A gallery is tricked into giving millions to a fraudster, software tells doctors to push opioids onto patients, and an artist finds a novel way to trick Google Maps into thinking there's a traffic jam.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who ended up recording without a guest this week.
Visit https://www.smashingsecurity.com/164 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Castbox, Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Fraudsters Posing as Art Dealer Got Gallery to Pay Millions — Bloomberg.
- ‘Hampstead Heath, Harrow in the Distance’, John Constable, David Lucas, published 1855 — Tate.
- Electronic Health Records Vendor to Pay $145 Million to Resolve Criminal and Civil Investigations — Department of Justice.
- In secret deal with drugmaker, health-records tool pushed opioids — Los Angeles Times.
- Practice Management Software — Practice Fusion.
- Opioid epidemic in the United States — Wikipedia.
- Exclusive: OxyContin maker Purdue is 'Pharma Co X' in U.S. opioid kickback probe - sources — Reuters.
- Smashing Security 122: The big fat con at Office Depot.
- Google Maps hacks — Simon Weckert.
- Google Maps Hacks by Simon Weckert — YouTube.
- Telling Lies launch trailer — YouTube.
- Telling Lies — iOS App Store.
- Telling Lies — Steam.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. It's just, it's just a waste of time.
GRAHAM CLULEY. What, this podcast?
CAROLE THERIAULT. No, well, maybe.
ROBOT. Smashing Security, episode 164: A Bitter Pill to Swallow with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 164. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole. You're back from the Canadian tundras.
CAROLE THERIAULT. That's excellent to see. I am. I'm getting less and less jet-lagged, but yeah, I was there for a month, so it has its impacts, doesn't it?
GRAHAM CLULEY. Oh, yeah.
CAROLE THERIAULT. I miss the snow already, though. Can I say? Do you? Yeah.
GRAHAM CLULEY. Well, it's pretty, but it's— I don't know if you noticed, it's also cold and slushy.
CAROLE THERIAULT. Yeah, it's good for the body, though, doing good old shoveling.
GRAHAM CLULEY. Well, oh, I see. I thought you meant you were rolling around in it.
CAROLE THERIAULT. I'm ripped.
GRAHAM CLULEY. Oh, are you?
CAROLE THERIAULT. Now we don't have a guest today.
GRAHAM CLULEY. We don't.
CAROLE THERIAULT. Well, we did have a guest, but we had some technical issues.
GRAHAM CLULEY. Bloody technical issues.
CAROLE THERIAULT. So we will reschedule her. There's a hint.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. But you're gonna have to just put up with the two of us this week.
GRAHAM CLULEY. Ah, our podcast would be so much easier if there was no technology involved, wouldn't it?
CAROLE THERIAULT. Yeah, yeah, well, it wouldn't be possible, nor if we had more time, if we didn't stick to our schedules so closely.
GRAHAM CLULEY. So rigidly.
CAROLE THERIAULT. So rigidly. We're such professionals. Yes.
GRAHAM CLULEY. We are professionals. And talking of which, what's coming up on the show this week, Carole?
CAROLE THERIAULT. Well, first, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now, Graham tries to show his more cultured side and shares the deets on an unusual art heist. And I gab about an innocent-looking, though not so innocent-acting medical patient software. Just you wait. All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chum chum.
CAROLE THERIAULT. I like it, like it.
GRAHAM CLULEY. We aren't just security experts, are we?
CAROLE THERIAULT. No, God no.
GRAHAM CLULEY. Well, no, I mean, I don't know about you.
CAROLE THERIAULT. I mean, we are, you know, we are experts, but we also have other things.
GRAHAM CLULEY. We've got a podcast, therefore we must be experts, right? I mean, I consider myself also something of a bon vivant, a gourmand, a national treasure.
CAROLE THERIAULT. Treasure, you just like food.
GRAHAM CLULEY. Carole, I've seen your feet, you must be a body part model. And of course you're an artist now, aren't you? How's the art going? All the painting and things like that?
CAROLE THERIAULT. Yeah, you know, I have an art show coming up again.
GRAHAM CLULEY. Do you?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Oxford Art Weeks?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. You participate in that again? Oh, marvellous.
CAROLE THERIAULT. Okay. Yeah. So I've got to get ready.
GRAHAM CLULEY. Well, as an appreciator of art, I'm sure you appreciate the works of John Constable.
CAROLE THERIAULT. Well, yes. He's a hero. Beautiful, beautiful skies.
GRAHAM CLULEY. One of England's greatest painters, famous for his landscapes, of course, the Suffolk countryside. In the first half of the 19th century.
CAROLE THERIAULT. See, you don't like landscapes though.
GRAHAM CLULEY. Well, I prefer people in my pictures, I think. I know I'm sort of, you know, quite like that sort of thing. But you come from Canada where there are no people. There's just acres and acres of land.
CAROLE THERIAULT. Yeah, I like a good old landscape.
GRAHAM CLULEY. Well, word reaches us that hackers have managed to trick a Dutch art museum into paying them £2.4 million, which is about—
CAROLE THERIAULT. Ooh, that's gotta hurt a museum.
GRAHAM CLULEY. Yeah, about $12.50, I suppose, for our US friends. For a John Constable painting.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. So would you like to hear the story, Carole, of how all this happened?
CAROLE THERIAULT. Yeah, yeah.
GRAHAM CLULEY. Of course you would.
CAROLE THERIAULT. I'm sitting back. I'm sitting back. I've got my coffee in hand. Let's go.
GRAHAM CLULEY. Well, the story starts like this. In March 2019, the director of— I'm going to have to take a run-up at this. The director of the Rijksmuseum Twenthe Art Museum in Enschede in the Netherlands.
CAROLE THERIAULT. I love how you put an accent on, just to give it a bit more authenticity.
GRAHAM CLULEY. The director popped in along to the European Fine Art Fair to check out the pictures. Went, "Oh, that's nice. Oh, that's lovely." All the great artists were represented. Turner, Constable, Thériault, they were all there. But the picture which caught his eye was Constable's 1855 painting. I'm sure you know it. A View of Hampstead Heath.
CAROLE THERIAULT. Oh, I don't. I couldn't recall it in my head like that. No.
GRAHAM CLULEY. Oh, right. Well, I'll tell you which one it is. In fact, what I've done is I've just put it in the document which we shared, and I'll also link to it in the show notes. Now, I'm not sure it's that amazing. This view from Hampstead Heath.
CAROLE THERIAULT. But you're not looking at a finished painting here. The one you put in the document is just like the study. It's just what's called a grisaille.
GRAHAM CLULEY. Is it?
CAROLE THERIAULT. Yeah. So it's just a tonal sketch of the landscape in one color. So you can kind of go, this is where the light's going to hit. This is how the composition of the painting is going to work. So it's kind of like a study.
GRAHAM CLULEY. Oh, I thought he hadn't colored it in. Okay. So I've made a mistake. Well, anyway, the director of this Dutch museum, he saw this and he thought, "Oh, I'd love to stick that up on my wall. I think that looked marvellous." And so he began negotiating with a London art dealer called Simon Dickinson to buy the Constable painting.
CAROLE THERIAULT. Okay, so this would be like you falling in love with one of my paintings, and you call up your local art dealer, your Yeah. You call your local art dealer and say, Richard, Richard, call Carole, and I want this painting on my wall. I want to look at it every day. Yes, exactly. Okay, gotcha. Exactly.
GRAHAM CLULEY. So this art dealer was saying, oh yes, we should do this.
CAROLE THERIAULT. Fair enough. I imagine that's how it works.
GRAHAM CLULEY. And the negotiations began. You can imagine that, oh, there's a bit of haggling, bit of to and fro. It's like, oh, will you include the little bit of string to hang it up on the wall? Can you give me a rusty nail?
CAROLE THERIAULT. Well, he is a director of a museum. Presumably he's got a few of those things in the back room.
GRAHAM CLULEY. I'm going to take off some of the price because it isn't coloured in. That kind of thing, right?
CAROLE THERIAULT. I've got to buy a few more paintings this year. Yeah.
GRAHAM CLULEY. Well, these things take time. There's a lot of haggling going on. But then, aha, a breakthrough occurred, right? And the price was agreed. £2.4 million, or $3.1 million. Mm-hmm. And Dickinson, the London art dealer, delivered the precious painting, the masterpiece, to the Dutch museum.
CAROLE THERIAULT. Okay, so they agreed. They agreed the price. They agreed everything. They did a digital handshake.
GRAHAM CLULEY. Well, I don't know about that. They agreed. You know, I don't know how it works with the old funny handshakes. But yeah, the painting has arrived. Marvellous. Everything's good, right? Everything's good.
CAROLE THERIAULT. Well, okay. And he's got his money?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Okay. Was the museum up to some nothing no good, or what happened?
GRAHAM CLULEY. Well, no, the museum weren't the scammers.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. So the price had been agreed, right, in the email, and the money had been transferred. And in the email it said, you know, transfer the money for payment of the painting into a Hong Kong bank account. And the museum, sure enough, funnelled the money over to Hong Kong.
CAROLE THERIAULT. Oh, okay. Was that— I guess that was agreed?
GRAHAM CLULEY. Well, it was agreed in the email, and the museum thought it was the art dealer in London who was telling them the banking details. But of course, kaboom! Yeah. It was disastrous.
CAROLE THERIAULT. You see, I kind of feel a bit like I would've got someone on the phone. Suddenly it was a different bank account and I had to use the IBAN number for Hong Kong.
GRAHAM CLULEY. Right. So you would've asked—
CAROLE THERIAULT. Unless I thought he was in Hong Kong or she was in Hong Kong who I was dealing with.
GRAHAM CLULEY. I suppose that's possible as well. So if you'd been in the museum, you would've asked the person emailing you, you wouldn't know that it was a hacker.
CAROLE THERIAULT. No, no, I'm assuming we made a relationship.
GRAHAM CLULEY. Can you say, "Give me the phone number." We're talking 2.4 million, right?
CAROLE THERIAULT. And I know we've talked and he says, "Yes, of course I'm in Brussels." I am based, right? Or wherever. There would have been some information passed on. However, that does not mean that the person who's actually paying from the museum— I imagine, you know, it could be someone else who wasn't involved in the negotiation, so just paid it.
GRAHAM CLULEY. Oh, I think it was the museum who were buying.
CAROLE THERIAULT. No, I know, but it may be two people, two different cogs, right?
GRAHAM CLULEY. Oh, I see. So the person—
CAROLE THERIAULT. the finance department versus the purchasing department.
GRAHAM CLULEY. Okay, yes, that's, that's always possible. Anyway, this has now ended up in court because, as you correctly surmised, it was a hacker who had intercepted the conversation between the art dealer and the museum, jumped in on the negotiation, posing as the dealer, and given those phony bank details for the money to be put into. And it's not the hacker who's shown up in court. They're nowhere to be seen. No one knows who they are. Instead, it is the museum which is trying to sue the art dealer.
CAROLE THERIAULT. The one who provided the painting?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. The one who's out $240 million, or $204 million.
GRAHAM CLULEY. Yes, exactly. So the museum, which paid the money to the wrong people, is blaming the art dealer, saying that the art dealer should have noticed that the fraud was taking place because they'd been copied on the email thread, even though the bank account had been changed to Hong Kong. And the lawyers for the museum actually say that the art dealer, by saying nothing, said everything. So they should have spotted what was going on and went, oi, oi, oi, yoy. Those aren't our bank details. What's going on here?
CAROLE THERIAULT. Do you know what's depressing about getting older in life? What? It's just how many shysty moves there are. Like, why wouldn't they just both go, "Okay, we screwed up. Let's, you know, I don't know, tear the painting in half. Let's split the diff." Tear the paint—
GRAHAM CLULEY. This isn't a Banksy which gets shredded. Do you remember when that painting by Banksy got shredded?
CAROLE THERIAULT. They could do 6 months, 6 months.
GRAHAM CLULEY. Oh, just sort of have co-ownership. Co-ownership. No, no, Kroll, that's rubbish because the art dealer owned the painting, right? Now they only own half the painting and they've received none of the money.
CAROLE THERIAULT. No, no, no, and I think they should split the money as well. They should split the money. I think the museum should pay him 1.2, half the money.
GRAHAM CLULEY. For 6 months of the year?
CAROLE THERIAULT. No, just pay half, and then they both have equal loss and equal gain.
GRAHAM CLULEY. Okay, okay, look, sorry.
CAROLE THERIAULT. See, I can sort this.
GRAHAM CLULEY. This isn't like some sort of divorce settlement where you're getting visiting rights at the weekend. No, because the art dealer owned the painting outright. Maybe they want to sell it to someone else who would offer 2.4 million rather than getting 1.2 million, and they'll never be able to sell the other half.
CAROLE THERIAULT. I understand.
GRAHAM CLULEY. Who's gonna want to buy the other half of the painting?
CAROLE THERIAULT. I understand, okay? It's not an ideal situation. However, it is what it is. And really the actual problem, the actual person who should be getting the finger is this mysterious hacker. If they pooled their resources, maybe go after them.
GRAHAM CLULEY. Well, interestingly, both the art dealer and the museum are blaming each other for the hack. Yeah.
CAROLE THERIAULT. Well, that's kind of stupid.
GRAHAM CLULEY. 'Well, it wasn't us who had our email hacked. It must have been you.' So this has gone to the courts now. The courts are going to have to decide.
CAROLE THERIAULT. They're always going to get that rich off it.
GRAHAM CLULEY. Well done, guys. No doubt. Clearly, the museum would have been wise to have independently verified the legitimacy of the bank account they're chucking money into. But they argue that the art dealer as well should have been a little bit more vigilant. So—
CAROLE THERIAULT. It's just a waste of time.
GRAHAM CLULEY. What, this podcast? No, well, maybe.
CAROLE THERIAULT. No, no, but my story is about people. This situation, okay, so here, the problem here is two innocent parties that were trying to make a deal got screwed.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Right? And now they're blaming each other for getting screwed as opposed to just saying, "Okay, there's a bit of egg on both our faces here, but really it's because we got targeted." And like, what? So whoever is found to have the malware or the issue is going to be the one that has to suck it up? Is that the idea?
GRAHAM CLULEY. I don't know. I don't feel that that necessarily means you're 100% to blame.
CAROLE THERIAULT. No.
GRAHAM CLULEY. If you're the one to be— it's some very wise old judge is going to decide this, right? Yeah. Is it a computer program? That's not in a Dutch accent, obviously.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Which is probably a blessing for all of us. So what kind of advice can we offer people who might find themselves in a similar situation? Double-check and check via a different method. Don't use email. If you've been chatting to them via email so far, call them on the phone or maybe find some software where you can have, what are they called? Sort of digital meeting, these sort of safe rooms, aren't they? Safe online rooms for having—
CAROLE THERIAULT. Exactly. Virtual safe rooms. These are places where companies can go or individuals can go in order to negotiate a deal with high stakes, in a way that they can be guaranteed nothing leaves the room, right? All the paperwork, everything is in a closed setting. So it means no one can infiltrate. So when you're talking this kind of money, it's kind of a good idea to look into these virtual safe rooms.
GRAHAM CLULEY. Mm. And all the communication's gonna be properly encrypted, and you can have lots of security in place to prevent unauthorized people getting an earwig into the room and hearing what's going on. Well, Carole, if only they were as wise as you. And talented, perhaps. Krow, what's your story for us this week?
CAROLE THERIAULT. Okay, do you remember when you hurt your cooter? It was like years and years ago.
GRAHAM CLULEY. Are we really?
CAROLE THERIAULT. Or maybe it was your— maybe— anyway, you've had a number— we've known each other a long time. And you've had a number of instances where you've had really bad pain. I think there was one called beaver fever at one point.
GRAHAM CLULEY. That wasn't a problem with my beaver. Let's stress that.
CAROLE THERIAULT. Close your eyes and take yourself back to whichever one hurt the most. Okay.
GRAHAM CLULEY. It's yes.
CAROLE THERIAULT. Okay. Now, what do you do? What do you do in that situation? You're like, ow, ow, ow.
GRAHAM CLULEY. Oh, it's easy. I'm a man. So what I will do is I will complain about it a lot, but I won't actually go to the doctor.
CAROLE THERIAULT. I thought in your case you had quite a fetching doctor. So you'd be dashing off.
GRAHAM CLULEY. I did eventually go and see— I won't mention her name, but I did go— she no longer works there for reasons which may become apparent. I did go and see my doctor, and she wanted to examine me.
CAROLE THERIAULT. Right, okay, let's leave it to everyone's imagination, shall we? So, okay, so she's examining you. I want you to, you know, she's examining you. Don't worry, this is not going to get too personal, right? But as she's examining you, she's probably filling in an online patient record, right? She's saying, 'Graham Cluley's come in.' 'Yeah, hurt his little guy. I'm here to help,' whatever, right?
GRAHAM CLULEY. Right. She's entering this on a computer.
CAROLE THERIAULT. Yeah, right. And she's— well, Graham, it is 2020. They're not doing it longhand.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And one of the questions she probably asked you is, 'Can you rate your pain, Graham?' Right? 'How do you rate your pain on a level from 1 to 10?' Yes.
GRAHAM CLULEY. Well, I'm a bit Spinal Tap, so I normally try and go up to 11 or something like that.
CAROLE THERIAULT. Yeah, with all your complaining and whining. So okay, imagine your doctor puts that into the system and bish bash bosh, at the end of the examination, she, she goes, okay, well, thank you very much. Here are some painkillers. I think you should take them to deal with your pain, your penile pain, right? And you would trust this recommendation because you like your doctor. And she's advising that you take the pills. Yes. And the doctor, and effectively you, is trusting that the software is literally not trying to influence you and do anything that none of you are aware of.
GRAHAM CLULEY. So she's got a piece of software on her computer which has made the recommendation or something. She's not just Googling the symptoms because I can do that at home quite successfully. She's—
CAROLE THERIAULT. Okay, sit down. Listen.
GRAHAM CLULEY. That's what she said.
CAROLE THERIAULT. So meet Practice Fusion. This is a San Francisco medical startup. Okay. And according to its own website, Practice Fusion streamlines the running of a typical healthcare practice. And it does this by providing a cloud-based electronic health record system.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And you may remember that my first job was working at a medical office, a kind of place that— a practice, a medical practice, the kind of place that this software would be perfect for.
GRAHAM CLULEY. Yeah, you were working for your dad, weren't you?
CAROLE THERIAULT. Right. But I was working pre— I was working at, you know, when paper was moving to computer.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So we still had paper files. And I actually got fired from that job by my dad.
GRAHAM CLULEY. Your dad, your own dad fired you from the job?
CAROLE THERIAULT. My own dad fired me from the job because I did something really awful. I didn't do it on purpose, but I lost a patient file and the guy went to hospital. The guy went to hospital and they couldn't find his file because I'd accidentally tucked it into someone else's file by accident when I was putting it away. Anyway, trauma trauma.
GRAHAM CLULEY. Did they chop off the wrong leg or something? What happened as a result of this? Do you know?
CAROLE THERIAULT. I got fired.
GRAHAM CLULEY. Yeah, that's the most important thing. That's the most important thing.
CAROLE THERIAULT. So back to Practice Fusion. Okay, so its website says it's super popular, 4 million patient visits per month, 80 million patient records, yada, yada, yada. We're number one. And the software is apparently used by tens of thousands of doctors' offices across the US of A. So presumably should be all tickety-boo.
GRAHAM CLULEY. Oh yes, I'm sure that's why you're mentioning it on the show. Yes, yes, wonderful.
CAROLE THERIAULT. So yes, this software had this electronic health record system. So this is where all your information was being inputted by, you know, said doctor or health practitioner.
GRAHAM CLULEY. It's going to be a data breach, isn't it?
CAROLE THERIAULT. And occasionally, a pop-up window would show up with a question asking about a patient's pain level. And in your situation, you would say, oh, you know, I'm a 12, right? And I said, no, Graham, could you please take this seriously? Right? And you would say whatever number you'd say. The software, this dropdown menu, would then provide a list of treatment options, including perhaps a prescription for, say, oxycodone or another opioid.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Now this is how it worked. This is what makes it all a little bit icky. This tool existed thanks to a secret deal. This is all according to a Bloomberg article in the LA Times I read. So it turns out that Practice Fusion was paid by a major opioid manufacturer, Pharma Co X, let's call them that for this moment because they're unnamed. So this major opioid manufacturer paid Practice Fusion money in order to kind of boost prescriptions of addictive pain pills.
GRAHAM CLULEY. Oh, crumbs.
CAROLE THERIAULT. Yeah. And this went on for 3 years between 2016 and 2019.
GRAHAM CLULEY. And so the software is telling the doctor to prescribe, you know, these addictive pills?
CAROLE THERIAULT. So it would just show up. It wouldn't show up on everyone's system. So let's say, so sometimes with some patients, suddenly this pop-up would show up. And the pop-up would ask about pain level. And it was targeting, it was targeting patients that weren't currently taking opioids. And patients that were maybe on medicines that were less profitable for the company.
GRAHAM CLULEY. Oh my goodness. So they're basically recruiting.
CAROLE THERIAULT. They're upselling. They're upselling people to an addictive drug. So it's like it's back to the '40s with the cigarettes.
GRAHAM CLULEY. This is horrific.
CAROLE THERIAULT. Yeah. And the doctors didn't know this, right? So you'd go, you'd toddle off to your local medical center and your doctor would go, oh, you know, hey, you have a headache. Well, I think maybe, oh, you should maybe, pain pill does this. Okay, maybe you should try some oxycodone to deal with that.
GRAHAM CLULEY. My goodness.
CAROLE THERIAULT. They've now been hit. The DOJ did a big investigation and the DOJ alleges that Practice Fusion took financial kickbacks from drug companies and let the drug makers draft the language in the so-called clinical decision support alerts, which we're talking about. These are these pop-ups that were presented to doctors. So they were able to massage the wording and decide on what the levels would be and what would be presented as possible options.
GRAHAM CLULEY. I'm slightly speechless, Carole, which is no good for a podcast at all.
CAROLE THERIAULT. Don't worry, I've got lots more to say. Maybe it's a big improvement. Finally. Okay, so listen to this. So employees inside, okay, the drug company said that they bolstered opioid sales by as much as $11.3 million through this partnership. So in the contract, the drugmaker paid Practice Fusion almost $1 million for the opportunity to present their drugs to patients in this way.
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. So I'm researching the story, right? And what I'm annoyed about is who is this drug company?
GRAHAM CLULEY. Oh, because we don't know.
CAROLE THERIAULT. I wasn't alone though.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Because Reuters figured it out. Okay. So despite it being redacted from the government documents, and if you want to read about this, I've got it, you know, as you know, I do a ton of research. So there's a ton of links inside the, you know, the Smashing Security webpage. You want to read more about this. So Reuters published that the oxycodone maker in bed with Practice Fusion was none other than Purdue Pharma.
GRAHAM CLULEY. Purdue Pharma.
CAROLE THERIAULT. Now, Purdue was not criminally charged in this case or accused of any wrongdoing. In fact, there's been no determination of liability on civil claims. Like, so I don't know, I was thinking about this, right? So say your doctor had done this and you'd read about this and you might think, God, I was on oxycodone for my head. Yeah, yeah. Which, you know, you might in some instances want to sue that medical practice. And what the medical practice would then probably, you know, like there has to be a route.
GRAHAM CLULEY. They'd sue up the chain, wouldn't they? I mean, that's how it works in America, isn't it? Everybody sues everybody.
CAROLE THERIAULT. Practice Fusion have agreed to pay 145 million squids to resolve this. And this is to basically pay for any criminal, like pay the lawyers and play any civil investigations.
GRAHAM CLULEY. But golly, yeah. What a story. It reminds me a little of, do you remember back in episode 122 of Smashing Security?
CAROLE THERIAULT. Oh yes, of course I remember that episode.
GRAHAM CLULEY. Well, I've just looked it up. That's why I remember. Office Depot. They were fined millions because they tricked customers into thinking their computers were infected with malware. Because what would happen is you'd take your computer into Office Depot and they say, oh, we'll check to see why your computer's running slow, why you're having crashes. They'd run this piece of software which would falsely claim it was infected by malware and then tell you you needed to buy a certain antivirus.
CAROLE THERIAULT. Oh yeah, yeah, yeah.
GRAHAM CLULEY. It was absolutely scandalous at the time. And they ended up having to settle with the FTC millions and millions and millions. Over those tricked consumers. But it's a little bit like that because although you genuinely did have the symptoms of some kind of illness or pain, the software is the thing which is telling you to take the wrong remedy or perhaps—
CAROLE THERIAULT. Well, no, it's the people that created it. It's both the drug maker and the people that created the software and the people that allowed the software in the practices. So they're obviously just buying an EDM. They're just buying an electronic patient record holder. They weren't even expecting these pop-ups. That wasn't, you know, they were just looking for place to hold data. But still, that's patient data. So thinking of the vetting they did, they obviously did no security testing. How clear are they that the data that they're holding on patients is actually secure? It just makes the whole thing feel a bit not as safe as one assumes.
GRAHAM CLULEY. This kind of thing really gets my goat. I don't think a financial penalty is enough. I think someone has to have their goolies cut off because of this.
CAROLE THERIAULT. If they have no goolies, what then? Well, you're planning to remove ovaries?
GRAHAM CLULEY. Oh, okay. Yeah, maybe I've gone too far.
CAROLE THERIAULT. As usual. Okay, I'm not gonna lie to you, passwords often are a pain in the you-know-where, but they don't always have to be. Take for instance LastPass's single sign-on feature. Now, single sign-on is very cool because it is integrated with more than 1,200 different applications, applications that your users need to do their jobs. And this simplifies accessing those applications, making it far more streamlined. Want to learn more? Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. And my Pick of the Week isn't really security related. It is instead, see what I like to do is I like to thread, I like to weave a theme through the podcast. It's very, this isn't some ramshackle shambolic recording, Carole. I've put genuine thought into this because I am now coming back to the topic of art, and specifically—
CAROLE THERIAULT. That's very good, Graham. I don't think I've ever heard you do this before.
GRAHAM CLULEY. Specifically, an artist called Simon Weckert, or maybe it's Simon Weckert, who is based in Berlin, which is in Germany, don't you know? And he did something rather extraordinary this week, and he produced a video, and you can read all about it on his webpage. We will link to those in the show notes. What he did was he generated a virtual traffic jam on Google Maps.
CAROLE THERIAULT. Okay. How? Explain.
GRAHAM CLULEY. Okay. So, do you know how Google Maps works regarding traffic?
CAROLE THERIAULT. Well, I'm assuming it's going, oh, there's a lot of people here. And we know that through their— we know that through their GPSs or their phones. Yeah, right.
GRAHAM CLULEY. Through their phones. Exactly. So, people are carrying phones running Google software, racing around in their motor cars. And Apple is able to identify where they are roughly, and it says, "Oh, there's an awful lot of them here, and they did look like they were in a car, and now they don't appear to be moving very fast," and et cetera, et cetera. So that's how Google is able to tell you this is a busy bit of road or this is a quiet bit of road, right?
CAROLE THERIAULT. Right, right.
GRAHAM CLULEY. Very clever. So what Simon Weckert did was he got a kid's little trolley, like a little wagon, right?
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Filled it up with 99 secondhand smartphones, and he walked around Berlin and just ambled along.
CAROLE THERIAULT. I love it. And then basically Google Maps was saying, "Oh, traffic jam, traffic jam, traffic jam." And Google Maps thought there was loads of traffic jams happening.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. It's very cute. However, I can see some serious problems here, actually.
GRAHAM CLULEY. Okay, go on.
CAROLE THERIAULT. Well, imagine if you were having a heart attack.
GRAHAM CLULEY. Oh, yes.
CAROLE THERIAULT. Right? And the ambulance is like, "Oh, shit." Well, yes, exactly. Yeah.
GRAHAM CLULEY. Because the ambulance might take a longer route.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I don't think he's planning to do this on a regular basis. I think he's proved his point. But yes, if other people wanted to do—
CAROLE THERIAULT. Or someone's being held at knifepoint and the cops can't get there.
GRAHAM CLULEY. Yes, exactly. Exactly. Or if you were transported— and I remember an old episode of Captain Scarlet where a very dangerous nuclear missile was being taken via some sort of vehicle through the streets of London for reasons which were best known to itself. But the bad guys— but the bad guys wanted to divert the course of this nuclear weapon to go the particular way that they wanted so that they could try and steal the weapon. So you could create a fake traffic jam and get them to move another way. Or if there's a very important person like, I don't know, a politician or something like that, and your security detail are trying to get you through the city, right, in an emergency, and they don't want to be ambushed by the bad guys, well, they might see a traffic jam in Google Maps and go, "Ooh!" Oh yeah, that's way more important than someone being held at knifepoint.
CAROLE THERIAULT. You're right.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. No, no, good point.
GRAHAM CLULEY. Anyway, I thought this was rather cunning and clever and also cute. And for me, that's what counts. And that is why it is my Pick of the Week.
CAROLE THERIAULT. Mm, yeah. Cute but dangerous. I think needs a bit more thought, I think.
GRAHAM CLULEY. Well, I'm not suggesting people do it. I just think it's interesting that it was done. Yeah, yeah.
CAROLE THERIAULT. But he's now done and proved a concept, hasn't he?
GRAHAM CLULEY. Oh, so you're saying he's a bad guy?
CAROLE THERIAULT. No, I'm not.
GRAHAM CLULEY. Okay, good. He's a fellow artist. You just don't like the competition.
CAROLE THERIAULT. That's right. That's right. Oh, no, no, I seriously, I'm looking for artist friends, actually. I'm looking to expand my artist friends. So unfortunately, Graham, you might get dumped. Okay, my pick of the week.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Okay, so my pick of the week. Do you remember last week we had Lisa Forte on the show?
GRAHAM CLULEY. I do.
CAROLE THERIAULT. And she was talking about Her Story, which is a game I play. And she mentioned also that they had a new one out, a new game called Telling Lies. And so I played it. And I can, I can attest it's pretty cool. So it's basically kind of called a desktop thriller. That's how one of the creators calls it. Okay, so you have to imagine you have 4 characters, right? And you only get one side of the conversation. You are basically an NSA person, right? And you come to a computer, you sit down, and you are now going through files.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And you are hearing snippets. Some of the files are 13 seconds, some of the files are 8 minutes long, and it's one side of the conversation. It's like a digital puzzle. You have to go and find the two bits of conversation that go together.
GRAHAM CLULEY. Oh, okay. So it's like if— so it's like maybe a telephone conversation, but you've got two different recordings, one from each end.
CAROLE THERIAULT. Exactly. That's exactly what it is, right? So if you and I were planning something really bad, a heist or something. Yeah, right. And you had my side of the conversation, but there'd also be these. All these moments where I wouldn't be talking, right. Because I'd be listening to you. Because you. Yeah, yeah, yeah. Yab, yab, yab. So. So. So sometimes you're. You're watching it, right? And you're. They're doing nothing. They're just looking at you. They're looking right in the camera as though you're speaking. And that can go on for minutes at a time. It's really bizarre. However, the story is fantastic. And slowly, slowly, as you start kind of dissecting all these different little audio clips and video clips, you can figure out what's going on. And what makes it great is the acting is super cool. Right? Acting is great. And the script is noticeably tight. And there's a number of different endings, a number of different things you can learn. So there's no one ending. And the one thing though, is I'm not really sure what the goal is. Like, I haven't figured that out yet.
GRAHAM CLULEY. That's more realistic. You don't necessarily know what you're investigating.
CAROLE THERIAULT. Yeah. So there's like a number of different story threads. I haven't finished it yet. But I'm still at this stage. I'm like, am I— I don't know how to conclude. And I think that you have to— I mean, I've actually built this baby obsession wall. My husband and I, he comes down with thread, you know, like, you've got an obsession wall and Blu Tack and a few 3M sticky Post-its. And they're all over our front room. But I don't think we're doing it seriously enough, because there's all kinds of little clues like timestamps and word clues. So I guess so one, you know, there's one conversation going on, and they'll say something, you'll be like, hey, they mentioned that before. And that's how you find your clips is by doing a word search. It's not like all the clips are in front of you. You have to kind of go, oh, I want to look for the word liar, for example, right? Or I'm going to look for the name Peter. And then clips where that's mentioned come up. Anyway, I've talked too much. It's really cool. Check it out. It does cost money, but it is, I think it was $7.
GRAHAM CLULEY. So you got the, what, the iPad version?
CAROLE THERIAULT. I got the iPhone one. I got it for the iPhone because I was traveling. But then what I ended up doing is we ended up doing it in our living room and I beamed it to the telly through the Apple TV. So we were playing together and we were 3 of us actually, and it was great fun.
GRAHAM CLULEY. I'm just checking out the website now. You can also buy it for Windows.
CAROLE THERIAULT. Yeah, and it's available on Steam.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. Anyway, I thought it was great fun and it's, it's something you can do on a Friday night with your other half, right? If you need to have something because it's, you know, you get pretty into it. Anyway, that's my pick of the week.
GRAHAM CLULEY. And it's called Telling Lies.
CAROLE THERIAULT. Telling Lies.
GRAHAM CLULEY. Excellent. Okay, I just want to repeat that because we had a listener say, can you always try and remember to tell us what the pick of the week was at the end of the pick of the week?
CAROLE THERIAULT. It's published by Annapurna Interactive, and it was published initially in August 2019. So it's not even a year old, still fairly nascent.
GRAHAM CLULEY. Well, sounds really cool, Carole.
CAROLE THERIAULT. Good. It is.
GRAHAM CLULEY. I think that just about wraps it up for this week. Um, if you'd like to follow us on Twitter, do it. Follow us on Twitter @SmashingSecurity, no G. Twitter allows to have a G. And you can also join us on Reddit in the Smashing Security Reddit. And don't forget, if you want to be sure never to miss another episode of Smashing Security, subscribe in your favorite podcast app, such as Castbox. Which is currently featuring Smashing Security. Hooray!
CAROLE THERIAULT. That is so cool. Thank you, Castbox. And a huge thanks to all of you for pointing your ears our way, supporting us on Patreon, and giving us— giving us wonderful reviews. Also, a big shout out to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com/lastpass for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye.
CAROLE THERIAULT. You think they missed the guest this week?
GRAHAM CLULEY. Well, she would have been a very good guest.
CAROLE THERIAULT. She'll come back. We'll explain what happened. It was, uh— we're not going to blame anyone. No, no, we're not blaming anyone. We're not going to—
GRAHAM CLULEY. Well, it's technology.
CAROLE THERIAULT. Your story.
GRAHAM CLULEY. Computer's fault.
CAROLE THERIAULT. Yeah. I don't want to get into it.
GRAHAM CLULEY. I blame Babbage. If he hadn't started all of this.
CAROLE THERIAULT. Nice, nice, nice.
GRAHAM CLULEY. Ada Lovelace as well.
CAROLE THERIAULT. Nice.