Transport for London (TfL) suffers a cybersecurity incident and tells its 30,000 staff they will all have to have their identities verified... in-person. Who might have been behind the attack and why? Meanwhile, Donald Trump's curious relationship with cryptocurrency is explored.
All this and Demi Moore is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
(This episode was recorded before the former US President survived a second assassination attempt)
Episode links:
- TfL cybersecurity incident announcement.
- TfL Employee Hub.
- DICK'S shuts down email, locks employee accounts after cyberattack - Bleeping Computer.
- MGM Resorts shuts down IT systems and slot machines go quiet following "cybersecurity incident" - Hot for Security.
- Teenage suspect in MGM Resorts hack arrested in Britain - The Record.
- Arrest made in NCA investigation into Transport for London cyber attack - NCA.
- Donald Trump Prepares to Unveil World Liberty Financial, a Cryptocurrency Business - The New York Times.
- Behind the Trump Crypto Project Is a Self-Described ‘Dirtbag of the Internet’ - Bloomberg.
- Cryptocurrency price on July 22: Bitcoin hits $68,000 level, Dogecoin, Avalanche surge up to 11% - The Economic Times.
- Trump vows to make US ‘world capital of crypto,’ taps Musk for new task force - CoinTelegraph.
- What bankers need to know about Trump's World Liberty Financial - Yahoo! Finance.
- Bitcoin soars to two-week high after Trump attack - Reuters.
- Trump pitches himself as 'crypto president' at San Francisco tech fundraiser - Reuters.
- Aave fork on Blast mistakenly liquidated $26m - Crypto news.
- Crypto Talk With Chase Hero - Ep.7 (The Watchers) - YouTube.
- Tamdrum.
- "Inside Out" by Demi Moore - HarperCollins.
- THE SUBSTANCE trailer - YouTube.
- Demi's Big Moment - Vanity Fair.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Flashpoint - Access the industry’s best threat data and intelligence.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Well, he doesn't even use computers, does he? Tends to write his tweets or Truth Social posts on Post-it notes. Yeah, and other people type them in for him. No, he famously doesn't use email and things like that, does he?
CAROLE THERIAULT. Yeah, well, you see, a person after my own heart.
UNKNOWN. Smashing Security, episode 385. TfL Security derailed, and is Trump the king of crypto? With Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 385. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, it's a little bit different this week, isn't it? Because we're recording this a few days earlier than normal in our schedule.
CAROLE THERIAULT. Yeah, because normally we do it on a Tuesday and push this out Wednesday midnight UK time. But this week we are recording on Sunday.
GRAHAM CLULEY. Sunday night, my time. After my bedtime, this is. And you're in another part of the world.
CAROLE THERIAULT. Yeah, secret mission. You don't need to.
GRAHAM CLULEY. Okay, we'll get on with it, shall we?
CAROLE THERIAULT. Yes, yes, yes. But before we kick off, let's thank this week's wonderful sponsors, 1Password, Vanta, and Flashpoint. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be talking about the Bakerloo Blues and a Piccadilly panic.
CAROLE THERIAULT. Very cute. And I'm going to drill into the recent crypto revival. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Chums, chums, let me tell you a story because on Monday, September 2nd, Transport for London, also known as TfL, they are the team responsible for public transport in London, the Underground, the trains, the buses. They revealed they were dealing with what they called an itsy bitsy little— well, they didn't describe it like that. It was a cybersecurity incident. That's what they said.
CAROLE THERIAULT. Dun dun dun!
GRAHAM CLULEY. And it turned out the previous day, the Sunday, they'd identified some suspicious activity on their systems. But not to fear, they said, because there was currently no evidence that any customer data had been compromised.
CAROLE THERIAULT. Phew!
GRAHAM CLULEY. Sigh of relief.
CAROLE THERIAULT. Yeah, the trains are going to crash, but don't worry, your data's safe.
GRAHAM CLULEY. No, no, no, no, no. This isn't a Bruce Willis movie, Carole.
CAROLE THERIAULT. No, no, sorry, that's misinformation. I was just being facetious.
GRAHAM CLULEY. So nothing like that happened. No impact on the travel services. They're working closely with the NCA, the National Crime Agency, and others to respond to the incident. And of course, the fact that they said they were unable to comment any further, oh, that led to lots of speculation. It was pouring diesel onto a bonfire of speculation. Could it be ransomware? Had they suffered a, I don't know, a Brent Cross site scripting flaw or a two-team— what is a pun? Brent Cross, which is a tube station. Brent Cross Site Scripting Flaw. Do you get it? Brent Cross Site Scripting Flaw, or—
CAROLE THERIAULT. It's always the best jokes that need an explanation, I think. Yes.
GRAHAM CLULEY. How about this one? A Tooting business email compromise, better known as a Tooting BEC, or Tooting Bec. If you know your tube stations, what I've said there was really, really funny. But never mind. No.
CAROLE THERIAULT. The puns.
GRAHAM CLULEY. The puns are writing themselves today rather than having a professional to write them for them. Anyway, the silver lining in all this was that they hadn't seen any evidence that customer data had been accessed, which remains the case, marvelously, until they did reveal last week that customer data had been compromised. Of course, often in the instant aftermath of a cyber breach, you may not realize quite what the extent of it may be.
CAROLE THERIAULT. So did they not know? That there was any data breach, or did they know and they were just keeping it hush-hush, do you think?
GRAHAM CLULEY. Oh no, I think it can be hard to tell. I think first it's really hard to tell what files may have been accessed, where they may have gone, what they may have taken. It's not like stealing the crown jewels and there's a gap. You know, it's data that potentially has been just copied.
So in their words, they said very little, very little customer data has been taken out.
CAROLE THERIAULT. I thought they said very little.
GRAHAM CLULEY. Oh well, they did say very little and they said very little. OK. In both meanings, yes.
And you and I, we've travelled on British transport and around London.
CAROLE THERIAULT. Of course.
GRAHAM CLULEY. We've suffered very little delays from time to time, haven't we?
CAROLE THERIAULT. Some delays. Occasional delays.
GRAHAM CLULEY. Occasional delays. Sometimes it can be hours and hours and hours. So you don't always trust them when they say, you know, it's always very, very small problem, very small problem.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So the question was, how much customer data was taken?
CAROLE THERIAULT. Give us specifics, please.
GRAHAM CLULEY. And they said, well, listen, they said there's a problem. They said the problem is the situation is evolving.
CAROLE THERIAULT. We would have said that when we did our PR comms days. If we were in this situation, we would have said this exactly.
GRAHAM CLULEY. But now we're cybersecurity podcasters, so we can make fun of this. They said this.
CAROLE THERIAULT. I'm not making fun of it. I understand. I feel their pain.
The media is just hounding them. They are trying desperately to work out what the fuck happened. They are effectively victims. And that victimization is going to be passed on to users.
And it's a shit show of a situation. And the media is like, what happened? What happened? How many customers?
GRAHAM CLULEY. Well, I wondered whether it was evolved in a good way, because sometimes things evolve in a good way, don't they? Like we have opposable thumbs and we can, you know, do things which chimpanzees can't do or dolphins can't do.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. Ride bicycles, for instance. But I've also seen Alien, and that evolved in quite a bad way. Anyone who saw John Hurt's chest explode in that movie will remember.
CAROLE THERIAULT. So, you know, that, that great documentary.
GRAHAM CLULEY. Yeah, factual documentary. That's right.
So they said, although there's been very little impact on our customers so far, the situation is evolving. Our investigations have identified that certain customer data has been accessed, including customer names and contact details, email addresses and home addresses where provided.
CAROLE THERIAULT. I don't know if I'd say that's very little, but—
GRAHAM CLULEY. Well, yeah, they didn't say how many.
CAROLE THERIAULT. Yeah, okay.
GRAHAM CLULEY. They just said some. I don't like that they only said some, and maybe that's because they don't really know at the moment.
But then they went on, they were a little bit more specific. They said also some Oyster card refund data. That's the travel card used in London. They say that may have been accessed, including bank account numbers, sort codes, for round about 5,000 customers, they say.
CAROLE THERIAULT. Very little. Very little.
GRAHAM CLULEY. Not much to feel good about if you are one of those 5,000.
CAROLE THERIAULT. Of course, I was being facetious. I'm sure that was clear. Wow.
GRAHAM CLULEY. Yes, you also. Yes.
So, so far, so normal. But when a company gets hacked, the impact isn't just to its customers. It's also impacting their IT systems.
CAROLE THERIAULT. Whose IT systems? The customer's IT systems?
GRAHAM CLULEY. No, no, the IT systems of the organisation that's been hacked. So TfL in this case, right?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So, live tube arrival information wasn't available on their website and in their app, although it was still available at the stations themselves. You couldn't apply for a new Oyster photocard.
They said, if you can't get a new photocard, carry on making your journeys as usual, please keep on giving us money, but keep a record and maybe we can arrange a refund in the future. They said, maybe we'll be able to do that once we've resolved this cybersecurity incident.
So there was an impact on the IT systems, and they said some of our staff may not be able to access systems either, so it may be difficult. But when a company gets hacked, it's not just about its customers, and it's not just about its IT systems, it's also about the employees.
And TfL revealed that workers' email addresses, job titles, employee numbers were also accessed. Although at this point of time, at the time of recording, Sunday night, don't forget, they don't believe other data such as bank details and dates of birth and home addresses, they don't think that's been accessed.
CAROLE THERIAULT. Yeah, this dribble effect is not fun, is it?
GRAHAM CLULEY. No.
CAROLE THERIAULT. This is just dribbling, dribbling, and every time they dribble, it's more awful, awful stinky stuff that you just don't want to hear.
GRAHAM CLULEY. They're stuck between a rock and a hard place. I mean, it's horrible obviously for the employees and customers that more and more information begins to dribble out and it's generally bad news.
But it's also really tough for the organization because they're thinking, well, we need to tell them what we know so far, even if we don't know the story.
CAROLE THERIAULT. Yeah. If we don't know shit, we're in panic mode. People are yelling at us left, right, and center.
And we have to act calm, cool, and collected and give people information they're asking for. Otherwise, it looks like we're hiding information. And this just happened, right? This just happened.
GRAHAM CLULEY. Well, the start of this month. Yeah. It's now two weeks later since it first happened.
CAROLE THERIAULT. Yeah. Yeah. They're not a tech firm, but they're an important infrastructure in London, key infrastructure.
GRAHAM CLULEY. Yes. Now, sometimes when a hack like this occurs, you kind of have to assume the worst, don't you? Because if you assume the worst, at least it's not going to get any worse than that.
And at least that may be the best route to recovery. So one of the things that they've decided to do is they're going to undertake an all-staff IT identity check. So before any member of staff can log back into their system, they're going to verify those users' identities.
CAROLE THERIAULT. I haven't heard of that happening before.
GRAHAM CLULEY. Well, it's a bit like resetting a password on a website.
CAROLE THERIAULT. I mean, I get it. I get it. It's interesting. But that's a lot of staff when you talk about the Tube in London.
GRAHAM CLULEY. Well, yeah, because they're telling these people to show up in person. They're not telling them to do this via their computer.
They're not telling them to do it even via video call. You have to show up in person. 30,000 people are being told to show up in person.
CAROLE THERIAULT. Please arrive on Monday between 9:30 and 10:30.
GRAHAM CLULEY. That's exactly what's happening.
CAROLE THERIAULT. No!
GRAHAM CLULEY. I hope they're not trying to get there by train. That is exactly what is happening. There are eight locations across London, and I've seen the photographs posted on social media of these huge long queues. It's like queuing for a Taylor Swift concert, going up the street through offices.
Huge queues of people waiting to have their identity checked. They're taking their passports with them and all the other information. Now, checking the identities of 30,000 people in person—huge logistical challenge.
CAROLE THERIAULT. Mm.
GRAHAM CLULEY. And as I said, they're giving staff time slots to show up at the locations. They've warned the public that as this process is being carried out, there may be limited disruption to travel services as well.
CAROLE THERIAULT. Very, very little. Very little.
GRAHAM CLULEY. Very little. Very little. So, few questions. Why are they doing it this way? Couldn't they have done this via video link instead? And I was talking to somebody about this.
CAROLE THERIAULT. Yeah, I wouldn't trust it with AI stuff now.
GRAHAM CLULEY. I wouldn't trust it. Well, that's—see, yeah, that's exactly what they said, Carole. They said, well, what about if it were deepfaked? But my reaction to that was, well, maybe technically they could, but I don't know if it'd be the most convincing thing. But wouldn't it be easier for a criminal just to turn up in person with fake ID posing as an employee in that person's name? Wouldn't that be easier just to do that?
CAROLE THERIAULT. Well, you could pose, may not get through. They might go, nice fake ID there, bubba. Let's go. You know, nice try.
GRAHAM CLULEY. Well, who's doing these identity checks? It's not Miss Marple. I mean, is it going to be someone who's—
CAROLE THERIAULT. I don't know. Maybe you should go and investigate, do some deep, deep investigation, see what's going on.
GRAHAM CLULEY. I also thought, why not have bosses verify their staff? Could the bosses not have rung up their staff? Obviously not if you have hundreds of people working for you, but, you know, it must cascade down.
CAROLE THERIAULT. Yeah, I'm actually—I think this is the right thing to do.
GRAHAM CLULEY. You do?
CAROLE THERIAULT. Because what it says to the public is this was a big fucking deal, which it is, right? And the public want the TfL to say this is a big deal.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And this is a way to help build trust again, and that it's going to be painful. But how long will it take? Maybe a few weeks of nightmare?
GRAHAM CLULEY. Now, something similar has happened before where they've had to verify all their staff. Not very long ago. Do you know Dick's at all? You're in North America. Dick's is a sporting chain. They got hacked. They shut down all their email system and they re-verified people via video call. So I guess TfL considered all their options, decided that although disruptive, this in-person check was the way in which they could feel most confident about what they're doing. But what I'd say to any organizations out there listening, consider how you would handle this.
How would you identity check all of your staff before giving them access to your network again? How disruptive would it be? Have you planned for that kind of situation? Now, when I was hearing about this hack, Carole, I was reminded of another organization that was hacked. MGM Resorts last year suffered a cybersecurity incident.
CAROLE THERIAULT. I remember, yeah.
GRAHAM CLULEY. Their slot machines went down, their ATMs.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Some people couldn't get into their hotel rooms, hitting all those hotels in Las Vegas. And it was later revealed that the hackers who were members of the Scattered Spider gang had socially engineered MGM Resorts' IT help desk, pretending to be an employee who'd been locked out of their account. And said, "Oh, can you help me if my two-factor authentication, you know, it's not working," you know, answering some questions.
And they gained access and were handed the login credentials. That cost MGM over $100 million, which I imagine included the cost of resetting employees' login credentials and two-factor authentication tokens.
CAROLE THERIAULT. And you know what, though, I'm— boohoo, boohoo, really. Like, MGM Resorts can afford that.
Surely that is what of their annual turnover? I'm not saying that, but I'm just saying they can afford it. I'm not sure the shareholders would have been happy.
GRAHAM CLULEY. Oh, I'm sure not. But again, I'm not sure I believe in that whole, you know.
So one other side to this story with this TfL hack, we haven't really considered the big question is who was responsible? And it looks like the police may have worked that out because within just a few days, like 3 days of TfL announcing its cybersecurity incident, the NCA, the National Crime Agency, arrested a 17-year-old teenage male in Walsall. This highly sophisticated cybersecurity attack wasn't done by a nation state.
CAROLE THERIAULT. He doesn't even have peach fuzz on his chin.
GRAHAM CLULEY. They arrested him and they questioned him on phishing and Computer Misuse Act offenses, and he was released on bail. Now, this is a funny coincidence because UK computer crime cops paid another visit to Walsall in the West Midlands a couple of months ago.
In July, they arrested— yes, a 17-year-old teenage male in Walsall suspected of being a member of the Scattered Spider gang, who are thought to be behind the MGM hack. Okay, so I don't know how many 17-year-old youths there are in Walsall, or indeed how many of them may be in the habit of possibly hacking organizations and giving IT support teams a headache over login credentials, or someone has a router right in their basement, wherever they're using it. Oh, you think it's just a compromised computer?
CAROLE THERIAULT. And then it's just some 17-year-old is going, "I don't really know what's going on here." That's possible.
GRAHAM CLULEY. You should work on the defense case, I think. It seems to me quite right to ponder if it's possible that the reason the UK police were able to find a suspect in the TfL hack quite so quickly was because they had the address of a suspect in another high-profile hack still in their sat-nav history.
So they just said, let's go back to Walsall and pick up this guy. Some people have dubbed this not an advanced persistent threat, but an advanced persistent teenager.
CAROLE THERIAULT. But that's also a really excellent joke and well done you.
GRAHAM CLULEY. Well, it wasn't original, that one.
CAROLE THERIAULT. You told it so well.
GRAHAM CLULEY. Crow, what's your story for us this week?
CAROLE THERIAULT. So, okay, we're going to go back a bit. So let's think back late 2023.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And at the time, I kind of thought that the whole crypto bandwagon was dwindling, you know, with so many exchanges, you know, having to disclose hacks like Binance or FTX.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. There was even some declaring bankruptcy, FTX. Plus the soaring valuations that we were seeing were looking like they were calming down.
Like Bitcoin, for example, which was being valued at $60,000 per coin in '21-'22, was more in the range of $20,000 per coin in 2023. So that's a big dip.
And there was of course this legal quagmire faced by FTX's Sam Bankman-Fried and four of his honchos facing accusations of fraud, conspiracy, and money laundering. And they weren't alone in that.
So all this happening, I'm thinking, ah, crypto, it'll soon be something for the history books.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. But then mid-July 2024, something happened. Bitcoin screamed upwards, from something like $25K to $67,000 per Bitcoin.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. That's a huge jump. It's gone right back up.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And Bitcoins weren't the only coin to see a dramatic uptick, you know. So did Solana, so did doggy coin— sorry, Dogecoin.
In fact, the global cryptocurrency market cap rose by 0.7 to around $2.45 trillion. So big, big things happened.
Can you think of why? Oh, what would have led in mid-July? It coincided with political incidents.
GRAHAM CLULEY. Mid-July. Was it Joe Biden decided to get out of politics and he's going to invest in cryptocurrency instead?
Was it something? No, I'm on the right lines.
CAROLE THERIAULT. First part was right. Biden's announcement that he would not seek reelection certainly had an impact.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. But also, I'll read a headline to give you a hint here. Bitcoin surged to a two-week high on Monday after the attempted assassination of the former president.
GRAHAM CLULEY. How quickly we've forgotten all about that.
CAROLE THERIAULT. Well, I hadn't.
GRAHAM CLULEY. I know, but it's astonishing, isn't it? That should have been the story of the year.
CAROLE THERIAULT. Yeah. Totally. That happened.
GRAHAM CLULEY. That happened. But, you know, that was a couple of weeks ago now.
But yeah. Okay. So how did that affect cryptocurrency?
CAROLE THERIAULT. Well, the combination together. Right.
So specifically, Biden stepping down. This news was seen as beneficial to the crypto space because it increased the chances of Trump's return, who is perceived as more crypto friendly.
GRAHAM CLULEY. Oh, I see.
CAROLE THERIAULT. And crypto friendly, the Republican hopeful seems to be. Because just a month before the crypto stocks started doing their aforementioned uptick, Trump pitched himself at the San Francisco tech fundraiser.
He pitched himself as the crypto president. That's a quote.
GRAHAM CLULEY. Right. Whereas Joe Biden was just from the crypt.
CAROLE THERIAULT. Well, Reuters reported that at this event, our man slammed the Democrats' attempt to regulate the sector. And this is key to the issue, right?
Regulators have been sniffing around a lot more since the bankruptcies at major crypto firms. Yeah, it spooked investors and exposed fraud and misconduct and left millions of investors out of pocket.
And the Democrats are saying even now, they want to look into this and maybe regulation is needed. And of course, the crypto hoi polloi definitely don't want the Wild West that they've created of decentralized money generating schemes to be bogged down by rules.
Which would hold them more liable for losses or lack of security or lack of ethics or whatever.
GRAHAM CLULEY. What possible benefit would come from policing and regulating cryptocurrency more so that people didn't lose all of their savings?
CAROLE THERIAULT. Exactly. And they've managed to sell this, right? Saying, don't let this be regulated because you're going to lose money. Right now, this is where you can make hay. It's the gold rush. So it makes sense that crypto dudes, they would be very happy that there is at least one presidential candidate that seems to be on side against regulation. But wait, the Republican candidate of which we speak is even more crypto-friendly than that.
GRAHAM CLULEY. He who shall not be named. Yes.
CAROLE THERIAULT. This past Monday, the wannabe pres with the Florida tan.
GRAHAM CLULEY. I don't think the tan comes from Florida. I think it comes from Coupranol. I don't think that that's a tan that has come from sunlight.
CAROLE THERIAULT. Always really small, you know, he's been wearing goggles.
GRAHAM CLULEY. That's why.
CAROLE THERIAULT. But our man is to announce the debut of a brand new crypto platform called World Liberty Financial. This is a brand new decentralized financial platform that will be controlled by sons Trump Jr. and Eric Trump.
GRAHAM CLULEY. There's going to be a Trump coin.
CAROLE THERIAULT. Quote, we're embracing the future with crypto and leaving the slow and outdated big banks behind, he said in a video posted Thursday on X from Mar-a-Lago. World Liberty Financial has apparently partnered with AAVE. I don't know how you say that, A-A-V-E, AAVE, a crypto lending platform. So I did a little digging, and huddle huddle, because they had a bit of a nightmare last April where they accidentally liquidated $26 million in assets belonging to their users.
So accidentally, apparently, right? So you need to have a certain threshold in order to be a user, I guess. So you have to have at least X amount of cash or something in there, right?
GRAHAM CLULEY. Yep. Sounds familiar.
CAROLE THERIAULT. They accidentally changed that threshold to make it higher. So suddenly loads of users didn't meet that threshold and the systems just flushed out their assets and sold them off because they couldn't be holders.
GRAHAM CLULEY. I wouldn't want my assets flushed.
CAROLE THERIAULT. So that's fun. So they're the partner. And the other question mark is with the dealmaker for World Liberty Financial. So according to Bloomberg, Chase Herro, double R-O, that can't be his real name. I mean, come on, Chase Herro.
GRAHAM CLULEY. The name's Herro. Chase Herro.
CAROLE THERIAULT. So Chase Herro is apparently an interesting choice because he's kind of labeled by many in the industry as effectively unknown. He only had one crypto project, which he's publicly affiliated with, and it attracted just a few million dollars and then suffered a devastating hack. So that's his background.
GRAHAM CLULEY. Sounds promising.
CAROLE THERIAULT. Yeah, there's a YouTube video with Herro. It's from 2018 and it's on YouTube still, right? So you can see it in the show notes.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. It's called Crypto Talk and he's there driving a Rolls-Royce and he says, quote, "You can literally sell shit in a can wrapped in piss covered in human skin for $1 billion if the story's right, because people will buy it." Hang on. He has in the past called himself reportedly the dirtbag of the internet and says that regulators should kick shitheads like him out.
GRAHAM CLULEY. And this is the person who's teamed up.
CAROLE THERIAULT. This is the dealmaker, right? Yeah. Sounds promising, right? I can't wait. And the icing on the cake, the icing on the cake, the man that X'd Twitter. Can we just have a little hand clap for me? Because that's cute, right? X Twitter. Or has that been used many times?
GRAHAM CLULEY. The person who X'd Twitter? What do you mean?
CAROLE THERIAULT. X'd? Yeah, X'd Twitter. It's kind of like axe Twitter. You get rid of it, put an X across it.
GRAHAM CLULEY. Oh, okay. That— oh, that's the— no, no, no, that's as good as my puns were earlier, in fairness.
CAROLE THERIAULT. Okay, whatever. The man that X'd Twitter, the richest man on the planet, has our presidential hopeful's endorsement to head a new governmental crypto task force. And I think that is an amazing idea because we all know how much Elon loves regulators and he never rocks the boat for his own weird entertainment.
And why not have him be in charge of that? I think that sounds fantastic.
GRAHAM CLULEY. What you're saying, that Elon Musk, if Donald Trump wins the election, right?
CAROLE THERIAULT. If, if, if he wins the election, he has Trump's endorsement to be the head of this government crypto task force at the moment.
GRAHAM CLULEY. Okay, but I don't think that means Elon Musk will do it though, will he?
CAROLE THERIAULT. No, but he might just for the kicks. Now, all this crypto hype is a little bit of a U-turn for the former president, who has previously described himself as not a fan of cryptocurrency.
GRAHAM CLULEY. Well, he doesn't even use computers, does he? Tends to write his tweets or Truth Social posts on Post-it notes.
Yeah, and other people type them in for him. No, he famously doesn't use email and things like that, does he?
CAROLE THERIAULT. Yeah, well, you see, a person after my own heart. In 2019, he tweeted that cryptocurrency can facilitate unlawful behavior, including drug trade and other illegal activity.
But we do all know, and I think I can say this, that this guy loves the stink of the green, doesn't he? And it looks like he's set to go down the crypto highway to find it.
So people that are intrigued, I think trusted advice on crypto is worth remembering. So first, before you get all excited, learn how cryptocurrencies work, the difference between various types of crypto assets like Bitcoin and altcoins and stablecoins and tokens and all that stuff, and deep dive into any project you're interested in.
Notably, we can't really deep dive into this project because there's not a lot of information that has been put out as of Sunday the 15th of September. Evaluate your risk tolerance.
Basically, only invest what you can afford to lose. And secure your investments with reputable exchanges with solid reputations.
GRAHAM CLULEY. This is, this is the killer one, isn't it?
CAROLE THERIAULT. And maybe store your crypto very, very safely, like in a hardware wallet or a secure wallet.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Take heed, my friends. That's my advice.
GRAHAM CLULEY. This episode of Smashing Security is brought to you by Flashpoint. 2024 has been a year like no other for security. Cyber threats, physical security concerns have continued to increase.
Now geopolitical instability is adding a new layer of risk and uncertainty. Last year there was a staggering 84% rise in ransomware attacks and a 34% jump in data breaches.
Flashpoint empowers organizations to make mission-critical decisions that will keep their people and assets safe. How does it do that?
By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts, and analytics all in one place. It's no wonder Flashpoint is trusted by mission-critical businesses and governments worldwide.
To access the industry's best threat data and intelligence, visit flashpoint.io today. That's flashpoint.io.
Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing.
That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.
Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Sophos, FlowHealth, and Quora use Vanta to manage risk and improve security in real time.
Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security related. It's also not a funny story, a book that I've read, a TV show, a movie, a record, a podcast, a website, or an app.
CAROLE THERIAULT. Whoa.
GRAHAM CLULEY. It is instead whatever I like. Oh, because while I was on honeymoon earlier this year in Barcelona, I heard a melodic sound coming from this little town square, and I walked into it, and there I found a man playing an instrument of melodic percussion known as the tam drum.
And I was rather taken by it. I said, "That's a lovely instrument you got there, sir," I said in my faltering Catalan.
And he said, "It's a tam drum. Would you like to buy one?" And I bought one.
CAROLE THERIAULT. Oh my God, did you?
GRAHAM CLULEY. I did, as a little honeymoon gift for myself and for my partner.
CAROLE THERIAULT. I bet she loves it.
GRAHAM CLULEY. She does love it. It is an instrument recycled from an old propane gas bottle grabbed from a scrapyard.
CAROLE THERIAULT. Oh no, I do like these things. Yes, I'm looking at one right now.
I've seen these. Yeah, they have a very nice sound.
GRAHAM CLULEY. It has a very beautiful sound.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. In fact, I'm going to start playing one now in the background so everyone can enjoy it.
CAROLE THERIAULT. And I'm going to talk a bit softer now that that's playing.
GRAHAM CLULEY. Okay, yeah, because it's all a bit namaste now. It's all a bit meditation, yoga, all that jazz.
CAROLE THERIAULT. My kind of stuff.
GRAHAM CLULEY. You play it with your hands or more easily with little rubber sort of xylophone mallet things, sort of. It's a— I don't know what you're giggling about. You're making your own jokes back there. It's a bit like, I was trying to work out how to describe it. You know, steel drums. You know, you get steel drums.
CAROLE THERIAULT. They can hear it right now.
GRAHAM CLULEY. I know you can hear it right now. I'm trying to describe what it looks like. It's the inverse of a steel drum. So you're sort of banging on the outside of it and you get these beautiful sounds. Anyway, it's easy to play even if you're an adult like me, but in the hands of someone with a musical lean, and one of my stepsons is very musical, tinkle tonkle. It's really lovely. And I will link to the website where we can get them. Obviously, it's going to cost you a bit because you'll have to get it shipped from Barcelona, unless you're out there. But I've got one on my living room table, and everyone who comes by has a little tinkle tonkle, and it's a lot of fun. And that is my pick of the week, the tam drum.
CAROLE THERIAULT. Brilliant. There you go.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay, look, I've been reading a lot recently. And I just, I kind of started getting overwhelmed by fiction. After a while, I was just okay, enough. So I decided to check out a random memoir. And I chose one from Demi— no, Demi, I learned Demi Moore. Demi Moore.
GRAHAM CLULEY. Demi Moore.
CAROLE THERIAULT. Inside Out. Ten years ago she wrote this. And the reason I chose this is because over the weekend I read that Demi— or no, Demi is starring in a new maximalist movie called The Substance. Have you heard about this?
GRAHAM CLULEY. The sub— no, I haven't heard of The Substance. No.
CAROLE THERIAULT. Well, it's just come out. It follows 61-year-old actor Demi. She plays a character called Elizabeth, and she basically in the movie tries a black market drug to create a younger version of herself. Okay, apparently it's the most grotesque movie of the year. I'm dying to see it. This is totally up my alley. And I found this memoir, Inside Out. And I don't know, she was a big deal for me because I was exactly at the right age when she kind of rose to fame.
GRAHAM CLULEY. When she did Ghost with Patrick Swayze?
CAROLE THERIAULT. Oh, way before that. She was in St. Elmo's Fire, Brat Pack. You know, she was dating Emilio Estevez. I was getting those magazines: who's dating who? And oh, oh my God. And you know, there was Rob Lowe and Molly Ringwald and all that stuff. So that was my whole rock space. And the book, this book Inside Out was written after her relationship with the 20-year-younger boy toy Ashton Kutcher went south. So she talks about her shitty childhood, her rise to fame, her relationship with Brucey Brucey Willis, the movies she did. You know, she was the highest paid actress ever for a while.
GRAHAM CLULEY. Really? Yeah.
CAROLE THERIAULT. And she talks about that cover she did with Annie Leibovitz, you know, the 1991 Vanity Fair cover where she's—
GRAHAM CLULEY. Oh, when she was pregnant and naked. Yeah.
CAROLE THERIAULT. Mm-hmm. Everyone knows of that.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And I read the article, I found it in an archive, and I've put that in the show notes as well. It is so judgy about her. It's really, you know, they basically kind of treat her as a princess that is not worth her success.
But I did read something in that article that I don't think was in the memoir. Okay, and this is when she was married to Bruce Willis. So apparently the Willis gave birth on film in addition to an audience of six friends. This is all in the Vanity Fair article. And in addition to an audience of six friends, the couple had three video cameras taping the big event.
The guests included their massage therapist, Moore's personal assistant, Bruce's best friend Carmine, Moore's girlfriend Patsy, and of course Randy the video operator.
GRAHAM CLULEY. So they've got multiple cameras. That means different angles, giving birth, and an audience. Is there a director's cut?
CAROLE THERIAULT. Demi is quoted as saying, "The doctor was there, but Bruce's hands were in me pulling Rumer out." That's the name of their daughter. "We have it all on video. I stayed very calm.
I had the baby's head out of me. I was touching her ear, and I said to Randy, 'Are you getting this?' I want to make sure he has it in focus." Crazy bonkers.
GRAHAM CLULEY. Hollywood.
CAROLE THERIAULT. But the book is basically that as well. It's fascinating. So she's lived in a vastly different life from mine. So that's my crazy pick of the week, Demi Moore's 10-year-old memoir Inside Out. I really enjoyed it, Graham. I think you might too.
GRAHAM CLULEY. I don't know, maybe I'll put it on my list with my Libby app. Maybe I'll find it. Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Pocket Casts, Spotify, and Apple Podcasts.
CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Flashpoint, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 384 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time. Cheerio. Bye-bye. Bye-bye.
CAROLE THERIAULT. Clue. 15 episodes to go before we hit the big 400.
GRAHAM CLULEY. Should we even recognize?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Should we just wait till 500? It just seems a bit pathetic celebrating a 400th episode.
CAROLE THERIAULT. Well, okay, you don't have to celebrate. I'll celebrate. Why don't you stay home?
GRAHAM CLULEY. Don't even show up.
CAROLE THERIAULT. I'll have my own show for a day. I'll invite my own Graham replacement for the show. And we'll have a 400th party. Oh.
-- TRANSCRIPT ENDS --