
363: Stuck streaming sticks, TikTok conspiracies, and spying cars


Roku users are revolting after their TVs are bricked by the company, we learn how to make money through conspiracy videos on TikTok, and just how much is your car snooping on your driving?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dave Bittner from "The Cyberwire" podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript:

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. Do you remember there was that internet hoax about some dying kid called Craig Shergold and everyone had to write postcards to him to cheer him up? And this was still going on 15, 20 years. I can't remember if he died or lived, but there was this mountain of posts.


DAVE BITTNER. He died of old age.


GRAHAM CLULEY. He died because there was an avalanche of postcards outside his door. Smashing Security, episode 363. Stuck streaming sticks, TikTok conspiracies and spying cars with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 363. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we are joined by a returning guest, regular, I would say. It is the CyberWire and Hacking Humans Dave Bittner. Hello, Dave.


DAVE BITTNER. Well, hello there.


CAROLE THERIAULT. Hi, Dave.


DAVE BITTNER. Nice to be back.


CAROLE THERIAULT. It's been a while. We're glad to have you back.


DAVE BITTNER. It's been a little while, but it's always my pleasure.


GRAHAM CLULEY. I love hearing your deep voice. Velvet tones, especially as you've been a little bit sick of late and you've been a bit more croaky. Sounded like you were gargling with razor blades. That's right, exactly, on your show for a little bit there.


DAVE BITTNER. Yes, I was not doing a Tom Waits tribute show from the CyberWire.


CAROLE THERIAULT. Oh, I love Tom Waits. Before we kick off, let's thank this week's wonderful sponsors, Kolide, Kiteworks, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show. Graham, what do you got?


GRAHAM CLULEY. I'm gonna be talking about revolting Roku users.


CAROLE THERIAULT. Okay. What about you, Dave?


DAVE BITTNER. I'm gonna be talking about why TikTok has become a conspiracy theory playground.


CAROLE THERIAULT. Ooh. And is your car insurance super expensive and you don't know why? I might have the answer. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, I want you to imagine the scene. It's late in the evening and Dave Bittner, podcast host extraordinaire, he's there wearing his smoking jacket as normal. He's put a little Kenny Loggins on the hi-fi. You've impressed your little lady there, haven't you, Dave?


DAVE BITTNER. I always do.


GRAHAM CLULEY. With your smorgasbord of little tapas.


DAVE BITTNER. I'm sorry, my little what?


GRAHAM CLULEY. Your plate of spaghetti and meatballs and you're eyeing up the fondue. You've got quite an evening lined up. You think this is going to be fun and you slip into the sofa and you're readying yourself for a cosy night, bingeing your favourite show, BattleBots.


DAVE BITTNER. Yes.


GRAHAM CLULEY. So you boot up your streaming stick, you're all hot and bothered for an evening of sweet, sweet bingeing on the show and robotic action.


CAROLE THERIAULT. What's BattleBots?


GRAHAM CLULEY. BattleBots, don't start that again, Carole. Okay.


CAROLE THERIAULT. I'm just thinking some of our listeners would want to know.


DAVE BITTNER. You can go back to a past episode and hear us having at it with each other over BattleBots.


GRAHAM CLULEY. Link's in the show notes. There you go, about BattleBots versus Robot Wars, if you're interested. Anyway, you're looking forward to this, right? You turn on your TV and your little streaming stick there, and it pops up and it says, oh, it says, we've updated how we'll handle it if you want to sue us. Hit agree to watch BattleBots or remain in TV purgatory.


CAROLE THERIAULT. What?


GRAHAM CLULEY. It's a pop-up. It's a pop-up which is appearing to owners of Roku streaming devices. They're not using those exact words. Their words are a little bit different.


CAROLE THERIAULT. Oh, okay.


GRAHAM CLULEY. What they're saying is, "We've made an important update. We've updated our dispute resolution terms. Select 'Agree' to agree to these updated terms and continue enjoying our products and services." Hmm. Now, here's the thing.

There's a big fat button which is marked 'Agree.' There isn't even the tiniest button to say you disagree. And if you don't hit agree, your streaming stick or your Roku TV or whatever it is, is now basically bricked.

You can't watch. You can't watch the telly anymore because you haven't agreed to it.

Now, you may have had this device for years and it's been absolutely fine. It's given you many, many hours of enjoyment, Dave. But now no longer because you have to agree to the terms.

Are you happy agreeing to the terms? We can press a button, you can read the terms. Oh boy, you could read the terms. There's an awful lot of those.


DAVE BITTNER. Who has time for that?


CAROLE THERIAULT. Graham, have you been living under a rock? Because I think this is the way of the world at the moment with every single app, every single anything you want to use.


GRAHAM CLULEY. It's called enshittification.


CAROLE THERIAULT. Enshittification?


GRAHAM CLULEY. Enshittification. There's the general enshittification of all technology and devices where they are being ruined.


DAVE BITTNER. Yeah, I believe the term was coined by Cory Doctorow.


GRAHAM CLULEY. That is correct. Yeah. So what Roku wants you to do, it wants you to agree to a change to its dispute resolution terms. In particular, there's a bit which demands users who've got any beef with Roku have to make a good faith effort to enter negotiations with Roku for at least 45 days before entering arbitration.

And they're also limiting your ability to sue. So they're saying in most cases, disputes are going to be settled in arbitration instead. Yeah. And there's no way to opt out.


CAROLE THERIAULT. So I do think in these instances that most legal scrapes that you might get into, so say you decide to sue or something, or to complain, they would be in your favor because you didn't create the terms and conditions, they're responsible for them and you signed on and you also are a smaller player, right? You're a tiny person versus this big massive company.


GRAHAM CLULEY. Well, in this particular case, you haven't agreed to them. You haven't signed them because you're just stuck at that screen and you can't watch BattleBots anymore until you hit the agree button. There's no way to opt out.


CAROLE THERIAULT. Can you at least read them before you agree?


GRAHAM CLULEY. Oh yes, yes, you can read them before that happens. And in fact, if you do go to the effort of reading them, I lied. There is a way to opt out.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. But there's not a way to opt out electronically. You have to do this thing called writing a letter. Now—


CAROLE THERIAULT. What? What is that called?


GRAHAM CLULEY. Some of our older listeners may remember this concept of writing a letter.


CAROLE THERIAULT. Have you ever written a letter, Graham? A personal letter?


GRAHAM CLULEY. Back in the old days, I used to write love letters.


CAROLE THERIAULT. With your hands or did you type them out?


GRAHAM CLULEY. No, I use my feet. What do you think I am, Daniel Day-Lewis? Yes, I use my hands.


CAROLE THERIAULT. With a pen or a pencil?


DAVE BITTNER. Yes.


CAROLE THERIAULT. Or did you type it?


GRAHAM CLULEY. I used to write letters on a manual typewriter at one point, as well as by hand.


CAROLE THERIAULT. I'm thinking, Graham, I've known you how long? What, 20 years probably? At least something, I don't know, too many years. I don't think I've ever seen you write more than 30 words together ever.


GRAHAM CLULEY. Well, you don't have to these days, do you?


CAROLE THERIAULT. No, but isn't that crazy?


GRAHAM CLULEY. But if you want to opt out of Roku's terms and conditions, they've made it really simple. All you have to do is make yourself some parchment from the skin of an Astrusian mountain goat.


CAROLE THERIAULT. Someone Googled.


GRAHAM CLULEY. You get a goose's feather as a quill and use some ground-up berries as ink. And you write to Roku's general counsel in California mentioning the name of everyone who's opting out and contact information for those people, the specific product models of Roku products you've got, the software, the services that you use, and the email addresses used to set up your Roku account, if you have one, and if applicable, a copy of your purchase receipt.


CAROLE THERIAULT. Good God.


DAVE BITTNER. Right. From several years ago.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. They can't set up an email address for this because that would be just too much bloody trouble.


GRAHAM CLULEY. The thing is that if you sign into your account to use this device, right, they could just have a disagree button. They could just have say no thanks because they already know your IP address. They already have your information from when you set it all up. They could do all that, but they're choosing not to let you do that. So they want you to actually physically write a letter.


CAROLE THERIAULT. No, they don't. They don't want you to write a letter.


DAVE BITTNER. They want to make it so—


GRAHAM CLULEY. Yes, they don't.


CAROLE THERIAULT. They don't.


GRAHAM CLULEY. They'll be really annoyed.


CAROLE THERIAULT. Yes, they have no one to handle it.


GRAHAM CLULEY. Do you remember there was that internet hoax about some dying kid called Craig Shergold and everyone had to write postcards to him to cheer him up? And this was still going on like 15, 20 years. I can't remember if he died or lived, but there was this mountain of posts.


DAVE BITTNER. He died of old age.


GRAHAM CLULEY. He died because there was an avalanche of postcards outside his door. He opened his door when it fell on top of him. They don't want letters. Of course they don't want that.


DAVE BITTNER. But isn't this just the age-old thing on the internet of everything that's buried in the EULA and your options are basically either agree to everything that we put here, including that you must send us your firstborn child, or simply don't use our service. And we're okay with that because—


CAROLE THERIAULT. And go back and live under a rock. Right.


DAVE BITTNER. Because we operate at scale.


GRAHAM CLULEY. But you've already bought this little gadget or this TV, haven't you? You bought that under the old terms of service, which you agreed to and you were happy with.


DAVE BITTNER. Right.


GRAHAM CLULEY. And now they've gone and changed them.


DAVE BITTNER. Well, it's like Darth Vader with Lando Calrissian, right? I'm altering the deal. Pray I don't alter it further. That's a Star Wars reference, Carole.


CAROLE THERIAULT. Yeah, I wasn't listening.


GRAHAM CLULEY. So clearly they're doing this because they don't want people to opt out. And actually, if you look at the terms of service, they also say the users only have within 30 days of them first being subject to Roku's updated terms, which was February 20th when this pop-up first began to appear, to opt out. Otherwise, you're opting in automatically.


CAROLE THERIAULT. Oh, God. So you're basically spreading the word now to all our listeners that they have 5 days.


GRAHAM CLULEY. Yeah, very few days to get a move on.


CAROLE THERIAULT. If they've been sitting there on that screen, the agree screen.


GRAHAM CLULEY. You could technically click 'I agree to the new changes to watch BattleBots,' or whatever show it is that you want to watch, and then write a letter telling them that you've opted out. That works. But otherwise, you've got to wait for them to receive the letter and act upon it to be able to use your TV.


CAROLE THERIAULT. Well, that's interesting, though. So 30 days, you have to act within 30 days of that. But does that include the letter arriving at their facility?


GRAHAM CLULEY. I don't know, Carole. I don't know.


DAVE BITTNER. You'd have to see—


CAROLE THERIAULT. You see, it's complicated.


GRAHAM CLULEY. It is complicated. And what's more complicated is people have found out that actually Roku updated its terms of service last August. And they did that on their website, but they didn't tell anyone.

And no one noticed because no one reads the terms of service. And it's only now their TVs are popping up telling them you have to agree to this.

And so Ars Technica, they went to Roku and said, you know, this seems a little bit sneaky. And Roku said, well, you know, we update our terms occasionally and we told people somewhere, but you know, words to that effect.

Basically, they didn't properly tell people, they didn't inform people. And now to stream TV that you love, you've got to also read the legalese.

You've got to agree to it.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. Enshittification, as Cory Doctorow said.


DAVE BITTNER. I just wonder where this ends. You know, I mean, so first of all, the thing about being opted in automatically, it seems to me that would not stand the scrutiny of standing in front of a judge and the judge saying that that was a reasonable course of action, that if you do nothing, you will be automatically included in some sort of legal agreement.

That doesn't seem to withstand scrutiny. But who's going to be the person who goes through the trouble over a Roku device to spend time to stand in front of a judge?

I think part of what they're trying to prevent here are class action suits, which is the big thing where they talk about, you know, agreeing to some kind of negotiation.


GRAHAM CLULEY. Well, this is what's actually happening now is on the Roku forums, really, really pissed off users are saying, let's start a class action against this. They're really upset that they've been forced to do this.

And so they've been stirred into action right now that they are revolting.


CAROLE THERIAULT. Can I just say though, the Roku is not a very expensive piece of kit.


GRAHAM CLULEY. Is it not?


CAROLE THERIAULT. I just Googled it. How much do you think it is?


GRAHAM CLULEY. $19.99.


DAVE BITTNER. I'm going to say $30.


CAROLE THERIAULT. $30. Right.

So, you know, if you've had it for a few years, maybe it's time to go somewhere else.


GRAHAM CLULEY. Vote with your wallet.


CAROLE THERIAULT. Vote with your wallet.


DAVE BITTNER. Yeah. But I think ultimately the solution to this would be some sort of regulation that would require that EULAs be explained in terms that mere mortals can understand, and then also perhaps have some kind of granularity on what you do and do not agree to, because the balance of power is totally out of whack here.

Unfortunately, here in the US anyway, we're not going to get anything anytime soon because we have a Congress who can't get anything done. I feel you all on your side of the pond are probably in a better situation here with GDPR and just the overall attitude.


GRAHAM CLULEY. Oh yeah, but Dave, we don't even have a postal service over here, Dave, anymore. There's no way we could write to complain or opt out.


DAVE BITTNER. That's true.


CAROLE THERIAULT. Maybe that's why they changed their terms. They knew it was coming.


GRAHAM CLULEY. Dave, what's your story for us this week?


DAVE BITTNER. Well, I'm curious. Are either of you particularly active on TikTok?


CAROLE THERIAULT. Yes, yes, I am. I have a secret account, a million followers, and I dance daily, some wacky dance.


DAVE BITTNER. I don't mean active posting on TikTok. I mean, are you a consumer of TikTok?


GRAHAM CLULEY. No.


DAVE BITTNER. No?


GRAHAM CLULEY. I have a TikTok account, but I don't have the app installed, so I'm not really making much use of it. So, yeah, yes, I don't know. I don't understand. I think I'm a little bit too old for it, Dave.


DAVE BITTNER. I think, yeah, I concur.


CAROLE THERIAULT. Do you have one?


GRAHAM CLULEY. No. All right.


CAROLE THERIAULT. So we're all going to be talking out of our asses. Excellent.


DAVE BITTNER. Which is what we do best.


GRAHAM CLULEY. Which would make a great TikTok video, to be fair.


DAVE BITTNER. There you go. Yeah.


GRAHAM CLULEY. How do you know, huh?


DAVE BITTNER. So I saw this video from Abbie Richards. She labels herself in the video as unpaid intern at Media Matters, which is— they're a left-leaning nonprofit organization. And they fancy themselves a media watchdog group. And Abbie was looking at this trend of conspiracy theory videos on TikTok that have just exploded.


GRAHAM CLULEY. Right.


DAVE BITTNER. And as these things often happen, they are all working from a common template.


CAROLE THERIAULT. Okay.


DAVE BITTNER. And they are extraordinarily successful. And because they are successful and working from a common template, you can go on YouTube and find videos that give you specific step-by-step instructions for how to create a conspiracy theory video that will generate traffic and then cha-ching, dollars. And of course, that's what this is all about. This is people making tens of thousands of dollars a month generating these videos.


GRAHAM CLULEY. Huh. Yeah.


CAROLE THERIAULT. So Graham's going, this is interesting, right?


DAVE BITTNER. Exactly. Maybe.


GRAHAM CLULEY. What exactly?


DAVE BITTNER. I'm talking.


CAROLE THERIAULT. Let's dig out that TikTok account.


GRAHAM CLULEY. I'm thinking promote the podcast. If we can write conspiracy about this, that's what I'm thinking. Yeah, right.


DAVE BITTNER. So Abbie Richards goes so far as to create her own conspiracy theory video as a demonstration, and it's actually quite delightful. She comes up— so step one is come up with an outrageous claim. And the claim she comes up with is eating Play-Doh cures cancer.


GRAHAM CLULEY. Wow.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. Oh my God.


DAVE BITTNER. So you start off with that. You know, scientists have discovered the shocking news that consuming Play-Doh cures cancer. So that's step 1. Any guesses on what step 2 would be here to make it click?


CAROLE THERIAULT. Pay?


GRAHAM CLULEY. Pay?


CAROLE THERIAULT. Some ad money?


DAVE BITTNER. Okay.


GRAHAM CLULEY. Nudity?


DAVE BITTNER. Nudity. Very good. See where Graham's mind goes immediately.


CAROLE THERIAULT. Yeah. Some fake stats? Some fake stats, some fake quotes, maybe?


DAVE BITTNER. Yeah, yeah. What they say is the next thing you need to do is invent a credible character to anchor the narrative. So you have to create an expert that grounds it. So in other words, you start off by saying there's shocking news that Play-Doh cures cancer. And the next thing you do is you say something like, world-renowned cancer researcher Graham Cluley discovered by accidentally ingesting some Play-Doh that not only was it tasty—


CAROLE THERIAULT. Thinking it was spaghetti. Right.


DAVE BITTNER. But yeah, he had his Fuzzy Pumper Barber Shop and accidentally was ingesting Play-Doh and discovered that the tumor the size of a tennis ball he had in his skull was immediately cured. Right. Right. But by having it be a real person, this is an important part of it. Yeah. If you were telling a story to someone and you say something, you know, hey, eating Play-Doh cures cancer, and they go, what? What are you talking about? And if you say, no, no, no, seriously, there was this scientist, his name was such and such, and this actually happened to him, that makes it much—


CAROLE THERIAULT. You have a scientist in a case study, basically, right? Like an example.


DAVE BITTNER. Right, right. So the next thing you need to do is make your video a minute long, because evidently that is the key length for TikTok's Creativity Program, which is the system by which you monetize these sorts of things.


CAROLE THERIAULT. Graham's taking notes.


GRAHAM CLULEY. This is fantastic. I'm going to be doing this.


DAVE BITTNER. And from there, it's mostly relying on AI. So you use an AI voiceover.

They were saying that for a lot of these, they'll use someone like Joe Rogan, who of course is very popular with this sort of stuff. But then you generate a bunch of AI images and then you just edit the hell out of it.

So part of what you have to do here is you have to grab people's attention and you have to hold on to it, keep them in your grip for the 60 seconds. And the way you do that — so lots of cuts and weird effects and cuts and zooms and just everything has to be in constant motion.

Yeah, there can be no break. You can't allow them to blink while you're holding because they lose out.


CAROLE THERIAULT. They lose out if you leave before the minute's over. Is that right?


DAVE BITTNER. Correct. So the more engagement you get from them, the longer they watch, the better you're going to be in terms of generating your revenue here.


GRAHAM CLULEY. Fascinating.


DAVE BITTNER. Yeah. And then, of course, you want to put some spooky music under it to make it feel mysterious and also hold on to their attention.

And there's a whole cottage industry here of folks who are following this simple formula. You have all the tools you need, right?

So you don't have to have a booming voice. You can just have AI generate that. You don't have to have artistic skills. You can have AI generate that.

You do have to have some editing capabilities, but I'm guessing you can probably have AI generate that, right? You can have the music generated by AI.


GRAHAM CLULEY. So, you know, this is true. Just last week I was on this AI thing.

I was messing around and I said to it, make me a video about pig butchering. You know, the pig butchering scams.

And it did everything. It did the voiceover, it did the graphics, it did the visuals. It was all edited together.

Now, it did make some mistakes because it thought I meant actually the butchering of pigs. It's a subtle distinction.


CAROLE THERIAULT. Yeah, I was just thinking that would be the craziest thing to ask an AI to do.


GRAHAM CLULEY. And occasionally there was a bit of the scam stuff. There was a man shouting into a mirror for some reason and someone smashing a piggy bank.

But mostly it was about cutting up animals and butchering and things, but it did it all within seconds. And it was like, my goodness, this is extraordinary.


CAROLE THERIAULT. Welcome to the party, Graham.


GRAHAM CLULEY. Yeah, sorry, I've just woken up to what's going on in the world.


DAVE BITTNER. But I think the point here is that the barriers to entry are gone. And so when you combine that with the incentives here to make money and lots of money, by kind of short-circuiting people's brains and finding the things that will demand their attention, grab their brains and not let go.

That's exactly what we've got here. And people have fine-tuned their formulas to do that.

And I don't know how we get around that. I mean, obviously TikTok could try to clamp down on these things, but that's against their interest because they want the engagement.


CAROLE THERIAULT. Why would they want to do that?


GRAHAM CLULEY. Exactly. Right.


DAVE BITTNER. Exactly. So just for fun, I gave ChatGPT a prompt. I said, generate an image of a rugged, authoritative cybersecurity expert styled after Graham Cluley. And if you look in the script here, I think it is right on point. Don't you think? I mean, that is uncanny. It's looking in a mirror, isn't it, Graham? I mean, great.


CAROLE THERIAULT. Because yeah, for those that don't know, Graham regularly wears black leather.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. My chiseled jaw.


CAROLE THERIAULT. Yeah, he can grow a beard nobody's business.


DAVE BITTNER. That's right.


CAROLE THERIAULT. So that 5 o'clock shadow is definitely on point.


GRAHAM CLULEY. Yeah. Handsome head of hair.


DAVE BITTNER. Oh, yes.


CAROLE THERIAULT. You do have a lot of hair, but the eyebrows are a little weak there for this guy, even though they're quite bushy.


DAVE BITTNER. But doesn't he look— he looks very serious and he's very well lit, standing in front of some sort of security operations center. It looks like the control room from WarGames. I mean, it is. If I didn't know better, I'd think this was a photograph of you, Graham.


GRAHAM CLULEY. It is uncanny.


DAVE BITTNER. Yeah, it really is.


GRAHAM CLULEY. No Play-Doh coming out of my mouth though, so that's, you know, it doesn't feed into the conspiracy theory, does it? Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, so we're going to driving school. Well, not driving school, but let's just look back on our driving history, perhaps.


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. Do either of you have a perfect driving record? So never been caught speeding, never had an accident, no parking tickets?


DAVE BITTNER. I have never had a speeding ticket. Wow.


GRAHAM CLULEY. Really?


DAVE BITTNER. I have never had a moving violation.


GRAHAM CLULEY. Wow.


DAVE BITTNER. I have. I've had a parking ticket. I got pulled over once for having an expired tag, but no, I think—


CAROLE THERIAULT. I thought you were gonna say for my cocaine habit.


GRAHAM CLULEY. Yeah, yeah. Expired partner in the passenger seat.


DAVE BITTNER. Dead body. I mean, minor stuff, but who hasn't really? I mean, if you want to use the HOV lane, you do what you gotta do.


CAROLE THERIAULT. You do what you gotta do. You got a real doll in the seat next door.


DAVE BITTNER. Exactly, exactly.


GRAHAM CLULEY. I have had speeding tickets, yes. That, I'm afraid, has happened.


CAROLE THERIAULT. Yeah, so have I. I've had parking tickets, I've had accidents, nothing major, but yeah. Well, last year, if you lived in the States, you might have been in a bit of a shock when it came to renew your car insurance because there were insurance hikes across the board, it seems, of, on average, 5%, and in some cases as high as 15%. This was reported in the New York Times at the time. Did this happen to you, Dave? Did you notice this?


DAVE BITTNER. No, I have not. But I have to say that in the division of labor within our household, paying the car insurance is not one of my responsibilities.


CAROLE THERIAULT. Ah, I see what you mean. I see what you mean. Now, the reason they hiked up the insurance apparently was to increase the profitability of auto insurance. They said the problem was labor, pricey parts, all this kind of stuff. And on top of that, last year, it turned out that good drivers were actually being penalized with additional price hikes based on things that had nothing to do with driving.


DAVE BITTNER. Oh, yeah, that makes— I mean, that doesn't surprise me.


CAROLE THERIAULT. Would you be surprised if I said that a low credit score could ramp up your insurance fees? Why do you think that is, Dave?


DAVE BITTNER. I think they'll just say that you are demonstrating that you are irresponsible.


CAROLE THERIAULT. That's interesting because apparently it's because those with good credit are less likely to file an insurance claim.


DAVE BITTNER. Oh, right. They'll just pay it off. Why bother?


CAROLE THERIAULT. Yeah, why bother? Too much paperwork. I can pay the excess.


DAVE BITTNER. Sure. Sure. Okay.


CAROLE THERIAULT. And the advice at the time, right, when this came out a year ago, was shop around, you know, go shop around. But as two security professionals, you guys, don't you think going around and giving everybody your information in order to get a quote makes me feel like it's more hands of people that might misuse it or have an accident with that information. I don't know if you guys feel that.


GRAHAM CLULEY. I hear what you're saying, Carole, but—


CAROLE THERIAULT. You're over that.


GRAHAM CLULEY. I seem to feel that everyone's got my data already. You know, it's been breached so many times from so many organizations and given it to legitimate companies. And there are all these comparison sites these days as well, aren't there, where they take your data and they go to all the different insurance firms and try and get you the best quote.


CAROLE THERIAULT. I ask you why you're on this stupid show, Graham, if you don't even care and you've given up? What's the point?


GRAHAM CLULEY. What? No, I'm just—


DAVE BITTNER. Carole, I was thinking the same thing. If we're at the point where security professionals are just throwing their hands up and saying, yeah, what are you gonna do? That's where we are.


CAROLE THERIAULT. I've been doing that noise every show for the last 3 years. So, okay, so what about you? Do you feel the same, Dave? I'm saying— I'm thinking no.


DAVE BITTNER. I mean, Graham's point is valid that what options do you have if you want to buy insurance? You're going to have to share that information with someone. If you want to shop around, you're going to have to share with more than one organization. So, I mean, I suppose you could do some independent research and find ahead of time which insurers have the lowest rates and then just apply with them. But yeah, that's a lot of work.


CAROLE THERIAULT. Well, okay, so let's move forward a year. I had a look at the top 3 insurers in the States. So we've got State Farm, Progressive, and GEICO. And they all seem to be doing very well if I look at their last 5 years. They have this nice upward slope where our coffers are getting full, which, good for them, maybe. But a privacy scandal is brewing this week. And I wanted to get your takes. The New York Times just issued a big piece on how connected cars, or smart cars, or internet enabled cars with built-in telematics share driver statistics and data with insurers.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Often without the owners even realizing it. So they showcase a 65-year-old man named Kendall, okay? And he leases a Chevrolet Bolt. This is a General Motors car, GM. And his insurance increased by 21% in 2022. So he decides to shop around following the advice from last year. Well, if they're giving you too much of a price hike, go ask other people.


GRAHAM CLULEY. In fairness, Ken Doll has had quite a good year, hasn't he? He's been doing quite well. And his celebrity status—


DAVE BITTNER. Driving something a little more upscale than a Chevy Bolt. But maybe it just tickles his fancy.


CAROLE THERIAULT. Yeah. So he decides to shop around, our Ken here. But other insurers are giving him the same high quotes. And the thing is, he's a good driver. He's never had an accident. His own words: 'I've always been a careful driver.' So why the 21% jump? Any ideas?


GRAHAM CLULEY. Has he been speeding and he hasn't been caught for speeding, but the car manufacturers know that he's been speeding?


DAVE BITTNER. Right, he's being ratted out by his telematics inside his vehicle.


CAROLE THERIAULT. Exactly. One of the agents, the insurance agents he spoke with, revealed to him that he should get his hands on his LexisNexis report.


DAVE BITTNER. As you do.


CAROLE THERIAULT. And this was one of the reasons that the prices were so high. So LexisNexis, I didn't, I've never heard of them, but they employ about 10,000 people.

They have offices in 24 countries. They're headquartered in Georgia, USA, and they are a global provider of information-based analytics and decision tools for professionals and business customers. And they say they help detect and prevent online fraud and money laundering and deliver actionable insights to insurance companies and healthcare networks. And typically they would be the people that would keep tabs on accidents and tickets.

But see, our guy here, Ken, doesn't have any, right? He's the good driver.

So what does Ken do now? He decides to request a consumer disclosure report as required by the Fair Credit Reporting Act.

And it takes a while, but he gets it. And the report is 130 pages long.

He's had this car for 6 months. It detailed each time he or his wife had driven the Bolt over the past 6 months, and it totaled 640 trips.

It had their start times, end times, distances driven, info when the driver was speeding, hard braking, and sharp accelerations. So internally, the one thing they didn't have, interestingly, was data on where the car was going, like A to B-ing.


DAVE BITTNER. That would be too much.


CAROLE THERIAULT. Oh yeah, that would be too much. I'm thinking there's a lot of other tools that do that for you.

So one Thursday morning, there was a car trip that recorded 7.33 miles and it was completed in just 18 minutes. And on that particular route, maybe that was just too darn short.

There had been two rapid accelerations recorded and two instances of hard braking. So who had provided this information to LexisNexis?

GM, the car company from whom he was leasing with his very own hard-earned money? His Chevy Bolt.


GRAHAM CLULEY. I was about to say, so what are GM getting out of this? But of course, the answer is going to be money, isn't it?


DAVE BITTNER. Mm-hmm.


GRAHAM CLULEY. Yep. Yeah.


CAROLE THERIAULT. Money. And this is the rub, right?

I feel there's an honest way to do this. You could ask drivers to willingly install trackers of sorts to prove they are good drivers in order to lower their insurance rates.

Yeah.


DAVE BITTNER. And some insurance companies do that.


GRAHAM CLULEY. Yeah, they do, don't they?


CAROLE THERIAULT. Absolutely. And a lot of these services can be— so GM in its cars has this Smart Driver.

This is a service from GM that is optional for drivers to turn on, which will then record stuff and be handed over. But there's two problems they highlight.

So one, if you do turn it on, the explanations are not explicit about what it collects about you, your driving habits, and who it shares it with. The other thing is some reporters, some users reported that they did not turn it on explicitly.

And yet still, their insurance went up unexpectedly. So I know that internet-savvy cars allow access to services like navigation and roadside assistance and apps to lock and unlock your car.

But it seems clear that most users, most drivers have no bleeding idea what the insurers are being fed from this additional connectivity. I mean, if you think anyone in your life, if you think of the people in your life that are not involved in this arena, this either cyber or cars, auto industry, would they know anything about this?


GRAHAM CLULEY. Oh, absolutely not. No.

The average person on the street, whether in a vehicle or otherwise, wouldn't be aware that cars are doing this. And of course, try getting yourself a car which isn't in some way connected anymore.

I mean, I know you've got an old car, Carole, which doesn't do things. They still run on rubber bands and clockwork.


CAROLE THERIAULT. My feet are underneath like the Flintstones.


GRAHAM CLULEY. But, you know, try buying a new car which isn't in some way integrated. Now, I don't know if all manufacturers have given this information or selling this information to insurers, but I bet they've all been thinking about it at the very least.


CAROLE THERIAULT. Because the problem with this is the stealth enrollment. Yeah, that's the problem, because it's a pretty shitty thing to do to someone who's actually giving you money for a service. Your customer, seems to me.


DAVE BITTNER. Yeah, I saw this article too, Carole, and one of the things that struck me was that the car companies are claiming that they're being overt in requesting the users permit this, but the users are saying that's not the case.


CAROLE THERIAULT. Absolutely. There's this one instance where they say, your privacy matters to us. We will never share with any third party without your explicit consent. But then inside the T's and C's, they have, hey, we share this with this company.


GRAHAM CLULEY. Right.


DAVE BITTNER. Totally without your consent.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yes, because you signed off on those things.


DAVE BITTNER. I think, you know, kind of to Graham's point about connected cars, I think most people are aware for the past decade or so that your car is logging things internally because cars have so many computers. But I think the notion that it's sharing this information in real time would be disturbing to a lot of people. I also can't help wondering if there's an opportunity here for some kind of chop shop where you can bring your car in and there's some hacker there in a hoodie with a laptop and they jack into your car and they alter your car's firmware so that it's only reporting good things about you, right? You will never exceed the speed limit. You will never accelerate or decelerate out beyond a certain amount so that you always look like you're the perfect grandmother driving to the grocery store every day. Seems to me like there's an opportunity.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. It really ticks me off though, because if a kid jumps out in front of the car, what do I want every fucking driver to do? Slam on the brakes. And when I want someone to go really slow, I'll tap him. I'll tap the kid. I'll be going a lot slower, but I just don't want to get the points. I just don't want to have that extra hit on my insurance.


DAVE BITTNER. Right. I'd rather swerve.


CAROLE THERIAULT. Yeah, exactly, yeah. So if you want to know what your car is hoovering up, first check what services are enabled or those that you or someone else in the family have enabled. And you may be willing to part with that service if you find out via, yes, as Graham mocked earlier, reading the T's and C's to find out what really they're interested in taking.


GRAHAM CLULEY. Oh, for goodness' sake, with a car, is anyone going to, I mean, I don't read the manual for a car. Does anyone read, you know, when you get these cars and they've got a 400-page manual of how to use the bloody, no one looks at it.


CAROLE THERIAULT. No one, okay, I'm not talking about that. I'm not talking about the manual. I'm talking about the privacy section inside the terms and conditions.


GRAHAM CLULEY. People are even less likely to look at that, Carole.


DAVE BITTNER. People aren't expecting their car to be ratting them out.


CAROLE THERIAULT. That's why I'm doing this story. Listen to me and not to Graham. And I, you know, I am a happy bunny to say that I am super old school for driving a dumbass car.


GRAHAM CLULEY. So smug about it. Every chance you get, you talk about it.


CAROLE THERIAULT. Yeah, well, jealous. That's what I hear.


GRAHAM CLULEY. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by Kiteworks, who enable organizations to effectively manage risk in every send, share, receive, and save of sensitive content.

To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers.

Visit kiteworks.com to get started today. That's kiteworks.com, and thanks to them for supporting the show.


CAROLE THERIAULT. Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming.

Enter Vanta. Vanta gives you one place to centralize and scale your security program.

Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.

Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.

All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A dot com slash smashing.

And thanks to Vanta for sponsoring the show.


GRAHAM CLULEY. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.

For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing, but now as part of 1Password.

So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.

Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better.

Check it out at kolide.com/smashing to learn more and watch the demo today. That's k-o-l-i-d-e.com/smashing.

And thanks to them for supporting the show. And welcome back.

Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security related. I have just come back from a long weekend in Madrid with my partner. It was absolutely lovely. And when you're in Madrid, obviously the thing, you know, if you look at the top things to do in Madrid is go to El Prado, you go to the art galleries, you check them out.

Isn't this fantastic? We didn't do any of that. We just went around and had some nice food and hung out a bit. We went there with good intentions, but it didn't really happen. And so I came back and I felt a bit guilty because we had planned to go to El Prado and some of the, you know, all that sort of cultural stuff.

And I thought, what should we have done? Well, what we could have done is we could have gone to this website, which I don't think many people know about. It's a website run by Google, who are a lovely company, lovely advertising company.

It's called artsandculture.google.com. And it gives you virtual access to the treasures of over 2,000 museums all over the world. There's interactive activity, so if you've got kids, or if you're a kid and you need something to make it more interesting, there are puzzles and online games.

And you can look at beautiful high-resolution versions of works of art. Museum of Modern Art, Tate Gallery, Australian National Surfing Museum, Italy's Pasta Museum. All of those are up there and it's rather splendid.


CAROLE THERIAULT. Are you sure this has never been Pick of the Week before, Mr. Cluley?


GRAHAM CLULEY. I don't think it's been. Oh, this is controversial.


CAROLE THERIAULT. You know that my memory is a sieve. But I have a feeling I may have had this as an early Pick of the Week. So we're talking early.


GRAHAM CLULEY. Going to the list.


DAVE BITTNER. Uh-oh.


GRAHAM CLULEY. Oh my. And—


DAVE BITTNER. Oh dear.


GRAHAM CLULEY. Oh my God. Oh my God. Episode 61. Boom! Episode 61?


CAROLE THERIAULT. Isn't it, you owe me 10 grand? Isn't that what we said?


GRAHAM CLULEY. Oh my God.


DAVE BITTNER. There you go. Wow. There you go. It's old as new again.


CAROLE THERIAULT. Yeah, that's gotta hurt.


GRAHAM CLULEY. Yeah. January 2018.


CAROLE THERIAULT. There you go. It was a long time ago.


GRAHAM CLULEY. Man, Carole, your memory.


CAROLE THERIAULT. But I haven't been there.


GRAHAM CLULEY. You what? You said it was your Pick of the Week, but you didn't actually ever go to the URL. This is a scandal.


CAROLE THERIAULT. No, no, no. I haven't been there for a number of years, since the pandemic. And I don't know why I forgot about it. So I'm very grateful, Graham, that you brought it back to my attention. My Pick of the Week from 2018.


GRAHAM CLULEY. It's a re-Pick of the Week.


DAVE BITTNER. That's very gracious of you, Carole.


CAROLE THERIAULT. Yes, I am gracious.


GRAHAM CLULEY. Unexpectedly so.


DAVE BITTNER. This is lovely. As much as I want to hate it, I can't because it is delightful. And this should be a stop. Everyone should spend a few minutes on this every day.


GRAHAM CLULEY. I'm amazed Google hasn't shut it down because all the useful sort of money-making services in some cases that they have had and they've shut down over the years. But this apparently has been going for something—maybe they've forgotten about it.


DAVE BITTNER. I was going to say the same thing. Maybe we shouldn't bring it up.


CAROLE THERIAULT. Yeah, you're right. Let's censor out the name.


GRAHAM CLULEY. Dave, what's your pick of the week?


DAVE BITTNER. Well, my pick of the week is actually another delightful YouTube video here. Are either of you aware of this ongoing competition that's been happening for several years now? It's called Dance Your PhD.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Strangely, no. No. What does that involve?


DAVE BITTNER. I wasn't aware of it either, but what they do is they put the word out for folks who have just completed their PhDs to create a video, a music video, where they dance and explain their PhD. And this year's winner is a gentleman who's doing his PhD research on kangaroos.


GRAHAM CLULEY. Wow.


DAVE BITTNER. And so there's a video about called Kangaroo Time. And it's not only is it educational, it is just delightful. It's a catchy tune.

There's all kinds of people dancing. Not well, I guess they're using their dance to explain some of the social habits of kangaroos. And so it's cute, it's fun, it's funny. It's just something for me. It was something that just made me feel good. So I hope you'll check it out and enjoy it.


CAROLE THERIAULT. I love the idea.


GRAHAM CLULEY. They've got drag queens. There's someone doing some Indian dancing. All sorts here. And some of them are pretending to be kangaroos. I mean, I can imagine doing a kangaroo dance, the sort of thing I might do on a disco floor, but it's not—


DAVE BITTNER. Right, back in the '80s, while everyone else was doing the robot, Graham was famous for his kangaroo dance.


CAROLE THERIAULT. Can I ask though, if it's so famous, why it has only 288 subscribers on the channel you gave us?


GRAHAM CLULEY. I know that this is the winner this year, Carole. The actual meme of dancing your PhD has been around for a few years. Is that what you're saying, Dave?


DAVE BITTNER. That is correct, yes. So I think if you go to the main page of the Dance Your PhD folks, they have their own YouTube channel, and that has a lot more views and the whole rundown of all the winners and runners-up over the years.

And as these things are, it's hit or miss. But this particular one, the kangaroo dance, I think is just delightful. And I've watched it several times, and every time I do, it leaves me with a smile on my face. So that is why kangaroo time is my pick of the week.


CAROLE THERIAULT. Beautiful.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, okay. You guys should click on that link right now while I'm talking because it'll be self-explanatory for you.

And then you can say how amazing it is because you know how Tetris, you play for 30 seconds and you go, this is a winner. This is a winner. I'm calling this a winner. And I discovered it yesterday.

Okay, so it's a cheeky little game. You can find it on crazygames.com. I have mentioned crazygames.com before, but this game was not on there as far as I know.


DAVE BITTNER. Oh, okay.


CAROLE THERIAULT. As some people know, I have a young niece who lives far away, and we get together a few times a week on Zoom for a chill-out. But now she's more into online games.

But we found this little gem, and I have to say it's a corker. So it's called Animal DNA Run, and you can play on any device.

You can play on a computer. You don't have to log in, as long as you don't care about keeping score and coming back and tracking it. And as everything's shown in thumbnails in crazygames.com, you're looking for a pic of a tiger on one side and a gorilla on the other.

And in between them is a plus sign. So the game, you have an obstacle course which changes with every level with increasing difficulty.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And it takes under a minute or less to do a course, maybe 10 seconds at some times. And you run the course as a designated animal.

You guys start off as a dinosaur?


DAVE BITTNER. Yes, well, at this point I am a dinosaur combined with a shark.


CAROLE THERIAULT. Because as you run, you hit mutation points that will change a third of your being into another animal.


DAVE BITTNER. Oh no, I fell in a pit.


CAROLE THERIAULT. Each mutation point will transform you in some wacky crazy thing. And so, imagine you're a shark — you can't run on the grass very well, but you can swim at speed.

But if you're a shark—


GRAHAM CLULEY. Yeah, I was terrible in the desert as a shark. I've just been doing that — it's not too good.


CAROLE THERIAULT. But if you're a shark-eagle-gorilla, you can kind of do almost anything.


DAVE BITTNER. Oh, I see. Oh, look at that, right?


CAROLE THERIAULT. But my favorite one so far that I've come across is the giraffe body with spider legs and a gorilla head.


DAVE BITTNER. Oh yeah.


CAROLE THERIAULT. Just brilliant. We were laughing our heads off playing this.

I don't think it matters what age you are. I just think it's a great, great game.

If you need to get 10 minutes out of your system and calm down and chill out, this is how you do it. Animal DNA Run on crazygames.com — that's my pick of the week.


GRAHAM CLULEY. Excellent stuff, chaps. And that just about wraps up the show for this week.

Dave, I'm sure lots of listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?


DAVE BITTNER. Oh, the best thing to do is go search for The CyberWire on your podcast player and check it out.


GRAHAM CLULEY. Super duper. And you can follow us on Twitter @SmashinSecurity — no G, Twitter won't allow us to have a G.

We also have a Mastodon account. And don't forget to ensure you never miss another episode — follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And ginormous thank you to our episode sponsors, Kolide, Kiteworks, and Vanta, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog — more than 362 episodes — check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye, bye-bye. Thank you so much once again, Dave, for giving us your time — really appreciate it.


DAVE BITTNER. Yes, my pleasure. Anytime.


CAROLE THERIAULT. It was fun. We had a good little laugh.


DAVE BITTNER. That was fun. That was a good one.


CAROLE THERIAULT. And we didn't even have to talk sex.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Normally you guys get together and there's all this double entendre and I have to sit there going gag, gag, gag.


DAVE BITTNER. Yeah, I was — I've considered it when we were talking about, well, Graham's, all of his Roku things about, you know, your streaming stick and all that sort of stuff. I thought, I was like, is this a euphemism salad here?


CAROLE THERIAULT. He doesn't even know he's doing it.


DAVE BITTNER. Doesn't he though? Doesn't he?


GRAHAM CLULEY. I'm going to post this image Dave has made of me up on Twitter.


CAROLE THERIAULT. Why don't you just make it your new avatar everywhere?


GRAHAM CLULEY. Right.

-- TRANSCRIPT ENDS --