Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his life.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Elusive Comet advisory - Security Alliance.
- Mitigating Elusive Comet Zoom remote control attacks - Trail of Bits.
- Aureon Capital: The Fake VCs who Almost Hacked Me - David Z Morris.
- Requesting or giving Remote Control - Zoom knowledgebase article.
- Has Bryan Johnson’s anti-aging experiment backfired? Biohacker spending $2 million-a-year admits to a costly misstep - Economic Times.
- How Blueprint Founder Bryan Johnson Sought Control Via Confidentiality Agreements - The New York Times.
- Anti-aging mogul Bryan Johnson claims NY Times preparing ‘hit piece’ about alleged use of prostitutes, drugs - NY Post.
- KOReader - document reader for E Ink devices.
- Killing Thatcher: The IRA, the Manhunt and the Long War on the Crown - Bookshop.org.
- The Urge - Our history of addiction by Carl Erik Fisher.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Oh yeah, because I have millions because—
GRAHAM CLULEY. Because you're a big crypto.
CAROLE THERIAULT. I'm a big crypto queen. Yeah, yeah.
UNKNOWN. Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault.
Smashing Security, episode 414. Zoom, just one click and your data goes boom. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 414. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault. Before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta.
It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Zoom, just one click and your crypto went boom. Ransomware, etc.
CAROLE THERIAULT. Okay. And I'm talking biohacking, or is it?
All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, Zoom, don't you just love it?
CAROLE THERIAULT. I do love Zoom. Yeah, COVID would not have been nearly as tolerable without Zoom in my book.
GRAHAM CLULEY. No, Zoom, Teams, what else is there? Google Meet.
All of those things. I don't know what I'd do without spending 5 minutes on every video call, either trying to tell someone else that they're on mute or me trying to find the unmute button myself.
CAROLE THERIAULT. Really? That still happens?
GRAHAM CLULEY. It still happens.
CAROLE THERIAULT. That must be an age thing.
GRAHAM CLULEY. It must be.
CAROLE THERIAULT. Everyone understood that happening in the first year, 18 months of Zoom use.
GRAHAM CLULEY. No, it still happens. It still happens all the time for me.
What'd be great would be, imagine you were a Zoom ninja and you knew it like the back of your hand. Maybe you are, Carole, maybe you are a Zoom ninja.
You could reach through your screen and press the unmute button on my keyboard or choose the option for me. And that would help out people, wouldn't it?
Rather than them floundering around trying to find the unmute button themselves.
CAROLE THERIAULT. I would charge quite a bit for that skill.
GRAHAM CLULEY. Would you?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Well, there is a feature called remote control in Zoom. And it allows you to take control of another participant's screen during a meeting after they've given you permission, obviously.
CAROLE THERIAULT. Screen, you mean desktop screen or Zoom settings screen?
GRAHAM CLULEY. The whole caboodle.
CAROLE THERIAULT. The whole caboodle.
GRAHAM CLULEY. So if they wanted to share something or, you know, if they wanted to highlight something in your document or on your spreadsheet.
CAROLE THERIAULT. Yeah, it may be very useful if you're talking to someone who's having a computer problem and they're not understanding your instructions. You can go, look, just give me permission.
I'll go in, I'll fix the problem. I'm out of there.
GRAHAM CLULEY. Exactly, that way you can control their mouse, their keyboard. You can even copy text from their screen to yours should you wish to, you know, to fill in forms or—really handy.
You're absolutely right. If someone isn't quite as au fait as you are with what to do, and let's face it, not everyone knows how to do everything on their computer, do they?
CAROLE THERIAULT. Let me rephrase that. Nobody knows how to do everything on their computer.
GRAHAM CLULEY. Yeah, you're right. Doesn't matter if you're a head honcho of a firm or the HR head honcho of a firm.
CAROLE THERIAULT. Okay. I would never expect them knowing anything about computers, but okay.
GRAHAM CLULEY. Yeah, but they won't admit it normally, will they?
CAROLE THERIAULT. That's true.
GRAHAM CLULEY. There's no shame in not knowing how to do something or how to do everything with every piece of software. There's always going to be a struggle. There's always going to be, oh, there's a new version of this that's come out.
There's a new version of that. I don't know what to do. I've changed my mouse. I don't know. You know, we can all have struggles.
CAROLE THERIAULT. Yeah, we all have struggles, I would say.
GRAHAM CLULEY. So imagine, for instance, that you are... well, maybe you are, Carole. Maybe you are a leading light in cryptocurrency, for instance.
CAROLE THERIAULT. Yeah, you bet I am. Yeah.
GRAHAM CLULEY. Maybe you run a crypto firm, Carole.
CAROLE THERIAULT. Maybe I do.
GRAHAM CLULEY. Maybe you are an influencer riding the blockchain day and night.
CAROLE THERIAULT. Yeah. Surfing the blockchain, we call it. Yeah.
GRAHAM CLULEY. And you're flattered, aren't you? You are flattered, very flattered when someone reaches out to you, recognising your status, your position, or maybe your company and how well you're doing in that industry.
CAROLE THERIAULT. Maybe. Yeah, I'm probably thinking, yeah. You recognise greatness.
GRAHAM CLULEY. Exactly. And maybe you've been contacted by a company like Aureon Capital. They're a venture capital firm, right?
CAROLE THERIAULT. Admiring me, are they?
GRAHAM CLULEY. They're admiring you. And they send you a DM via Twitter. They say, hey, hey, hey, we'd love to chat to you about investing in your business.
Or maybe you're pinged by Bloomberg conferences and they say, you know what? We'd really like you to speak at one of our events, or we'd like you to be interviewed by one of our reporters. Or maybe, and this frankly is the greatest flattering thing of all. Maybe someone wants you to come on their podcast, Carole.
Maybe you have been contacted by the On Chain Podcast. They've been in touch. You think, finally, I've been recognized.
They want you to be their guest on an upcoming episode. And quite frankly, you are flattered.
CAROLE THERIAULT. Right. Okay.
GRAHAM CLULEY. You are flattered, but you think, it's about time.
CAROLE THERIAULT. This is what I've worked so hard for, for so many years, for this recognition.
GRAHAM CLULEY. This is the big time. This is the big one. All you have to do is click on a link to set up a time for a Zoom call.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Now, I know what you're thinking. Is the link malicious, Graham? Is it going to be one of those stories on Smashing Security this week?
CAROLE THERIAULT. I'm thinking, you know, I would never in a million years even read the email or the DM that suggested I should join the Zoom call if I didn't know the person. So I would never be in this situation.
But okay, yeah, I'd be thinking, I don't know. I don't know. Okay, so I say all that. Okay, okay, I'll play.
GRAHAM CLULEY. Maybe you check out Aureon Capital and you go and check out their podcast and you think, well, they have interviews with other people.
CAROLE THERIAULT. Sounds great.
GRAHAM CLULEY. Sounds great. But no, the link is not malicious, Carole. It really is a link to Calendly, which is a cloud-based scheduling platform for meetings.
I'm sure many of us have used that.
CAROLE THERIAULT. Yep, I've used it.
GRAHAM CLULEY. You have to have the right time to have a call. Lots of people use that.
And before you know it, you've lined up a Zoom call with your potential new investors or the podcast host who wants to chat to you about how amazing you are and about all things cryptocurrency. Now, I know what you're thinking. You're thinking, are they going to send you a malicious link for the Zoom call?
CAROLE THERIAULT. Are they?
GRAHAM CLULEY. They're not.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. They're not going to do that. They are just going to send you the meeting ID number so you can enter into your own version of Zoom and dial into the Zoom call at the scheduled time to have a chat.
CAROLE THERIAULT. You mean click the link?
GRAHAM CLULEY. You can either click a link or what you get is you get a meeting ID number. You can open up Zoom and just enter in the meeting ID number.
CAROLE THERIAULT. Who does that? Who does that?
GRAHAM CLULEY. Well, you could do that, Carole.
CAROLE THERIAULT. No, but who does that? Do you ever do that?
GRAHAM CLULEY. Look, I'm not going to reveal anything about how I protect myself on my computer, but you have that option. Yes.
CAROLE THERIAULT. So they don't give me the link. They just give me the ID to plug into my Zoom. So I need to download Zoom if I don't have it already.
GRAHAM CLULEY. Presumably you have Zoom anyway. Yes.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. You're a head honcho. You're going to have Zoom installed, aren't you?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Everyone's got Zoom, haven't they? They may not use it that often compared to Microsoft Teams or something, but everyone's got Zoom.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Nothing malicious about this at all. It is a Zoom call via Zoom.
CAROLE THERIAULT. Okay. I'm totally with you.
GRAHAM CLULEY. So you've been invited by a VC company, Aureon Capital, or a news organization called Aureon News or Bloomberg, or you've been invited to have a chat for a podcast about the blockchain. What could possibly go wrong? Well, as it turns out, you could be about to lose millions.
CAROLE THERIAULT. So, yeah, because I have millions because—
GRAHAM CLULEY. Because you're a big crypto.
CAROLE THERIAULT. I'm a big crypto queen. Yeah, yeah.
GRAHAM CLULEY. Yeah. Oh, not that one. We've identified Dr. Ruja is actually Carole Theriault.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And what you're about to do is lose millions to a cybercrime gang called Elusive Comet. Okay. And they have been doing precisely this technique to steal millions and millions of cryptocurrency.
CAROLE THERIAULT. How does it go from here's a Zoom call to me losing millions?
GRAHAM CLULEY. Let me explain.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Because it's all to do with what happens on the Zoom call. And it's not that they say, hey, would you mind transferring all this cryptocurrency into our wallet? They don't do that. What they do is they use that little-known feature hidden within Zoom called remote control. So the video conference begins, but a member of the crime gang has also joined the meeting. And here's the really sneaky bit. They don't use their real name. Instead, they call themselves Zoom, and they use that account called Zoom to request remote control of your screen. And what happens is, a pop-up appears on your screen, the victim's screen, asking you to grant remote control in what looks like a regular Zoom permission request. So the actual words are, Zoom is requesting remote control of your screen. Approve or decline?
CAROLE THERIAULT. Yeah. So I'd probably say decline. But I do imagine there are many a CEO with a lot of self-importance that would just go, yeah, yeah, yeah, yeah, yeah, let me get on the call and hear more about how great I am.
GRAHAM CLULEY. But the thing is, I think a lot of people just find it habitual, especially if the app asks for permissions. So, yeah, yeah, yeah, I just want to go on this call because I'm going to make millions and millions by appearing on this podcast. It's going to be very successful, or I'm going to get some venture capital.
This is brilliant. Now, there's a number of people who've been targeted by the Elusive Comet hacking group in this way.
Cybersecurity research consultancy Trail of Bits, their CEO, Dan Guido, he was asked to invite in what presented itself as a Bloomberg Editorial interview, and thankfully he didn't fall for it. He said that what made the attack particularly dangerous, as I was saying, is this permission dialog and the similarity to other harmless Zoom notifications.
So the fact that people were able to join a Zoom call and call themselves Zoom was in itself really, really risky. It was a really clever bit of social engineering because people were tricked into clicking approve because they're so used to giving approval to apps to do things.
Another victim, a guy called David Z. Morris. He is the author of Dark Markets.
That is a newsletter about tech and finance. He was targeted by the Elusive Comet gang again, this time posing as Aureon Capital.
Now, Aureon Capital positioned itself as a real company. It had a website.
It's now been taken down. They had social media accounts.
They had a news agency pumping out news all the time about cryptocurrency. They even had their own podcast.
Where they were pushing all these things out. So if you just did some casual research, you might think they were real.
CAROLE THERIAULT. I love it. It's like podcasts. They had a podcast. That's how real they were.
GRAHAM CLULEY. Only legitimate people have podcasts. It's not like everyone and their granny has a podcast these days.
CAROLE THERIAULT. It takes 2 seconds to put a podcast together with AI these days.
GRAHAM CLULEY. I know, I know that.
CAROLE THERIAULT. I know you know that.
GRAHAM CLULEY. But there it is. It's up on Apple Podcasts and the rest of it. You know, it could be all the reassurance you need.
And when you see other people being interviewed by the podcast who maybe are figures in the world of crypto, cryptocurrency, you may think, "Oh yes, I'd like that opportunity." Now, they could have grabbed that audio from elsewhere.
Anyway, David Z. Morris, his spider sense was tingling, and he did some reverse image searching kung fu, and that told him that something was wrong because he saw Aureon Capital's website, the sort of About Us page where it talked about their staff. He found those pictures elsewhere on the internet.
But his initial thought was, well, you know, it's just a Zoom call, he thought. What's the harm in doing this?
Now, thankfully for him, the call never happened, but he learned from others that if he had joined the call, a common trick which has occurred is that the friendly VCs who've contacted him via Zoom might have pretended that they couldn't hear him, and they then tell him, oh, you know, we can't hear you properly. Can you give us remote control to change your settings, for instance, in Zoom?
CAROLE THERIAULT. Sneaky!
GRAHAM CLULEY. Or otherwise, they can also say, oh, if Zoom isn't working, here's a link to a different video meeting program. And of course, you're under pressure now because you've got an hour slot in your calendar to talk to these people.
The video call isn't working. Let's use this other software which they're recommending because there's some kind of problem with Zoom.
And video calls do sometimes go very wrong, don't they?
CAROLE THERIAULT. Well, for you, they seem to go wrong a lot, but I think that might be, again, age-related. I'm just saying.
GRAHAM CLULEY. Charming. Well, and the outcome of this, of course, is that ultimately malware is installed on your computer. Your accounts get hacked. Your cryptocurrency wallet gets stolen. Researchers at Smashing Security Alliance, they've been looking into this Zoom attack technique and the activities of Elusive Comet, they're advising everyone, do your due diligence to make sure that you're only communicating with legitimate profiles and not—
CAROLE THERIAULT. Oh, come on. I can't even believe you're saying this.
GRAHAM CLULEY. Well, okay, why?
CAROLE THERIAULT. Are you serious? Look at how, look at all the effort they've gone in to try and screw with you. They've got a podcast, Graham. You even mentioned the podcast. How are people supposed to detect that a company is a fraud if they have a podcast?
GRAHAM CLULEY. In which case, in which case, you might be wise to go into your Zoom settings and disable this remote control functionality entirely.
CAROLE THERIAULT. Okay. How do I do that? Let me just check right now.
GRAHAM CLULEY. Links in the show notes.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. To do that.
CAROLE THERIAULT. Okay then.
GRAHAM CLULEY. Now, some people might need them for accessibility reasons. If you have some kind of disability or problem with your computer, it may be that you have a legitimate need to have that, in which case, obviously, you have to be very, very careful who you approve to allow access to use that remote control functionality.
CAROLE THERIAULT. Yeah. Sneaky, though.
GRAHAM CLULEY. It's very sneaky. Carole, what's your story this week?
CAROLE THERIAULT. I want to talk to you about a guy called Bryan Johnson. Have you heard of him? You may have heard of him. He's notably known for being the founder, chairman, and CEO of Braintree.
GRAHAM CLULEY. Oh, I have heard of this chap.
CAROLE THERIAULT. Okay. Okay.
GRAHAM CLULEY. He's a billionaire or something.
CAROLE THERIAULT. Yeah, we're going to get to all that.
GRAHAM CLULEY. Okay. All right.
CAROLE THERIAULT. So do you know Braintree?
GRAHAM CLULEY. In Essex? Yes.
CAROLE THERIAULT. No, no. Braintree. So they're known for mobile and web payment systems for e-commerce companies.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Now, Braintree acquired Venmo. This is way back in 2012.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. For $25 million USD.
GRAHAM CLULEY. And Venmo's a payment thing, isn't it?
CAROLE THERIAULT. Payment app, exactly. And the very next year, this combined entity, Braintree plus Venmo, was scooped up by PayPal, then owned by eBay, for a sweet $800 million.
GRAHAM CLULEY. Yep.
CAROLE THERIAULT. And if you had to guess who might have received the biggest slab of this money cake, you're probably thinking the founder, chairman, and CEO, Bryan Johnson.
GRAHAM CLULEY. Yeah, you'd think so, yeah.
CAROLE THERIAULT. Yeah, Time magazine published that Johnson walked away from the sale of Braintree Venmo with more than $300 million. So not bad. Now, this was 12 years ago, and I'm sure Johnson had a rollicking good time spending some of his millions. But even that must get dull. How many Armani suits can a man get excited about?
GRAHAM CLULEY. None, in my experience.
CAROLE THERIAULT. But if you imagine— if you imagine you were very, very, very loaded. Not a little bit loaded, but very loaded. And you feel lucky. You feel smart. You feel strong.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. You want this to go on forever.
GRAHAM CLULEY. Yeah, yeah, yeah.
CAROLE THERIAULT. It's fun being the kingpin of the pond. But you know, you need something to motivate you because you need to feel alive, Graham.
GRAHAM CLULEY. Yes. Alive. Oh, that would be wonderful.
CAROLE THERIAULT. So what do you do? You could try and save the world from the Zika virus à la Microsoft guy Bill Gates.
GRAHAM CLULEY. Thank you, Bill.
CAROLE THERIAULT. Yes, thank you, Bill. You put up with a lot of grief trying to do that. Put a car in space and play high-ranking bureau twat. Sorry, bureau quat.
GRAHAM CLULEY. Bureau quat.
CAROLE THERIAULT. Bureau quat.
GRAHAM CLULEY. There we are. We got there.
CAROLE THERIAULT. Or perhaps you do what Johnson did 4 years ago when he launched his anti-aging effort that he refers to as Project Blueprint. And this is where the term I've been bandying around, biohacker, comes in. Okay?
It seems to refer to extreme anti-aging practices. I don't think eating 5 a day or drinking just on the weekend would get you anywhere near the label biohacker, right? It's a little bit more extreme.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. A few things about Johnson and his Project Blueprint. It's backed by an annual budget of $2 million dedicated to turning back his biological clock.
GRAHAM CLULEY. Oh, just specifically his?
CAROLE THERIAULT. Yep. Oh, yeah. It's all about him. He's kind of his very own lab rat.
GRAHAM CLULEY. Right. Okay. Right.
CAROLE THERIAULT. Johnson says he follows a strict dietary and lifestyle regimen, right, in pursuit of life extension. So things like after he wakes, he does audio and hair therapy.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Before taking 50-odd pills with an energy drink he calls the Green Giant.
GRAHAM CLULEY. Right. Okay.
CAROLE THERIAULT. He's received plasma infusions from his 17-year-old son. All in the name of trying to achieve more youth.
GRAHAM CLULEY. Oh, lucky son.
CAROLE THERIAULT. He has posted something titled How I'm De-Aging My Penis, in which he points out ways to improve nighttime erections and reveals how he measures penis health. Among the list were semen analyzations and ultrasound-based blood flow testing.
And he then claimed that Botox and shock therapy lowered his nighttime erection biological age to around 20.
GRAHAM CLULEY. Does he use Botox to make it less wrinkly? Is that how he de-ages it?
CAROLE THERIAULT. Well, maybe because he says his nighttime erections, the length of the Titanic, and his boners clock in at 3 hours and 14 minutes. Let's just pause to consider that.
GRAHAM CLULEY. Does that mean it's unsinkable?
CAROLE THERIAULT. At least while he's snoozing, it seems to be. On his very own YouTube channel, Johnson professes—
GRAHAM CLULEY. I don't want to see any of this on YouTube, Carole. No links in the show notes, I hope.
CAROLE THERIAULT. I'm just going to read a snippet of his about me because it's written in the third person. I don't know, do you do that? Do you write snippets as though you're a third party?
GRAHAM CLULEY. Not normally, but sometimes people will ask, you know, can you send us a bio of yourself or something?
CAROLE THERIAULT. So you don't just go, I'm Graham. Well, he does a similar thing.
He goes through his Project Blueprint. The 45, now 47, but at the time 45-year-old Johnson has achieved metabolic health equal to the top 1.5% of 18-year-olds. Inflammation 66% lower than the average 10-year-old and reduced his speed of aging by the equivalent of 31 years.
Now let's pause. I'll say right now that Johnson's claims are not universally accepted. It might be better to see him as a rich guy needing to do wacky shit in front of an audience and win at something.
Maybe, maybe, I don't know. Blueprint, I should mention, is also a company, one that sells health supplements, blood testing equipment, and other products tied to his personal diet and restrictions. So he's also trying to, I guess, claw back some of that $2 million that he's put in to analyzing himself.
GRAHAM CLULEY. It sounds like he's spending an awfully large amount of his day working on this, so he might as well turn it into his career, I suppose.
CAROLE THERIAULT. Monetize it. Yeah, that's what he's doing. So to me, it all sounds a little bit bonkers, right?
And you would think that if he's as bonkers as he might seem, there would be people that have worked with him, people that have partied with him at Brigham Young, his alma mater, people that dated him, that these people would be spilling some beans, right? Is there perhaps a different version of the truth than the one Johnson is peddling? But I just couldn't find much dissent, unless there's nothing to hide.
GRAHAM CLULEY. Unless he has no friends at all, of course.
CAROLE THERIAULT. Sure, and he does nothing with nobody. He said he's a hermit, right?
But what if I told you that Johnson, since 2020, has found a way to play master controller of the narrative? How would one do that, do you think? How would you be master controller of your narrative?
GRAHAM CLULEY. A big legal team.
CAROLE THERIAULT. Yeah, confidentiality agreements, right? So basically, it seems he wanted his online persona and private one to be very separate indeed.
No need for his 4 million-odd subscribers on his social channels to know that he dropped acid with a date. But how to ensure that? Well, whip out an NDA for her to sign before you drop the stuff. No need for his people to know that he dumped his fiancée and fired her from one of his startups when he found out that she had stage 3 breast cancer. It's not going to look good with his whole business, is it, really?
GRAHAM CLULEY. Allegedly, allegedly, allegedly, allegedly, allegedly. Can we— sounds like he's got a lot of money to sue people, Carole Theriault. Let's just remember that, shall we?
CAROLE THERIAULT. But I'm more interested in his work ethic. You see, a blueprint employment agreement with confidentiality terms at his company was 20 pages long, listing dozens of restrictions.
Some had to sign up to 3 separate agreements. And this is a company of about 30 employees.
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. Now, this is all according to The New York Times. One was a rather unusual opt-in agreement, which is not a confidentiality contract, but does aim to protect the company from things like lawsuits.
And so this was sent to employees by email with instructions to sign as normal. Allegedly, allegedly. So under this agreement, employees had to attest that they were okay with Mr. Johnson wearing little and sometimes no clothing. Oh, no underwear. They also had to agree that his behavior was not unwelcome, offensive, humiliating, hostile, triggering, unprofessional, or abusive. They also had to attest that they were okay with hearing discussions of sexual activities, including erections. Now we know from earlier that big boners are a big deal in his world. And it was sent to them under the guise of here's just another thing you got to sign. So imagine having to agree to that prior to said behaviors, sign this, now I'll fart on you. You can't do anything.
GRAHAM CLULEY. Charming.
CAROLE THERIAULT. And it turns out that his practices, including asking people to volunteer in a study, and by volunteer, apparently got them to pay $2,000-odd for the honor rather than follow clinical practices where people are chosen at random. 60% of people apparently, according to secret filings that The New York Times saw, suffered at least one side effect.
And he released a documentary last year about his anti-aging venture where he claims that his age has reversed by 5.1 years. But an internal range of studies on his health show his bioage had increased by as much as 10 years.
GRAHAM CLULEY. You can de-age yourself just by getting a haircut, can't you? I mean, 5 years, that sounds a bit feeble.
CAROLE THERIAULT. Yeah, I call it the blur function on Zoom. But my point is this, my point is this: employees did not feel they could share the findings or the set of rules they had to live by because they had signed their rights away.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And this is while he walks around half naked barking orders about nudging his pill popping routine.
GRAHAM CLULEY. Allegedly.
CAROLE THERIAULT. Allegedly. Now, I wonder how many companies are pushing the boundaries with what they can include in the small print in the agreements. Because as you say, people rarely read them, despite my many reminders over the years.
So why wouldn't companies have a crack at it? And it seems these types of clauses are meant to isolate the employees so they can't even talk with other employees or friends or family about what concerns them, what they're involved in at work, you know, what a sham the whole thing might be.
And I wanted your opinion on something. So, would you advise people about to sign contracts to maybe try AI, like a general or maybe even legal-focused AI, to isolate sections that might be contentious?
GRAHAM CLULEY. Oh, I think you've got to be careful about that.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Ideally, you get someone knowledgeable to look at it. If you don't trust—
CAROLE THERIAULT. It costs a lot of wonga.
GRAHAM CLULEY. Yeah, well, if you don't have a friend who's got that kind of brain and you don't feel that you can do it yourself, then you're right. It could cost you a lot of money, couldn't it?
But the problem with sharing these things with the AI sometimes is both the AI may not be reliable, but also that you're sharing potentially confidential information with a large language model, which may learn things from it and spit them out again later. So I'd be nervous of it, frankly.
I was having some conversations over the last week or so with people in my normal, non-tech life, and it's staggering how many people are using AI for everything in day-to-day life now.
CAROLE THERIAULT. So Johnson might be feeling the wobble right now because it sounds like it might be perhaps, perhaps, allegedly, allegedly a house of cards. And there seems to be a bit of internal whistleblowing going on that's gaining momentum.
The guy also just announced his own religion, though. It's called Don't Die. Says it'll save the human race, which, you know.
GRAHAM CLULEY. Well, yeah, probably would, wouldn't it?
CAROLE THERIAULT. Might be in the name.
GRAHAM CLULEY. Yeah. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY. You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.
CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A dot com/smashing. And thanks to Vanta for sponsoring Smashing Security.
Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?
GRAHAM CLULEY. Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
CAROLE THERIAULT. 1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
GRAHAM CLULEY. So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, Carole, my Pick of the Week this week is not security-related. My Pick of the Week this week is, well, I wonder if you remember a while back I recommended an e-reader that I'd bought, the Kobo Clara BW e-reader.
CAROLE THERIAULT. Oh!
GRAHAM CLULEY. For reading ebooks.
CAROLE THERIAULT. I know someone who's looking to potentially upgrade their Kobo, and I know nothing about them. So I forgot about that completely that you mentioned that.
GRAHAM CLULEY. Ah, yes. So I'm very happy with it. It's like a Kindle, but it's not tied to Amazon.
It comes from another company and isn't stuck with them. And I think you mentioned, Carole, that your mum has a Kobo e-reader as well, but she found the user interface a bit of a challenge.
CAROLE THERIAULT. Or it might have been me finding it really difficult to use as well.
GRAHAM CLULEY. Well, I was interested in how I could tweak the Kobo to do some extra stuff, and I stumbled across a piece of open-source software that I could install on it, and you can install on a Kindle as well. So it doesn't just work on Kobos, it also works on Kindle, and it is called KOReader, or KOReader with a K.
And essentially it makes your e-reader more capable. So it handles more ebook formats.
You can tweak the user interface in a gazillion different ways to be exactly what you like. The pages turn faster.
If there are things which you don't like, you can turn off all of these extra things. It's a completely new user interface.
It isn't just tweaking the existing user interface on your e-reader. It's giving you a whole new user interface.
CAROLE THERIAULT. Yeah. Can I ask a question?
GRAHAM CLULEY. Yeah, sure.
CAROLE THERIAULT. My experience with the Kobo and trying to get someone hooked up to their library with it, because I was talking about it on the show, was using OverDrive, I think it was called.
GRAHAM CLULEY. That's right. OverDrive. Yes.
CAROLE THERIAULT. Is that the only way you can do it? Because that was really difficult.
It's a bit clunky, the experience I had with it, trying to install it.
GRAHAM CLULEY. It's much more flexible with KOReader in my experience.
CAROLE THERIAULT. Oh, interesting.
GRAHAM CLULEY. You can just plug your e-reader into your computer and copy over books to then read them on your e-reader. If you have a piece of software called Calibre, which is another freely available piece of software, and set it up correctly, you can even do this wirelessly as well.
So just updating a directory on your computer will automatically update your e-reader as well. Anyway, my experience has been great.
I've been tinkering with my fonts, I've been installing my own, I've been changing the user interface, I've been more easily sideloading books, and it's been great. And I've been most recently reading a book called Killing Thatcher on my e-reader by Guardian reporter Rory Carroll.
It's a really gripping book about the 1984 bombing by the Provisional IRA of the Grand Hotel in Brighton, where Margaret Thatcher and the British cabinet were staying for a party conference. Really interesting book.
Talks about the resurgence of the IRA during the '70s, the assassination of Lord Mountbatten, as well as, of course, the background to the Brighton bombing, as well as its aftermath. So I would recommend that book as well.
But my pick of the week is KOReader, and I hope you find it useful. Cool, Carole, what's your pick of the week?
CAROLE THERIAULT. I have a book as my pick of the week.
GRAHAM CLULEY. Super.
CAROLE THERIAULT. A noble work called The Urge: Our History of Addiction by Carl Erik Fisher, and it was published a few years ago, 2022. It was named best book of the year by The New Yorker and The Boston Globe.
So I dove in without much context. But the author is an addiction psychiatrist and also an addict.
And wanting to learn more about his own addiction, he turned to learning about addiction's history and the century-old struggle to manage and treat addictive behaviors. It took him a decade to pull this book together.
And it's so good because it's woven between snippets of his own personal dealings with his demons that almost destroy him. He also then looks at conditions and treatments over the decades, some that produced relief, sometimes shamed people, and sometimes made things much, much worse.
Sometimes did all three. So anyway, it's a great work.
It's written with heart, compassion, commitment, and worth a look if you or someone you love struggles with addiction. That's The Urge: Our History of Addiction by Carl Erik Fisher.
That is my pick of the week.
GRAHAM CLULEY. Terrific. And that just about wraps up the show for this week.
You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't have us. And don't forget to ensure that you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And thank you to our episode sponsors, 1Password and Vanta, and to our wonderful Patreon community. It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 413 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye. Graham?
GRAHAM CLULEY. Yes?
CAROLE THERIAULT. Do you see in the notes I put a picture of Mr. Johnson? Do you see his little pic there?
GRAHAM CLULEY. I think he looks better before.
-- TRANSCRIPT ENDS --