I was reading Forbes. I was reading Thomas Brewster, who's cybersecurity journalist there. He's got some good scoops. And my eye was caught this week by a report from him, which perhaps underlines that anyone can fall for a scam. So let me tell you what happened. Back in May, The US Drug Enforcement Agency, the DEA, seized over half a million dollars worth of cryptocurrency from two Binance accounts.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And they did this because they thought that the proceeds of drug sales were being funneled through these cryptocurrency accounts.
CAROLE THERIAULT. Right. So they seized the cash thinking this is up to no good. This is illegal earnings. Yeah.
GRAHAM CLULEY. They just ripped it away, I suppose, from the drug dealers or whoever was using this. And, you know, good news, right? Criminal enterprise, drug proceeds nabbed by the law. We've seen similar things take place many times in the past, not just against drugs, but also ransomware groups, even terror organizations.
CAROLE THERIAULT. Absolutely, sure.
GRAHAM CLULEY. You know, so this is the world we live in today where they are using cryptocurrency to exchange their funds, to launder their ill-gotten gains. That's not to say, of course, that all cryptocurrency transactions are dodgy, because they're not. It's just real-world cash. It can be used for good as well.
CAROLE THERIAULT. Except they're unregulated. So, you know, keep that in mind.
GRAHAM CLULEY. Well, certainly, yeah, it's harder to do things, isn't it? So the story doesn't end there. It doesn't end with the seizure of the cash. If it did, it would really mean that I'm rushing to the airport.
CAROLE THERIAULT. Exactly. I was going to say, you're really late. Okay, well, good story.
GRAHAM CLULEY. I haven't packed my backpack yet. Can't find my toothbrush. But I'll do that in a minute.
CAROLE THERIAULT. What's new? Every single time we've traveled together, there has always been a journey to some Marks & Spencer's version to get Graham some pants or to Boots to get a toothbrush. You always forget.
GRAHAM CLULEY. Zagreb.
CAROLE THERIAULT. Or cables. That's the other thing.
GRAHAM CLULEY. Zagreb. Yeah, Zagreb, I forgot my underpants, didn't I? So we had to go and get some, I think, there. But anyway, yes.
CAROLE THERIAULT. So you're welcome, by the way.
GRAHAM CLULEY. Thank you very much. So the story doesn't end there though, because cryptocurrency, it's now in the Fed's hands, right? It's in their hands, but what are they going to do with it? And of course, one of the important things is they need to secure it. It needs to be securely held because this is the matter of an investigation.
CAROLE THERIAULT. Yeah, you're not going to leave it on the counter at McDonald's, right? No, no, no.
GRAHAM CLULEY. So what they do is, it's quite sensible, they store it in a hardware wallet, like those made by Trezor, rather than an online exchange, which get hacked all the time or suffer some kind of security breach. And so that hardware wallet, that thing which plugs in via USB stick, is stored somewhere at Drug Enforcement Agency HQ. It's located in a secure facility. No one unauthorised is likely to be able to just wander into the building and plug it in and steal the money from it. They'd still need all the keys and things.
CAROLE THERIAULT. The thing is, we should remind listeners, of course, if you use this type of thing, you cannot lose that little piece of hardware, right? Let's not misplace that down the couch.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Right? Don't let it fall out of your pocket when you're on the loo or something.
GRAHAM CLULEY. Don't let it slip down any cracks at all, unless you're trying to hide it from law enforcement, I imagine. But yeah, don't do anything like that. But also, they had to move the funds, because it's not up to the DEA to store the funds. So they can't keep it forever in that cryptocurrency wallet.
What they needed to do was pass it over to the US Marshals, who handle the funds, right? So they're the ones with the big buckets of bitcoin or whatever. And so what the DEA did — they decided, well, we're going to have to do a cryptocurrency transaction. And so what you do is you send a very small test amount to the cryptocurrency wallet, which is owned by the US Marshals.
So they had the US Marshals cryptocurrency wallet address, and they transferred $45.36 worth of cryptocurrency to the US Marshals. So they're waiting for that $45.36 to be returned to them by the US Marshals.
CAROLE THERIAULT. Or acknowledged and saying, yeah, yeah, the test works, all good.
GRAHAM CLULEY. We've got that. Yeah. Now send the rest of the money or something like that.
Yeah. So you expect something that to happen just to make sure there's no little screw-up on the way. But there is, with cryptocurrency, this thing called the blockchain. And the blockchain is public. And so anyone is able to look at the transactions which are being moved between different wallets.
Wallets on the blockchain.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And so this is no secret transaction from the DEA to the US Marshals. You may not know that it's the DEA sending it to the US Marshals unless you happen to know their cryptocurrency wallet addresses, but you see the movement of the funds.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. And what the scammers did, because there are scammers involved in this story. No! I know, it's a shock. It's a shock on Smashing Security when scams come up.
So what the scammers did, is what's known as an airdrop scam. Now, have you heard of this airdrop scam before?
CAROLE THERIAULT. No, I know what airdrop is from the Apple parlance. Is that the same kind of thing?
GRAHAM CLULEY. No. So confusingly, this phrase is used in two different ways. So airdrop scams related to cryptocurrency are one thing.
Airdrops, as what you're thinking about them, can be associated with threats. For instance, people send unsolicited dick pics to people on the train or on their bus via AirDrop. So you get a message pop up on your iPhone saying someone's trying to AirDrop you a picture and you look and you go, oh my goodness gracious, I don't want that.
CAROLE THERIAULT. Isn't the reply always, sorry, I don't smoke? Isn't that what?
GRAHAM CLULEY. Well, one woman received a dick pic recently and she said, oh my God, you know, thank you very much. That's very flattering, but I think you need to see a doctor. And she claimed to be a medical expert and said that she'd spotted some unpleasant mark on his sort of, I don't know, lower abdomen, which suggested he was going to— anyway, she managed to completely scare this guy.
CAROLE THERIAULT. But you digress.
GRAHAM CLULEY. But I digress. Anyway, normally, unsolicited dick pics sent via AirDrops. There was last summer a pilot on a Southwest Airlines flight who said he was refusing to take off until someone stopped sending naked photos to other passengers. And I've actually got some audio of that right here. "So here's the deal. This continues while we're on the ground. I'm going to have to pull back to the gate. Everybody's going to have to get off. We're going to have to get security involved. And it's vacation that's going to be ruined. So you folks, whatever that airdrop thing is, quit sending naked pictures. Let's get yourself to a car home." He's keeping very calm, that pilot. I think he's handling it. He sounds like my parents.
CAROLE THERIAULT. This is insane. Okay.
GRAHAM CLULEY. Okay. So that's not the kind of airdrop we're talking about. What we're talking about in the context of cryptocurrency is an airdrop scam is different.
A scammer creates a new cryptocurrency wallet which looks similar to the one used by, in this case, the US Marshals. So it has the same first 5 and last 4 digits of the US Marshals cryptocurrency wallet address. Because cryptocurrency wallet addresses are really long.
CAROLE THERIAULT. But I didn't know that you could choose your number, like a kind of license plate or something. Like, presumably it's assigned to you, or have you stolen it from someone else, a similar one on purpose?
GRAHAM CLULEY. I don't know. I don't know.
CAROLE THERIAULT. Yeah, okay, sorry. Okay, pretend that never happened.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Okay, shh, shh, shh.
GRAHAM CLULEY. Because people can't remember 30-character-long cryptocurrency wallet addresses, but they do sometimes, quite often, look at the first few characters and the last few characters and say, "Oh yeah, that's it. That's them." So what the scammer did was he saw this transaction, and then he sent an identical amount of funds into the DEA's cryptocurrency account.
Right? So he sends an identical amount, which the DEA sent to the US Marshals.
CAROLE THERIAULT. Right. Saying, hey, money received. Here it is back. All good. But he's the scammer.
GRAHAM CLULEY. And then what happened is the person at the DEA just copied and pasted the entire cryptocurrency wallet address.
CAROLE THERIAULT. Job's done. Let's go home. It's fajita night. Yep.
GRAHAM CLULEY. Rather than typing it out. And they sent $55,000 worth of cryptocurrency. Thankfully not the full half million.
CAROLE THERIAULT. Okay, right.
GRAHAM CLULEY. So they were sending just a chunk of it. And by the time they realized, the two different agencies realized, hang on, we've sent you the cash. No, you haven't sent us the cash. Blah, blah, blah, blah. By that time, the money had been moved out the scammer's account.
CAROLE THERIAULT. I mean, you would move pretty fricking quickly if you pulled that off, wouldn't you? You'd be like, go, go, go, go, go, go, go, go, go.
GRAHAM CLULEY. So the FBI is now investigating. They've associated two Gmail addresses with the cryptocurrency wallets, which were held on Binance.
CAROLE THERIAULT. Okay, wow.
GRAHAM CLULEY. In the hope that they might find out more who was behind the heist. Now, this isn't the only time the authorities have actually had cryptocurrency scammed from them. For instance, earlier this year, a guy called Gary Harmon, he pleaded guilty to stealing 712 bitcoins, which is quite a lot.
CAROLE THERIAULT. Yeah, that's a chunk of change.
GRAHAM CLULEY. Yeah. From the IRS. Anyone ever gets money from the Inland Revenue. Hard to imagine.
CAROLE THERIAULT. Oh, he must have gone to prison for a long time. That's the one people you don't screw with, right?
GRAHAM CLULEY. The thing is, this money had initially been seized by the IRS from his older brother, Larry.
CAROLE THERIAULT. And he was so pissed off.
GRAHAM CLULEY. So Gary and Larry.
CAROLE THERIAULT. You can't make it up.
GRAHAM CLULEY. Now, unfortunately, Gary, who stole the money from the IRS, he might have not been caught so quickly if he hadn't been quite so extravagant with the money. He'd spent it at strip clubs, private jet flights.
CAROLE THERIAULT. Nice.
GRAHAM CLULEY. Even taking photos of himself in a bathtub full of cash, smiling broadly as there were scantily clad dancers around.
CAROLE THERIAULT. Bought himself a Lamborghini.
GRAHAM CLULEY. Yeah. Yes. Oh my God. Do you know what he spent $100,000 on?
CAROLE THERIAULT. Belt buckle?
GRAHAM CLULEY. I don't know. Well, he spent over $100,000 to swim in a pool, a swimming pool with 100,000 $1 bills in it. Surrounded by dancers, which presumably weren't very useful as $1 bills at the end of that process.
CAROLE THERIAULT. Right, so he's keeping a low profile then. That's cool.
GRAHAM CLULEY. He's keeping a low profile, but he'd managed to get money out of the Inland Revenue. So I don't know if that's a modern Robin Hood or not.
CAROLE THERIAULT. Oh yeah, it's very modern. Don't share the money with anybody. Keep it for yourself and dance around kissing it and making, you know, sweet, sweet love to it. Oh God. Robin Hood.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, customer complaints. Okay, Graham, let's say you are feeling rather chuffed with yourself.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And you even feel that you should get yourself a little something to celebrate.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Right? A little present. A little present-to-me day.
GRAHAM CLULEY. Right. Yeah. Okay.
CAROLE THERIAULT. And you've narrowed down the choice to two different products from well-respected online retailers.
GRAHAM CLULEY. Yes. Yes.
CAROLE THERIAULT. Right? And I've put them in the show notes for you to take a look at both of them. Okay. Both of these and make your final decision of which one you're going to want to purchase.
GRAHAM CLULEY. Yes. Okay. So I can— do you want me to describe these pillows?
CAROLE THERIAULT. Yep, yep. I think they're probably worth describing. Yeah.
GRAHAM CLULEY. So the first one is called the Ostrich Pillow.
CAROLE THERIAULT. Well, it's for the man who has everything, of course, right?
GRAHAM CLULEY. For the man who has everything. This is a travel essential, it says, and it's some sort of— is that actually a sort of stuffed toy? You put it over your head like a balaclava, but it looks like an ostrich. So you've— so that means I can just lay my head down anywhere in any direction.
CAROLE THERIAULT. On a lap, on your tray, if you're on a plane.
GRAHAM CLULEY. It looks rather cumbersome, I have to say. Might get a bit sweaty under there.
CAROLE THERIAULT. Yeah, but this is on your top list. So there's this one, or—
GRAHAM CLULEY. Oh yes. And let's scroll down. Oh, okay. So you've got something. It's a— It's interesting. So it's sort of, it's a, it's a cat, it's a cat tissue holder. And you pull tissues out of its butt.
CAROLE THERIAULT. It's actually called the Cat Butt Tissue Holder.
GRAHAM CLULEY. Right. For the man who's got everything.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Home-X Cat Butt Tissue Holder. Lovely. Are they sponsors this week?
CAROLE THERIAULT. So which one are you going to go for?
GRAHAM CLULEY. I'm not sure I do. I'm not sure I ever particularly— Oh, the cat butt tissue holder only costs $40 at Amazon, whereas the ostrich pillow is $99.
So I'm going to go for the $40 butt tissue. Are they tissues for my butt, or is it called butt tissues because they come out of the cat's butt?
CAROLE THERIAULT. These are things that you've obviously pre-researched when you put them on your shortlist. Okay, so you have decided on the cat butt tissue holder.
Fantastic. It arrives on time. You open the box excited, but the product is defective.
It has no butthole. Okay? But they have taken the payment. So that's annoying, right?
GRAHAM CLULEY. And so what do you need to get? Well, I'd probably reach for the corkscrew, I suppose. I mean, it's easier than waiting for a replacement.
CAROLE THERIAULT. It is made of ceramic, so that might be complicated.
GRAHAM CLULEY. Oh, is it ceramic? Oh, it wasn't clear from the photograph.
Okay, that's obviously why it costs so much. Well, I suppose I'd say, hey, you know, can I make a complaint here?
My butt appears to be— sorry, my cat butt tissue holder appears to have some sort of malfunction.
CAROLE THERIAULT. Right. And you might do— when do you hit the socials?
Because if I recall, you're quite good at getting problems sorted out on Twitter. For fuck's sake, I mean X.
GRAHAM CLULEY. Oh, just call it Twitter. I don't like calling it X.
I don't think we should go along with that game. Anyway, but how, when do I?
Well, it would normally take me a few weeks of interaction before I get so frustrated that I think it's time.
CAROLE THERIAULT. So you'd send things directly, you'd get no reply, you'd get annoyed, and you'd hit the Twitter. And by then you're simmering.
You're kind of just like, "Fuck's sake, I want my cat hole butt holder to work."
GRAHAM CLULEY. I want to put tissues in it and pull them out. There's no point having tissues inside a cat if you can't pull them out through its—
CAROLE THERIAULT. But where did you find this complaints? It's in the show notes, everyone, the list of 42 weird items available on the internet.
Now, complaints can range, right, from I don't know, shoddy customer service or products or delays or payment problems, whatever.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And many people take to online in order to bellyache about one of these problems. I couldn't help myself.
It is August. I was feeling a little frivolous, so I thought I'd check out some of the more hilarious complaints that have been made on socials.
So one guy complained to Domino's that his pizza came with no toppings, right? Just bread.
He's annoyed, right? And Domino's replies, dude, we're really sorry, you know, and give him the address to contact.
And then he went, oh, forget it, I'd open the box upside down. Oh, what?
GRAHAM CLULEY. That's a joke.
CAROLE THERIAULT. It must be a joke. There was one to Waterstones.
There was one to Waterstones, someone's saying, I've been locked inside your Trafalgar Square bookstore for 2 hours now. Please let me out.
You know, and I'm just thinking she should have added a threat like, I'm gonna streak in the buff in front of the book displays, you know, until someone shows up.
GRAHAM CLULEY. I've been stuck in here with no lavatory paper. I haven't got a cat butt tissue holder. I'm going to have to—
CAROLE THERIAULT. Charles Dickens is proving very useful. Anyhow, the whole point of complaining is to get a response.
Well, you know, one that acknowledges the complaint, perhaps even solves the problem. Right?
GRAHAM CLULEY. That'd be nice. Yeah.
CAROLE THERIAULT. If you get this stellar rep that helps you slalom through all the bureaucracy, it's an amazing feeling because it's a pain in the ass otherwise. So getting back to your purchase of your cat butt tissue holder, you take it to Twitter, X, whatever, and you get this amazing response, right? And you're a security boffin. You happen to notice the blue tick and you're like— and this is of course from a reputable online retailer.
GRAHAM CLULEY. Well, anyone having a blue tick on Twitter is instantly suspicious these days. You know that.
CAROLE THERIAULT. Oh, I was going to say, because yeah. So can you care to enlighten us on the tick changes?
GRAHAM CLULEY. Well, there's been this switcheroo because, of course, blue ticks used to mean that your account had been verified by somebody to suggest that you were a person of either some prestige or an official company. It was meant to differentiate you from scammers so people could find the real post. But now, of course, our good friend Elon Musk, he's so desperate for money that he's primarily, it appears, given it to racists and misogynists and unpleasant people spreading conspiracy theories. And so now your temptation is actually to block anyone who has a blue tick because there's just so much nonsense going on with them.
CAROLE THERIAULT. There's a fee now, monthly fee with the blue tick, isn't there? £11 or something. Is that right?
GRAHAM CLULEY. Yeah. And there may be some advantages of doing that. I mean, other than the tick, there are some functions which would be useful and things which used to be available for free, access to TweetDeck, for instance, which is how I used to access Twitter. And now you have to pay for it. But I simply object on principle now to giving any money to Elon Musk. I just think it's just gone so downhill that I just, I can't bring myself to give him $10 a month.
CAROLE THERIAULT. But they have also introduced new additional checkmarks, right? There's the gold and the gray one. So gold is for verified organizations and it costs a whopping £950.
GRAHAM CLULEY. Isn't that per month, I think?
CAROLE THERIAULT. I think that's a monthly fee.
GRAHAM CLULEY. Yeah. It's astonishing. Yeah.
CAROLE THERIAULT. And the whole Twitter claims that the changes to verifications are required to reduce fraudulent accounts and bots. So yeah, I was going to say, is that smart? Is that bullshit?
GRAHAM CLULEY. Hmm.
CAROLE THERIAULT. Well, funnily enough, Graham, it has not been all smooth sailing since this change has taken place.
GRAHAM CLULEY. Come, come, surely not.
CAROLE THERIAULT. I know. But as predicted by some, things are indeed going awry thanks to the way this paid-for X verification service works. So Andrew Thomas was contacted by a verified account from Booking.com after posting a complaint on Twitter/X. Quote, "I'd been trying since April to get a refund for our holiday flights which were canceled and frankly resorted to X." Right, similar to what you said, right? You're trying to go direct, you're not getting anywhere, you hit the socials. So quote, "I received a response asking me to follow them. I DM'd or direct messaged them with the contact number. They called me via WhatsApp asking for my reference number so they could investigate. Later they called me back and said that I'd be refunded by their payment partner, for which I needed to download an app."
GRAHAM CLULEY. Hmm.
CAROLE THERIAULT. This is when Mr. Andrew Thomas became suspicious and checked the Twitter X profile, and he says "it looked the real thing, but I noticed that there was an unexpected hyphen in the Twitter handle and that it had only joined X in July 2023." That's a pretty dead giveaway. If you have someone Booking.com, right?
GRAHAM CLULEY. Oh, absolutely. You'd expect them to have a social media presence for much longer than that, right?
CAROLE THERIAULT. And this is at this point where he says, "I then checked the WhatsApp caller ID and found it was a Kenyan number." So lucky for Andrew, Booking.com refunded him after The Guardian intervened. But this is happening more and more, particularly it seems in the travel and hospitality and banking.
GRAHAM CLULEY. Well, you know what? I've just remembered this has actually happened to me.
What? In the last, yes, in the last few months, because I was having a bit of an issue with an energy company where the account had changed into someone else's name and they'd screwed up. And despite numerous phone calls over many months, they kept on fouling up and trying to charge me tens and tens of thousands of pounds.
And it's like, "You really haven't understood, have you, what's actually happened?" And eventually, after plenty of emails, I did go on to Twitter and post a message. And they said they'd get back to me.
But I got this other message saying, "Oh, we're looking into this again. Can you please follow this link?" And it was from a scammer. So they obviously had a bot set up or something looking for references to this particular company. And then they would jump in with their fake account.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Thankfully, I didn't give them any sensitive information. I didn't fall for it, but it was extremely convincing.
CAROLE THERIAULT. Yeah. And this is just in June, passengers who were planning to go on holiday on EasyJet and BA flights— these flights have been canceled.
They were targeted by cybercriminals with fake profiles after they resorted to X to demand refunds after the people whose flights had been canceled. And both airlines told The Observer that fraudulent accounts are reported to X.
I don't know who's reading those reports. And BA even pinned a tweet alerting users to fake accounts on X. But that's the thing, who should be held accountable, right? And what advice do we have other than delete X and stop using it?
GRAHAM CLULEY. Well, I think that's really good advice. And maybe the big—
CAROLE THERIAULT. I know, but you have a complaint.
GRAHAM CLULEY. Well, that's true. Yeah, that is true. I mean, it should be easier to get in touch with companies to get a response to a genuine problem.
You shouldn't have to go onto social media to try shame them into some kind of rapid reaction to the issue that you're having. But I would expect many of these brands are getting pretty fed up with this kind of fraudulent behavior happening on Twitter.
CAROLE THERIAULT. Are they worried about it enough to actually invest in their customer service department?
GRAHAM CLULEY. Well, they might be beginning to think we're not going to advertise any longer. And maybe we're going to pin a message up saying, "If you want to get in touch with us, then here's our— Go to Instagram."
"Here's our online forum, or here we are on Threads, or wherever it is." People might begin to do that instead. I don't know. But it doesn't feel like it's very good for Twitter's long-term success to not get a proper handle on this problem.
CAROLE THERIAULT. And it doesn't even have that name anymore. The Guardian went out and tried to get a comment from Twitter.
X. Yeah, of course they didn't even reply. Seems like no one's home. Anyway, there you are. There's my story.
GRAHAM CLULEY. Thing is, normally if you email Twitter's PR department, they reply with a poop emoji. You'd probably need one of your butt tissues to clean it up.
CAROLE THERIAULT. Exactly. I think you could use your cat butt tissue for something like that.
GRAHAM CLULEY. 80% of breaches are the result of stolen credentials. Why does your organization still rely on passwords? Hackers don't break in, they log in. Which is why organizations are moving to zero trust authentication, a key requirement for zero trust architecture. What if you could continuously authenticate every user and device accessing your system, ensuring that they are who they say they are and that they are using secure devices? Well, Beyond Identity gives companies the ability to eliminate reliance on passwords and protect against password-based breaches, fraud, and ransomware attacks.
Go to smashingsecurity.com/beyondidentity for a free demo. That's smashingsecurity.com/beyondidentity. And thanks to Beyond Identity for sponsoring the show.
CAROLE THERIAULT. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT.
The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
GRAHAM CLULEY. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security-related. It is a website. And I am a bit of a fan of all things retro.
CAROLE THERIAULT. I think most regular listeners know that.
GRAHAM CLULEY. I think they probably do. Now, you've got a MacBook, I believe, or a Mac computer of some description, don't you?
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. And so have I. And it's been many years and we've been running versions of Mac's operating system called Mac OS X. Do you remember what came before Mac OS X?
CAROLE THERIAULT. No.
GRAHAM CLULEY. It's not that hard to work out. It was Mac OS 9. But the thing is—
CAROLE THERIAULT. Sure. But it might be 9.8 or 9.5.1 or something.
GRAHAM CLULEY. That's right. But the thing is that over time the Mac operating system has greatly changed, and it used to be this thing called System 6 and System 7 and things like this. Now, if you go to this website, which is my pick of the week, called infinite-mac.org, it is a collection of classic Mac system releases and software.
And you're thinking, how dull is that, Graham, just to get the software? Well, no, no, no. What this is, is it has emulated old versions of the Mac operating system inside your browser.
CAROLE THERIAULT. I'm looking at it right now. I'm trying to find Paint.
GRAHAM CLULEY. So if you can go back as far as 1984, the initial version of the Mac operating system, which was shipped way back then. And it's amazing to see how the user interface has changed. And not only can you play around, and this is a proper emulation of the software.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. But there's also accessibility to CD-ROMs. So earlier on, I was using my fairly modern computer to emulate a computer from about 1990, where I was running an ancient version in black and white of a 3D chess game. All through an old version of the Mac operating system. And I found it all rather charming. I've got to say, it felt like time travel.
CAROLE THERIAULT. I really love opening it up though and hearing that beep because I had one of these. We had, I can't, I can't.
GRAHAM CLULEY. Oh, did you?
CAROLE THERIAULT. It must have been the '86 one because I remember also the yellow IBM color or whatever it was.
GRAHAM CLULEY. Oh, like of the actual monitor, the frame.
CAROLE THERIAULT. Yeah, the monitor, the frame. And yeah.
GRAHAM CLULEY. And of course, this is way before Windows came along. And what Apple were doing was certainly on the home computer market was really innovative to do all this. So I think this is a real labor of love, and I love that websites like this exist because they're not making any money. They're just asking for donations if you really enjoy it.
But you can play around with this, and it's a good way to, you know, time-suck a good 90 minutes or so playing around in a very slow game of chess of dubious quality. And yeah, I really enjoyed it. And that is why InfiniteMac.org is my pick of the week.
CAROLE THERIAULT. All right, pretty cool.
GRAHAM CLULEY. Crow, what's your pick of the week?
CAROLE THERIAULT. Well, Graham, I also decided to go into a different unusual pick of the week this week for me. Because, you know, many, we're all in the last throes of summer, many of us, right? And kids might be getting a bit bored and you might be feeling a bit broke because you've gone to Legoland or on holiday or whatever you've done.
And you might want your kids to do something fun, but also start stretching their brain muscles before getting ready for the onslaught of learning that's about to come.
GRAHAM CLULEY. 'Cause they're gonna get such a shock, aren't they?
CAROLE THERIAULT. When they get back to school. No, you can't go to bed at 10:30 anymore. So I found with the help of my friendly perplexity.ai chatbot tool, which I'm testing out, very fun.
Yeah, you can check that out. That's in the show notes if you wanna have a look. I found a few brain teaser sites for you to try out. So one of them is called crazygames.com.
So there's a link in the show notes if you want to go there while I describe it, Graham. So this is basically a site filled with basic graphic games, everything from cards, card games, racing games, building, adventuring.
But they also have this game called Brain Teaser that tests your thinking by providing a set of questions.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And it says you need to think out of the box if you don't want to get stuck. And I utterly... I did so badly. Do you want to have a try?
GRAHAM CLULEY. Well, I have just failed on the first question I've tried.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. It put up some pictures on the screen. It had an apple and a strawberry and a watermelon. And it said, which one is the biggest? And the biggest one on the screen was a strawberry. So I clicked automatically on the strawberry. Anyway.
CAROLE THERIAULT. I did exactly the same thing. Did you?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And then you go, oh, that little thing's the watermelon.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Anyway, great fun, but there's loads of games on there. So if you go home, you can see there's hundreds and hundreds, maybe even thousands.
GRAHAM CLULEY. Oh yeah, there's some fun ones here.
CAROLE THERIAULT. Yeah, yeah, totally. I saw there's a mahjong card game, that kind of thing. It's all building, it's all kinds of stuff.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. The other one that I want to bring to your attention is called braingle.com.
GRAHAM CLULEY. Braingle?
CAROLE THERIAULT. Braingle, like B-R-A-I-N-G-L-E. And this is like, includes brain teasers, riddles, trivia games, like basically a place to solve puzzles and give your brain a workout, basically.
So for example, Graham, you can do this wee game, which I found for you, where you try to identify a celebrity by only seeing a small part of their face. Now, I think if I'm correct, you can choose right now between their eyes and their mouth.
GRAHAM CLULEY. Eyes and their mouth, yes. Which should I choose?
CAROLE THERIAULT. So you choose whatever one you want and have a crack.
GRAHAM CLULEY. Okay, I'm gonna go for mouth. All right, okay.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And it says, who is this? So I've got someone's mouth and it says, is it Travolta, Tobey Maguire, Prince Charles? It's not Prince Charles. Denzel Washington. Definitely not Denzel Washington. Steve Jobs or Walt Disney? I'm going to say it's Tobey Maguire. And it was John Travolta. Okay, never mind.
CAROLE THERIAULT. And it's so much fun. So there you go.
GRAHAM CLULEY. Is it fun, Carole, or is this something just to send the kids off to school happy? They're thinking, thank God we're not playing that brain game.
CAROLE THERIAULT. Maybe that'll work. But there's lots of other brain games.
GRAHAM CLULEY. Hang on, they're not even gonna know who John Travolta is, are they?
CAROLE THERIAULT. Well, there are other games that may be more suitable for your kids, right? Geez, don't be pissing on my beautiful parade. There's puzzle games, there's a lot of chess games, for example, and strategy games.
GRAHAM CLULEY. How desperate are you to get me to endorse your pick of the week by mentioning chess? Although that does actually work.
CAROLE THERIAULT. I'm gonna now have a look, see what chess games — So there you go, two wonderful sites jam-packed with fun puzzles for the whole family. I mean, Graham's, you know, middle-aged and you know he's going back to play a little chess. You know he's going back. So that is my pick of the week.
GRAHAM CLULEY. Wonderful. And that just about wraps up the show for this week. You can follow us on Twitter. We don't call it X. @SmashingSecurity, no G. Twitter won't allow us to have a G. And we're also on Mastodon. And don't forget, you can ensure you never miss another episode by following Smashing Security in your favorite podcast app. Go on, do it. Such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide and Beyond Identity. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsor links, sponsorship information, guest list, and the entire back catalog of more than 336 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT. Bye. So I actually bought you the ostrich head pillow thing.
GRAHAM CLULEY. And what is it, Steve? Does it not have a hole in it? How am I going to put my head in it? What's the — am I going to have to contact them via Twitter to — The ostrich head pillow.
CAROLE THERIAULT. Like, imagine seeing that on a plane.
GRAHAM CLULEY. Lovely.
CAROLE THERIAULT. My dad went on Crowdsource or some crowdfunding site and bought this thing to help him sleep in a plane.
GRAHAM CLULEY. No.
CAROLE THERIAULT. Thing was like basically a strap that held you by the forehead and the chin, and you would wrap it behind your seat, right, to hold up your head so you could just kind of lean forward and be dangling. The problem that no one thought about is, of course, people's TV screens are in the back of —
GRAHAM CLULEY. Oh, so the strap, right?
CAROLE THERIAULT. Yeah. So just, if you guys are thinking of buying one of these, it's a good idea, maybe think again.
-- TRANSCRIPT ENDS --