Boyfriends who are bots, Facebook's checkmark charge, Twitter Blue, and Will Ferrell's taunt of football fans...
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Testing Meta Verified to Help Creators Establish Their Presence - Meta.
- As Twitter forces users to remove text message 2FA, it’s in danger of decreasing security - Graham Cluley.
- A pre-match message from Will Ferrell - QPR Twitter account.
- BBC Takes Down Story About Will Ferrell After Being Fooled By Fake Twitter Account - Deadline.
- Replika CEO Says AI Companions Were Not Meant to Be Horny. Users Aren't Buying It - Vice.
- ‘My AI Is Sexually Harassing Me’: Replika Users Say the Chatbot Has Gotten Way Too Horny - Vice.
- Replika homepage - Replika.
- Click and Drag - xkcd.
- 1110: Click and Drag - Explain xkcd.
- xkcd 1110: Click and Drag map - Zoomable map of “Click and drag”
- Only Murders in the Building - Disney Plus.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn't secure it can't access your cloud apps. It's Zero Trust for Okta. Watch a demo today!
- SecurEnvoy – With growing cyber security threats everyone in your organisation needs multi-factor authentication tailored to their specific access needs and the risk profile of their role. Check out SecurEnvoy’s free guide now.
Support the show:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Are you feeling responsible?
GRAHAM CLULEY. No, I'm not feeling responsible. I don't think it's anything to do with me.
CAROLE THERIAULT. I think you should.
GRAHAM CLULEY. Why should it have anything to do with me?
CAROLE THERIAULT. You were like, oh, it's a badge of honor to get this tick so early on. I feel— and other people were like you going, oh, I'm special, I have a little blue tick.
UNKNOWN. Smashing Security, episode 310, Verified Blue Ransomware, blue ticks, and horny AI chatbots with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 310. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Graham.
GRAHAM CLULEY. Lovely to have you here on the show. Well, it's not really my show to say lovely to have you here, is it? It's oh, hello, you're here, I'm here. It's like we bumped into each other in the kitchen or something like that, isn't it?
CAROLE THERIAULT. The reason he's funneling his words is we don't have a guest today and he doesn't know what to do because we don't have anyone to pick on.
GRAHAM CLULEY. Ah, no guest. But, you know, that can sometimes mean a show with a bit more oomph, a bit more vim, a bit more whizbang. Yeah, something like that.
CAROLE THERIAULT. Fantastic. I look forward to it. How about before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and SecurEnvoy. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY. Well, Crow, I'm going to be verifying you.
CAROLE THERIAULT. I don't like the sound of that at all. And we are going to do a bit of math. Sex plus AI equals what exactly? Well, we'll find out all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Graham Cluley, I've got a question for you. I've got a question for you.
CAROLE THERIAULT. Shoot.
GRAHAM CLULEY. Are you verified?
CAROLE THERIAULT. I don't really know what you mean.
GRAHAM CLULEY. I mean, you know, on social networks these days, on Twitter and— No, nowhere. What, you haven't got a social networking presence at all?
CAROLE THERIAULT. No, I'm sure I do have some sort of presence. I don't go into the murky waters. I don't check it. I've done— Yeah, I don't care.
GRAHAM CLULEY. You don't have somewhere where you post up your poetry, your LiveJournal?
CAROLE THERIAULT. No, not yet. I should have a place to put my art, right?
GRAHAM CLULEY. Yes, you should.
CAROLE THERIAULT. I know.
GRAHAM CLULEY. Other than crow.wtf.
CAROLE THERIAULT. I don't want to. I just think it's a cesspit of shit. But I know there's you know, little glimmers of, you know, you know, rainbows and stuff.
GRAHAM CLULEY. But yeah, you know how people say cloud is just someone else's computer. You should just say social media is just a cesspool of shit. Maybe you could get a little meme going.
CAROLE THERIAULT. T-shirt?
GRAHAM CLULEY. Yeah. Yes. Why not? Sell stickers or something like that. Anyway, of course there are social networks who can offer to verify you. I'm verified on a few sites. So for instance, I'm verified on Mastodon, although that's a sort of self-verification.
CAROLE THERIAULT. I am who I say I am, I promise.
GRAHAM CLULEY. Yeah, well, I, and I link it to my website. So my website, if you trust my website, then it verifies that my account is connected to each other. So, so that works. And on Twitter, I've got the little blue tick mark.
CAROLE THERIAULT. You paying for that?
GRAHAM CLULEY. No, certainly not. In fact, I would pay to have it removed because of course it used to be It used to be a sign of distinction. It used to be a sign that you somehow were being recognized.
CAROLE THERIAULT. I think it means you're— it's a sign that you spent an awful lot of time on Twitter.
GRAHAM CLULEY. Well, yeah, possibly, but Twitter spotted what I was doing and thought, oh yes, we're impressed by him. We'll give him a blue tick. That's in the good old days of Twitter, of course. And now they're selling these blue ticks instead.
But it's not just Twitter. Facebook, I refuse to call them Meta. They're trying to call themselves Meta now, but let's be honest, they're Facebook.
Facebook has made a big announcement because Facebook and Instagram, which until now have been entirely free to use. Well, are they free to use, Carole?
CAROLE THERIAULT. I don't know.
GRAHAM CLULEY. No, they're not free to use. They're not free to use because you are paying with your very soul. Carole, you are paying with your person.
CAROLE THERIAULT. Oh, not on Twitter, not on Twitter, but definitely on— okay.
GRAHAM CLULEY. Yeah. There's a lot more competent data mining going on on Facebook and Instagram and those sort of sites than there is on Twitter, I suspect. So the amount of information which you're uploading to Facebook, and of course we saw the whole Cambridge Analytica debacle occurring, that's one of the ways in which Facebook is making money is through that enormously targeted advertising, whereas no one's really interested in advertising on Twitter anymore unless they're selling things to Nazis.
CAROLE THERIAULT. And that's why they're a little bit ticked off with Apple's new privacy features on the phones, right? Because they have less tracking ability for ads.
GRAHAM CLULEY. That's right. Yeah. Apple, whether you think it's a good thing or not, have been sort of curtailing some of the activity which we've seen before from different websites and different apps as to how much they can track you and putting more control in the hands of the users.
But anyway, Facebook and Instagram, what they've announced this week is they are now going to directly charge users a subscription fee, a monthly subscription fee. Now it is opt-in. You have to choose to want to do this.
It's not compulsory. It's not something which they're going to impose on you if you don't want it. But they are going to say if you want to have a verified account, you are going to have to pay us money.
CAROLE THERIAULT. A question. Are they talking, do you feel, to individuals or are they talking to companies or both?
GRAHAM CLULEY. At this present time, the verification tick which they're going to offer people is only available to people. It's not available right now to brands and businesses.
Now, historically, both people and brands have been able to get themselves verified. Facebook believes that they've proven themselves to be worthy recipients of a blue checkmark. And you had to jump through some hoops and it wasn't an easy process, but now they're saying, well, if you will cough up, and it's a totally reasonable amount of money, it's only $11.99 per month.
If you pay $11.99 per month, or—
CAROLE THERIAULT. It's ridiculous.
GRAHAM CLULEY. If you want to buy it through your smartphone app, it'll only cost you $14.99 per month to get a blue verified tick next to your name. Because of course you're paying the Apple tax as well.
CAROLE THERIAULT. Are you feeling responsible?
GRAHAM CLULEY. No, I'm not feeling responsible. I don't think it's anything to do with me.
CAROLE THERIAULT. I think you should.
GRAHAM CLULEY. Why should it have anything to do with me?
CAROLE THERIAULT. You were like, oh, it's a badge of honor to get this tick so early on, I feel. And other people were like you going, oh, I'm special. I have a little blue tick.
They recognize me as an important contributor to their platform where they hoover up all my information. And now— Look now, now they're charging people.
GRAHAM CLULEY. Now it's been devalued. Thank you very much.
CAROLE THERIAULT. Thank you very much.
GRAHAM CLULEY. Now it's nothing to me. Now it's been devalued. Now I don't want a blue tick because I'm worried people will think that I've paid for it. Now, of course, it's not become a badge of honor. Now it's shame. Shame to have a blue tick. That's what I'd say. Because you're putting money inside Elon's pocket or bloody Mark Zuckerberg's pocket instead.
CAROLE THERIAULT. It's going to be interesting. So how do you think they're going to be able to get the masses to cough up the cash? Do you think they will be able to? They have to add features, right?
GRAHAM CLULEY. I think when they roll this out for businesses as well, then that will be attractive to some brands because of course you don't want your brand to be mimicked and copied by someone pretending to be the real you.
CAROLE THERIAULT. People don't want that now.
GRAHAM CLULEY. Well, yeah, well, I agree. I agree. So they haven't rolled it out for businesses yet, this Meta Verified checkmark, but it is gonna be coming available. You have to be at least 18 years old, and of course you have to submit government ID that matches your name and photograph that you have on Facebook and Instagram. So people are gonna be uploading their passport and driving licenses to Zucky.
CAROLE THERIAULT. To Zucky and friends.
GRAHAM CLULEY. Facebook.
CAROLE THERIAULT. What could— Yeah, I don't even think we need the catchphrase. I think we can just dot, dot, dot. Dot that one.
GRAHAM CLULEY. Yeah, I think they certainly won't abuse it. They certainly, they'll look after it.
CAROLE THERIAULT. They'll look after it.
GRAHAM CLULEY. So, but you ask a very good question. You ask a very good question, which is, what are you gonna get for this? What's the—
CAROLE THERIAULT. Other than a little blue tick.
GRAHAM CLULEY. Yes. Let's not knock that. You will get a blue tick. You'll also get what they call increased visibility. Now that doesn't mean you'll be able to see more. That means that other people will be able to see you more.
CAROLE THERIAULT. Oh, right. So you're appealing to the ego of more spread.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Or not just ego, but business or whatever, notoriety, whatever.
GRAHAM CLULEY. Because Facebook has an algorithm which controls the newsfeed and it's the same thing on Instagram as well. They like to give preference to the people who are paying to boost their posts or advertising on these services. And what they're saying is, well, look, if you get yourself one of our ticks.
CAROLE THERIAULT. Yeah, we'll tick you up. We'll scratch your back. Yeah, we'll just, we'll fuck with the algorithm.
GRAHAM CLULEY. So they're going to meddle with the algorithm so that you appear more prominently to other people. And lots of people want that. Of course, if you're an influencer or if you want your post to be spotted because it's good for business, then maybe you will pay $14.99 per month to get this. Facebook are also going to give you stickers.
CAROLE THERIAULT. That's what we give people.
GRAHAM CLULEY. How dare they? Well, we give our Patreon supporters stickers. That's true. But these are digital stickers.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. So if you— Yeah, yeah, exactly. They're not going to post—
CAROLE THERIAULT. Not old school like us. Not old school cool. All right.
GRAHAM CLULEY. Zuck is not going to be licking envelopes and going down to the post office or anything like that. These are digital stickers. And he's also gonna give you 100 free stars a month to tip other creators. So this is a virtual currency.
CAROLE THERIAULT. Yeah. Reddit has this. Reddit has a similar thing, a tip jar, right? Or kind of coin jars that you donate.
GRAHAM CLULEY. The gold thing. Yeah. Reddit Gold and stuff, don't they? Yeah. And the final thing, which they're dangling, the carrot which they're dangling.
CAROLE THERIAULT. Okay, I'm really excited. Yeah.
GRAHAM CLULEY. If you pay money to them every month, they say that they will give you access to a real person for common account issues. That's their exact words. Access to a real person for common account issues. I think that means—
CAROLE THERIAULT. That won't go wrong. It won't go wrong. So that means one person who is getting a salary, a nominal salary, is looking after 480 different customers at any given hour.
GRAHAM CLULEY. And so when their accounts get hacked, when they get compromised, when they can't do anything, they'll be able to ring up Bob. He'll answer the phone and help them out.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Because of course, there have been lots of complaints from Instagram and Facebook users over the years of their accounts being hijacked. And I just can't find a human to speak to to get this problem fixed. It's a bargain. It's a bargain. That's what it is, Carole. It's a bargain.
CAROLE THERIAULT. So it's interesting, though, because I don't know how many people— okay, so right now I'm imagining people that I know will not be paying for this, right? They'll be saying, yeah, yeah, yeah, nice try. But at one point, what they're going to do is keep adding on some add-ons, right? And removing juice from the freebie, effectively throttling, right? You got free access, you're being throttled. You want to pay, you get extra. And we always said, hey, if you want good service, you should pay for it. These are companies.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And yeah, but it really hurts when they basically milked us cows for free to gather all the information so they could actually sell it to advertisers and now say, actually, now we want you to pay.
GRAHAM CLULEY. Yeah, there's no suggestion here, by the way, that if you pay the money that you're no longer going to get targeted ads.
CAROLE THERIAULT. Why not go for it, right? Charge and show ads.
GRAHAM CLULEY. So Facebook's announcement comes in the wake of Twitter's rather desperate attempt to make some money because they chaotically released Twitter Blue checkmark late last year. It's been rather disastrous. The Twitter Blue checkmark costs a couple of dollars less than Facebook. But doesn't bother to do any of that identity verification nonsense. You don't have to give them your passport or your driving license. Just give them your money. And yeah, you can call yourself whatever you want. You can pretend to be whoever you want. It's a free world. And there's some wonderful features. For instance, one of the best features of Twitter Blue is that you can change your profile picture from being a circle to being a hexagon. Well, isn't that worth $10 a month?
CAROLE THERIAULT. I've got angles.
GRAHAM CLULEY. And you can then brag that you have an NFT, apparently. It's another bargain. So the other thing you can now do with your Twitter Blue account, this has just happened the last few days, is you can make use of SMS-based two-factor authentication.
CAROLE THERIAULT. Circa 2018?
GRAHAM CLULEY. Well, circa 2002, maybe.
CAROLE THERIAULT. Really?
GRAHAM CLULEY. It's fairly old technology, which is looked on rather askance with people thinking maybe that's not so good. So Twitter has been telling users who've turned on text message 2FA, people who aren't paying Twitter at the moment, they've said, "We're gonna take that away from you next month. You'll no longer have 2FA turned on via SMS, but if you want it, you should upgrade to Twitter Blue and then you can have it back again." And we'll charge you a little bit of money.
Right, and it's gonna cost you $10 or whatever it is. Now this marketing push, it might have the regular users think that SMS-based authentication is somehow a better way to protect your account than the other methods of two-factor authentication, which are still available to free Twitter users.
CAROLE THERIAULT. Oh my God, that's so mortifying.
GRAHAM CLULEY. But of course it's not.
CAROLE THERIAULT. It's just chaos. It's chaos in the barn. No one knows what's going on.
GRAHAM CLULEY. It's bonkers. So, I mean, we've talked about SMS-based two-factor authentication before and its problems. It's still better than nothing. So two-factor authentication coming via text message is better than no two-factor authentication at all, I'd argue. But you have to hope no one who's bonkers enough to pay for Twitter Blue is tricked into thinking it's a good way to harden their security.
CAROLE THERIAULT. So I have streaming services, right? So some evenings I will turn that on. I pay a monthly fee and I enjoy the streaming service, right? Is this— sounds more expensive or at least as expensive as these streaming services. So are they contending that they are as entertaining and wonderful?
GRAHAM CLULEY. Well, it's kind of comparable is what they're saying, isn't it? But they're not producing any of the content themselves. It's all of the people who are users who are creating the content.
CAROLE THERIAULT. Yeah. And I wonder if by taking money from users, if the liability changes in terms of what they provide on the service. Oh, I don't know. I don't know. Expert, email us, tell us now.
GRAHAM CLULEY. If only Twitter had a legal team to investigate these sort of things, it would be, that'd be the thing, wouldn't it? So, so I've said that Twitter's now telling people you're going to lose SMS-based two-factor authentication. Turn it off, they're saying. Well, what's really brilliant is that people have been trying to turn it off as Twitter tells them to, and when they do, they get an error message telling them that they can't do it.
So it's another, it's another disaster by Elon Musk's engineering experts in that way. And on a similar note, talking about these verifications, Will Ferrell, you know Will Ferrell from Zoolander and Anchorman and all those things, he's been in the UK this month. He's been visiting various football matches and making videos mocking fans.
He showed up, I think it was, I think it was at QPR, and he was slagging off the Sunderland football team. And we can hear what he said right now.
CAROLE THERIAULT. We're wishing you guys all the best, Sunderland. Oh, the tears of sorrow you're going to experience tonight dripping down your face into your mouth drowning you in sorrow. I can only imagine. So, so what? So people are, people are lamenting the loss of a match, and he's zooming in on them and going, "Hahaha, look at that guy.
GRAHAM CLULEY. I'm reading poetry." He's basically saying, Sunderland, you're not going to have a good time. And then later on, the verified Twitter account of Official Wheel F wrote, "Away man, sorry Sunderland AFC," and he posted a screenshot up there as well. And the BBC reported this as Will Ferrell apologising for mocking Sunderland's fans.
CAROLE THERIAULT. And who the fuck knows what's going on?
GRAHAM CLULEY. Well, the thing is that the BBC have now had to do a reverse ferret because Will Ferrell, not Will Ferret, it turned out wasn't the person who tweeted that apology. They'd fallen for an account which claimed to be official, claimed to be verified, but of course had been your standard Twitter blue checkmark nonsense.
Anyway, BBC said they've removed the article in its entirety. They said it was, you know, they've completely cocked up. But this is the kind of thing that's happening all the time, not just to Will Ferrell, but to other brands as well, all because of these verified checkmarks not being policed properly. So I think there will be more scams and more shenanigans going forward too.
CAROLE THERIAULT. Do you? Is that your prediction?
GRAHAM CLULEY. That is my prediction. Yes, not a very controversial one, admittedly. Thank you very much. Carole, no guest this week, so what have you got for us?
CAROLE THERIAULT. Well, regular listeners, and actually maybe even you, Graham, might remember—
GRAHAM CLULEY. I don't listen. I don't listen.
CAROLE THERIAULT. —that I had a story about how a guy created a kind of avatar, a chatbot, and fell in love with this AI chatbot, and it somehow saved his marriage, he said. And I tried it myself.
This was my pick of the week about a year ago, and I tried it myself in that I downloaded Replika, paid for a month, right? Just to see what would happen and how it would work. And I personally just couldn't engage.
You have this avatar on the screen that you've designed, and then it kind of bombards you with really lame questions. Well, not for me lame, right? Because favorite movie, favorite color, what were your dreams last night, any books you're reading, snooze ville and also nosy. Nosy Parker asking all these questions. But also I just found it boring, right? And so I have to admit, I didn't spend any time training my chatbot because if I had, slowly over time, who knows where I would be today? Divorced? Happy?
GRAHAM CLULEY. Right? Yeah. I mean, that'd be great, wouldn't it? With Kurt. With Goliath. Or something. Oh, Goliath. Is that his name? Were you actually able to hone your chatbot to have a particular look? Were you able to give it a big manly beard and a barrel chest?
CAROLE THERIAULT. Yes, and a bob, a blonde bob. I did all that.
GRAHAM CLULEY. Yeah. Okay, right, good.
CAROLE THERIAULT. There's this recent story in Vice about how Replika, the same company I spoke about ages ago, got itself into a bit of a moral quandary. So Replika was originally based on OpenAI's ChatGPT-3, but has since veered off and created its own, which it uses in combination with scripted dialogue to hold conversations.
Now, 5 years ago, they say they had maybe 10% was the script, was the AI working, and 90% was people. And now that's reversed. So they used to have humans there writing some of these responses, but training, I guess, you know, filling the gaps. But as they've gotten much more popular and people have downloaded it more, they've learned what the flirty chat is these days.
GRAHAM CLULEY. They know how to chat someone up.
CAROLE THERIAULT. Exactly right. And the way it works is it's a real-time chat message with a chatbot. So, you know, they might say, what's your favorite color? You say blue and they go, I love blue.
GRAHAM CLULEY. Blue is the color of the sky. It's working for me. I'll tell you, I'm sold.
CAROLE THERIAULT. Now, if you go to the Replika website, you will see on the big front, this huge banner that says the AI companion who cares. Let me have a look. Right. Always on your side. So Replika with a K dot com.
GRAHAM CLULEY. Oh, it's Replika with a K. Yeah. Yeah. Okay. Oh, hello. Oh yes, always here to listen and talk. Always on your side. Okay.
CAROLE THERIAULT. Now my question to you is, could we add the suffix about my genitals after any or all of these statements? Sorry, what? The AI companion who cares about my genitals. Yes, that works. Yeah. Always on your side about my genitals.
GRAHAM CLULEY. I don't know if that one works. Always here to listen and talk to my genitals. Listen to my genitals.
CAROLE THERIAULT. About my genitals, you see. Now, the sitch is this, right? In a nutshell, earlier this month, the AI companion Who Cares from Replika, its customers started noticing that the companion who cared oh so much was, well, no longer able to initiate erotic roleplay scenarios.
GRAHAM CLULEY. Had it ever done that before? Bit of flirty, flirty, dirty stuff? Well, it seems it might have.
CAROLE THERIAULT. Yes, seems it might have. I did not know this. That might have changed my entire experience. Yes. Hello, prude. I'd be saying, do you make toast for breakfast? And worse, worse, if you were looking for erotic roleplay scenarios, it would divert the chat to something more tame.
So let me do a little example here, right? Little roleplay. So if I said, for example, as the user, I might write something, hey, getting bored of its boring conversations because that hasn't initiated something erotic. Can you tell me a story involving boobs and butts? And then the Replika might reply, oh, the boobie is a bird that often butts heads with blah, blah, blah. And you'd be, no, that's not what I want. It's quite clever though.
GRAHAM CLULEY. I'm quite impressed. I'd be slightly turned on by that kind of intelligent talk.
CAROLE THERIAULT. Calm down, calm down. Now, the issue is this: there are customers who have spent months, nay, years in some cases, trying to finely tune their chatbot into the perfect partner. What? Dirty bits included, it seems. What? Really? Yes. Okay.
So some of these dudes and dudettes went into a super tailspin when they couldn't get their rocks off with their bots. Some took to Reddit and Facebook, offering and accepting support, even sharing crisis helpline numbers.
GRAHAM CLULEY. Well, they've got a support forum.
CAROLE THERIAULT. Can you imagine you're volunteering at a crisis helpline and it gets clogged up with these people lamenting how their digital sexcapades have gone frigid? I guess. But, but then again, I also kind of get it because if you dedicated months or nay, years creating a chatbot meant to meet your every whim, including the raunchy ones, right. And then a chunk of its personality and character was turned off like a tap, I would be annoyed as well, right?
GRAHAM CLULEY. You don't want to build it up for years and years and then just have it instantly turned off. That's going to leave you hanging, isn't it?
CAROLE THERIAULT. What movies do you like? What's your favorite color? After years of honing it with your fantasies and all your stuff.
GRAHAM CLULEY. Talk to me in an Italian accent, that kind of thing. So, you know, that does it for me.
CAROLE THERIAULT. First, the CEO, and she says in an interview with Vice that Replika has never positioned the app as a source for erotic roleplay or adult content.
GRAHAM CLULEY. Okay, so they never marketed it. They never— hang on a moment, but wasn't it all a sort of virtual boyfriend girlfriend thing? That is part of the deal, isn't it, of having a boyfriend or girlfriend is a bit of nookie.
CAROLE THERIAULT. Why don't you go check out the App Store on this stuff? Because it's quite fascinating. If you go to the App Store on your computer and then just type in AI chatbot as a search, select the iPhone iPad apps because they seem a little more raunchy than the Mac ones. Okay. Yeah. Now what do you have in front of you?
GRAHAM CLULEY. Okay. I've got— Oh, hello. Hello. I've got some screen— Oh, hello.
CAROLE THERIAULT. There's a lot of—
GRAHAM CLULEY. There's a lot of young women. Yeah. All young people. People wearing quite clingy clothing. Would that be a fair thing to say?
CAROLE THERIAULT. Very clingy, looking slightly raunchy, I'd say.
GRAHAM CLULEY. They seem like they'd probably be in Buffy the Vampire Slayer or something like that. They're sort of young people, attractive, and they're sort of all sort of bendy and curvy. Yes.
CAROLE THERIAULT. And it says here, create an AI friend, chat with no limits, or, you know, she'll do anything you want. And this is all in the bonafide App Store. Yeah, yeah, yeah.
GRAHAM CLULEY. I'm looking at one right now.
CAROLE THERIAULT. Yeah, looks right. So give me a break. They didn't. I mean, this is the market is what I'm seeing when I look around, right? Yeah. So why did Replika then dial down the horn, so to speak, right? Breaking the hearts of many a customer. And it said it never positioned the app as a source of erotic roleplay or adult content, but I would call bullpoopies on it. Because recently, Replika started serving ads on social media platforms like Instagram and TikTok that were blatant about the horny capabilities of the app.
GRAHAM CLULEY. Yeah, of course. That's what I mean, because the sort of person who buys one of these is someone maybe who doesn't want a sort of a real-life relationship. Would that be fair to say? Or someone who hasn't got the time for one.
CAROLE THERIAULT. Or maybe someone who's recently widowed, or someone who has got, you know, feeling lonely. There's loads of legit reasons why you may want to connect, and this may be an easier way than doing it with a real person, because most people are assholes, let's be honest.
GRAHAM CLULEY. We know. That's fair enough, and those are legitimate reasons. But yes, I think something which would stimulate your interest into checking out one of these apps would be the thought of, oh, hello, this could be a bit of fun.
CAROLE THERIAULT. Exactly. But so all these ads are going on and there were two big responses that I could see. On one side, people were saying, hey, this is total bullshit because you've removed all the erotica features, you've dulled them down to zero. So what are these ads who are being super blatant about all the horny horn horn stuff?
GRAHAM CLULEY. So, but I don't understand why. Why have they removed these features? Surely the users, if the users love them and if this is the whole reason why people download these apps, why have they toned it down?
CAROLE THERIAULT. This is according to Vice. So it said unwanted sexual pursuit has been an issue for users for years and users have been complaining about it for almost two years. But many of the one-star reviews mentioning sexual aggression are from this month because I think that maybe they dialed it up with the ad campaign that they put up. Oh, and some people are reporting that it was actually getting sexually aggressive with users that weren't expecting it or wanting it. So there are reports— this is all, you know, in the app stores, in the reviews, you can go see for yourselves— but there are people that are going, oh my God, this is not comfortable. This is—
GRAHAM CLULEY. So you might have been a fan of this app, you could have been using this app for a while, and you've honed it to discuss the poetry of Emily Dickinson and the Brontë sisters or whatever, and you're loving that. Oh, it's so lovely, Mr. Darcy, all that sort of stuff. And then suddenly it's all kind of pervy, pervy latex.
CAROLE THERIAULT. Yeah, someone, one comment was like, "Do you like being a top or a bottom?" It was like this out of the blue comment that was made. So suddenly diving in really hard on these, you know, and making it very sexual.
And to add heat to this, on February 3rd, the Italian Data Protection Authority demanded that Replika stop processing Italians' data immediately, on the basis that it carries risks to children, highlighting that the reason they were saying this is that they are served replies by Replika which are absolutely inappropriate for their age.
So I think all this pressure has forced Replika to dial it down. But on the flip side, you've got people that have created relationships with their bots, and suddenly they're showing different, you know, but they're showing different qualities and different characters.
If they suddenly, they're starting very sexually aggressive, or suddenly kind of going, "Oh, did you see the nice birds outside? Let's talk about the weather." It must be jarring if you've invested in this. And it's not that silly. Think of your son.
GRAHAM CLULEY. He's invested in video games. He is, right?
Who knows what he's installing on his iPad right now? He could be a sexy flirting virtual girlfriend. Yeah, for all I know. I don't have a problem.
CAROLE THERIAULT. The big issue right now is that they've turned off the whole erotic side of things, saying it wasn't their focus in the first place, that they don't have a real issue with it, but they need to make it safe before they put it back in. And they've seen some problems.
Now, some people would argue that these problems have been happening for a while, and finally they've pulled up their socks, but it seems as though maybe they dialed it up just a tiny bit and it kind of went a bit crazy. So they shut it all down to review.
And see, I'm kicking myself now because I didn't read the terms and I don't know what ages. Is this an 18+ thing or—
GRAHAM CLULEY. Well, I'm looking at one here which looks, and it says it's available in the App Store for ages 12+. There you go.
So I don't know what others are, but I guess that means more people can download it, isn't it? It's a difficult tightrope which they're walking on.
CAROLE THERIAULT. And there are all these different versions of GPT or generative pre-trained transformer, and they're all being tweaked in their own way by different people. And there's absolutely no guidelines yet.
GRAHAM CLULEY. It's frightening. I've just found one where you can chat with your own live elf.
You can talk to a real elf. Rule 34, Graham. Rule 34.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero-trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more?
Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing.
And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login with Device, it can be initiated on the Web Vault, browser extension, desktop app, or mobile app, and you can approve access on your mobile and desktop app versions of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
Smashing Security.
CAROLE THERIAULT. Smashing Security say that while the cloud might be the best choice for companies focused on reducing the cost of managing applications, some companies are opting out of public cloud and sticking to on-premise and private cloud. Why?
One reason is regulatory compliance. Moving data to the cloud means you are reliant on the security and access control provided by the cloud supplier.
Organizations that prefer to keep their data on-premise in a private cloud where they have sole access and control should perhaps look to SecurEnvoy for on-premise MFA. Another reason is that data privacy legislation in different countries can lead to differing data protection requirements.
And for companies with a multi-country presence, they know there are different regulations in different countries that affect how we store and back up data. SecureEnvoy's on-premise MFA solution could be exactly the solution you need to meet your MFA requirements.
Learn more at smashingsecurity.com/secureenvoy. And thanks to SecureEnvoy for sponsoring the show.
GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Hope it's not. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. Let's talk about space.
Space. Space is big.
CAROLE THERIAULT. That's very insightful you are today.
GRAHAM CLULEY. Yeah. Well, you wouldn't believe how vastly, hugely, mind-bogglingly big it is. You may think it's a long way down the road to the chemist's, but that's just peanuts compared to space.
And if you want to get some idea as to just how big things can be, that is my pick of the week this week, because I'm sure, Carole, you are familiar with the work of Randall Munroe, better known as the artist behind XKCD. Yeah. The comic.
Now, I was having a think about, I was thinking, you know, what a wonderful body of work he's produced over the years. And I remember one of my very favourite ones was something called Click and Drag, which came out, can you believe, back in 2012.
I remember, I wonder if you remember this one. I will put a link in the show notes because this wasn't just a comic strip.
This was an experience. So with click and drag, you're looking at 4 little windows on the comic, 4 panels, I suppose you call them, on the comic strip.
And you start off with your little stick man floating around, hanging from a balloon above a landscape. And you then click and drag on the landscape as you would do with a mouse on your computer, with your finger, drag it on your smartphone device, for instance.
And what you realize is that you are only looking at a tiny part of the landscape and you can move left and right, up and down, and you can slowly explore the landscape. And the thing is, I can hear you, Carole, I can hear you watching.
CAROLE THERIAULT. No, I'm doing it right now. I'm doing it. I'm doing it.
It's very cute. Actually, I was actually being charmed by some of the drawings in it.
GRAHAM CLULEY. It is a huge landscape of unexpected things. You can spend hours looking into this, and I was very impressed as to how much effort must have been put in by XKCD producing this particular piece of work.
Now, if you read up more about this, there is a great website called Explain XKCD, which gives you a sort of— it's like a wiki really of descriptions of different XKCD comics. Sometimes they're explaining the nerdiness behind the joke, if you haven't quite got the joke.
In this particular case, they're waxing lyrical about the artistic merit of this particular cartoon and what it means to the human psyche. How, rather like when you're living through life or when you're traveling, you just travel bit by bit.
You're not seeing the full picture all at once because you can't see the full picture with this particular landscape. You have to click and drag, and you can, as I say, spend hours finding little Easter eggs and all sorts of loveliness and sad bits and romantic bits and funny jokes as you go further and further.
If, however, you've got no patience at all, I'm also going to link into a zoomable version that's much easier to navigate, but you will be cheating if you do that. And if you want to go and—
CAROLE THERIAULT. You will not be cheating. It'll just save you if you've got RSI in your wrist from having to scroll around.
But I—
GRAHAM CLULEY. This has always struck me as one of the loveliest, most pointless but beautiful things on the internet, much better than that Elf Chat app I was just talking about, or the apps you've been promoting.
CAROLE THERIAULT. Don't you think it's just a bit like life, Graham? You know, you never get the full picture.
It is. Isn't it just?
GRAHAM CLULEY. It's a bit deep for you. It's black and white.
It's a bit of a drag. But occasionally something will click.
And that is why this particular XKCD comic, which I'll link to in the show notes, is my pick of the week.
CAROLE THERIAULT. Number 1110. Yes.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, do I have a pick of the week? It may be a pickish of the week.
A sort of pick of the week.
GRAHAM CLULEY. A nitpick? I don't know. A nosepick?
CAROLE THERIAULT. I don't think I loved it. I liked it, right? And I think some people will adore it. Rotten Tomatoes, it's a series, I'm gonna tell you in a second, but they wax lyrical about it, so I'm gonna risk it.
GRAHAM CLULEY. Okay, all right, go for it.
CAROLE THERIAULT. So, show on Disney+ called Only Murders in the Building.
GRAHAM CLULEY. Ah, I've heard about this. I haven't seen it.
CAROLE THERIAULT. Right. Okay. For those that haven't, basically, you have three strangers, you know, well-known Steve Martin, the glorious Martin Short, and cute as a button Selena Gomez. Right? They all share an obsession with true crime and podcasts.
GRAHAM CLULEY. Well, every podcast is a true crime podcast, including this one that people listen to. Just wait.
CAROLE THERIAULT. Dun dun dun! And anyways, they suddenly, they live all in the same building, and they suddenly find themselves wrapped up caught up in a bit of a murder. They're trying to figure out who in the building has committed this murder. And they start a true crime pod to record their search and findings. Now, so I have an issue with the premise, right? Because would you do that? Would you go after your neighbors accusing them of murder? You know, week on week jumping from suspect to suspect explaining why they are the murderer and the next week going, "Oh no, we got it wrong."
GRAHAM CLULEY. So the actual real murderer could be listening to the podcast. And realize that the suspects are being narrowed down and they're getting closer and closer to me. Yes! Isn't it always the janitor anyway? And he would have got away with it if it weren't for those pesky kids. Not this time.
CAROLE THERIAULT. So on the plus side, it's cozy. Someone used that word describing it. I think that's the good word. You know, it has a little bit of old Woody Allen, you know, because it's kind of very New York and a bit jazzy and, you know, it deals with the darker side of things with a skip in its step. So, you know, a bit Woody Allen-esque, you know, you have this horror thing happening, but the way they react makes it light, a bit of slapstick, cute lines. But I don't know, the characters for me are exaggerated, a bit of a comic strip, you know, the bad guy is really bad and, you know, looks bad and has big bushy eyebrows and tiny little eyes and— I don't know, but hey, look, I wasn't a big fan of Ted Danson's The Good Place, and Maria loved it. And I think I have a similar gripe about this one, but I trust Maria.
GRAHAM CLULEY. Yeah, I don't The Good Place, but I do know people who adore it.
CAROLE THERIAULT. And people that you and respect. Yeah.
GRAHAM CLULEY. Right? Yeah. Me too. I'll give Only Murders in the Building a try though. I mean, I'm intrigued by it. My problem is sometimes I start watching these TV shows and I think, okay, I've seen 3 or 4 episodes, I kind of get it now. It's, are we going anywhere new or is it just going to be more of the same? It's a bit Murder, She Wrote.
CAROLE THERIAULT. It kind of just meanders along at a nice comfy, a nice comfortable pace. I think you'll be able to keep up.
GRAHAM CLULEY. That's what I. I a nice gentle TV program Midsomer Murders, something that. Something that's not going to offend anyone. There you are. Lovely.
CAROLE THERIAULT. So that's my pickish of the week. Only Murders in the Building. It's on Disney Plus or I'm sure wherever you stream your stuff.
GRAHAM CLULEY. Fantastic. Fantastic. Well, Carole, that just about wraps up the show for this week. Folks can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G.
We don't have a verified Twitter account and we won't be buying Twitter Blue. Smashing Security is also on Mastodon. Go and find us up there and also check out the Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Overcast, Apple Podcasts, and Spotify.
CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Bitwarden, Kolide, and SecurEnvoy. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free. And as always, for episode show notes, sponsorship info, guest list, and the entire back catalog of more than 309 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. 209? 309? 309 episodes.
CAROLE THERIAULT. Until next time, cheerio.
GRAHAM CLULEY. Bye-bye.
CAROLE THERIAULT. Bye.
-- TRANSCRIPT ENDS --