We take a look at why Peloton is being accused of ransomware-like behaviour, how one man lost $250,000 in a romance scam, and how a chap called Weiner has found himself in a political pickle.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Andrew Agnês.
Plus we have a featured interview with KnowBe4 expert Roger Grimes. Don't miss it!
Visit https://www.smashingsecurity.com/233 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guests: Andrew Agnês and Roger A Grimes.
Sponsored By:
- 1Password: Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company’s security, combat shadow IT, and help your employees stay both productive and secure, wherever they are.
- 1Password makes the secure thing to do the easiest thing to do.
- Instant control, effortless management. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise. Provision employees using trusted systems, respond quickly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security.
- Find out more and try 1Password free for 14 days at 1Password.com
- JumpCloud: JumpCloud’s Directory Platform makes it easier to solve today's IT challenges by unifying device and user management through a single pane of glass.
- With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy.
- Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organization move to a modern, secure hybrid work model.
- KnowBe4: Did you know that 91% of successful data breaches started with a spear phishing attack?
- Find out what percentage of your employees are at risk with KnowBe4's free phishing security test.
- Plus, see how you stack up against your peers with the new phishing industry benchmarks.
- Find out more at knowbe4.com/freetest
Links:
- CPSC Warns Consumers: Stop Using the Peloton Tread+ — CPSC
- Peloton Tread+ Treadmill Safety Incident — YouTube.
- Peloton Recalls Tread+ Treadmills After One Child Died and More than 70 Incidents Reported — CPSC.
- Peloton Recalls Tread Treadmills Due to Risk of Injury — CPSC.
- Tread Lock — Peloton support.
- Peloton Tread owners now forced into monthly subscription after recall — Bleeping Computer.
- Is Your Peloton Spinning Up Malware? — McAfee.
- A fake wedding, and a $250,000 scam — BBC News.
- Romance fraud advice — Action Fraud.
- OnlyFans, Twitter ban users for leaking politician's BDSM video — Bleeping Computer.
- Statement by Zack Weiner — Twitter.
- Anthony Weiner documentary trailer — YouTube.
- Blue — Joni Mitchell.
- Timekettle Voice Language Translator.
- Finders Keepers trailer — YouTube.
- Finders Keepers (2015 film) — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. I imagine there's a little backlash.
GRAHAM CLULEY. Do you think?
CAROLE THERIAULT. Do you think maybe a soupçon of backlash? Just what I'm thinking, a nuage of backlash.
ROBOT. Do you think possibly his PR agency said, 'Freak, we're not sure that's the right approach on this one.' Shut the fuck up is what I would say. Shut the fuck up, shut the fuck up. 233, Peloton Problems, Romance Regret, and Wiener Woe with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 233. My name's Graham Cluley.
CAROLE THERIAULT. I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined this week by a special guest, someone who's brand new to the show.
CAROLE THERIAULT. A newbie.
GRAHAM CLULEY. But someone who might be known to a small fraction of our audience. Tiny. Tiny. That part of the audience which listens to the Host Unknown podcast is Andy Agnês.
UNKNOWN. Hello, Andy.
ANDREW AGNÊS. Hey, hello, the sole founder of Host Unknown.
CAROLE THERIAULT. Welcome, Andy.
ANDREW AGNÊS. I'm feeling a bit lost here because obviously to everyone else that's listening, they've just heard a whole load of music playing in, whereas I didn't. It feels a bit raw. I feel a bit behind the scenes and I feel like I'm missing something.
CAROLE THERIAULT. Because on your show, you guys do the music live, don't you?
ANDREW AGNÊS. We do.
GRAHAM CLULEY. We've actually got a band in the room with you.
CAROLE THERIAULT. No, they literally, they press play during, and everyone has to be quiet. I was on the show recently and I spoke during one of the musics and I just heard one of the people going, "For fuck's sake," and then starting it again. So it's a different production quality, isn't it?
ANDREW AGNÊS. Different role.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Most definitely. But you recently won an award, is that right?
ANDREW AGNÊS. This is true. And I have to say thank you for the message that you sent us. We played it ourselves on our own show.
GRAHAM CLULEY. Don't remember sending you a message, to be honest.
CAROLE THERIAULT. I don't remember sending them a message either.
ANDREW AGNÊS. Oh, you listened to last week's show. It's on the Host Unknown podcast. You listen to that, you'll hear the message.
CAROLE THERIAULT. Should we go to the sponsors?
GRAHAM CLULEY. Yeah, probably.
CAROLE THERIAULT. Thanks to this week's sponsors: 1Password, KnowBe4, and JumpCloud. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Tread warily if you are thinking of buying a Peloton treadmill.
CAROLE THERIAULT. Oh, okay. And Andy, what about you?
ANDREW AGNÊS. I am going to be talking about the mother of all romance scams.
CAROLE THERIAULT. Uh, and I'm going to talk about Zack Weiner. His name is all we need. That's it. Plus, we have a featured interview with Roger Grimes of KnowBe4. It is a fantastic interview. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, we are all fitness freaks, aren't we?
ANDREW AGNÊS. I am, actually. A fitness burger in my mouth. Yeah.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. I don't know. A freak is— Okay, what do you mean by fitness freak? Can you just describe what that means?
GRAHAM CLULEY. You're an enthusiast, Carole. You do keep fit activities every day, don't you?
CAROLE THERIAULT. I'm an enthusiast, I think, because I'm not like a— I don't do marathons.
GRAHAM CLULEY. Yeah, but you have an exercise bike and you get on an exercise bike each day. I have an exercise bike.
ANDREW AGNÊS. Do you hang clothes on it?
CAROLE THERIAULT. I haul ass. No, I haul ass. You're right.
GRAHAM CLULEY. I haul ass.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Haul ass? I don't pull donkeys with it. No, I just go cycling. Andy, do you do anything at all?
ANDREW AGNÊS. Not that would qualify as exercise. I mean, I walk the dog occasionally.
GRAHAM CLULEY. Okay, alright.
ANDREW AGNÊS. But I don't need to pay a subscription to do that, you know?
CAROLE THERIAULT. Exactly. Oh my god, I'm so lucky.
GRAHAM CLULEY. I think you find you do, because if you have a pet dog, you're paying pet insurance, you're having to feed it, right?
CAROLE THERIAULT. Right, that's a subscription fee? Is that what you call it?
GRAHAM CLULEY. It is like a subscription fee, yes. Quite a lot of money involved.
CAROLE THERIAULT. Does your Peloton give you love back though?
GRAHAM CLULEY. I haven't got that attachment. But in April—
CAROLE THERIAULT. Grubby.
GRAHAM CLULEY. The Consumer Product Safety Commission, they told consumers to stop using the Peloton Tread+. So I have a Peloton Cycle.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. But some people have what's called the Tread+, which is that—
CAROLE THERIAULT. What is that?
GRAHAM CLULEY. It is their vastly expensive treadmill.
CAROLE THERIAULT. What do you mean vastly expensive?
GRAHAM CLULEY. Well, like $3,000 for a treadmill.
CAROLE THERIAULT. Okay, to go for a walk?
GRAHAM CLULEY. To go for a walk.
CAROLE THERIAULT. When there's ground outside.
GRAHAM CLULEY. But it comes with— but it comes with a TV screen as well.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. And so you can— you can watch someone sort of shouting at you to carry on walking, and you can team up with your buddies, and you can have races against them.
CAROLE THERIAULT. It's a kind of fetish, isn't it?
ANDREW AGNÊS. It's a cult.
CAROLE THERIAULT. Yeah. The people that are getting sexually repressed, this is how they get their kicks.
ANDREW AGNÊS. That person can see you as well. Is that right? So when you're on the Peloton bike, can the person see you?
GRAHAM CLULEY. Well, look, nobody turns that on. Yes, there is a webcam in the bike.
CAROLE THERIAULT. Is there?
GRAHAM CLULEY. There is. Mine is covered up with a little—
CAROLE THERIAULT. Wait.
GRAHAM CLULEY. A little dot, a sticky dot thing.
ANDREW AGNÊS. Oh, okay. Graham, you're showing brain out the side of your shorts.
GRAHAM CLULEY. Because— Why would anyone want to see anyone else? It just doesn't make any sense, right?
CAROLE THERIAULT. Because you're sweating away.
GRAHAM CLULEY. Yeah, yeah. So you could technically go, "Go on, Geoff!" You know?
CAROLE THERIAULT. What if you were having a heart attack or something? Wouldn't you want someone to see that?
GRAHAM CLULEY. Not really, Crow. No, I wouldn't.
ANDREW AGNÊS. Okay, very good.
GRAHAM CLULEY. It's not something I'm planning to stream live onto the internet, no.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Anyway, the Consumer Product Safety Commission, they told everyone, "Stop using your Peloton Tread," back in April because— There'd been a number of incidents where small children and pets had been injured beneath the Smart Treadmill. Yes.
CAROLE THERIAULT. What, like getting caught? Like—
ANDREW AGNÊS. It swallowed dogs, didn't it?
GRAHAM CLULEY. Okay, look, you guys are laughing. Someone died.
CAROLE THERIAULT. No, I'm not laughing.
GRAHAM CLULEY. You clearly are laughing. I can hear you laughing right now. It's not funny. There was one 6-year-old child which horrendously— In fact—
CAROLE THERIAULT. Are you kidding me?
GRAHAM CLULEY. No, I'm not. In fact, the Safety Commission, they have released a video on YouTube, and I thought, oh, I better go and check this out before talking about the story. When I went to this link on YouTube, YouTube actually said, can you enter your credit card details first to confirm you're over 18? They said, we're not gonna charge you, but this is pretty horrifying.
CAROLE THERIAULT. And did you?
GRAHAM CLULEY. Well, yeah, I did.
CAROLE THERIAULT. Oh, of course. 'Cause YouTube, they're so cool.
GRAHAM CLULEY. No, they have my credit card details already for other services I buy from.
CAROLE THERIAULT. Of course. Yeah. 'Cause they're a really joined up communication company and they all know, everyone knows everything. Yeah, you're right. Yeah.
GRAHAM CLULEY. Now, thankfully, this particular child in this video walked away, but it was pretty horrifying how this small child got sucked under the treadmill.
CAROLE THERIAULT. So what, it walked up, the treadmill is running on its own, or someone's running on the treadmill? Give me the scenario.
GRAHAM CLULEY. In this particular video I saw, there was like a little toddler walking on the treadmill.
CAROLE THERIAULT. And it's on? It's on.
GRAHAM CLULEY. And it's on. It's going probably at like 2 miles per hour or so.
ANDREW AGNÊS. And was this captured by the treadmill camera, or was this like—
GRAHAM CLULEY. No, this is someone's home security camera.
CAROLE THERIAULT. Oh, thank God Nest was there or something. Something.
GRAHAM CLULEY. Yeah. And there's another little kid around the back of it, getting all excited, seeing the floor moving, and sort of puts his hand underneath. And at first he just sort of gets his arm trapped, and the other kid sort of runs off, presumably to get a parent. And then this kid is kind of dragged underneath, like hoovered, hoovered under. You see, much so.
CAROLE THERIAULT. Oh my fucking God.
GRAHAM CLULEY. It was horrific. Link's in the show notes. Don't really recommend it.
CAROLE THERIAULT. No, no, don't, don't, no, no, no.
ANDREW AGNÊS. There's a live link to the show notes.
GRAHAM CLULEY. They've linked, they've linked to it. The Consumer Product Safety Commission have linked to it. So you get an idea of just because they were saying everyone needs to stop using these things. Right. And I think that's an important message. And having seen that, I took it a bit more seriously myself because I thought, well, yeah, this does seem pretty bad what happened. Now I, the other day, so I have a treadmill, but I've only got like a cheap one, which costs like a few hundred pounds.
CAROLE THERIAULT. And that's probably way safer, right?
GRAHAM CLULEY. Well, well, You think that, Carole, but about a week and a half ago—
ANDREW AGNÊS. You lost your dog. I was— Worse!
GRAHAM CLULEY. I was on the treadmill and I made the foolish mistake of going on the treadmill in my socks, because I thought I'd just go—
CAROLE THERIAULT. You take it seriously. Did you hear those 5-toe socks with like the grippy bottom?
GRAHAM CLULEY. I had a few minutes spare in my schedule and I thought I'd just hop on this, just for 10 minutes.
ANDREW AGNÊS. Get those bunions working.
GRAHAM CLULEY. Right. And then my phone rang and I sort of hopped off the treadmill while it was running. Not a good idea.
CAROLE THERIAULT. Oh, like a cool dude. Like a dude.
GRAHAM CLULEY. Like a gazelle. Imagine a gazelle.
CAROLE THERIAULT. Yes. Gazelle and you. I'm picturing it now. It's like this weird mythical creature. Okay.
GRAHAM CLULEY. But I, I, I, one of my toes then got trapped in the treadmill wrap.
CAROLE THERIAULT. Toes?
GRAHAM CLULEY. Yes. My flipping toe. My big toe. Got trapped where? My big toe is all strapped up because I might have broken or fractured it or something. And it's still flipping sore. This is a week and a half later. So I really hurt myself.
CAROLE THERIAULT. This is a big intro for a security story, just saying.
GRAHAM CLULEY. Right. Anyway, so let's get back on track, right? I don't know why you went down that alley. The Consumer Product Safety Commission told people to stop using Pelotons. Right. Peloton Tread+. Let's be specific. The Peloton Tread+. Peloton CEO, he came out fighting. He said, oh, that's all inaccurate, misleading report. Says we've got no plans to recall the Peloton Tread+ at all. He said, "It's safe when you follow our instructions. Every day, thousands of people are enjoying working out on their TreadLife." He said that after seeing babies being hoovered underneath it? Well, I don't know if he watched the video, but yes. Certainly after the stories came out.
ANDREW AGNÊS. He didn't want to put his credit card into YouTube to watch it.
CAROLE THERIAULT. Yeah, yeah, I imagine that's right. I imagine there's a little backlash.
GRAHAM CLULEY. Do you think? Do you think maybe—
CAROLE THERIAULT. Yeah, just a soupçon, a soupçon of backlash. That's what I'm thinking. A nuage of backlash. Do you think possibly his PR agent Freaks.
GRAHAM CLULEY. We're not sure that's the right approach on this one.
CAROLE THERIAULT. Shut the fuck up is what I would say. Shut the fuck up, shut the fuck up, shut the fuck up.
GRAHAM CLULEY. Anyway, yeah, within a few weeks, Peloton had changed its tune and announced it was recalling both the Peloton Tread, which is the smaller version, which doesn't suck up children as far as we know, and the Peloton Tread+. So the Tread+, they said, look, we're recalling this because there is this itsy bitsy safety issue of sucking up children. And the Tread, they said, the problem with that is that the big touchscreen which you have on the front of the treadmill, it can accidentally wobble and fall on your foot, right? Can fall off.
CAROLE THERIAULT. Is that what happened to your toe?
GRAHAM CLULEY. No, I don't have a screen on my treadmill. My treadmill's cheap, right?
ANDREW AGNÊS. Right.
GRAHAM CLULEY. Not connected to the internet.
CAROLE THERIAULT. Trusted. Trusted and cheap. Amazon special.
GRAHAM CLULEY. Just like me.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. So at that point, the advice was stop using the Tread or the Tread+, contact Peloton for a full refund or some other kind of remedy.
CAROLE THERIAULT. So if your Peloton bike were to be recalled, would you literally stop using it, or would you say, fuck you, I paid £1,200 for this, so I'm using it, I'll be careful, I'm fine? Like, don't you think 90% of people are still using their Peloton Treads?
GRAHAM CLULEY. Well, I think you're right, and I think Peloton knows that as well. Yeah, so Peloton is worried that more children get sucked up, and in the land of America, there may be lawsuits, right?
CAROLE THERIAULT. Oh, they're worried about lawsuits. Okay.
GRAHAM CLULEY. Well, of course they are. They're going to worry about losing money.
CAROLE THERIAULT. Not pancake children. We don't care about them. But we care. We care about the lawsuits. Okay.
GRAHAM CLULEY. So Peloton, one of the remedies they've come up with is a software update, which they've pushed out to the Tread+.
CAROLE THERIAULT. Without your authorization, or you signed up when you bought it?
GRAHAM CLULEY. You get updates all the time that turn your lighter full, right? And it is something called Tread Lock. And what Tread Lock does is it automatically locks the Tread+ treadmill if you put it to sleep or after 45 seconds of inactivity. So if you haven't done anything for 45 seconds, you have to then enter a 4-digit passcode.
ANDREW AGNÊS. Oh my God.
GRAHAM CLULEY. So it's like your phone, right? Your phone locking.
CAROLE THERIAULT. So if you stop for a text message and then start running again, And then you have to go and go put your code in.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. You have to put in your passcode. 6969 or whatever it is. Yeah.
GRAHAM CLULEY. Now, so this has been pushed out to Peloton Tread Pluses, but there's a catch.
ANDREW AGNÊS. Okay.
GRAHAM CLULEY. Because you bought your Peloton Tread Plus for $3,000.
CAROLE THERIAULT. Cheap.
GRAHAM CLULEY. And what— So when you buy a— let me explain. When you buy a Peloton Tread Plus for $3,000, you can just buy it for $3,000. End of story. Right. And you can go running on it. Yeah, okay. Or you can pay the $39.99 monthly subscription to have someone yell at you, to have some fitness model scream at you.
CAROLE THERIAULT. It's a form of BDSM, right?
GRAHAM CLULEY. Right, exactly. But what's happened with the Tread Lock is that you no longer have the option to just run. You have to sign up to the $39.99 monthly subscription.
CAROLE THERIAULT. Oh, they're such Oh, I didn't say that. They're such— they're such douches.
GRAHAM CLULEY. And Peloton has said to its customers in an email, they said, this is for your safety and well-being. You're going to give us $39.99 because we've now given you this Tread Lock feature. And you'll be surprised to hear some people are not very happy about this.
CAROLE THERIAULT. So they want—
GRAHAM CLULEY. they can no longer run unless they pay $39.99 a month.
CAROLE THERIAULT. So that's a lot of money, isn't it, to run? I just wanna— I just want to add up the annual fee of this, right, on a yearly subscription. So how long do you want to use your Peloton? For probably 3 years, right? So it's $1,000 a year, right? And then you've got your subscription fee, and then a year, that's, uh, $1,000, right?
GRAHAM CLULEY. Yeah, well, it's a lot of money, but if you— but if you want all all of the, you know, the whiz-bangs, the special classes, and the screen people screaming at you.
CAROLE THERIAULT. Gustav, Gustav, this, the, the master cyclist or the running man showing you these special moves.
ANDREW AGNÊS. Yeah.
GRAHAM CLULEY. So what some customers have compared this to is ransomware. They say you've basically locked my device and you're telling me that to get it working again, I've got to pay you $39.99, and this wasn't the deal I signed up for.
CAROLE THERIAULT. So everybody that bought one of these Tread Plus is now being locked into the having to pay a monthly fee on top of the original fee. Is that correct?
GRAHAM CLULEY. That is what it looks like. Wow.
ANDREW AGNÊS. Would you— I mean, the Peloton. So I'm, you know, I'm totally engrossed in this because normally I'm listening, you know, on my headset, but here I'm actually here and I can ask questions. I can interrupt you. It's amazing.
GRAHAM CLULEY. No, you can't. Carole, have you got any questions?
ANDREW AGNÊS. So why would you buy a Peloton Tread for $3,000 if you didn't want someone to shout at you? Like, what's so special about that? Oh, okay. If it wasn't for the interaction part.
GRAHAM CLULEY. I've done the research. And so there's a Peloton Tread and a Peloton Tread+. The Tread+ is bigger and sturdier than the now cheaper one.
ANDREW AGNÊS. For the larger gentlemen, is it?
CAROLE THERIAULT. For the large children.
GRAHAM CLULEY. Exactly. So the smaller one can't suck up children as efficiently.
ANDREW AGNÊS. Hamsters and rabbits, guinea pigs.
CAROLE THERIAULT. Yeah.
ANDREW AGNÊS. Yeah.
GRAHAM CLULEY. So you need the Tread+. So. But yeah, I mean, it's. It's like a proper. I mean. I mean, I've got a Peloton bike. Right.
CAROLE THERIAULT. Which is the same. Which is the same, really. Right.
GRAHAM CLULEY. Well, it is a really nice exercise bike. You know, it's. What do you know about.
CAROLE THERIAULT. How many exercise bikes have you owned?
GRAHAM CLULEY. Oh, crow, crow. How many? Come, come.
CAROLE THERIAULT. How many?
UNKNOWN. None.
CAROLE THERIAULT. Come, come, come. Zero.
GRAHAM CLULEY. Hush now, hush, hush, hush, hush now.
ANDREW AGNÊS. Fuck.
GRAHAM CLULEY. Anyway, so Peloton is saying, look, um, we realize some people may not like this, so they're now offering people— they're saying, look, for 3 months you can have all-access membership, so we're going to waive the fee for 3 months. But of course, some people never wanted that anyway. They just wanted a nice treadmill, end of story. That's all they wanted.
CAROLE THERIAULT. Yeah, well, they should not have bought Peloton then.
GRAHAM CLULEY. Yeah, but they didn't know this, Carole, when they signed up.
CAROLE THERIAULT. Well, they know now. So, I mean, I always knew a bike for 3 grand— it's not a bike.
GRAHAM CLULEY. It's a treadmill.
CAROLE THERIAULT. Well, whatever. Any Peloton thing is like over a grand, it seems.
GRAHAM CLULEY. You can ask for a refund, apparently.
CAROLE THERIAULT. Well, that's kind of them.
ANDREW AGNÊS. So is this spawning a whole new market of people that are offering to downgrade it or mod your Peloton?
UNKNOWN. Ooh.
ANDREW AGNÊS. You know, like, hey, you can get these forums where they mod LastPass.
CAROLE THERIAULT. Yeah, jailbreak it.
ANDREW AGNÊS. Yeah, exactly.
GRAHAM CLULEY. Well, the thing is, of course, there's just been this other story. The researchers at McAfee found a vulnerability. In the Peloton bike. I think it's in the Peloton Bike Plus.
CAROLE THERIAULT. Oh, right. The cool thing you bought.
GRAHAM CLULEY. No, I got the Peloton bike, not the Bike Plus. It's different. But anyway, apparently the vulnerability exists in the Tread Plus as well, where you can actually mod the software to spy on people. So if you have physical access to the exercise gear, so maybe you could modify it to turn off the Tread Lock.
CAROLE THERIAULT. So effectively, I could go to your house, mod your Peloton, stream you live on YouTube, and then just wait for you to find out.
GRAHAM CLULEY. No, you couldn't, because I've got a sticker over the webcam.
ANDREW AGNÊS. That's the physical access part, right? You just peel off a sticker.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Yeah, thanks, Andy. Graham doesn't figure that out.
GRAHAM CLULEY. Andy, what's your story for us this week?
ANDREW AGNÊS. See, I'm expecting some sort of music to start coming out.
CAROLE THERIAULT. There is music.
GRAHAM CLULEY. Everyone else has got music.
CAROLE THERIAULT. Ding, ding, ding, ding, ding, ding, ding.
GRAHAM CLULEY. Everyone else heard it.
ANDREW AGNÊS. Yeah, okay, so I am going to talk about a romance fraud on steroids. So what do you know about romance fraud?
CAROLE THERIAULT. People pretend to love you and then say, oh, can you buy me a plane ticket? Can you give me some money, basically?
ANDREW AGNÊS. Yeah, exactly that. Yeah, so it's that type of scam which involves, you know, the mark being duped into sending money to, you know, the scammers. You know, they go to great lengths to play on your emotions, ultimately convince you to send money.
CAROLE THERIAULT. Yeah.
ANDREW AGNÊS. You know, and it's, they get all types of people down these scams. You know, it's people who would probably normally never fall for scams, but because they're playing on their emotions to make decisions, it stops them from sort of thinking through logically. So, you know, typically a scammer would set up a fake profile, a nice appropriate photo, you know, find someone's looking for love, whether it's on dating sites, apps, or, you know, wherever. They love them.
CAROLE THERIAULT. Yeah.
ANDREW AGNÊS. They love them. Yeah. So they target vulnerable people, lonely people, older people, people with self-esteem issues, you know, make them feel good.
CAROLE THERIAULT. But don't you think anyone would fall for that? If someone said, oh my God, Andy, you're so great. You're like the greatest. You're so great.
GRAHAM CLULEY. You're the favorite of all my hosts.
CAROLE THERIAULT. Yeah, you're my favorite person.
ANDREW AGNÊS. Exactly. And then it's followed by, yeah, you just need your credit card for another hour, sir. You know, and then—
GRAHAM CLULEY. But I think, I think time plays a factor in this though, doesn't it? I mean, if someone said that to you the first day you met them, you might be a bit suspicious. But if they worked on you for weeks and weeks and weeks, I'm working up to mine, Graham, with you.
CAROLE THERIAULT. 20 years in the making. It's going to be expensive.
GRAHAM CLULEY. But then somehow it seems more logical and natural, doesn't it? I think that's one of the problems is sometimes these scams can take place over weeks or months.
ANDREW AGNÊS. Yeah, you're right. It's not like a 24-hour thing. And often, you know, the reasons why you can't meet are actually quite logical. You know, whether they're in another country, so you can't just pop round or they can't come over. Or if they're in maybe a poorer country and they say, oh, my camera doesn't work. You know, I don't have a camera on my phone or, you know, I don't have video chat or anything like that. But it's usually when you look back, you can put together the red flags. But at the time, as you're just saying, you build up to it, it's so emotive. It's actually easy to believe. And then it is usually that next stage where, you know, the scammer sort of asks to ship something or something gets held by customs. They need your help releasing it or they need some money for a visa to come and see you or flight tickets or You know, some big complicated drama that you can't be arsed to go look into.
CAROLE THERIAULT. It'll cost you 200 grand.
ANDREW AGNÊS. Yeah, exactly. Yeah. Family member having an accident, you know, is another one which results in significant medical bills. You know, and that's typically the only thing that's stopping them from coming to see you is they need to resolve this problem.
GRAHAM CLULEY. And you think if you pay up, then they will feel, you know, maybe they'll be a little bit more inclined to, you know, with you or something.
CAROLE THERIAULT. What? There's no sex involved in this one.
ANDREW AGNÊS. No, but there will be ultimately.
CAROLE THERIAULT. Yeah.
ANDREW AGNÊS. It's a long game on both sides.
GRAHAM CLULEY. Yeah.
ANDREW AGNÊS. So what can people do to protect against this? Okay, so there's multiple sources for, you know, the fraud prevention advice that recommends things like, you know, don't believe the photos. They may not be genuine. So do your research first, you know, reverse search an image. Be suspicious for any requests of money from people you've never met in person, particularly if you only ever met them online.
CAROLE THERIAULT. Well, I give Amazon money like every week.
GRAHAM CLULEY. Jeff Bezos hasn't been around to your house yet.
CAROLE THERIAULT. I've never met him. He's always declined my dinner invites.
ANDREW AGNÊS. I mean, all of this advice basically revolves around being wary if you haven't met someone, okay? So there's a guy called James, which isn't his real name, so his identity's been protected, a 52-year-old charity worker who's living in the UK and asked by a friend in 2015 to help set up a new project supporting children that were fleeing the conflict zone in Ukraine.
CAROLE THERIAULT. Wow. Okay. So he's like, I'm all in.
ANDREW AGNÊS. Yeah, absolutely. Yeah. I mean, he's charity work. This guy, you know, he's got a good heart. Okay. It's, you know, someone that you want to look after. So James had never worked abroad before. So he had a translator assigned to him when he got there. This translator called Julia. He's still got a full-time job in the UK, but he's flying back and forth. Gets to know Julia better on each trip he's out there.
CAROLE THERIAULT. Meeting her in person.
ANDREW AGNÊS. Meeting her in person. Yes.
GRAHAM CLULEY. Yeah.
ANDREW AGNÊS. I think this is where, you know, your guard maybe drops down a bit more. Totally. So in the winter of that year, 2015, there's like a massive heavy snowfall. So Julia, someone who he's built a nice relationship with over the months.
CAROLE THERIAULT. She snowed in.
ANDREW AGNÊS. She's a translator and she said, how about you go on a date with one of my friends called Irina? And he's like, okay, well, sounds good.
CAROLE THERIAULT. Yeah, we're bud buds.
ANDREW AGNÊS. Someone, a mutual friend, that's got to be a good thing, better than a complete stranger. So he met Irina, who was a 32-year-old, so 20 years his junior. And she had all kinds of stories that really tugged on his heartstrings. Not just stories about fleeing a war, but she told him about these two previous marriages and why she would never want to marry a Ukrainian man again. So she'd been scarred in the past and she wasn't looking for that.
CAROLE THERIAULT. And she really liked gray hair. She really liked gray hair and wrinkles and older gentlemen.
GRAHAM CLULEY. Beer belly. Yeah.
ANDREW AGNÊS. So despite this age difference of 20 years, right, they got on like a house on fire. For a few evenings in a row, they were going out enjoying Odessa's nightlife. And while James always had fun with Irina, because she spoke minimal English and he spoke zero Ukrainian or Russian or anything with a Cyrillic character in it, Julia had to accompany them. And as she was a translator, a professional service translator—
CAROLE THERIAULT. It's kind of sexy a bit, right? It's like you have like a chaperone.
ANDREW AGNÊS. Like a third wheel. Yes. But she was getting paid $150 a day for this. So like £107 a day. By whom? By James, who's paying for it. For her services as a translator.
CAROLE THERIAULT. So he's like, oh yeah, come on our date and translate. I won't use Google Translate or any app that can help us. You come along and I'll pay you.
ANDREW AGNÊS. Okay. It's funny you say that because he actually said that it was easier to communicate when they were apart because they used the messaging app Viber, which had a translation function built into it.
CAROLE THERIAULT. Actually, I was introduced to Viber by an Eastern European friend.
ANDREW AGNÊS. So, okay, you know, every 53-year-old guy wants to, you know, receive messages from an attractive lady 20 years his junior.
CAROLE THERIAULT. I'm sorry.
ANDREW AGNÊS. Yeah, I'm just saying it. Well, I'm going to speak for all men on that. You know, I'm nowhere near 53 yet, but Graham, I'm sure you would. You want to be flattered by a text message by someone that you've actually met in person? Yeah.
GRAHAM CLULEY. No, no, I wouldn't. I would— I don't want any 32-year-old unless it's Diana Rigg. 32. I, I'm more like 30 years younger than she was when she died, I think. But, um, she—
CAROLE THERIAULT. but that would be quite cool though.
GRAHAM CLULEY. It wouldn't— see, because, because what I want to do, what I want to do is I want to curl up with a gorgeous woman and talk to them about retro television and LPs from the 1970s. And I'm not going to be able to do that if they haven't ever heard of the Beatles, if they've never heard of the Beatles, which is of course the fate of one of my past girlfriends.
CAROLE THERIAULT. She's probably still crying about it.
GRAHAM CLULEY. Yeah. Anyway, James was up for it.
ANDREW AGNÊS. James was up for it. An example of a message he sent, she says, "You gave me a real fairy tale. Thanks so much for that. I believe in you. Just you can give me this happiness. I love you." So it wasn't just like a couple of nights they were going out. You know, this went on for like the next 6 months. You know, James was flying over there a lot. Every night they went out in Odessa. Expensive meals, evenings at the opera house. You know, he was totally living up to her. Hang on.
GRAHAM CLULEY. So, Julia was going to these expensive meals and to the opera house as well?
ANDREW AGNÊS. Yes.
CAROLE THERIAULT. Did she join them in the bedroom as well, just to kind of clarify what everyone wanted?
ANDREW AGNÊS. Well, so intimacy—
CAROLE THERIAULT. Just in case they couldn't work it out themselves.
ANDREW AGNÊS. Up a bit, left. Yes.
CAROLE THERIAULT. No, no, no, James. Jesus.
ANDREW AGNÊS. She's said wrong half. Reverse. Intimacy was off, including kissing. So Julia, the translator, said that Irina didn't believe in sex before marriage. Okay. But to James, that was a good thing. He had a very high moral standard. And so he actually liked her even more for that.
CAROLE THERIAULT. I love how lack of sex is moral.
ANDREW AGNÊS. Okay, good. Good.
GRAHAM CLULEY. So they didn't have a kiss either?
ANDREW AGNÊS. No kisses. No, even kissing was off limits.
CAROLE THERIAULT. No second base. No first base.
ANDREW AGNÊS. Nothing like that.
GRAHAM CLULEY. You can't marry someone you haven't kissed.
CAROLE THERIAULT. I am totally hook, line— This should be on Sticky Pickles. Okay, carry on.
ANDREW AGNÊS. It should be. So 11 months after they first met in that winter of 2015, they were engaged. So James had been prodded by Julia and Irina in that sort of direction.
GRAHAM CLULEY. Lucky him.
CAROLE THERIAULT. Yeah, he's getting a 32 cutie who doesn't speak English and won't smooch him.
ANDREW AGNÊS. Yeah. But he was completely in love. He'd fallen in love with her and he was under no illusion. This was a real thing. She was trapped in her country, you know, he wanted to be this knight in shining armour that, you know, helped her out, took her away. And there's actually video footage from their engagement party, you know, which shows James dancing like a dad on the dance floor and Irina's like moving around smiling, waving at the camera, glitters falling from the sky, Whitney Houston's ballad "Could I Have This Kiss Forever" echoing across the room. This is an Eastern European version of a Hallmark movie. Everything's good. So, how could this possibly go wrong? Okay, he's met her in person. He was introduced to her by, you know, someone he thought was a friend. She's a real person. He knows all about her. How could this possibly end badly? Well, good question, I ask myself. So, James started paying for her to have English lessons, right? And the hope was that he would be able to bring her back to the UK with him.
GRAHAM CLULEY. Civilised her. Yes.
CAROLE THERIAULT. I so hope when she learns English, she tells him, "Oh my God, I've been trying to tell you for months. I've been scamming you." Yeah.
GRAHAM CLULEY. It's the translator all this time. Yes.
ANDREW AGNÊS. So after a few chats with the embassy, it was clear that the process to get her back to the UK was going to take several years. So he was like, "Look, I don't want to wait any longer." So he thought moving to the Ukraine and starting a new life with Irina there would be the best way to go. So he quit his job, sold his house, and obviously with Irina's encouragement, they began looking for a place to live. And obviously buying a house was expected because they said it gave that sort of permanence to the relationship. But obviously transferring money from the UK to the Ukraine is not a straightforward task due to it being statistically one of Europe's most corrupt countries. So money laundering controls are just ridiculous. You can't just transfer money from a house sale in the UK to a bank account in the Ukraine. So, Irina came up with an out-of-the-box suggestion, you know, to sort of get this $200,000.
CAROLE THERIAULT. Give me your money.
ANDREW AGNÊS. I know how to get this apartment money to the Ukraine. But instead of putting the money into, you know, her personal account, she said, look, I've got another friend called Christina. She's our wedding planner. But because she's got a business account, it's not going to flag anything, right? You know, that money can just get straight out there, no problem.
CAROLE THERIAULT. Of course, Sugar Plum. Sounds brilliant, Sugar Plum.
ANDREW AGNÊS. But again, you know, thinking, well, you know, is this a good idea? But actually, it all makes sense, right? You know, a business account has probably got less stringent controls on it than a personal account, or it's got certainly a higher limit.
CAROLE THERIAULT. There's a number of red flags here so far. You keep saying it all makes sense. I'm like, hmm.
ANDREW AGNÊS. But Carole, I think it kind of does because you're a year into a relationship here.
GRAHAM CLULEY. They've had their engagement party.
UNKNOWN. All the friends have been there.
GRAHAM CLULEY. You know, they've had the dance, they've had Whitney Houston, right? They're going to buy a place together. It's just a way to get money in, is to put it through her friend Christina's business. Okay, it sounds good. You know, no snogging though, that's a bit disappointing.
ANDREW AGNÊS. No. Well, old school though.
CAROLE THERIAULT. Have they snogged now? Do we know that they snogged?
GRAHAM CLULEY. They're not married yet, Crow. You can't kiss people until you're married in Ukraine.
ANDREW AGNÊS. The wedding's coming.
CAROLE THERIAULT. They had Whitney Houston pre-wedding. That's a giveaway. That's a red flag if it's December 1st. Okay, carry on.
ANDREW AGNÊS. So, like, a bit of a snag came up, okay? Irina announced to James that the bank would only release the money if he was legally married to Christina, the wedding planner. Now, you know, it's just a formality, okay? She's saying, look, just, we'll get it done in 10 minutes, okay? You go to a registry office.
GRAHAM CLULEY. Hang on. Does everyone who tries to give money to Christina's wedding planning business also have to marry her before they reach the money?
ANDREW AGNÊS. Yeah, I don't know how many times she's fallen in love and then had someone fly out there to live with her.
GRAHAM CLULEY. So you need to marry the wedding planner.
ANDREW AGNÊS. So now you need to marry the wedding planner in a registry office, like 10-minute job, bish-bosh.
CAROLE THERIAULT. Okay, are you still saying— Of course, of course, of course. And then, you know, it's completely reasonable. Are you both saying—
ANDREW AGNÊS. Well, so now James is like, this isn't what I planned for. Okay.
CAROLE THERIAULT. This is not— this is a bit of a red flag.
GRAHAM CLULEY. Hang on. How hot is Christine? Christina? Do we know? How hot is she? Maybe he could do a pivot here. Does Christina speak English? Because that'd be convenient.
ANDREW AGNÊS. Yeah.
CAROLE THERIAULT. Do you know the Beatles?
ANDREW AGNÊS. I don't have that level of detail, unfortunately. So Christina's not a main character.
GRAHAM CLULEY. Okay.
ANDREW AGNÊS. Despite, I mean, despite getting married, obviously Christina's not the main character. So James is now in this impossible situation, right? Okay. So Irina's threatening to call off the wedding unless, you know, this money's released and they had a home to move into, you know. And she starts saying, look, you're going to make me look like a prostitute in the eyes of my family. You know, is it essentially what she's saying, that, you know, I can't be married and not have a house to settle down in? And so, you know, things are not looking good. He's feeling pressured.
CAROLE THERIAULT. Yeah.
ANDREW AGNÊS. So 60 guests at the wedding, you know, including their family. James is like, oh my God, like, you know, I don't want this. I don't want it to look bad. So I'm going to get married to Christina, then we'll get divorced, and then I can marry Irina.
CAROLE THERIAULT. I love your empathy, Andy, because you really are identifying with him. Is this like— Is he your friend?
GRAHAM CLULEY. Yeah. It's suspicious. They call this character James.
ANDREW AGNÊS. No comment. No comment. I'm still scarred. Nyet. So, it was July 2017. With the encouragement of his fiancée, Irina, James actually married the wedding planner, Christina.
CAROLE THERIAULT. Of course.
ANDREW AGNÊS. And Irina was there.
CAROLE THERIAULT. Reasonable.
ANDREW AGNÊS. Yeah, she was happy for them, jumping up and down. The money was released that same afternoon. And Irina then said, look, $200,000, it's all out. We've spent it on an apartment. And that's great. They've now got the place to move to. But the challenge was that apartment wasn't just in James's name. It was also in the name of Christina, his fake wife, you know, the wedding planner. Yeah. Also, I mean, it gets even worse. He actually found out that the value of the property wasn't $200,000. It was actually just $60,000. Oh. This is where the penny drops.
CAROLE THERIAULT. Oh, this is when! This is when it drops! This is when! It's not when he had to marry the fucking wedding planner. It didn't drop then.
ANDREW AGNÊS. Okay.
CAROLE THERIAULT. Okay, reasonable.
ANDREW AGNÊS. Now he's starting to, you know, have sort of second thoughts.
CAROLE THERIAULT. He's starting to think, hmm.
GRAHAM CLULEY. Seriously, Pearl, you're being very sceptical. Have you never married someone else in order to get married to the person you wanted to get married to? Have you never done that?
ANDREW AGNÊS. Is that not how you do it in Canada?
GRAHAM CLULEY. It's fairly traditional, I thought.
ANDREW AGNÊS. Yeah. So, but believe it or not, he actually still got married to Irina. So he obviously paying for everything. And Ukraine is relatively cheap by European standards. But, you know, he had a $20,000 wedding bill. 60 guests.
CAROLE THERIAULT. Twice.
ANDREW AGNÊS. Twice. But 60 guests that he actually now believes were paid to be there. And now even Irina's mother turned out to be Julia, the translator's mother. So, you know, the mother of the bride wasn't actually—
GRAHAM CLULEY. Oh, the translator's back.
ANDREW AGNÊS. Yeah. So, he was probably the only person at the wedding that thought it was real, you know, unfortunately.
CAROLE THERIAULT. You know what? Netflix, grab the script. Yeah.
ANDREW AGNÊS. And it turns out that Irina actually already had a husband as well. She already had a husband. And the wedding planner also had a husband as well, who—
GRAHAM CLULEY. Oh, hang on.
ANDREW AGNÊS. Yeah. I know.
GRAHAM CLULEY. So it's traditional for the men to get married multiple times, but for the women, they don't get divorced. They just keep on marrying.
ANDREW AGNÊS. Well, so he actually divorced her prior to Christina's marriage to James. And then after James divorced Christina, her ex-husband then remarried her.
GRAHAM CLULEY. I'm gonna need a flowchart for this.
CAROLE THERIAULT. Yeah, this is like The Archers on speed, okay?
ANDREW AGNÊS. I know. Yeah, so with, you know, the evening of the wedding reception, it was going to be their first ever night of intimacy, you know, with James and Irina. And next thing you know, he sort of woke up in a taxi after violently shaking.
CAROLE THERIAULT. We're hypnosed to the gills.
ANDREW AGNÊS. Exactly. He ended up in hospital. Irina refused to go and see him. She accused him of getting drunk and humiliating her in front of her family, you know. And then for the next couple of weeks, kept saying she had medical problems and James couldn't visit her in hospital. Because on his passport, he was still Christina's husband, not her husband. I mean, the whole thing just got worse. So he, this kind-hearted charity worker, still sent $12,000 for her medical costs.
UNKNOWN. Oh!
ANDREW AGNÊS. You know, which he genuinely believed she was ill. But ultimately, I mean, the madness stopped.
CAROLE THERIAULT. How much out of the pocket is he?
ANDREW AGNÊS. Totally, he's saying that the women scammed him out of $250,000. Boy, oh boy. But I mean, just the level that they went through to do this scam. The amount of people involved, unbelievable.
GRAHAM CLULEY. This is insane. If you live in Ukraine and you're listening to our podcast, can you get in touch and tell us if this is normal?
CAROLE THERIAULT. Would you do this?
ANDREW AGNÊS. Yeah, so they, funnily enough, people have said this does happen. In Odessa in particular, they've got a reputation for marriage scams. And so the police don't really deal with these things too often. And there's been no justice so far. So James has paid a private investigator $3,000 $100,000 to recover the money.
UNKNOWN. Hang on, hang on.
ANDREW AGNÊS. And there's a 30% finder's fee as well.
GRAHAM CLULEY. Who's this private investigator married to? Is he the cousin of the translator?
ANDREW AGNÊS. Well, that would— I mean, this would just be next level if that was true, right? That would be so good.
GRAHAM CLULEY. Kuro, what have you got for us this week?
CAROLE THERIAULT. Okay, so I don't know how I'm going to follow Andy's story. Have you guys heard of Zach Weiner?
GRAHAM CLULEY. No, Zach.
ANDREW AGNÊS. It sounds like a fake name, if I'm honest.
CAROLE THERIAULT. Doesn't it?
GRAHAM CLULEY. Sounds like a medical condition.
CAROLE THERIAULT. It's not.
ANDREW AGNÊS. Yeah.
CAROLE THERIAULT. I'm going to show you a photo of 6 people, and I want you to decide at this stage who you think Zach Weiner might be.
GRAHAM CLULEY. Okay, well, 3 of them appear to be female. I imagine that is Zach.
ANDREW AGNÊS. And I'm going to stereotype and say that it's a Jewish name. And so I believe it would be the guy with the beard.
GRAHAM CLULEY. Okay, I think it's the guy in the bottom right, the young guy, uh, dark hair, glasses.
CAROLE THERIAULT. Let me describe him, what he does and stuff, and see if you change your minds at all. So Zach is a screenwriter, actor, and film producer based in New York. He's also running for city council 2021 in a district in the city. And he's running against 5 other candidates. And what you're looking at is the 6 candidates that are running for District 6. Now, the election is actually happening right now as we speak, and by the time this show is out, we are going to know whether he has won or whether he got kicked to the curb. So I checked out Zach's website, and there's like an About Zach, and in the About Zach section, it says, Zach has new ideas for the neighborhood he loves. He will not stand for bad deals that hurt the quality of life and neglect the homeless under the false pretense of moral righteousness.
GRAHAM CLULEY. Oh, that's disappointing, isn't it? Because I'd really want to vote for someone who did support bad deals.
CAROLE THERIAULT. And his tagline is, on June 22nd, vote Wiener to start production. You know, because he's a screenwriter.
ANDREW AGNÊS. Oh dear.
CAROLE THERIAULT. Get it? Yeah, he's writing a better script for tomorrow's New York inspired by the vision of his community. Okay. Yeah, I know.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Okay. So why am I talking about this guy? Well, seems he is the latest victim in a crazy scandal that just might help him win or lose the election. And that is my question for you guys. Okay. So by the end of this, I want to know whether you think this actually helped him before we actually know the results. Okay. So Candidate Weiner, that's what we'll call him. Aside from writing screenplays and running for city council, has a few pastimes. Not golfing or making sourdough or things like that. No, one of his personal détente activities is to be bound, gagged, and under the full care and attention of a dominatrix.
GRAHAM CLULEY. Okay, yeah, right.
CAROLE THERIAULT. Like, who doesn't? I know.
GRAHAM CLULEY. Yeah.
UNKNOWN. Right.
CAROLE THERIAULT. It does sound a bit more fun than golf. But you know, what do I know? Anyway, so we know this, we know that he enjoys this because someone anonymous, okay, air quotes here, released a snippet of a BDSM XXX video of candidate Weiner enjoying his private time. And they released this on Twitter, along with the text, quote, "My magnificent dom friend played with Upper West Side City Council candidate Zach Weiner, and I'm the only one who has the footage." Do you want to see a still of the footage? I've got a still.
GRAHAM CLULEY. I don't know, you tell us. Do we want to see a still of the footage?
CAROLE THERIAULT. Of course you do.
ANDREW AGNÊS. Have we got video?
CAROLE THERIAULT. No, we don't have video. And this is—
ANDREW AGNÊS. Oh, just stills.
CAROLE THERIAULT. Yeah, we just— I have one still for you.
GRAHAM CLULEY. Oh, for goodness' sake.
ANDREW AGNÊS. Oh, okay.
GRAHAM CLULEY. I don't want to look at that.
CAROLE THERIAULT. This is in the New York Post, this picture. You might be able to identify who it is now.
ANDREW AGNÊS. This is Thom's basement.
CAROLE THERIAULT. Right, okay.
ANDREW AGNÊS. I've seen this room before.
GRAHAM CLULEY. This doesn't look like an amateur image to me.
CAROLE THERIAULT. No, it's not. It's not.
GRAHAM CLULEY. This looks quite professionally taken, professionally lit.
CAROLE THERIAULT. Now, what's interesting is the timing of this leak is interesting because it's just a week before the local elections, right? So this got leaked last week and today—
GRAHAM CLULEY. Are those clothes pegs?
CAROLE THERIAULT. Yes. Clothes pegs are clamping something.
GRAHAM CLULEY. No, we don't go into detail.
CAROLE THERIAULT. No wonder the New York Post dubbed this whole story a late-breaking case of electoral bondage. So cute. Now, this is not a deepfake. Candidate Weiner is owning it. Okay. In a call with the Post, Weiner confirmed it was him in the video and said the footage was made about 18 months ago with a former girlfriend he met during a Halloween party in 2019. Quote, "I am a proud BDSM— I like BDSM activity." He refused to name the woman in the video and said he had no idea on earth on how this footage was surfaced. Okay.
GRAHAM CLULEY. Yeah, yeah, right.
CAROLE THERIAULT. The deal here was he did this little video. He, he knew it was being recorded. It was being recorded by this, like, famous place in New York, apparently. I can't remember what it's called, but there's like someplace where you can kind of have your activities recorded, like in sex. Yeah, that's right. The sex dungeon, the Guggenheim. That's right.
ANDREW AGNÊS. The Langford land.
CAROLE THERIAULT. And okay, so he comes out, he comes out, Candidate Weiner, right? He goes, whoops, I didn't want anyone to see that, but here we are. "I'm not ashamed of the private video circulating of me on Twitter. This was a recreational activity I did with my friend at the time for fun. Like many young people, I have grown into a world where some of our most private moments have been documented online. While a few loud voices on Twitter might chastise me for the video, most people see the video for what it is: a distraction. I trust that voters will choose a city council representative based on their policies and their ability to best serve the community." Comments?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. I'm backing up. Off the mic.
GRAHAM CLULEY. Can I intervene at this point?
ANDREW AGNÊS. Yes!
GRAHAM CLULEY. Because I can smell something in the air.
CAROLE THERIAULT. Interesting.
GRAHAM CLULEY. I think I smell a little bit of BS.
CAROLE THERIAULT. Do you?
GRAHAM CLULEY. About all of this.
ANDREW AGNÊS. BDSM or just BS?
CAROLE THERIAULT. Yeah, BDSM.
GRAHAM CLULEY. Because I think this is all a publicity stunt. I think this is a video which he has had made. It looks too professional. Doesn't look furtive. I think he's done this to gain himself notoriety. He's done on this because now, presumably just a couple of days before the election's going to take place, everyone will be talking about him rather than anything else. He's come out with this rather cute statement of oops, you know, I'm not ashamed of this and all the rest of it. And all the trendy liberals on the East Coast, they're not going to be bothered about this either because he's not hurting anybody. It's not like he's been—
ANDREW AGNÊS. It's consensual.
GRAHAM CLULEY. He's not been sucking up kids under his treadmill or something on that.
CAROLE THERIAULT. He's basically saying, you think I'm boring, I'm not boring.
GRAHAM CLULEY. Yeah, but you know what, I wouldn't vote for him now.
CAROLE THERIAULT. Why?
GRAHAM CLULEY. And not because, because I think he's full of shit. I think he's a liar.
CAROLE THERIAULT. Whoa, you, you have just, I just say you did 1 1 15 and you decided to hate him.
GRAHAM CLULEY. No, no, my hunch, my hunch, and may I, if I am wrong, let me know, but I have to work on my hunches here. My hunch is that he is behind all this as a publicity stunt. He's pretending it's been leaked against his will. I think he was right behind it. And it just makes me think, well, I can't trust you. I don't want you representing me. Wow.
ANDREW AGNÊS. See, I don't, I don't think it's a fake video. I think this is a genuine session that he's probably been through. But I do agree with Graham that I think he is probably behind the leak. But I see it more as a power play. Like, you know, if he, if he's prepared to leak stuff like this, you know, what have you got on him. You know, any sort of political leverage, you know, other— his opponents might think they've got. I'm going to release an embarrassing video of you. And he's like, well, I've just released my own video of me with a hamster going up my ass in a gerbil in a toilet roll.
CAROLE THERIAULT. Beat that.
ANDREW AGNÊS. Yeah. What have you got? You know, bring it. This is a power move. This is.
CAROLE THERIAULT. So it's interesting because I got the same twinge when reading that statement he said, because I think all of it— owning it, fine, who cares, right? Like, I love this community, great, great, great, you do you.
GRAHAM CLULEY. Yeah, don't kink shame.
CAROLE THERIAULT. The fact that he didn't come out and say, and whoever did this, shame on you, and I hope you get caught— like, there's none of that. There's no, like, basically, if this happened to anyone, it would be revenge porn. Yeah, I mean, this is kind of revenge porn. You're doing something completely private and a third party is slapping it online, naming you and shaming you. And he's ignoring that whole side of it going, "Yeah, yeah, it looks like— turns out I got a sexy sex life." I don't know. So I had a twinge there too about that. So we will find out, I'm sure. Time will tell.
GRAHAM CLULEY. So I think I want to vote for the woman who's in the middle on the top row of the 6 pictures now. I think I like her the most. Yeah.
CAROLE THERIAULT. Always go for a woman. I agree. Smashing Security. So I was wondering why, like, if you were into this, like, why, why would you film it? Like, especially if you were a millennial, like he's 26, I think, or 28. So why would you consent to someone videoing you, you know, enjoying yourself?
ANDREW AGNÊS. Different generations, though. I think it's quite normal to live under a camera quite a lot of the time these days.
CAROLE THERIAULT. Yeah, because there was a Dom interviewed by Motherboard, a dominatrix, or I shouldn't use the shorthand. They said sometimes clients request to be filmed because they want to be able to look fondly back at their experience. Quote, think of it like a bar mitzvah video where the only person that might ever watch it again is the client.
GRAHAM CLULEY. So do you think he really is into BDSM?
ANDREW AGNÊS. Yep.
GRAHAM CLULEY. Yeah, yeah, because I wouldn't put those clothes pegs on unless I was, right?
CAROLE THERIAULT. Now, yeah, Twitter suspended the account hours after the video was posted, right? But it was also posted on OnlyFans, or like snippets were, you know, so that you could buy the whole video or whatever.
ANDREW AGNÊS. And do we know where that money's going to, or who's behind that OnlyFans account.
CAROLE THERIAULT. Yeah, exactly. Follow the money. New York Times, tip to you guys, follow the money. So OnlyFans only removed the video after 24 hours, and this was after Motherboard reached out, uh, to the company for comment saying it was in violation of the OnlyFans terms of service. That's the story. So interesting. Yeah, so one of my questions at the end was like, did he do it himself? But we've already covered that one because—
GRAHAM CLULEY. So are we all, are we all thinking he did?
CAROLE THERIAULT. We are.
GRAHAM CLULEY. Yeah. And so how is this going to affect the election?
ANDREW AGNÊS. It's not— I don't think this type of thing bothers people at all.
CAROLE THERIAULT. No, but do you think he might win? Like, maybe he was like never going to win this thing because he just looks too young to run a city council for me, but I'm too old to judge that. Anyway, who knows what's going to happen? But you know what, guys, go look up his name, Zach Weiner. Did he win? Did he win?
GRAHAM CLULEY. Might you confuse his name with the other famous wiener?
CAROLE THERIAULT. Well, you know what, that was my first thought. That's why I decided to cover the story straight away. I was like, no way, his son— his son is now in politics? And then no, apparently they don't have anything to do with each other. But great documentary, Wienergate. Check it out.
GRAHAM CLULEY. Chums, chums, if you remember one thing from today's episode, it should be to check out the leading cloud directory platform, JumpCloud. JumpCloud's directory platform makes it easier to solve today's IT challenges by unifying device and user management through a single pane of glass. With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy. Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organisation move to a modern, secure hybrid work model. Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. 1Password makes the secure thing to do the easiest thing to do. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise. Provision employees using trusted systems, respond rapidly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security. Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show.
CAROLE THERIAULT. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors KnowBe4 can tell you, human error is how most organizations get compromised. Where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. And to do that, they need new-school security awareness training. KnowBe4, the provider of the world's largest security awareness and simulated phishing platform. See how your security culture stacks up against KnowBe4's free phishing test. Get it now at knowbe4.com/freetest. That's K-N-O-W-B-E and the number 4 dot com slash freetest. Think of KnowBe4 for your security training.
GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
ANDREW AGNÊS. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my Pick of the Week this week is not security-related, but it is Canada-related, Carole.
CAROLE THERIAULT. Oh, better not be shaming us in any way.
GRAHAM CLULEY. No, not shaming. Is in fact possibly your greatest cultural export ever.
CAROLE THERIAULT. Oh, maple syrup?
GRAHAM CLULEY. In your history.
CAROLE THERIAULT. Leonard Cohen?
GRAHAM CLULEY. No, not maple syrup.
CAROLE THERIAULT. No, no. Celine Dion?
GRAHAM CLULEY. It is Joni Mitchell. Album Blue is 50 years old this week. Can you believe it?
CAROLE THERIAULT. You just heard about it?
GRAHAM CLULEY. 50 years old this week. Perhaps it's my favourite album of all time. I absolutely love Blue by Joni Mitchell. It chronicles the breakup of her relationship with Graham Nash, if you remember him from The Hollies, giving away her daughter in maybe the greatest Christmas song ever. What was the greatest Christmas song ever, everybody?
ANDREW AGNÊS. Uh, Killing in the Name of?
CAROLE THERIAULT. No.
ANDREW AGNÊS. Oh, damn it, damn it.
GRAHAM CLULEY. Anyone, anything else? Any other candidates? It is of course River. Um, and never heard of it. Of course. You've never heard River by Joni Mitchell?
CAROLE THERIAULT. I don't know if I have or noticed it.
GRAHAM CLULEY. Well, you'd know the tune. It's Jingle Bells is the tune, but it's a sad, plaintive Jingle Bells. And also some of the shenanigans she got up to on a Greek isle. A new EP has just been released with some demos and outtakes to celebrate the 50th anniversary of Blue, including a version of A Case of You with slightly different lyrics.
CAROLE THERIAULT. Are you going to buy the record for your record player that I got you when you turned 50?
GRAHAM CLULEY. You know what? I very well might, Rob, because—
CAROLE THERIAULT. Good.
GRAHAM CLULEY. This is such an incredible LP. I love it to death. This, Blood on the Tracks by Bob Dylan, and the Moondance LP by Van Morrison were the soundtrack of a couple of years of my life when I was at college. I just listened to them on repeat constantly, and it's fantastic. And if you've never heard Blue by Joni Mitchell, go and check it out in your normal places where you can hear LPs or albums, as I believe they're called these days. And that is why it is my pick of the week.
CAROLE THERIAULT. Good one.
GRAHAM CLULEY. Good one. Thank you very much. Andy, what's your pick of the week?
ANDREW AGNÊS. So again, I do not have a security-related pick of the week. Do we have any Star Trek fans here?
GRAHAM CLULEY. Certainly not.
ANDREW AGNÊS. Oh my days.
CAROLE THERIAULT. I am kind of, but I don't have very good memory, so I'll do the best. What's your best?
ANDREW AGNÊS. Well, so, you know, if you can speak three languages, you're trilingual. If you can speak two languages, you're bilingual. If you speak one language, you're British. So my—
GRAHAM CLULEY. If you're lucky.
ANDREW AGNÊS. If you're lucky. My pick of the week is— Star Trek fans will know it as a universal translator. And this is the Timekettle. The particular model I've got is the M2. So I work around the world and I have very poor linguistic skills. I barely speak English.
GRAHAM CLULEY. That's what she said.
ANDREW AGNÊS. Dear Rich. See, I'd expect that on the Host Unknown podcast, not this upmarket show, right?
CAROLE THERIAULT. Yeah, Graham.
ANDREW AGNÊS. Yeah, bringing the tone down. And so what it does, you know, this sort of robotic voice that you've got at the beginning of the show, this is episode 232 with, you know, it does the intro.
GRAHAM CLULEY. So, oh yeah, Geoff.
ANDREW AGNÊS. This Geoff. Yeah, this is a real-time translator. And it listens to language, and in your earbuds, it will actually translate it, unfortunately, in that robotic voice. But there's only about a 2-second delay. So I can join meetings with people speaking in Spanish, different dialects of Spanish, and it will translate it. Unfortunately, dictionary word-for-word translation. So you have to put parts of it together.
CAROLE THERIAULT. Yeah, it's like Google Translate, I guess.
ANDREW AGNÊS. It is exactly that, yeah.
CAROLE THERIAULT. So you get about 60% of what they're saying, and make huge decisions based on that.
ANDREW AGNÊS. Excellent. Yes. Yeah. And it's worked for me so far. And that's how I became the mayor of Chakota in Russia.
GRAHAM CLULEY. Did you end up marrying some—
ANDREW AGNÊS. Yeah. Well, had James used one of these devices for, you know, less than $200, he could have actually understood the conversations that were happening because it supports 40 different languages on one device.
GRAHAM CLULEY. So this is like a Babel fish from Hitchhiker's Guide to the Galaxy.
CAROLE THERIAULT. People can use—
GRAHAM CLULEY. Yeah. Put this in your ear.
CAROLE THERIAULT. This is like international dating, you know, material. This opens up a whole new world, right?
GRAHAM CLULEY. So this really, hang on a minute. That's, backtrack, backtrack. Andy, this really works, does it?
ANDREW AGNÊS. Yeah, so I use these quite often. So I work in a company that's sort of multi, you know, quite global. And if I join a meeting where I'm the only person that doesn't speak that local dialect. So whether it's Portuguese or Spanish or something, I'll say, look guys, don't let me hold you back. You know, converse locally and I will, you know, I'll keep up with it. Yeah, I'll keep up.
GRAHAM CLULEY. Hang on, but how do they understand you though?
ANDREW AGNÊS. Because I speak in English and because they are so good, their education system is far superior to us. They understand bits of English. It's just easier for them to speak.
CAROLE THERIAULT. Do you have very, very tiny earbuds that no one can see so they think you actually speak 40 languages? This is a problem.
ANDREW AGNÊS. They're not small. So if you think of like the Apple— well, no, they do fit in your ear though. So if you think of the Apple AirPods.
CAROLE THERIAULT. Yeah, they're 15 times size.
ANDREW AGNÊS. They're over-the-ear versions of those. No, they are a bit thicker than that. So, you know, they actually fit in the ear, but the thickness of that bar which comes down is a lot bigger. Probably about twice as big. Yeah, that matters though.
CAROLE THERIAULT. I remember a guy getting a watch that was twice as high as a normal watch, and it really caused issues. You know, the watch did.
UNKNOWN. Oh yeah.
GRAHAM CLULEY. Andy, I'm still interested in these. Are these, is there an online component? Is it sending the stuff to the cloud or is it all happening on device?
ANDREW AGNÊS. No, it's clearly sending stuff to the cloud. This stuff is way too small to do anything locally. And to be honest, you know, that information could be going to China or Russia. I mean, the languages it supports from Arabic to Filipino, Icelandic, Tamil, Thai, Turkish, Urdu.
CAROLE THERIAULT. It's Bluetooth, so it connects whatever, connects to your phone.
ANDREW AGNÊS. Yeah, and it uses your phone. Yeah, it goes through your phone and sends all your data. But the great thing is at the end of it, because when it does a translation in your ears, it also does the transcript on screen on your phone. So it's got what it heard and then it's got the English translation on the opposite side. So for me, it's actually useful notes to go back and see what was discussed in the meeting as well. And then I can say, oh, that's how they understood it. That's not the direction I was going.
GRAHAM CLULEY. So how much do these Timekettle earbuds cost?
ANDREW AGNÊS. The Timekettle, yeah, so I actually got it quite a while ago on Kickstarter. And, but now, you know, they've got their own website. You can buy them on Amazon as well now. And I paid, I think at the time, about $179 US. And you love them? I do love them. It's just a whole new world for me.
CAROLE THERIAULT. Have you ever caught anyone, have you ever got them to translate an insult that someone was saying about you, not realising that you were actually not listening to music, but actually eavesdropping on them?
ANDREW AGNÊS. No, most of my colleagues are polite enough to insult me in English.
CAROLE THERIAULT. Do you ever go to a restaurant on your own and put them on just to see what people say about you around you?
ANDREW AGNÊS. I haven't yet, but I, do you know, this is the only problem, you have to set what language to translate. It doesn't automatically translate. So, you know, I need to, if I'm walking down the street and I hear, you know, some foreign language, I've got to figure out what language that is first. If it's not French or Spanish.
CAROLE THERIAULT. There's an app for that, I'm sure.
ANDREW AGNÊS. Yeah, download another app. That'll be next week's Pick of the Week.
CAROLE THERIAULT. Okay, perfect.
GRAHAM CLULEY. Wow, that's extraordinary. Carole, what's your Pick of the Week?
CAROLE THERIAULT. Okay, Graham, you know what my Pick of the Week is, but for our listeners and for Andy, it is a crazy weird documentary that I watched over the weekend. Now, it was released way back in 2015, 2015, and it's mad. It's a bit sad. It's funny.
GRAHAM CLULEY. Is it?
CAROLE THERIAULT. Well, we'll come to that. We'll come to that. Okay, the premise is this. Okay, Graham, you can interrupt any time because I mean, you watched it. You watched it. Okay, someone gets— I want to try and keep as much out of it as possible, right? But someone gets their leg amputated following an accident, and they decide to keep the leg. And the leg, through a series of strange events, becomes the property of a third party who becomes known as the Footman because he uses this leg to try and gain some fame.
GRAHAM CLULEY. Notorious.
CAROLE THERIAULT. Became notorious. Yeah.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. But our primary leg owner, the amputee, wants his leg back. And the story is about how he goes about this quest. And the documentary is cleverly called Finders Keepers, which is not a giveaway. Way, though it could be, but it might not be. Don't, don't read into that.
GRAHAM CLULEY. So with that kind of description, that's what enticed me to also watch this movie. So Carole said to me, she said, oh, there's this great movie about a guy who's lost his leg, literally lost it. Well, not lost his leg. It's become the property of somebody else and he wants his leg back. And she said, it's really funny. And so I watched I found it— I mean, it's peculiar. It's also rather miserable.
CAROLE THERIAULT. Andy, I'm really going to ask you to try and watch this, okay?
GRAHAM CLULEY. There's a lot of dysfunctional people in this.
CAROLE THERIAULT. Well, no, no, maybe normal. Maybe normal. Maybe you're the dysfunctional one. Who knows? There's a line where the footman says, quote, I'm pretty smart. I'm sure you all figured that out by now. I've heard from many a folk kin to me and close to me, and the ones that know me, they tell me I have the best business mind that they've ever seen. Okay, so that's who you're dealing with as the footman.
GRAHAM CLULEY. And he claims at one time that if he'd had a lucky break or something, I could have owned Microsoft, Apple, and I had owned Bill Gates's ass by now. I should be the CEO. Yeah.
UNKNOWN. Yeah, all I got is this foot.
CAROLE THERIAULT. Yeah, so like Graham, like you, he really thinks he's smarter than most people, right? And he just feels— there are some poignant moments, okay? It's not just funny, but there's some poignant moments. And you go to laugh, but you walk away having learned something about the human condition.
GRAHAM CLULEY. What did you learn about the human condition, girl, from this movie?
CAROLE THERIAULT. I learned that not all mothers are terribly loving.
GRAHAM CLULEY. That's true.
CAROLE THERIAULT. That, that sometimes, uh, you can go through something hard in life that actually makes you go crazy. That, uh, if you somehow get addicted to something, it can skew your whole view on everything. And if you have big dreams to become rich off the backs of other people, it can bite you in the ass. That's what I've learned. Anyway, I recommend anyone who's kind of intrigued Andy, you're totally intrigued. Go watch it. It's on Amazon. Finders keepers.
ANDREW AGNÊS. It says, "One man's leg is another man's treasure." That's the tagline for the film.
CAROLE THERIAULT. Exactly! That's the tagline. Why wouldn't you watch it? Why wouldn't you watch it? Our mutual friend, Thom Langford, watched it.
ANDREW AGNÊS. Yeah, but he's a freak. He's—
CAROLE THERIAULT. He liked it. He liked it. So, Andy, we need you to break the oath.
ANDREW AGNÊS. Mutual acquaintance, really.
GRAHAM CLULEY. Yeah, exactly. You watch it, Andy, and report back to us.
ANDREW AGNÊS. I'll do that.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Need a tiebreaker. Now, Carole, you've also been busy this week. You've been chatting to Roger Grimes of KnowBe4.
CAROLE THERIAULT. Yes. I have never spoken less in an interview than with this one. This guy has a lot to say, and it's all gold, really. Take a listen. Today we get to chat with Roger Grimes. He has been with KnowBe4 as its data-driven defense evangelist for 3 years. Now, today Roger joins us on Smashing Security. Roger, it's a pleasure to speak with you. Thank you so much for making the time to chat with us.
UNKNOWN. I'm delighted to be here, truly.
CAROLE THERIAULT. So here's a little bio for our listeners here. So you've been in the computer industry for more than 30 years. You've been a consultant, an instructor, you hold dozens of computer certifications, you're an award-winning author, 10 books, 1,000 magazine articles. Are you 90? Because that's quite a serious bio.
UNKNOWN. Yeah, I'm 54. I'm actually just working on my 13th book right now. But yeah, I just, you know, kind of got into the groove of things. I got a lot of certifications when I worked at a boot camp for, you know, a training boot camp for a couple of years that I took like 50 certifications there. So some people go, how could you possibly have that many? I have a lot of free time and I test for free, but I've been doing it 34 years. I've certainly, I was here before the internet.
CAROLE THERIAULT. Can you tell me a bit about your job? Is it still, is the title Data-Driven Defense Evangelist?
UNKNOWN. Yes, yes, I made it up actually when I came to KnowBe4. I'd written a book called Data-Driven Computer Defense, which I consider kind of my magnum opus out of my 13 books. It really is the one that talks about the underlying problems. Like we're so hacked today, you know, by malicious hackers and malware because we're not doing computer security we're not doing risk management correctly. And that's what that book was all about because I realized I was working for Microsoft at the time and I've been doing security for a long time. I was putting in these multimillion-dollar advanced security systems and multifactor authentication systems and helping to create the most secure features in Windows Vista and above. And I realized that all my clients were still being hacked by social engineering and unpatched software. And it was kind of embarrassing how misaligned all the money was. And that's what I realized, like, you know, the vast majority of people are compromised with social engineering and unpatched software, but the average organization only spends about 3 to 5% of their resources upon that. And it's that fundamental misalignment that allows hackers and malware to be so successful today. It's funny, it— computer security is 100% about risk management, and yet in this industry we have some of the most immature risk management ideals possible. Most people have no idea of how bad it is. Everybody sees attackers and threats kind of like as bubbles in a glass of champagne. And what they don't realize is that two of those bubbles are far bigger than all the other bubbles added together. But the defenses, everyone's trying to do everything right. Or like, put it in another context, suppose you get a security control document, like in the States, a really popular one is the NIST Cybersecurity Framework or HIPAA or Sarbanes-Oxley. Or NERC, or, you know, there's no lack of security control documents telling you to do good things, or PCI DSS, you know, for credit card transactions. But what they, the average controls document is probably 80 to 200 pages long, probably has 200 to 300 controls and things they tell you to do well. And what they don't tell you is that 2 or 3 of those things are almost all the risk. And the documents themselves, even though they're 80 or 200 pages long, will devote less than a page to each of those two topics while spending 10 pages on storage encryption. You know, and it's that, you know, it's like the entire industry is trying to distract you from figuring out what you really need to concentrate on. So that was my book. A lot of people that read it, a lot of people say it changed the way they think about computer security the rest of their life and every aspect of their job. But when I came here, Stu, the CEO, said, Roger, what do you want your title to be? And I said, data-driven offensive analyst. And I kind of, I regret barking that out because he won't let me change it now, but I get to talk about it to people like yourselves, and so maybe it's all right.
CAROLE THERIAULT. I think it's pretty good. I mean, you get to promote your book as well, so, you know, win-win.
UNKNOWN. Yeah, yeah, yeah.
CAROLE THERIAULT. So when we were chatting earlier about this interview, you said something that was really interesting. You said, and you've made it, you alluded to it just now in your job description. So you mentioned that how most computer defenses are broken and how to fix them. So, so maybe you can crack that open for me a bit more.
UNKNOWN. Yeah, so certainly number one, it's this fundamental distraction of all of these threats coming at you. Like last year, there was over 8,000 separate vulnerabilities that you were told that you had to patch. Year before that, over 12,000. Year before that, over 15,000. Year before that, over 12,000. Even in the smallest years in the last earlier part of the decade, it was 5,000 or 6,000. So we're being told to deal with somewhere between like 5 or 7 and 55 different exploits that we're told that we have to patch every day. About 1/4 to 1/3 of those are considered the highest criticality. You have to worry about millions of malware programs, hundreds of millions of malware programs each year. You have to worry about all the different types of attackers, ransomware attackers and script kiddies and financial thieves and nation states and intellectual property. So you're being told you have to worry about all this stuff. And in the middle of that, it ends up distracting people and people can't focus on what really matters. Not only that, but we actually are forever calling— like I said, one-fourth and one-third of everything we're told to fear, we're told is high risk. You know, like, high risk, you have to deal with it. Like, I, I use two really good examples. One is, uh, you probably heard about those credit cards that have those RFID tags on them, wireless, and, you know, they're used more in Europe than here, but they're actually getting quite popular in the United States. And the whole threat model is that an attacker can simply walk by you, you walk by them at a corner, and they sniff your credit card with an RFID scanner, and then they recreate your credit card and steal and rob your bank account or your credit card account. And indeed, I performed that demo at dinner parties, and you can go on YouTube now and put in RFID Prime, and you're going to get a ton of videos showing people like myself, researchers showing you how easy it is to do. It really is easy to do. And let me say, there's a billion-dollar industry that's been created to help stop this crime. There's these little credit card sleeves they give away at computer security conferences. There's wallets made of the material. There's purses made of the material. My wife said she was shopping for jeans last year and she saw the jean bragging that it had this anti-RFID material built into the pockets. You know, but the wild thing is there's never been a single documented real-world crime that an RFID shielding product would have prevented. Just because something can be done doesn't mean it will be done. And understanding the difference between what could happen and what is likely to happen is the difference between an okay risk manager and computer security person and a good to a great computer security risk manager.
CAROLE THERIAULT. And you know what, to be perfectly fair to that point, I don't think people in the media, people like us, necessarily always help that because we like to talk about the new ways that people are either displaying how an attack might work or like a proof of concept.
UNKNOWN. What you just said is very true. Like, we even hurt ourselves, like even red teaming real quick. Like, you're like, oh, I got a red team. We're going to break into my company. Every red team I've ever met breaks in using these fantastic ways and they take over the organization and they publish this paper. But the way that they broke in has almost no relevance to how real attackers actually break in. And so it really does you very— it actually does you harm. It distracts you. If your red team isn't trying to break into you the same ways that the real-world attackers did, it's actually hurting you. So how do most people get broken into? I've been researching this for, for two decades. It's 70 to 90% is due to social engineering of some sort, usually email, can be through the web, can be through SMS messaging, can be through voice calls, can be through a physical thing. But 70 to 90% of all successful malicious data breaches happen because of social engineering. About 20 to 40% happen because of unpatched software. And then the third thing that might be up in there could be either like password guessing attacks or USB key attacks or whatever, but number 1 and number 2 by far, those 2 things added together account for 90 to 99% of the risk, social engineering and unpatched software. Not only do they account for 90 to 90% of the risk today, it's been for the entire perpetuity of computers since I've been in it for 34 years.
ANDREW AGNÊS. Yeah.
UNKNOWN. You know, it's, you know, so like when people go, you know, and I say, don't believe me, I worked for KnowBe4, we're trying to sell you anti-social engineering software and services. I could be lying to you. I have every incentive to lie to you. Just ask yourself, when your company's been compromised and you're able to find out what was it, or when your computers at home got compromised, or your cell phone, how did it happen? So about 2009, social engineering became more popular because Apple came in, Chromebooks came in, and the attackers would have to write different viruses and malware and software exploits to break into your equipment. So they realized, oh, social engineering— if I ask you for your password, I don't care if you're on an Apple, a Chromebook, or a Windows machine, it works.
CAROLE THERIAULT. Do you think that social networking and the advent of more digital communication made it a, made it a hole-in-one that social engineering would take over in this front?
UNKNOWN. Yeah. Yeah. I think that's a very astute thing, right? We all got used to, you know, connecting with each other more rapidly. When an attacker had to do something physically, let's say even like going back to the RFID crime, one of the reasons the RFID crime doesn't really work is that the attacker has to be in public and he has to be around you and he'd be captured on CCTV cameras. And he takes physical risk, and he's gonna actually get far less money. But a virtual attacker can buy the credit cards by the millions on the internet for $2 to $5 apiece, get a lot more money, a lot more likely to be successful, and almost no chance of being caught. You literally have to be a stupid criminal to rob somebody in public when you can be a very rich criminal living on your island or in your town with almost no possibility of getting caught. So all the gangs, right? All the gangs have gone corporate. And the reason why they did is they're like, wow, we, you know, we were actually just hitting people up for money on the street and the storefronts and doing prostitution and drugs. Well, we can do it through the darkweb and, you know, and we can extort people using ransomware. Like, you know, this— these ransomware gangs are making $25, $40 million in a single haul, right?
CAROLE THERIAULT. You know, it's crazy.
UNKNOWN. Yeah, they could have never done that in the physical— Yeah, yeah, you'd have to pick a lot of pockets. But like, let me give you one more example that I've used is that probably the biggest vulnerabilities that were ever announced in my lifetime so far are Meltdown and Spectre. Meltdown and Spectre came out a couple years ago. They were these chip flaws that impacted most of the chips that have been released since 1999. If you had a Windows, Macintosh, Google, whatever machine you had, even you're watching, your cell phone probably had this Meltdown and Spectre flaw in it. And if you didn't patch it, there was no way to stop a compromise that was against it. When they announced the Meltdown and Spectre flaws, they actually showed them conducting an attack. And not only could you not stop it by anything your operating system had or firewalls or antivirus, but it wouldn't even show up in your event logs. I mean, it was like this perfect crime. So I was sitting at a law office in New Orleans, but I said, listen, I don't think you need to patch Meltdown and Spectre. And they said, why? I said, well, there's not been an attack in the wild. And one of the greatest indicators of whether something's going to be abused, if someone's actually using it. And for one of the few times in my career, the person became dissatisfied with me. In this case, they actually stopped when I was talking and walked me out of the building. And the guy said, listen, you know, I'm trying to convince my board of direc— he was the CISO. He was like, I'm trying to convince my board of directors that we need to hurry up and patch these Meltdown and Spectre vulnerabilities. They're super high risk and blah blah blah blah blah. Thank you, Roger, I think you're a great guy, but you just, you're making my job harder. And he walked me out. He ended up getting his board approval a couple of days later. He applied the patches. It locked up all of his Windows machines, blue screened them, all of them, and it decreased the performance of his Linux machines by over 60%. And here, two or three years later, there has not, as far as I know, been a single real-world attack using Meltdown and Spectre.
CAROLE THERIAULT. Yeah. On KnowBe4's website, you have a free phishing test. Do you think this is something that organizations should be doing?
UNKNOWN. Most organizations, because they're trying to do 20 things right at once or 200 things right at once, don't realize how easy it is for their employees to get socially engineered. We frequently hear people go, well, we've probably got a couple of people that might do it. And then the average organization that runs that free phishing test to get what's called a baseline test finds out somewhere on the average, the average customer we have come to us when they do that first phishing test has about a 38% click rate, what we call a phish-prone rate. So over a third of the people in the organization have, let's say, clicked on a phish that when they looked at it, you think the IT person's like, "Any reasonable person would not have clicked on that." But turns out all kinds of people do. And so you just, no matter how good your policies and your technical defenses are, some amount of phishing and badness will get to your end users. So you train them how to recognize and be suspicious of certain types of traits, things telling them to open unexpected emails, you know, asking to open documents or click on links or things like that, or weird email addresses. So you teach them just to look for the basics. It's like teaching your 2 or 3-year-old look right and left before you go across the street, and you have to do that for a while, and then pretty soon that kid is looking right and left before you ask them to do it. That's what we're trying to do, is create this healthy culture of skepticism where people just get, uh, they get a little skeptical of certain things. Customers that do do that, so they do the training and they do simulated phishing at least once a month, uh, they will decrease their phish-prone rate from about 37-38% to below 5% in less than a year. And since social engineering is involved in 70 to 90% of all attacks. It is the number one thing you can do to significantly decrease cybersecurity risk in your organization. I don't even have to guess. I've watched it for over 30 years.
CAROLE THERIAULT. Guys, you've heard Roger Grimes. You should try this for yourself. You can at knowbe4.com/freetest. Roger, thank you so much for coming on. You are such a pleasure to speak with.
UNKNOWN. Thank you, Carole Theriault. Thank you. Appreciate it. Thanks, everybody, for listening to us.
GRAHAM CLULEY. How about that then? Well, that just about wraps it up for this week. Andy, I'm sure lots of our listeners would love to follow you online or get in touch or find out what you're up to. What's the best way for folks to do that?
ANDREW AGNÊS. The best way, probably just drop me a message, 0780 958 3134.
GRAHAM CLULEY. Sorry.
ANDREW AGNÊS. Or listen to the Host Unknown podcast, but either way will work.
CAROLE THERIAULT. I have a feeling that might not have been his own phone number. I have a feeling we might have to censor one of the two of those numbers.
ANDREW AGNÊS. I swear, call that number now and I will answer it. I guarantee.
CAROLE THERIAULT. Like I remember what you said.
ANDREW AGNÊS. Okay.
CAROLE THERIAULT. I will check tomorrow when I'm editing, I'll check.
GRAHAM CLULEY. And you can follow us on Twitter at Smashing Security, no G, Twitter didn't allow us to have a G. Of course on Reddit, check out the Smashing Security subreddit and don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Spotify, Pocket Casts, and Google Podcasts.
CAROLE THERIAULT. And huge, huge, huge thank you to this episode's sponsors, 1Password, JumpCloud, and KnowBe4, and to our wonderful Patreon community. It's thanks to all of them the show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 232 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
ANDREW AGNÊS. Bye-bye.
CAROLE THERIAULT. Um, there we go, Andy. Baptism of fire.
ANDREW AGNÊS. That was fantastic. You know what, I just— it's like going to a live show. When you're used to sitting on the sidelines and, you know, listening to it or watching it and you're actually there and it's like, wow, it's just so different.
CAROLE THERIAULT. What are you saying? We're shit?
GRAHAM CLULEY. It's so much better when you hear it on record.
ANDREW AGNÊS. No.
CAROLE THERIAULT. Hey everybody, Carole here. And we're going to do things a little bit differently today. I'm going to read this week's star review, and then we're going to discuss the content of it. So the title is, "What a pair of idiots." Smiley face, smiley face. Quote, "I like Smashing Security a lot. It's like listening to a well-informed, funny, long-married couple people bickering about something that interests you. I have to say I like Carole more. Or Graham. Eff it. You can both stew over whom you like, but carry on with the great work. Signed, LaBar." Well, LaBar, let me tell you what I love about this. I love the 5 stars. I love the smiley faces. I love that you put my name first. But idiots? I mean, I get idiot. One of us might be slightly subpar.
ANDREW AGNÊS. I don't know.
CAROLE THERIAULT. But definitely no S there, right? That was probably a typo. Anyway, LaBar, thanks so much. It's a great review, and it made me laugh, something that Graham consistently fails to do. All right, guys, keep them coming. See you next week.
-- TRANSCRIPT ENDS --