Smashing Security podcast #414: Zoom.. just one click and your data goes boom!

Industry veterans, chatting about computer security and online privacy.

Graham Cluley
Zoom.. just one click and your data goes boom!

Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Oh yeah, because I have millions because—
GRAHAM CLULEY
Because you're a big crypto.
CAROLE THERIAULT
I'm a big crypto queen. Yeah, yeah.
GRAHAM CLULEY
Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault. Smashing Security, episode 414. Zoom, just one click and your data goes boom.

With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 414. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault. Before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Zoom, just one click and your crypto went boom. Ransomware, etc.
CAROLE THERIAULT
Okay. And I'm talking biohacking, or is it? All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, Zoom, don't you just love it?
CAROLE THERIAULT
I do love Zoom. Yeah, COVID would not have been nearly as tolerable without Zoom in my book.
GRAHAM CLULEY
No, Zoom, Teams, what else is there? Google Meet. All of those things.

I don't know what I'd do without spending 5 minutes on every video call, either trying to tell someone else that they're on mute or me trying to find the unmute button myself.
CAROLE THERIAULT
Really? That still happens?
GRAHAM CLULEY
It still happens.
CAROLE THERIAULT
That must be an age thing.
GRAHAM CLULEY
It must be.
CAROLE THERIAULT
Everyone understood that happening in the first year, 18 months of Zoom use.
GRAHAM CLULEY
No, it still happens. It still happens all the time for me. What'd be great would be, imagine you were a Zoom ninja and you knew it like the back of your hand.

Maybe you are, Carole, maybe you are a Zoom ninja. You could reach through your screen and press the unmute button on my keyboard or choose the option for me.

And that would help out people, wouldn't it? Rather than them floundering around trying to find the unmute button themselves.
CAROLE THERIAULT
I would charge quite a bit for that skill.
GRAHAM CLULEY
Would you?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Well, there is a feature called remote control in Zoom.

And it allows you to take control of another participant's screen during a meeting after they've given you permission, obviously.
CAROLE THERIAULT
Screen, you mean desktop screen or Zoom settings screen?
GRAHAM CLULEY
The whole caboodle.
CAROLE THERIAULT
The whole caboodle.
GRAHAM CLULEY
So if they wanted to share something or, you know, if they wanted to highlight something in your document or on your spreadsheet.
CAROLE THERIAULT
Yeah, it may be very useful if you're talking to someone who's having a computer problem and they're not understanding your instructions. You can go, look, just give me permission.

I'll go in, I'll fix the problem. I'm out of there.
GRAHAM CLULEY
Exactly, that way you can control their mouse, their keyboard. You can even copy text from their screen to yours should you wish to, you know, to fill in forms or—really handy.

You're absolutely right. If someone isn't quite as au fait as you are with what to do, and let's face it, not everyone knows how to do everything on their computer, do they?
CAROLE THERIAULT
Let me rephrase that. Nobody knows how to do everything on their computer.
GRAHAM CLULEY
Yeah, you're right. Doesn't matter if you're a head honcho of a firm or the HR head honcho of a firm.
CAROLE THERIAULT
Okay. I would never expect them to know anything about computers, but okay.
GRAHAM CLULEY
Yeah, but they won't admit it normally, will they?
CAROLE THERIAULT
That's true.
GRAHAM CLULEY
There's no shame in not knowing how to do something or how to do everything with every piece of software. There's always going to be a struggle.

There's always going to be, oh, there's a new version of this that's come out. There's a new version of that. I don't know what to do. I've changed my mouse. I don't know.

You know, we can all have struggles.
CAROLE THERIAULT
Yeah, we all have struggles, I would say.
GRAHAM CLULEY
So imagine, for instance, that you are... well, maybe you are, Carole. Maybe you are a leading light in cryptocurrency, for instance.
CAROLE THERIAULT
Yeah, you bet I am. Yeah.
GRAHAM CLULEY
Maybe you run a crypto firm, Carole.
CAROLE THERIAULT
Maybe I do.
GRAHAM CLULEY
Maybe you are an influencer riding the blockchain day and night.
CAROLE THERIAULT
Yeah. Surfing the blockchain, we call it. Yeah.
GRAHAM CLULEY
And you're flattered, aren't you?

You are flattered, very flattered when someone reaches out to you, recognising your status, your position, or maybe your company and how well you're doing in that industry.
CAROLE THERIAULT
Maybe. Yeah, I'm probably thinking, yeah. You recognise greatness.
GRAHAM CLULEY
Exactly. And maybe you've been contacted by a company like Orion Capital. They're a venture capital firm, right?
CAROLE THERIAULT
Admiring me, are they?
GRAHAM CLULEY
They're admiring you. And they send you a DM via Twitter. They say, hey, hey, hey, we'd love to chat to you about investing in your business.

Or maybe you're pinged by Bloomberg conferences and they say, you know what?

We'd really like you to speak at one of our events, or we'd like you to be interviewed by one of our reporters. Or maybe, and this frankly is the greatest flattering thing of all.

Maybe someone wants you to come on their podcast, Carole. Maybe you have been contacted by the On Chain Podcast. They've been in touch. You think, finally, I've been recognized.

They want you to be their guest on an upcoming episode. And quite frankly, you are flattered.
CAROLE THERIAULT
Right. Okay.
GRAHAM CLULEY
You are flattered, but you think, it's about time.
CAROLE THERIAULT
This is what I've worked so hard for, for so many years, for this recognition.
GRAHAM CLULEY
This is the big time. This is the big one. All you have to do is click on a link to set up a time for a Zoom call.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Now, I know what you're thinking. Is the link malicious, Graham? Is it going to be one of those stories on Smashing Security this week?
CAROLE THERIAULT
I'm thinking, you know, I would never in a million years even read the email or the DM that suggested I should join the Zoom call if I didn't know the person.

So I would never be in this situation. But okay, yeah, I'd be thinking, I don't know. I don't know. Okay, so I say all that. Okay, okay, I'll play.
GRAHAM CLULEY
Maybe you check out Orion Capital and you go and check out their podcast and you think, well, they have interviews with other people.
CAROLE THERIAULT
Sounds great.
GRAHAM CLULEY
Sounds great. But no, the link is not malicious, Carole. It really is a link to Calendly, which is a cloud-based scheduling platform for meetings. I'm sure many of us have used that.
CAROLE THERIAULT
Yep, I've used it.
GRAHAM CLULEY
You have to have the right time to have a call. Lots of people use that.

And before you know it, you've lined up a Zoom call with your potential new investors or the podcast host who wants to chat to you about how amazing you are and about all things cryptocurrency.

Now, I know what you're thinking. You're thinking, are they going to send you a malicious link for the Zoom call?
CAROLE THERIAULT
Are they?
GRAHAM CLULEY
They're not.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
They're not going to do that.

They are just going to send you the meeting ID number so you can enter into your own version of Zoom and dial into the Zoom call at the scheduled time to have a chat.
CAROLE THERIAULT
You mean click the link?
GRAHAM CLULEY
You can either click a link or what you get is you get a meeting ID number. You can open up Zoom and just enter in the meeting ID number.
CAROLE THERIAULT
Who does that? Who does that?
GRAHAM CLULEY
Well, you could do that, Carole.
CAROLE THERIAULT
No, but who does that? Do you ever do that?
GRAHAM CLULEY
Look, I'm not going to reveal anything about how I protect myself on my computer, but you have that option. Yes.
CAROLE THERIAULT
So they don't give me the link. They just give me the ID to plug into my Zoom. So I need to download Zoom if I don't have it already.
GRAHAM CLULEY
Presumably you have Zoom anyway. Yes.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
You're a head honcho. You're going to have Zoom installed, aren't you?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Everyone's got Zoom, haven't they? They may not use it that often compared to Microsoft Teams or something, but everyone's got Zoom.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Nothing malicious about this at all. It is a Zoom call via Zoom.
CAROLE THERIAULT
Okay. I'm totally with you.
GRAHAM CLULEY
So you've been invited by a VC company, Orion Capital, or a news organization called Orion News or Bloomberg, or you've been invited to have a chat for a podcast about the blockchain.

What could possibly go wrong? Well, as it turns out, you could be about to lose millions.
CAROLE THERIAULT
So, yeah, because I have millions because—
GRAHAM CLULEY
Because you're a big crypto.
CAROLE THERIAULT
I'm a big crypto queen. Yeah, yeah.
GRAHAM CLULEY
Yeah. Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And what you're about to do is lose millions to a cybercrime gang called Elusive Comet. Okay.

And they have been doing precisely this technique to steal millions and millions of cryptocurrency.
CAROLE THERIAULT
How does it go from here's a Zoom call to me losing millions?
GRAHAM CLULEY
Let me explain.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Because it's all to do with what happens on the Zoom call. And it's not that they say, hey, would you mind transferring all this cryptocurrency into our wallet? They don't do that.

What they do is they use that little-known feature hidden within Zoom called remote control.

So the video conference begins, but a member of the crime gang has also joined the meeting. And here's the really sneaky bit. They don't use their real name.

Instead, they call themselves Zoom, and they use that account called Zoom to request remote control of your screen.

And what happens is, a pop-up appears on your screen, the victim's screen, asking you to grant remote control in what looks like a regular Zoom permission request.

So the actual words are, Zoom is requesting remote control of your screen. Approve or decline?
CAROLE THERIAULT
Yeah. So I'd probably say decline.

But I do imagine there are many a CEO with a lot of self-importance that would just go, yeah, yeah, yeah, yeah, yeah, let me get on the call and hear more about how great I am.
GRAHAM CLULEY
But the thing is, I think a lot of people just find it habitual, especially if the app asks for permissions.

So, yeah, yeah, yeah, I just want to go on this call because I'm going to make millions and millions by appearing on this podcast.

It's going to be very successful, or I'm going to get some venture capital. This is brilliant.

Now, there's a number of people who've been targeted by the Elusive Comet hacking group in this way.

Cybersecurity research consultancy Trail of Bits, their CEO, Dan Guido, he was invited to what presented itself as a Bloomberg editorial interview, and thankfully he didn't fall for it.

He said that what made the attack particularly dangerous, as I was saying, is this permission dialog and the similarity to other harmless Zoom notifications.

So the fact that people were able to join a Zoom call and call themselves Zoom was in itself really, really risky.

It was a really clever bit of social engineering because people were tricked into clicking approve because they're so used to giving approval to apps to do things.

Another victim, a guy called David Z. Morris. He is the author of Dark Markets. That is a newsletter about tech and finance.

He was targeted by the Elusive Comet gang again, this time posing as Orion Capital. Now, Orion Capital positioned itself as a real company. It had a website. It's now been taken down.

They had social media accounts. They had a news agency pumping out news all the time about cryptocurrency. They even had their own podcast.

Where they were pushing all these things out. So if you just did some casual research, you might think they were real.
CAROLE THERIAULT
I love it. It's like podcasts. They had a podcast. That's how real they were.
GRAHAM CLULEY
Only legitimate people have podcasts. It's not like everyone and their granny has a podcast these days.
CAROLE THERIAULT
It takes 2 seconds to put a podcast together with AI these days.
GRAHAM CLULEY
I know, I know that.
CAROLE THERIAULT
I know you know that.
GRAHAM CLULEY
But there it is. It's up on Apple Podcasts and the rest of it. You know, it could be all the reassurance you need.

And when you see other people being interviewed by the podcast who maybe are figures in the world of crypto, cryptocurrency, you may think, "Oh yes, I'd like that opportunity." Now, they could have grabbed that audio from elsewhere.

Anyway, David Z. Morris, his spider sense was tingling, and he did some reverse image searching kung fu, and that told him that something was wrong because he saw Orion Capital's website, the sort of About Us page where it talked about their staff.

He found those pictures elsewhere on the internet. But his initial thought was, well, you know, it's just a Zoom call, he thought. What's the harm in doing this?

Now, thankfully for him, the call never happened, but he learned from others that if he had joined the call, a common trick which has occurred is that the friendly VCs who've contacted him via Zoom might have pretended that they couldn't hear him, and they then tell him, oh, you know, we can't hear you properly.

Can you give us remote control to change your settings, for instance, in Zoom?
CAROLE THERIAULT
Sneaky!
GRAHAM CLULEY
Or otherwise, they can also say, oh, if Zoom isn't working, here's a link to a different video meeting program.

And of course, you're under pressure now because you've got an hour slot in your calendar to talk to these people. The video call isn't working.

Let's use this other software which they're recommending because there's some kind of problem with Zoom. And video calls do sometimes go very wrong, don't they?
CAROLE THERIAULT
Well, for you, they seem to go wrong a lot, but I think that might be, again, age-related. I'm just saying.
GRAHAM CLULEY
Charming. Well, and the outcome of this, of course, is that ultimately malware is installed on your computer. Your accounts get hacked. Your cryptocurrency wallet gets stolen.

Researchers at Smashing Security Alliance, they've been looking into this Zoom attack technique and the activities of Elusive Comet, they're advising everyone, do your due diligence to make sure that you're only communicating with legitimate profiles and not—
CAROLE THERIAULT
Oh, come on. I can't even believe you're saying this.
GRAHAM CLULEY
Well, okay, why?
CAROLE THERIAULT
Are you serious? Look at how, look at all the effort they've gone in to try and screw with you. They've got a podcast, Graham. You even mentioned the podcast.

How are people supposed to detect that a company is a fraud if they have a podcast?
GRAHAM CLULEY
In which case, in which case, you might be wise to go into your Zoom settings and disable this remote control functionality entirely.
CAROLE THERIAULT
Okay. How do I do that? Let me just check right now.
GRAHAM CLULEY
Links in the show notes.
CAROLE THERIAULT
Oh, right.
GRAHAM CLULEY
To do that.
CAROLE THERIAULT
Okay then.
GRAHAM CLULEY
Now, some people might need them for accessibility reasons.

If you have some kind of disability or problem with your computer, it may be that you have a legitimate need to have that, in which case, obviously, you have to be very, very careful who you approve to allow access to use that remote control functionality.
CAROLE THERIAULT
Yeah. Sneaky, though.
GRAHAM CLULEY
It's very sneaky. Carole, what's your story this week?
CAROLE THERIAULT
I want to talk to you about a guy called Bryan Johnson. Have you heard of him? You may have heard of him. He's notably known for being the founder, chairman, and CEO of Braintree.
GRAHAM CLULEY
Oh, I have heard of this chap.
CAROLE THERIAULT
Okay. Okay.
GRAHAM CLULEY
He's a billionaire or something.
CAROLE THERIAULT
Yeah, we're going to get to all that.
GRAHAM CLULEY
Okay. All right.
CAROLE THERIAULT
So do you know Braintree?
GRAHAM CLULEY
In Essex? Yes.
CAROLE THERIAULT
No, no. Braintree. So they're known for mobile and web payment systems for e-commerce companies.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Now, Braintree acquired Venmo. This is way back in 2012.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
For $25 million USD.
GRAHAM CLULEY
And Venmo's a payment thing, isn't it?
CAROLE THERIAULT
Payment app, exactly. And the very next year, this combined entity, Braintree plus Venmo, was scooped up by PayPal, then owned by eBay, for a sweet $800 million.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
And if you had to guess who might have received the biggest slab of this money cake, you're probably thinking the founder, chairman, and CEO, Bryan Johnson.
GRAHAM CLULEY
Yeah, you'd think so, yeah.
CAROLE THERIAULT
Yeah, Time magazine published that Johnson walked away from the sale of Braintree Venmo with more than $300 million. So not bad.

Now, this was 12 years ago, and I'm sure Johnson had a rollicking good time spending some of his millions. But even that must get dull.

How many Armani suits can a man get excited about?
GRAHAM CLULEY
None, in my experience.
CAROLE THERIAULT
But if you imagine— if you imagine you were very, very, very loaded. Not a little bit loaded, but very loaded. And you feel lucky. You feel smart. You feel strong.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
You want this to go on forever.
GRAHAM CLULEY
Yeah, yeah, yeah.
CAROLE THERIAULT
It's fun being the kingpin of the pond. But you know, you need something to motivate you because you need to feel alive, Graham.
GRAHAM CLULEY
Yes. Alive. Oh, that would be wonderful.
CAROLE THERIAULT
So what do you do? You could try and save the world from the Zika virus à la Microsoft guy Bill Gates.
GRAHAM CLULEY
Thank you, Bill.
CAROLE THERIAULT
Yes, thank you, Bill. You put up with a lot of grief trying to do that. Put a car in space and play high-ranking bureau twat. Sorry, bureau quat.
GRAHAM CLULEY
Bureau quat.
CAROLE THERIAULT
Bureau quat.
GRAHAM CLULEY
There we are. We got there.
CAROLE THERIAULT
Or perhaps you do what Johnson did 4 years ago when he launched his anti-aging effort that he refers to as Project Blueprint.

And this is where the term I've been bandying around, biohacker, comes in. Okay? It seems to refer to extreme anti-aging practices.

I don't think eating 5 a day or drinking just on the weekend would get you anywhere near the label biohacker, right? It's a little bit more extreme.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
A few things about Johnson and his Project Blueprint. It's backed by an annual budget of $2 million dedicated to turning back his biological clock.
GRAHAM CLULEY
Oh, just specifically his?
CAROLE THERIAULT
Yep. Oh, yeah. It's all about him. He's kind of his very own lab rat.
GRAHAM CLULEY
Right. Okay. Right.
CAROLE THERIAULT
Johnson says he follows a strict dietary and lifestyle regimen, right, in pursuit of life extension. So things like after he wakes, he does audio and hair therapy.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Before taking 50-odd pills with an energy drink he calls the Green Giant.
GRAHAM CLULEY
Right. Okay.
CAROLE THERIAULT
He's received plasma infusions from his 17-year-old son. All in the name of trying to achieve more youth.
GRAHAM CLULEY
Oh, lucky son.
CAROLE THERIAULT
He has posted something titled How I'm De-Aging My Penis, in which he points out ways to improve nighttime erections and reveals how he measures penis health.

Among the list were semen analyzations and ultrasound-based blood flow testing.

And he then claimed that Botox and shock therapy lowered his nighttime erection biological age to around 20.
GRAHAM CLULEY
Does he use Botox to make it less wrinkly? Is that how he de-ages it?
CAROLE THERIAULT
Well, maybe because he says his nighttime erections, the length of the Titanic, and his boners clock in at 3 hours and 14 minutes. Let's just pause to consider that.
GRAHAM CLULEY
Does that mean it's unsinkable?
CAROLE THERIAULT
At least while he's snoozing, it seems to be. On his very own YouTube channel, Johnson professes—
GRAHAM CLULEY
I don't want to see any of this on YouTube, Carole. No links in the show notes, I hope.
CAROLE THERIAULT
I'm just going to read a snippet of his about me because it's written in the third person. I don't know, do you do that? Do you write snippets as though you're a third party?
GRAHAM CLULEY
Not normally, but sometimes people will ask, you know, can you send us a bio of yourself or something?
CAROLE THERIAULT
So you don't just go, I'm Graham. Well, he does a similar thing. He goes through his Project Blueprint.

The 45, now 47, but at the time 45-year-old Johnson has achieved metabolic health equal to the top 1.5% of 18-year-olds.

Inflammation 66% lower than the average 10-year-old and reduced his speed of aging by the equivalent of 31 years. Now let's pause.

I'll say right now that Johnson's claims are not universally accepted.

It might be better to see him as a rich guy needing to do wacky shit in front of an audience and win at something. Maybe, maybe, I don't know.

Blueprint, I should mention, is also a company, one that sells health supplements, blood testing equipment, and other products tied to his personal diet and restrictions.

So he's also trying to, I guess, claw back some of that $2 million that he's put in to analyzing himself.
GRAHAM CLULEY
It sounds like he's spending an awfully large amount of his day working on this, so he might as well turn it into his career, I suppose.
CAROLE THERIAULT
Monetize it. Yeah, that's what he's doing. So to me, it all sounds a little bit bonkers, right?

And you would think that if he's as bonkers as he might seem, there would be people that have worked with him, people that have partied with him at Brigham Young, his alma mater, people that dated him, that these people would be spilling some beans, right?

Is there perhaps a different version of the truth than the one Johnson is peddling? But I just couldn't find much dissent, unless there's nothing to hide.
GRAHAM CLULEY
Unless he has no friends at all, of course.
CAROLE THERIAULT
Sure, and he does nothing with nobody. He said he's a hermit, right? But what if I told you that Johnson, since 2020, has found a way to play master controller of the narrative?

How would one do that, do you think? How would you be master controller of your narrative?
GRAHAM CLULEY
A big legal team.
CAROLE THERIAULT
Yeah, confidentiality agreements, right? So basically, it seems he wanted his online persona and private one to be very separate indeed.

No need for his 4 million-odd subscribers on his social channels to know that he dropped acid with a date. But how to ensure that?

Well, whip out an NDA for her to sign before you drop the stuff.

No need for his people to know that he dumped his fiancée and fired her from one of his startups when he found out that she had stage 3 breast cancer.

It's not going to look good with his whole business, is it, really?
GRAHAM CLULEY
Allegedly, allegedly, allegedly, allegedly, allegedly. Can we— sounds like he's got a lot of money to sue people, Carole Theriault. Let's just remember that, shall we?
CAROLE THERIAULT
But I'm more interested in his work ethic. You see, a Blueprint employment agreement with confidentiality terms at his company was 20 pages long, listing dozens of restrictions.

Some had to sign up to 3 separate agreements. And this is a company of about 30 employees.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
Now, this is all according to The New York Times.

One was a rather unusual opt-in agreement, which is not a confidentiality contract, but does aim to protect the company from things like lawsuits.

And so this was sent to employees by email with instructions to sign as normal. Allegedly, allegedly. So under this agreement, employees had to attest that they were okay with Mr. Johnson wearing little and sometimes no clothing. Oh, no underwear.

They also had to agree that his behavior was not unwelcome, offensive, humiliating, hostile, triggering, unprofessional, or abusive.

They also had to attest that they were okay with hearing discussions of sexual activities, including erections. Now we know from earlier that big boners are a big deal in his world.

And it was sent to them under the guise of here's just another thing you got to sign. So imagine having to agree to that prior to said behaviors, sign this, now I'll fart on you.

You can't do anything.
GRAHAM CLULEY
Charming.
CAROLE THERIAULT
And it turns out that his practices, including asking people to volunteer in a study, and by volunteer, apparently got them to pay $2,000-odd for the honor rather than follow clinical practices where people are chosen at random.

60% of people apparently, according to secret filings that The New York Times saw, suffered at least one side effect.

And he released a documentary last year about his anti-aging venture where he claims that his age has reversed by 5.1 years.

But an internal range of studies on his health show his bioage had increased by as much as 10 years.
GRAHAM CLULEY
You can de-age yourself just by getting a haircut, can't you? I mean, 5 years, that sounds a bit feeble.
CAROLE THERIAULT
Yeah, I call it the blur function on Zoom.

But my point is this, my point is this: employees did not feel they could share the findings or the set of rules they had to live by because they had signed their rights away.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And this is while he walks around half naked barking orders about nudging his pill popping routine.
GRAHAM CLULEY
Allegedly.
CAROLE THERIAULT
Allegedly. Now, I wonder how many companies are pushing the boundaries with what they can include in the small print in the agreements.

Because as you say, people rarely read them, despite my many reminders over the years. So why wouldn't companies have a crack at it?

And it seems these types of clauses are meant to isolate the employees so they can't even talk with other employees or friends or family about what concerns them, what they're involved in at work, you know, what a sham the whole thing might be.

And I wanted your opinion on something.

So, would you advise people about to sign contracts to maybe try AI, like a general or maybe even legal-focused AI, to isolate sections that might be contentious?
GRAHAM CLULEY
Oh, I think you've got to be careful about that.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Ideally, you get someone knowledgeable to look at it. If you don't trust—
CAROLE THERIAULT
It costs a lot of wonga.
GRAHAM CLULEY
Yeah, well, if you don't have a friend who's got that kind of brain and you don't feel that you can do it yourself, then you're right. It could cost you a lot of money, couldn't it?

But the problem with sharing these things with the AI sometimes is both the AI may not be reliable, but also that you're sharing potentially confidential information with a large language model, which may learn things from it and spit them out again later.

So I'd be nervous of it, frankly.

I was having some conversations over the last week or so with people in my normal, non-tech life, and it's staggering how many people are using AI for everything in day-to-day life now.
CAROLE THERIAULT
So Johnson might be feeling the wobble right now because it sounds like it might be perhaps, perhaps, allegedly, allegedly a house of cards.

And there seems to be a bit of internal whistleblowing going on that's gaining momentum. The guy also just announced his own religion, though. It's called Don't Die.

Says it'll save the human race, which, you know.
GRAHAM CLULEY
Well, yeah, probably would, wouldn't it?
CAROLE THERIAULT
Might be in the name.
GRAHAM CLULEY
Yeah. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
CAROLE THERIAULT
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY
You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
CAROLE THERIAULT
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.

Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security.

Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
GRAHAM CLULEY
Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
CAROLE THERIAULT
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control.

It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
GRAHAM CLULEY
So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, Carole, my Pick of the Week this week is not security-related.

My Pick of the Week this week is, well, I wonder if you remember a while back I recommended an e-reader that I'd bought, the Kobo Clara BW e-reader.
CAROLE THERIAULT
Oh!
GRAHAM CLULEY
For reading ebooks.
CAROLE THERIAULT
I know someone who's looking to potentially upgrade their Kobo, and I know nothing about them. So I forgot about that completely that you mentioned that.
GRAHAM CLULEY
Ah, yes. So I'm very happy with it. It's like a Kindle, but it's not tied to Amazon. It comes from another company and isn't stuck with them.

And I think you mentioned, Carole, that your mum has a Kobo e-reader as well, but she found the user interface a bit of a challenge.
CAROLE THERIAULT
Or it might have been me finding it really difficult to use as well.
GRAHAM CLULEY
Well, I was interested in how I could tweak the Kobo to do some extra stuff, and I stumbled across a piece of open-source software that I could install on it, and you can install on a Kindle as well.

So it doesn't just work on Kobos, it also works on Kindle, and it is called KOReader, or KOReader with a K. And essentially it makes your e-reader more capable.

So it handles more ebook formats. You can tweak the user interface in a gazillion different ways to be exactly what you like. The pages turn faster.

There's things which you don't like, you can turn off all of these extra things. It's a completely new user interface.

It isn't just tweaking the existing user interface on your e-reader. It's giving you a whole new user interface.
CAROLE THERIAULT
Yeah. Can I ask a question?
GRAHAM CLULEY
Yeah, sure.
CAROLE THERIAULT
My experience with the Kobo and trying to get someone hooked up to their library with it, because I was talking about it on the show, was using OverDrive, I think it was called.
GRAHAM CLULEY
That's right. OverDrive. Yes.
CAROLE THERIAULT
Is that the only way you can do it? Because that was really difficult. It's a bit clunky, the experience I had with it, trying to install it.
GRAHAM CLULEY
It's much more flexible with KOReader in my experience.
CAROLE THERIAULT
Oh, interesting.
GRAHAM CLULEY
You can just plug your e-reader into your computer and copy over books to then read them on your e-reader.

If you have a piece of software called Calibre, which is another freely available piece of software, and set it up correctly, you can even do this wirelessly as well.

So just updating a directory on your computer will automatically update your e-reader as well. Anyway, my experience has been great.

I've been tinkering with my fonts, I've been installing my own, I've been changing the user interface, I've been more easily sideloading books, and it's been great.

And I've been most recently reading on my e-reader a book called Killing Thatcher by Guardian reporter Rory Carroll.

It's a really gripping book about the 1984 bombing by the Provisional IRA of the Grand Hotel in Brighton, where Margaret Thatcher and the British cabinet were staying for a party conference.

Really interesting book.

Talks about the resurgence of the IRA during the '70s, the assassination of Lord Mountbatten, as well as, of course, the background to the Brighton bombing, as well as its aftermath.

So I would recommend that book as well. But my pick of the week is KOReader, and I hope you find it useful. Cool, Carole, what's your pick of the week?
CAROLE THERIAULT
I have a book as my pick of the week.
GRAHAM CLULEY
Super.
CAROLE THERIAULT
A noble work called The Urge: Our History of Addiction by Carl Erik Fisher, and it was published a few years ago, in 2022.

It was named best book of the year by The New Yorker and The Boston Globe. So I dove in without much context. But the author is an addiction psychiatrist and also an addict.

And wanting to learn more about his own addiction, he turned to learning about addiction's history and the century-old struggle to manage and treat addictive behaviors.

It took him a decade to pull this book together. And it's so good because it's woven between snippets of his own personal dealings with his demons that almost destroy him.

He also then looks at conditions and treatments over the decades, some that produced relief, sometimes shamed people, and sometimes made things much, much worse.

Sometimes did all three. So anyway, it's a great work. It's written with heart, compassion, commitment, and worth a look if you or someone you love struggles with addiction.

That's The Urge: Our History of Addiction by Carl Erik Fisher. That is my pick of the week.
GRAHAM CLULEY
Terrific. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't have us.

And don't forget to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And thank you to our episode sponsors, 1Password and Vanta, and to our wonderful Patreon community. It's their support that helps us give you this show for free.

For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 413 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye. Graham?
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
Do you see in the notes I put a picture of Mr. Johnson? Do you see his little pic there?
GRAHAM CLULEY
I think he looks better before.

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
