A Kansas City man is accused of hacking into local businesses, not to steal money, but to... get a cheaper gym membership? A DNA-testing firm has vanished, leaving customers in the dark about what's happened to their sensitive genetic data. And Australia mulls a social media ban for youngsters.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- KC Man Indicted for Computer Hacking - Department of Justice.
- DNA testing company vanishes along with its customers’ genetic data - Malwarebytes.
- DNA firm holding highly sensitive data 'vanishes' without warning - BBC News.
- Australia proposes 'world-leading' ban on social media for children under 16 - Reuters.
- The government has introduced laws for its social media ban. But key details are still missing - The Conversation.
- Australia's under-16 social media age ban legislation excludes messaging apps - YouTube.
- Australia’s plan to ban children from social media popular but problematic - PBS News.
- Which Countries Are Considering Social Media Bans For Teens? - Newsweek.
- Graham’s previous encounter with hobs with knobs - Smashing Security.
- “The Day of the Jackal” trailer - YouTube.
- "Anora” trailer - YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- ThreatLocker - the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Hang on, hang on. He did a DNA test on you. Oh my God.
ANNA BRADING. Yes, Jeremy Kyle.
UNKNOWN. Smashing Security, episode 395. Gym hacking, disappearing DNA, and a social lockout with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 395. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, today we're joined by a very special guest. Can you please introduce them in your own inimitable fashion?
CAROLE THERIAULT. I don't think she needs any introduction, does she? Miss Anna Brading.
ANNA BRADING. Hello, how are you two?
CAROLE THERIAULT. Welcome back.
GRAHAM CLULEY. Hello, Anna.
ANNA BRADING. It's good to be back.
CAROLE THERIAULT. Anything you want to share with our listeners before we kick off?
ANNA BRADING. No, no, it's nearly Christmas.
GRAHAM CLULEY. Oh, thank goodness you're here to remind us.
CAROLE THERIAULT. Okay, well, let's get this show on the road, but first, let's thank this week's wonderful sponsors, 1Password, Vanta, and ThreatLocker. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm gonna be talking about hacking might not help you get hired.
CAROLE THERIAULT. Okay. Anna, you?
ANNA BRADING. I'm talking about a vanishing genetic testing company.
CAROLE THERIAULT. Ooh, okay. And I'm gonna look at how Oz plans to de-hook its kids from the socials. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, as Anna just mentioned, it's almost Christmas. The end of the year is rapidly approaching. Always a glorious time of the year. Everyone enjoys all that, the passing of time, the speeding up of our lives to the inevitable doom and demise.
CAROLE THERIAULT. You're so doom and gloom.
GRAHAM CLULEY. No, I'm not.
CAROLE THERIAULT. I am looking forward to the holidays.
GRAHAM CLULEY. Are you?
CAROLE THERIAULT. Yes, I think we all need a bit of cheer.
GRAHAM CLULEY. What in particular are you looking forward to?
CAROLE THERIAULT. I'm looking forward to Christmas markets. I'm looking forward to mulled wine. And Christmas quizzes, and little dinners with friends, and all kinds of stuff.
GRAHAM CLULEY. Do people actually like mulled wine? I thought they didn't.
ANNA BRADING. I love mulled wine.
CAROLE THERIAULT. Yes, delicious.
GRAHAM CLULEY. I thought there was a reason they only served it once a year.
CAROLE THERIAULT. People like mince pies as well. What, do you eat them in June?
GRAHAM CLULEY. Yes, I would often be stuffing myself with mince pies. I would have no problem doing that. Maxing out the credit cards, that's another great thing to enjoy.
ANNA BRADING. Well, it is nearly Black Friday.
GRAHAM CLULEY. Finding pine needles in your socks for weeks afterwards, wearing big baggy jumpers knitted for you by your aunties. Some would say it's the most wonderful time of the year.
ANNA BRADING. They would.
GRAHAM CLULEY. And then January hits. And you're bloated on Quality Street chocolates, and you never want to see another slice of cold turkey ever again.
CAROLE THERIAULT. Yeah, and worse, many people do Dry January, which I'll be doing this year. So you have that first week after overindulgence during the Christmas season.
GRAHAM CLULEY. Right, okay.
CAROLE THERIAULT. Of basically sweating out the alcohol. Maybe that's just me.
GRAHAM CLULEY. A lot of people feel a little bit the worse for wear, don't they, come the New Year? And they think, this year is going to be different. This year I'm going to make a resolution. I'm going to join the gym.
CAROLE THERIAULT. Ah, the gym.
GRAHAM CLULEY. Yes. But I won't just join the gym. I'll actually— and this is different from joining the gym— I'll go to the gym, is what you'll say. Who cares? Who cares what the weather's like?
I'll be going out in all weathers. I'll go to— yes, of course I'll go to the gym. I don't mind that it costs £50 a month. It'll be worth it, you say to yourself. You convince yourself.
ANNA BRADING. I think 50 would be a bargain. I think it's more 150. Yeah.
GRAHAM CLULEY. A month? Oh my God.
CAROLE THERIAULT. I live right near two gyms, right? There's two gyms on my block.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And come January, boy, are those places jumping. There's a lineup for the machines. Everyone's got their brand new sports gear on.
ANNA BRADING. My Peloton pedals are gonna be falling off in January. At the moment, they're sort of stationary.
GRAHAM CLULEY. And you— maybe you do go to the gym. Maybe you go to the gym twice. But you can't get out of the contract, can you?
And so you're still paying for the gym and not going to it in April. And I wonder if that's what happened to a chap called Nicholas Kloster, because he turned up to his local health club on April 26th, 2024.
So earlier this year in April, maybe he joined it in the January. He showed up there just before midnight.
Now you tell me, girls, is that normal to go to the gym at that kind of time? Girls? Okay. I'm flattering you.
CAROLE THERIAULT. Throwback to 1990.
ANNA BRADING. Well, boy, let me tell you, I do— there is a 24-hour gym near where I live, and when I drive past it, there are often people there at all sorts of times.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Mine, the one on my block's a 24-hour gym. Sometimes people work really late at night, right? If you're doing shift work and you want to put a sweat on before you hit the sheets, or hopefully hit the shower first.
GRAHAM CLULEY. Yeah, have a shower. For goodness' sake. Maybe you're right.
Maybe he was going for a late-night session. Maybe he was just trying to cancel his membership and thought it's less embarrassing if I try and do it at midnight.
Not too many people see him. Maybe he was too embarrassed to go to the gym during normal gym opening times because he'd let himself go a bit too much.
CAROLE THERIAULT. Okay, so basically he went late at night. Okay.
GRAHAM CLULEY. He went very late at night. So just before midnight, he was there at the gym.
CAROLE THERIAULT. Yeah. Normal, I'd say.
GRAHAM CLULEY. The next day, he allegedly dropped an email to the owners of the gym. This is a company which owns multiple health clubs across Kansas and Missouri.
And he claimed that he had gained access to their computer systems. Yes, there is a cybersecurity element to my story.
And what he claimed in this email was that he could easily hack into the company's IT systems. So he wasn't on the rowing machine. He wasn't pumping iron.
It sounds like he was, well, doing what many of us do for exercise, you know, participating in aerobic activity via our fingertips on the keyboard instead. I mean, no, that's what— that is a form of exercise.
You can burn calories just at the keyboard if you want to. Ultimately, if you did enough typing— You know, people come out with diet books all the time.
Different ways to lose weight. I think you could probably sell a book about how you could get a workout at your computer.
CAROLE THERIAULT. Yeah. Wouldn't be on my top 10 list, but just—
ANNA BRADING. Is there a way to count your fingertip strokes as your steps? 'Cause my Apple Watch doesn't count that. Of course.
CAROLE THERIAULT. Smart rings, they exist.
GRAHAM CLULEY. Install a keylogger. You could just count the key presses, couldn't you? It would work.
ANNA BRADING. Perfect.
GRAHAM CLULEY. You may have to turn off auto-repeat so you can't cheat by just holding down a key, pressing it 58 times. Anyway, this chap Kloster, he's alleged to have sent an email from his work email address, and he said the following. He said, I've managed to circumvent the login for the security cameras at the gym by using their visible IP addresses.
I've also gained access to the Google Fiber router settings which allowed me to use, and at this point the feds have redacted a word, it's the name of a tool which he used, but anyway, he says it allowed me to use something or other to explore user accounts associated with the domain. He said, if I can reach the files on a user's computer, it indicates potential for deeper system access. So he's saying there's a security vulnerability, right? Yeah.
ANNA BRADING. Yeah.
GRAHAM CLULEY. He's saying he was able to access security cameras, he's able to access and fiddle around with things.
CAROLE THERIAULT. And he's told this to the company in question, not advertised it on some forum.
GRAHAM CLULEY. That's right. And he went on to claim that he had assisted over 30 other small to medium-sized businesses in the Kansas City area.
CAROLE THERIAULT. A little digital vigilante here.
GRAHAM CLULEY. A very interesting point. And he attached a file. Now you're probably wondering what the contents of that file were. Were they malicious? Were they malware? Were they ransomware? Were they something—
CAROLE THERIAULT. They open it and they in turn get infected and held up for ransomware. Exactly.
GRAHAM CLULEY. What it was is what he described as his resume, his CV.
CAROLE THERIAULT. Ah.
GRAHAM CLULEY. So, according to the FBI, who've been involved in this case, and they've charged Kloster, it was quite different from his normal resume, the one he normally handed out. So, we don't know exactly the details, but it sounds awfully like he sent an email to the gym's owners claiming he'd hacked into their systems, into their computers, and was looking to get hired by them for security consultant services at the same time.
So, he's done the advert for his services at the same time as breaking into systems. And my question to you, and I think I already know the answer from you, Carole, is do you think that's okay?
ANNA BRADING. I think it is if he's responsibly disclosed it. I suppose he's hacking rather than he's just found a vulnerability.
CAROLE THERIAULT. Don't a ton of legit companies do this all the time? They'll send you a report going, we found 546 problems in your system.
GRAHAM CLULEY. But generally, they're invited, aren't they, to do a penetration test on a company?
CAROLE THERIAULT. Not always.
ANNA BRADING. Certainly Facebook and other big companies have hired people after they've hacked into their systems, haven't they?
GRAHAM CLULEY. Yes, but they've announced a bug bounty. They've given the rules and they've said, if you find a vulnerability, or you're welcome to do this and do this kind of testing, you're not welcome to do other kinds of testing, but this is the kind of test you can participate in. And if you do, get in touch with us and then we may, you know, send you a t-shirt or something like that.
ANNA BRADING. Yeah, but I think they've hired people that have stolen stuff.
CAROLE THERIAULT. And I would argue, I think it depends on his next actions as well. So if they say, huh, thanks so much, we don't have an opening there, but you know, thanks so much for the information. And then he then holds them to ransom or advertises to everybody what he's done, or retaliates in some way, then that's the issue.
I don't know if there's much of an issue in saying— If someone came to me and said, "Really love your press release, girl, but there's a mistake here, right? You made a mistake here in this paragraph. And boy, I could help you in future doing those much better."
ANNA BRADING. Isn't that how you hired me, Carole?
CAROLE THERIAULT. There you go. But do you know what I mean?
GRAHAM CLULEY. I agree with you. I think it's a grey area, at least based upon the information that we know so far from this press release. But it does appear the US Department of Justice aren't terribly happy with this chap. And there are some more details of what he did. I don't know if this is a 24-hour gym or not. And I wondered maybe whether he had gained access by—
ANNA BRADING. Did he break in?
GRAHAM CLULEY. Well, perhaps. Because it turned out the staff at the gym found out shortly afterwards that he'd done some other things. For instance, he'd deleted his photograph from the gym's database. He had stolen a staff member's name tag. I don't know if that's something which might have helped him gain access to areas of the gym. And also he reduced his monthly gym membership to just $1 per month.
CAROLE THERIAULT. I think that's allowed. Come on!
GRAHAM CLULEY. That's allowed?
ANNA BRADING. It's expensive, the gym! And those photos are never flattering.
CAROLE THERIAULT. No!
GRAHAM CLULEY. Ransomware. Exactly. Now, some weeks after sending this email to the company, this chap Kloster is said to have posted an image to social media of what appears to be a screenshot of his desktop computer showing control of the security cameras of the gym.
ANNA BRADING. Oh, right.
GRAHAM CLULEY. And there's a chatbox window saying, "How to get a company to use your security service." Ah, you see, Graham, I don't know if it's fair that you ask us these questions.
ANNA BRADING. This is a new technique.
GRAHAM CLULEY. Well, this came out months later.
CAROLE THERIAULT. Yeah, no, okay, okay. But you got us to kind of give our point of view, basically saying this is the information we have, and you're like, oh, and by the way, the gym's not a 24-hour gym. Did I happen to mention that?
GRAHAM CLULEY. Well, I don't know. I don't know if it is or not. I don't know if it is or not.
CAROLE THERIAULT. Do you know that he broke in? And do you know that he's gay?
GRAHAM CLULEY. I don't know. I don't know.
CAROLE THERIAULT. Well, okay. Well, I'm glad you don't know, 'cause we don't know.
GRAHAM CLULEY. But okay, but again, I'm not sure about this, right? He posted on social media a screencap of his desktop showing he had control over the security cameras. You do see vulnerability researchers sometimes sharing information to prove that they had access to a system. The chatbox says, "How to get a company to use your security service." Again, he's not saying, "I'm gonna screw these guys up," or, "I'm gonna wipe their tapes," or anything, is he?
CAROLE THERIAULT. Did he list the gym, the name? Did he name and shame? Don't know, don't know.
GRAHAM CLULEY. The name of the gym has been removed from all of the court documents so far. So I've been through all the indictments.
CAROLE THERIAULT. Because I think, again, that changes things, right? Because if he identifies the company and says, these guys have a security vulnerability and I cracked in, I think that it tells other baddies that there may be a way for them to access. Although he was on premise, so, you know.
ANNA BRADING. Also, did he blur the images? What's on the images? I think it's a gray area.
GRAHAM CLULEY. Excellent questions. Yeah, no, I think you're right, because we don't know enough. We haven't had this picture shared with us. We haven't been able to examine it.
CAROLE THERIAULT. We only know what you're telling us, which is probably less than what's available.
GRAHAM CLULEY. I'm telling you everything I know. Everything I know. And here's another thing I haven't told you yet, which is it was now the following month, right? The month after he sent the email.
So it's May of 2024, and Kloster allegedly entered the premises of another company, a nonprofit organization, into an area that wasn't supposed to be accessible to the general public. Right? It's beginning to sound a bit shady.
He accessed a computer with internet access, and he's said to have used a boot disk, is how it describes it, to access the computer through various user accounts. He circumvented its password protection and installed upon this computer a VPN, possibly to maintain access to the company's systems.
CAROLE THERIAULT. Make them more secure, of course.
GRAHAM CLULEY. Make them more— so yes, he's identifying security holes.
CAROLE THERIAULT. And helping them along in order to help them produce a report. That's illegal though. That's illegal messing around with someone else's system, right? Now he's breaking the law.
GRAHAM CLULEY. Well, it's illegal to access a system. It's not just to fiddle with a system, but to access a system without permission is as well. So you could argue accessing the camera feed is a breach of computer crime laws.
Anyway, this nonprofit, they say they suffered losses of over $5,000 as a result, trying to remediate this security breach. And do you remember I told you that when he sent the initial email to the gym, it went from his work email address?
Well, the feds have been round to there as well. And the people who hired him there, they say that he used stolen credit card information from them and used it to purchase, quote, hacking thumb drives.
So on the company, he had a company credit card. Whether allowed to or not, unclear, and was purchasing potentially tools which could be used maybe as a penetration tester, maybe as a hacker.
CAROLE THERIAULT. Yeah, and the fact that the tool that he used at the gym is not being disclosed, just that perhaps it may be a tool that shouldn't be.
GRAHAM CLULEY. It could have been File Manager. It could have been, who knows what it was, right? It could just have been a command line.
CAROLE THERIAULT. Well, it could have been.
GRAHAM CLULEY. We don't know what it was. So, some lessons here, I think. It's all suspicious. If you go to the gym.
ANNA BRADING. No, it's not.
GRAHAM CLULEY. Late at night.
ANNA BRADING. No, it's not.
CAROLE THERIAULT. If the gym is closed and you break in, that's a little suspicious. If there's a 24-hour gym— If you were at Tesco's at 2 in the morning buying diapers, we'd be like, well, that's suspicious.
GRAHAM CLULEY. That would be suspicious. I don't have a child who needs diapers.
CAROLE THERIAULT. No, I meant adult diapers, Graham.
GRAHAM CLULEY. Oh.
ANNA BRADING. That wouldn't be suspicious.
GRAHAM CLULEY. That'd be so predictable. Anna, what have you got for us this week?
ANNA BRADING. Well, Carole and Graham, do you know your heritage?
CAROLE THERIAULT. My heritage? I mean, I know my parents are.
GRAHAM CLULEY. Yes, I think I do. Yes.
CAROLE THERIAULT. Do you?
ANNA BRADING. Go on then, what is it?
GRAHAM CLULEY. I'm a very exotic mix.
ANNA BRADING. Are you?
GRAHAM CLULEY. As you can imagine. Yes. Oh, I'm sure you could have picked that up.
ANNA BRADING. Yes.
GRAHAM CLULEY. I've got a bit of Aldershot in me.
ANNA BRADING. Great.
GRAHAM CLULEY. From Hampshire. Yeah, I've got a bit of that. And my father was born in the Middle East, albeit in one of those sort of imperial British places before we got kicked out.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So, yes, so, you know, quite exotic.
ANNA BRADING. That is exotic.
GRAHAM CLULEY. Yes.
ANNA BRADING. It's kind of like mine, actually.
GRAHAM CLULEY. I don't think so.
ANNA BRADING. Mine is part English, part Germanic.
GRAHAM CLULEY. You're from Jamaica?
ANNA BRADING. Part Germanic. There's some Danish, Scottish, French.
GRAHAM CLULEY. Ooh.
CAROLE THERIAULT. How do you know this?
ANNA BRADING. So I know this thanks to one of my parents who paid to find out via DNA testing.
GRAHAM CLULEY. Hang on, hang on, hang on. One of your parents, was this your father, perchance, who was interested as to what your origin was? He did a DNA test on you?
ANNA BRADING. Oh my God. Yes, Jeremy Kyle.
GRAHAM CLULEY. Oh, hold the front page. We need this. We need to put you at the start of the show. This is great.
ANNA BRADING. Okay.
GRAHAM CLULEY. All right.
ANNA BRADING. So yeah, did a DNA test to check my heritage.
GRAHAM CLULEY. Right.
ANNA BRADING. But the parent that did this is not the only one, because as we know, many people have sent their saliva off to DNA testing labs.
GRAHAM CLULEY. Do you?
ANNA BRADING. In the hope of finding out more about themselves. And there are loads of these companies.
CAROLE THERIAULT. Can I just say, I have not. I have not.
ANNA BRADING. No, I have not either.
GRAHAM CLULEY. No, because we're sensible, right?
ANNA BRADING. Mm-hmm.
GRAHAM CLULEY. But the problem is that other people inside our family can do it.
ANNA BRADING. Yes.
GRAHAM CLULEY. And maybe reveal something about us.
ANNA BRADING. People didn't think forward about the implications. But anyway, so there's Ancestry, there's MyHeritage, and there's 23andMe, Carole, which you spoke about on a recent show.
And then there is Atlas Biomed. Have you heard of them?
GRAHAM CLULEY. No.
CAROLE THERIAULT. I've heard of them, but I don't know anything about them.
ANNA BRADING. Right. So I hadn't heard of them, but they're based here in the UK.
CAROLE THERIAULT. Yeah.
ANNA BRADING. Lisa Topping from Essex had heard of them, and she paid about £100 to get a personalised genetic report from them. Atlas said they could not only tell her about her heritage, but also about diseases and injuries that she might be predisposed to.
GRAHAM CLULEY. Yeah.
ANNA BRADING. I looked at their Instagram posts and there's a lot of talk about learning about your gut microbiome. So I'm guessing this was a popular feature as well.
CAROLE THERIAULT. Yeah, 'cause people wanna know about health issues. That seems to be a really big driver.
23andMe were doing the same thing, find out about family traits and get ahead of the illness that you might be facing.
ANNA BRADING. Yeah, and keep an eye out.
GRAHAM CLULEY. And they can tell about your gut just from some saliva. You don't have to send them something else. That's impressive.
CAROLE THERIAULT. You don't have to poop in a jar. Is that what you're worried about?
GRAHAM CLULEY. That's what I'm thinking about. Yeah, it's always hard getting the lid on the jam jar afterwards.
ANNA BRADING. I suppose that's how they do DNA tests.
GRAHAM CLULEY. Yes.
ANNA BRADING. Anyway, Lisa got her results through, and at first everything was fine. She couldn't download any of the information, but that seemed normal for Atlas.
But she could access it all online, which she did every so often. Until one day the website didn't work.
She tried to contact the company, but there was no answer. Another customer, Kate Lake, hard to say, sent in her sample but didn't receive anything back.
She contacted Atlas and they said they'd send her a refund, but that didn't arrive. In fact, the company appears to have done a complete vanishing act.
CAROLE THERIAULT. So how long was this company around for?
ANNA BRADING. Quite a long time. I'm not sure exactly, but years.
CAROLE THERIAULT. Yeah.
ANNA BRADING. Okay.
CAROLE THERIAULT. So it was established. It wasn't just a pop-up, pop away.
ANNA BRADING. Yeah. And it looks from their social media, it looks like they were using influencers. It's quite glossy and shiny what they were posting.
GRAHAM CLULEY. If they're charging £100, I mean, you would hope it would be quite a luxurious service and you would have an expectation. Well, because it's a lot of money. Because Carole, frankly, you could send me some of your spit and I'll say, "Oh yeah, you seem a bit Canadian to me. Maybe a little bit—" Yeah, okay.
CAROLE THERIAULT. Thanks.
GRAHAM CLULEY. "—wherever else." You know, I could do that. But, you know, if there are proper scientists in white coats, you know, it's— Yeah. Anyway, you would expect the service to be up and running for £100. You'd expect a quality service, I would hope.
ANNA BRADING. But now, no, not at all. Their website's down. They haven't posted on social media since June 2023. And their accounts haven't been submitted to Companies House. Nothing. According to the BBC, who wrote about this story, Atlas Biomed appears to have links to Russia. Two of its officers are listed at the same address in Moscow, along with a Russian— What? Yeah. Along with a Russian billionaire.
GRAHAM CLULEY. At the FSB headquarters. Exactly. Two officers.
ANNA BRADING. Of the company. Yeah, so the Russian billionaire is a resigned director for Atlas. I mean, we can't speculate on what those ties to Russia are, but we do know—
GRAHAM CLULEY. Oh, I think we can speculate. We can speculate. We'd quite happily speculate as to what's going on here.
CAROLE THERIAULT. I don't think you can do that based on where it's based.
ANNA BRADING. You don't know who's in it. Yeah.
GRAHAM CLULEY. No, we can't reasonably, but we can unreasonably speculate is what I'm saying.
CAROLE THERIAULT. That's what Graham does regularly, yeah.
ANNA BRADING. But we do know that whatever the ties are to Russia, it's not just the company that's disappeared, it's also all the customers' DNA data, of course. And that is the most valuable data. It's literally what makes you you. I work for an American company. There's often talk about Social Security numbers that are breached, and they're a nightmare because you only have one, but they actually can be changed. It's just a massive faff. DNA can't. And even if you give it to a company, it doesn't disappear like Atlas or isn't breached like 23andMe. You're still trusting that data to a company and hoping that their security and privacy and ethics hold up because you don't know what they'll do with it or what the future holds. Because we are looking at a future where health insurers put a higher premium on those with predispositions to certain diseases. Drug makers could target us with ads for ailments that we might have, but we haven't even spoken to a doctor about.
CAROLE THERIAULT. And millions of people have done this, right? Yeah. Millions of people with a myriad of different companies.
ANNA BRADING. Yes. And law enforcement's already using DNA data. And it doesn't even need to be your own DNA data. It could be your close relative's DNA data that, you know, if you've committed the crime, it could be then matched to you. And we don't all know all the implications because we don't know what the future holds, so—
GRAHAM CLULEY. The good news is, Anna, your father's DNA can't be matched to you. There's no link there, apparently. So do we know how many people have been affected by this?
ANNA BRADING. No, we don't. I don't think it was a huge company. It's not 23andMe, which is obviously massive. But it's still—
GRAHAM CLULEY. So it could have been someone like me just collecting jam jars full of spit and sweat and other bodily fluids. And writing back, you know, sort of stock, I'll say, oh yes, you appear to be a bit English. Everyone likes to be a bit exotic, don't they? Say, oh yeah, there appears to be a little bit of Egyptian princess in you or something. Do you think so?
ANNA BRADING. Well, I'm a Danish queen. So yeah, yeah, yeah.
GRAHAM CLULEY. Oh, you're related to Marie Antoinette. Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, so this story is about a little hoo-ha going on down under. Like many countries around the world, Australia's government has voiced concerns about the impact of social media on young people.
And the Aussie powers that be have taken a bold approach to effectively ban under-16s from having accounts on these platforms. Oh, really? Yes. So this was announced just last week. So they say, "Social media is doing harm to our kids, and I'm calling time on it," said the prime minister.
Now, you both are parents, right? So before we get into any of the meat of this, what's your immediate reaction to— both of your kids are under 16, so cool.
ANNA BRADING. Yeah, mine are really under 16, they're under 10, and my one hope is that it's all figured out before they get smartphones and social media, because it does terrify me. It really, really worries me.
I worry about the fact that if they're having a horrible time at school, they won't be able to escape it because they will be constantly on social media. I worry about the effect of AI friends they might make. I worry about bullying. There's so much. Yeah.
GRAHAM CLULEY. My child does have a phone and he is on some social media. Does he have a favourite? I would think the one he's on the most is Snapchat.
Apparently it gives you a score as to how many snaps you've received or sent. Oh, does it?
CAROLE THERIAULT. So they've gamified the use of it.
GRAHAM CLULEY. Oh, yes. Oh, and it will go up like 5,000 in a day. I'd love that kids weren't using social media. I think it would be fantastic. Yeah.
CAROLE THERIAULT. So the bill that was introduced in Parliament just last week wants to address the concerns about online safety and the negative impact of social media on young people's mental health. Check.
And this approach has backing across political divides. The leaders of all 8 Australian states and mainland territories have unanimously backed the plan. The opposition party said it would have done the same thing after winning elections due within months if the government hadn't moved first.
GRAHAM CLULEY. Yeah, yeah, we would have done that. We'd actually have done that. You just got there before us, but we thought of it too. We thought before you.
CAROLE THERIAULT. Well, no, but that's interesting. They're not saying it's a shit idea. No, no. Yeah, it's kind of sometimes refreshing to hear political rivals singing from the same hymn sheet.
GRAHAM CLULEY. Well, it's not the under-16s who are voting for the political party, is it? I think that the grumpy old people like myself are the ones who are saying, yes, this is a really bloody good idea.
CAROLE THERIAULT. And I really want to debate that, because if this law passes, the Aussie legislation will put the social platforms in the financial hot seat if they fail to have bouncers at the digital door, you know, blocking entry to the youth. So in other words, they need to take reasonable steps to stop people under 16 from creating and holding accounts.
Okay, that's all about creating and holding accounts. And if they fail, they could impose fines up to $50 million Australian or $32 million US for non-compliance. That doesn't feel like very much.
GRAHAM CLULEY. Not a huge amount for the social media companies maybe, but I guess it would escalate if they continued, you know, if after 6 months they continued to allow under-16s on.
ANNA BRADING. But how are they going to prove it? How are we all going to be uploading our IDs if we haven't already?
CAROLE THERIAULT. Interesting point.
GRAHAM CLULEY. I think they should do a facial scan of yourself. If you have some facial hair.
ANNA BRADING. I look very young, Graham, so. Well.
GRAHAM CLULEY. I think you'd, anyway, so, but maybe it would be something like that. Yeah.
CAROLE THERIAULT. Okay, so to your point, Anna, right, both of you were saying we're concerned effectively, right? And of course, other countries are trying to figure out ways to mitigate the risk of the evils of social for Gen Z and Alphas. Like in June this year, 10 US states have passed laws requiring children's access to social media be restricted or parental consent gained. Last year, France introduced legislation to ban children under 15 from accessing online services unless they have parental permission.
ANNA BRADING. That's tricky because my son last year really wanted a Switch for Christmas, and he really, really wanted one. And we thought, okay, fine, you know, it's a nice Christmas present, it's fine, appropriate for his age if we get the right games. We bought him one, and lots of his friends got one.
One of them didn't, and so the dad actually went out and bought one after Christmas so that his son could be the same as the other boys in his year. And so it only takes one parent to give in, and then it becomes a snowball effect, because it is hard if one of them's doing something and the others aren't. You don't want your child to be left behind or be the weirdo.
CAROLE THERIAULT. Absolutely. And it puts the onus on you to be no, we're not going to be doing that.
So what's interesting is no jurisdiction so far has seemed to have used age verification methods like biometrics or government identification to enforce a social media age cutoff. These are two methods that are apparently being trialed in Australia. That's not to say that they're going to be implemented, but they're being trialed at this point.
And the other interesting thing is the bill won't stop people under 16 from watching videos on YouTube or seeing content on Facebook. It's primarily designed to stop them from making accounts. And this means that the wider ecology of anonymous web-based forums including problematic spaces like maybe 4chan.
GRAHAM CLULEY. Or even worse than 4chan, they could end up on Twitter.
ANNA BRADING. Hey.
CAROLE THERIAULT. Okay, so let's noodle a few points of contention here that people have brought up. One of them is this is a world-first proposal to set the highest age limit by any country, apparently. And there's no exception for parental consent.
And there is no exception for preexisting account holders. So who should be boss, parents or government? It's a bit like buying alcohol, isn't it?
ANNA BRADING. So in the UK, they— when I was younger, I could easily go into pubs, I could go into shops and buy alcohol. No one really— they might have said, are you over 18? And I'd say, yes, I am.
Even now, me, and I'm still very young obviously, but I get asked for ID a lot, especially going into pubs. That once happened to us, Anna.
CAROLE THERIAULT. It did. You and I were together and we were buying a bottle of champagne for some special occasion, and because you were with me, they would not sell me the champagne. She had to produce her own ID in order for me to be able to buy it.
GRAHAM CLULEY. Wow.
ANNA BRADING. They thought you were buying it for your daughter. But the onus is on the staff in the shop and the shops themselves and the pubs, and they get big fines if they don't.
GRAHAM CLULEY. I reckon they just fancied you and wanted to know your name so they could look you up on social media. They didn't think you were underage. They just thought, oh, hello, hello.
CAROLE THERIAULT. Yeah, she probably did think that, the granny that served us. Yes. Crack on, Anna.
ANNA BRADING. I think the onus is on the pubs and the restaurants and the shops, whereas when you give the responsibility to the parents, it's much easier for them to just be a bit more wishy-washy with it.
CAROLE THERIAULT. Yeah. So if it was like drinking and there was no law against, people would maybe tut, but they wouldn't be able to do anything legally. Exactly.
ANNA BRADING. I think it needs to be the companies themselves. I think the companies bear a responsibility.
GRAHAM CLULEY. I think there's a parental responsibility as well. But it is, as Anna describes, extremely hard because the whole nag factor of children and so much, I think, of kids' social interaction these days actually does happen online. Then, much as it might gall us, then they're not getting together quite as much maybe as we would like to imagine we did when we were kids. And so, you know, during lockdown, for instance, things like Fortnite were fantastic because it let kids play with each other.
ANNA BRADING. Yeah. My son would love to watch YouTube Kids, and he'd be allowed to watch YouTube Kids by the companies, but I don't let him watch it because the stuff that is on there is just rubbish. That has to be a consideration, but I think there needs to be more put in place where it's harder for them to access it in the first place.
CAROLE THERIAULT. It's interesting because, of course, not everyone is a fan. MSD International in Australia say removing the benefits that social media brings will not achieve the government's objective of improving young people's lives and ignores the fact that the harms extend beyond children and young people to marginalized groups and people. Yeah. And the Australian Human Rights Commission says, given the potential of these laws to significantly interfere with the rights of children and young people, the commission has serious reservations about the proposed social media.
The appointed cyber czar, Elon Musk, has also publicly pooh-poohed it. Of course he has. Yeah, I wonder why. Seems like a backdoor way to control access to the internet by all Australians.
GRAHAM CLULEY. So I can understand some of these arguments. I mean, my son, for instance, when he was really very young, he used to enjoy watching history documentaries on YouTube. They were little cartoon ones which would explain, you know, about the kings of England or about various wars and battles which had happened around the world. And he learned a lot about World War II and, you know, the Napoleonic Wars and things like this. And this wasn't harmful to him. This was his way of educating himself. And it wasn't just entertaining, it was him learning.
CAROLE THERIAULT. I wondered about YouTube as well. So listen to this final point here. So the bill is focusing on, they've named Facebook, Instagram, TikTok, Snapchat, and Twitter/X. Also many more minor platforms and services. I'm sure they'll be able to add to that list as they see fit.
Interestingly, the legislation has an exclusion framework that exempts messaging apps such as WhatsApp, online gaming platforms, and services with the primary purpose of supporting the health and education of end users. So things like Google Classroom. So I was watching some of the parliamentary discussion on this, and one of the questions raised was, how do you define a social media platform from, say, a messaging app? Yeah. And they got specific, why ban Snapchat but not WhatsApp? And there was a little bit of floundering. But I think I have a reason that I feel fits, but I want to see if you guys have any thoughts. I mean, the gamification of Snapchat that you mentioned earlier, that's one difference. I've never seen that on WhatsApp. I don't get awards for sending more messages or less messages.
ANNA BRADING. Oh, I'd get a good award. I'd be on platinum, baby. I think, well, I don't know enough about how Snapchat works.
CAROLE THERIAULT. Yeah, there's a lot more features and filters and all kinds of stuff. But one thing that I noticed was that WhatsApp, unless you're in WhatsApp Business, but WhatsApp for consumers doesn't have ads, right?
And Snapchat itself boasts itself to potential advertisers. I went to their website and it says, "Reach Gen Z and millennials with Snapchat ads." And it says Snapchat reaches 90% of 13 to 24-year-olds population, 25+ countries.
I wondered what about YouTube as well, and the advocacy group that put together the report suggested that YouTube remain accessible to kids, but they remain concerned by young people being able to start their own accounts and upload videos. I think it's interesting that they're focusing here on accounts, right?
Because it's about them being tracked, I suppose. So it's not so much about them seeing content.
GRAHAM CLULEY. Oh, because they recognize that the creation of an account, the use of your account is a gateway through which potentially a check could be made. Whereas if you just anonymously go to a website, you were given the analogy of having a bouncer at the door.
Well, the bouncer at the door is at the point where you enter your credentials to log into a site.
ANNA BRADING. I mean, obviously they can't stop someone looking over someone's shoulder. That's it.
But if you don't have an account for Instagram, for example, you can't see a lot on there.
GRAHAM CLULEY. It'd be brilliant, 'cause you could blame the politicians. It's, "Oh, I'd love you to have the kids. I'd love you to have the— I'd love you to have it, son."
Unfortunately, that evil Prime Minister has prevented it.
CAROLE THERIAULT. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more.
You can harden your security with ThreatLocker. Imagine taking a proactive deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team.
ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance. Onboarding and operation is fully supported by their US-based support team.
Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.
To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/threatlocker. That's smashingsecurity.com/threatlocker.
And thank you to ThreatLocker for sponsoring the show.
GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time.
Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved — I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?
Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in at every app on every device because it solves the problems traditional IAM 1Password.com/Smashing.
Go and check it out for yourself at 1Password.com/Smashing. That's 1Password.com/Smashing. And thanks to the folks at 1Password for supporting the show.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
ANNA BRADING. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security-related. Excellent. My pick of the week is a bit of a throwback because I don't know if you remember, Carole, back in episode 339.
No. I talked about hobs with knobs and how hobs needed to have knobs. Oh, I— how could I forget?
CAROLE THERIAULT. Can you remind me? Me. Obviously I listen every episode, but let me do it, Graham, just to show how I pay attention to the show.
GRAHAM CLULEY. Okay, let's see, let's see.
CAROLE THERIAULT. Graham was lamenting he had moved house and lamenting that he could not find a hob with knobs because of all the panels and the gizmos, and made a huge 10-minute rant that I probably shortened to as much as I possibly could to save our listeners from the soapbox appeal. A listener did come back and gave him some advice, I believe.
GRAHAM CLULEY. I think I found the solution. I recommended it to people. So what happened— a hob, by the way, for the benefit of our American listeners, is a stovetop.
And the problem is that a lot of induction stovetops or induction hobs these days have touch-sensitive controls, and you press them and they don't really work well. And I just wanted a knob you could turn.
Who's getting old, right? Yeah, exactly. I found one with a proper knob.
Physical control. And I recommended it in episode 339.
And Carole, who got a little bit annoyed about me going on about my hob so much, with its knobs, said she didn't want to hear about it for at least a year. And she said, "I'd love you to come back on and tell me how you're getting on."
Well, there we go.
ANNA BRADING. Okay.
CAROLE THERIAULT. I suspect I did not say "love." I suspect that's a paraphrase of the highest order. But okay.
GRAHAM CLULEY. We could find the clip. Anyway, here we are.
ANNA BRADING. Here we are, and I'm excited.
GRAHAM CLULEY. And I am back with an update. And I have to say that the hob with the knobs was fantastic. It worked very well and continued to work very well until last month when two of the hobs— it wasn't a problem with the knobs— two of the hobs stopped working, which means that half of my stovetop is no longer working.
CAROLE THERIAULT. Oh. Even if you can turn the knobs really easily?
GRAHAM CLULEY. I can turn the knobs, but those two hobs—
CAROLE THERIAULT. So it turns out it's not the knobs that are super important. Oh, interesting.
GRAHAM CLULEY. So, naturally, I contacted the company and said, I've been a great ambassador for your product.
ANNA BRADING. Gold. Hashtag ad.
CAROLE THERIAULT. Yeah, hashtag ad. And hashtag, you know how many followers I have?
GRAHAM CLULEY. And I said, there is a problem with two of your hobs, not with the knobs. They're no longer coming on. I don't understand why. Christmas is coming. We're going to be making Christmas dinner.
And they got back to me and they said, unfortunately, your warranty ran out two weeks ago. So this is not a Pick of the Week. This is a Nitpick of the Week. You see what I've done here? It's a nitpick because it's about electrical items which fail within days of your warranty running out.
CAROLE THERIAULT. Okay, Graham. Yes. I think good advice for our listeners here is maybe when you're purchasing some white goods that cost a lot of wonga—
It didn't cost a lot. Oh, it didn't cost very much. Interesting. That's the problem, Graham. Oh, so you bought a piece of shit?
GRAHAM CLULEY. No, because it was the only one with knobs. It was the only one I was able to find which had knobs.
ANNA BRADING. Can I just say, I have got an induction hob with knobs. And I bought it this time last year. It's a Rangemaster. Hashtag ad.
CAROLE THERIAULT. Oh, and is there any problems with it, Anna? No, there's not.
ANNA BRADING. But it did cost me a lot of money. And that's where you've gone wrong, Graham, because you bought cheap. And you know, if you buy cheap, you buy twice. So that's what you'll be doing.
GRAHAM CLULEY. Maybe you can send me a link, because I could be in the market for a hob with knobs for Christmas.
CAROLE THERIAULT. So the moral of the story, don't buy hobs with knobs unless you listen to Anna.
ANNA BRADING. I could have helped you. I did a lot of research.
Anna, what's your pick of the week? Well, so I love a pacey show, a TV show. I loved Ozark, loved Breaking Bad, loved Happy Valley. Did you watch them?
CAROLE THERIAULT. Yep, all three, loved them.
GRAHAM CLULEY. Yeah. Yeah, I watched Breaking Bad and Happy Valley, yep.
ANNA BRADING. Yeah, so I'm always on the lookout for something that will give me that, you know, as you're going to bed, you're like, "Oh, just one more. I'll just watch one more." That's what I want.
So, the latest show I've been enjoying is Day of the Jackal.
CAROLE THERIAULT. Have you heard of it? No, no.
ANNA BRADING. I've seen the movie with Edward Fox. Yeah, so there was a—
GRAHAM CLULEY. That was great.
ANNA BRADING. There was the book and then the film in the '70s. And so this is a remake.
GRAHAM CLULEY. There was a Bruce Willis remake. Oh, was there? I think. I'm sure that was shit.
ANNA BRADING. Hey, can't speak ill of Bruce now.
CAROLE THERIAULT. Yeah, you're not allowed. I don't know why.
ANNA BRADING. Okay, alright, sorry. You can speak ill of him if you want, but it's Eddie Redmayne. And it's a TV show, and he stars as the Jackal.
So he's a ruthless assassin who kills people. And he takes on their identities, and then he becomes them in order to kill more people.
But he's a top, high-level assassin. There's an Elon Musk tech guru called UDC.
There's lots of rich people trying to get one over on each other. But what's interesting about this show is that they also show his human side.
So he's a family man, and he appears to love his wife and his baby son.
GRAHAM CLULEY. Aw. For goodness' sake. He's an assassin.
ANNA BRADING. Stop going, "Aw." But it is conflicting. It's conflicting.
CAROLE THERIAULT. Yeah, so was Leon, but we all loved him too.
ANNA BRADING. So it becomes a cat and mouse chase between the Jackal and a British intelligence officer, Bianca, as she's trying to hunt him down and stop him.
CAROLE THERIAULT. Oh, this sounds right up my alley actually, and I'm looking for a new show, so I'll watch it. Yeah, what's it on?
ANNA BRADING. It's on Sky. I've been watching it through Sky.
It's also on Now TV. Sorry guys, sorry, I'm very rich.
GRAHAM CLULEY. Did you hear that? She's got Now TV, she's got Sky. She's very rich.
If only. Will she give you YouTube Kids? No, she won't.
ANNA BRADING. But I did spend a lot of money on my Hobbit nobs. But you can also, I think you can download it from other places, legal places, and it's on Peacock in the US, if you're in the US.
That's my pick of the week.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. So last night, one of my girlfriends took me out on a movie date. And this was quite exciting because she has younger kids, so we never go out ever.
And she took me to see the 2024 Palme d'Or winner, a movie called Anora. Note, Graham, yeah, not Narrowly Missed the Palme d'Or, which we recommend— Graham and I don't recommend for reasons we can talk about another time.
But the winner. Okay, so the premise, just quickly, you've got this Uzbek-American seasoned stripper, Anora.
And she knows all the moves, and she's entrusted by her boss to do the sexy routine for any Russian-speaking clients. And one day, she meets a kid, or a young adult, called Vanja, the son of a gazillionaire Russian oligarch.
And she dances for him, he swoons, they hit it off à la Pretty Woman, and he turns her life upside down because he is beyond wealthy, completely free, and only 21. And life is good, you know?
And Anora can't believe that she's finally been chosen for this wonderful world. What could go wrong?
More than you can imagine is the answer. This is Cinderella minus— for adults, minus the saccharine ending.
But it is a wisecracking whirlwind of a film. It has romance, it has loads of sexy times.
Starts with it right at the beginning. But it has action and comedy gold moments.
People were in hysterics in the theater. And it's 2.5 hours long, apparently.
But it flew by. Literally, I was thinking, "Oh, I'm probably about halfway," and the movie was ending.
Strong acting, strong direction, strong script. There's a few cameos. Our oligarch kid slides into the first scene à la Tom Cruise in— what was it?
Risky Business. Risky Business, exactly.
And there's a word-for-word scene that's taken out of Pretty Woman. A cameo for that.
So it's genius, and it's a must-see for all adult movie buffs.
GRAHAM CLULEY. Movie buffs. Yes. Movie butts. Yeah.
ANNA BRADING. But this is perhaps not for a first date, okay?
CAROLE THERIAULT. Because there's oodles of erotica.
ANNA BRADING. Maybe it is for a first date.
CAROLE THERIAULT. There's a lot of potty-mouth chatter going on. But yeah.
And it has a strong message. It talks, it kind of flirts with the whole concepts of class wars, gender roles, money, flawed humanity.
GRAHAM CLULEY. Oh, yes, yes. All that stuff.
CAROLE THERIAULT. I loved, loved, loved it. So that's Anora, winner of the Palme d'Or, my pick of the week. Go see it if you're over 18.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. Anna, thank you so much for joining us. I'm sure lots of our listeners would love to find out what you are up to and follow you online. What's the best way for folks to do that?
ANNA BRADING. Thank you for having me. I'm still on X, Twitter, @AnnaBrading. I've got my username on Bluesky, but I haven't done anything on it yet. But get me on LinkedIn if you hate X.
GRAHAM CLULEY. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, ThreatLocker, Vanta, and 1Password. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 394 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye. Bye. Bye.
-- TRANSCRIPT ENDS --