Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Oh yeah, because I have millions because—
Because you're a big crypto.
I'm a big crypto queen. Yeah, yeah.
Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault. Smashing Security, episode 414. Zoom, just one click and your data goes boom.
With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 414. My name's Graham Cluley.
With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 414. My name's Graham Cluley.
And I'm Carole Theriault. Before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
Zoom, just one click and your crypto went boom. Ransomware, etc.
Okay. And I'm talking biohacking, or is it? All this and much more coming up on this episode of Smashing Security.
Now, chums, Zoom, don't you just love it?
I do love Zoom. Yeah, COVID would not have been nearly as tolerable without Zoom in my book.
No, Zoom, Teams, what else is there? Google Meet. All of those things.
I don't know what I'd do without spending 5 minutes on every video call, either trying to tell someone else that they're on mute or me trying to find the unmute button myself.
I don't know what I'd do without spending 5 minutes on every video call, either trying to tell someone else that they're on mute or me trying to find the unmute button myself.
Really? That still happens?
It still happens.
That must be an age thing.
It must be.
Everyone understood that happening in the first year, 18 months of Zoom use.
No, it still happens. It still happens all the time for me. What'd be great would be, imagine you were a Zoom ninja and you knew it like the back of your hand.
Maybe you are, Carole, maybe you are a Zoom ninja. You could reach through your screen and press the unmute button on my keyboard or choose the option for me.
And that would help out people, wouldn't it? Rather than them floundering around trying to find the unmute button themselves.
Maybe you are, Carole, maybe you are a Zoom ninja. You could reach through your screen and press the unmute button on my keyboard or choose the option for me.
And that would help out people, wouldn't it? Rather than them floundering around trying to find the unmute button themselves.
I would charge quite a bit for that skill.
Would you?
Yeah.
Well, there is a feature called remote control in Zoom.
And it allows you to take control of another participant's screen during a meeting after they've given you permission, obviously.
And it allows you to take control of another participant's screen during a meeting after they've given you permission, obviously.
Screen, you mean desktop screen or Zoom settings screen?
The whole caboodle.
The whole caboodle.
So if they wanted to share something or, you know, if they wanted to highlight something in your document or on your spreadsheet.
Yeah, it may be very useful if you're talking to someone who's having a computer problem and they're not understanding your instructions. You can go, look, just give me permission.
I'll go in, I'll fix the problem. I'm out of there.
I'll go in, I'll fix the problem. I'm out of there.
Exactly, that way you can control their mouse, their keyboard. You can even copy text from their screen to yours should you wish to, you know, to fill in forms or—really handy.
You're absolutely right. If someone isn't quite as au fait as you are with what to do, and let's face it, not everyone knows how to do everything on their computer, do they?
You're absolutely right. If someone isn't quite as au fait as you are with what to do, and let's face it, not everyone knows how to do everything on their computer, do they?
Let me rephrase that. Nobody knows how to do everything on their computer.
Yeah, you're right. Doesn't matter if you're a head honcho of a firm or the HR head honcho of a firm.
Okay. I would never expect them knowing anything about computers, but okay.
Yeah, but they won't admit it normally, will they?
That's true.
There's no shame in not knowing how to do something or how to do everything with every piece of software. There's always going to be a struggle.
There's always going to be, oh, there's a new version of this that's come out. There's a new version of that. I don't know what to do. I've changed my mouse. I don't know.
You know, we can all have struggles.
There's always going to be, oh, there's a new version of this that's come out. There's a new version of that. I don't know what to do. I've changed my mouse. I don't know.
You know, we can all have struggles.
Yeah, we all have struggles, I would say.
So imagine, for instance, that you are... well, maybe you are, Carole. Maybe you are a leading light in cryptocurrency, for instance.
Yeah, you bet I am. Yeah.
Maybe you run a crypto firm, Carole.
Maybe I do.
Maybe you are an influencer riding the blockchain day and night.
Yeah. Surfing the blockchain, we call it. Yeah.
And you're flattered, aren't you?
You are flattered, very flattered when someone reaches out to you, recognising your status, your position, or maybe your company and how well you're doing in that industry.
You are flattered, very flattered when someone reaches out to you, recognising your status, your position, or maybe your company and how well you're doing in that industry.
Maybe. Yeah, I'm probably thinking, yeah. You recognise greatness.
Exactly. And maybe you've been contacted by a company like Orion Capital. They're a venture capital firm, right?
Admiring me, are they?
They're admiring you. And they send you a DM via Twitter. They say, hey, hey, hey, we'd love to chat to you about investing in your business.
Or maybe you're pinged by Bloomberg conferences and they say, you know what?
We'd really like you to speak at one of our events, or we'd like you to be interviewed by one of our reporters. Or maybe, and this frankly is the greatest flattering thing of all.
Maybe someone wants you to come on their podcast, Carole. Maybe you have been contacted by the On Chain Podcast. They've been in touch. You think, finally, I've been recognized.
They want you to be their guest on an upcoming episode. And quite frankly, you are flattered.
Or maybe you're pinged by Bloomberg conferences and they say, you know what?
We'd really like you to speak at one of our events, or we'd like you to be interviewed by one of our reporters. Or maybe, and this frankly is the greatest flattering thing of all.
Maybe someone wants you to come on their podcast, Carole. Maybe you have been contacted by the On Chain Podcast. They've been in touch. You think, finally, I've been recognized.
They want you to be their guest on an upcoming episode. And quite frankly, you are flattered.
Right. Okay.
You are flattered, but you think, it's about time.
This is what I've worked so hard for, for so many years, for this recognition.
This is the big time. This is the big one. All you have to do is click on a link to set up a time for a Zoom call.
Right.
Now, I know what you're thinking. Is the link malicious, Graham? Is it going to be one of those stories on Smashing Security this week?
I'm thinking, you know, I would never in a million years even read the email or the DM that suggested I should join the Zoom call if I didn't know the person.
So I would never be in this situation. But okay, yeah, I'd be thinking, I don't know. I don't know. Okay, so I say all that. Okay, okay, I'll play.
So I would never be in this situation. But okay, yeah, I'd be thinking, I don't know. I don't know. Okay, so I say all that. Okay, okay, I'll play.
Maybe you check out Orion Capital and you go and check out their podcast and you think, well, they have interviews with other people.
Sounds great.
Sounds great. But no, the link is not malicious, Carole. It really is a link to Calendly, which is a cloud-based scheduling platform for meetings. I'm sure many of us have used that.
Yep, I've used it.
You have to have the right time to have a call. Lots of people use that.
And before you know it, you've lined up a Zoom call with your potential new investors or the podcast host who wants to chat to you about how amazing you are and about all things cryptocurrency.
Now, I know what you're thinking. You're thinking, are they going to send you a malicious link for the Zoom call?
And before you know it, you've lined up a Zoom call with your potential new investors or the podcast host who wants to chat to you about how amazing you are and about all things cryptocurrency.
Now, I know what you're thinking. You're thinking, are they going to send you a malicious link for the Zoom call?
Are they?
They're not.
Okay.
They're not going to do that.
They are just going to send you the meeting ID number so you can enter into your own version of Zoom and dial into the Zoom call at the scheduled time to have a chat.
They are just going to send you the meeting ID number so you can enter into your own version of Zoom and dial into the Zoom call at the scheduled time to have a chat.
You mean click the link?
You can either click a link or what you get is you get a meeting ID number. You can open up Zoom and just enter in the meeting ID number.
Who does that? Who does that?
Well, you could do that, Carole.
No, but who does that? Do you ever do that?
Look, I'm not going to reveal anything about how I protect myself on my computer, but you have that option. Yes.
So they don't give me the link. They just give me the ID to plug into my Zoom. So I need to download Zoom if I don't have it already.
Presumably you have Zoom anyway. Yes.
Okay.
You're a head honcho. You're going to have Zoom installed, aren't you?
Yes.
Everyone's got Zoom, haven't they? They may not use it that often compared to Microsoft Teams or something, but everyone's got Zoom.
Okay.
Nothing malicious about this at all. It is a Zoom call via Zoom.
Okay. I'm totally with you.
So you've been invited by a VC company, Aurin Capital, or a news organization called Aurin News or Bloomberg, or you've been invited to have a chat for a podcast about the blockchain.
What could possibly go wrong? Well, as it turns out, you could be about to lose millions.
What could possibly go wrong? Well, as it turns out, you could be about to lose millions.
So, yeah, because I have millions because—
Because you're a big crypto.
I'm a big crypto queen. Yeah, yeah.
Yeah. Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault.
Yeah.
And what you're about to do is lose millions to a cybercrime gang called Elusive Comet. Okay.
And they have been doing precisely this technique to steal millions and millions of cryptocurrency.
And they have been doing precisely this technique to steal millions and millions of cryptocurrency.
How does it go from here's a Zoom call to me losing millions?
Let me explain.
Okay.
Because it's all to do with what happens on the Zoom call. And it's not that they say, hey, would you mind transferring all this cryptocurrency into our wallet? They don't do that.
What they do is they use that little-known feature hidden within Zoom called remote control.
So the video conference begins, but a member of the crime gang has also joined the meeting. And here's the really sneaky bit. They don't use their real name.
Instead, they call themselves Zoom, and they use that account called Zoom to request remote control of your screen.
And what happens is, a pop-up appears on your screen, the victim's screen, asking you to grant remote control in what looks like a regular Zoom permission request.
So the actual words are, Zoom is requesting remote control of your screen. Approve or decline?
What they do is they use that little-known feature hidden within Zoom called remote control.
So the video conference begins, but a member of the crime gang has also joined the meeting. And here's the really sneaky bit. They don't use their real name.
Instead, they call themselves Zoom, and they use that account called Zoom to request remote control of your screen.
And what happens is, a pop-up appears on your screen, the victim's screen, asking you to grant remote control in what looks like a regular Zoom permission request.
So the actual words are, Zoom is requesting remote control of your screen. Approve or decline?
Yeah. So I'd probably say decline.
But I do imagine there are many a CEO with a lot of self-importance that would just go, yeah, yeah, yeah, yeah, yeah, let me get on the call and hear more about how great I am.
But I do imagine there are many a CEO with a lot of self-importance that would just go, yeah, yeah, yeah, yeah, yeah, let me get on the call and hear more about how great I am.
But the thing is, I think a lot of people just find it habitual, especially if the app asks for permissions.
So, yeah, yeah, yeah, I just want to go on this call because I'm going to make millions and millions by appearing on this podcast.
It's going to be very successful, or I'm going to get some venture capital. This is brilliant.
Now, there's a number of people who've been targeted by the elusive Comet hacking group in this way.
Cybersecurity research consultancy Trail of Bits, their CEO, Dan Guido, he was asked to invite in what presented itself as a Bloomberg Editorial interview, and thankfully he didn't fall for it.
He said that what made the attack particularly dangerous, as I was saying, is this permission dialog and the similarity to other harmless Zoom notifications.
So the fact that people were able to join a Zoom call and call themselves Zoom was in itself really, really risky.
It was a really clever bit of social engineering because people were tricked into clicking approve because they're so used to giving approval to apps to do things.
Another victim a guy called David Z. Morris. He is the author of Dark Markets. That is a newsletter about tech and finance.
He was targeted by the elusive Comet Gang again, this time posing as Orion Capital. Now, Orion Capital positioned itself as a real company. It had a website. It's now been taken down.
They had social media accounts. They had a news agency pumping out news all the time about cryptocurrency. They even had their own podcast.
Where they were pushing all these things out. So if you just did some casual research, you might think they were real.
So, yeah, yeah, yeah, I just want to go on this call because I'm going to make millions and millions by appearing on this podcast.
It's going to be very successful, or I'm going to get some venture capital. This is brilliant.
Now, there's a number of people who've been targeted by the elusive Comet hacking group in this way.
Cybersecurity research consultancy Trail of Bits, their CEO, Dan Guido, he was asked to invite in what presented itself as a Bloomberg Editorial interview, and thankfully he didn't fall for it.
He said that what made the attack particularly dangerous, as I was saying, is this permission dialog and the similarity to other harmless Zoom notifications.
So the fact that people were able to join a Zoom call and call themselves Zoom was in itself really, really risky.
It was a really clever bit of social engineering because people were tricked into clicking approve because they're so used to giving approval to apps to do things.
Another victim a guy called David Z. Morris. He is the author of Dark Markets. That is a newsletter about tech and finance.
He was targeted by the elusive Comet Gang again, this time posing as Orion Capital. Now, Orion Capital positioned itself as a real company. It had a website. It's now been taken down.
They had social media accounts. They had a news agency pumping out news all the time about cryptocurrency. They even had their own podcast.
Where they were pushing all these things out. So if you just did some casual research, you might think they were real.
I love it. It's like podcasts. They had a podcast. That's how real they were.
Only legitimate people have podcasts. It's not like everyone and their granny has a podcast these days.
It takes 2 seconds to put a podcast together with AI these days.
I know, I know that.
I know you know that.
But there it is. It's up on Apple Podcasts and the rest of it. You know, it could be all the reassurance you need.
And when you see other people being interviewed by the podcast who maybe are figures in the world of crypto, cryptocurrency, you may think, "Oh yes, I'd like that opportunity." Now, they could have grabbed that audio from elsewhere.
Anyway, David Z.
Morris, his spider sense was tingling, and he did some reverse image searching kung fu, and that told him that something was wrong because he saw Orion Capital's website, the sort of About Us page where it talked about their staff.
He found those pictures elsewhere on the internet. But his initial thought was, well, you know, it's just a Zoom call, he thought. What's the harm in doing this?
Now, thankfully for him, the call never happened, but he learned from others that if he had joined the call, a common trick which has occurred is that the friendly VCs who've contacted him via Zoom might have pretended that they couldn't hear him, and they then tell him, oh, you know, we can't hear you properly.
Can you give us remote control to change your settings, for instance, in Zoom?
And when you see other people being interviewed by the podcast who maybe are figures in the world of crypto, cryptocurrency, you may think, "Oh yes, I'd like that opportunity." Now, they could have grabbed that audio from elsewhere.
Anyway, David Z.
Morris, his spider sense was tingling, and he did some reverse image searching kung fu, and that told him that something was wrong because he saw Orion Capital's website, the sort of About Us page where it talked about their staff.
He found those pictures elsewhere on the internet. But his initial thought was, well, you know, it's just a Zoom call, he thought. What's the harm in doing this?
Now, thankfully for him, the call never happened, but he learned from others that if he had joined the call, a common trick which has occurred is that the friendly VCs who've contacted him via Zoom might have pretended that they couldn't hear him, and they then tell him, oh, you know, we can't hear you properly.
Can you give us remote control to change your settings, for instance, in Zoom?
Sneaky!
Or otherwise, they can also say, oh, if Zoom isn't working, here's a link to a different video meeting program.
And of course, you're under pressure now because you've got an hour slot in your calendar to talk to these people. The video call isn't working.
Let's use this other software which they're recommending because there's some kind of problem with Zoom. And video calls do sometimes go very wrong, don't they?
And of course, you're under pressure now because you've got an hour slot in your calendar to talk to these people. The video call isn't working.
Let's use this other software which they're recommending because there's some kind of problem with Zoom. And video calls do sometimes go very wrong, don't they?
Well, for you, they seem to go wrong a lot, but I think that might be, again, age-related. I'm just saying.
Charming. Well, and the outcome of this, of course, is that ultimately malware is installed on your computer. Your accounts get hacked. Your cryptocurrency wallet gets stolen.
Researchers at Smashing Security Alliance, they've been looking into this Zoom attack technique and the activities of Elusive Comet, they're advising everyone, do your due diligence to make sure that you're only communicating with legitimate profiles and not—
Researchers at Smashing Security Alliance, they've been looking into this Zoom attack technique and the activities of Elusive Comet, they're advising everyone, do your due diligence to make sure that you're only communicating with legitimate profiles and not—
Oh, come on. I can't even believe you're saying this.
Well, okay, why?
Are you serious? Look at how, look at all the effort they've gone in to try and screw with you. They've got a podcast, Graham. You even mentioned the podcast.
How are people supposed to detect that a company is a fraud if they have a podcast?
How are people supposed to detect that a company is a fraud if they have a podcast?
In which case, in which case, you might be wise to go into your Zoom settings and disable this remote control functionality entirely.
Okay. How do I do that? Let me just check right now.
Links in the show notes.
Oh, right.
To do that.
Okay then.
Now, some people might need them for accessibility reasons.
If you have some kind of disability or problem with your computer, it may be that you have a legitimate need to have that, in which case, obviously, you have to be very, very careful who you approve to allow access to use that remote control functionality.
If you have some kind of disability or problem with your computer, it may be that you have a legitimate need to have that, in which case, obviously, you have to be very, very careful who you approve to allow access to use that remote control functionality.
Yeah. Sneaky, though.
It's very sneaky. Carole, what's your story this week?
I want to talk to you about a guy called Brian Johnson. Have you heard of him? You may have heard of him. He's notably known for being the founder, chairman, and CEO of Braintree.
Oh, I have heard of this chap.
Okay. Okay.
He's a billionaire or something.
Yeah, we're going to get to all that.
Okay. All right.
So do you know Braintree?
In Essex? Yes.
No, no. Braintree. So they're known for mobile and web payment systems for e-commerce companies.
Right.
Now, Braintree acquired Venmo. This is way back in 2012.
Yeah.
For $25 million USD.
And Venmo's a payment thing, isn't it?
Payment app, exactly. And the very next year, this combined entity, Braintree plus Venmo, was scooped up by PayPal, then owned by eBay, for a sweet $800 million.
Yep.
And if you had to guess who might have received the biggest slab of this money cake, you're probably thinking the founder, chairman, and CEO, Brian Johnson.
Yeah, you'd think so, yeah.
Yeah, Time magazine published that Johnson walked away from the sale of Braintree Venmo with more than $300 million. So not bad.
Now, this was 12 years ago, and I'm sure Johnson had a rollicking good time spending some of his millions. But even that must get dull.
How many Armani suits can a man get excited about?
Now, this was 12 years ago, and I'm sure Johnson had a rollicking good time spending some of his millions. But even that must get dull.
How many Armani suits can a man get excited about?
None, in my experience.
But if you imagine— if you imagine you were very, very, very loaded. Not a little bit loaded, but very loaded. And you feel lucky. You feel smart. You feel strong.
Yes.
You want this to go on forever.
Yeah, yeah, yeah.
It's fun being the kingpin of the pond. But you know, you need something to motivate you because you need to feel alive, Graham.
Yes. Alive. Oh, that would be wonderful.
So what do you do? You could try and save the world from the Zika virus à la Microsoft guy Bill Gates.
Thank you, Bill.
Yes, thank you, Bill. You put up with a lot of grief trying to do that. Put a car in space and play high-ranking bureau twat. Sorry, bureau quat.
Bureau quat.
Bureau quat.
There we are. We got there.
Or perhaps you do what Johnson did 4 years ago when he launched his anti-aging effort that he refers to as Project Blueprint.
And this is where the term I've been bandying around, biohacker, comes in. Okay? It seems to refer to extreme anti-aging practices.
I don't think eating 5 a day or drinking just on the weekend would get you anywhere near the label biohacker, right? It's a little bit more extreme.
And this is where the term I've been bandying around, biohacker, comes in. Okay? It seems to refer to extreme anti-aging practices.
I don't think eating 5 a day or drinking just on the weekend would get you anywhere near the label biohacker, right? It's a little bit more extreme.
Yeah.
A few things about Johnson and his Project Blueprint. It's backed by an annual budget of $2 million dedicated to turning back his biological clock.
Oh, just specifically his?
Yep. Oh, yeah. It's all about him. He's kind of his very own lab rat.
Right. Okay. Right.
Johnson says he follows a strict dietary and lifestyle regimen, right, in pursuit of life extension. So things like after he wakes, he does audio and hair therapy.
What?
Before taking 50-odd pills with an energy drink he calls the Green Giant.
Right. Okay.
He's received plasma infusions from his 17-year-old son. All in the name of trying to achieve more youth.
Oh, lucky son.
He has posted something titled How I'm De-Aging My Penis, in which he points out ways to improve nighttime erections and reveals how he measures penis health.
Among the list were semen analyzations and ultrasound-based blood flow testing.
And he then claimed that Botox and shock therapy lowered his nighttime erection biological age to around 20.
Among the list were semen analyzations and ultrasound-based blood flow testing.
And he then claimed that Botox and shock therapy lowered his nighttime erection biological age to around 20.
Does he use Botox to make it less wrinkly? Is that how he de-ages it?
Well, maybe because he says his nighttime erections, the length of the Titanic, and his boners clock in at 3 hours and 14 minutes. Let's just pause to consider that.
Does that mean it's unsinkable?
At least while he's snoozing, it seems to be. On his very own YouTube channel, Johnson professes—
I don't want to see any of this on YouTube, Carole. No links in the show notes, I hope.
I'm just going to read a snippet of his about me because it's written in the third person. I don't know, do you do that? Do you write snippets as though you're a third party?
Not normally, but sometimes people will ask, you know, can you send us a bio of yourself or something?
So you don't just go, I'm Graham. Well, he does a similar thing. He goes through his Project Blueprint.
The 45, now 47, but at the time 45-year-old Johnson has achieved metabolic health equal to the top 1.5% of 18-year-olds.
Inflammation 66% lower than the average 10-year-old and reduced his speed of aging by the equivalent of 31 years. Now let's pause.
I'll say right now that Johnson's claims are not universally accepted.
It might be better to see him as a rich guy needing to do wacky shit in front of an audience and win at something. Maybe, maybe, I don't know.
Blueprint, I should mention, is also a company, one that sells health supplements, blood testing equipment, and other products tied to his personal diet and restrictions.
So he's also trying to, I guess, claw back some of that $2 million that he's put in to analyzing himself.
The 45, now 47, but at the time 45-year-old Johnson has achieved metabolic health equal to the top 1.5% of 18-year-olds.
Inflammation 66% lower than the average 10-year-old and reduced his speed of aging by the equivalent of 31 years. Now let's pause.
I'll say right now that Johnson's claims are not universally accepted.
It might be better to see him as a rich guy needing to do wacky shit in front of an audience and win at something. Maybe, maybe, I don't know.
Blueprint, I should mention, is also a company, one that sells health supplements, blood testing equipment, and other products tied to his personal diet and restrictions.
So he's also trying to, I guess, claw back some of that $2 million that he's put in to analyzing himself.
It sounds like he's spending an awfully large amount of his day working on this, so he might as well turn it into his career, I suppose.
Monetize it. Yeah, that's what he's doing. So to me, it all sounds a little bit bonkers, right?
And you would think that if he's as bonkers as he might seem, there would be people that have worked with him, people that have partied with him at Brigham Young, his alma mater, people that dated him, that these people would be spilling some beans, right?
Is there perhaps a different version of the truth than the one Johnson is peddling? But I just couldn't find much dissent, unless there's nothing to hide.
And you would think that if he's as bonkers as he might seem, there would be people that have worked with him, people that have partied with him at Brigham Young, his alma mater, people that dated him, that these people would be spilling some beans, right?
Is there perhaps a different version of the truth than the one Johnson is peddling? But I just couldn't find much dissent, unless there's nothing to hide.
Unless he has no friends at all, of course.
Sure, and he does nothing with nobody. He said he's a hermit, right? But what if I told you that Johnson, since 2020, has found a way to play master controller of the narrative?
How would one do that, do you think? How would you be master controller of your narrative?
How would one do that, do you think? How would you be master controller of your narrative?
A big legal team.
Yeah, confidentiality agreements, right? So basically, it seems he wanted his online persona and private one to be very separate indeed.
No need for his 4 million-odd subscribers on his social channels to know that he dropped acid with a date. But how to ensure that?
Well, whip out an NDA for her to sign before you drop the stuff.
No need for his people to know that he dumped his fiancée and fired her from one of his startups when he found out that she had stage 3 breast cancer.
It's not going to look good with his whole business, is it, really?
No need for his 4 million-odd subscribers on his social channels to know that he dropped acid with a date. But how to ensure that?
Well, whip out an NDA for her to sign before you drop the stuff.
No need for his people to know that he dumped his fiancée and fired her from one of his startups when he found out that she had stage 3 breast cancer.
It's not going to look good with his whole business, is it, really?
Allegedly, allegedly, allegedly, allegedly, allegedly. Can we— sounds like he's got a lot of money to sue people, Carole Theriault. Let's just remember that, shall we?
But I'm more interested in his work ethic. You see, a blueprint employment agreement with confidentiality terms at his company was 20 pages long, listing dozens of restrictions.
Some had to sign up to 3 separate agreements. And this is a company of about 30 employees.
Some had to sign up to 3 separate agreements. And this is a company of about 30 employees.
Wow.
Now, this is all according to The New York Times.
One was a rather unusual opt-in agreement, which is not a confidentiality contract, but does aim to protect the company from things like lawsuits.
And so this was sent to employees by email with instructions to sign as normal. Allegedly, allegedly. So under this agreement, employees had to attest that they were okay with Mr.
Johnson wearing little and sometimes no clothing. Oh, no underwear.
They also had to agree that his behavior was not unwelcome, offensive, humiliating, hostile, triggering, unprofessional, or abusive.
They also had to attest that they were okay with hearing discussions of sexual activities, including erections. Now we know from earlier that big boners are a big deal in his world.
And it was sent to them under the guise of here's just another thing you got to sign. So imagine having to agree to that prior to said behaviors, sign this, now I'll fart on you.
You can't do anything.
One was a rather unusual opt-in agreement, which is not a confidentiality contract, but does aim to protect the company from things like lawsuits.
And so this was sent to employees by email with instructions to sign as normal. Allegedly, allegedly. So under this agreement, employees had to attest that they were okay with Mr.
Johnson wearing little and sometimes no clothing. Oh, no underwear.
They also had to agree that his behavior was not unwelcome, offensive, humiliating, hostile, triggering, unprofessional, or abusive.
They also had to attest that they were okay with hearing discussions of sexual activities, including erections. Now we know from earlier that big boners are a big deal in his world.
And it was sent to them under the guise of here's just another thing you got to sign. So imagine having to agree to that prior to said behaviors, sign this, now I'll fart on you.
You can't do anything.
Charming.
And it turns out that his practices, including asking people to volunteer in a study, and by volunteer, apparently got them to pay $2,000-odd for the honor rather than follow clinical practices where people are chosen at random.
60% of people apparently, according to secret filings that The New York Times saw, suffered at least one side effect.
And he's released a documentary last year about his anti-aging venture where he claims that his age has reversed by 5.1 years.
But an internal range of studies on his health show his bioage had increased by as much as 10 years.
60% of people apparently, according to secret filings that The New York Times saw, suffered at least one side effect.
And he's released a documentary last year about his anti-aging venture where he claims that his age has reversed by 5.1 years.
But an internal range of studies on his health show his bioage had increased by as much as 10 years.
You can de-age yourself just by getting a haircut, can't you? I mean, 5 years, that sounds a bit feeble.
Yeah, I call it the blur function on Zoom.
But my point is this, my point is this: employees did not feel they could share the findings or the set of rules they had to live by because they had signed their rights away.
But my point is this, my point is this: employees did not feel they could share the findings or the set of rules they had to live by because they had signed their rights away.
Right.
And this is while he walks around half naked barking orders about nudging his pill popping routine.
Allegedly.
Allegedly. Now, I wonder how many companies are pushing the boundaries with what they can include in the small print in the agreements.
Because as you say, people rarely read them, despite my many reminders over the years. So why wouldn't companies have a crack at it?
And it seems these types of clauses are meant to isolate the employees so they can't even talk with other employees or friends or family about what concerns them, what they're involved in at work, you know, what a sham the whole thing might be.
And I wanted your opinion on something.
So, would you advise people about to sign contracts to maybe try AI, like a general or maybe even legal-focused AI, to isolate sections that might be contentious?
Because as you say, people rarely read them, despite my many reminders over the years. So why wouldn't companies have a crack at it?
And it seems these types of clauses are meant to isolate the employees so they can't even talk with other employees or friends or family about what concerns them, what they're involved in at work, you know, what a sham the whole thing might be.
And I wanted your opinion on something.
So, would you advise people about to sign contracts to maybe try AI, like a general or maybe even legal-focused AI, to isolate sections that might be contentious?
Oh, I think you've got to be careful about that.
Okay.
Ideally, you get someone knowledgeable to look at it. If you don't trust—
It costs a lot of wonga.
Yeah, well, if you don't have a friend who's got that kind of brain and you don't feel that you can do it yourself, then you're right. It could cost you a lot of money, couldn't it?
But the problem with sharing these things with the AI sometimes is both the AI may not be reliable, but also that you're sharing potentially confidential information with a large language model, which may learn things from it and spit them out again later.
So I'd be nervous of it, frankly.
I was having some conversations over the last week or so with people in my normal, non-tech life, and it's staggering how many people are using AI for everything in day-to-day life now.
But the problem with sharing these things with the AI sometimes is both the AI may not be reliable, but also that you're sharing potentially confidential information with a large language model, which may learn things from it and spit them out again later.
So I'd be nervous of it, frankly.
I was having some conversations over the last week or so with people in my normal, non-tech life, and it's staggering how many people are using AI for everything in day-to-day life now.
So Johnson might be feeling the wobble right now because it sounds like it might be perhaps, perhaps, allegedly, allegedly a house of cards.
And there seems to be a bit of internal whistleblowing going on that's gaining momentum. The guy also just announced his own religion, though. It's called Don't Die.
Says it'll save the human race, which, you know.
And there seems to be a bit of internal whistleblowing going on that's gaining momentum. The guy also just announced his own religion, though. It's called Don't Die.
Says it'll save the human race, which, you know.
Well, yeah, probably would, wouldn't it?
Might be in the name.
Yeah. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A,.com/smashing. And thanks to Vanta for sponsoring Smashing Security.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A,.com/smashing. And thanks to Vanta for sponsoring Smashing Security.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.
It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, Carole, my Pick of the Week this week is not security-related.
My Pick of the Week this week is, well, I wonder if you remember a while back I recommended an e-reader that I'd bought, the Kobo Clara BW e-reader.
My Pick of the Week this week is, well, I wonder if you remember a while back I recommended an e-reader that I'd bought, the Kobo Clara BW e-reader.
Oh!
For reading ebooks.
I know someone who's looking to potentially upgrade their Kobo, and I know nothing about them. So I forgot about that completely that you mentioned that.
Ah, yes. So I'm very happy with it. It's like a Kindle, but it's not tied to Amazon. It comes from another company and isn't stuck with them.
And I think you mentioned, Carole, that your mum has a Kobo e-reader as well, but she found the user interface a bit of a challenge.
And I think you mentioned, Carole, that your mum has a Kobo e-reader as well, but she found the user interface a bit of a challenge.
Or it might have been me finding it really difficult to use as well.
Well, I was interested in how I could tweak the Kobo to do some extra stuff, and I stumbled across a piece of open-source software that I could install on it, and you can install on a Kindle as well.
So it doesn't just work on Kobos, it also works on Kindle, and it is called KOReader, or KOReader with a K. And essentially it makes your e-reader more capable.
So it handles more ebook formats. You can tweak the user interface in a gazillion different ways to be exactly what you like. The pages turn faster.
There's things which you don't like, you can turn off all of these extra things. It's a completely new user interface.
It isn't just tweaking the existing user interface on your e-reader. It's giving you a whole new user interface.
So it doesn't just work on Kobos, it also works on Kindle, and it is called KOReader, or KOReader with a K. And essentially it makes your e-reader more capable.
So it handles more ebook formats. You can tweak the user interface in a gazillion different ways to be exactly what you like. The pages turn faster.
There's things which you don't like, you can turn off all of these extra things. It's a completely new user interface.
It isn't just tweaking the existing user interface on your e-reader. It's giving you a whole new user interface.
Yeah. Can I ask a question?
Yeah, sure.
My experience with the Kobo and trying to get someone hooked up to their library with it, because I was talking about on the show, was using OverDrive, I think it was called.
That's right. OverDrive. Yes.
Is that the only way you can do it? Because that was really difficult. It's a bit clunky, the experience I had with it, trying to install it.
It's much more flexible with KOReader in my experience.
Oh, interesting.
You can just plug your e-reader into your computer and copy over books to then read them on your e-reader.
If you have a piece of software called Calibre, which is another freely available piece of software, and set it up correctly, you can even do this wirelessly as well.
So just updating a directory on your computer will automatically update your e-reader as well. Anyway, my experience has been great.
I've been tinkering with my fonts, I've been installing my own, I've been changing the user interface, I've been more easily sideloading books, and it's been great.
And I've been most recently reading a book called Killing Thatcher on my e-reader by Guardian reporter Rory Carroll.
It's a really gripping book about the 1984 bombing by the Provisional IRA of the Grand Hotel in Brighton, where Margaret Thatcher and the British cabinet were staying for a party conference.
Really interesting book.
Talks about the resurgence of the IRA during the '70s, the assassination of Lord Mountbatten, as well as, of course, the background to the Brighton bombing, as well as its aftermath.
So I would recommend that book as well. But my pick of the week is KOReader, and I hope you find it useful. Cool, Carole, what's your pick of the week?
If you have a piece of software called Calibre, which is another freely available piece of software, and set it up correctly, you can even do this wirelessly as well.
So just updating a directory on your computer will automatically update your e-reader as well. Anyway, my experience has been great.
I've been tinkering with my fonts, I've been installing my own, I've been changing the user interface, I've been more easily sideloading books, and it's been great.
And I've been most recently reading a book called Killing Thatcher on my e-reader by Guardian reporter Rory Carroll.
It's a really gripping book about the 1984 bombing by the Provisional IRA of the Grand Hotel in Brighton, where Margaret Thatcher and the British cabinet were staying for a party conference.
Really interesting book.
Talks about the resurgence of the IRA during the '70s, the assassination of Lord Mountbatten, as well as, of course, the background to the Brighton bombing, as well as its aftermath.
So I would recommend that book as well. But my pick of the week is KOReader, and I hope you find it useful. Cool, Carole, what's your pick of the week?
I have a book as my pick of the week.
Super.
A noble work called The Urge: Our History of Addiction by Carl Erik Fisher, and it was published a few years ago, 2022.
It was named best book of the year by The New Yorker and The Boston Globe. So I dove in without much context. But the author is an addiction psychiatrist and also an addict.
And wanting to learn more about his own addiction, he turned to learning about addiction's history and the century-old struggle to manage and treat addictive behaviors.
It took him a decade to pull this book together. And it's so good because it's woven between snippets of his own personal dealings with his demons that almost destroy him.
He also then looks at conditions and treatments over the decades, some that produced relief, sometimes shamed people, and sometimes made things much, much worse.
Sometimes did all three. So anyway, it's a great work. It's written with heart, compassion, commitment, and worth a look if you or someone you love struggles with addiction.
That's The Urge: Our History of Addiction by Carl Erik Fisher. That is my pick of the week.
It was named best book of the year by The New Yorker and The Boston Globe. So I dove in without much context. But the author is an addiction psychiatrist and also an addict.
And wanting to learn more about his own addiction, he turned to learning about addiction's history and the century-old struggle to manage and treat addictive behaviors.
It took him a decade to pull this book together. And it's so good because it's woven between snippets of his own personal dealings with his demons that almost destroy him.
He also then looks at conditions and treatments over the decades, some that produced relief, sometimes shamed people, and sometimes made things much, much worse.
Sometimes did all three. So anyway, it's a great work. It's written with heart, compassion, commitment, and worth a look if you or someone you love struggles with addiction.
That's The Urge: Our History of Addiction by Carl Erik Fisher. That is my pick of the week.
Terrific. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't have us.
And don't forget to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
And thank you to our episode sponsors, 1Password and Vanta, and to our wonderful Patreon community. It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 413 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 413 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye. Graham?
Yes?
Do you see in the notes I put a picture of Mr. Johnson? Do you see his little pic there?
I think he looks better before.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Elusive Comet advisory – Security Alliance.
- Mitigating Elusive Comet Zoom remote control attacks – Trail of Bits.
- Aureon Capital: The Fake VCs who Almost Hacked Me – David Z Morris.
- Requesting or giving Remote Control – Zoom knowledgebase article.
- Has Bryan Johnson’s anti-aging experiment backfired? Biohacker spending $2 million-a-year admits to a costly misstep – Economic Times.
- How Blueprint Founder Bryan Johnson Sought Control Via Confidentiality Agreements – The New York Times.
- Anti-aging mogul Bryan Johnson claims NY Times preparing ‘hit piece’ about alleged use of prostitutes, drugs – NY Post.
- KOReader – document reader for E Ink devices.
- Killing Thatcher: The IRA, the Manhunt and the Long War on the Crown – Bookshop.org.
- The Urge – Our history of addiction by Carl Erik Fisher.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
