
391: The secret Strava service, deepfakes, and crocodiles


In this week's episode your hosts practice standing on one leg, Carole gives Graham a deepfake quiz, and we investigate how Strava may be exposing the movements of world leaders.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.


Sponsored by:

  • BlackBerry - Tune in and empower your team with the knowledge to stay connected, no matter what crisis. Learn more about BlackBerry's critical event management solutions.
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. I'm afraid of crocodiles.


GRAHAM CLULEY. You should be.


CAROLE THERIAULT. And you know what? I should be because their jaws are nothing else. They could just cut you in half.


GRAHAM CLULEY. And they're just down the road from you, Carole Theriault.


CAROLE THERIAULT. They have very little legs. It'll take them a while. If they— oh, they could swim.


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. I'm going to have nightmares tonight. Could they climb stairs?


UNKNOWN. Smashing Security, episode 390. 391. The secret Strava service, deepfakes, and crocodiles. With Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 391. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Carole?


CAROLE THERIAULT. Yes?


GRAHAM CLULEY. Hello.


CAROLE THERIAULT. Uh-oh. Are you leaving the show?


GRAHAM CLULEY. No, no, no, no. The AI Fix isn't quite that popular yet. So nope, still—


CAROLE THERIAULT. Can we bleep out the name?


GRAHAM CLULEY. Why would you want to bleep out the name?


CAROLE THERIAULT. I don't know. You get a lot of mentions.


GRAHAM CLULEY. Well, I don't know that we do. Not as many as Sticky Pickles gets.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Would you the AI Fix?


CAROLE THERIAULT. No, but I'd like to kick off this show and thank this week's wonderful sponsors, 1Password, BlackBerry, and Vanta. It's their support that helps us give you the show for free. Now, coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be talking about striving for security.


CAROLE THERIAULT. Okay, and I'm gonna be asking whether we are deepfaking our way into a hole. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, it may well have escaped your notice because it's been hidden under a bushel a little bit, this particular news, but there are some elections just around the corner, in particular in the United States. Are you aware of these, Carole?


CAROLE THERIAULT. Oh, yes. My story touches upon them as well. Because it's big, big news, and it has a global impact on whatever happens. So, I think everyone's watching it and paying attention to it. So, apologies if you're bored up to your eyeballs of hearing about the election, but it's a big deal.


GRAHAM CLULEY. So, Kamala Harris and Donald Trump, they're oiling themselves up in readiness for their tussle, which is going to be occurring on November 5th.


CAROLE THERIAULT. It's not WWE, dude.


GRAHAM CLULEY. Well, maybe it is. As we know, it's very, very close. The two candidates, very close in the polls. It's hard to predict the result of the election at this point.

One thing we can be absolutely certain of is that Donald Trump will be announcing that he won within hours of the polls closing. So, Joe Biden, Donald Trump, Kamala Harris, these are the very, very, very important people protected by the Secret Service, as are as well their partners, Melania Trump, Jill Biden, and whoever Kamala's married to.

They're all protected because they're important people. We don't want them being bopped off. And it's just like the data at the heart of your company. You don't want your country's leaders or the potential next president to be deleted.

And similarly, you don't want your data wiped, do you? You don't want it to be wiped out. Now, it looks like Donald Trump has survived. I think we're pretty clear about that, at least.

And to have one assassination attempt against you could be considered misfortune. But to have two begins to look like carelessness by your security team, particularly so close to each other. So I think the question we have to ask ourselves is how well are these individuals actually being protected? Well—


CAROLE THERIAULT. Okay. I have no idea where you're going with this. It's fascinating.


GRAHAM CLULEY. Well, according to a report in French newspaper Le Monde, the state of security is less than so-so. You know, it's a bit comme ci, comme ça.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. It is not brilliant or fantastique. Brilliant? Yes, that is a new French word.


CAROLE THERIAULT. Magnifique?


GRAHAM CLULEY. Magnifique, indeed.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Because Le Monde says that bodyguards of world-leading political figures are carelessly leaking their location.


CAROLE THERIAULT. These are the people unwittingly—


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Unwittingly, carelessly leaking this information. Of course, they are shadowing these top bods. It turns out highly confidential movements of the US President, Joe Biden, the two people campaigning to be the next president, Donald Trump and Kamala Harris, and other world leaders can be easily tracked online through the Strava—


CAROLE THERIAULT. I knew it was going to be Strava.


GRAHAM CLULEY. —fitness app.


CAROLE THERIAULT. I knew it was going to be Strava. I was going to say Strava 30 seconds ago. So the bodyguards are using Strava.


GRAHAM CLULEY. Le Monde says that the whereabouts not only of those people, but also Melania Trump and Jill Biden, can be easily pinpointed by tracking their bodyguards' Strava profiles.


CAROLE THERIAULT. We have talked about this before with the military. And why aren't they listening to the show?


GRAHAM CLULEY. Back in episode 63, almost 7 years ago, we explained how Strava was revealing the movement patterns of soldiers at military bases. About a year ago, we described how a Russian commander was shot dead while out for a jog, seemingly by Ukraine, because he was posting his runs on Strava.


CAROLE THERIAULT. You think if you're going to be protecting and being a bodyguard for a VVVIP, as you said, you would think, "Oh, maybe I'll leave my IoT watch at home." No, they want to get their steps in. They want to get their steps in. They're at the Pentagon, maybe. There's a lot of steps they have to do. They don't want to waste it.


GRAHAM CLULEY. And if you're a bodyguard, you want to be fit. You're probably into fitness and running around. Of course you're into fitness.


CAROLE THERIAULT. And you're proving, you're probably showing your mates, right? Your other security guard buddies. "I did more than you did. I'm smarter, I'm cooler, I'm stronger." Do you think they do special exercises to strengthen their ears?


GRAHAM CLULEY. Because they have those earpieces in all the time, don't they? Yeah.


CAROLE THERIAULT. You know what? I bet they do, because earpieces fall out of my ears all the time. When I had earbuds, they just fall to the floor constantly because my ears are the wrong shape. So, I bet I could probably build muscle in my cartilage somehow.


GRAHAM CLULEY. So, it's not just the presidents and world leaders, as I said. It's also their partners, so Melania Trump, as I said. Normally, of course, that's not a problem with Melania Trump because she's highly unlikely to be in the same place as her husband. But it's still a risk that she could be kidnapped, which could be very unpleasant for her, especially if a ransom is paid and she's returned to Mar-a-Lago. So, you know, you don't—


CAROLE THERIAULT. I was just going to say, I'm sure she has security, but then yeah, there's a catch-22 there.


GRAHAM CLULEY. Yeah, they're probably quite hunky, I would expect. Yeah, with their Strava watches.

So Strava, for anyone who doesn't know, it's the athletic social network. So rather than showing off your perfect life and your cronuts that you're eating, you upload details of your workouts and exercise regimes and compete against others, see who can do a circuit the fastest. And yes, it can be handy to find out other people in your city, where they're running, where a good run or a track might be.

But of course, if you're sharing this information a little bit carelessly, if you haven't got your privacy locked down, along come journalists from Le Monde and they find out what you're up to. And it's not just Americans. Le Monde found out the bodyguards of French President Emmanuel Macron.

Mm-hmm. What they're up to.


CAROLE THERIAULT. Is he having long lunches? With a glass of wine?

At some bistro?


GRAHAM CLULEY. Oh, that'd be nice. In Paris.

Maybe some cheesy French onion soup. It'd be wonderful, wouldn't it?

And also Vladimir Putin. Wow.

Now, I don't think it's his Strava, as far as I know. Le Monde says it has traced the Strava movements of Emmanuel Macron's bodyguards to determine that the French president spent a weekend in a Normandy Sea resort in 2021.

The trip was meant to be private, wasn't listed on his official agenda. They knew he was there because his bodyguards were there.

In another example, they used an agent's Strava profile to reveal the location of a hotel where Joe Biden stayed in San Francisco for talks with the Chinese president last year. Mm-hmm.

A few hours before Biden's arrival, the agent went jogging from the hotel. And used Strava to trace his route.

In all, they identified 26 US agents, 12 members of the president's security group, 6 members of the Russian Federal Protection Service, all with public profiles on Strava, all sharing their locations online even during official trips. You know—

What do you make of it, Carole?


CAROLE THERIAULT. Two things. One, wow, in this day and age.

Other side of me, yeah, totally can see that happening, 100%.


GRAHAM CLULEY. Even though it's years after this was first revealed. And here's the thing, right?

Here's the thing. If Le Monde is able to work out and able to track where these people are, this must surely be known about by intelligence agencies of other countries.

So I'm sure other countries are tracking.


CAROLE THERIAULT. You've got to find out which countries don't have Strava-leaking bodyguards. Yeah.

And they're the ones that have been told.


GRAHAM CLULEY. But seeing as intelligence agencies must know about this, why aren't they ensuring that their own leaders are better defended by their security teams and are not allowing this to happen? The US Secret Service says its staff aren't allowed to use these kind of devices while on duty.

But they don't prohibit them for personal use while off duty. So, of course, you're not on duty 24 hours a day.

You'll be doing shifts. So you may go out for a bit of exercise after looking after the president for a bit, and you go for a run round the block.


CAROLE THERIAULT. And these were open profiles, completely open, not shared with my contacts that use Strava too?


GRAHAM CLULEY. Apparently completely open.


CAROLE THERIAULT. And I wonder if that is actually not done on purpose, but actually just because a lot of these things, the config options are difficult to set up, right?


GRAHAM CLULEY. I was wondering whether this is actually a crafty scheme by the bodyguards to send attackers off the scent. Are they actually attaching their Stravas to a dog or something, or a kid on a skateboard?


CAROLE THERIAULT. God, he's moving fast. Yeah.

Is this a greyhound?


GRAHAM CLULEY. Wow. What's he doing going round that lamppost so much?

Carole, what's your story for us this week?


CAROLE THERIAULT. I decided, for better or for worse, to cover deepfakes this week. Part of the reason is because the topic is rife in the news at the moment, guessing because of the upcoming elections in the US of A. Deepfakes are a big effing deal. Deepfakes are ranked as a top global risk in 2024.

You know, this is all according to the World Economic Forum. So I was happy to see some nonpartisan public service announcements in the US this week warning people about deepfakes trying to dupe you into not voting.


GRAHAM CLULEY. So we've got a series of celebrities here sat at a desk telling us to watch out for AI. On occasion, their faces go bzzz, there's a bit of interference or something. Artificial intelligence has gotten so advanced.


CAROLE THERIAULT. You probably can't tell that some of us aren't real. I'm definitely real. That's a problem.


GRAHAM CLULEY. Because this election, bad actors are going to use AI to trick you into not voting.


CAROLE THERIAULT. Not voting. Luckily, we already know what they're going to do. They'll use fake phone calls, videos, or messages to try to change when, how, or where you vote.

For example, a fake message saying voting has been extended or your polling location has closed or changed due to an emergency, or you need new documentation to vote. These are all scams designed to trick you into not voting. Don't fall for it.

What do you think? What do you make of it, Clew?


GRAHAM CLULEY. The first thing is, is that what Michael Douglas looks like these days? I wouldn't have recognized Michael Douglas.


CAROLE THERIAULT. He's an older gentleman.


GRAHAM CLULEY. Well, no, I know he is. But I wouldn't recognise a lot of these people, even when they put their names up. I'm not actually sure they are, but I guess—


CAROLE THERIAULT. You're not in the States though.


GRAHAM CLULEY. I'm not American. That's true. That is Orlando Bloom. I don't recognise him without a bow and arrow.


CAROLE THERIAULT. So celebs aside, do you think it's a good ad that educates people about AI and deepfakes?


GRAHAM CLULEY. It's a very simple message. What it's basically saying is AI can be pretty convincing, doesn't it?


CAROLE THERIAULT. Yeah, and it's gonna maybe try to convince you not to vote or—


GRAHAM CLULEY. Because you think all these famous people are talking to you, but in fact, it turns out at the end that they're, I don't know, some cheap actor or something.


CAROLE THERIAULT. Well, you see, that was my kind of problem with it. So a lot of people have lauded this as a really great ad. And I guess, okay, I think it's great that we're educating people.

But it's a long ad. It's 1 minute 37. It's too long. Listeners, you didn't hear it all.

And I worry that people will lose interest halfway through because people's attention spans are those of gnats. And it's only at the end of the ad that they kind of explain how deepfakes work and how someone can appear to be someone else, et cetera, et cetera.

But for the first minute or so, the deepfake effects are a bit Max Headroom-y to my mind. And I wonder if people are going to look at that and go, oh, so if I see something glitch, it means it's not real.


GRAHAM CLULEY. Oh, I see. And of course, yeah, chances are deepfake isn't going to be that obvious.


CAROLE THERIAULT. But I get the problem though. How do you show how effective deepfakes are by showing a person that looks so real? And the thing is, we are pretty crap at telling what a deepfake is and what a deepfake is not, or what a real person is.

According to a new study by Utah Valley University, 56%, so more than half of US test subjects couldn't tell the difference between deepfake and real content. And that's something that the senior project analyst said was a bit of a surprise.

Quote, "One of the questions we've been asking is when deepfakes are going to get good enough that they're actually convincing. The day is today." Now, I heard this, but I'm thinking, I remember research in 2021 that found that as humans, we're biased towards mistaking deepfakes for real people.

Because typically when we see a person on the screen, we think it's a real person. And we also overestimate our ability to tell whether something is deepfake from real.


GRAHAM CLULEY. And I think when something's moving as well, video, you're less likely to think it's fake than a photograph, aren't you? Because we're used to things being Photoshopped.

But okay. The truth is that deepfake now, when you have a deepfake video, if there aren't any obvious glitches, you do kind of believe it, don't you?


CAROLE THERIAULT. Okay, let's see how good you actually are. Why don't we go and visit the Northwestern AI-generated or real experiment?

They're gonna show you a series of images. You have to guess whether it's real or fake, and they'll tell you whether you're right or wrong. Listeners, this is in the show notes if you want to try it for yourselves.


GRAHAM CLULEY. All right, so I've got to this page where it's showing me a photograph and it's asking me, is this a real image? So I've got a picture here of 6 people, far too attractive.

Well, I can tell they're not English, first of all, because their teeth are too good. These are probably Americans, I'm expecting. In fact, they're all far too beautiful. So I'm going to say this is fake.


CAROLE THERIAULT. This is because he looks in the mirror every day and can't imagine that people would be that good-looking. Were you right or wrong?


GRAHAM CLULEY. Okay, I'm going to say fake. I'm going to click next. Oh, I was right. Okay, next.

Alright, here's a chap who's sort of doing some kind of exercise on some stone steps. Looks very uncomfortable. His legs look a bit weird. I'm— hang on, those arms, I'm not sure, but I'm gonna say fake. Okay, fake. It was a real image. I've gone wrong already. So I've got a 50% hit rate.


CAROLE THERIAULT. It's the same as me. That's exactly what I got.

The second image I got, I was thinking, this is definitely real. I really looked at it. I was wrong. Okay. So misleading deepfakes are, I think you and I agree, a seriously big problem. So, what do you think a particular wing of the Pentagon might want to do with them?

With deepfakes? Why would a counter-terrorism group within the US Department of Defense, the DOD, have on its wish list the ability to create deepfakes?


GRAHAM CLULEY. Well, I imagine they might want to use them for misinformation purposes. It's a weapon which you could use against other countries.

That's one reason why the military would want deepfakes, just as they may be worried about them being used against them.


CAROLE THERIAULT. They don't say that in those words.


GRAHAM CLULEY. Well, no, they never do, do they?


CAROLE THERIAULT. I think what they said is pretty interesting in itself, though. So what they say is in this wish list, they are reportedly seeking, quote, technologies that can generate convincing online personas for use on social media platforms, social networking sites, and other online content for use by special operation forces. This solution, they add, should include facial and background imagery, facial and background video, and audio layers. The point? Use this capability to gather information from public online forums.


GRAHAM CLULEY. To create sort of like sock puppets or things, or fake accounts.


CAROLE THERIAULT. To flood social media with these AI bots to interact, I imagine, with people to try and get real information from real people. But how are they going to know they're not talking to another bot?


GRAHAM CLULEY. Yeah, and aren't they a bit late to the game here? Have they been on Twitter lately? I mean, that's— it's mostly populated by bots, isn't it?


CAROLE THERIAULT. So why are you still there?


GRAHAM CLULEY. But I'm clinging on by my fingernails. To the bots' numbers. Yeah. No, I am. I am still there at the moment, but oh my goodness, using it less and less.


CAROLE THERIAULT. I was thinking, what would social media companies say to this, right? To have their media platforms flooded with bots. But then it suddenly occurred to me, huh, maybe they don't care at all because they can just say, oh, well, that person or that account viewed this many ads, pay me.


GRAHAM CLULEY. Absolutely. If the bot goes about attempting to appear authentic as a user, exactly, it will be clicking on ads or it will be interacting with them or it will be replying. And so the advertisers, they're going to find it more and more difficult to tell if someone's a human or not.


CAROLE THERIAULT. Exactly. They're going to have all these profiles of beautiful people.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Between the ages of 19 and 29. Okay, so what is the solution here? What is the solution? So I went around looking around the internet and I found a few cute things.


GRAHAM CLULEY. So one was from WeForum. WeForum? WeForum, yeah. That's a community for people who enjoy, okay, carry on.


CAROLE THERIAULT. I didn't even see that. Can I honestly say I didn't even? So they list four things. So number one, they say technology, that's really important, right? So basically detection systems to help identify whether something is real or not. The problem with anti-deepfake tech, if I can call it that, is, you know, the false positive thing. So if they get one wrong, a user might get duped.


GRAHAM CLULEY. Yeah, it's going to make mistakes in both directions. It will incorrectly say legitimate photos and legitimate videos are faked and vice versa, I would expect.


CAROLE THERIAULT. Of course. Number two, policy efforts. So regulation, right? And they're talking about needing a global stance because obviously deepfakes don't respect geographical borders.


GRAHAM CLULEY. Yeah, but everyone's going to respect regulations. I mean, that's how the internet works, isn't it?


CAROLE THERIAULT. Everyone play by the rules. No, but I, for example, would like it if an artist is selling a piece of work, they can say AI generated versus not. You know, it'd be nice. Or if a company was saying, hey, look at all this imagery, it could be AI generated or not. Or is that crazy of me?


GRAHAM CLULEY. No, that would be great. Good luck with that would be my response. Yeah, sure.


CAROLE THERIAULT. But even if 80% follow it, it's going to be way better than now. Number 3, public awareness, which is basically why I'm talking about it now and why we're seeing public service ads warning people, because the more you can look at these people and realize how easy it is to fall over like you saw Graham and I do, the more careful you might be.

And number 4 is having a zero trust mindset, Graham. So they write that the zero trust approach in cybersecurity means not trusting anything by default and instead verifying everything. When applied to humans consuming information online, it calls for a healthy dose of skepticism and constant verification.

And they go on and they say, zero trust mindset will become an essential tool to distinguish between what is authentic and what is synthetic in increasingly immersive online environments. So, okay, wow. Right? Basically, they're saying trust no one, right?

And that's great for society. Super cool. You know, actually, Graham, I'm not even sure you are who you say you are. I know I've met you 1,000 times, but I think healthy skepticism and with zero trust mindset maybe you can fire over two pieces of official ID so I can verify your identity.

And how do I double-check every email, every comment that I read? Do I fact-check everything? I read an article every single time to make sure it's from a trusted source?


GRAHAM CLULEY. Are we really thinking people who are browsing TikTok or scrolling on Instagram are going to, oh, well, I don't believe this video. I don't believe this video. I'm going to spend— No, they're just going to laugh at the cats doing somersaults.


CAROLE THERIAULT. You see, I have no problem people looking at cats doing somersaults on socials. That's probably what they're for. I do want to say be cautious about getting news from those areas.

Yeah, because maybe getting news from nonpartisan news organizations that are held accountable when they get facts wrong and may have to face litigation if they are libelous or don't admit to their mistakes means they have a requirement to try and present the news as most honestly as they can. And it's just depressing.

MIT Lab says, "Look, this is how you can actually do this. Look at the face. Look at the cheeks and forehead. Look for moles and eyes and eyebrows. And do shadows work?" You and I got fooled on the second one.

Yeah. Look, it says pay attention to blinking. You know? Aren't you gonna look a weirdo if the person's actually real? Right? So the person's on the screen, and you're sitting there scrutinizing their moles and looking at their teeth and their hairline.


GRAHAM CLULEY. You know, we're on Mission Impossible. They wear those masks and you sort of grab them by the neck, don't you, and try and rip it off. That's what's gonna be happening.

We'll be going up to people in real life thinking, "Oh, you can't not be real." It's Santa's beard.


CAROLE THERIAULT. Yeah, you gotta pull it just to see if it's actually Santa. Yes.

Wouldn't it be nice to have secure communications through a critical event? Be it a cyberattack, an extreme weather event, or even civil unrest. Wouldn't it be nice to know that you are communicating to the right people so you can deploy resources to areas where they are most needed?

And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes.

Yes, it would. Say hello to BlackBerry's SecuSuite, certified to meet the highest security requirements.

SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices. With BlackBerry SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry.

How cool is that? Find out more at smashingsecurity.com/blackberry.

And thanks to BlackBerry for sponsoring the show.


GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time.

Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing.

That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they wish. It doesn't have to be security related necessarily.

Better not be. My pick of the week this week isn't security related.

I had some children come to visit me. A friend popped round with some children over the half-term holidays, and I thought, what shall I do with these children?


CAROLE THERIAULT. First, how old are these kids?


GRAHAM CLULEY. Oh, they're about 10 and 8, I think they were.


CAROLE THERIAULT. Right. Okay. Yep.


GRAHAM CLULEY. And so I thought, okay, I know what to do. I'm going to take them to see the crocodiles.

And so off we went to this place near where I live in Oxfordshire called Crocodiles of the World.


CAROLE THERIAULT. I have seen that sign every single time I've driven that road.


GRAHAM CLULEY. Have you never been?


CAROLE THERIAULT. I've never been. Have you been before this?


GRAHAM CLULEY. Yes, this is my second trip to Crocodiles of the World. They have an extraordinary number of crocodiles and they feed crocodiles. I'm not quite sure what they're feeding them, probably not human-legged Graham Cluley or 8-year-old children. But they basically dangle food above a huge swimming pool full of crocodiles and these crocodiles leap into the air.

Jesus, they probably leap about 2 or 3 metres into the air and go with a great big clack.


CAROLE THERIAULT. You know how people say, "Oh, I'm afraid of spiders" or "I'm afraid of bees"? I'm afraid of crocodiles and you know what, I should be because their jaws are nothing else. They could just cut you in half.


GRAHAM CLULEY. And they're just down the road from you, Carole.


CAROLE THERIAULT. They have very little legs, it'll take them a while. Oh, they could swim.


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. I'm gonna have nightmares tonight, Graham. Could they climb stairs?


GRAHAM CLULEY. So the average strength of a human bite, right? Imagine you're venturing off into the bush, right? 162 pounds per square inch, 162 PSI, right. Crocodiles have a bite of over 5,000 pounds per square inch.


CAROLE THERIAULT. Yeah, I know, they can cut you in half with their little mouths.


GRAHAM CLULEY. They've possibly got the strongest bite of any animal, much more than hyenas, much more than sharks. Some people say killer whales... sorry, I shouldn't call them that. Orcas, I believe is the politically correct term.


CAROLE THERIAULT. Yeah, they've been pretty angry recently.


GRAHAM CLULEY. They've been pretty moody, I don't blame them. Some people say they've got a PSI of 19,000, which is about 4 times what the crocodile has.


CAROLE THERIAULT. People or AI? No, no, no.


GRAHAM CLULEY. This is a BBC News report I was reading, I was investigating, so I trust them. Now, I don't know how you measure the bites of an orca killer whale, or indeed a crocodile.


CAROLE THERIAULT. Jump in next time and see if it hurts.


GRAHAM CLULEY. I can tell you, the crocodiles have got a loud clack on them. I don't know if it's cruel, maybe it's cruel to keep them in captivity. To be honest, I don't think these crocodiles would survive in England if they weren't in this particular environment and it seems they're fed quite well.

Anyway, if you're on half-term holiday with your kids, go check out Crocodiles of the World in Oxfordshire.


CAROLE THERIAULT. I went there and the kids loved it.


GRAHAM CLULEY. They did, they'll probably have nightmares tonight though. Carole, what's your Pick of the Week?


CAROLE THERIAULT. Okay, for this week's Pick of the Week, I would like you all, Graham, darling listeners, all of you to stand up if you can. Obviously don't do this if you're driving or up a ladder or having sexy times. If you're having sexy times and you're listening to this show, all I can say is wow.


GRAHAM CLULEY. Geez. Now if I stand up, I'm going to be further away from the microphone. That's okay, we can still hear you.


CAROLE THERIAULT. We can still hear you.


GRAHAM CLULEY. You can still hear me.


CAROLE THERIAULT. Okay, so I'm going to count you in. 3, 2, 1, go and I'm going to explain first what you're going to do, okay? I want you to put your hands on your hips and I want you to stand on one leg for as long as you can. Kind of a flamingo, but the other way, so you're bending your knee the normal way, not the backward way flamingos do.


GRAHAM CLULEY. Oh, oh, yes. Okay, yes.


CAROLE THERIAULT. And there's no cheating. Do you want to put your video on so I can see you? Because then I'll know if you're cheating or not. Yeah, okay, I see you perfectly. Yes, hi. All right, so hands on hips, eyes open. Timer starts when I say go, and it's going to stop if I see, Graham, your hands move from your hips or you lower your foot.

Okay, ready, Spaghetti? Fascinating radio. 3, 2, 1, go. 1 Mississippi, 2 Mississippi, 3 Mississippi, 4 Mississippi, 5 Mississippi. How's it feeling?


GRAHAM CLULEY. Well, a little bit wobbly. It's a lot scarier with you doing the countdown like this.

11 Mississippi, 12 Mississippi.


CAROLE THERIAULT. You're doing very well, 13, 14. Are you— is your foot up? I can't see your foot. Yes, it's up! Is it just above the ground though? No, no, it's like perpendicular.


GRAHAM CLULEY. Okay, good! I look like a number 4. Yeah, you're doing amazing. Okay, still standing. How long do you think you can go?


CAROLE THERIAULT. You think you can go all day?


GRAHAM CLULEY. Well, I'd rather not, if that's all right.


CAROLE THERIAULT. So you don't have an issue. This is very excellent, Graham.


GRAHAM CLULEY. I'm really impressed. I'm still doing it.


CAROLE THERIAULT. Okay, and I'm just checking your age. Okay, you're fine, you're fine. Graham, you've passed. You have passed, congratulations.


GRAHAM CLULEY. Okay, all right. Putting my foot down.


CAROLE THERIAULT. Well done. So what we were doing, everybody, is according to the NHS, apparently balance more than any other activity changes with age. And scientists have reportedly said that it might be because it uses so many different parts of the brain and the body at once. You've really gotta focus. So you held it for many seconds. What should you be aiming for?


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So if you're 18 to 40, you should be aiming for 43 seconds. Yes, that's me. 40 to 49, 40 seconds. Right, 50 to 59, 37 seconds, which you did, Graham, easily. Easily, I could have done longer. 60 to 69, 30 seconds. Yes, 70 to 79, 19 seconds, and over 80, a little over 5 seconds.

So it really drops between 70 and 80, doesn't it? So if you didn't perform well, listener, don't worry, you can improve your balance. And my tip is practice while you brush your teeth. Right? Because you'll see a huge difference in a mere week or two. That's how I got my balance going.


GRAHAM CLULEY. And chances are people have one stronger leg than the other as well, don't they? So you need to switch it up a bit.


CAROLE THERIAULT. I didn't tell you to use your left leg, 'cause I know that would've been much harder.


GRAHAM CLULEY. Well, actually, I did use my left leg.


CAROLE THERIAULT. Oh, did you? Yes. Oh yeah, it was mirrored. Okay, anyway, that's my pick of the week, standing on one leg. No, I am not desperate for pick of the weeks. Please, nobody send me any good ideas ever, please. Thank you.


GRAHAM CLULEY. And that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And ginormous thank yous to our episode sponsors, Vanta, BlackBerry, and 1Password. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 390 episodes, check out smashingsecurity.com. Until next time, cheerio.


GRAHAM CLULEY. Bye-bye. Bye.

-- TRANSCRIPT ENDS --