409: Peeping perverts and FBI phone calls

In episode 409 of the "Smashing Security" podcast, we uncover the curious case of the Chinese cyber-attack on Littleton's Electric Light Company, and a California landlord's hidden camera scandal.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
  • Acronis Threat Research Unit - Your secret weapon against cyber attacks. Access the reports now.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Okay, if I were Nick, yeah, I'd be, oh yeah, really? Yeah, FBI, scam-bi, goodbye. That's what I would do.


UNKNOWN. Smashing Security, episode 409, Peeping Perverts and FBI Phone Calls, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 409. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole. Here we are back again for another show.


CAROLE THERIAULT. I know.


GRAHAM CLULEY. No guests this week again. We're going to have to get a guest in soon, aren't we?


CAROLE THERIAULT. I think we definitely will, but not this week because I'm sick, Graham. I'm sick.


GRAHAM CLULEY. Oh, what's wrong? What's wrong?


CAROLE THERIAULT. I have a flu. So if my voice is all scratchy, just know that I'm being a soldier, not skipping a week. You know what, I think we should kick the show off. But first, let's thank this week's wonderful sponsors, Vanta, Drata, and Acronis. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about a lurking horror of hackers.


CAROLE THERIAULT. Ooh, and I'm talking about short-let nightmares coming back to haunt you, a scary episode. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, actually specifically you, Carole, have you ever hidden somewhere for a long time?


CAROLE THERIAULT. Not by choice.


GRAHAM CLULEY. Maybe when you were a kid? Did you hide in a cupboard under the stairs?


CAROLE THERIAULT. Funny you should say cupboard. My brothers both locked me in, I don't know how, tricked me into getting into this toy box we had in the basement of our house.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And I got in and then they locked it shut.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. With rope and stuff, and then went off to watch cartoons upstairs. So I do have claustrophobia, and I wonder if that's associated.


GRAHAM CLULEY. How old were you? In your 30s or what? How old were you when this happened?


CAROLE THERIAULT. No, maybe more eight.


GRAHAM CLULEY. Oh, that's a horrible story. You know, I remember when we and a large group of your friends were— I think you organized some great big party in the country. And we all decided to play a game of hide and seek.


CAROLE THERIAULT. Graham.


GRAHAM CLULEY. And one by one, one by one, people were found in about an hour. You know, it was the end of the game. You know, it's all fun and games, you know, in a strange big house, hiding different places and people would go, oh, here you are. And all that sort of thing. And the game finished as games do. We know how to have a wild time. And then about an hour after the game finished, someone came into the room feeling rather—


CAROLE THERIAULT. No! We found the person in the room.


GRAHAM CLULEY. Did we?


CAROLE THERIAULT. Yes. Well, not we. I and someone else found them in a bedroom. We'd forgotten about them. It was awful.


GRAHAM CLULEY. No one had noticed they were missing.


CAROLE THERIAULT. It had nothing to do with the person at all. It's just there were tons of people.


GRAHAM CLULEY. No, no, no. Now imagine what could have happened if she'd had provisions and a supply of loo paper. She could have stayed there for weeks, couldn't she, if we had never noticed? And she'd still have been playing that game. And I was reminded of this when I heard a story this week about some Chinese hackers who had allegedly sat undetected. That's what the headline said. This says Chinese hackers sat undetected in a small Massachusetts power utility for months.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And I thought, that's a long time to sit undetected, isn't it? I mean, you'd have thought people would have noticed the pizzas being delivered. Of course, that's not what it meant. It wasn't that they were actually sitting in there undetected. They were virtually there, Carole. They were virtually there.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Thanks for clarifying. Yeah.


GRAHAM CLULEY. I felt I should. Yeah. Our story actually begins in November 2023.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And it's a Friday night in the small town of Littleton, Massachusetts. And there's not a lot of people who live in Littleton or in its neighbouring town of Boxborough.

In all, it's about 15,000 people. So it's not huge.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And not a lot goes on there. Maybe there's the odd cake sale at the town hall or a marrow growing competition if it's anything like English towns.

Just something like that going on. And on this particular Friday night, a guy called Nick Lawler received a phone call at his home in Littleton.

And he's not happy about this because he wants to relax. It's a Friday night, right? The weekend's ahead.

He's been busy all week being general manager of the Littleton Electric, Light, and Water Department.


CAROLE THERIAULT. He deserves a beer.


GRAHAM CLULEY. Of course he does, right? And he's thinking, who's calling him?

Anyway, he gruffly answers the phone, and the person on the other end says that he works for the FBI. And Nick's thinking, what?

Why are the FBI calling me? Did someone forget to pay the electricity bill at FBI headquarters? Why are they ringing me? Why are they doing this?


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And the FBI guy says that the Littleton power network has been compromised by hackers. And according to the FBI on this phone call, Littleton's electric company had been hosting some uninvited guests, members of the Volt Typhoon gang, who'd been lounging around their network for up to 10 months.


CAROLE THERIAULT. Okay, if I were Nick, can I say what I would do right now? I'd be like, oh yeah, really? FBI? ScamBI, goodbye.


GRAHAM CLULEY. That's a bad idea. Well, that's interesting. That's interesting.

Because Nick's a little bit suspicious. He thinks, who'd want to hack his electric company?

They don't have access to any large critical infrastructure. They just distribute the power. You couldn't imagine they would be a target.

But the man on the phone insists that they have been targeted, claims they are on a list of 200 utility organizations that have been breached by the hackers. And the guy on the phone says, look, Nick, can you give me your personal email address?

Because what I'd like to do is I'd like to send you a link where you can read more about the hackers, and that will help diagnose the severity of the hack.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Now, Carole, I think you've already given me a clue as to how you're going to respond.


CAROLE THERIAULT. Yeah, nice try, bucko.


GRAHAM CLULEY. Well, Nick had a similar approach, although a little fruitier in his language. What he said was, go fuck yourself. Oh, yes.

I'm not going to click on a link. You must think I'm an idiot. Right. What's your name again?


CAROLE THERIAULT. Nick's probably a big listener of the show. Well done, Nick.


GRAHAM CLULEY. Well done, Nick. Nick, if you're listening, we admire you for that approach.


CAROLE THERIAULT. This is all going to go wrong. I know.


GRAHAM CLULEY. I know. And as the Register describes, Nick hung up and he called— and this again, bonus points for doing this, Nick— Nick called up the FBI field office in Boston directly.


CAROLE THERIAULT. Smart.


GRAHAM CLULEY. Not using the phone number he was given on the call. Rings them up, and what do you know? The same FBI agent answers the phone. Oh! But Nick is still a little bit concerned. He thinks, "Well, that's a bit odd." And so he still refuses to hand over his personal email address.

He says, "Look, if this is really that important, you can show up at my place of work at the electric company on Monday morning and tell me face-to-face." Great! Because it's the weekend. It's the weekend before Thanksgiving. He's gonna go to his kids' sports games. He's gonna get on with family life. And he pretty much over the weekend forgets about the phone call.


CAROLE THERIAULT. He's assuming this is not time critical.


GRAHAM CLULEY. Well, you know, come on, it's Littleton.


CAROLE THERIAULT. Thanksgiving.


GRAHAM CLULEY. It's Thanksgiving. It's the weekend, for God's sake. He's got a beer in his hand.


CAROLE THERIAULT. Maybe.


GRAHAM CLULEY. Forgets all about it. Until Monday, when who should turn up at his place of work but the FBI with a printed out PDF all about the Volt Typhoon Gang. Now, as I said, this was the start of Thanksgiving week in 2023. And it transpired the hackers had been on the network of Littleton's electric, light, and water departments for over 300 days, almost a year.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. That's about 1,200 times longer than that person hid during our game of hide and seek. So—


CAROLE THERIAULT. Good maths.


GRAHAM CLULEY. Thank you. It's a very, very long time indeed. And all that time, the hackers had been able to access sensitive systems without detection. And one of the challenges that this little electric company had faced was that it was such a small operation. It didn't have the resources. It didn't have the people power. It didn't have the technology to properly defend itself from attacks.

For instance, it had struggled because it had limited visibility into its OT network, the operational technology network. Those are the bits of your network which manage and control physical devices in industrial environments, right?


CAROLE THERIAULT. Yeah. This bugs me though, because this just says, oh well, guess it's only megacorps that can do all the big serious jobs now. And I can see that it's a resource issue. Like what? Because you're delivering energy, you need to have Fort Knox of security.


GRAHAM CLULEY. Well, unfortunately, if you're just one link in the chain, then, you know, if you get knocked out, that could have big impact, couldn't it? And the Volt Typhoon hackers, they had been really sneaky. They are a group which typically doesn't use malware, right?

Typically doesn't do that kind of thing. What they do is they use living off the land techniques. And this is a technique which is used increasingly by hackers where they won't use their own malware. They will use tools which you already have on your network. So there are tools on your network like PowerShell, which are ways to automate various functions on your network, do lots of helpful things. And what the hackers will do is they'll use that tool to do their dirty work for them, to copy files around or zip them up and then begin to exfiltrate them.

And living-off-the-land attacks have become very, very popular because there's much less risk of being detected.


CAROLE THERIAULT. Well, exactly.


GRAHAM CLULEY. By an antivirus compared to when you install your own malware.


CAROLE THERIAULT. No, exactly. And even if you think of it, in the earlier days when we had, when these viruses had payloads, which would basically say, haha, got ya, you're kind of giving away the game early on.


GRAHAM CLULEY. Yes, it's announcing, yes, it's like a ransomware attack. It obviously has to announce the fact that it's hit you. These attackers aren't interested in a ransomware attack, at least not at this point. They're mostly interested in spying and seeing how your network works. And if it should come to it, then maybe breach it. So the concern is, and one of the concerns about the Volt Typhoon Gang is that they are believed to be operating should the political situation change.

So if, for instance, China and America were to become more openly hostile to each other, if, for instance, China were to attack Taiwan and America got embroiled in that, which is a scenario you could imagine happening, then these Chinese hackers are thought to have already done the prep work breaking into utilities and critical infrastructure in America, just biding their time, because should that come to pass, then they could cause a lot of disruption and damage. But you have to wonder, what was the FBI playing at?

So imagine you're at an FBI office that identifies a security breach at a piece of critical infrastructure. What do you do? You call the facility, ask for a private email address, and tell them to click on a link to download a program. Well, what do they do?


CAROLE THERIAULT. Well, that's not what they did. They called them at home. It's even worse, right?


GRAHAM CLULEY. They called him at home. They called him at home, asked for his AOL account.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And said, we're going to email you something, click on it and run a program, download a program, diagnose what's going on.


CAROLE THERIAULT. But you can understand from their point of view as well.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. How do they legitimize themselves in a suspicious world?


GRAHAM CLULEY. And where there's urgency as well. How can people verify that it's legit? You want to have a secure channel for communicating with someone, maybe. You're concerned that the phone network at the organization or the email system at the organization has been compromised. And so they're looking for another method.

But at the same time, what kind of lesson is this teaching people? Because there's a danger you're normalizing something very, very risky as being acceptable practice. Because normally, I'm sure Nick is a regular listener judging by his response to the FBI, normally we'd say treat that kind of thing with extreme caution and suspicion.


CAROLE THERIAULT. Well, we did give them gold stars, right, for some behaviours.


GRAHAM CLULEY. We did. We did. Absolutely. Yes. But I think ideally, I think most of us would feel more comfortable if an FBI agent turned up on our doorstep. But then how would you know it's an FBI agent? It could be just someone who's been down the fancy dress shop and is pretending to be, couldn't it? Waving a badge at you.


CAROLE THERIAULT. I like the idea of showing up in the office on a Monday morning. I think that's just old school, you know.


GRAHAM CLULEY. You think hackers can't get up early enough in the morning on a Monday?


CAROLE THERIAULT. That's basically what I'm saying.


GRAHAM CLULEY. Yeah. That's what you're saying. Okay. Carole, what's your story for us this week?


CAROLE THERIAULT. So I saw a story in The Independent, and it occurred to me that we hadn't touched on the subject in a while on Smashing Security. So I thought it was time to bring it back. So let me just set the scene.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. It's 2018. And Jane, her true identity is masked. Okay. But we're going to call her Jane. She's just rented a one-bedroom with ensuite bath. In a 300-square-foot Long Beach residence. Right? She did this via a site called Roomies.com.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. And the landlord, a 74-year-old whose first name is apparently Bond.


GRAHAM CLULEY. Bond?


CAROLE THERIAULT. Yep, Bond.


GRAHAM CLULEY. Okay, all right.


CAROLE THERIAULT. So landlord Bond has a number of properties and rooms for rent in the area. He's maybe a property baron of sorts. So cool, cool.

Jane gets the room, has the only set of keys, and keeps the door locked. But things get weird.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. About 3 weeks into Jane's rental, our landlord Bond reportedly starts making comments to Jane about her body. I'm assuming the hubba hubba type of comments.

And a few weeks later, he asks her whether she would consider trading personal favors for rent.


GRAHAM CLULEY. Oh my God.


CAROLE THERIAULT. And I'm not sure that means ironing his shirts.


GRAHAM CLULEY. No.


CAROLE THERIAULT. So Jane doesn't get into a flap, apparently. She brushes him off, probably thinking the equivalent of perv.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. Pervy old man.


CAROLE THERIAULT. Right. And whatever.

I've brushed him off, but the comments keep coming. Anyway, so soon after she moves in, she leaves for a two-week vacay, and landlord Bond apparently soothes her by saying, "You know I would never put a camera in your room, right?" Well, that would spook you out, wouldn't it? You'd be like, "What?"


GRAHAM CLULEY. Sorry, what? I wasn't thinking you would until you happened to actually mention it.


CAROLE THERIAULT. It's "I'm not gonna murder you in the night, right? You know that."


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. "I'm not gonna scoop your eyeballs out with a spoon, right? You know that." Okay, yeah, freaky.

Okay, so no surprise she is unnerved by this odd statement.


GRAHAM CLULEY. Yes. Yes.


CAROLE THERIAULT. And Jane changes the locks on her bedroom door before jetting off. So she has put the new lock in, new keys, everything, everything.

Oh, okay.


GRAHAM CLULEY. All right. Are you allowed to do that if it's a rental?


CAROLE THERIAULT. Mm, good question.


GRAHAM CLULEY. I'm not sure. I suppose you have to still give the landlord access if they want to inspect or something.

But yeah, okay.


CAROLE THERIAULT. Yeah, an interesting legal quagmire for another show, perhaps. Yeah.


GRAHAM CLULEY. Yes, yes. Tune in to Smashing Security for answers to that question.


CAROLE THERIAULT. Ding, ding. So while Jane is away, the landlord contacts her and he says, "Oh, Jane, Jane, Jane, there's a leak in your bathroom. And in order to fix it, a locksmith would have to unlock your door." Oh, yeah.

And when she returns, she finds that in fact the whole lock has been changed outright. So, okay, this wouldn't sit well with me. The guy's a bit of a perv.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Right. He's changed the locks.

And no surprise, Jane doesn't seem to be thinking this is great either. She moves out a month later.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Right. Icky.


GRAHAM CLULEY. Well, it's good that she was able to do that. Imagine if she'd paid a year in advance or something.

And yeah.


CAROLE THERIAULT. Yeah, yeah. That would be awful.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay. So we fast forward now.

We fast forward 6 years to February 2024. Okay. So about this time last year.

All right. And Jane, maybe at a local coffee shop, maybe at the dog park, I don't know, but somehow gets chatting to an old friend of ex-landlord Bond.


GRAHAM CLULEY. Okay, what's their name? Moneypenny?


CAROLE THERIAULT. Yeah, sure. And the friend mentions something along the lines of Bond having installed smoke detectors with cameras and had recorded Jane both in the nude in her bedroom as well as engaging in intimate situations with her guests.


GRAHAM CLULEY. Hey, okay, obviously that is horrific. And that would be disturbing.

What is Bond doing telling people that he's— Well— And why is this person his friend?


CAROLE THERIAULT. I mean, first, welcome to Yuckville, right? Because it would be just horrific news. And 6 years have passed, okay, without her even having any knowledge of this.


GRAHAM CLULEY. Yeah. Is it possible it's a very slow Wi-Fi connection? So any pictures which were transmitted from her room have only recently arrived on Bond's computer.


CAROLE THERIAULT. The friend says the landlord Bond had actually shown him the videos, which were forwarded from the smoke detector cameras, according to this article in The Independent, to the landlord's phone and email. And the friend was not the only one to see them. So in other words, landlord Bond was passing them around.

Okay, so again, this is pretty horrific news to be hearing. Not only just hearing it, but 6 years later as well.


GRAHAM CLULEY. It's not just an indictment on this Bond chap, but all of his associates. I mean, there were so many people who could probably have blown a whistle and gone to the police, you know.


CAROLE THERIAULT. Short time later, Jane confronts the landlord about his actions, and weirdly, he admits to Jane that he secretly installed the surveillance cameras, took the illegal videos, and showed the illegal videos to his friends.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. It's worse than that. Jane learns that the landlord sent the illegal videos to a male porn star and secretly tried to arrange a meeting between Jane and this individual so he could secretly record them.


GRAHAM CLULEY. Oh, so, okay, hang on a minute. So Bond arranged for a male porn star to bump into Jane and maybe—


CAROLE THERIAULT. Oh, hello, I'm here to fix your taps.


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. I heard you had a problem.


GRAHAM CLULEY. 'Oh, there's a problem with the washing machine. Let me just—' 'Yeah, okay, I'm the pizza delivery guy.' Okay, and so— And in order that Bond could film both of them covertly. Yes.


CAROLE THERIAULT. Or maybe he was going to give a cut to the porn guy. Who knows?


GRAHAM CLULEY. It feels— Yeah, it feels rather an elaborate scheme. Yes.


CAROLE THERIAULT. Well, Jane has finally taken Bond to civil court, asking the judge to hand down an injunction blocking—


GRAHAM CLULEY. Don't just take him to civil court. Just call the cavalry. Well, right.


CAROLE THERIAULT. Right. And she wants them banned from distributing further videos, et cetera, et cetera. And Jane, of course, is not alone, right?

I've been doing this research for this story. I saw dozens of reports of people finding out that they've been secretly recorded. Others, you know, people who are finding these things in smoke detectors or in Wi-Fi extenders and all sorts of things.

And Jane only found out because someone ratted out the sleaze of an ex-landlord 6 years later. But how many don't even know?

Last year, Airbnb announced that the company would ban the use of surveillance cameras in its rentals, right? So the news was welcomed by those concerned about privacy, including someone like me.

And since 2022, another rental platform, VRBO, big in the States, has banned the use of indoor cameras except those that are disclosed to guests and can be deactivated by them. American Hotel and Lodging Association, they represent 80% of all franchised hotels in the US.

They said surveillance cameras in hotels should be limited to common areas, so lobbies, pools, and that's just for security purposes.


GRAHAM CLULEY. Yes, you wouldn't expect to have— I mean, you wouldn't expect to have a camera in your hotel room, would you? But, yeah, I suppose it'd be all right in a corridor or something.


CAROLE THERIAULT. Every state has the law apply slightly differently, but at the federal level, there's this Video Voyeurism Prevention Act of 2004, which prohibits knowingly videotaping, photographing, filming, recording by any means without an individual's consent where someone has a reasonable expectation of privacy.


GRAHAM CLULEY. You know when you do rent a property and you've got all these forms you have to sign? Yeah, yeah, yeah, sign here, sign there. You know, of course I haven't read them.

I suppose they could sneak in a little paragraph saying, you don't mind us photographing you in the nude, do you? Right? I'm 78 years old and I'm a bit of a pervert.


CAROLE THERIAULT. You could probably contest that if it was in the small print.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Okay. But basically, my point here is the powers that be, so the companies and the government, they all seem to be on the same side. You know, don't surreptitiously record your guests without consent.

Who's selling these devices which are disguised in this fashion? So I was researching the story and I look for things spy camera rental landlord, you know, court case, that kind of thing. And maybe there's 2 links on that kind of topic and the rest are either porn sites basically doing some kind of spycam cutie cutie something something bit dirty, or they're selling the spycams.

Just do your own research and see. There's so many links about that stuff.


GRAHAM CLULEY. It's horrible, isn't it?


CAROLE THERIAULT. Mm-hmm. Reason I'm talking about this too is I've just been to a rental property for a group holiday. Okay. And there was tech all over the place.


GRAHAM CLULEY. Yeah, I know. I was able to watch you. I know. I saw you.


CAROLE THERIAULT. You know, there's a smart heating system. There's a Wi-Fi router, Wi-Fi extenders, Roombas, smart TVs, the whole lot. And any one of those things could have been retrofitted, right?

And even with the teeny bit of infosec technology that I have, I wouldn't know where to start if I wanted to ensure I wasn't being recorded without my consent. Security pundits at Global Threat Solutions, they told The New York Times, right?

So they had some advice, right? They said you gotta do a common sense search of a location. So quote, "This includes looking for small recording devices."

Recording devices are telltale lenses in anything connected to a power source, such as a clock radio, power outlets themselves, and battery-charged electronics, such as smoke detectors and Bluetooth speakers. Turn off the lights and use a flashlight—a cell phone flashlight will do—to look at flashing lights that may reveal a camera. Do you do that?


GRAHAM CLULEY. Of course you don't. And let's not forget that these cameras can be absolutely tiny.

So my phone, right, has a camera on its front screen. There's a little pinprick of a hole. It's a very good camera.

I can barely see it when I'm looking straight at it to work out it's there. You would never notice that.


CAROLE THERIAULT. You do have tiny eyes, right? Wow. Just kidding.

More advice from this Global Threat Solutions is if you're uncertain, just throw a towel over the electric device or tape over the outlets. Or over yourself.


GRAHAM CLULEY. And then it doesn't matter where the camera is.


CAROLE THERIAULT. Yeah. Fire hazard anyway.


GRAHAM CLULEY. Fire hazard. Yes.


CAROLE THERIAULT. You know, let's just put blankets all over the electrical stuff.


GRAHAM CLULEY. This is insane.


CAROLE THERIAULT. Now they say because many recording devices require an internet connection to stream images, check the Wi-Fi network for any connected devices and ask what they are. It mentions apps such as Network Analyzer and Ubiquiti Wi-Fi Man, both apps I've not used, but apparently they will scan networks and detect connected devices.

So that's kind of interesting. I didn't know that.


GRAHAM CLULEY. Yeah, but the connected device may just say smoke alarm. It won't necessarily— you don't have to name it like smoke alarm and spy camera, do you?


CAROLE THERIAULT. So what if you find a hidden camera in a hotel room or short-term rental, right? What do you do? The advice is gather evidence by taking pictures or videos and contacting the police.

And then find, of course, new accommodations, right? Like pronto.

Airbnb directs guests to report privacy violations to its customer support team, and Vrbo does the same. But you know what? I think I'd contact the cops first and then contact the Airbnbs and Vrbos of the world.

I think the fact that it's reported means that they have more incentives to take action.


GRAHAM CLULEY. Yeah. What do you think? No, I agree. I agree. I mean, this is absolutely heinous, isn't it? And how horrendous.


CAROLE THERIAULT. And you don't know how often it's happening because, you know, if you don't know, you're none the wiser. I think the trick to not being surveilled is just to be stupidly boring.

It's not my forte, obvi, right? But, you know, keep it dull, keep all your clothes on all of the time, say nothing, don't react, just to create the most boring footage in existence.

And then it probably won't circulate. So what a dreamy vacation that would be.


GRAHAM CLULEY. Or if you're going on holiday, just stay in a tent. Stay in a tent.


CAROLE THERIAULT. Yeah. Make your own one of woods and twigs. Yes. You don't want to have any smart fibers in the tent.

Smashing Security is sponsored this week by the Acronis Threat Research Unit. They're a dedicated team of cybersecurity experts inside Acronis specializing in threat intelligence, AI, and risk management.


GRAHAM CLULEY. That's right, Acronis's Threat Research Unit stays ahead of cyber risks to keep MSPs and their clients safe from attack, releasing security updates, threat intelligence, and monitoring the global threat landscape around the clock.


CAROLE THERIAULT. So if you wanna learn about emerging threats, get security insights, and support your IT teams with guidelines, incident response, and educational workshops, go to smashingsecurity.com/acronis. That's smashingsecurity.com/acronis.

And thanks to Acronis for sponsoring the show.


GRAHAM CLULEY. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.


CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.


GRAHAM CLULEY. You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.


CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.

Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash Smashing Security.

Smashing. And thanks to Vanta for sponsoring Smashing Security.

If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.


GRAHAM CLULEY. But GRC isn't just about checking boxes. It's a revenue driver that builds trust, reduces trust, accelerates deals, and strengthens security.

That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.


CAROLE THERIAULT. With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring, and you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistant.


GRAHAM CLULEY. Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashing to learn more. That's drata.com/smashing. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security related necessarily.

Better not be. Now, it's been said from time to time that my picks of the week are not necessarily erudite enough. They're not cultural enough. I don't think I've ever said that. Well, I think sometimes people have thought, Graham, you don't read books. Graham, you don't seem to have seen a lot of movies. You aren't recommending classical music.


CAROLE THERIAULT. It's more like, Graham, you haven't spent a lot of time preparing your pick of the week.


GRAHAM CLULEY. This week, my pick of the week is related to a chap called William Shakespeare. Who's that? He was a chap, a ginger chap with a beard, a Brummie from Birmingham, or more accurately Stratford-upon-Avon, which is quite close to Birmingham.

And not very long ago, I visited Stratford-upon-Avon and I went to the Royal Shakespeare Theatre. La-di-dah. Yeah, la-di-dah, put on a play or two.

My wife was kind enough to pop into the shop at the Royal Shakespeare Theatre, and she bought me a t-shirt. And it's a t-shirt covered in insulting Shakespearean language.


CAROLE THERIAULT. Oh, cute!


GRAHAM CLULEY. It turns out that insults aren't what they used to be. And I think that we've become rather lazy in the insults that we use in modern-day life. And maybe it's time to pick up some of the ones we used to use hundreds of years ago.

And so I thought I would share with some of our listeners this week some of the insulting language, see how they like it.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And maybe they can use it in their day. Right. So I've got a few for you, Carole. Okay. A lewdly inclined footlicker.


CAROLE THERIAULT. Lewdly inclined footlicker.


GRAHAM CLULEY. You Banbury cheese. You beetle-headed flappy-eared knave. You poisonous bunch-backed toad. And this was my favourite. Not so much brain as earwax.


CAROLE THERIAULT. Ah, yeah, I don't know if these would land very well today, do you think?


GRAHAM CLULEY. Well, they had them rolling around in the aisles. Apparently. Back in the days of Shakespearean plays, they thought this was— I don't know if you've ever seen a Shakespearean comedy.


CAROLE THERIAULT. I have.


GRAHAM CLULEY. But these, trust me, these are probably the best lines they have. So that is my recommendation for this week, are the insults of William Shakespeare, because I think it's time that we got a little bit more creative with our insults rather than calling everyone a— well, I won't say what I was going to say. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, it's interesting that you mentioned a bearded, redheaded William Shakespeare because this is the time of year that we see a number of art societies host exhibitions. Yes. And I entered a piece called "The Rusty Sage" for the Oxford Art Society 2025 Spring Exhibition. Oh, yes. Let me show it to you. So this is— I put it in the show notes there. So this is what I entered. It's obviously this. You don't see it framed and mounted, but it is.


GRAHAM CLULEY. Oh, this is fabulous, Carole.


CAROLE THERIAULT. Do you like it? Does it remind you of anybody?


GRAHAM CLULEY. It reminds me a little bit of your husband, but he's not ginger. The Yeti.


CAROLE THERIAULT. Well, he used to be. Oh, did he?


GRAHAM CLULEY. Oh, before he became grey. Yeah, they married me. He certainly has an impressive beard. Oh, he's only got one ear that I can see. Is it Van Gogh supposed to be?


CAROLE THERIAULT. Maybe you can put it on Bluesky and you can share it with our listeners. What's interesting is how these things happen.

So I'm a member of the society, but still, when they open their exhibitions, you know, an open call, you have to fill out a form, pay a small fee, and then get your work all ready for sale. And then you have to bring it in in person. And then it's only referred from then on by a special number. And it is presented to a judging panel of 5 people.


GRAHAM CLULEY. Oh, so they don't know you painted it. So there's no favoritism.


CAROLE THERIAULT. No. Oh, I see. So it would come up, it would be, say, it would come up to them and it would say the number 2377 Rusty Sage. Watercolor. And then the judges would go, yay, nay, yay, yay, yay, or yay, yay, yay, yay, yay, or nay, nay, nay, nay. And so my rusty sage got in, which is great.


GRAHAM CLULEY. Yeah, I really like that. I think it's terrific.


CAROLE THERIAULT. Well, thanks. And one of the big problems with art, right, is how you price it.

So I priced it and I put it in for 500 quid. And doesn't that sound a huge amount of money? But the society gets 25%. The framing and mounting costs 75. So it's 300 quid.


GRAHAM CLULEY. Is what you'll get if it sells. If it sells.


CAROLE THERIAULT. Anyway, so listeners, anyone feeling flush and interested in purchasing a beautiful piece of art made by yours truly.


GRAHAM CLULEY. An original unique Theriault.


CAROLE THERIAULT. That's right. Yeah, exactly. So that's my pick of the week, is me and my Rusty Sage making it into the Oxford Art Society's members spring exhibition, yada yada yada yada.


GRAHAM CLULEY. Are you going to put this on your website or something like that so we could link to that?


CAROLE THERIAULT. Yes, yes, but remember I'm ill. I've got a big list of stuff I have to do. Yes, it will. It'll go on my website, promise.


GRAHAM CLULEY. Very good. Well, good luck, Carole. I'm sure it will sell because it looks fabulous.


CAROLE THERIAULT. Thank you very much, Graham.


GRAHAM CLULEY. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Vanta, Drata, and Acronis. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 408 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye. Very impressive. I mean, £500 sounds a lot, but then you just think, how many hours did you put in learning how to paint? People can't do it, and it's cool.


CAROLE THERIAULT. And I like the title because, Rusty Sage, or Rusty—

-- TRANSCRIPT ENDS --