
268: LinkedIn deepfakes, doxxing Russian spies, and a false alarm

Strange goings-on on LinkedIn, Ukraine publishes a list of alleged Russian FSB agents, and police in Pittsburgh investigate an odd report of an active shooter.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist's Geoff White.

Visit https://www.smashingsecurity.com/268 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Yeah, sometimes cyber attacks can be like farts though - silent but deadly. Well, this is the thing, there's a


GRAHAM CLULEY. Huge amount going on in the background. I know there have been fears of chemical warfare, but that's gone a step too far.


GEOFF WHITE. Maybe that's what did for Roman Abramovich in that negotiating. Maybe it wasn't a chemical attack, maybe just a huge air biscuit that someone floated. But anyway.


GRAHAM. Smashing Security, episode 268. LinkedIn deepfakes, doxing Russian spies, and a false alarm. With Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, episode 268. My name's Graham Cluley.


CAROLE. And I'm Carole Theriault.


GRAHAM. And we are joined by podcast royalty. It is... The king! The Lazarus Heist's Geoff White.


GEOFF. Hello, how are you both?


GRAHAM. The Lazarus Heist, it's not just a podcast, is it? It's going to be something else.


GEOFF. It is now a book. It will be a book in June. I wrote the book in four months, which was tight. Yeah. So that's going to be out in June. And it doesn't just go to the podcast, it goes the whole hog and does loads of other stuff about North Korean cyber war, North Korea's alleged computer hacking campaigns, full nine yards. And there are just some bonkers stories and it just gets more and more outlandish the more you cover it in that story.


CAROLE. Well, we're going to read all about it because we've pre-ordered.


GEOFF. Yay, which you can do now.


CAROLE. Well, we have. Yeah, both of us have. Yeah, we'd like it signed. Of course, of course. Next time we see you.


GRAHAM. I've got a question for you, Geoff. Considering all the trouble that Sony Pictures got into after The Interview, that movie, which sort of made fun of the North Korean leader, are you a bit worried about publishing this book?


GEOFF. I do hate this question because, I mean, the answer obviously is yes. Yes. We take a lot of measures and steps to try and protect ourselves. And yeah, the irony of reporting on a major media company that did something North Korea didn't like and then got hacked as a major media company reporting on something North Korea doesn't like, the irony on both the BBC and Penguin, the publisher of the book, was not wasted. So we have made strenuous efforts. But look, you never say never. I mean, you know, nobody's 100% secure, are they? So all I can say is, so far, we seem to be safe and we fully intend to keep ourselves that way.


GRAHAM. Yeah, well the cover is not giving anything away though.


GEOFF. No, well Kim Jong-un on the cover was a sort of bold move I would say. So there was discussions about that about how that would work and what was tolerable and what wasn't tolerable and could we sort of, you know, change the colour of his face to fit. The thing is that, no, we're not sure about that. So there's lots of discussions about what you can do to Kim Jong-un's face basically.


GRAHAM. So it's a flattering photograph. Surely he won't mind, as long as it makes him look good.


GEOFF. Given the subject matter, it's difficult to get a flattering photograph, I think, of Kim Jong-un.


GRAHAM. Be very careful, Geoff. This is when the hack is going to begin.


GEOFF. Did you see the video of their latest missile launch, the astonishing video they put out?


CAROLE. I heard of it, but I did not see it. No.


GEOFF. Oh, God. It was almost... I really had to double check. I thought, I want to retweet this, but I have to double check that it's not a parody. Because it really, really looks like a parody. It's sort of, you know, it's like Fast and Furious meets, well, meets Pyongyang. It's just weird. Wow. And that's the thing, the problem is these videos that, you know, it's hard not to find entertaining but obviously there is a nuclear threat behind it all so you have to really sort of balance your emotions on that.


CAROLE. Shall we get this show on the road, boys?


GRAHAM. Why not? Yay.


CAROLE. Let's first thank this week's sponsors Kolide and Keeper Security. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM. I'm thinking of linking.


CAROLE. Okay. Nice. Nice, Graham. What about you, Geoff?


GEOFF. We're going to take a trip to Ukraine.


CAROLE. Ooh, and I'm taking a trip to sunny Pittsburgh. All this and much more coming up on this episode of Smashing Security.

Now, chums, are you on LinkedIn?


GRAHAM. Yeah. Oh, yes. Yes, but no. Yeah, Carole, your situation on LinkedIn is a little bit odd, isn't it? Because you have an account. I sometimes tag you in my posts. But you've got a challenge.


CAROLE. I'm on there very rarely. I go in maybe once a quarter or once every six months and respond.


GEOFF. I'm not even connected with you. Wait, I'm connecting now. There we go.


CAROLE. Oh, yeah. Okay. Well, it'll take a while. Yeah. Take a while to be accepted.


GRAHAM. Well, I used to be really strict about who I connected with on LinkedIn. I didn't like to accept LinkedIn requests from any old Tom, Dick or Harry. I didn't even accept LinkedIn requests from people who worked at the same company as me, or even in the same department. I had a very simple rule, which was I'd only accept a LinkedIn connection if it was someone who I would feel comfortable coming round to my house and having dinner at my dinner table.


GEOFF. So Graham and the two people. The smallest LinkedIn following in the world goes to Graham, clearly.


GRAHAM. 100% attendance. Well, all of that changed when I became a freelancer. And I loosened up a bit. And I realized, you know what? I'm going to link in with bloody everyone. I'm going to pretend to be friends with people who I don't know. I'm going to accept LinkedIn requests from just about everyone.

Not quite everybody, but pretty much. I mean, obviously, people who are sort of into blockchain and stuff like that, I refuse their connections. But generally...


CAROLE. Do you do upon request job recommendations?


GRAHAM. I could maybe, hang on, maybe I could make a bit of Wonga. I could monetize there. I haven't thought about that.


CAROLE. Just look, insert name here.


GRAHAM. Okay, let's brainstorm that after the podcast. I quite like that idea. But yeah, it doesn't matter if I've never heard of you, never met you, we'll never meet you, the more the merrier.

But sometimes people break etiquette. Sometimes people send me a LinkedIn connection, right, and that's fine, but then they tried to talk to me. And that's okay, I guess, if they want to say something nice about the podcast or book me to speak at an event, but it's pretty tedious when they say, oh, maybe we could set up a call sometime to talk about your requirements as a company or can I come and work for your company? It's like I'm a one-person band.


CAROLE. It's a business connection site. That's the whole point.


GEOFF. I get that too, though. People say, oh, Geoff, you know, I've heard you're hiring information analysts. It's like, have you? With what money? I'm one person.


CAROLE. And now you understand why I'm never on it.


GRAHAM. Well, I think a lot of people are probably a lot more patient than I am. Because I just instantly, if someone does that, if someone does that and it annoys me, I just remove the connection. I just think, oh, clearly you're using this for some ulterior purpose. Whereas I definitely wasn't.

But some people don't do that. Some people are more willing to connect. Like Renee DiResta of Stanford University, for instance. She received a LinkedIn message from a woman called Keenan Ramsey. And Keenan said she was a member of the same LinkedIn group as Renee. And she sent her a little cheery greeting. Hi there. And some grinning emojis.

And after a bit of chit-chat, she swiftly moved on to the sales pitch. And she said, oh, quick question. Have you ever considered or looked into a unified approach to message video and phone on any device anywhere? Who hasn't?

Cut and paste. Yeah exactly. And you just think, oh here we go.


GEOFF. Have you ever, that's the worst. Have you ever question ever, isn't it? Have you ever?


CAROLE. Because if you say yes, you engage. And if you say no, well let me tell you all about it.


GRAHAM. Yeah. Because anyway, so Keenan's profile revealed to Renee that she worked for RingCentral and has been working there since September 2019. And RingCentral, if you don't know, they're a business communication solution offering web meetings and video calls. It's a bit like Zoom, all that kind of jazz.


CAROLE. Like for businesses, though?


GRAHAM. Yeah, for businesses. Right. And prior to that, Keenan, according to her profile, worked at a cloud firm, Mirantis. Prior to that, she was a marketing specialist at a firm called Language.io. And she's got a degree in business admin from New York University. She's got 300 odd connections. It all kind of checks out.


CAROLE. Legit, legit, legit. Yeah, no red flags.


GRAHAM. At the moment. Well, apart from the fact that I'm mentioning this on the podcast. Yes. Which instantly...


CAROLE. I was just trying to build some tension, Graham.


GRAHAM. Yes. It sets your antenna off, doesn't it? You think this isn't a norm. Why would Graham be speaking about this otherwise?

So Renee DiResta, who received this message, she wondered, what's going on here? She was a bit suspicious about it. She thought, is this an attempt to phish some sensitive information? Maybe there's going to be a click here to set up a meeting kind of link.


GEOFF. That's what I was thinking. Yeah.


GRAHAM. Is it just business or is there an intention to steal information or something like that? She thought that particularly when she received an identical LinkedIn message with the same emojis from someone else claiming to work at RingCentral.


CAROLE. Oh. Well, I mean, lots of call centres have scripts. So there may be, there could be a marketing script.


GRAHAM. Right. Maybe. And then Renee received an email, an email, not a LinkedIn message, from a third RingCentral employee, which referenced the message sent to her initially by Keenan Ramsey.


GEOFF. God, I'm getting hives. It's just a swarm.


GRAHAM. They're really keen on Renee DiResta. And the thing is about Renee DiResta of Stanford University is she has a very particular set of skills, skills she's acquired over her career, skills that mean she is one of the few people in the world who can spot the telltale signs of an AI generated image. She's an expert in deep fake imagery.

So she looked at the profile picture that Keenan had used on her profile and she thought, she's only got one earring. Right. Okay, that's not unusual really. Well apparently on LinkedIn it's a little bit unusual your profile picture, most people will have more than one earring.


GEOFF. Remember both earrings, yeah.


GRAHAM. Balanced out. Otherwise you have a lopsided image, right? What do you like? Also, her eyes were aligned precisely in the centre of the photograph, right, in the middle of the picture. So imagine you had an image which was 500 pixels by 500 pixels. The eyes are bang right where you would expect them to be, right?

That could be a cropping thing, though. It could be, but it's a level of professionalism. The background was blurred and vague, didn't look like anything in particular. And some strands of Keenan's hair appeared to blur into this background.

And so it just got Renee's spider senses tingling. She knew something odd was going on. She thought, this is weird. This is weird.

So what she did was she contacted RingCentral. And she said, can I speak to Keenan Ramsey, please? And RingCentral said, oh, we don't have any employee by that name. Ding, ding, ding.

And then she spoke to Language.io and they said, oh, no, we've got no records of her ever having worked for us. Mirantis, the company she worked for allegedly between Language.io and RingCentral, they said they couldn't share any employee information without written authorization from the employee.

Now, I don't know how you get that written authorization when the person is a fake. You would think the company would say, oh, no, we haven't had anyone called that here. But anyway.


CAROLE. Yeah. Well, they're not an employee if they haven't worked there. Therefore, that's null and void.


GRAHAM. Yeah. You would think so, wouldn't you?

New York University. They said, no, nobody called Keenan Ramsey has ever received a degree here. Now, people lie on their CVs and LinkedIn profiles all of the time. Right, Carole?


CAROLE. I don't know. I don't hang out there. Are you suggesting I lie? Is there anything you want to point out to me? Maybe we should take a look at it right now. Maybe we should. I'm very happy.


GRAHAM. Go for it. You're in school uniform, Carole, on your LinkedIn profile. Probably. That's how old it is. It's not actually a photograph. It's a brass rubbing. It's that old.


GEOFF. You're wearing a puffball skirt and pixie boots. When was this taken?


GRAHAM. So what happened then was Renee decided, well, I'm going to look up the LinkedIn profiles of the other people who contacted me claiming to work for RingCentral. Of course. Yeah.

Same story. Work and educational histories didn't pass the sniff test, the image appeared to be deep faked. And the third contact she had, the email from a RingCentral employee that referred to the email from the fake Keenan, that was a genuine worker at RingCentral.

So why are fake people being used by RingCentral to get people to make contact?


CAROLE. So it's fake, fake, real was the way it worked. So the email was real and then to Fenton.


GRAHAM. Exactly. Exactly. Exactly.

So Renee got together with one of her colleagues at Stanford University, a chap called Josh Goldstein. They started investigating. They found more than 1,000 accounts that appear to use AI-generated images, which is a breach of LinkedIn's rules.

And when they searched for evidence that those people actually existed on the internet, they found no evidence that they were real. So normally, if you find someone on LinkedIn, you can find other evidence that they exist.


CAROLE. I don't, I just, I kind of get the idea of people using deep fakes in order to hide their real ugliness? Yeah, maybe ugliness or also that you wouldn't mind someone that approximates you, but it's not exactly you just to obfuscate yourself from AI recognition software. I don't know.


GRAHAM. It seems a little bit uncomfortable if you're going to get into some sort of business trust relationship with someone. If you're, I mean, presumably you're also lying about your name, are you? You're comfortable with your name, but not with your photographs. Mm, yeah.

Like I said, it's against LinkedIn rules. I mean, there have been studies done which said that people trust average kind of faces more. So if you are particularly odd. Sorry, Graham.

Well, if you have some sort of peculiarity in your face, whether it be astounding beauty and handsomeness, or whether it be you're a bit fugly, then people are less likely to trust you. But if you're sort of average, then it works.


GEOFF. But you're going to have a meeting with these people at some stage where you turn up and they go, wait, you're not a cross between Brad Pitt and George Clooney, you're fugly. And at that point, any trust you've worked up is going to vanish pretty damn quickly.


GRAHAM. Are you going to have a meeting though, Geoff? Are you going to have a meeting? Because these days it's all remote, isn't it?


GEOFF. I suppose that's true, you could go on Zoom. Yeah,


CAROLE. And your foot's in the door, right?


GEOFF. Right, yeah, hideously ugly foot's in the door then.


GRAHAM. You monster claw.

So what the Stanford researchers found was that most of these fake accounts all had similar kind of jobs. They said we're business development managers, we're sales development, we're demand generation. So it's all about getting leads.

And as a great report in NPR describes, the researchers, Renee and Josh, they discovered this whole undercover industry of firms that create fake LinkedIn profiles that then reach out to potential customers and set up meetings for in-house salespeople like RingCentral.


CAROLE. Is that because it's a time saver and a resource saver? So you have what, AI-generated profiles? Or they're just fake profiles in case someone reports them. They're like, oh, we don't know. They don't exist here.


GRAHAM. Well, it's not. I don't understand. It's not being done directly by the company which eventually gets the sales lead. So the companies which are interested in the sales lead, they sort of farm them out to service companies and third parties. They don't really care how they get the leads. It's just like, if you can help us, that's great. And we'll turn a blind eye to what you're doing.


GEOFF. Well, that's true. I can understand that. If you've got thousands of people on LinkedIn who are potential leads and you want to narrow those down to the sort of 500 hot leads. The company that says, look, we've got 500 people who said yes to a meeting. They're the people you want to contact, not the thousands of people who would never respond. It's just a filtering exercise, isn't it? It's an AI filtering exercise.


GRAHAM. It is, but they're claiming to work for RingCentral. They're claiming to have all this background and all this fake information on their CV.


CAROLE. Yeah, there's a credibility question.


GRAHAM. It's like, why aren't they using their own images? Is it because they're too ugly? Why aren't they saying who they really work for?


CAROLE. Now, what does RingCentral say? They say, oh, yeah, yeah, no problem.


GRAHAM. Well, they've issued a kind of apology. They said, while this may have been an industry-accepted practice in the past, going forward, we do not think this is an acceptable practice and is counter to our commitment to our customers. So, sorry, not sorry. Kind of, yeah.

NPR, they didn't give up in their investigation, and they contacted a whole load of companies who were offering this kind of service and each one they contacted were like, oh, no, no, no, we don't do that anymore. We used to do that. We used to do that with fake profiles. And they removed evidence of it from their website. The RingCentral employee who contacted Renee, he's very helpfully left the company and isn't returning any messages. So he's disappeared. It's all a big, nothing to see here, nothing to see here.

For its part, LinkedIn, they say in their latest transparency report that they've removed more than 15 million fake accounts. Although most of those, that was in the period of six months during 2021. Most of those happen at the time of registration rather than later once you're active. They're looking for suspiciousness there. So it does appear there's a fair amount of that going on.

And what was interesting to me when I read this report, and it is worth reading and digging a little bit more into it, was that this is the use of deep fake AI imagery, not for disinformation and misinformation, but for something rather more mundane, just a way of generating leads. And, you know, it's fascinating that the technology is now being adopted by just about anybody because it's so easy to create fake images of realistic looking people.


CAROLE. Graham, we have to make full circle now. So how many of your connections on LinkedIn do you think? I know. We have to start looking at their central eye positioning. Wait.


GEOFF. I'm looking at Carole's picture here. The eyes are in the middle.


CAROLE. How do you know I'm a cyclops?


GRAHAM. Geoff, what have you got to talk about this week?


GEOFF. I am going to take us to the Russia-Ukraine conflict, which is in a lot of ways a very dreary topic. However, there is something absolutely stunning that's come out of the last couple of days which I just think is really worth having a look at because it sort of indicates where we are with the kind of cyber conflict. Because I think a lot of people were assuming when there was another big war that cyber would be, you know, it'd be a cyber war, you know, we'll see all these cyber attacks and, you know, robotic tanks and all that kind of thing. We just haven't seen it, frankly, so far that we know of in Ukraine.


GRAHAM. Yeah, sometimes cyberattacks can be like farts, though, silent but deadly.


GEOFF. Well, this is the thing. There's a huge amount going on in the background.


GRAHAM. I know there have been fears of chemical warfare, Carole, but that's gone a step too far.


GEOFF. Maybe that's what did for Roman Abramovich and that negotiating team. Maybe it wasn't a chemical agent, maybe just a huge air biscuit that someone floated. But anyway, look, so what's interesting about this is there's been a leak, a massive leak of information from the Ukrainian government. This is the details of 625, I think it is, FSB agents, so Russian Secret Service agents. And they've published it on their website. I'm looking at it right now. And it's just lists of people's names, dates of birth, passport numbers, addresses, mobile phone numbers. It is absolutely astonishing.


GRAHAM. So this isn't something which has accidentally leaked from the Ukrainian government, they've published it, they basically doxed 600 Russian spies? This is on their website?


GEOFF. This isn't without precedent. You'll remember there was an incident back in 2018 when a bunch of Russian agents turned up in The Hague and tried to hack into the OPCW, the Organisation for the Prohibition of Chemical Weapons. This was after the poisoning attack in the UK and there's this idea that the Russians were going to OPCW trying to interfere with the investigation. They got caught and left The Hague but they couldn't arrest them because these guys were on diplomatic passports.


CAROLE. But it must be so frustrating.


GEOFF. My god, I know. You can imagine: oh, damn it. What they did do, the authorities, they released the details, the passports, said, like, these were passports they were traveling on. So Bellingcat, the investigative website, went and found these passports on a Russian database, and the passports were registered to a particular address. And there was a whole thing about people's cars being registered to this particular address. And clearly FSB agents were registering their cars to the FSB headquarters.

So they did a reverse search and said, OK, show me all the other cars that are registered here and got a list of 305 Russian agents who had all registered their cars to the office address. But that was a leak of information that was then turned by Bellingcat into a database, whereas this is just the Ukrainian government going, here you go. And what's remarkable, I mean, obviously I've been doing a bit of digging into this list, and for a start some of these guys are on WhatsApp. So I was going to send them an invite to Farmville. I thought, you know, they're clearly under the cosh, these poor chaps, and, you know, they might need a bit of


CAROLE. Entertainment, a bit of distraction.


GEOFF. Yeah, come and plant a courgette with me.


CAROLE. So that's the whole point. So there's nothing unclear about it. They are posting all this information to say, hackers of the world, here you go.


GEOFF. Well, this is the thing. I wonder, we've now got a database here, apparently, of, I should say, alleged Russian agents, FSB agents, because this is covering the Ukrainian government. But if it's right, we've got a list of mobile phone numbers here. I mean, as we know from the NSO Pegasus mobile phone malware story, targeting mobile numbers of foreign operatives is something that you can do if you've got the malware. So that's one option.

I haven't caught up on whether the whole SS7 mobile phone problems have been sorted, but there was a period of time where you could track people's mobile numbers and send them text messages via the SS7 system. Again, is that going to happen? Also, if I'm a foreign government now and I'm thinking, right, I want to know if I've got any FSB agents in my country, I can take these mobile numbers, give them to the sort of tier one mobile phone provider like BT in the UK, for example, and say, right, if these mobile numbers pop up on our network, could you please let us know because we've got Russian agents in the company. All sorts of stuff you can do with this.

Oh, and the other thing that's crazy about this is there's little notes on some of these profiles as well. So there's one which is called, now what's the name of it? Hang on. Dima. I'm just going to refer to him as Dima because I don't want to name the guy just in case he gets sued and everything. But it says Dima, the terrible lieutenant in inverted commas and it's got his address here. There's one that says, FSB operative late payments on loans. So clearly somebody, Gorbinev Maxim is behind on his payments. Just astonishing detail in this leak. Absolutely amazing.

Do we know where the Ukrainians got this data from? No, that is a very good question and one to which we don't know the answer, at least not as far as the stuff I've seen.


CAROLE. Yeah, we're waiting for people like MI5 and the CIA to come out and go, Oh, Frank. Yeah, yeah. Surge. Yeah, yeah.


GRAHAM. Well, I wonder if it'll be annoying to other secret services because they may have had access to this information already. And maybe we're trailing and tracking some of these mobile phone numbers. Now, basically, the balloon's gone up, hasn't it, to all those agents changing mobile phone numbers.


CAROLE. And what if some of them are double agents, right? Oh, that's a good thought. And how that hurts the contacts with maybe information. The other thing is, I mean,


GEOFF. Russia does seem to be a very leaky place data-wise. I mean, there's an investigation on BBC the other day, which BBC and again, Bellingcat, this investigative journalist's investigative outfit, where what they've done is they got travel documents and they tracked the movements of Russian opposition activists, and then they tracked who was on the same plane and the same train at the same time, and effectively worked out who was tracking these guys around the world, and say, OK, here's an FSB agent who's basically on the same plane and same train as this opposition activist at exactly the same time. They're clearly being tailed and this is in advance of the poisoning of Alexei Navalny.

But they got a lot of the information. Bellingcat says that some of the information came from Russian databases that are just being sort of bought and sold and freely traded. So it does seem like in Russia, you know, if you've got deep pockets you can get hold of information, passport information, travel information, flight information, that in the UK you just would not be able to get hold of. You know, it's a leaky place, and I suspect people's sort of willingness perhaps to make a cheap buck by leaking information is slightly higher in Russia than it is in a lot of other countries. So yeah, interesting.


CAROLE. Yeah, totally. Gosh. Graham, what have you got for us this week? I have a story that has a really big fat takeaway, one that's, I think, fairly obvious and should all give us pause. In fact, at the end, you guys tell me if you think you know what it is. I'll ask you the question. Okay, so buckle in, because we're heading to Pittsburgh.


GEOFF. Got to pay attention now. Yeah, okay. He's going to be looking at Twitter for the next couple minutes. Okay,


CAROLE. So we're heading to Pittsburgh. This is a high-stake drama. Have either of you ever been to Pittsburgh? I've never been.


GRAHAM. I have not. No. No.


CAROLE. Okay. So we can't give the city any color, but it is Friday in late March 2022, and it's lunchtime at Nova Place. This is a new multi-million dollar redevelopment in the north side of downtown Pittsburgh. And it boasts restaurants and a fitness center and Pittsburgh's largest co-working space. So you've got people chilling, eating, meeting, sweating. You've probably got a subway. They're probably yellow cabs. Exactly. And then suddenly, city and county cops screech into the scene.

And police start swarming around. And according to one worker at one of the restaurants at Nova Place, said, we heard this emergency alarm go off. And cops started telling people there was a 911 call saying there was an active shooter on the premises. Not good. And I'm sure there was probably a Columbo-style detective there, Graham.


GRAHAM. Oh, okay. Now you've got my interest. You're doing this just to keep me engaged, aren't you?


CAROLE. Uh-huh. So I want you to wear the Columbo hat, okay?


GEOFF. Yeah, okay. He doesn't wear a hat.


CAROLE. Okay, a coat, coat, whatever.


GEOFF. Wrinkly mac was Columbo, wasn't it?


CAROLE. Just one more thing. That's right. Yeah. A guest at Nova Place, Ted Uminski, said three cops, guns drawn, and they're like, did you guys see anything? And we said no, and they're like, get out of here now. Wow. And so, okay, you're eating at a restaurant, right? Do you just get up and leave? Do you leave 20 bucks? Do you leave money or do you hide in the bathrooms? Do you think, what do you do? I'd take the food with me. Would you?


GEOFF. I'd be running out, chowing down. I wouldn't get it. You know, I wouldn't stop eating. I'd run and eat. Two mitts full of spaghetti bolognese. Exactly. It's just jamming it into my face as I head for the exits. I mean, you've got to get calories if you're going to run that fast.


CAROLE. You might get shot. You'll look like you've been eating brains.


GRAHAM. The tomato ketchup may look like blood. That's the Dania. Cheers.


CAROLE. So, okay, there's this alarm screeching. There's a gaggle of cops with weapons in hand. There's a frantic public being told to get out of Dodge. Nearby elementary schools were also placed in lockdown. I mean, this is not what you hope for for, you know, pleasant Friday time lunch.


GRAHAM. No, no, it's not normally, no. It's chaos. Yes. It's chaos. Although you've avoided paying for your lunch. So there is that. Some of us left it behind.


CAROLE. Some of us shoved it in our pockets. So for the next two hours, cops looked for signs of the shooter in the vicinity. Everyone's on high alert, but they come up with nothing. And so everyone's frustrated. I'm sure the stress was palpable.


GRAHAM. Where's a man with a gun when you want one? You kind of expect you're in America. It shouldn't be hard to find someone acting suspiciously with a weapon, but on this particular occasion, they can't find anybody.


CAROLE. Look blank. So, okay, Columbo. Columbo, you're in charge of this operation. What do you do now? You've been told by, on a 911 call, there's a shooter. You're there.


GRAHAM. Well, who left this 911 call? Can we find out who they were?


CAROLE. Yes, yes. So it seems that the frantic 911 caller reported that shots were heard in the Nova Place office building redevelopment. And this is the call that made the cops hightail it over. But it turns out the caller was off-site. Right. So how did they get the information?


GEOFF. How far off-site are we talking?


CAROLE. So what happened to them is that they received a text from one of their buds who was hanging out at Nova Place with the words, firearm. So the caller calls the sender, right, to go, what the hell is going on? But there's no answer. So just from the message, firearm. I mean, I don't know how dangerous Pittsburgh is. Apologies to, you know, but maybe if someone in the state says firearm, you take it seriously.


GRAHAM. But it could be an autocorrect error or something. It could have been something.


GEOFF. Oh, could it? Yes. Well, the thing is, you know, surely the quicker way to text is to go, gun, rather than firearms. I think it's a Glock nine millimeter word. No, gun, gun, the exclamation mark. So I'm already skeptical as to why someone would just type firearm. That's very peculiar.


CAROLE. Yeah, it's kind of an unusual word. Totally. And so, Graham, very good to say autocorrect. What could it have really been, do you think?


GRAHAM. I'm looking on my phone keyboard now. Okay, I need to find an autocorrect generator. Firearm.


CAROLE. Firearm. Okay, now remember there's a noise, there's a screeching noise.


GRAHAM. Tire.


CAROLE. Tire. An alarm screeching.


GRAHAM. Oh, fire alarm?


CAROLE. Fire alarm. Yes! Fire alarm. So what they meant to write was fire alarm at Nova Place, not firearm at Nova Place. Right. Sending a huge gaggle of cops with guns drawn scaring the shit out of people having a nice Friday lunch.


GRAHAM. I do feel like the world took a step backwards evolutionary wise when the iPhone came along and started autocorrecting everything. Because when you had BlackBerrys and you had a full bloody keyboard, and you could actually write out words, and you would never write U as just the letter U. You'd write Y-O-U, which is the proper way to do it. And you'd always put a space after a full stop, and you'd use capital letters at the beginning of sentences. I just think those were better times, and you wouldn't have had this kind of thing happen. It's a trip down memory lane, isn't it?


CAROLE. I was a much better typist on the BlackBerry because I think you can feel where you are. You're not on a flickery screen. You can kind of count the buttons almost unconsciously. Like, oh, I'm at the E. You don't even have to look. You can just feel your way across.


GEOFF. God, I can't believe the power of you wanting a BlackBerry back. I do. Jeez, jeez, Louise. It's just like, I mean, I'm not exactly a spring chicken, but this is like listening to my mom waxing lyrical about her flip phone that we just had to replace. Well, it had buttons. Yes, mom, this doesn't have buttons. No, mom, it doesn't. When we had paper tape and


GRAHAM. Eight inch floppy disks, those were the days.


GEOFF. Shall I read you out just for entertainment? My mum's first text that she sent me. Yes. Ever? No, on the smartphone. Okay, okay. Okay, here we go. So no punctuation, all one sentence. Sorry, I was so rushed last night. Woo, just discovered the word thingy that comes up. Tried taking a photo last night, but took a video instead. Stead, have you any idea how little tulips move? B, please, no idea what is happening now. Kiss, kiss.


GRAHAM. It sounds to me like she sent you an end-to-end encrypted message there. I think even Priti Patel couldn't crack that one.


CAROLE. And the lesson is just read a text before you send it, especially if you're in a bit of a panic, because this is what the scammers, tangential tie to security, tend to take advantage of, right? I did some recon on other types of autocorrects that happen. Do you have to guess what they tried to say?

Oh okay, all right. This is in text messages, so between two lovers. My love is so strong I wish I could buy you a casket.


GEOFF. If I could, castle?


CAROLE. Yes, castle, yes. Come on, good one. Okay, I devoured a baby in a cab.

Oh, bagel? Nope. Kebab? No, it's the verb actually that's wrong. What do you do with a baby?


GEOFF. Well, mostly devour them, but that's just me. Deliver?


CAROLE. Oh, it's still quite exciting. Deliver, right. Okay, and then there's one: Are you sitting down? Your brother was adopted. And actually turned out to be accepted to Yale.

And then the final one: Do you think you can pickle that up?


GEOFF. Pick all that up? Pickle that up. Pick it up. Sticky pickles.

There was one I remember. Do you remember Flirt Divert? Do you ever hear of this service?


CAROLE. No.


GEOFF. Flirt Divert was if somebody was chatting you up in a club and you weren't interested and they asked for your number, you could give them the number for I think it was a radio show. And so the text messages and calls would be received and then sort of read out on air the next day.


CAROLE. That's outrageous.


GEOFF. And there was one woman who basically gave this number to the guy who was trying to chat her up, and then the next day they read out the text. It was a while later actually I think, read out the text and said, "Please call me. I think you may have given me Arabs."


CAROLE. Which?


GEOFF. Crabs. Yes, yeah, exactly. May have given me crabs. But I had this image of guys turning up on horseback with big scimitar swords. You've given me Arabs.


GRAHAM. Kolide sends employees important, timely and relevant security recommendations for Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organisations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide.

That's smashingsecurity.com slash K-O-L-I-D-E. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com slash kolide.

That's smashingsecurity.com slash K-O-L-I-D-E. And thanks to Kolide for supporting the show.

So imagine this scenario. You're out of the office unexpectedly and a colleague pings you because they need access to some system you have credentials for.

Now, listeners would never send passwords over email or Slack, but what about your co-workers? How many organisations out there are sending logins back and forth in plain text?

Worse yet, how many just store all of their logins on a shared spreadsheet? We all know that human errors are the biggest threat to your organisation's security, but did you know that weak or stolen passwords account for over 80% of all data breaches?

There are tools out there that allow you to share credentials, set access permissions and monitor the dark web for stolen logins. Keeper Security's enterprise password management platform does just that.

Keeper locks down logins, payment cards, confidential documents, API keys and database passwords in a patented zero knowledge encrypted vault. And it takes less than an hour to deploy across your organization.

Sign up for a Keeper free trial for your organisation today and get a free three-year personal plan. It is not security related.

Good. As you know, I like to keep my finger on the pulse.

I like to keep up to date with the latest culture, the latest shows that are coming out. Obviously, I've pre-ordered a copy of The Lazarus Heist.

So I'm all ready for that as soon as it comes out pre-ordered. Thank you very much.

Great. But I wasn't quite so quick when it came to watching the Netflix show with Ricky Gervais, After Life.

Yeah.


CAROLE. No, I haven't watched the whole thing. I've watched the first season.


GRAHAM. Well, okay, let's talk about that. So, I thought, oh, I'm not sure I like that.

I don't know. The premise is, it's all about Ricky Gervais' character dealing with life after his wife dies of cancer.

And I thought it's going to be cloying and a bit mawkish, maybe. And I thought, oh, is it just going to be a bit too on the nose?

I don't know. But actually, it's rather lovely.

So, I've just finished watching the first series, and apparently there are three series. But I feel I've seen enough, probably.

I feel, and I find this with a lot of TV shows, is that I like to watch the first series, Killing Eve, for instance. And I think, okay, that was great.

I don't want to ruin it now. I feel you've told the story.

You've wrapped it up with a little bow. I've seen enough.

I don't need to see more of the same. So I'm very gingerly going to start the second series, but I wouldn't be surprised if I stopped.

But I don't think that should stop other people from checking out After Life because... Just because you have no attention span.

I like to think I'm just too sophisticated. Really?

You think.


CAROLE. Sophisticated is the right word?


GRAHAM. I only had to watch the first series of Game of Thrones and I thought, all right, I've seen enough boobs and dragons now. I don't need to see more.

Discerning would be, would that be the better.


GEOFF. Word, Graham? You're a discerning audience, yeah.


GRAHAM. Geoff, I really do recommend everyone pre-orders Geoff's book. Oh my god, you guys.

Anyway, have either of you seen After Life? You've seen a bit of it.

Well I've seen the first series.


CAROLE. But yeah I haven't been moved to see the second one yet weirdly. I don't know.


GEOFF. I find it quite touching and I think it's quite good. I think with second series and any third series, you need to kind of say where it's going next, what's going to be different, how it's going to be different, and make that very clear.

So we watched Fargo, we watched the TV series Fargo which is astonishing because every one of those series is completely different to the one that went before era wise, directorially and stuff. So that was quite, but there was a jolt when we watched each new series and we thought oh this is different to what we had before, but we ended up really enjoying it. But at least you've demarcated the difference on where it's gonna move next and it's not just gonna be the first series again, it's gonna be something else again.


GRAHAM. I'm thinking Breaking Bad. I did watch all of Breaking Bad and I thought that sort of maintained consistency and I thought it was still great to watch.

Okay, well, anyway, After Life is my pick of the week. There you go. Geoff, what's your pick of the week?


GEOFF. I'm going to pick a book for my pick of the week, which I finished and I quite enjoyed, which is a book called Time on Rock by a writer called Anna Fleming, who is a rock climber. And the book is about her time as a rock climber and how it goes.

She's fight it and smash it and grip it, and you're conquering you, conquering the rock, you know, a big epic man. And she sort of, it's interesting because she in the end stops fighting the rock. She's no, don't fight against it. You know, that's not the way you're gonna...

And I found that really interesting. And suddenly her climbing improves and her enjoyment of the thing improves. And I thought, yeah, that's actually really interesting. You know, there's a great quote, which is the best climber in the world is the one that's having the most fun.

So often we're trying to, not just in climbing and lots of things, I must, can't go and smash it. It's yeah, but are you really enjoying it? And actually learning to not fight and learning to love it, remembering when you loved it is worth doing.

So that's Time on Rock by Anna Fleming. I highly recommend it. It's a good little book.


CAROLE. Can I ask, are you a climber? How did this book come in your echo chamber?


GEOFF. Yes, I am a climber.


CAROLE. Oh, I didn't know that.


GRAHAM. Yes, yes, yes. Cool. Geoff looks like a climber. He's got that sort of wiry physique right, yes. I couldn't, I can exactly, he's ropey is what I'd say.


GEOFF. Yeah, when you say look like a climber, I thought you're gonna say bruised, bleeding, because that's certainly how we end up.


GRAHAM. There is something amazing about, I mean I'm absolutely petrified of heights so I couldn't possibly climb at all, and water and ice and most things. But I do find climbing quite fascinating. And I haven't read books about it, but I've seen some amazing documentaries about climbing. And years ago, I went to see a talk by Joe Simpson, of course, who was the Touching the Void chap, which was quite an experience too.


GEOFF. Yeah, yeah, another incredible story and incredible film as well. I just want to point out as well, what I also love about Time on Rock is Touching the Void, a film you talked about, and the one Free Solo, the Alex Honnold film, which a lot of people will have seen. Most of these films are about climbing, being terrifying and death defying. That's not why we climb. And if you read Anna Fleming's book, Time on Rock, it's the same thing. You know, it's not all about Sylvester Stallone clinging on with one hand before you die. That's not why we do it.


CAROLE. That movie was terrifying. Oh, my goodness. Could you do that, though? Could you, if you suddenly, if you were clinging on with one hand, could you hoist yourself up?


GEOFF. The one arm pull up? I don't think so. Adrian! Adrian!


GRAHAM. Different movie, Geoff.


GEOFF. Anyway, Time on Rock by Anna Fleming. My pick of the week. It's a lovely book.


GRAHAM. Awesome. Carole, what's your pick of the week?


CAROLE. Mine is also a TV series, a brand new one. It's actually not even the full first series is not already out yet. It's we've still got two episodes left.

So this is on Apple TV and it's a show called Severance. And it's basically a high concept show that takes the whole concept of work-life balance and puts it to the extreme.

So you're in this office type building and you don't really know what you're doing. You're working though. And that's how the series starts.

And it turns out that our workers in this nondescript department are innies. And they're called innies because they've somehow been chemically severed from their outies themselves, but on the outside of work hours.

Is this thing to do with belly button? Yeah. Yeah.

So you go to work, you go through the elevator, and you completely forget about your life outside. And you totally focus on your crazy job that you have no idea what it is.

And then you go home at night and the person outside has no idea who your work person is. The whole idea is that they can't communicate at all or know anything about each other.

But of course, a few glitches happen in the story that causes cracks to appear and it all goes a bit nuts. Pretty great cast.

You've got Adam Scott, Patricia Arquette, John Turturro. How do you say? I'm going to say his name right. Turturro.

Turturro, yeah. Yep. And obviously the famous Christopher Walken's in it as well.

Currently, time of recording, we're on episode seven on Apple TV. So if you want to be in the know when stuff is hot, this is a time for a little binge session.


GRAHAM. It doesn't sound like a barrel of laughs, Carole. It doesn't sound like it's really jolly.


CAROLE. Well, it's not a comedy show, but it's fascinating and it's not dark. I don't think it's dark and creepy.

No? Okay. It's kind of interesting on how it's the opposite of what we've done to ourselves now, where we're carrying our work phones all the time with ourselves and their laptops and bringing our work everywhere. And we've totally meshed in.

And I think they've just turned that on its head to say, well, what would be the opposite way? And it turns out not great.

So you want to check it out? It's called Severance. It's from Apple TV. And it is my pick of the week.


GRAHAM. Marvelous. Well, that just about wraps up the show this week.

Geoff, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that and find out more about your upcoming book?


GEOFF. Oh yes, I'm on Twitter's best way. Geoff White, so G-E-O-F-F, white like the color, and 247, because I'm Geoff White 24-7.


GRAHAM. And you can follow us on Twitter at @SmashinSecurity, no G, Twitter and mouse have a G. And we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Spotify.


CAROLE. And high five to this episode's sponsors, Kolide and Keeper Security. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 267 episodes, check out smashingsecurity.com.


GRAHAM. Until next time, cheerio.


CAROLE. Bye-bye. Bye.


GEOFF. Bye.

-- TRANSCRIPT ENDS --