There's some funny business going on on Google, and Zuckerberg's $14 billion bet on the metaverse is beginning to look a little childish...
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Google sues alleged scammer over fake business and review scheme - The Verge.
- Meta to Lower Age for Users of Virtual Reality Headset to 10 From 13 - New York Times.
- Introducing New Parent-Managed Meta Accounts for Families - Meta Blog.
- Keep Connected - ages 10–14 - Keep Connected.
- The Metaverse Police: A VR content moderator shares his insights - Mixed News.
- “Untold: The Girlfriend Who Didn't Exist” - Netflix.
- Tommy Siegel - Some candy hearts comics I drew, a thread - Twitter.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Life is bad enough as it is in terms of screens. The fact that he would now be sellotaping a couple of screens to his head permanently is absolutely appalling.
CAROLE THERIAULT. Even if it was full of education and bollocks, will it be?
UNKNOWN. Smashing Security, episode 327. Mark's Metaverse for Minors and Getting Down to Business. LastPass with Carole Theriault and Graham Cluley. Hello. Hello, and welcome to Smashing Security episode 327. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, a pleasure to have you on the show, obviously, all the way from— well, you're out of the country at the moment, aren't you? At a secret destination?
CAROLE THERIAULT. Yeah, secret holiday, countrified destination with poor Wi-Fi. So hopefully I'm coming through okay.
GRAHAM CLULEY. And even so, the podcast carries on.
CAROLE THERIAULT. Shall we kick the show off?
GRAHAM CLULEY. Let's get on with it. Come on, Carole Theriault.
CAROLE THERIAULT. Before we kick off this show, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Drata. It's their support that helps us give you this show for free.
Now coming up in today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be getting down to business.
CAROLE THERIAULT. Fantastic. And I'm going to look at what $14 billion can get you. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, Chum Chum, I've got a question for you. What do you do when you need to find a local company to help you with something? Have you had anything going wrong with your house or any service that you need?
CAROLE THERIAULT. So I suppose you'd normally search online and I might go and see trade recommendations, you know, if it was a house thing and see if anyone else said this is great.
GRAHAM CLULEY. I think you've put your finger on it. You do exactly the same as me, which is that you go onto a search engine. So maybe you'd go on to Google and perhaps your garage door is broken or you need a plumber or you're after a chiropractor and you think, oh crumbs, I don't know one.
Haven't used one before. Where am I going to find one? You go on to Google and you might check out reviews and things.
So one of the things that you have inside Google Search and Google Maps as well, actually, are business results. So you type in the name of something and it will tell you the plumbers in the area. And it may well give them reviews as well.
So people can leave reviews for local businesses. But you want to be careful, of course. You need to be sure that those business results are verified and the real thing.
If you need an aromatherapist, you don't want a tree surgeon coming round.
CAROLE THERIAULT. That's a spelling error if that happens.
GRAHAM CLULEY. Well, the thing is that if you weren't getting much work as a tree surgeon, maybe you would set yourself up as an aromatherapist in those results. And, you know, you'd go, well, maybe, maybe, who knows?
CAROLE THERIAULT. I'm not sure that would work out for you, but okay, I'm gonna— I'll fly along with you.
GRAHAM CLULEY. Perhaps it wouldn't. But anyway, so I, for instance, have a relative who has his own little gardening business, and I said to him, well, look, I know how you could help get yourself a bit more traffic coming to your website. Why don't you verify your business on Google, and then they will list you as a gardening service company in this particular part of the world. And he said to me, well, how do you do that?
I said, oh, it's easy. There's a variety of ways in which you can do it. One is that you can go to Google's website and get them— you just fill in a form with details about your business, and they will then send you a postcard. You can actually get a postcard from Google which has a verification code on it, so they're verifying you really are at that address. And then you enter the code and it will add you to Google Maps and Google Search with information about your company, and people can leave reviews for your company.
CAROLE THERIAULT. And they've been doing that for what, a decade or something?
GRAHAM CLULEY. Oh, at least. At least.
CAROLE THERIAULT. In fact, it's funny because my neighbors are down as Slimming World on Google Maps.
GRAHAM CLULEY. Oh, really?
CAROLE THERIAULT. I was like, how, you know, do you guys do this?
GRAHAM CLULEY. They're like, nope.
CAROLE THERIAULT. I was like, okay, interesting.
GRAHAM CLULEY. That's peculiar.
CAROLE THERIAULT. That was years and years ago.
GRAHAM CLULEY. Oh yeah. Right. And so Google does attempt to verify these things. Now, for some companies, of course, they may not have a specific location which they want listed. It may be an area. And so for those sort of situations where a postcard wouldn't be appropriate, you can actually get Google to phone you up and FaceTime you. They can have a video call with you where they will actually look around your business. And so you will show them your workshop and they say, oh, okay, clearly you are a business, or you've got this stock which you're selling from this particular place.
CAROLE THERIAULT. Do you install bloatware for them to check out if it's a technology business?
GRAHAM CLULEY. Oh, no, no, they don't permanently. I mean, although Google is obviously a surveillance company, they don't actually—
CAROLE THERIAULT. They do evil now, apparently.
GRAHAM CLULEY. Well, yeah, yes, no more promises regarding that. But anyway, the point is that you can see a local business, read up about it, even check out its reviews and make contact. Very, very handy. So imagine, Carole, there you are in the future, you're living in I don't know, Hollywood. You're living in Los Angeles. Woo!
CAROLE THERIAULT. Living the dream.
GRAHAM CLULEY. You are living the dream. You've got the fancy car. You're driving along the highway. You get back home after a hard day's whatever it is that you do.
CAROLE THERIAULT. Drinking coffee.
GRAHAM CLULEY. And your garage door doesn't open. Oh. And you think, what am I going to do? Because of course it's LA, so your garage door is all electronic. It's not one you pull up. You press a button and it happens. And you need a garage door repair service.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So you go onto Google and you search for a garage door repair service and you find the Western Los Angeles Garage Door Repair Company.
CAROLE THERIAULT. Perfect SEO for my question.
GRAHAM CLULEY. Yeah. Verified listing for what you needed, verified by Google, contains photographs, has a link to the website, information about the business's hours and service area, got reviews. You know, they're all 5-star reviews for this company.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And because you're growing frustrated sitting on the driveway, you call the number, and yep, it's Los Angeles 213 area code. Again, further reassurance that this is a local, legitimate company who you're dealing with.
CAROLE THERIAULT. Hi, how are you today? How can we be of service?
GRAHAM CLULEY. Yeah, Garage Doors R Us, who you're speaking to. And when you place that call, the thing is you're not actually connected to the business that you quite reasonably believe you were calling, because it turns out that company doesn't actually exist. Instead, your call has been transferred to a different company that is part of this scam, perhaps unwittingly part of this scam, and doesn't even realize it.
CAROLE THERIAULT. I'm not following.
GRAHAM CLULEY. So what is going on here?
CAROLE THERIAULT. Yeah, I'm not. Yeah, I don't know. Okay. Walk me through it.
GRAHAM CLULEY. So basically, there are bogus reviews on Google and bogus business profiles on Google, which are then directing to other companies. And they've got fake profiles. They've got fake reviews as well. So Google is now taking legal action against a chap called Ethan Hu. And they claim that Ethan has created over 350 fake business profile listings on Google since the middle of 2021. Why? Exactly. That's what I was interested about. Why has he done this? Yeah.
CAROLE THERIAULT. What's the endgame?
GRAHAM CLULEY. What's the point?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Well, I'm going to explain it to you because it's really rather clever. Okay, so according to Google, this chap Ethan Hu and some of his collaborators have been tricking Google all of this time for the last two years with these fake reviews, setting up these non-existent companies. For instance, the garage door repair company which I spoke about. For instance, a non-existent chiropractor, plumbing companies, all kinds of companies. And he's managed to verify these companies because when Google video call him he has an elaborate set of props, and they claim that he's using these props, which might be, for instance, a workbench with tools on it. It may be a whole massage chair. It may be aromatherapy, essential oils, all kinds of things which then make them think, oh, he's a legitimate business. We're going to profile him. And he was using both a selection of photographs and props and videos again and again, masquerading as different businesses all across the country.
CAROLE THERIAULT. I the idea if he would do that and just set a background, you know, take a picture of a garage and put it behind him and go, yeah, well, you can see over there, there's the car I'm working on.
GRAHAM CLULEY. It's just a green screen. Yeah, yeah, exactly. He could have done that. Well, apparently he had a real workbench, apparently. And sometimes he claimed to be the garage door repair company. Then two days later, he'd create another company and get it verified and say that he was a tree surgeon. Then he was a budget plumber's, but he was using the same thing over and over again. And again, I'm still thinking, what's going on there? Why is he sometimes claiming to be a Reiki therapist, other times into massage and things? So hundreds and hundreds of different profiles being set up. So, so what's going on here?
CAROLE THERIAULT. I'm still waiting.
GRAHAM CLULEY. Okay. Okay. So what's going on here is that he's creating these fake profiles and then he's getting fake reviews for them. So these aren't reviews written by real people. In fact, what he appears— what is claimed according to Google that he's had is he's had over 14,000 reviews for these companies, all 5-star, published on Google, all of them posted by just two different people in Bangladesh and Vietnam. So unlikely to be using his Handy Rapid Plumber Service or the Santa Barbara Maid Service and Home Cleaners and Gold Garage Door Repair and all these other companies. So he's got all these profiles and they've got great reviews and they're littered and scattered across America and people are finding them when they're looking for companies. And once again, Carole, you're going to ask me, why is he doing this?
CAROLE THERIAULT. With a more frustrated tone now. Yeah.
GRAHAM CLULEY. Yes. The reason is that he is selling those profiles to other people. So he is advertising these profiles, allegedly, on Facebook and the like, saying, I'm looking for a plumber in Los Angeles who would like more internet traffic and more good reviews.
He's finding a plumber who doesn't have very good SEO, who doesn't have good reviews, who services that particular part of the world, and then selling them the business profile. So it gives them the access to the profile, whereupon they can change the name of the company and its contact details, and so that they get the call.
In other occasions, what he will do is he will actually redirect. He says, I'm already getting 30 calls a month and 4 form submissions. I will forward all of these to your company instead at a monthly subscription rate.
CAROLE THERIAULT. So then when I call them up to get my garage door fixed, he then transfers it over to a third-party company that actually handles garage doors.
GRAHAM CLULEY. That actually handles it. So it automatically goes through. He doesn't do this by hand.
He's not sort of sticking the wires in and reconnecting your calls and hold on a minute, because clearly this is something which is going on at an absolutely huge extent. So there have been hundreds of these profiles created. Thousands and thousands of reviews being left as well.
And he's making all this money. And sometimes the profiles will completely transform. So it may be that he set up a plumbing profile, but then later gets sold to a chiropractor.
And so it will then change its name and its business nature to that of a chiropractor. And there it's got its 14,000 reviews. The reviews may say things like, you know, managed to fix my washing machine rather than the creepy minder.
CAROLE THERIAULT. That would, I would find that a little concerning.
GRAHAM CLULEY. Yes, but as the reviews are faked, Carole, as they're written by these couple of dudes in Bangladesh and Vietnam, he's probably told them, look, just say things like 5-star service, amazing, they were really terrific, they're the best, rather than being specific about what kind of business that they've been helped for.
CAROLE THERIAULT. Okay, so question, question. Are you planning to help your family member in this manner?
GRAHAM CLULEY. You know what? That wouldn't be a bad idea, would it?
CAROLE THERIAULT. Yes, it would.
GRAHAM CLULEY. I think— oh, sorry, would it? Yes, it would.
CAROLE THERIAULT. Jeez.
GRAHAM CLULEY. Because he's clearly— well, what can Google do about this? I don't know if they can sue or not. I don't know if they— I mean, certainly it is a breach of the terms of service.
And so I think they're threatening to say, look, you'll no longer be able to create any business profiles. Oh, yeah, really?
CAROLE THERIAULT. Wow, scary Google.
GRAHAM CLULEY. Google claims it has stopped over 20 million attempts to create fake profiles for businesses in 2022, and it's protected more than 185,000 businesses from suspicious activity along these lines. And it reckons the average person actually loses— consumers lose on average $125 a year due to incorrect reviews.
And it is true that we trust online reviews a great deal when they're posted by strangers, and we don't know how many of them are bogus. By the way, if anyone wants to leave a review for Smashing Security on Apple Podcasts, 5-star only, please.
CAROLE THERIAULT. Yeah, and please stay vague.
GRAHAM CLULEY. Yeah. Well, yes. Say what a great job we did fixing your washing machine, perhaps.
CAROLE THERIAULT. Don't name us.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, what do you think, Graham, $14 billion could buy you? It's a serious amount of cash.
GRAHAM CLULEY. I think for $14 billion, I could probably get my own personal moon base.
CAROLE THERIAULT. You might be able to.
GRAHAM CLULEY. I could possibly. I don't know if it would also include the trip there or not, and hopefully back, but maybe I'd be able to get to the moon.
CAROLE THERIAULT. I can't imagine you wanting to go to the moon. I think you'd find that whole experience rather uncomfortable. How long does it take exactly?
GRAHAM CLULEY. Well, yeah, it's bad enough going to America, isn't it, on the plane or something, or Tenerife. Yeah, I'm not sure I'd want to be on a spaceship for 3 days.
CAROLE THERIAULT. Well, you went much bigger than me because I was thinking, well, what about a private jet? But it turns out private jets are for just, you know, cheap people, because with $1 billion, you could have your pick of Boeing commercial planes worth anywhere between $89 million and $450 million, so might as well buy a few, right?
GRAHAM CLULEY. I was thinking the other day, because I saw Donald Trump was flying around, and he's got a jumbo jet, hasn't he? And I thought, why does he need one that big? Well, other than to carry documents around or something. I mean, I don't know.
CAROLE THERIAULT. For his ego.
GRAHAM CLULEY. Yeah, I think it's just pure ego, isn't it? You don't need a plane that big. It could just be a private jet.
CAROLE THERIAULT. Well, you know, if you're one of those Jeff Bezos type people, you want to have— I think he went and tried to get the biggest yacht in the world.
GRAHAM CLULEY. Yes. You could even buy Buckingham Palace.
CAROLE THERIAULT. Which is estimated to be worth $1.4 billion. So you could maybe build a few more of those.
GRAHAM CLULEY. Is it for sale? Is Charlie a bit hard up for cash?
CAROLE THERIAULT. Juckey's thinking, "I don't need this place." Unfortunately, it's not enough to buy the world's largest royal domain. Can you guess what that might be?
GRAHAM CLULEY. You mean domain as in URL?
CAROLE THERIAULT. No, as in house.
GRAHAM CLULEY. A principality.
CAROLE THERIAULT. As in big, huge place in France.
GRAHAM CLULEY. What, Versailles maybe?
CAROLE THERIAULT. Yes, the Palace of Versailles, an estimated $50 billion because it has 700 rooms, 600 paintings, 400 sculptures, and 1,400 fountains, for God's sake.
GRAHAM CLULEY. It has a lovely garden. I have been to the gardens of Versailles. It's very pretty.
CAROLE THERIAULT. It's very pretty, but you may not want to stump up $50 billion for it. No, probably not.
GRAHAM CLULEY. Probably not.
CAROLE THERIAULT. Now, if you were the CEO of Meta, Mr. Zuckerberg himself, what would you do with this money? This $14 billion?
GRAHAM CLULEY. Ooh. Ah, I know where you're going now. Because the fact that they changed their name from Facebook to Meta, because didn't they invest a ridiculous amount of money into their virtual reality headsets nonsense?
CAROLE THERIAULT. Yes, VR world. Exactly. Way back in December 2021, the New York Times reported, and we remember this, all the world's largest tech companies were hurtling headlong into creating the metaverse, a virtual reality world where people can have avatars and do everything from play video games to attend gym classes or do meetings, all the stuff.
GRAHAM CLULEY. And I thought this is just Second Life, which is something that had been around for 20 years, just a sort of sad online games.
CAROLE THERIAULT. I still think that, but there you go.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now, Mark Zuckerberg himself believed in it so much, right, in this metaverse, that he was willing to invest billions in the effort. And he has a whopping $14 billion to expand Reality Labs, the company's arm that is devoted to building hardware and developing the metaverse. But the high cost of trying to turn the metaverse into a mainstream business seems to have spooked Wall Street, causing Meta's stock to plunge last year. We remember this.
GRAHAM CLULEY. Yeah, it feels like it was a bad strategy, doesn't it?
CAROLE THERIAULT. Well, is it? I mean, everyone was in on that until AI came along, where all the investors are suddenly—
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Got their heads swiveled the other way and went, oh, that looks like a better bet.
GRAHAM CLULEY. That looks more interesting. Yeah, totally.
CAROLE THERIAULT. But let's go back to poor little Zuckster here. You've invested billions and billions and billions and billions, huge golden shackles that you've put around yourself, if you ask me, and your shareholders are spooked. So what do you do? Because you got to grow the business, make some money, get the investors to come back into the fold.
GRAHAM CLULEY. But how? Isn't the actual trick, I mean, isn't the thing which actually has driven internet innovation for the last 30 years, pornography. And wouldn't that be the obvious? I know it's seedy. I know it may not fit into Facebook family, as if Facebook has any values. But if you actually want to make money out of virtual reality and the metaverse, surely the thing is to go hard when it comes to VR porn or something.
CAROLE THERIAULT. I think actually AI's got that all beat as well.
GRAHAM CLULEY. They've got it beat, haven't they?
CAROLE THERIAULT. Yeah, Science Vs. latest episode has a fantastic episode on AI porn if you're interested.
GRAHAM CLULEY. No, I'm not, thanks.
CAROLE THERIAULT. Well, Zuckerberg decided not to go down that route, Graham. Instead, he has announced his plans to the world that he wants to lower the age limit from 13 to 10.
GRAHAM CLULEY. Really?
CAROLE THERIAULT. Now, yeah. Now think a bit about this. This is all according to a blog post that they put up, links in the show notes.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Now, if you think about it, the global population is expected to reach more than 8 billion before 2025. So that means by my calculation and looking around at Statista, about a quarter of the world is under 15. So you do a few little maths and you realize there's a few hundred million 10 to 13-year-olds and that might be perfect for this VR world. And they would certainly help fill the empty Meta coffers, wouldn't they?
GRAHAM CLULEY. Well, would they though? I mean, how much pocket money are they getting at that age?
CAROLE THERIAULT. I think you're hitting up mom and dad to buy the VR set and, you know, pay all the fees.
GRAHAM CLULEY. He wants kids on the metaverse.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. It's not just joining Facebook.
CAROLE THERIAULT. Oh, I see. Exactly. Right. And plus, lowering the age limit requirements might remove friction, helping younger audiences cozy up with the metaverse, get familiar with it. And the idea would be that they're more likely to continue using the technology as they grow up, as many people now still use Facebook, right?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. But 10, for fuck's sake, 10 years old. So according to the Search Institute, it is from the ages of 10 and 14 when young people begin to discover who they are and their place in the world. So quote, with a growing ability to see consequences of different actions, tweens and young teens are more able to think like adults, but they do not have the experience and judgment needed to act like adults. And I'm thinking perhaps that too is very attractive to Meta. You know, kids might not yet have the skills to say, this is good for me, or this is not good for me. And Christ, I know many adults that don't even know how to do that.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. But what pisses me off the most here is in Meta's blog announcements, which interestingly has no author. See, surely, I've always thought of a blog as a personal piece from someone representing a company or themselves. But blogs without attribution to a person seem a bit odd to me.
GRAHAM CLULEY. Am I the only one saying that? No, in my experience, because I think we've both worked for companies where we've sometimes had to post things, which the company didn't really want to have to post, but knew it had to post. And so there was always an option of let's not have any author on this because no one wanted to put their actual name.
CAROLE THERIAULT. Exactly. Yeah. So in this blog announcement without an author, I decided to do a— it's super focused on parents. I mean, literally, I did a search. The word parent shows up 33 times in a single, maybe 5-paragraph blog post. Things like parents decide, parents manage, parents monitor, parent control.
GRAHAM CLULEY. Parents abhor, parents hate, parents disgusted by Meta.
CAROLE THERIAULT. Yeah. So effectively, they're making being a parent, and you're a parent of a kid in this age group, right? Between 10 and 13.
GRAHAM CLULEY. I am.
CAROLE THERIAULT. So what are your thoughts? You know, if you have, you know, you've got this, would you want him to go on this metaverse? Is this something you'd be interested in?
GRAHAM CLULEY. No. Life is bad enough as it is in terms of screens. The fact that he would now be sellotaping a couple of screens to his head permanently is absolutely appalling.
CAROLE THERIAULT. Even if it was full of education and bollocks, will it be?
GRAHAM CLULEY. No, it won't. I don't think he would go in there to do his math problems, right? I would just, yeah, exactly. Please, please read a book for once rather than looking at a screen. Do something else. No, I don't. Oh, it's just, and it's so isolating as well. We need to connect more with our children and just be around them and talk face to face. The thought of people wearing these. I mean, Apple have just brought out their, well, they've announced, haven't they, their new Apple Vision, is it called? The Vision Pro?
CAROLE THERIAULT. I don't know, I've been on holiday.
GRAHAM CLULEY. Oh gosh, Carole, you missed it. So Apple have now brought out their own virtual reality headset or have announced it at the very least. And one of the things it does is it obviously, the others, it straps a television to the front of your forehead.
CAROLE THERIAULT. That's what I need.
GRAHAM CLULEY. But it actually has cameras looking at your eyes. That's how you control it, is with your eyes. And it then displays your eyes on the outside screen so that people are less unnerved that you're wearing this thing.
CAROLE THERIAULT. So I have these blank eyes that, you know, they're talking to me and I can pretend I'm listening to them while I'm playing a game inside me. Oh, for God's sake. I'm a Luddite. I think we have to stop this podcast. I can't keep up anymore.
GRAHAM CLULEY. Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks, including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. So, listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
GRAHAM CLULEY. How?
CAROLE THERIAULT. If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance.
Wanna learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password?
Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.
GRAHAM CLULEY. It could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week, is it security-related? I'm not going to give you any spoilers. You may have to actually investigate for yourself.
I have watched a documentary on Netflix, a sports-related documentary, can you believe?
CAROLE THERIAULT. What?
GRAHAM CLULEY. I know it's unlikely, isn't it? There is a series of sports documentaries on Netflix called Untold, and my attention was caught by one in particular. It tells the story of a guy called Manti Te'o from Hawaii.
And he was a very talented young American footballer who won a place on the Notre Dame Fighting Irish football team back in 2009.
CAROLE THERIAULT. Notre Dame. Notre Dame.
GRAHAM CLULEY. Not Notre Dame.
CAROLE THERIAULT. Notre Dame.
GRAHAM CLULEY. Notre Dame. That's a bit weird.
CAROLE THERIAULT. Norder— Norderdame.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. And correct us, listeners.
GRAHAM CLULEY. Anyway, and anyway, he helped transform their performance. They'd had a, you know, bad few years. He got lots of attention as a player to watch.
He was amazing from what I saw. He did really well. And he then hit the headlines in September 2012 upon revealing that both his grandmother and girlfriend—
But when I say grandmother and girlfriend, I don't mean his girlfriend was his grandmother. Just sorry, you just caught—
CAROLE THERIAULT. You caught me right before my joke there.
GRAHAM CLULEY. Okay, anyway, so both— it's not funny actually.
CAROLE THERIAULT. Okay, not laughing.
GRAHAM CLULEY. They both died on the same day. He announced that both his grandmother and his girlfriend had died. His girlfriend was a student at Stanford University called Lennay Kekua, and his girlfriend, he said, had had a car crash which had left her in a coma and she'd subsequently died from leukemia on the same day as her grandmother. But despite that, he went ahead with a really important football match.
CAROLE THERIAULT. That day?
GRAHAM CLULEY. Well, I think it was a couple of days later. He was obviously extremely shaken by the horrendous experience. And the media went nuts.
And he went on to be nominated as a candidate for a prestigious trophy from the world of American football, about Outstanding Player of the Year in college football, and loads of TV interviews, media interest, and the rest of it. Just a few months later though, Deadspin, which is a sports blog, published a story saying that Lennay Kekua, the footballer's supposed girlfriend, was in fact a hoax and his dead girlfriend had never existed.
CAROLE THERIAULT. So he had no girlfriend to die in the first place, for example.
GRAHAM CLULEY. You'll have to watch the documentary.
CAROLE THERIAULT. Lame.
GRAHAM CLULEY. So it's called Untold: The Girlfriend Who Didn't Exist. There are some big twists in the story which are quite fascinating because I saw the premise of this like, okay, the girlfriend didn't— people lie about their girlfriends.
And then as a sportsman, I thought, oh, it's going to be like Lance Armstrong who's the quintessential lying sportsman who won the Tour de France and pumped himself full of drugs and all the rest of it. And I thought, oh, this guy's going to be such a liar and all the rest of it.
The story is rather more interesting than simply he was lying for attention. Now, if you're American, you may already know this story because I guess he was a bit of a star in America and it looks like there was quite a lot of media coverage.
I'd never heard of this guy, so the story was a big surprise to me. But anyway, I'd recommend it. It's on Netflix. It's called Untold: The Girlfriend Who Didn't Exist. And that is my pick of the week.
CAROLE THERIAULT. Do you recommend it for me personally as well? Do you think?
GRAHAM CLULEY. For you personally? Yeah. Yeah, well, I found it interesting. I thought it was a good documentary. Why not? Yeah. Okay. Oh, well, you've still got to watch Into the Spider-Verse.
CAROLE THERIAULT. That's true. Although I've been asking other people about it and asking, saying that two people were waxing lyrical and they're like, really? I don't. So that was really interesting for me.
GRAHAM CLULEY. Well, they're Philistines. They don't know what they're talking about.
CAROLE THERIAULT. Including my hosts at the moment where I am.
GRAHAM CLULEY. Oh, well, maybe they are too cool for Spider-Man. I do not know. It is all right. It is okay. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, mine's very cute. My pick of the week is Candy Hearts Comics.
Now, you know what candy hearts are, right? Those little sweets with cute messages on it, like, "Date me," "Super cool," "I love you," "Be mine." Remember?
GRAHAM CLULEY. Oh, yes. Yeah, yeah, yeah.
CAROLE THERIAULT. Well, there's this illustrator called Tommy Siegel, and he's used this kind of idea of these candy hearts to turn them into insightful little comics or illustrations. And they're pretty on point.
They touch upon things like dating, family life, parenthood, and everything in between. And it kind of, I don't know, it's hard to, it kind of, you're already looking at something.
GRAHAM CLULEY. Explain these.
CAROLE THERIAULT. You are, you are going to be explaining them. But they kind of focus on our miscommunication and assumptions. And they juxtapose those against our thought processes.
See what you say and what you think might be very different, and that exhibition would be quite cute. So Graham, I put a few in the show notes that I thought you can maybe choose one or two here to try and explain them.
GRAHAM CLULEY. All right, well, it's difficult. So these characters are all the heart shapes, rather like the candy heart sweets, and they're sort of in human situations.
And I'm looking at one right now where one of them has sent a message to the other, and the first one says, "OMG, that panda video is so cute!" And she's sort of full of love and everything, thinking, "Oh, I love cute animal videos." And the guy is replying saying, "Haha, I'm glad you like it." But inside he's thinking, "How do I tell them I'm a furry?" And he's sitting next to his panda costume.
CAROLE THERIAULT. They're very cute, aren't they?
GRAHAM CLULEY. They are cute. There's another one of a couple of hearts sat on a sofa together.
They're in love and there's a little baby heart sat on the floor with a rattle in between them. And one of them says, "We won't mess up." And he said, "No, no, we will not mess you up." "Oh yeah, we won't mess you up, like our parents messed us up." And the baby is thinking, "Yeah, I'm a whole new kind of fucked up going on." You have to see these, right? So where can people see these, Carole?
CAROLE THERIAULT. So you can actually literally use your search engine and type in Candy Hearts Comics and they'll come up. Or you can go on the Twitter universe and go see them there.
Or you can even buy Tommy Siegel's book. I have seen them online. They happen to be in one of my feeds, and I thought they were very sweet. We all did, in fact. I shared them around. So that is my pick of the week: Candy Hearts Comics by Tommy Siegel. Check it out.
GRAHAM CLULEY. Very cute. He should do these as sort of greeting cards as well.
I think they'd work very well that. You know, you'd buy them and give them to people because they're fun. A lot of greeting cards try to be funny but aren't actually funny. Have you noticed that?
CAROLE THERIAULT. Yeah, a bit like some co-hosts.
GRAHAM CLULEY. Oh, charming.
CAROLE THERIAULT. Funny.
GRAHAM CLULEY. Well, Carole Theriault, thank you very much. And that just about wraps up the show for this week.
Listeners, you can follow us on Twitter @SmashinSecurity, no G, Twitter allows to have a G, and we also have a Mastodon account. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge, huge shout out to this episode's sponsors once again, Kolide, Drata, and Bitwarden, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 326 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye-bye. I'm gonna go back to my Aperol Spritz now. Well, I'm actually— I'm not drinking one yet, it's only 12 o'clock.
GRAHAM CLULEY. It's a bit early in the morning for that, is it?
CAROLE THERIAULT. That's my plan later.
GRAHAM CLULEY. Okay, well, enjoy the rest of your holiday, Carole.
CAROLE THERIAULT. Thanks, I will.
-- TRANSCRIPT ENDS --