
339: Bitcoin boo-boo, deepfakes for good, and time to say goodbye to usernames?


Deepfakes are being used for good (perhaps), common usernames could pose a security threat, and someone has paid a $500,000 fee... just to send $1,865.

Oh, and our guest mentions Mr Blobby (to the horror of the show's hosts...)

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Warning: This podcast may contain nuts, adult themes, and rude language.


Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Moonlock — cybersecurity wing of MacPaw. Developers of the antimalware tech in CleanMyMac X — Moonlock Engine.
  • Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. And you think, well, hang on, even though we're booking online, and surely this is more cost-effective for you than having a real person take my order over in person on the telephone, I'm gonna have to pay several pounds more per ticket to go and see some god-awful superhero movie.


CAROLE THERIAULT. Graham, you realize that we're on the show right now. This is not just a conversation of you calling me up and having a whinge. You know that.


GRAHAM CLULEY. Smashing Security, Episode 339: Bitcoin Boo-Boo, Deepfakes for Good, and Time to Say Goodbye to Usernames, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 339. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And I'm delighted to say that we are joined today in the hot seat by someone whose reputation stands before him.


CAROLE THERIAULT. What does that mean?


GRAHAM CLULEY. Someone whose long, long career in the world of security podcasting knows no equal. It is, of course, the CyberWire's Dave Bittner. Hello, Dave.


DAVE BITTNER. Well, I don't know how to follow up an introduction that, so I'll just say thank you for having me.


CAROLE THERIAULT. It's a pleasure to have you, Dave.


DAVE BITTNER. It's nice to be back.


CAROLE THERIAULT. Because we had a quiet summer. It was just the Graham and Carole show during August, wasn't it?


DAVE BITTNER. It was.


GRAHAM CLULEY. Drove the listeners mad. When are they going to get a guest back on?


CAROLE THERIAULT. But before we kick off this show, let's thank this week's wonderful sponsors: Kolide, Moonlock by MacPaw, and Gigamon. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about paying unnecessary additional fees.


CAROLE THERIAULT. Okay. And what about you, Dave?


DAVE BITTNER. I'm going to say you'll catch more flies with honeypots than vinegar.


CAROLE THERIAULT. And I'm going to examine whether deepfakes can be good. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I don't know about you, Dave. I don't know about you, Carole, but I hate paying a little bit extra. I like a good deal. I like shoving it to the man and thinking that I have got a way ahead.


CAROLE THERIAULT. Okay.


DAVE BITTNER. Agreed? Sure.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. You're thrifty.


GRAHAM CLULEY. Because—


CAROLE THERIAULT. Well, cheap. There's two words here, Graham, right? There's frugal and there's cheap, right?


GRAHAM CLULEY. I just don't wanna pay any additional expense.


CAROLE THERIAULT. Right, you don't wanna give anyone anything extra, just the exact requirement.


GRAHAM CLULEY. Let me tell you what happened to me.


CAROLE THERIAULT. So how do you tip people?


GRAHAM CLULEY. Let's not get into that.


CAROLE THERIAULT. I know how you tip people.


GRAHAM CLULEY. Very generously, very generously. Let me give you an example. The other day I picked up someone from the airport, right?

I went to Gatwick Airport. Oh my God, what a drive.

Anyway, you eventually get to Gatwick Airport. Now, all I want to do is just pick them up, right?

They're there. So, I think, where do I go?

And I haven't been to Gatwick Airport in a car for a while. And so, I think, well, I can just go to the drop-off place and pick them up there.

I'll just tell them, come, arrive there. And I get there, and they're there, and they jump in the car, and off we drive.

You think that's the end of it. Two months later, I get the bill come through, which says that I have to pay £100.

Because I went into this particular zone where apparently you can't drive unless you've pre-booked in advance or you pay within 24 hours or something like that. I didn't see a sign.

And because I lease my car, the original bill went to my car agent and then they forwarded it on to me. But that arrives at my desk more than 14 days after the time limit, which means I don't get the cheapo fee of just £30.

I have to pay the full £100. Right?

I was a bit annoyed.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. Would you feel a bit annoyed? £100 picking up someone from the airport?

I would feel a bit annoyed.


CAROLE THERIAULT. You see, I'd be thinking, if I haven't got in the right place, they're probably going to charge me.


GRAHAM CLULEY. Maybe it wasn't very clearly signed.


DAVE BITTNER. Yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Maybe it wasn't very—


CAROLE THERIAULT. You have small eyes. We've established that before.


DAVE BITTNER. I'm sure it was their fault.


CAROLE THERIAULT. Yeah, it was definitely their fault.


GRAHAM CLULEY. Another example. Another example.

I decided— I've moved house recently. I decided that the current washing machine is rubbish.

And so I need a new washing machine. So I go on the review sites, I found a shortlist of good washing machines.

I found what I wanted. And then I tried to find the best price for it online.

Oh, hello, I found one with £50 less than other people are selling for. Great, I think I'll buy it from them.

So I went through the process of buying it online. And it turns out the price I'm paying isn't actually what I imagined it was going to be.

Because it turns out that what I'd quite like is for them to take away and recycle my old washing machine as well, right? So while I'm going through the checkout process, oh, that's an extra 20 quid.

Fair enough, I think. That's an extra service that they're offering.

And then they say, well, would you like the washing machine delivered to a particular room? Yes, I would.

I'd like it delivered to the kitchen. No, I don't want it in the bedroom.

So yeah, that'll be an extra 20 quid.


CAROLE THERIAULT. Oh, they were offering to take it upstairs, were they? And you had to redirect them.


GRAHAM CLULEY. Would I like it unpacked? It says.

Yes, I would like it unpacked. And silly old me, despite requesting all of these things, when I was going through the checkout—


CAROLE THERIAULT. You didn't see that it added money to your end number?


GRAHAM CLULEY. No, I did. I thought, okay, begrudgingly, I will tick those boxes.


CAROLE THERIAULT. Begrudgingly is the word.


GRAHAM CLULEY. Well, and one of the things which I forgot, which didn't appear to me when I was checking out, but only when they called me up afterwards to find out, well, why are you changing your washing machine? What was wrong with the past washing machine? All these questions, none of their business. Right? They said, "So, you know, you want your washing machine delivered?" "Well, yes, I want my washing machine delivered. I'm not going to travel to the Outer Hebrides to pick it up." Oh, you didn't want to give them your address though? No, I gave them my address when I was booked and everything else.

Turned out I hadn't ticked the box for delivery. So that's an extra £30. Not for quick delivery, that's just for any kind of delivery.


CAROLE THERIAULT. Oh, so that—


GRAHAM CLULEY. So now I'm getting closer to the price that the other people were going to charge me, who weren't going to add all these on at the end. And so I thought, I've now got it all sorted, right? I've got the new washing machine unpacked. It's been— the old one can be removed and recycled. And yes, I've even dared to ask for it to actually be delivered to my place of residence.

But what I've forgotten to do is say to them, oh, would you also mind uninstalling the old washing machine and plumbing in the new one? Because it's an integrated washing machine, right? Extra cost of that, £130. And so I've got the hump now, right?


CAROLE THERIAULT. Did you meet up with any other adult in this process? Because all you do is get yourself in a big tizzy thinking everyone's ripping you off and you just sound like a whiner. And we've been going for 8 minutes so far.


GRAHAM CLULEY. I got the hump. I canceled my order, right? And so I ended up going online to go to my usual retailer. And I actually ended up buying a much more expensive washing machine than I'd originally planned. But I felt vindicated that I'd got everything I wanted.

And what about when you get an air ticket for a budget airline, you find out there's additional booking fees, or if—


CAROLE THERIAULT. Yeah, if you've been living under a rock for the last decade and haven't encountered these.


GRAHAM CLULEY. This is what I'm fed up with. Or that you want to take luggage which is larger than a bum bag with you.


CAROLE THERIAULT. Don't go on a budget airline then.


GRAHAM CLULEY. Well, yes, exactly. But you've been lured in, haven't you? Been lured in by the low cost. You didn't realize that if you wanted to use the lavatory, or you want oxygen on this plane at 30,000 feet, that's going to cost you extra as well.

So, all the time, or booking theater tickets, okay? And you think, well, hang on, even though we're booking online, and surely this is more cost-effective for you than having a real person take my order over in person on the telephone. I'm going to have to pay several pounds more per ticket to go and see some god-awful superhero movie.


CAROLE THERIAULT. Graham, you realize that we're on the show right now. This is not just a conversation of you calling me up and having a whinge. You know that.


DAVE BITTNER. Forgive me. Do you— forgive my across-the-pond ignorance here, but do you all have Ticketmaster in your neck of the woods?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Exactly. Ticketmaster, they're the worst, aren't they? Yes. Finally, Dave, you agree with me.


DAVE BITTNER. They're the poster child for this sort of thing.


GRAHAM CLULEY. Yes.


DAVE BITTNER. So their grasp has extended globally.


GRAHAM CLULEY. Awful. They're awful. So sometimes, though, additional fees have a purpose. For instance, and we're coming back to the security angle of this podcast here.


DAVE BITTNER. Thank God.


GRAHAM CLULEY. Bitcoin fees. So when the Bitcoin blockchain was all dreamed up, part of the plan was to include transaction fees. So these weren't just designed to fill someone's pockets with lots of bitcoin, but rather to deter people from flooding the network with transactions and spam and also incentivize miners to validate transactions and add it to the next block of the blockchain.

So this is part of the process. You put a little bit of Bitcoin there along with it. So Bitcoin transactions require a small fee, which is paid to the miners that confirm them. And if you are in a rush to get your Bitcoin transaction processed, you might pay a higher fee. So imagine you want it to be processed in 20 minutes rather than an hour and a half.


CAROLE THERIAULT. Because I need that money right now.


GRAHAM CLULEY. Right. Some people do. But generally speaking, not always, the higher the transaction value, the higher the transaction fee.


CAROLE THERIAULT. It's a percentage, I'm guessing.


GRAHAM CLULEY. Yeah. Many cryptocurrency exchanges, they won't allow you to choose how much you pay, because you can choose how much you pay. Instead, they will have a predetermined fee, and that's how they make their millions and millions, is scraping off the top and then using the rest to make payments.


CAROLE THERIAULT. Well, we've seen it with banks for millennia, so, well, maybe not millennia, but you know, banks have been doing it for a long time.


GRAHAM CLULEY. The thing is this, if you are a more experienced cryptocurrency dealer, it's quite possible that you choose what you want to pay rather than using a cryptocurrency exchange. And that brings me to today's story because someone has just paid a fee to transfer $1,865 worth of bitcoin.

So $1,865 worth of bitcoin.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. What kind of fee do you think they paid?


DAVE BITTNER. Hmm.


GRAHAM CLULEY. What would seem plausible to transfer that sort of amount of money? $10, maybe?


DAVE BITTNER. Sure.


GRAHAM CLULEY. Well, yeah.


DAVE BITTNER. A couple— 1%, something like that. Yeah.


GRAHAM CLULEY. Right. What about $500,000?


DAVE BITTNER. Seems excessive.


CAROLE THERIAULT. I'm guessing you choose not to do it at that time.


GRAHAM CLULEY. Well, this particular person, they chose what their fee was. They chose to pay $500,000 to transfer $1,865 worth of Bitcoin. So they paid 19.82 Bitcoin to transfer 0.074 Bitcoin. In other words, they spent 270 times more than the transaction value to pay the fee.


DAVE BITTNER. Why?


CAROLE THERIAULT. Well, yeah, I'm guessing we're going to find out about the scam now.


GRAHAM CLULEY. Well, Ticketmaster aren't involved. That's your initial thought, is they must be somehow involved in this.


DAVE BITTNER. Right.


GRAHAM CLULEY. So it does seem a little excessive. So how on earth did this happen? Well, on Twitter, a bitcoiner called Jameson Lopp, which I think is a really cool name, it sounds a bit like Mobius strip.


DAVE BITTNER. Right. Or a street on the Apple campus.


GRAHAM CLULEY. He speculates that some buggy software might be to blame, either in the payment process or the cryptocurrency exchange. Or maybe someone put a decimal point in the wrong place.


CAROLE THERIAULT. How do you do that?


GRAHAM CLULEY. I'm not sure.


CAROLE THERIAULT. You have a heart attack and fall on your keyboard on the zero. You know, your nose tip.


GRAHAM CLULEY. Maybe.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Or maybe they mixed up the fields. Maybe they were planning to transfer $500,000 and pay an $18.65 fee, and they put the wrong numbers in the wrong fields.


DAVE BITTNER. Well, then no problem.


CAROLE THERIAULT. Yeah, I guess the exchange could give it back to you, say, "That's a ridiculous transfer fee." They've made the commitment by then.


GRAHAM CLULEY. And the fee has been lodged.


CAROLE THERIAULT. And it ain't regulated, as we've discussed many times.


GRAHAM CLULEY. So this is something of a mystery. What we do know is it isn't a newbie, because this particular cryptocurrency wallet, although we don't know who they are, they've made over 120,000 other transactions in the past. Nothing quite as bad as this.

So it looks automated. It looks like this is something which is done as a process. So it doesn't seem like it's simple finger fumbling which has gone on. But clearly someone has somewhere written some software which doesn't do a sanity check about the amount of the fee being paid being so much larger than the amount they want to transfer.


CAROLE THERIAULT. I think you're missing it. I think they were actually going to be collecting the transfer fee somehow. You don't know what this person is or what their job is or—


GRAHAM CLULEY. I don't think that's how it works. So the transfer fee gets sent ultimately to other people mining on the blockchain.


CAROLE THERIAULT. Right, so it gets dispersed.


GRAHAM CLULEY. And it's split between them.


CAROLE THERIAULT. Oh, right.


GRAHAM CLULEY. Yes, it gets dispersed. So this transaction happened on September 10th, 2023 at 5:10 PM UTC. So it's 10 past 6 in the evening UK time.

The mining pool that was used to process the transaction, they're called F2Pool, and they've said that they are giving the sender 3 days. So until Wednesday, September 13th at 5:10 PM UTC. Unfortunately, just before this podcast is released. So my attempts to warn someone are going to fail. I'm sorry if this is bad news that you're hearing this.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And after then, it's just gonna be transferred and distributed amongst miners on F2Pool. So this is quite an expensive lesson for some people.


CAROLE THERIAULT. Maybe it's a Robin Hood moment. Maybe they're like, hey, give it to the people, give them the money.


GRAHAM CLULEY. It's a charitable act.


CAROLE THERIAULT. Yes, and some people are, Graham. Some people, right? Don't sit there trying to save $2 every time they're trying to buy something—


DAVE BITTNER. Wow.


CAROLE THERIAULT. It's true.


DAVE BITTNER. How did this come to light? Are there folks out there who are just keeping an eye on the blockchain for unusual transactions?


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. That's exactly what's going on. People with even less of a life than people who appear on security podcasts.


CAROLE THERIAULT. Less than a life than, you know, trying to fill in a washing machine form and missing the, can you do the plumbing, please?


GRAHAM CLULEY. Dave, what's your story for us this week?


DAVE BITTNER. My story comes from a website called GovInfo Security, and this is written by Matthew Schwartz, and it's about usernames being a potential security issue here. Now, before we dig in here, let me, I'll ask each of you this question. What do you suppose, and we're talking about usernames and passwords, right? The way to log into a system from about as far back as certainly I remember, right? BBS days, right? Username and password, username and password. We still use it today.

What do you suppose the most common username is? You have to guess.


CAROLE THERIAULT. Admin.


DAVE BITTNER. Admin, excellent guess.


GRAHAM CLULEY. It could be something like John Smith, I suppose, or a common name.


DAVE BITTNER. Not as good a guess.


CAROLE THERIAULT. E.g., John Smith, you know? They have the example thing.


DAVE BITTNER. Actually, Graham, I'm surprised that you're not acing this—


GRAHAM CLULEY. Your email address.


DAVE BITTNER. Oh, I know what it is.


CAROLE THERIAULT. No, no, no, no. It's username. What's username?


GRAHAM CLULEY. Oh, username. Enter username and password. Yes. Root.


CAROLE THERIAULT. Oh, good one.


DAVE BITTNER. Ding, ding, ding, ding, ding, ding, ding.


CAROLE THERIAULT. Ah, right.


GRAHAM CLULEY. Graham got it.


CAROLE THERIAULT. Yeah.


DAVE BITTNER. Root is it. So this story centers around a gentleman named Jesse La Grew, who is the chief information security officer at Madison College in Wisconsin, and he also helps out the folks at the SANS Institute with their Internet Storm Center.

He runs a honeypot. And over the past 16 months, he's collected over 3.7 million usernames via attacks that targeted his honeypot.

And the most popular is root, accounting for 48% of all the login attempts. Graham, why do you suppose root is so popular?

Any guesses?


GRAHAM CLULEY. Well, because the root account is a powerful one to have.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. If you manage to break into it.


DAVE BITTNER. And it's the default username in Linux.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. For SSH. Yep, yeah.

Logging in. So 48% of all login attempts used the name root.

Wow. This honeypot also was logging the password attempts.

Let's guess again. What do we suppose the most common password attempts were here?


CAROLE THERIAULT. Password 12345.


DAVE BITTNER. Yeah, yeah.


CAROLE THERIAULT. Root.


DAVE BITTNER. Root also, yes.


GRAHAM CLULEY. Yes.


DAVE BITTNER. Yes, root. Carole Theriault, you are correct, 123.

But there is an odd thing here. The most popular password tested by attackers was 345GS5662D34.

I have to look at my keyboard now.


CAROLE THERIAULT. Oh.


DAVE BITTNER. And nobody knows why. So there's— it's 345GS5662D34.


GRAHAM CLULEY. Is that perhaps the default password used by a particular piece of software or hardware if people don't change it?


DAVE BITTNER. Could be.


GRAHAM CLULEY. Could this be some sort of targeted attack against one particular device, which his honeypots are picking up time and time again?


DAVE BITTNER. Right. Well, the strongest suggestion so far is that it might be the foreign equivalent of a phrase "my password" being entered into a non-English keyboard.

So in other words, if you're using, oh, I don't know, let's just choose a random part of the world, Russia. If you're using a Cyrillic keyboard, perhaps that's the equivalent of that.

Yeah, I don't know, but for whatever reason, that is the thing.


GRAHAM CLULEY. Listeners, get in touch if you've got any theories.


CAROLE THERIAULT. I'll give my theory. I think it might be something visual.

If you drew it out, it makes probably a penis or something.


GRAHAM CLULEY. Of course.


DAVE BITTNER. Pair of boobs.


CAROLE THERIAULT. Of course.


DAVE BITTNER. Always.


GRAHAM CLULEY. What a surprise, Carole, that that's your theory.


DAVE BITTNER. I didn't count on you, Carole.


CAROLE THERIAULT. Oh yeah, that I would do that.


DAVE BITTNER. Yes, she's always going for the smutty answer, isn't she, Graham? So my question here is, should we be restricting default account names?

Does it matter that we have an easy-to-guess username if our password is strong? That's my question for the two of you.

Does it matter?


CAROLE THERIAULT. It matters. Well, from my point of view, you have two shots, right?

You got to get both right. And if one's a giveaway, 50% of the time, it's kind of, you know, you're making it way easier.


GRAHAM CLULEY. No, certainly I've read best practices before with particular pieces of software I've run on servers where they've said, look, this is how you log in. This is the username.

Obviously change the password, but when you read the best practices, it says also change the administrator username. You know, why use the same administrator username?

It makes sense. And so on my website, for instance, I don't use the standard administrator username.


CAROLE THERIAULT. But not everybody reads everything. Remember Graham, the airport story, right?


DAVE BITTNER. Right. But this leads me to, should these systems require that you change the default? Should you be allowed to leave the default as the default? Or not.


CAROLE THERIAULT. Yeah, I'm thinking of the other way around. Why would they have it as a default? You know, why would they even give a default?


DAVE BITTNER. Well, I mean, I guess you got to ship with something.


CAROLE THERIAULT. Okay.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. You got to start somewhere. I mean, the first thing that happens when you power the device up is it says, choose your login name and your password and doesn't even have a default entered in the system at all. That's, that would be an option.


GRAHAM CLULEY. Yeah, maybe.


DAVE BITTNER. But of course you also have to have something to fall back on. So if someone does a hard system reset, there should be some way to establish the system as if it were new. And so perhaps that's part of the motivation here as well. You have something that you can use.


GRAHAM CLULEY. Another thing here is so many websites, they require your username to be your email address. And so there is the potential for privacy breaches to occur because people can see that you're a member of one particular website or a forum and they can see where else you may have accounts. And that can, you know, there is an attraction in being able to choose your own usernames to remain a little bit more private.


DAVE BITTNER. Sure. Again, thinking back to the old BBS days when everybody used handles instead of their real names.


GRAHAM CLULEY. And now there are privacy services built into things like iOS. So on modern iPhones now, it will actually say you don't have to use your actual email address if you're worried about spam or whatever else. You know, they will give you an email address which will then forward to your real email address. So there is some more privacy there, which I don't know how many people use that, but it seems like it could be a good idea.


DAVE BITTNER. Yeah. So in this article, they also talked to Johannes Ullrich, who's the Dean of Research at SANS, and he also founded the Internet Storm Center. He's host of their daily podcast, also regular guest on the CyberWire podcast and personal friend of mine. Plug, plug, plug.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. Johannes makes the point that this all comes down to strong passwords and multifactor authentication, that you shouldn't really worry about your username as being something secure as long as your password is secure, but then also it's backed up by some form of multifactor. He also makes the point that nobody should be using FTP anymore. But this article points out that Rapid7, back in 2018, they found that there were 21 million FTP servers still running out there. And I think, you know, I think it's one of those things that if it ain't broke, don't fix it, and people don't often consider something that's been in use for a long time.


CAROLE THERIAULT. Or they forget.


DAVE BITTNER. They just keep on using it.


CAROLE THERIAULT. How much digital stuff have people just left online somewhere without no one, the person who was in charge got fired, left, forgot about it. No one knows about it. It's just sitting there humming away.


DAVE BITTNER. Right. So I wanted to pivot though, then to passkeys. And I was curious if either of you had any familiarity with passkeys, if you've experimented with them, if you added them with any of the accounts that you have. I guess I should back up and say, if you even know what they are.


GRAHAM CLULEY. So Passkeys are pretty cool, aren't they? They're the new development on the sort of password front, trying to make it a more seamless experience to log into sites without having to scrabble around. I must admit, I've played with it. I haven't actually set any of them up yet, so I'm not trusting them yet.

And that's partly because some of the technology which I use isn't completely compatible yet with the Passkey experience. And I'm worried about being maybe locked out from some of my devices, from some of my accounts.


CAROLE THERIAULT. So I don't know if I'm familiar. Is a Passkey something like your iPhone might say to you, I'll save that for you, I'll create it, and then you can just go in and go out and your phone manages it for you? Or is it something different?


DAVE BITTNER. Yes. So rather than having a username and password that you would enter, it takes care of everything behind the scenes and you would just use something like Face ID to log in. So the combination of Face ID and you being in physical possession of your phone, the key exchange happens behind the scenes.

You don't even see it, but it is quite secure. This all comes through the FIDO Alliance. So it's good stuff. The big players have all jumped on board. I think it's probably being mostly led by Apple. It's built into iOS now, but Google and Microsoft, they're on board also. I think what's going to have to happen is the password managers are going to have to adopt it. And I know a couple of them have, but not all of them have yet. So I think once they get on board, boy, that'll be convenient to be able to do that. Graham, just like you, I've been Passkey curious, but I have not jumped in with both feet. And I actually found it hard to wrap my head around some of the details. So I sought out someone to talk to, and I actually interviewed a guy named Chris Sherwood. He's from a company called Crosstalk Solutions. If people are interested, we'll have a link to that interview in the show notes. And then also I included a link to the Wikipedia page and the page from the FIDO Alliance on passkeys. So I'm hoping that passkeys catch on and they become the future here because it seems to me like jettisoning this whole username password dance could ultimately be a good thing for folks. But like you, Graham, I've just, it's hard. It's hard to trust it so far. I know it has all of this pedigree behind it, all these good organizations, but I'm still not quite there emotionally. And I don't know, and I should be, but I think I trust it.


GRAHAM CLULEY. I think it hasn't been completely integrated into all of the browsers yet on all of the different platforms. And that's what makes me a little bit nervous. LastPass, the password manager I support, appears to be making a big push in this area. They're making a lot of noise about this, and they view this as their future, and I have confidence in them.


CAROLE THERIAULT. But why wouldn't you use it though, on your phone with apps that you care less about, right? But you could just trial it out on that, on the iOS.


DAVE BITTNER. Yeah, you can.


CAROLE THERIAULT. Because I'm doing that, and it works for me brilliantly, because you can just delete the app and come back and it'll remember. Which is useful.


DAVE BITTNER. Yeah. You're more adventurous than either of us, Carole.


GRAHAM CLULEY. She is. We're just curious. She just leaps in. That's right.


DAVE BITTNER. She just jumps in, dives in headfirst. You go first, Carole. Tell us how it goes.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Deepfakes. So when I say deepfakes, when I say that word, what comes to mind? Just give me a little brainstorm. Dave, maybe you go first.


DAVE BITTNER. I would say images of celebrities doing things that celebrities usually don't do publicly.


CAROLE THERIAULT. That's good. Graham, anything to add?


GRAHAM CLULEY. Like they deepfaked Tom Cruise to appear like he's a human being. That kind of thing.


CAROLE THERIAULT. Yeah, it's tied to all things crappy, isn't it? Do you know its origins are in the porn world? As the entire internet, I'm led to understand. Is that right, guys?


DAVE BITTNER. Every major technological breakthrough has started or at least been popularized— I knew that you'd know more about that than I would. Or so I've heard.


CAROLE THERIAULT. So the worst of deepfake world is deepfakes used for child sex exploitation, right? So even actually Australia is proposing a new industry code that would require big tech firms. So the Googles, Microsofts, Microsoft Bing, DuckDuckGo to eliminate child abuse material from their search results and take steps to ensure generative AI products can't be used to generate deepfake versions of the material.

But equally crappy is sex exploitation of any person, you know, either to cyberbully or decimate someone's reputation or shame. The Conversation last year said that the majority of deepfakes on the internet were assaults on women, grabbing facial images without consent, inserting them into pornographic content.

A deepfake expert found that 96% of deepfakes found online were pornographic, and 100% of those were video images of women. It's crazy, right?

Plus, we have deepfakes designed to spread disinformation, misinformation, and to undermine. Apparently, this is called the liar's dividend. Did you know this term?


DAVE BITTNER. No.


CAROLE THERIAULT. Yeah. So the liar dividend, the liar's dividend, is the idea that when anything can be faked, people who are lying, so claiming that something true is actually false, have the power because they benefit from the undermining of our trust in all images in this case.


GRAHAM CLULEY. Ah, exactly. It wasn't a video of me groping that woman. It must have been a deepfake.


DAVE BITTNER. Right, fake news. Fake news.


CAROLE THERIAULT. It's like Trump saying that he never met alone and hung out with Jeffrey Epstein ever in his life, right? The message is ultimately you can't trust what you see, but you can trust me because I'm calling out the liars who took— who deepfaked the pictures.


DAVE BITTNER. Who are you going to trust, me or your lying eyes?


CAROLE THERIAULT. Exactly. Exactly. But what about deepfakes for good? So as synthetic media and deepfakes take off, there's potential in various fields coming to roost.

So one of them, for example, would be healthcare.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So an example is a Ukrainian company called Respeecher, which is developing deepfake voice technology for patients who are unable to speak. So they're creating more expressive, realistic voices to replace the robotic-sounding prototypes we had during the '90s and noughties.

And there's also cultural implications. Graham, I think you went to an art show where there was some AI stuff.

I don't know if it was deepfake, but at the Dalí Museum in Florida, they have a deepfake Salvador Dalí welcoming visitors, telling them about himself and his art. And the idea is that it gives visitors a sense of immediacy and closeness and personalization.

You know, deepfake Dalí even offers you a chance to take a selfie with him.


GRAHAM CLULEY. Oh my goodness. You see, I find those things a little bit irritating. It's a little bit like there are adverts on the—


CAROLE THERIAULT. No, you don't find something irritating.


GRAHAM CLULEY. I do. I do. I have to admit it. There's adverts on British TV where Albert Einstein is in the bath recommending we all get a smart meter installed for our electricity. And I think, well, that isn't Albert Einstein. How can they pretend that this is Albert Einstein in the bath telling me this? This is outrageous, I think. And it's all been done with deepfake technology.


CAROLE THERIAULT. Yeah, they've done that as well with Marilyn Monroe with the chocolate bar. I think it was Galaxy that gives—


GRAHAM CLULEY. Audrey Hepburn.


CAROLE THERIAULT. Oh yes, Audrey Hepburn, yeah. And this, in terms of deepfakes for good, this one's close to my heart. So research engineers Kate Glasgow and Wee Wei Jiang are using deepfakes to help people with aphantasia, the inability to create mental images in your mind. And I'm super keen on that because I recently learned of my own aphantasia.

I have zero visual mental ability, zero. And apparently it's 2 to 3% of the population.


GRAHAM CLULEY. So how does that exhibit itself, Carole? What does that actually mean? You've got—


CAROLE THERIAULT. Well, I will put it— I'll put a little test in the show notes if anyone wants to have a play. But effectively, things I'd say, close your eyes and imagine either a color or a shape or a face that you know very well. And then you build a mental image of that, I guess.

And then you would then say, oh, it's super clear, super vivid. I can see all the lines, the colors. I can see movement. Some people can see actual, you know, have movies play, you know, play a scene. I just never understood that when they said picture this in your head, that people actually—


GRAHAM CLULEY. That's really weird because you're an artist. I mean, you— I know you have your paintings exhibited. How are you managing to do this? It's fascinating.


CAROLE THERIAULT. Well, don't worry, I'm going to get in touch with Kate and Wee Wei and say, guys, guys, guys, guys, help me out. It'd be amazing to be able to close my eyes and see color and shapes and stuff. I just, it's nuts.

Anyway, but my big question for you two today is whether the following use of deepfake is for good, because they're definitely trying to advertise it as for good. So synthetic avatars can be used in advertising and internal communications. So this limits the cost of producing and filming and translating videos, right? That's the idea. And there are a smattering of companies that are popping up trying to sell this service. So basically trying to say, have a deepfake. But because deepfakes have such a bad reputation in what they are on the internet, a lot of them are straplining their websites with deepfake for good on their homepage. So Synthesia do this and DeepBrain AI do this.


DAVE BITTNER. Why even use that word? I guess for SEO. I don't know.


CAROLE THERIAULT. Yeah, I guess people don't know synthetic avatars as well. You know, it's more commonplace. So Axios recently published a story about a company which is granting access to its deepfake tech to the public.

So the idea is to provide a quicker, cheaper, easier alternative to recording everything from customized marketing to instructional videos. And you go to the website, the company is called HeyGen, and it says, no camera, no crew, no problem. Create videos from text in minutes with AI-generated avatars and voices.


DAVE BITTNER. Hmm.


GRAHAM CLULEY. Isn't this going to put actors and voice artists out of work?


CAROLE THERIAULT. Sure it is, absolutely. It's going to have a huge impact. So the way it works is to create a personalized avatar, you would send HeyGen a 2-minute video of yourself speaking into a camera. Your smartphone's fine, along with another video giving consent for the company to do its thing.

Then HeyGen returns a digital avatar that you can use to generate videos by typing the words you want to speak into a text box. And there is a content filter apparently that blocks explicit or violent content. So is it just me, or I don't know, I don't like the idea of an AI-generated something selling me or training me without me knowing that they are a generated AI?


DAVE BITTNER. Well, this is an issue with the writers' strike right now, the actors' strike, where the studios were saying that they wanted to do 3D scans of all of the extras in movie production and then be able to use those scans forevermore. So pay you for one day of work and then we'll use your body, your image in the background of all of our movies at our discretion.


CAROLE THERIAULT. Yeah, I can understand why people are upset by that. I was going to say a swear word there.


GRAHAM CLULEY. I'm conflicted over this because on one hand, I want to fight my curmudgeonly natural— Do you?


DAVE BITTNER. You?


GRAHAM CLULEY. Well, no, I'm not sure I do actually. But you know what? On the one hand, I kind of think, well, technology moves on. We need to use technology to do clever things which aren't criminal and all the rest.

At the same time, I remember when the wheel was invented and we stopped— Oh, do you? People who used to make a living giving people piggybacks were suddenly out of business because now there were carts and wagons and things like that which could be pulled instead.


CAROLE THERIAULT. That's an excellent analogy, Graham. I think we're all with you on that one.


GRAHAM CLULEY. And similarly, with deepfake, it's inevitable that this is coming along. So I can understand why people are striking and really upset about this. And I'm very sympathetic with that. Yeah, it gives me a queasy feeling too, Carole.


CAROLE THERIAULT. The thing I was thinking about is so the rules say, you know, no explicit, nothing violent, but that doesn't rule out misinformation, does it? So what if your deepfake account gets hacked by an unauthorized third party? I mean, of course, I know this will never happen to any of them.


GRAHAM CLULEY. No, definitely not. Definitely not.


CAROLE THERIAULT. But humor me for a second, right? Let's imagine, Graham, you had this service on your device and I got access 'cause I came over for a cup of tea, and you never logged out. And I put in the text box saying, "Dave Bittner is a boob. Let me tell you why." And I insert a few fat lies in there.

And then I fire that over to Dave, and it's your face, your gob, spouting out all this stuff that I put in the text box. And, you know, Dave might find out it's a deepfake, but he'll also, I don't know if he'll trust you the same way again. I don't know if he would.


DAVE BITTNER. No, it all sounds very plausible to me that Graham would say those things about me. So, oh, that's our Graham. There he goes.


CAROLE THERIAULT. You see, Graham, everyone wants to forgive you all the time. Even if you call them a boob. Even if you call them a boob.


GRAHAM CLULEY. In a world where technology and human life are intertwined, cybersecurity is just, well, security. Keeping your memories and conversations safe shouldn't require cyber expertise.

Technology is for everyone. Cybersecurity should be too.

So if you're concerned that your iPhone is listening to you, want to know how to defend yourself from WhatsApp scams, or keep track of the latest Atomic macOS stealers, visit smashingsecurity.com/moonlock. At Moonlock, you'll find useful tips on how to stay safe and protect your loved ones in the technology-powered world.

Moonlock by MacPaw, cybersecurity tech for humans. So go visit smashingsecurity.com/moonlock right now, and thanks to them for supporting the show.


CAROLE THERIAULT. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common.

It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials.

But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.

Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.

You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic. Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations.

Find out more. Download the report today at gigamon.com/smashing.

That's G-I-G-A-M-O-N.com/smashing. And thanks to Gigamon for supporting the show.

And welcome back. Can you join us for our favorite part of the show?

The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Last week I had a nitpick of the week, which was all about induction hobs with knobs and why don't they have knobs. It was fascinating.

I got feedback. Thank you to the listeners who sent me photographs of their induction hobs, claiming that they loved the touch controls on them and that they didn't need knobs.


CAROLE THERIAULT. Because they're human and normal and know how to use them.


DAVE BITTNER. You are just Mr. Major Appliance lately, aren't you?


GRAHAM CLULEY. As I am. As promised.

I'm going to give you feedback because I've now got myself an induction hob with a knob on it rather than touch interface, and it's great. I would like to make my pick of the week the Cookology induction hob with knobs.

It's an induction hob with knobs. What's not to like?

£179. A lot cheaper than the Smeg version.

There aren't many of them out there, but I'm very happy with it. And that is why it is my pick of the week.


DAVE BITTNER. Can I ask a question?


GRAHAM CLULEY. You may.


DAVE BITTNER. What's a hob?


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. It's a stovetop.


DAVE BITTNER. Ah, okay.


GRAHAM CLULEY. Yes. Yes. Where were you last week?


CAROLE THERIAULT. Can you put in your calendar an annual reminder that this is the day that you plugged in your hob? Presumably they brought it in and plugged it into everything. And that's all happened?


GRAHAM CLULEY. Yes. Yeah, that's all happened.


CAROLE THERIAULT. It's all plugged in.


GRAHAM CLULEY. Good.


CAROLE THERIAULT. You managed that one okay.


GRAHAM CLULEY. Well done. Yes. Yep.


CAROLE THERIAULT. Yep. Just because of the cost and everything, just why don't you just put in, we'll just check how it's going a year from now.


GRAHAM CLULEY. All right. Okay. We can make this a regular annual feature.


CAROLE THERIAULT. An annual feature. Hob with a bucket. I do not want to hear about your hob until then, though.


DAVE BITTNER. Okay.


GRAHAM CLULEY. All right.


DAVE BITTNER. Well, once a year, Graham checks in, tells us about his hob. So is this where the phrase hobnobbing comes from?


GRAHAM CLULEY. Could be onto something, Dave. Dave, what's your pick of the week?


DAVE BITTNER. Well, you know, I love British humor. I have a great appreciation for the comedy that comes from your side of the world, be it Monty Python, Fawlty Towers, even I've been known to enjoy The Benny Hill Show. Wow. That's good. Wow.


GRAHAM CLULEY. I thought you were going to say something Blackadder or The Thick of It.


DAVE BITTNER. Sure, yeah. Oh, Mr. Bean. Fabulous, fabulous, fabulous. Good stuff. Somehow, I don't know why, and I can only guess it's because of my appreciation for British humor, that YouTube decided that it was time for me to learn all about this thing that I did not know existed, and I wonder how my life was satisfactory without knowing it, and that is Mr. Blobby.


GRAHAM CLULEY. Oh my goodness. So how are we going to explain Mr. Blobby to people who don't live in the United Kingdom? I'm not sure.


CAROLE THERIAULT. Well, he's a ripoff of Barbapapa.


GRAHAM CLULEY. Oh, he doesn't look like that.


DAVE BITTNER. That doesn't help. That doesn't help as an explanation.


GRAHAM CLULEY. It's a man in a sort of polyurethane costume who's bumbling around. He's pink. He looks like a—


CAROLE THERIAULT. Well, it's a kind of flesh-tone pink with yellow polka dots.


GRAHAM CLULEY. Yes.


DAVE BITTNER. And it's one of those sort of inflatable outfits.


CAROLE THERIAULT. It looks like there's a fan. It looks like you could punch him and he would just rock back and forward, one of those—


GRAHAM CLULEY. You don't see his face, so you don't know who's inside the Mr. Blobby costume, but you know it's Mr. Blobby because he's crashing into everything and causing mayhem and destruction.


DAVE BITTNER. That's right. He is an agent of chaos.


GRAHAM CLULEY. And he was popular about 30 years ago, maybe 35 years ago on British TV.


DAVE BITTNER. Oh, is that right? Well, it takes a while for things to come over here. And he only says the word blobby. That's all he says. But he stumbles around and destroys things. And what I've gathered is part of the fun of Mr. Blobby is that he shows up when you least expect him on the TV shows where you would least expect him. Is that an accurate description, Graham?


GRAHAM CLULEY. That has happened. He used to be a fixture on a show called Noel's House Party. That's where he first became famous. There were a lot of stunts involving celebrities where the celebrities didn't know, but this was before Mr. Blobby became extremely well known, where this Blobby character would appear and chaos would ensue and the celebrity would be thinking, what's going on? It's a candid camera kind of thing. But then Blobby, his fame became absolutely enormous.


CAROLE THERIAULT. As big as his belly.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. All right. So for my American friends who have no idea what Mr. Blobby is, I'll include a link here for the top 10 WTF Mr. Blobby moments. Wow.


CAROLE THERIAULT. It is very odd humor. It's kind of, it almost feels very '60s in terms of its psychedelic everything.


DAVE BITTNER. Yeah, it's the pinnacle of British achievement, I think, right here.


GRAHAM CLULEY. Mr. Blobby.


DAVE BITTNER. So that is why Mr. Blobby is my pick of the week.


CAROLE THERIAULT. Do you have anything to whinge about with Mr. Blobby, Graham?


GRAHAM CLULEY. I think I'm all blobbied out, to be honest.


CAROLE THERIAULT. Finally.


GRAHAM CLULEY. One thing for maybe Dave to explore is that Mr. Blobby, who came from a place called Crinkly Bottom, there was a theme park and maybe a couple of theme parks which involved Blobby-type antics. Oh yeah, they're now derelict and overgrown. It was all a sort of financial disaster, but there's plenty for Dave to explore more if he's interested in Blobbyland.


DAVE BITTNER. Was there ever a Blobby Doctor Who crossover?


GRAHAM CLULEY. I'm sure there's been a comedy skit involving Doctor Who and Blobby. Yeah, that's almost— and he had a number one as well. He had a Christmas number one record, Mr. Blobby. So of course he did.


CAROLE THERIAULT. Yeah, there's so much.


GRAHAM CLULEY. There's a lot for you to dig into, Dave, if you're ready.


DAVE BITTNER. I have so much in front of me. What a world. What a life.


GRAHAM CLULEY. Just so much. Please restore some sanity. What's your pick of the week?


CAROLE THERIAULT. I will be restoring sanity with my pick of the week because it's a book, a book of fiction. Regular listeners know that I'm a fan of audiobooks. I've been plowing through them. Apparently I— I use the word experience when it's an audiobook. I feel weird about saying read, but I've experienced 57 in the last 12 months. So it's not bad going. Yeah.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. I don't sleep a lot. So this one, this last one was a real gem. It's called Lessons in Chemistry by a former copywriter, Bonnie Garmus. Have either of you heard of it, read it?


DAVE BITTNER. No.


CAROLE THERIAULT. Oh, well, I'm surprised because there was a huge hoo-ha when the book came out. Everyone's saying, oh my God, and it got a big name TV deal really early on. Everyone seemed to love it, and I in fact put off reading it because of the hype. You know, sometimes there's so much hype, you're just like, come on, come on.

So it was stupid of me because I've just now finally read it, and it's fabulous. Polished, funny, thought-provoking, beautifully knitted together.

So we've got a lead, which is a pioneering chemist named Elizabeth Zott, and her obvious talents mean that she should be at the top of her chem game, you know, getting huge research grants for all her cool explorations and discoveries. She's this no-nonsense dedicated researcher, but she's a she, and this is the 1950s set in California.

And as we access her inner life and outer experiences for about a decade, the reader gains an amazing understanding in what was normal just a few generations ago for men and women and how far we've come since then. And this isn't a men are shit and women are fab narrative. There are many characters with flaws, some unforgivably awful, on both sides of the sex divide.

But it's so, just so well done, and it's a real testament to copywriters becoming writers. Because as a copywriter, you learn how to be tight, you learn how to get rid of the riffraff, you learn how to tell a story. And it really shows.


GRAHAM CLULEY. Dave, that's quite a cultural pick of the week from Carole Theriault, isn't it?


DAVE BITTNER. It surely is, yes. My father-in-law was a research chemist, so perhaps we'll check this out.


CAROLE THERIAULT. I was thinking, Dave, I would love for you to read it. Graham, I'd love for you to read it as well. But if nothing else, recommend it to readers in your life.


GRAHAM CLULEY. I think Dave should read it rather than watch Mr. Blobby. That's what I'm thinking.


CAROLE THERIAULT. I think it's much, much better than Mr. Blobby, though not maybe as a phenomenon, right?


DAVE BITTNER. Oh, I don't know. It's a lateral move at best.


CAROLE THERIAULT. Yeah. Anyway, it's a beautiful, non-confrontational, non-preachy, non-aggressive way in understanding the journey of how we've managed to get to where we are. Lessons in Chemistry by Bonnie Garmus. It's my pick of the week.


GRAHAM CLULEY. Fantastic. You came here for the hobs, and you end up with the chemistry. And other magic like that. This is the wonder of the Smashing Security podcast. And that just about wraps it up for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?


DAVE BITTNER. You can go to thecyberwire.com, and I am also on Mastodon.


GRAHAM CLULEY. Terrific. And you can follow us on Twitter or whatever it's called these days. Elon Musk's fun palace, if you prefer. We are at @smashingsecurity, no G, Twitter doesn't allow us to have a G. And you can also make sure that you never miss another episode by following Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.


CAROLE THERIAULT. And massive thank you to this episode's sponsors, Moonlock by MacPaw, Kolide, and Gigamon. And of course, to our wonderful Patreon community, it's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 338 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye.


GRAHAM CLULEY. It doesn't make great audio.


CAROLE THERIAULT. You really need to see him for it to work.


GRAHAM CLULEY. Oh my goodness. You have opened up a can of worms here, Dave. The things you're going to— the Pandora's box you're about to uncover.


DAVE BITTNER. Yeah, I just the contrast between the stereotypical stiff upper lip of the Brits with Mr. Blobby coming in and just running through walls. I don't know why it tickles me so, but it does.

-- TRANSCRIPT ENDS --