A Walmart press release says it's jumping aboard the cryptocurrency bus - but is it true? Theranos's Elizabeth Holmes goes on trial, and have you updated your Apple gadgets to protect against the latest NSO Group spyware attack?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.
Visit https://www.smashingsecurity.com/243 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Thom Langford.
Sponsored By:
- 1Password: Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company’s security, combat shadow IT, and help your employees stay both productive and secure, wherever they are.
- 1Password makes the secure thing to do the easiest thing to do.
- Instant control, effortless management. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise. Provision employees using trusted systems, respond quickly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security.
- Find out more and try 1Password free for 14 days at 1Password.com
- Attivo Networks: It’s time to get serious about preventing and detecting credential abuse, privilege escalation, and entitlement exposures.
- Attivo Networks gives you visibility on identity exposures, vulnerabilities, and attack paths from endpoints to Active Directory to the cloud - all while creating an active defense, delaying and derailing attacks, empowering the defender and eliminating an attacker's advantage.
- Learn more and kick credential attacks to the curb, by visiting attivonetworks.com
Links:
- Fake Walmart news release claimed it would accept cryptocurrency — BBC News.
- Alerts and story on Walmart to accept Litecoin payments withdrawn — Reuters.
- NOTICE TO DISREGARD - Walmart Inc. — Globe Newswire
- Walmart Statement in Response to Fake Litecoin Press Release — Walmart.
- Litecoin Foundation ‘Screwed Up,’ Lee Says of Walmart Snafu — Bloomberg.
- Walmart-Litecoin Pact Hoax Jolts Crypto Market — YouTube.
- Official statement from Litecoin Foundation — Twitter.
- Apple rushes to block 'zero-click' iPhone spyware — BBC News.
- Pegasus: Spyware sold to governments 'targets activists' — BBC News.
- Smashing Security #237: NuNa, NuNu, NaNa — Podcast episode where we previously discussed NSO Group's activities.
- The rise and fall of Theranos: so many lessons in a drop of blood — The Conversation.
- Theranos Didn’t Just Harm Investors — Bloomberg.
- Theranos founder Elizabeth Holmes 'lied and cheated', trial hears — BBC News.
- Theranos Founder Elizabeth Holmes Is on Trial. Silicon Valley Is Watching — Wired.
- #susanalbumparty: The ad campaigns that accidentally (or not) launched filthy hashtags — BBC.
- Bad Blood: The Final Chapter — Apple Podcasts.
- "The Trip" trailer — YouTube.
- TraffickCam.
- 101 Great Cuss/Swear Word Alternatives — WeHaveKids.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. She claims that at age 9, she created very detailed drawings of a time machine. Now, you guys are both parents.
THOM LANGFORD. So did I.
CAROLE THERIAULT. You guys are both parents, right? Does that indicate genius to you? Is that a sign?
GRAHAM CLULEY. No, just means you've drawn a police box or something.
THOM LANGFORD. I mean, what is that? Yeah, exactly. Exactly, yeah.
GRAHAM CLULEY. What do you mean, very detailed drawings of a time machine?
CAROLE THERIAULT. I told my husband this and he looked at me completely nonplussed and said he and his brother made a full-size TARDIS console out of cereal boxes at age 9, so she could fuck off.
UNKNOWN. Smashing Security, episode 243: Breaking News, Apple Zero Clicks, and Bad Blood with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 243. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined this week by a special guest. It is Thom Langford.
CAROLE THERIAULT. Is he that special?
THOM LANGFORD. He is, apparently.
CAROLE THERIAULT. He thinks he is.
THOM LANGFORD. He keeps coming back. It's like, you know—
GRAHAM CLULEY. Like gonorrhea.
THOM LANGFORD. Yeah, well, when I was born, they broke the mould and unfortunately it keeps going back.
CAROLE THERIAULT. You know, it's a bit like friends with benefits, right?
GRAHAM CLULEY. I hope not.
THOM LANGFORD. What time should I pop over, folks? Yeah.
CAROLE THERIAULT. I'm just saying, you just call on Thom when you're a little bit bored and you're like, oh God, I need another show. Again.
THOM LANGFORD. Yeah, I always deliver, always deliver the goods.
CAROLE THERIAULT. We'll see.
THOM LANGFORD. On time, on budget.
CAROLE THERIAULT. And let's thank this week's glorious sponsors, Attivo Networks and 1Password. It's their support that helps us give you this show for free. Coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I've got some industry news.
CAROLE THERIAULT. Okay, Thom, what about you?
THOM LANGFORD. Uh, I've got a story that you'll give zero clicks about, and I'm going to natter about a high-tech startup that had a tech scandal.
CAROLE THERIAULT. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Well, chums, chums, it's that time of the show where we head over to our news sources over at the Supermarket PA Newswire, who've been very busy bringing us the latest and greatest supermarket news from around the world.
CAROLE THERIAULT. Industry news, um, all new Waitrose deliveries and in-store collections will be bagless, eliminating an estimated 40 million plastic bags per year.
GRAHAM CLULEY. Industry news. Tesco cherry lovers in for a treat after UK tropical weather creates huge crop flush. Industry news.
THOM LANGFORD. Coffee just got a latte better. Sainsbury's makes it easier than ever to recycle aluminium— aluminium for our friends— coffee pods at home.
GRAHAM CLULEY. Industry news.
CAROLE THERIAULT. Walmart announces major partnership with Litecoin. What?
GRAHAM CLULEY. Industry news. And that was this week's Industry News.
THOM LANGFORD. Tell you what, it's like being in the room.
GRAHAM CLULEY. Now, some fascinating topics there, uh, brought to us by our US correspondent.
THOM LANGFORD. Huge if true.
GRAHAM CLULEY. Huge if true. One of them which caught my eye was this news from Walmart. Walmart, of course, uh, I think many Brits may not be that familiar with them, but certainly in the States, they're a bit big, aren't they? They grow in North America. Do you have them in Canada?
CAROLE THERIAULT. Uh, they're huge. They're huge. They own ASDA.
THOM LANGFORD. I was going to say, aren't they?
GRAHAM CLULEY. Yeah.
THOM LANGFORD. Yeah. Okay.
GRAHAM CLULEY. Well, they are by far the largest food retailer in the States, big grocery chain. And they issued a press release this week saying that they would accept the litecoin cryptocurrency as payment at its retail stores from 1st of October. Huge cryptocurrency news.
CAROLE THERIAULT. I can't believe it.
THOM LANGFORD. And also that, that well-known cryptocurrency Litecoin. I think even Dogecoin is more known than Litecoin.
CAROLE THERIAULT. Yeah, which one of their customers? Who's all the— who are all the Litecoin users where they think this is a useful—
GRAHAM CLULEY. yeah, well, you know, everyone's going to be getting Litecoin now if Walmart are using it, and I would imagine lots of people are getting terribly excited.
THOM LANGFORD. Oh, and I see where you might be going with this as a result.
GRAHAM CLULEY. Well, this is why it is terrible, is because if it was true, this would be huge news, but it is not. True. Shock.
CAROLE THERIAULT. Okay, so someone who's listened to the show for what, 4 minutes have we been live now, and decided they had to go for a poo and didn't want to take their phone with them or didn't have their Home Assistant in their bathroom will think this is true. Well, you buried the headline.
GRAHAM CLULEY. Huge but not true.
THOM LANGFORD. So by Home Assistant, do you mean Butler?
GRAHAM CLULEY. It is fake news, everybody. This big news about this partnership between Walmart and Litecoin was announced on Globe Newswire. They are a news agency. They're not some new kid on the block. They've been around since the late 1990s. So it's a respected newswire like the PA Supermarket Newswire, like PR Newswire, like all those other newswires who are out there. And this, this news release, which appeared to come from Walmart, was picked up by the likes of Reuters, CNBC and others, and it was even tweeted out by Litecoin itself after they saw news about their digital currency reported by Reuters.
THOM LANGFORD. So, so all of these established companies just re-released this information without any kind of fact-checking.
GRAHAM CLULEY. Including one of the organizations which was actually being referred to in the press release.
THOM LANGFORD. So it was about them partnering with Walmart. Well, I mean, I can understand that. I mean, who knows with some of these crypto companies, right?
CAROLE THERIAULT. Well, look, at the time of recording, Graham, Apple's making some announcements, right? And what if an announcement came out, a tweet came out saying, hey, and the next iPhone is going to feature a Graham Cluley etching on the back of the phone. This is very exciting. Would you retweet it?
THOM LANGFORD. Oh, it could match the one on the ceiling of my bed.
CAROLE THERIAULT. Whether you thought it was true or not, would you retweet it? We know the answer.
GRAHAM CLULEY. I'm slightly more disturbed by what Thom's just said. Well, no, of course I wouldn't, because I wouldn't believe it was true. No, I would not.
CAROLE THERIAULT. You would retweet it going, look at this, guys, smiley face, smiley face.
THOM LANGFORD. It would match your blue tick on Twitter.
GRAHAM CLULEY. Now listen, listen, you chumps. Listen, you scallies. What do you think happens when news like this comes out about a cryptocurrency teaming up with the world's largest grocery chain?
THOM LANGFORD. Um, I guess they get a lot of visits and a lot of purchases of Litecoin, perhaps.
GRAHAM CLULEY. Exactly. People buy Litecoin thinking, well, that's got to be good news for Litecoin, that's going to increase adoption of that cryptocurrency, I'm going to move my investment into Litecoin.
CAROLE THERIAULT. I can get plastic pools and furniture and food for life, right, if that climbs up in value.
THOM LANGFORD. Unethically sourced food. I'm happy to pay for that with cryptocurrency.
GRAHAM CLULEY. Well, we're all used to cryptocurrency prices being volatile. The value can rocket to the moon at lunchtime, tumble back to earth within a few hours, up and down, up and down, up and down.
CAROLE THERIAULT. So much like a roller coaster.
GRAHAM CLULEY. The price of litecoin jumped from £125 per token to £170 in a very short period of time. Yeah, an increase— I don't know if either of you are any good at percentages— an increase of 40? Oh, close. I'm very impressed, Thom. 36%. 36%.
CAROLE THERIAULT. It's kind of meh.
GRAHAM CLULEY. Not a bad profit.
CAROLE THERIAULT. Yeah, but, you know, I don't know.
THOM LANGFORD. Well, I mean, if you're responsible for that story and you time it right, you're making 36% free money.
GRAHAM CLULEY. Yeah, exactly.
THOM LANGFORD. That's the point, isn't it? It's like, it's like the bank that made an announcement that they had been breached. Or a financial institution, their stock price fell dramatically. By the time the bank had realized that actually the announcement was not made by them, the attackers who did make the original announcement had bought their stock, then announced that they weren't breached and that it was an attack and they should ignore it. The stock went up and then they sold it.
CAROLE THERIAULT. Yeah, like a little pump and dump, but with a modern twist.
THOM LANGFORD. They did that all before the bank itself or financial institution itself could actually respond themselves.
GRAHAM CLULEY. Well, that's really interesting, isn't it? Because of course we see all these ransomware gangs who announce their victims. They could potentially, because they run websites where they announce, you know, who's been caught and some of the media are closely following those. They could announce that a company has been hit by ransomware when it hasn't and make money on the stock market, couldn't they?
THOM LANGFORD. Yeah.
GRAHAM CLULEY. Very sneaky. Well, CNBC were amongst the media that reported the news before verifying that it was true. It's only when they contacted Walmart's press office asking if anyone could come on and talk about the new partnership that they discovered it was nonsense, and Walmart confirmed that they had no relationship with Litecoin whatsoever.
THOM LANGFORD. So what they did was they ran the story and then phoned Walmart?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Well, no, because they, they want to double down, right? They've written a story that had gotten lots of clicks. So they wanted to do a, you know, a little interview, and that's where it all fell apart, I bet.
GRAHAM CLULEY. And, and, you know, it appeared to be a press release put out through an official channel from Walmart, so most people will take that at face value. I mean, Litecoin believed it.
THOM LANGFORD. Yes.
CAROLE THERIAULT. So, you know, I wonder how many algorithms actually purchased Litecoin based on that news. Yeah, not people.
THOM LANGFORD. Yeah, that's absolutely a possibility because they would just see a shift in, in purchase, in buying trends, wouldn't they? Yeah, the algorithm, and then join in or decide not whatever to do.
GRAHAM CLULEY. Well, some people took to Twitter to say that they'd invested in Litecoin upon hearing the news, only to then see the price tumble down again, leaving them out of pocket. So they're not very happy. And like you said earlier, this is a pump and dump scam. Where the share price has been artificially inflated through fake news. It's the kind of scam that John McAfee was accused of perpetrating, um, where he was sort of promoting cryptocurrencies and it was said he was doing it for his own financial gain. Uh, but the question is, who— is it possible to determine who was responsible for this one? I don't think it was John McAfee for obvious reasons.
CAROLE THERIAULT. Um, whoever put out the freaking press release, right?
THOM LANGFORD. Yeah, but through the company, the—
GRAHAM CLULEY. Through Globe Newswire.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. If I leave my car door unlocked and someone steals it, is it my fault?
GRAHAM CLULEY. Yeah, but I don't think necessarily, Carole, it was the case that the bad guys broke into Walmart's app.
CAROLE THERIAULT. I didn't say that either. But it definitely wasn't— I'm saying it wasn't Walmart that put out the press release. No. Right? And it may be some insecurity on their side or on a supplier side somewhere they were able to inject that message in and get it to be read as though it was Walmart's. And everyone just gobbled it up because that's always the way it has been until now, right?
THOM LANGFORD. Did Globe Newswire say they take security seriously?
GRAHAM CLULEY. They say that they are improving their security. They said a fraudulent user account was used to issue an illegitimate press release, and they say this has never happened before, and they are adding some additional authentication.
CAROLE THERIAULT. I'm thinking ex-employee, ex-employee, ex-PR. Firm, somebody?
GRAHAM CLULEY. I think it just may have been anyone just created an account at Globe Newswire.
CAROLE THERIAULT. Oh, really?
GRAHAM CLULEY. And, uh, posted it out under Walmart's name, which suggests they don't have enough checks in place to verify that people are associated with the company. Now, one conspiracy theory would have it that Litecoin itself might be behind this, right? And, uh, Charlie Lee, who is the founder of Litecoin and its head honcho, he went on TV. He was being quizzed about it. He admitted that they completely screwed up. By doing the retweet, obviously, which didn't really help matters, did it? But he says one of the reasons he's confident that it wasn't them is he says he currently only owns about 20 Litecoin tokens. So he said, well, I wouldn't be making much out of it now. And so he didn't have much incentive for the fake news to come out. Now, if the founder of a cryptocurrency only has 20 tokens himself, not much of a vote of confidence, is it? No, not really.
THOM LANGFORD. Well, you know, I kind of think this might work, but just in case, I'm not going to bet the house on it.
CAROLE THERIAULT. Just the world's going to— the world's burning in front of us here. Okay.
GRAHAM CLULEY. So there's one clue that Joe Tidy picked up on, on the BBC News report about this incident, which is that a press contact email address, which was included in the press release, pointed to a web domain which had only been registered a few weeks ago.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And emails to that address bounced as undeliverable. But that's something clearly which Globe Newswire could have checked to see whether, you know, any email addresses and things that—
THOM LANGFORD. You have services that do that for you. Yeah. And whether or not they've got Cyrillic characters in them and all that sort of stuff. There's plenty of, plenty of companies. I mean, there's about 3 or 4 main ones, but plenty of companies that will do that, you know, automatically.
GRAHAM CLULEY. Homoglyphs, you can look out for those as well.
THOM LANGFORD. Yeah.
GRAHAM CLULEY. All those sort of things. Please, Carole, don't snigger at the word. And anyway, so Globe Newswire clearly to my mind didn't have enough security in place. They weren't properly verifying that people were who they claimed to be. But also the media sort of let the site down as well, I think.
THOM LANGFORD. But you say that about Globe Newswire. Has it been confirmed it has actually come from inside their own domain, or was it a copycat domain with an email or something coming from—
CAROLE THERIAULT. Yeah, Graham?
GRAHAM CLULEY. It was posted on Globe Newswire's own website, so it really did appear on their website, and Globe Newswire have printed a sort of 'please disregard the previous press release,' as have the others as well. We'll put links to the show notes where you can see everyone sort of panicking and saying, 'We didn't mean that.' Reuters published a retraction as well, so everyone's now saying, 'Look, this definitely was fake,' but of course people have been left out of pocket. And somebody, I suspect, might have made an awful lot of cash, or at least Litecoin, out of it.
CAROLE THERIAULT. Yeah. Well, 36% increase. Yeah.
GRAHAM CLULEY. Carole, that is a lot.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. That's £3.60 on £10, that is.
CAROLE THERIAULT. Yeah, exactly.
GRAHAM CLULEY. Very good, Thom. I'm impressed.
THOM LANGFORD. Or £7.20 on your 20 Litecoin.
GRAHAM CLULEY. Maths GCSE.
CAROLE THERIAULT. Thom, save your brain. You got to do your story next.
THOM LANGFORD. Oh my God.
GRAHAM CLULEY. Thom, what's your story for us this week?
THOM LANGFORD. So just before I joined this lovely podcast, I was watching the Apple announcements of the Apple event, you know, of its new products.
CAROLE THERIAULT. You might be.
THOM LANGFORD. Absolutely. Of course I was. I was watching it while cooking dinner. My dinner, while slightly burnt, was very delicious.
CAROLE THERIAULT. But as a result of watching it, of course, we want to know what you ate now.
THOM LANGFORD. We want to know. Toast? It was lovely. It was a chicken and plum hoisin noodle stir-fry. It was lovely. Very good. Anyway, that's not my topic, believe it or not. So I was watching that, but my topic is about Apple because today my work laptop was rudely rebooted for me, almost literally in front of my eyes, because Apple had rushed to block a zero-click iPhone spyware. And when you dig into this, you see that actually this is a story that has been running for a while, actually. Now, zero-click spyware is where you quite literally don't do anything apart from receive a file in an email or a message or iMessage or something like that. And the mere presence of that file, and I think in this case it was a malicious PDF, actually allows your iPhone or your device to be snooped upon. Now, interestingly, this vulnerability was discovered and exploited by a company called NSO Group, which has been described as hackers for hire or hackers to the highest bidder. So effectively, I guess they're like mercenaries in the hacking community. They were employed, and I don't know by who, but they were employed to snoop on a specific person in a different country, and they used this particular vulnerability. And then the people who had paid NSO Group then exploited it further and started to spy on journalists and all that sort of thing. In fact, I think you may have covered this a few weeks back.
GRAHAM CLULEY. We have talked about the NSO Group before. Yeah, they do all kinds of nasty things.
THOM LANGFORD. Dodgy stuff. Yeah, that's right. And literally to the highest bidder, which is normally some, you know, as you said, nasty, nasty government. And this is another one. So because there is no protection against this, or very little protection, I should say, Apple released patches very, very quickly. And as I say, they were pushed down to probably a lot of corporates today with very little announcement and time. And, you know, certainly not a Patch Tuesday, but a Patch Now job.
CAROLE THERIAULT. Patch right effing now.
THOM LANGFORD. Yeah, that's right. That's right. I think what gets me is where is the legality of groups like NSO in this sphere? Because the industry relies on security researchers without a shadow of a doubt, you know, for bug bounties and actually finding the vulnerabilities in the first place. And one could argue that NSO Group is simply security researchers who are monetizing their research for the highest bidder. But the problem, of course, is that it actually creates problems for most people, for everybody else in the world as a result, because all of these vulnerabilities get weaponized, they get found and, you know, and put into use in the real world. I mean, the reality is, of course, unless you're famous, you know, a prince or a diplomat or someone in a senior government position, you're very unlikely to be targeted with this. But it's still out there. It's still out there in the wild. And so I— it just concerns me that organizations like the NSO Group exist and profiteer from this and are actually, to be blunt, making the world a worse place as a result.
GRAHAM CLULEY. Yeah, we were speaking, I think, a couple of months ago about NSO Group with the Pegasus spy software, which they've been using to target smartphones of journalists, activists, political leaders.
THOM LANGFORD. Yeah, yeah.
GRAHAM CLULEY. I mean, they claim that they only deal with legitimate governments and sort of trusted intelligence agencies, but—
THOM LANGFORD. But that was debunked very quickly, wasn't it?
GRAHAM CLULEY. It does seem that these tools fall into the wrong hands regardless, doesn't it?
THOM LANGFORD. Yeah. Didn't I see a whole bunch of tweets about some hardware that this NSO Group sell only to legitimate governments, etc., that, oh look, look what I found in a field. Here's a piece of hardware. You know, oh, it's from the NSO Group. How did I get hold of this? Obviously just making fun of the fact that they were able to get hold of this thing and they're not a government or a, you know, an agency or whatever.
CAROLE THERIAULT. No, and they help to breed the paranoia that people have already with devices, right? Like we're kind of now so intertwined, it's like our heroin technology, right? I don't know if anyone on the planet can imagine living without a mobile phone or a computer or whatever.
THOM LANGFORD. You know, like I say, it's, you know, security research is very, very useful and it's almost like when you go far enough around the spectrum, a security researcher just suddenly becomes somebody who almost legitimately breaks the law for their own profit, regardless of what it is that actually the impact it has.
GRAHAM CLULEY. So what do you want to see done, Thom?
CAROLE THERIAULT. Ooh, yeah, Master Thom.
THOM LANGFORD. I would like to see some clarity. I'd like to start a global discourse on actually where is the NSO, because I'm seeing lots of stuff on Twitter, for instance, you know, fuck NSO Group and all that sort of stuff. But is that the right— are we being outraged?
GRAHAM CLULEY. You want to see a global discourse. What are you suggesting? Is that everyone gets on WhatsApp or something and starts talking about this, all these governments?
THOM LANGFORD. Well, hopefully not my WhatsApp because I don't think I'd cope. But, you know, links in the show notes.
GRAHAM CLULEY. But what happens if they start sending PDF files to each other?
THOM LANGFORD. Well, exactly. I mean, there we are. It's just, you know, we're damned if we do and damned if we don't. But no, I think actually understanding the legality of where they sit on this and actually, is this sort of ire that is being directed at NSO, is it valid? Are NSO actually doing something perfectly legal and perfectly valid for our security industry? Or are we just grabbing the torches and pitchforks to go after the nearest bad person?
GRAHAM CLULEY. Well, if they're not reporting these vulnerabilities to Apple directly, then I would argue that they're not really helping most of us, are they? Yeah, and I'm not sure.
THOM LANGFORD. No, exactly. I'm not sure that they are, but.
GRAHAM CLULEY. No.
THOM LANGFORD. Some might say it's still research. It's just that they use it first.
GRAHAM CLULEY. Hmm.
THOM LANGFORD. Hmm.
CAROLE THERIAULT. Okay, Marge Simpson.
GRAHAM CLULEY. So in that— so in the meantime, everyone needs to patch just like you've patched today and your laptop's been rebooting and—
THOM LANGFORD. Absolutely rebooting. And that's across macOS and iOS.
CAROLE THERIAULT. Everything with a little apple with a bite taken out of it.
THOM LANGFORD. Yeah, exactly. Exactly. Your TV, your watch, your little network device. Urses, everything, just in case.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, I'm going to cheer us up.
GRAHAM CLULEY. Finally.
CAROLE THERIAULT. So Theranos, not Theranus, but Theranos, okay?
GRAHAM CLULEY. Sorry?
CAROLE THERIAULT. It's not Theranos. Theranos.
GRAHAM CLULEY. Theranos.
CAROLE THERIAULT. The-anos.
GRAHAM CLULEY. The blood people. Smashing Security. The blood testing bit. Yeah.
CAROLE THERIAULT. So, I'm going to talk about that today because it's fascinating. And I'm going to try and weave in some cybersecurity, okay? Try to find a few angles that will make it tie tangentially to the show, but it's just too fascinating to not do. And it's all about tech. So, apparently the name is made up of two words, a coinage, if you will. Can you guess what they might be?
THOM LANGFORD. Something and -itis.
GRAHAM CLULEY. Thermos phalloscopiuritis? Is that what it is? Is that how they collect the blood? Theranos.
THOM LANGFORD. I have no idea.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. Therapy and diagnosis.
GRAHAM CLULEY. That is rubbish.
CAROLE THERIAULT. Rubbish! Isn't it rubbish?
THOM LANGFORD. Therapeutic diagnosis.
CAROLE THERIAULT. Before it was changed to Theranos, it was called Real-Time Cures. And I think one of the reasons they may have changed their name is because there was a typo that went out once. And can you guess what it read? Real-Time Curses.
GRAHAM CLULEY. I know. Alas, that's a bit like Susan Boyle's album.
THOM LANGFORD. Yeah, that was brilliant.
GRAHAM CLULEY. Susan Boyle's album.
THOM LANGFORD. That was brilliant.
GRAHAM CLULEY. Theranos.
CAROLE THERIAULT. Theranos, people, not Susan Boyle. Theranos exists no more. And since August 31st, right, just a few weeks ago, the founder, Elizabeth Holmes, has found herself in federal court fighting off 12 fraud charges. And if found guilty, facing 20 years in the clink and possibly a $2.7 million fine. So, not, you know, big, big stakes here. We're gonna go through this story very quickly, okay? I'm just gonna give the highlights of the Elizabeth Holmes story, 'cause I've been totally drinking it like Kool-Aid.
GRAHAM CLULEY. Give us the how, what, where, when, whatever.
CAROLE THERIAULT. So, she's a straight-A kid, strong work ethic. She claims that at age 9, she created very detailed drawings of atomic bombs. Time machine. Now, you guys are both parents. You guys are both parents, right? Does that indicate genius to you? Is that a sign?
GRAHAM CLULEY. No, just means you've drawn a police box or something.
THOM LANGFORD. I mean, yeah, exactly, exactly.
GRAHAM CLULEY. Yeah, what do you mean, very detailed drawings of a time machine?
CAROLE THERIAULT. I told my husband this and he looked at me completely nonplussed and said he and his brother made a full-size TARDIS console out of cereal boxes at age 9 so she could fuck off anyway. Yeah.
THOM LANGFORD. But she was touted as the next Steve Jobs at one point, I think, wasn't she?
CAROLE THERIAULT. Yes. Yeah. She's driven. She even learns Mandarin. And she decides she wants to go into medicine, but she discovers that she's terrified of needles, which later influences her wanting to start this company, Theranos, right? And Theranos's raison d'être— that's French, Graham.
GRAHAM CLULEY. I know.
CAROLE THERIAULT. On the idea that it could run blood tests using their own tech that required only a finger prick. Finger pinprick and a small amount of blood, like a few drops. And Olivia said the test would be able to detect medical conditions like cancer or, you know, high cholesterol or even miscarriages, pregnancy, heart problems.
GRAHAM CLULEY. And they can do all this just from like a single drop of blood rather than have to take multiple samples, right?
CAROLE THERIAULT. Because people are terrified of needles. Needles are complicated. You have to put them away safely. People can get hurt, all the stuff. But the thing was, is Elizabeth needed some big bucks to pull off this medical marvel. She had to get her act together. She had to make herself memorable. And her approach, Thom, she put on the black turtleneck à la Steve Jobs. That's also French.
THOM LANGFORD. Great.
GRAHAM CLULEY. Is the black turtleneck, is that a euphemism for something? What does black turtleneck mean?
THOM LANGFORD. She wasn't trying to pretend to be Sterling Archer.
CAROLE THERIAULT. Apparently, she loves Steve Jobs. She even decorated her office à la Steve Jobs. She never took holidays à la Steve Jobs, and reportedly lowered her voice from its natural timbre to have more gravitas.
GRAHAM CLULEY. Like Margaret Thatcher.
CAROLE THERIAULT. Did she do that?
THOM LANGFORD. Yeah.
GRAHAM CLULEY. Do you like me more now?
CAROLE THERIAULT. Do you trust me?
GRAHAM CLULEY. Thom, could you just let Carole finish her story before you interrupt?
CAROLE THERIAULT. Whatever she did, investors lapped it up to the tune of hundreds and hundreds of millions and millions and millions. And it's like one gave, then the others followed like millionaire lemmings, right? Like literally, just like the same as your story, Graham. And actually to yours, Thom, too. It's all about people just going, "Oh, if they did it, it must be true. I'll just follow." Yeah.
GRAHAM CLULEY. It's all kind of technical gobbledygook medical stuff, but it sounds really clever and they've put money in, so we better put money in as well, 'cause otherwise we're gonna miss out.
CAROLE THERIAULT. All right. So Graham, I wanna imagine, I want you to imagine I've got this bazillionaire amazing idea and I've just given you the pitch and you have got basically a little, you know, you're— you've got to send me over it. You're just like, I want—
GRAHAM CLULEY. you've dreamt up an idea like, I'm gonna do a podcast about pickles. I'm thinking, that's— that sounds amazing.
THOM LANGFORD. I've got a pickle and it's regularly sticky.
GRAHAM CLULEY. Oh, that is going to make an awful lot of money. I'm thinking, okay, right, exactly, exactly right.
CAROLE THERIAULT. Now I would say to you, um, you never get to know how I make this amazing show. Right? So she never revealed how the technology worked to anyone. Plus, she'd have final say over anything and everything that had to do with the company. But she still wanted people to part with hundreds of millions of pounds. I don't know, man.
THOM LANGFORD. It scares me to death that people say, "Okay, no problem." More fool them, to be honest with you, because I think it's a very compelling business case, but— You can't do a huge amount of analysis on a pinprick of blood.
GRAHAM CLULEY. Yeah, but it's been a breakthrough. That's why it's amazing, Thom.
THOM LANGFORD. Then tell us about the— as investors, and I've seen Silicon Valley. I know how investors work in the Three Comma Club and all that sort of thing. If the fact that they were not insisting that, okay, we need some more information, we need evidence of what you are doing here is actually going to work. You know, or at least if it's not working, that you actually, you know, you've cracked three-quarters of the problem.
CAROLE THERIAULT. Yeah, and she went completely the other way. She's like, you want to come visit the company? You need to sign an NDA before you're allowed in the building, and a security guard's going to follow you everywhere, even the loo.
THOM LANGFORD. That's fine, as long as they give me the information. If I'm gonna, you know, drop up, you know, a metric fuck ton of money onto something like this I understand that there is security at play here. It's understandable. And I also need other independently qualified people who will also sign NDAs and have people watching them go for a poo, actually validate what it is you're saying.
CAROLE THERIAULT. I wish there were more people like you, Thom, because meanwhile, she was making big kick-ass deals, right? Like the ones people mostly just can't even dream about. Capital Blue Cross, Cleveland Clinic signed to offer Theranos tests to all their patients. Walgreens made a deal to open Theranos testing centers in their stores. They also formed a secret partnership with Safeway worth $350 million. And she, during all this, becomes the youngest female billionaire. On paper, anyway. But rumors are starting at this point. So this big brain, right? This big testing thing called Edison, the secret machine that tests the teeny blood samples, right? It's temperamental, like not ready for real-life workhorsing.
GRAHAM CLULEY. Okay, they're still ironing out some of the bugs.
CAROLE THERIAULT. Results were not trustworthy, but you can just imagine it having worked in the corporations before, right? Clearly, like, you know, we're meeting our deadline, we are not shifting the deadline, we are going live on this day, fix it or else. But someone tipped off the Wall Street Journal and reporter John Carreyrou, very hard name to say, Carreyrou, started digging. And he published his investigation into Theranos' struggle with the technology. He found out not only were they not able to give accurate results, that Theranos was actually running its samples through its competitors' blood testing machines.
THOM LANGFORD. That's right. Yeah, I remember. I remember. Yeah.
GRAHAM CLULEY. Hang on. So they got drops of blood, which they said, oh, we'll test these in our amazing machine. But what they actually did was they farmed them out to people doing it the old-fashioned way.
CAROLE THERIAULT. And so you had all these, like, basically sweat labs, people going through and trying to get everything done in time because they had a turnover time that was faster than anybody else. Like a nightmare. And she's, you know, she's still spinning the wheels and bringing in the money and doing like— and she's like a press queen. Like, the press adore her. She's just—
GRAHAM CLULEY. Well, she's got a black turtle neck.
CAROLE THERIAULT. She's got a very deep voice. They love that.
GRAHAM CLULEY. Yeah.
THOM LANGFORD. Sorry, Graham, I didn't mean to interrupt.
CAROLE THERIAULT. Anyway, so this Wall Street Journal article comes out. Holmes does not take it lying down. She goes on CNBC's Mad Money. And she says, "This is what happens when you work to change things. And first they think you're crazy, and then they fight you, and then all of a sudden you change the world." So she'd be fun at a dinner party.
THOM LANGFORD. She wouldn't have time for such frivolities.
CAROLE THERIAULT. Yeah, exactly. She claims she only sleeps 4 hours a night.
THOM LANGFORD. Does she get up an hour before she goes to bed?
CAROLE THERIAULT. Exactly. But things are heating up, right? Because of the rumors. FDA have now been investigating. Wall Street Journal's written their article. Regulators from all kinds of government bodies that oversee laboratories are finding major inaccuracies in the testing of Theranos. And this is all over Walgreens and stuff.
THOM LANGFORD. I've got two words to say to this: due diligence.
CAROLE THERIAULT. People were being told they had cancer when they didn't, right? People were told that they were miscarrying when they weren't. People were told they were pregnant when they weren't.
GRAHAM CLULEY. Right?
CAROLE THERIAULT. Just crazy stuff. Basically, 2018, the federal grand jury charges Holmes, and this is where she is now. She's now newly married because of the pandemic, everything got delayed. She's newly married, she has a 1-month-old baby, and she's facing 12 fraud charges, and if guilty, faces 20 years in the clink.
GRAHAM CLULEY. So, is the argument whether she was deliberately doing this, or is her defense team gonna say that she was just incompetent?
CAROLE THERIAULT. Well, that's very fascinating. I think the argument's gonna be in so far as like, "Well, I had a co-starter with me who was 20 years older than me and I was kind of in love with, and he was very strong-minded and he ran everything." So I promised, like, a little infosecurity here, right? So when the subpoena request went to Theranos saying, "Hey, can you give us the whole lab database data?" Because she always said, "It's in the data," right? Like, "The data speaks for itself. You need to see the data. You need to see all the data in order to make an opinion." So they're like, "Okay, it's the data."
GRAHAM CLULEY. It's the data.
CAROLE THERIAULT. It's the data.
THOM LANGFORD. It's the data.
CAROLE THERIAULT. Give us the data.
GRAHAM CLULEY. Exactly.
THOM LANGFORD. Yeah, like that pillow guy and his proof of election fraud is all in the data.
CAROLE THERIAULT. Right. So a subpoena is sent to them, say, give us your fricking data from your lab so we can just see how crazy all this is. And 2 and a half months later, they do exactly that. They send over an encrypted database with a password. Great, right? Except the database required not one, but two distinct passwords to access the encrypted data. And only one was sent in. So, by the time the guys realize this, they call Theranos and go, "Hey." But Theranos is now defunct. It's now been dismantled. They're like, "Hey, well, we took it all apart. We dismantled the database, and we ate the passwords. And so, how dare you? Because that would have totally vindicated us, right?"
THOM LANGFORD. "All the data that you've now lost, feds." So, yeah, there's a case there for, well, one, for timely investigation of the evidence that he sent to you. But two, also, you know, the criminal use of, "Oh, sorry, I forgot." Have you heard the podcast all about this, Carole?
GRAHAM CLULEY. I listened to it. I think it's called The Dropout.
CAROLE THERIAULT. Yeah, there's The Dropout. There's also Bad Blood, right? Oh, yeah. That was the book written by The Wall Street Journal. And he's now releasing a live one, which I've been following as the court case is unfolding slowly.
GRAHAM CLULEY. So is he live tweeting?
CAROLE THERIAULT. No, he's not live tweeting. He's just giving his kind of views as it's coming closer because he's discovered more things since he's written his book. So there's lots of information. It's just fascinating. And why are we fascinated? Because it's a female leader. Is that why?
GRAHAM CLULEY. With a very deep voice.
THOM LANGFORD. With a very deep voice.
GRAHAM CLULEY. Around 80% of business data breaches result from weak or reused passwords. Using 1Password in your company can close the gaps in your security, combat shadow IT, and help your workers stay both productive and secure wherever they are. With the right tools and the right mindset, you can create a culture with 1Password where your employees feel empowered to share responsibility for security risk management. Everyone needs to be on board, working together to stay protected. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for sponsoring the show.
CAROLE THERIAULT. Listeners, it is time to get serious about preventing and detecting credential abuse, privilege escalation, and entitlement exposures. My friends over at Attivo Networks have tackled this challenge, and I want to share how it works. The Attivo Identity Visibility Bundle finds exposed admin credentials from the endpoint, conducts over 200 continuous checks on Active Directory, and identifies risky entitlement and over-provisioning in cloud environments. The Attivo Identity Detection Bundle cloaks production credentials and AD objects to hide and deny access and deceives tools like Bloodhound, steering the attacker into decoys for threat intelligence gathering. If you want to learn more and kick credential attacks to the curb, go to attivonetworks.com. That's attivonetworks.com. And thanks to Attivo Networks for sponsoring the show.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
THOM LANGFORD. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. My Pick of the Week is something which I have been watching on streaming services. Specifically, I've been watching it on BritBox, but I imagine you can also rent and buy it on other streaming services. It is The Trip with Steve Coogan and Rob Brydon, where they travel across the country, initially the UK, then other European countries, eating food in nice restaurants. Uh, it's like a road movie.
CAROLE THERIAULT. Didn't this come out 2003 or something?
GRAHAM CLULEY. It came out some time ago, but they keep on doing new series of them. So they've gone to—
CAROLE THERIAULT. Oh really? I didn't even know that.
GRAHAM CLULEY. Yeah, they did it in the UK. I think they've done it in Italy. Maybe they've done it in Greece as well. And possibly other places. Um, and it's most amusing. They're sort of playing versions of themselves. Um, and a large part of it is them sort of bantering and doing rival impressions of Michael Caine.
CAROLE THERIAULT. Can I tell you, Graham? You don't know this about me, for real. I can't stand Rob Brydon.
GRAHAM CLULEY. Can I?
THOM LANGFORD. Really? What's wrong with Rob Brydon?
CAROLE THERIAULT. I just find him— I agree that intellectually he's funny.
THOM LANGFORD. Is he a bit too Welsh for you?
CAROLE THERIAULT. No.
GRAHAM CLULEY. Is he a bit too intellectual for you? I love—
THOM LANGFORD. Racist.
CAROLE THERIAULT. Am I?
GRAHAM CLULEY. You are racist. You're just anti-Welsh.
THOM LANGFORD. Whoa.
GRAHAM CLULEY. We've got a lot of listeners in Wales, you know. Can I say for the record, I really think Rob Brydon is funny.
CAROLE THERIAULT. You don't like Piers Morgan. What does that say about you?
GRAHAM CLULEY. I think Rob Brydon is most entertaining and he does amazing impressions.
THOM LANGFORD. Questions.
GRAHAM CLULEY. Must be of Ronnie Corbett.
THOM LANGFORD. Yes, he does. Yeah, yeah, certainly. My God, it's like he's in the room.
CAROLE THERIAULT. So, so, again, I really don't like him. He does that TV show, he does a, um, a series.
GRAHAM CLULEY. Would I Lie to You?
THOM LANGFORD. Yes, that's brilliant.
CAROLE THERIAULT. I love The Panel. I don't— I just—
GRAHAM CLULEY. Bob Mortimer is amazing.
CAROLE THERIAULT. Yes, I agree.
GRAHAM CLULEY. And Rob Brydon holds it all together. He's very, very funny. Well, Kroll, you know, maybe this isn't a pick of the week for you. But I like The Trip and I recommend it and go and check it out. My pick of the week.
CAROLE THERIAULT. Stay away, guys.
GRAHAM CLULEY. Thom, what's your pick of the week? And please don't suck the joy. Well, I won't suck the joy of your pick of the week, unlike Kroll.
THOM LANGFORD. Well, my pick of the week, I think, is a good one. It's a serious one. Not security per se, but a small element of security in there. But it is an app you can download for your phone called TraffickCam. I downloaded this about a month ago when I realized that my travel schedule was about to start up again after 18 months.
CAROLE THERIAULT. Getting the old scooter out.
THOM LANGFORD. Exactly. Exactly. So last week I was in Amsterdam, and we stayed in a couple of different hotels. Now, what this app does is it prompts you to take photos of your hotel room, and you select an icon at the bottom of, say, the bed or the sink or the toilet or, you know, a desk or something, and you take a picture of it and you create this selection, and then you upload them to this TraffickCam app. Now, the purpose of this is to try and curtail, as well as try and ascertain the location of, the, um, sexual trafficking and molesting of children, because much of it is done on the move in hotels, etc. You know, so all the details are in the background and various agencies, Interpol, Europol, etc., they try and— when they come across this material, they try and work out when and where, etc., it happens so they can try and ascertain who the victim is, who the perpetrator is, and all that sort of thing. It starts to build a big picture. So the idea of TraffickCam has been out for about 4 years apparently. I've only just come across it. It is that by crowdsourcing this, and you say, you know, it checks your location and says, okay, I'm in Hilton Amsterdam, which room are you in? Room whatever. And here's a picture of the bed in that room. Here's a picture of the light stand. Here's a picture of the sofa. Here's a picture of the sink, the toilet, the bath, etc. All that gets loaded up and can then be used by the analysts to, you know, pull together and hopefully give them more data in order to capture the perpetrators.
GRAHAM CLULEY. Because in an image of some child sexual abuse, for instance, there may be something in the background like a light fitting which could potentially identify the location and then may even lead to the identification of the perpetrators or the victim.
THOM LANGFORD. Yes, maybe even the location or even the time, because it may have been that those light fittings were replaced this year and were there last year. And so therefore you can sort of try and ascertain a rough period of time, etc., perhaps even, you know, look, look through videotapes. The kind of volume of data this can generate could be very, very useful.
CAROLE THERIAULT. Yeah, I think I would have to rely though on corporate trips to do that because I can't imagine going on my honeymoon or an anniversary and going, just hold on, honey, I'll bring you over the threshold in a minute. I just want to—
THOM LANGFORD. Absolutely. Absolutely.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. You know, it may well warrant you doing your own research on this. There may be other apps out there. And if there are, I'd love to hear about them. But this, from what I can make out from my own research, is, you know, completely legitimate, is providing information. It's part of a larger organization. I'm trying to remember what the name is. I can't remember off the top of my head. It's E-I, I think.
GRAHAM CLULEY. The Exchange Initiative. I'm on the website.
THOM LANGFORD. Exchange Initiative. There you go.
GRAHAM CLULEY. Yeah, I'm on the website at the moment. And it's also been in coordination with George Washington University and Temple University.
THOM LANGFORD. There's probably plenty of others out there, but this is the one I came across. But if there are others, let me know.
GRAHAM CLULEY. And that's TraffickCam. Traffick is with C-K and then cam as in camera, right?
THOM LANGFORD. That's right.
GRAHAM CLULEY. Well, that's very interesting.
THOM LANGFORD. Yeah, not very funny, I'm afraid, but yeah, fascinating.
GRAHAM CLULEY. Well, we're used to that from you, Thom, to be honest. Carole, what's your pick of the week?
CAROLE THERIAULT. It's not a podcast this week, but a webpage. Okay, so it's in the show notes. You can go click on it. And this is a webpage with cuss alternatives. My niece suggested that maybe I had a propensity to be a little bit sweary.
GRAHAM CLULEY. Oh, so these are alternatives to swear words.
CAROLE THERIAULT. Yeah, so she was trying to give me some alternatives and I thought, oh, I'm sure someone's put together a website with alternatives that I can try and learn. So this page came up and I wanted to show it to you guys and ask what the heck some of these meant.
THOM LANGFORD. Gee willikers, Carole, what is this?
GRAHAM CLULEY. Yuck you, Carole.
CAROLE THERIAULT. There's one says go lick a duck.
GRAHAM CLULEY. Oh, friend of the show.
THOM LANGFORD. Well, poo on a stick is all I can say to that. And what about Caesar's goat? No, that's a euphemism.
CAROLE THERIAULT. There's one that says jerk water, which—
THOM LANGFORD. I know. Or you're just behaving like a fart knocker, which as far as I'm concerned is a poo, surely.
GRAHAM CLULEY. Hang on, there's one here which just says Barbara Streisand. That seems rather unfair.
CAROLE THERIAULT. You know what's annoying though is it says cuss alternatives, but it doesn't tell you— like each cuss word has an alternative. A distinct requirement, right? You say certain ones for certain things. And I kind of would like some guidance on when to use this, right? Because I can imagine saying shiitake mushroom in an entirely wrong context.
GRAHAM CLULEY. Thom, stop being such a hobnocker, will you?
THOM LANGFORD. What, have I got my camera on?
CAROLE THERIAULT. Anyway, that's my pick of the week, trying to learn how to cuss less with weird alternatives. This is not a great one, so if anyone has a better one, I'm all ears.
GRAHAM CLULEY. Because you need them, Crow, because basically, I mean, you have got a potty mouth, haven't you?
CAROLE THERIAULT. Yes, I just swear a bit, especially, you know, swear a bit.
THOM LANGFORD. Fudgeberries, that's an understatement.
CAROLE THERIAULT. Good night. That's one too, apparently. Good night.
GRAHAM CLULEY. So, suffering succotash, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
THOM LANGFORD. Oh, Twitter @TomLangford. That's Thom with an H because Twitter would let me have the H. And on my website, ThomLangford.com.
GRAHAM CLULEY. Fabulous. And you can also follow us on Twitter @SmashinSecurity, no G. Twitter doesn't allow us to have a G. And we also have a Smashing Security subreddit. And don't forget to make sure you never miss another episode. Follow Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify and Google Podcasts.
CAROLE THERIAULT. Huge, huge thank you to this week's episode sponsors, Attivo Networks and 1Password, and to our wonderful Patreon community. It's thanks to all of these people that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 242 episodes, check out smashingsecurity.com. Until next time, that's your line.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
THOM LANGFORD. Stay secure, friends.
CAROLE THERIAULT. Whoa, deep tone.
THOM LANGFORD. Stay secure, my friends.
GRAHAM CLULEY. Stopping recording.
-- TRANSCRIPT ENDS --