378: Julian Assange, inside a DDoS attack, and deepfake traumas

WikiLeaks's Julian Assange is a free man, deepfakes cause trouble in the playground, and we hear hot takes about ransomware and tales from inside a devastating denial-of-service attack.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Eleanor Dallaway.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!


THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


ROBOT. At the time, he was in the Ecuadorian embassy hiding out, squatting there, and Ecuador were getting a bit fed up with him, to be honest. They meddled with his internet connection so he couldn't use it for a while. I guess they switched it to TalkTalk. Basically the same as not having an internet connection, isn't it?

Smashing Security, episode 378: Julian Assange: Inside a DDoS Ransomware Attack and Deepfake Traumas with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 378. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, on the show, we're joined by someone very special, someone who hasn't been on the show before. It is the co-founder of Assured and perhaps best known as the former editor of Infosecurity magazine. It's Eleanor Dallaway. Hello, Eleanor.


ELEANOR DALLAWAY. Hello. What a pleasure to be here.


CAROLE THERIAULT. Princess Eleanor.


ELEANOR DALLAWAY. Do you want to be known by Cyber princess or just princess? That's my formal title, yes.


CAROLE THERIAULT. Okay, let's kick this show off and thank this week's wonderful sponsors, 1Password and Vanta. It's their support that helps us give you this show for free. Coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be asking the big question: Julian Assange, hero or villain?


CAROLE THERIAULT. Okay, what about you, Eleanor?


ELEANOR DALLAWAY. I'm going to be talking about some ransomware simulation hot takes. And walk down memory lane at the same time.


CAROLE THERIAULT. And I'm going to be talking about kids, teens, and deepfakes. What can we do? All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, on the day that we're recording this, news has broken that Julian Assange, the founder of WikiLeaks, who's been holed up in Britain's Belmarsh Prison for the past 5 years. And previously to that, he was squatting in the Ecuadorian embassy in London for 7 years or so. He is out. He's out of the UK. He's a free man and obviously quite a controversial figure. We've talked about Julian Assange before, back in episode, let me think, episode 245, I think. We talked about—


CAROLE THERIAULT. You're so smart for remembering that.


ELEANOR DALLAWAY. Just off the top of your head.


CAROLE THERIAULT. I know, he's incredible.


GRAHAM CLULEY. By the advance in years, I can remember things like this. We talked about the US government's attempts to get him extradited to face trial. There was this wild assassination plan plotted by the CIA against Assange if he was ever bussed out of the embassy by Russian agents wanting to take him to Moscow. So extraordinary things have happened, and the truth is that Julian Assange, he's a bit of a Bond villain, isn't he?


CAROLE THERIAULT. He would be a shit Bond villain.


GRAHAM CLULEY. Would he?


CAROLE THERIAULT. Would he?


GRAHAM CLULEY. But why's that? He's an albino to start with. I mean, normally they have some sort of physical trait, don't they? A big scar or something, or a—


CAROLE THERIAULT. Wasn't there one with an albino cat?


GRAHAM CLULEY. Oh, you mean—


CAROLE THERIAULT. A hairless cat?


GRAHAM CLULEY. Blofeld had the cat. Yes, Blofeld. Yes, that's right. In his Nehru jacket. Yes, he did. Assange is complicated. He's obviously passionate in his beliefs, and you know, that can be admirable.

But he's— I find it a little bit of difficulty to feel comfortable really liking him. There are torrid tales of Assange. There are historic rape and assault claims which have been made in Sweden against him, as well as the well-known hacking-related allegations from the United States.

First with the release of almost half a million documents related to US action in Iraq and Afghanistan, containing a series of damaging revelations to the White House, including a video of a US helicopter attack in Baghdad that killed a Reuters journalist. He made himself back in 2016 the enemy of millions and millions of US Democratic voters because he published leaked emails which had been hacked from the DNC in the Hillary Clinton campaign in the run-up to the 2016 election.

So for those of you who don't remember or too young to remember the pre-Trumpian days, Julian Assange published emails stolen from the Democrat Party in Hillary Clinton's campaign, emails that had been hacked from them by the Russian Fancy Bear gang, which has links to the Kremlin.


CAROLE THERIAULT. And they were literally emails that had been sent to a server, right?


GRAHAM CLULEY. In any organization, yes, you will get work-related emails, but you get a heck of a lot of personal stuff as well.


ELEANOR DALLAWAY. Yeah.


GRAHAM CLULEY. And he didn't redact any of that personal information. So as well as emails from Hillary Clinton or the hacked Chief of Staff John Podesta, you also got other people's private emails, and they were made completely searchable.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. On the WikiLeaks website.


CAROLE THERIAULT. That was our big problem at the time. I remember episode 245, and I remember very little, as you know, but I do remember that we talked a lot about him not redacting information, putting people at risk, and that being the really big thing that certainly, you know, bugged me about it all.


GRAHAM CLULEY. For us, at least, for us in the cybersecurity and privacy sort of end of things.


ELEANOR DALLAWAY. He's a very, very sharp thorn in the side of some of the most powerful establishment figures in the whole of Western world, isn't he?


CAROLE THERIAULT. He really is. Yeah, but he must have had hero complex. He must have just thought he was a god at the time.


ELEANOR DALLAWAY. Do you remember the fabricated version of the Time magazine cover showing Julian Assange as the Person of the Year? I think it was 2020, 2021.


GRAHAM CLULEY. Yeah.


ELEANOR DALLAWAY. And it went viral and all different media outlets published it. They thought it was real at the time, but it was just totally fake news. And the real winner, believe it or not, was actually Elon Musk.


CAROLE THERIAULT. Oh my God.


GRAHAM CLULEY. Oh, hard to choose there, isn't it?


CAROLE THERIAULT. Yeah, I can see why they made a mistake.


GRAHAM CLULEY. But when these emails were put up on the WikiLeaks website, and they're still there, I looked this morning, you can get people's private passwords, calendar invitations, holiday plans, requests for roommates, dentist recommendations. I was actually searching for dentist recommendations. This morning, I was doing it.

Email addresses, phone numbers, it's all there. And the conspiracy theorists believe that there were even emails containing coded messages about Pizzagate.


CAROLE THERIAULT. Yeah, wrong.


GRAHAM CLULEY. And we cannot ignore the fact that WikiLeaks published that data dump on October 7th, 2016, 30 minutes, just half an hour after the Access Hollywood tape of Donald Trump saying he liked to grab women by the hoo-ha.


CAROLE THERIAULT. That's not what I call my bits.


GRAHAM CLULEY. No, that's not what you call your growler.


CAROLE THERIAULT. That's not a typical name that I think most women use.


GRAHAM CLULEY. Okay, alright.


ELEANOR DALLAWAY. Lady bits.


CAROLE THERIAULT. Lady bits.


GRAHAM CLULEY. Anyway, so it was just after that, and of course it was designed and timed to take attention away from Trump's terrible behavior and damage Hillary Clinton's presidential campaign instead. So he could choose what to release and he could choose when, and he was weaponized in that.

So I find it personally a little bit difficult to say, oh, he's just about freedom of the press and all information should be free. It's like, well, it's certainly under his kind of terms that he's doing that.


CAROLE THERIAULT. Yeah, he didn't do it with a very strong ethical banner, I felt, you know. That's what I found was very much missing.

I don't have a problem with whistleblowers, but I think there's a responsibility that comes with that. For me, he pushed those boundaries a little bit. A lot.


GRAHAM CLULEY. I think he would say that he was working to a higher moral value by saying, yes, people may get hurt, but there's a higher purpose here because obviously people are being killed by administrations around the world and armies. And what am I doing here defending Julian Assange?

At the time, he was in the Ecuadorian embassy.


CAROLE THERIAULT. Hiding out, yeah.


GRAHAM CLULEY. Squatting there. And Ecuador were getting a bit fed up with him, to be honest.

They meddled with his internet connection so he couldn't use it for a while. I guess they switched it to TalkTalk. It's basically the same as not having an internet connection, isn't it?


ELEANOR DALLAWAY. Every time you say squatting in the embassy, I imagine him—


CAROLE THERIAULT. Taking a dump.


ELEANOR DALLAWAY. Squatting, yeah.


GRAHAM CLULEY. Well, the funny thing is, he wasn't happy with conditions at the Ecuadorian embassy, and apparently he did do what is known as a dirty protest. Where he was smearing some of his— I would say data dumps, but certainly his dumps on the wall.

So if you do read up about this, he wasn't necessarily being the most lovely houseguest. That is foul. But that isn't the only reason the Ecuadorians wanted him out, of course.


CAROLE THERIAULT. Really?


ELEANOR DALLAWAY. Really?


CAROLE THERIAULT. That'd be enough for me. If I had a houseguest who, you know, I'd be, "You know what, dude? I think we're gonna call this a day." You know?


GRAHAM CLULEY. At least he had that balcony. He could have been using that, couldn't he?

WikiLeaks were doing other things to make themselves unpopular and to be seen as the bad guys in the eyes of Western governments. In March 2017, they released information about some ultra-secret CIA hacking tools.

It was the Vault 7 leak described as the largest data loss in CIA history. And WikiLeaks claimed, albeit incorrectly, that encrypted chat apps like Signal and WhatsApp had been cracked by the CIA.

They hadn't. They said that Samsung TVs were being remotely hacked to spy on conversations. They weren't. And WikiLeaks said it would work with software vendors to fix the zero-day vulnerabilities.

People at Apple and Google. They didn't.


CAROLE THERIAULT. So how do we know they hadn't and they didn't and all this?


GRAHAM CLULEY. Well, because when people asked for the evidence, it was never forthcoming. And WikiLeaks initially said, we are going to work with the vendors, we're going to do this. And within a week they pulled back and said that they weren't going to do that. And you have to think, if these really were vulnerabilities which the CIA or indeed any other intelligence service might be exploiting, wouldn't it be good to work with the vendors to protect them if they had details of these bugs? So some of this information they were coming out with was a bit questionable. And time and time again, whether it be diplomatic cables which were coming out, whether it was stolen email archives being published, and innocent people potentially being put at risk because WikiLeaks wasn't protecting it.


CAROLE THERIAULT. Okay, come on. We were at the time working at a cybersecurity company, trying to build a PR empire for that company. God knows why, but that's what we were doing.


ELEANOR DALLAWAY. You know, we—


GRAHAM CLULEY. With help from Infosecurity magazine. God knows who their editor was.


ELEANOR DALLAWAY. Guilty.


CAROLE THERIAULT. Exactly. And we, whenever any of these leaks came out, we were chomping at the bit to get the write-up and put it out first.


GRAHAM CLULEY. Oh, it's interesting. Yeah, yeah.


CAROLE THERIAULT. You know, so we helped in this is all I'm saying. You particularly.


GRAHAM CLULEY. Well, hello.


CAROLE THERIAULT. And Eleanor, both of you.


ELEANOR DALLAWAY. Not to point fingers, but—


CAROLE THERIAULT. I was just the boss. I didn't do anything.


GRAHAM CLULEY. I've never done a dirty protest. Let me just stress that.


ELEANOR DALLAWAY. Are you sure?


CAROLE THERIAULT. You've been to my house before. I'm just saying.


GRAHAM CLULEY. Let's not go into any details. Assange— put the seat down, Graham. Assange is out.


CAROLE THERIAULT. Okay, isn't that interesting? He's out just before the elections again.


GRAHAM CLULEY. Well, interesting, isn't it? Maybe the Americans didn't want him to be a political football. Maybe they didn't want there to be a lot of argy-bargy. They didn't want him coming to America and facing trial and all that hoo-ha. He's agreed a plea deal. He's pleaded guilty to one charge. He won't have to spend any time in a US prison. His sentence is the time he's already served in Belmarsh in the UK. His health has been suffering, and they forced him to plead. The plea they've made him force is a conspiracy to violate the Espionage Act, which according to the law amounts to receiving and obtaining— this is interesting— receiving and obtaining secret documents and willfully communicating them to persons not entitled to receive them. Now, that definition would cover an awful lot of whistleblowing, wouldn't it?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And it must be scary for many journalists around the world to think, well, hang on, I receive and obtain secret documents. I willfully communicate them to people not entitled to receive them. Because sometimes governments do need to be taken into account. And so I have some sympathy there. Now, what we might see is future US presidents decide that certain journalists are, quote, enemies of the people, and ensure that their attorney general throws the book at them, because they will feel more empowered.


CAROLE THERIAULT. This doesn't happen yet anywhere in the world, Graham. Journalists are revered all the world over, and governments love them, especially when they point out the things that they're trying to hide. It's totally—


GRAHAM CLULEY. Do you feel revered and loved, Eleanor?


ELEANOR DALLAWAY. No snub.


CAROLE THERIAULT. Princess Eleanor, please.


ELEANOR DALLAWAY. Yes, it might need tied things together.


GRAHAM CLULEY. Eleanor, what have you got for us this week?


ELEANOR DALLAWAY. So it's not news per se, it's more hot takes actually from a ransomware simulation event that I attended yesterday. It was hosted by SecureWorks, and it was only members of the press were invited along, and it was surprisingly really quite enjoyable because it was so nice to see my fellow cyberhack peers, including the lovely Dan Raywood and James, who were both on my team at InfoSec Mags. It's old days.

And the Beeb's Joe Tidy, who, fun fact, was on the editorial team with me at our student newspaper.


GRAHAM CLULEY. Really?


ELEANOR DALLAWAY. At Loughborough University.


GRAHAM CLULEY. Yeah, look at him now.


CAROLE THERIAULT. I know.


ELEANOR DALLAWAY. Imagine if someone had told us back then, you're both going to be cybersecurity journalists. I think we'd probably be absolutely mortified.

Here we are, c'est la vie. Anyway, I have done a lot of these types of events before.

We even run them at Assured actually, but there are a few things that struck me as uniquely notable or interesting. And the fact also that they use a publishing house as the case study of the hacked company, the ransomware simulation, was a bit of a trippy walk down memory lane for me, back to the summer of 2021 when Infosecurity Magazine were taken offline for 6 weeks due to a whopper of a DDoS attack.

So 6 weeks, 6 weeks, it's horrendous, isn't it?


CAROLE THERIAULT. What happens inside when that happens?


ELEANOR DALLAWAY. It was painful, it really was. What happened inside is a really good question.

A lot of internal conflicts, as you'd probably expect. So you have lots of different teams pulling in different directions.

You've got, especially when it comes to the messaging, you've got the legal team saying one thing, the marketing team for the company saying another. I mean, we were owned by Reed, a FTSE company, a lot of global players involved.

And then of course you've got this sort of hands-on editorial team, people that are very closely connected to the industry, that are saying, well, I want to do it this way because we have to eat our own dog food, right?


GRAHAM CLULEY. Yes.


ELEANOR DALLAWAY. Publication, we preach transparency and openness and learning from mistakes. We cannot cover this up, which you'll be unsurprised to learn is exactly what some of the head honchos wanted to do, right?

So there was lots of sort of internal battling going on. Talking about the comms, I turned instantly to some people in the industry who I really trust for their advice on what to do, what to say, and we tried to manage it as transparently as we could.

But for 6 weeks, all we could really do in a literal sense in terms of the work was prep for sort of evergreen features, because we knew that there was no point writing news. We did switch to a podcast to try and present news in some way to the readers.

But really, there was very little we could do other than work with our tech providers, the CMS. It was the CMS that was hacked, actually.

So work with them as closely as we could to try and build— we had to build a new CMS and migrate everything.


CAROLE THERIAULT. Oh my God.


ELEANOR DALLAWAY. Yeah.


GRAHAM CLULEY. And it's horrendous, isn't it? I remember when this happened.

Yeah, yeah. I mean, and it was just astonishing how long it lasted for.


ELEANOR DALLAWAY. Yeah.


GRAHAM CLULEY. But the thing with you was that you were a very public, well, publication. You know, people would go there every day or multiple times a day to get the latest cybersecurity news, and suddenly the website wasn't there.

So it would've been very difficult to hide what was wrong.


ELEANOR DALLAWAY. Exactly.


GRAHAM CLULEY. But there appeared to be some sort of serious infrastructure problem going on.


ELEANOR DALLAWAY. And it's embarrassing, right? Our title is Infosecurity Magazine, and we've been hit by a huge attack.

The shame. The shame.


CAROLE THERIAULT. Did you ever find out who was behind it?


GRAHAM CLULEY. What the motivation was.


ELEANOR DALLAWAY. We didn't. And there was— I had theories at the time. I'm not going to go into them. I don't want any calls from—


CAROLE THERIAULT. We have censor beep.


ELEANOR DALLAWAY. One of my theories, and it's probably quite far-fetched, but I've written once actually in my career— I haven't done this very often— but quite a harsh exposé of something that happened only a month before. And somebody did say to me in the industry, I really do think it could be coming from that, right?

The likelihood was it was something completely disconnected to that, but it was our CMS system that was DDoSed, and they also looked after a very large British bank. And because they had to prioritize that customer, they basically just said, we are shutting you down and there's nothing we can do about it.

So it was a very trying time, but it was actually really interesting from my perspective because I get to put into practice all the things that we wrote about. And we did, and hopefully sort of did the industry proud in the way that we were very transparent and open.

Frustrating as it was that we weren't able to do what we did, that we lost our bread and butter. We were also losing vast amounts of money at the time.

We were making a huge amount of revenue on digital advertising and serving impressions on the website, and obviously running webinars and podcasts, and all of that just had to cease for a whole 6 weeks. So it just took a massive financial hit as well, which was definitely not the main thing, but certainly consideration as well, especially to obviously a very corporate company like RELX.


GRAHAM CLULEY. It just seems really strange why someone would launch a DDoS attack. I mean, reasons to do it would be something political, or they don't like you for some reason, in which case, what's the point of doing it unless you post something on Twitter claiming responsibility and saying why, to make your point and saying that, you know, Infosecurity Magazine is a terrible outfit, you know, and something like that.


ELEANOR DALLAWAY. Bloody editor.


GRAHAM CLULEY. Well, yeah, right.


ELEANOR DALLAWAY. Useless.


GRAHAM CLULEY. Or to get in touch and say, give us some money. It just seems really bizarre, doesn't it?


ELEANOR DALLAWAY. That was the strange thing that nobody claimed it.


GRAHAM CLULEY. How frustrating not knowing.


ELEANOR DALLAWAY. We were expecting— every day we were expecting someone to claim it. Yeah, but it never came. It never happened.

So there's so many question marks still over it. But, yeah, do you know what was interesting?

There were 9 of us journalists at that event yesterday, and somewhere between a third and a half of us had worked at a publication that had been the victim of a cyberattack that had quite literally taken them offline. Obviously well publicized that The Guardian had suffered high-profile attacks, including the ransomware in 2022.

They obviously reported on themselves, but we got some sort of insider scope on that yesterday as well. And you're saying that they had 3 hours once they discovered the attack to work out how to put out a print newspaper without any access to their software or servers or any IT system.


GRAHAM CLULEY. Yeah.


ELEANOR DALLAWAY. And they bloody well did it. I mean, it's incredible.


GRAHAM CLULEY. That was incredible, wasn't it? I was amazed when they managed to do that because they carried on working despite all their IT systems effectively being shut down.


ELEANOR DALLAWAY. So impressive and remotely as well because they shut the office down and told everyone to stay at home and they still managed to spin that around. It's just amazing business continuity.

But we all know you say it how it is. You say as much as you can without saying too much. But one thing that a victim didn't want to say recently, they didn't want to use the word ransomware in their comms. So instead they used the term unscheduled encryption.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Well, this week in the UK, we saw media reports of two private schools that have found themselves under police investigation. And the reason are these allegations that students have used deepfake tech to create porn images of some classmates.

So the incident reportedly involved students from an all-boys school who manipulated images to create explicit content of girls from a nearby girls' school. And the schools implicated are not named, but they are described as some of the most prestigious private institutions in the UK.


GRAHAM CLULEY. Not the comprehensive I went to then.


CAROLE THERIAULT. Yeah, you're safe. You're safe.

And worse, these deepfake images, which look very highly realistic, were distributed and shared amongst the students at the schools. So up to a dozen female classmates were sexualized and debased via these pornographic deepfakes.

And the whole thing is this is a case of a broader trend where the misuse of deepfakes to create non-consensual explicit content is becoming more prevalent because tools to make it happen are readily accessible and fairly simple to use, as far as I understand. Is that your take as well?


GRAHAM CLULEY. I haven't been in the habit of creating deepfake nudes of my podcast co-hosts, but yes, I just want to stress that.


CAROLE THERIAULT. I meant in your research as a journalist.


GRAHAM CLULEY. I'm not a journalist, for goodness' sake. But I understand it is very easy to do, yes.


CAROLE THERIAULT. So teaming up with End Violence Against Women Coalition, Not Your Porn, and Clare McGlynn, this is a professor of law at Durham University, they're demanding that the next government introduces a new dedicated image-based abuse law. And actually, Glamour magazine shared a few stories, one that included the story of Jodie.

This is not her real name. Jodie, she gets sent a link and she opens it and she finds images and a video of her appearing to have sex with various men.

And the image was deepfaked, digitally altered to edit Jodie's face onto another non-consenting woman's body. Someone apparently posted Jodie's face on a porn site and asked if any other users could create fake porn of her.

And the thing is, is when something happens, it can haunt you for a long time, right? Because once it's out there, it's out there.

So for Jodie, she said she faced years of image-based abuse. So Jodie's images were being used without her consent on dating apps and social media.

One caption reportedly read, "What would you do with little teen Jodie?" Okay, so let's take a pause here. So if this kind of thing happened to me now as a woman in her 40s, I'd be effing distressed, right?

I'd be seriously distressed that my face had been realistically knitted to someone else's body doing something porny or distasteful or whatever. I'd be horrified.


ELEANOR DALLAWAY. Honestly, it's one of the scariest things, I think. And actually, not just— it's more when it comes to my children, I think.

I think about the pictures I put up on social media, on my sort of personal social media accounts. You want to be able to share these cute moments with your children, right?

You want to be able to show them to the world. But at the same time, there's this fear. I have this awful, awful fear that someone will take them and they will be used in the wrong way. It's a horrible, horrible thought.


CAROLE THERIAULT. And Graham, I don't even know how to ask this or if it's even appropriate.


GRAHAM CLULEY. Which means it probably won't be. Yes.


CAROLE THERIAULT. But do you think it might be harder for some men to get their heads around the damage of this kind of action towards women? Basically, if there is a pic of you, you know, your headshot attached to David Hasselhoff's nude body doing sexy times with whoever, you'd love it.


GRAHAM CLULEY. David Hasselhoff would be extremely annoyed about that. Yes, I can understand the hurt that would cause him.


CAROLE THERIAULT. You wouldn't care though, really, would you? You wouldn't see— there'd be no negative impact or—


GRAHAM CLULEY. Well, it'd just be ridiculous. I wouldn't wear red swimming shorts like that. So, no, it's—


CAROLE THERIAULT. I don't think he's wearing red swimming shorts when he's doing the sexy times.


GRAHAM CLULEY. Oh, okay, okay. I see. I have had people do very crude things with my image. Unpleasant people who've pasted my image into other unpleasant images, not just my unpleasant image. And for real? Yeah, yeah, yeah, yeah.


CAROLE THERIAULT. Oh, what?


GRAHAM CLULEY. I don't know if you really want me to say this, but I've had people who've taken my image and pasted it into pictures of bestiality.


CAROLE THERIAULT. Oh my God, I was just gonna say what if that happened to you? Pulling a David Cameron, I was going to call it, right? But if that happened to you, it's upsetting. That would be the amount of shame and guilt that I would imagine women feel.


GRAHAM CLULEY. What happened with me, I'm not suggesting it was deepfake or anything like that. I think it was fairly crude, but it was people who were upset with me for a ridiculous reason on Facebook and were posting up pictures of me and claiming that I was all kinds of unpleasant things and also contacting the HR department of the company we used to work for. Saying, do you realize you employ this guy? And at the time I was out on holiday in the Far East and they were saying, 'We're going to burn down your house and we're going to shoot your partner' and all sorts of other things as well.


CAROLE THERIAULT. So that's really scary.


GRAHAM CLULEY. That kind of thing has happened to me and it is distressing, particularly when it involves other people as well, or when they contact your place of work or when they begin to make threats against people in your family.


CAROLE THERIAULT. I think you just nailed my point. If this is exactly how women feel when they are attached to bodies doing adult pornographic acts, right? The feelings you're describing, I think, are universal across women who've gone through this kind of situation.


GRAHAM CLULEY. I would think so. Yeah. I mean, it's hard for me to put myself in that position, but I would imagine that a woman would feel very uncomfortable because she might fear it's sending out a message that she's the kind of woman who's up for that and isn't afraid to be videoed or photographed doing it as well.


CAROLE THERIAULT. And it's out there for life.


GRAHAM CLULEY. And has it been made by a work colleague or a friend or someone who they encounter? You know, it's really, really creepy and horrible.


ELEANOR DALLAWAY. I honestly think that sort of distinguishing what is real and what is fake is one of the biggest threats to society in the modern world. I just think—


CAROLE THERIAULT. Hear, hear.


ELEANOR DALLAWAY. And not just in this sense, you know, political reasons, propaganda. There's just so— geopolitical tensions. There's so much that comes down to fake news now, and the way it's sort of manipulated in the media is really scary.


CAROLE THERIAULT. Well, listen, so we're going to get back to Jodie's story, okay? Because she figures out who was behind the deepfake.

It turns out it was her best friend. Interesting you said that, Graham, right? A guy called Alex Woolf, who uploaded her pictures to pornographic websites without her consent. And Jodie says, quote, "I saw a photo of me where I'm looking at someone and laughing, and there's King's College Cambridge behind me. And I know exactly who I'm looking at. And my heart drops, because I just know who's on the other side of that photo. I know that is the only person who had that image. Everything just made sense. I knew instantly what he had been doing to me. I knew that I didn't want to hear his excuses or lies. So I went to the only place that I thought could help me, which was the police."

So when Jodie initially went to the police, accompanied by her flatmate, who also was a victim of Woolf's abuse, she spent 3 hours detailing her long history of image-based abuse. The police officer apparently didn't take any notes.

She was later called by a liaison officer who said that there was insufficient evidence to proceed with her case, and they didn't feel as though a crime had been committed. Luckily, Jodi didn't let go.

After reporting the abuse to another branch of the police, she spent 6 months pursuing the case. Often at her own financial and emotional expense.

She had to present all the screenshots and all her own evidence, all 60 pages worth, and she finally got her guy. Wolfe eventually admitted to stealing clothed images of 15 women, including Jodi, from social media and uploading them to porn sites without their permission, and was convicted on 15 charges of sending, by means of public electronic communications, grossly offensive messages of an indecent, obscene, or menacing nature.

And remember, this is in the UK, right? And the upshot here, when we get back to that private boys' school that were creating deepfakes of the girls at the nearby all-girls' school, you know, one of the parents said to The Times, "This has been really hard for our daughter. To find out that these videos have been created of her and had been circulated was a horrible shock. And for her to see 7 weeks later that no one has been disciplined, and that she has no form of apology, is even harder," which I get.


GRAHAM CLULEY. Yeah, when young people— young people go through enough as it is, don't they, without having to deal with this kind of shit.


CAROLE THERIAULT. Yeah, I mean, I'd love to know what you guys think here, but parents, schools, communities are not properly equipped to handle the dangerous growth of tech used to sexualize or demonize or, you know, demean or distress girls and young women, or anyone for that matter. And there's a lack of sufficient legal recourse, right?

So that makes the whole situation worse as the technology gets more easy for anyone to get their hands on. In the interim, do you think tech companies need to do more to stop the distribution of such images?


GRAHAM CLULEY. I think they should probably be policing it a bit more if they're able to. The thing is, sometimes you will find people in authority asking the tech companies to maybe break encrypted messaging systems in order to intercept this kind of thing.

So it's not an easy problem to necessarily fix.


ELEANOR DALLAWAY. And in a way, it's the same as all cybercrime, right? Any crime that happens online, it's just so much harder to hold people accountable and then to throw the law book at them.

It's just, we are woefully inadequate when it comes to punishing those for digital crimes. There was the new law to tackle revenge porn, I believe, wasn't there? One development that we can be grateful for.


CAROLE THERIAULT. Yeah, there are some measures to protect against image-based sexual abuse, including the criminalization of sharing intimate images without consent, cyber flashing, and upskirting. But there's still huge gaps.

And perhaps as a baby step, you know, this was good to read a few days ago, that YouTube now accepts complaints about AI-generated deepfakes that could impersonate. The content must use AI-generated and feature identifiable visuals or voice samples. Now, I don't understand really why the AI generation component matters here. Like if someone did a collage of my head and some body and took a picture of it and distributed it, why is that any less upsetting?

But so in the interim, I'm not even sure what to advise women and girls out there, make sure there are no headshots of you anywhere. 'Cause you never know, it's bullshit. And action needs to be taken now.


ELEANOR DALLAWAY. Exactly my thoughts. Yeah, I'm sorry.


CAROLE THERIAULT. I know this wasn't a ha ha ha piece, but sometimes you got to get real. So I'm stepping off my soapbox now.


ELEANOR DALLAWAY. The part about Graham being merged with David Hasselhoff was fairly ha ha ha.


CAROLE THERIAULT. Not for him.


GRAHAM CLULEY. He doesn't consider it any laughing matter.


CAROLE THERIAULT. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for ISO 27001, SOC 2, GDPR, and more, saving you time and money.

With Vanta, you can unify your security program management with a built-in risk register and reporting, and proactively manage security reviews with AI-powered security questionnaires. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to build trust and prove security in real time.

Our listeners get 10% off Vanta at vanta.com/smashing. That's vanta.com/smashing for 10% off. And thanks to Vanta for sponsoring the show.


GRAHAM CLULEY. In a perfect world, end users would only work on managed devices with IT-approved apps. But every day, employees use personal devices and unapproved apps that aren't protected by MDM, IAM, or any other security tool.

There's a giant gap between the security tools we have and the way we actually work. 1Password calls it the Access Trust Gap, and they've also created the first-ever solution to fill it.

1Password Extended Access Management secures every sign-in for every app on every device. Includes the password manager that you know and love and the device trust solution you've probably heard of on this podcast back when it was called Kolide.

1Password Extended Access Management cares about user experience and privacy, which means it can go places other tools can't, like personal and contractor devices. It ensures that every device is known and healthy and every login is protected.

So stop trying to ban BYOD or shadow IT and start protecting them with 1Password Extended Access Management. Check it out at 1password.com/smashing, and thanks to 1Password for supporting the show.

And welcome back, and you join us, our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.

Better not be. Well, my Pick of the Week this week is not security-related. You'll be very pleased to hear.

This last Saturday, Saturday the 23rd of June, it was supposed to be the date when Parisian mayor Anne Hidalgo was going to swim in the River Seine to prove that the water was clean in readiness for the Olympics.


CAROLE THERIAULT. I can't believe this is your pick of the week! I was going to bring this up during our earlier foray in that, you know, talk about Julian Assange. I was actually going to bring this up.


GRAHAM CLULEY. So you've heard of this? You've heard of this, have you?


CAROLE THERIAULT. Yes, I know all about this.


GRAHAM CLULEY. Go on. Wonderful. Well, this was actually— I didn't know anything about this until it was brought to my attention by a listener of Smashing Security. Let me thank Friso Moselmans, who has been in touch about this Pick of the Week, because he thinks this is fantastic.

So the Parisian mayor was going to swim in the Seine to prove the water was clean, because they've spent €1.4 billion trying to make the water safe enough for the triathlon and the open water swimming events scheduled to take place in the river.


CAROLE THERIAULT. How depressing is it that it's not safe enough to swim in? It's just— makes me heartbroken.


GRAHAM CLULEY. Don't fear, because the Parisian mayor said that last Saturday— no, sorry, last Sunday— they were going to swim in it. And President Macron himself, he said he was going to be dipping his little toe in there. I will have a little swim as well.

Well, you'll never catch me doing a funny accent of the French, so I'm surprised you did that.


CAROLE THERIAULT. But I speak French, actually, so.


GRAHAM CLULEY. So there was a hashtag created called #JeChieDansLaSeine, which is running a website, and that basically translates to 'I shit in the Seine.' And this, their motto was, they have plunged us into shit. It's their turn to plunge into our shit.

And what he's done is he's, this guy set up this website and French people are being told that they have to shit in the River Seine so that the water is of bad enough quality that they might actually do something to clean it up properly.


CAROLE THERIAULT. I hate it. I understand. I understand. But I fricking hate this so much. Anyway, I'm not a supporter.


GRAHAM CLULEY. Are you just jealous because you wouldn't have to do this in the UK because there's already enough shit in our rivers?


CAROLE THERIAULT. No, I just— I'm a swimmer, right? I was a competitive swimmer for 10 years. I swam open waters. I have clean waters.

And I understand, let's clean our waters, but to shit in it in order to make sure it gets cleaner makes me sick.


GRAHAM CLULEY. Well, but also to spend €1.4 billion, Carole, on cleaning up the river just so some athletes can have a swim in it, as opposed to all the other things that money could have been used for.


CAROLE THERIAULT. Not just athletes.


ELEANOR DALLAWAY. Not just athletes.


CAROLE THERIAULT. Afterwards, anyone can get in and have a little, you know, swim-along lesson in your little striped suit. Le petit splish-splash.


GRAHAM CLULEY. You might get run over by a bateau mouche if you did that. I don't think it's that safe. Is it?


ELEANOR DALLAWAY. I feel like defecation has featured way too much in this podcast.


GRAHAM CLULEY. It's about the typical level, to be honest. Welcome, Eleanor.

What I liked about this website is they had a distance calculator, so you could calculate, depending on how far away you lived, on what day you would have to dump your package in order for it to arrive in Paris on the 23rd of June. Which I thought— So this is why Friso got in touch with me and said, it sounds like a perfect Pick of the Week.

Now, unfortunately, Emmanuel Macron has ruined everyone's fun by calling an election. Another one. Which means that the mayor of Paris has said, "Well, I can't swim in it now 'cause I'm campaigning." So she's put it off.

Well, he called an emergency election.


CAROLE THERIAULT. I think they have something what, two weeks or a month to get ready?


GRAHAM CLULEY. It's so ridiculous. Yes. Well, do you think this is the reason though? 'Cause he thought, "Oh, sacre bleu." Sounds like a get-out-of-jail card to me.


CAROLE THERIAULT. "I don't wanna swim in la merde." In la merde.


GRAHAM CLULEY. Exactly. La merde de la merde. That is my pick of the week. Bravo to the French.


ELEANOR DALLAWAY. Just as a side note, I'm sure I read recently that the Thames has over 125 different types of fish living in it, and they also say seahorses and seals live in the sea. No, they're probably all mutants.


CAROLE THERIAULT. It sounds lovely. I was in Trieste recently on a little excursion, and I was— it was a very hot day, and my friend and I went down to the port, and she was like, "Oh my God, I think I'm gonna go in. I'm gonna go in." Right? And she starts taking off her clothes.

And I go, "Don't." 'Cause there's floating, bloated rats everywhere. Like, it was suddenly, as soon as you saw one, you saw them everywhere along the boat. So, our poor waters!


GRAHAM CLULEY. Oh, no, no. Dear, oh dear. Eleanor, what's your pick of the week?


ELEANOR DALLAWAY. The way that things go viral has always totally blown my mind. That sort of instant fame, the obsession that ripples across the globe.

And I really love the fact that pop culture can just transcend any geographical boundary. And genuinely, there are very few jobs I have more respect for than the meme creators.

I mean, obviously surgeons, GPs, teachers, but how clever and how quick-witted are meme writers. So I thought my pick of the week could be looking back at my 3 favorite viral memes of all time.

So I'm going to do it in reverse order, just like the Top 40 back in the day, you know, trying to record them on a tape off the radio. Yeah, cutting out the answer between.

So in third place is I'm Not a Cat, the lawyer turning up to his virtual court in Texas during COVID times with a kitten filter on his Zoom, completely baffling him. Absolutely love that. Do you remember?


GRAHAM CLULEY. Oh, that was wonderful. I love that.


ELEANOR DALLAWAY. And his cute little Texas accent. I loved that. Yes. And I love the eyes because he's trying to turn it off desperately. Flickering going from side to side, "I'm not a cat."

Then at number 2 is— I'm sure you will both remember this one— Guy Goma, the poor unsuspecting man that turned up for a job interview at the BBC for, I think it was a technical computer role actually, but he was mistaken by the people at the BBC as being Guy Kewney. He was being interviewed live on TV about the Apple legal dispute.

And so this poor guy, literally Guy, was thrust into the hot seat under all the cameras and broadcast on live TV, asked about the legal implications of the Apple dispute, when really all he was doing was trying to turn up for a job interview. And his little face, it was amazing. It makes me howl every time I see it. Do you remember that?


GRAHAM CLULEY. I remember Guy Kewney has passed away these days, but I remember speaking to him and he said, "This is all people are ever going to remember me for," all the great journalism he did. But in fact, he will be most remembered maybe for not having been present at that interview when someone else was there they thought was Guy Kewney.


ELEANOR DALLAWAY. He probably became the other guy, right? And then at number 1, my absolute favourite viral meme of all time was the Senator Bernie Sanders at the presidential inauguration in Jan 2021. Do you remember it?


CAROLE THERIAULT. The mittens? Is this the mittens?


ELEANOR DALLAWAY. I mean, the poor man— I like the mittens too. He was just sat there in his mittens, his winter coat, with his arms and legs crossed. Really nothing particularly striking about it, although definitely endearing.

But for some reason, one photographer took a picture of him, and the internet took it and ran with it. And they dropped him in— his picture into almost every famous movie scene. Forrest Gump bench, The Lion King holding up the baby off the Friends sofa. He replaced Neil Armstrong on the moon in one picture.


CAROLE THERIAULT. It would be a great statue of him, don't you think, somewhere? Wouldn't it?


ELEANOR DALLAWAY. It was just fantastic. And I don't know what it was about it, but I loved it so much that my best friend commissioned someone to knit me a knitted Bernie in mittens with his legs crossed for my birthday that year. And I still have it, and it makes me smile. Brilliant. People that visit just think I, you know, I—


CAROLE THERIAULT. It's important to remember what, you know, we love on the internet, I think.


ELEANOR DALLAWAY. Yeah, I'm obsessed with American politics or something, but there you go.


GRAHAM CLULEY. Carole, moving swiftly on, what's your pick of the week?


CAROLE THERIAULT. So my pick of the week is for those of us who have suffered hand or wrist injuries. Maybe things like RSI, maybe something like arthritis in your hand joints. And it's also for fidgeters, you know, those people that are always clicking pens and, you know, doing stuff like that. You know, maybe because you're a bit anxious.


GRAHAM CLULEY. People with a restless knee, people are bumping their knee up and down all the time.


CAROLE THERIAULT. They're restless. Yeah, they have a lot of energy and, you know, maybe they're a little anxious about what they're doing. Anyway, so—


GRAHAM CLULEY. Come the revolution, I'm putting them up against the wall. I'm telling you, they are top of my list.


CAROLE THERIAULT. Oh, one, and get something else that's top of your list on the shit list. Now look, my hands, as you guys know, are super important to me because, you know, in my other life I try to do art and I paint and sketch and I need my hands to do that. And the trick is try and keep them strong and mobile.

So there's a lot of gizmos out there to help strengthen hands, like spring-loaded thingies and fidget toys and all kinds of stuff. But they're all kind of irritating to me so far, you know, too big, too noisy. Too, I don't know, just I'd lose them. I just, I'd not bonded with any of them.

But I found one. My neighbor introduced me to this physical therapy tool called a rubber egg. Okay. And these eggs come in different resistances.

So they're really egg-sized, egg-shaped, and you just can squeeze them and hold onto them and play with them when you're doing anything. Right now I'm doing that with my hand and you can't hear anything. Because it's silent, which is fantastic.

So when you're recording a podcast and you need to fidget, because I'm a fidgeter, you can do it without being annoying. And plus my hands are getting way stronger. So that's a crazy pick of the week, but it's a really good one.

So if you know anyone with arthritis or hands that are getting stiff or have an injury. What are they called again, Carole? These are hand exercise egg-shaped physical therapy tools. There's loads of different brands out there, right?

So I've put a link in the show notes to the ones that I like, the ones I've tried. But literally it's just a piece of rubber in an egg and it has a good little texture and it just— I don't know, I love them. So that's my pick of the week.


GRAHAM CLULEY. Oh, terrific. Well, that just about wraps up the show for this week. Thank you so much, Eleanor, for joining us. I'm sure lots of people would love to follow you online. What's the best way for folks to do that?


ELEANOR DALLAWAY. So on Twitter, I'm just the very imaginative @EleanorDallaway, and on LinkedIn you can follow Assured Cyber Insurance.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors Vanta and 1Password. And of course to our wonderful Patreon community.

It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 376 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. 376, Graham. Oh my God.

377. It's more than 3. This is episode 378, Carole.

Well, that's still impressive. Ah, until next time. Cheerio.

Bye-bye. Bye.


ELEANOR DALLAWAY. Bye!


CAROLE THERIAULT. Slick. Oh my God, slick.

It wasn't that bad. Well done for being under— Thank you.


GRAHAM CLULEY. You must be so uncomfortable. Thank you so much, Eleanor.


CAROLE THERIAULT. I'm on the hottest day of the year.


ELEANOR DALLAWAY. Oh, it is hot, isn't it? I'm gonna send you a couple of snaps.


CAROLE THERIAULT. Yeah, send us some snaps. But maybe just tell, as a final Easter egg to our listeners, tell them how you've been positioned this entire show.


ELEANOR DALLAWAY. So I'm currently sat under a round table in a meeting room in my office that's got sweaty gym towels that I've stolen off of the boys that work in the office, creating a den, like a little child's den. And I'm sort of hunched underneath it.

It's actually very cozy despite being very uncomfortable.


CAROLE THERIAULT. You see, listeners, this is the length to which our special guests go for you.


ELEANOR DALLAWAY. Love you. Thanks so much.

Bye-bye.


CAROLE THERIAULT. Bye. Thanks so much.

-- TRANSCRIPT ENDS --