The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes.
Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer.
All this is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Update regarding cybersecurity incident - Tea.
- Hackers steal images from women's dating safety app that vets men - BBC News.
- A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating - 404 Media.
- American musical satirist Tom Lehrer dies at 97 - BBC News.
- Tom Lehrer website.
- Tom Lehrer sings The Elements, live in Copenhagen, 1967 - YouTube.
- Tom Lehrer sings “New Math” (animated) - YouTube.
- Carole’s Substack.
- Libby - Library app.
- Shokz UK.
- Two Birds Yoga - YouTube.
- Thermapen.
- BBC Sounds.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. They say the problem is that a legacy data storage system was compromised.
CAROLE THERIAULT. So we had this car in the car park and all the files were in the trunk. I know, I know. And it's like some guy got in there and stole all of them.
UNKNOWN. Smashing Security, episode 428, Red Flags, Leaked Chats, and a Final Farewell with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 428. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Now, Carole, I believe you've got some pretty big news for our listeners that you're going to be sharing later on in the show.
CAROLE THERIAULT. Yes, so you're going to have to listen the whole way through, dudes.
GRAHAM CLULEY. Oh, you're keeping me in suspense here.
CAROLE THERIAULT. But listen, before we kick off, why don't we thank this week's wonderful sponsors, Vanta and 1Password? It's their support that helps us give you this show for free. Coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be spilling the tea.
CAROLE THERIAULT. And I'm hitting the Wayback Machine, Smashing Security style. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, Carole, have you ever heard of this phrase, spilling the tea?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. It's something young people are talking about a lot these days. The tea and— Well, I don't know. Sharing gossip or something. What is it?
CAROLE THERIAULT. I don't know. I think we do have a teacup on our actual logo.
GRAHAM CLULEY. We do.
CAROLE THERIAULT. So—
GRAHAM CLULEY. I think it's like dishing the gossip or something, isn't it? Or it's like, you know, let's—
CAROLE THERIAULT. Oh, it's like, oh, let's get our tea and sit, you know, like get the popcorn, like sit down, snuggle up, because this is going to be delicious.
GRAHAM CLULEY. I think so.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I think so. And it's also this tea thing, as well as being a drink involving boiled leaves in water.
CAROLE THERIAULT. A very delicious one, you know.
GRAHAM CLULEY. Well, if you think so.
CAROLE THERIAULT. I do.
GRAHAM CLULEY. It's also an app. An app which has proven really, really popular lately. There is this Tea dating advice app. Have you heard of it?
CAROLE THERIAULT. No.
GRAHAM CLULEY. Oh, it was first created back in 2023 by a software engineer called Sean Cook.
CAROLE THERIAULT. Well, I haven't been dating since I'm married.
GRAHAM CLULEY. Fair enough. No, but there's a lot of people talking about this. He wrote this app because he said his mum kept on getting catfished online. I guess she was doing some online dating.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. And so he created this app which allows women to review guys who they've been on dates with.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And so you can look someone up maybe before you go on a date with them, or if you're a little bit suspicious, maybe you've been chatting to someone on a dating app and you're not quite sure about them. You can look them up to see what other women have to say about them. So, according to the website for this Tea app, you can find verified green flag men, which means, I guess, this one's a good one.
CAROLE THERIAULT. How do they know they're good?
GRAHAM CLULEY. Oh, because other women have said, oh yes, this is a good guy. You know, this isn't a bad one.
CAROLE THERIAULT. Not a ladybot, but a lady lady.
GRAHAM CLULEY. Yes, yes. And you can also run background checks. For instance, you can look for any convictions they— people might have, or criminal history a man might have, or what's their marital status. You know, are they actually married and they haven't been telling you that they're married or in some kind of relationship?
CAROLE THERIAULT. Okay. Yeah, yeah, yeah. So this kind of way of finding, was it, what's that expression? The chaff for the wheat, the wheat for the chaff.
GRAHAM CLULEY. Wheat from the chaff.
CAROLE THERIAULT. You're getting more wheat.
GRAHAM CLULEY. It's probably the way around you do it. Yes.
CAROLE THERIAULT. You're getting more wheat here is the idea.
GRAHAM CLULEY. You can identify possible catfish. So you can do a reverse image search in this app so it can say, "Whoa, interesting." Because this guy's photograph looks awfully like, I don't know, Brad Pitt or whoever it might be. Or Ryan Reynolds.
CAROLE THERIAULT. Yeah, see, maybe someone in the octogenarian age group might not know who Brad Pitt is.
GRAHAM CLULEY. That's right. Okay, well, you know. Who's an equivalent? Somebody like—
CAROLE THERIAULT. Johnny Carson?
GRAHAM CLULEY. I'm not sure he's dating anyone.
CAROLE THERIAULT. Dick Van Dyke?
GRAHAM CLULEY. Is Dick Van Dyke still alive?
CAROLE THERIAULT. Oh, I don't know, actually.
GRAHAM CLULEY. Listeners, don't bother contacting us today. Unless you are Dick Van Dyke. Anyway, last week, this Tea dating app, it topped the Apple iPhone charts.
CAROLE THERIAULT. What?
GRAHAM CLULEY. Yes. Number 1 above ChatGPT, above Google, above WhatsApp. I told you it's a pretty big deal. That's why I thought you might have heard about it.
CAROLE THERIAULT. So people are flocking to this app where they can actually verify because they're sick of being catfished and bullied and whatever.
GRAHAM CLULEY. It's a big hit.
CAROLE THERIAULT. Yeah, okay. Yeah.
GRAHAM CLULEY. People, specifically women, are fed up of how dating works online. They're fed up of the low quality of men, or they're fed up of catfishers, or they're fed up of them being sex offenders or having some ghastly background. And so this app has become a viral sensation. About 1 million women have started using this app in the past week or so. It claims to have over 4 million users in total. So it's really exploded.
CAROLE THERIAULT. Okay. Okay. So I'm just going to tell you with my suspicious hat on.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. You know, Ashley Madison claimed they had a lot of women on the site.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. This is different. This is really, really live women flocking to the site.
GRAHAM CLULEY. Well, I haven't verified that myself.
CAROLE THERIAULT. Okay. Okay. Of course.
GRAHAM CLULEY. But it certainly claims that. When you open the app, you will see local men in your area whose pictures have been uploaded. Right? You could get this app. In fact, it's only US-based at the moment. So I guess you couldn't get it. But if you're in America, you can get this app, you can boot it up, and you can see men who are around. And you'll be able to see if a man is being labeled as a red flag or a green flag and any comments left by other women. Now, obviously, those comments which are left are anonymous. So the women have pseudonyms. You don't use your real name on the app.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. Which makes sense, you know, because obviously there could be recriminations if a man's not very happy of what you've said. Although the man might suspect, you know, if he had a relationship which ended rather badly, it's like, oh, okay, yep, I can guess which one that was. You can also look up specific names in the search bar and create alerts. And it's not just about looking at comments for men's red flags. You can also use Tea's Catfish Finder AI to run background checks or look for criminal histories, public records, et cetera, et cetera.
CAROLE THERIAULT. Geez, it's so scary. This is what has to happen.
GRAHAM CLULEY. Do you think it's scary?
CAROLE THERIAULT. If you date someone, you want to go for coffee and see if you guys get on and you've got to go background checks.
GRAHAM CLULEY. Well, I guess lots of women have had bad experiences and that's why they're turning to an app like this. Oh, and according to the website, 10% of its profits go to support the National Domestic Violence Hotline.
CAROLE THERIAULT. That sounds very good.
GRAHAM CLULEY. Yeah. Sounds like a good thing, right?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And now, of course, they want to keep bad guys out of the app. The app is supposed to be for women only. So when you make an account, you tell it your location, you tell it your date of birth, you take a selfie to verify that you're a woman, and you wait to be approved. Some people have complained. They say it takes a few days to get approved. I guess because a million people have signed up in a week, that even if they have an automated system, it must take some time to determine if a picture is going to be of a woman or not.
CAROLE THERIAULT. May I ask, do you know if this spread via word of mouth, or what made its tipping point? You don't know, or—
GRAHAM CLULEY. Well, it's been going for a few years. I don't know, but it appears to have just ignited. It's caught fire just in the last couple of weeks. And suddenly the media are going crazy about it, saying, oh, I went on this app. This is how it worked. This is what you need to know about it. And of course, the more news stories, the more people go on it, the more people write news stories. So, you know, it seems to me like as a concept, it sounds like a good idea.
Anything which has good intentions, you know, it's about keeping women safe. It's about giving them a space to share their bad experiences with guys so that others don't have to go through the same thing. That seems like a good thing. But that's not to say there hasn't been controversy because some men have claimed that it violated their privacy. Some men have said that posts about them on the app are false or misleading.
CAROLE THERIAULT. Right. So is this a bit name and shame?
GRAHAM CLULEY. Yeah, well, exactly. Because there you are, there's your photo and people are saying you're a terrible human being. And obviously there will be some men who are terrible human beings and are right to be called out. But there'll be others who say, well, you know, that isn't really what happened, you know.
CAROLE THERIAULT. Or there'll be some people whose identity have been stolen and it's not even the picture of the—
GRAHAM CLULEY. Oh, I see.
CAROLE THERIAULT. Right. There's some guy, innocent person whose pictures and, you know, job profile has been taken.
GRAHAM CLULEY. Right. So if someone used a photo of somebody else and they acted badly online, maybe the person never even met them. Right. And they just say, he's a bad guy.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. It's well, that wasn't even me. And of course, men aren't allowed on the app, which means they don't have an opportunity to—
CAROLE THERIAULT. I'm not sure how they tell. Do you send a picture of your genitals? How does that work?
GRAHAM CLULEY. It's interesting. So the app takes a selfie of you.
CAROLE THERIAULT. Oh my God.
GRAHAM CLULEY. A few years ago, it used to take a photograph of your identity documents and upload them. It doesn't do that anymore. Now it does a selfie. And it does some kind of check which determines if you're a woman or not. And I'm sure sometimes it could make a mistake in either direction.
CAROLE THERIAULT. Uh-huh. Okay.
GRAHAM CLULEY. But you can easily imagine that misinformation could run wild up there and personal information could be shared that could be inappropriate. Yeah.
CAROLE THERIAULT. If you've been, say something bad's happened to you and you went on there to kind of say, hey, I'm sharing all my stuff so it doesn't happen to you.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. That information is involving someone else who— yeah, I totally get it. Yeah.
GRAHAM CLULEY. How do you feel about this? Do you think this is a good thing, this kind of app?
CAROLE THERIAULT. I think that's a very complicated question that I'm not going to touch with a 10-foot pole.
GRAHAM CLULEY. Well, let me try and make it a little bit easier for you to decide because there is a cybersecurity angle.
CAROLE THERIAULT. No!
GRAHAM CLULEY. I'm afraid so. Yes, Smashing Security touching on the topic of cybersecurity. Who'd have thought it? Last week, an itsy bitsy little problem was revealed with the Tea dating app.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Because it turns out it suffered something of a security breach. And this problem first emerged in that nightmarish petri dish that is the internet message board 4chan.
Because some people on 4chan, which is a repellent corner of the internet quite frankly, began posting data that appeared to have originated from inside the Tea dating app.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. 72,000 images, including approximately 13,000 selfies and photographs of ID documents submitted by users during their account verification process, and approximately 59,000 images publicly viewable in the app from posts and comments and direct messages. They were compromised. They fell into the hands of the 4chan community.
CAROLE THERIAULT. And we don't know how.
GRAHAM CLULEY. Well, according to Tea, they say the problem is that a legacy data storage system was compromised. They say this is a problem related to data.
CAROLE THERIAULT. So we had this car in the car park and all the files were in the trunk. I know, I know. And it's some guy got in there and stole all of them. So—
GRAHAM CLULEY. You might be onto something. Maybe if they'd actually left it in the trunk of a car, that would have been more secure than what they had. Because I've read reports which said there were no passwords involved. Anyone could just go to this place on the web and download all this stuff.
CAROLE THERIAULT. Do you think this was a honey trap for women?
GRAHAM CLULEY. No, I don't think that.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I don't think so. I think it was created with good intentions, but maybe not the greatest quality control. So the data affected, according to Tea, was related to users who signed up before February 2024.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So, okay.
GRAHAM CLULEY. So a few years ago, before the current sort of big hype about this Tea thing. So it's an old backup almost.
CAROLE THERIAULT. The ones that made it happen. Yeah.
GRAHAM CLULEY. And some people are a bit annoyed about it.
CAROLE THERIAULT. Some people say, "No!
GRAHAM CLULEY. Weren't you meant to delete those photographs I uploaded as soon as you verified I was a woman." And according to Tea, they said, well, that data was stored in accordance with law enforcement requirements on this legacy backup system. At this time, they said, we have no evidence to suggest that the photos can be linked to specific users within the app, which—
CAROLE THERIAULT. Oh, well, I thought, hmm, I thought, have they heard of this thing called the internet? I don't know if they've—
GRAHAM CLULEY. Reverse image search, just the Tea app does. And furthermore, some of these images are of ID documents, which presumably have your name on them, maybe?
CAROLE THERIAULT. Imagine people using passports.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So, Tea says, "As we grew our community, we migrated to a more robust and secure solution, which has rendered that any new users from February 2024 until now were not connected to the images involved in this incident." So I guess that's a relief for all of those new users, at least.
CAROLE THERIAULT. Sure. And really sorry, those guys that believed in us before we, you know, were anything. Yep.
GRAHAM CLULEY. Oopsie. Big relief. Oh, hang on, hang on. Because there's an update. You see, as 404 Media reports, there's just been another major security issue discovered with Tea. And it doesn't just relate to users who registered before February 2024. In fact, it relates to data as recently as last week.
CAROLE THERIAULT. No, I'm not laughing. I'm just saying if anyone's listening and this is you, I am not laughing at— it's too horrible even to imagine.
GRAHAM CLULEY. It is horrendous, isn't it?
CAROLE THERIAULT. It's awful.
GRAHAM CLULEY. Seattle-based researcher Kasra Rahjerdi was able to access a database of 1.1 million messages. Stretching from early 2023, which is when the app was effectively created, to last week, includes messages from women claiming particular men were their husbands or they were engaged to them, or messages from women who were discussing their abortions and other private information like that. Chat logs between women who discovered they were dating the same guy.
In fact, this vulnerability meant that any Tea user at all could use their own API key to access a recent database of everybody's communications, including a mass of private messages, some of them containing highly personal identifiable information such as phone numbers. And you remember those scumbags on 4chan? What they've been doing is they have created a website now where it's basically Hot or Not. It lets you compare the selfie images.
CAROLE THERIAULT. Don't, don't.
GRAHAM CLULEY. Oh my God. And you are invited to choose who is hotter than the other. So there's a lot of misogynist stuff going on here.
I think the idea of, wouldn't it be great if women could check if someone was a bad guy or not, is a great one. But it's so problematical the way in which this has been set up. Now, in some countries, for instance, in the UK, there's a thing called Clare's Law. Where you can actually go to the police and you can request, I think you can say, I'm dating this guy or I used to date this guy and I'm a bit worried about them. Can you tell me if they've got a bit of a history?
CAROLE THERIAULT. I've covered this on the show before, I think.
GRAHAM CLULEY. Oh, right.
CAROLE THERIAULT. OK.
GRAHAM CLULEY. Excellent. So it's good that some countries have that as an alternative. But of course, it's not there available to you at your fingertips inside an app.
And the police may decide, well, it's not in the public interest or, you know, they will review any request like that to see if it's actually appropriate to share that information. Today, just before we started recording, I went to have a look. Tea is currently the second most popular app in the US Apple iPhone store. It beats Threads, Google, WhatsApp, Google Maps.
It's only being beaten by ChatGPT. You will find no mention whatsoever on Tea dating app's main web page that refers to any kind of security incident at all. There is, if you manage to find it, I have the URL which I'll put in the show notes. You can read about the cybersecurity incident.
They have put out a statement about it, but if you are installing this app, you won't know it's happened unless you've seen the media reports or heard podcasts like this one.
CAROLE THERIAULT. So, that opens a little interesting can of worms. Don't you think these stores where you get apps that have verified apps, don't you think if they're aware of this, they would suspend the app until the problem is sorted?
GRAHAM CLULEY. I mean, that would be nice, wouldn't it?
CAROLE THERIAULT. If they just said, sorry, not available right now, we'll get back to you once it's confirmed to us, problem's gone.
GRAHAM CLULEY. I would think that Apple may not want to get into that legally in case they reduced access to an app and then denied income to the app makers, even though this is actually a free app. They may be worried that there's legal action then taken against them, but—
CAROLE THERIAULT. Well, they might have legal action facing the other way saying, look, I thought the app was safe. It was number 2 in your app store.
GRAHAM CLULEY. Yeah, I think right now, if anyone deserves some legal action, it's software engineer Sean Cook, who created the Tea dating app, and the rest of his company. They're probably the ones who should be most concerned rather than them firing off legal action themselves. Anyway, so my advice—
CAROLE THERIAULT. Your advice as a woman, as a woman, Graham, tell us.
GRAHAM CLULEY. No, I'm not going to give you advice about dating. All I'm going to say is, if you're using this app, or if you maybe have a friend who's using this app, even if you're not doing online dating, this app is— Stop!
Yes, stop, uninstall, stop using this app. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, I'm going to take us back to the year 2016.
GRAHAM CLULEY. Ah, the good old days.
CAROLE THERIAULT. This is almost August, right? This is the end of July.
And this is the time that typically you and I, Graham, have taken, you know, a few weeks off to recoup in the show, but there's been a little shake-up around here. So get your cup of tea, listeners, indulge me with a little light jog down the Smashing Security memory boulevard, because 2016 was a big year. I don't know if you remember, but it was a big year. That was Brexit year for us.
GRAHAM CLULEY. David Bowie died. Everything went wrong after that, really.
CAROLE THERIAULT. Donald Trump. Just saying, that was the first time he was elected.
GRAHAM CLULEY. I think people hardly noticed. Didn't make much impact on the world, did he?
CAROLE THERIAULT. And this is when Smashing Security slid into the world like a screaming baby. That was in December 2016.
GRAHAM CLULEY. A long time ago.
CAROLE THERIAULT. Yeah. The brainchild of, you know, Graham, me, but also Vanja.
GRAHAM CLULEY. Vanja Svajcer.
CAROLE THERIAULT. Do you remember our first episode?
GRAHAM CLULEY. I do.
CAROLE THERIAULT. Do you remember doing it?
GRAHAM CLULEY. I do. The first episode we actually did as a Zoom call. It was a video thing, wasn't it?
CAROLE THERIAULT. Oh, I to this day cannot believe you talked Vanja and I into that because both of us are pretty camera shy and you aren't, right? You're a little bit camera happy.
GRAHAM CLULEY. Some of us are more photogenic than others. That's the thing. The camera loves you. The camera loves me.
CAROLE THERIAULT. How did you convince us to do that? Because I was petrified. I was petrified. I think I spent 10 hours writing my story.
GRAHAM CLULEY. I thought you were going to say you spent 10 hours doing your hair.
CAROLE THERIAULT. You would think that. He's over 50, people. And we talked about that, the pains of providing tech support to family and friends.
GRAHAM CLULEY. Oh, yes. Yes, that's right.
CAROLE THERIAULT. But the video thing was really hard for me, but soon you acquiesced on the YouTube thing, right? You gave up on the YouTube thing, which was a great decision, I think.
GRAHAM CLULEY. It was interesting because I think the initial idea was if we do it as video, we don't have to edit it. So it won't take that long.
And then we made the quite sensible step of going to audio, but we then thought maybe editing is quite important actually, so we don't sound like complete clonkers.
CAROLE THERIAULT. Well, yeah, for the listening experience, it's also better.
GRAHAM CLULEY. Yes. It is. I think so. This podcast is actually edited.
CAROLE THERIAULT. And that was hard in itself, wasn't it? Learning how to do all that. Learning how to edit. I started in GarageBand.
GRAHAM CLULEY. Yeah, we've used lots of tools.
CAROLE THERIAULT. Which was really complicated because it's a pretty powerful music-inclined system.
GRAHAM CLULEY. After a while, we moved to Logic Pro.
CAROLE THERIAULT. Yeah, I liked Logic. I got really into it, but then, right. Yeah, we now use Hindenburg and it's excellent. We've used that for years, haven't we?
GRAHAM CLULEY. Yeah, I love Hindenburg.
CAROLE THERIAULT. Me too, me too. It is great. But we did 10 episodes before Vanja had to excuse himself from being a regular host on the show.
GRAHAM CLULEY. Yeah, like a rat from a sinking ship.
CAROLE THERIAULT. Well, no, he had to. And it was a baptism of fire for both of us because we had to learn everything, but also we had to figure out how we were gonna deal with that. And this is when we got guests, right? This is when we started getting guests, weekly guests on the show.
GRAHAM CLULEY. Paul Ducklin, he was an early one.
CAROLE THERIAULT. He was.
GRAHAM CLULEY. The wonderful Maria Varmazis.
CAROLE THERIAULT. Well, she's my queen to be. These are my tops. This is what I think have done the most shows.
GRAHAM CLULEY. Okay, don't upset people by leaving out names of anyone significant.
CAROLE THERIAULT. Well, that's your job. That's your job. So, I've made a list already. So, the glorious Anna Brading, right? She's always been fantastic on the show. Dave Bittner has come on many, many times from the CyberWire.
GRAHAM CLULEY. Bittner's a star.
CAROLE THERIAULT. He's a star. Geoff White has done loads of shows with us.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. But Maria's the one.
GRAHAM CLULEY. She's our top guest, I think.
CAROLE THERIAULT. She's done 43 shows with us.
GRAHAM CLULEY. 43. Wow.
CAROLE THERIAULT. 43. It's mind-blowing.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And a lot has happened in the tech space too, right? We had GDPR. That's the most important. That happened during our reign.
GRAHAM CLULEY. You actually read the GDPR regulations.
CAROLE THERIAULT. From cover to cover.
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. Cambridge Analytica scandal happened then.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. That I don't know if you remember, but we had this little mini pandemic and we actually podcasted through the entire pandemic.
GRAHAM CLULEY. Yeah, but I know that sounds like it was a big deal, but frankly, there wasn't that much else to do, was there?
CAROLE THERIAULT. Well, we both got COVID during that time.
GRAHAM CLULEY. I never got COVID.
CAROLE THERIAULT. No?
GRAHAM CLULEY. I didn't. No, no, no.
CAROLE THERIAULT. You've never had it?
GRAHAM CLULEY. I've never had COVID.
CAROLE THERIAULT. Oh, yeah.
GRAHAM CLULEY. I did lose my voice one episode.
CAROLE THERIAULT. And the show grew, right? Because we added things like Pick of the Week.
GRAHAM CLULEY. Pick of the Week.
CAROLE THERIAULT. We added, we got sponsors.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. We got stickers.
GRAHAM CLULEY. T-shirts.
CAROLE THERIAULT. A Patreon community.
GRAHAM CLULEY. We went on tour. Do you remember that tour we did?
CAROLE THERIAULT. We did go on tour.
GRAHAM CLULEY. We went to Duxford near Cambridge. We went up to Edinburgh.
CAROLE THERIAULT. We did.
GRAHAM CLULEY. Did we go to Northern Ireland?
CAROLE THERIAULT. Manchester.
GRAHAM CLULEY. Manchester. Manchester. Okay.
CAROLE THERIAULT. Yeah, we interviewed CEOs, founders of all kinds of companies. Can you think of things that we covered through all that time?
GRAHAM CLULEY. We mostly tell people not to use the same password on different websites.
CAROLE THERIAULT. We've talked about Roombas.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. NFTs.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. Wireless headphones. I had a lot of stink about wireless headphones. We both did. We hated the idea of AirPods or wireless head listening devices.
GRAHAM CLULEY. Yeah, I still don't like the idea of wireless earphones. That's a terrible idea.
CAROLE THERIAULT. Oh, you don't have any?
GRAHAM CLULEY. No, I don't. I refuse to. Oh, do you have them?
CAROLE THERIAULT. Yes, I'm totally a convert.
GRAHAM CLULEY. Don't you have sweaty ears? Don't they fall out of your ears?
CAROLE THERIAULT. No, wait till my pick of the week.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. We talked about drones.
GRAHAM CLULEY. Drones, yeah.
CAROLE THERIAULT. Smart sex toys. IoT.
GRAHAM CLULEY. Oh, I like the way you quickly went past smart sex toys.
CAROLE THERIAULT. Robo dogs. And behind the scenes, things were a little bit interesting. You know, recording. Sometimes you're— I think you were in Australia under a table sweating to death as you tried to record.
GRAHAM CLULEY. I did that once from Morocco, I remember.
CAROLE THERIAULT. Was it from Morocco?
GRAHAM CLULEY. Yeah. I may have recorded in Australia as well. That is possible.
CAROLE THERIAULT. I remember writing a story and doing everything, researching, choosing it, writing up, recording it. And I don't remember who noticed it. But we suddenly realized it was 3 years old and no good. And then we had to somehow re-research, re-choose a story, rewrite, re-record, and do that all. And I think we did it without disruption to the schedule.
GRAHAM CLULEY. Yes, we've pretty much kept the schedule for years and years and years, you know?
CAROLE THERIAULT. And we've done really well. I just wanted to give us a clap on the back. Not a clap, pat on the back. And say that we've stuck through thick and thin, right? For what, 420-something episodes every single week? And we've been salty with each other occasionally, right? But we still get a funny show out of it. And I'm no longer going to be a regular feature on the show.
GRAHAM CLULEY. Now it's out there.
CAROLE THERIAULT. Yes. It's out there. So I'm hanging up my co-host hat after almost 9 years. And it's huge. It's a really big decision. It's big. It's big. It's big.
GRAHAM CLULEY. And it's big for our listeners.
CAROLE THERIAULT. Well, it might be. I don't know. But I'll tell you why I'm doing it. I just want to watch more Netflix. Okay, so the past year has been a bit of a difficult year, like lots of personal stuff, family stuff, life stuff, all that stuff. It all came into a little whirlwind. Go see my future memoir for details. But yeah, and it's kind of forced me to take a closer look at what I do and where I spend my time. And one of the things I had to look at pretty hard was the world of tech and cyber and security. And for me, it's morphed into this ginormous monster that I barely recognize anymore. And that gets difficult because I don't feel super cozy commenting upon this stuff. And it demands more and more time to keep on top of it because there's more and more of it. And so if you have to do a show each week, especially when you co-host with someone who's much more on top of things, because this is what Graham lives and breathes by. Yeah, you kind of think maybe you need to take a step back and look at what else to do.
GRAHAM CLULEY. Well, what a fabulous co-host you have been, Carole.
CAROLE THERIAULT. I've shown up.
GRAHAM CLULEY. You have shown up. 428 bloody episodes. Very, very impressive. And I know that I won't be the only one who will miss you on the show.
CAROLE THERIAULT. No one's gonna miss me. Well, they might miss me if after I say this, can I say my next bit first? Because I do have a huge thank you, right? Especially to listeners. And especially those listeners who listen week in and week out.
Because I was thinking about it, and it's kind of being invited into someone's ear holes every single week. And it's a pretty big honor. Because if you think the average Smashing Security show is 45 minutes.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And we do around 50, whatever, 40 shows a year. That's a lot of hours. It's probably going to be more than a work week.
And that's more than I talk to 99.8% of the people in real life. Except for you, Graham, right? Because you have to listen to all that, plus listen to it again when we edit, and plus before we publish, we have to listen to it. So we've been listening to each other a lot, a lot, a lot.
Maybe more than 150 hours a year we have to listen to each other. But I think we should be super proud because we did something great, and we did it for a long, long time.
So huge shout out to you listeners. Huge shout out to those who supported us on Patreon.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Huge shout out to the guests who came on the show to give us a different angle.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And to the sponsors who help pay our bills and allowed us to do this show. So from the bottom of my heart, wherever you are on the planet, I appreciate you.
I thank you. And don't panic because the show will go on in a new form.
GRAHAM CLULEY. The show will Carole Theriault, we will not be the same without you, Carole, but the show will carry on. Stay tuned for more.
And of course, if anyone's got any feedback on what they'd like to change about the show, anything that, this is your chance.
CAROLE THERIAULT. This is your chance. You can write to Graham and say, finally, finally, you're free.
GRAHAM CLULEY. Email us at .
CAROLE THERIAULT. Yeah, but if you want to share any thoughts with me directly, I would love to read them. So you can email me directly at .
Yes, WTF. I don't plan to disappear from the planet entirely.
Sticky Pickles will be resurrected soon, and there's a few other projects in the making. So keep 'em peeled. And thank you.
GRAHAM CLULEY. I'm sure it won't be the last time our listeners hear your voice, Carole.
CAROLE THERIAULT. Well, I hope not for them. My God, how will they live?
GRAHAM CLULEY. All right. Should we go and check out some of those sponsor messages?
Yes. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.
CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
GRAHAM CLULEY. You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant but stay compliant.
CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, .com/smashing.
And thanks to Vanta for sponsoring Smashing Security. If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications.
It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mountain with 1Password Extended Access Management.
GRAHAM CLULEY. Over half of IT pros say securing SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why. Thankfully, Trelica by 1Password can discover and secure access to all of your apps.
CAROLE THERIAULT. Trelica by 1Password inventories every app in use at your company. Then pre-populated app profiles assess SaaS risks, letting you manage access, optimize spend, and enforce security best practice across every app your employees use.
GRAHAM CLULEY. So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/smashing. That's 1password.com/smashing.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call, for the very last time for Carole Theriault, Pick of the Week.
CAROLE THERIAULT. I might be on the show again. I might say it again. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. I hope it's not.
GRAHAM CLULEY. Mine is not security-related.
CAROLE THERIAULT. Yay!
GRAHAM CLULEY. This past weekend, the incredible Tom Lehrer died aged 97. Carole, are you familiar with Tom Lehrer?
CAROLE THERIAULT. Mm, more information before I say yes or no?
GRAHAM CLULEY. He was an extraordinary writer and singer of satirical songs.
CAROLE THERIAULT. Oh, I did read about him in the New York Times this weekend.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. But I was gonna go check him out. I haven't listened yet.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. He is wonderful, or was wonderful. He was not only a singer-songwriter of these funny songs, but he's also a mathematician. He was a child prodigy, entered Harvard at the age of 15.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. Had his master's in mathematics at 19, later taught at MIT and Harvard and University of California. He was also the inventor of the vodka Jell-O shot. Can you believe?
CAROLE THERIAULT. I love that.
GRAHAM CLULEY. So he's a clever guy. And famously, in the 1950s and '60s, he wrote and performed witty songs at his piano. But then he left that world behind to teach instead. He was one of a kind.
So, there are certainly songs which probably people will have heard of. For instance, he did the Elements song where he recited in about 1 minute 30 seconds.
CAROLE THERIAULT. Oh, is that the chemical elements? Yes. I do know that song.
GRAHAM CLULEY. Aha! There's antimony, arsenic, aluminium, selenium, and hydrogen and oxygen and nitrogen and rhenium and nickel, neodymium, and— I can't do it. Anyway, you get the idea.
He was incredible. And I'll put some links in the show notes as well to some of his other songs because he really, really was incredibly entertaining and clever. And what I particularly love about him is that in 2020, he decided to move his entire catalogue into the public domain because he felt he'd made more than enough money off it.
So he's given it to the world, all of his recordings, all of his music and the videos and so forth. You can go to tomlehrersongs.com, check them out. Very entertaining.
And there's not enough people like Tom Lehrer in the world. So very sad to see that he had died at the ripe old age of 97. And so this is my little thank you to him for all the entertainment he's given me over the years by making him my pick of the week.
CAROLE THERIAULT. There you go. Good one.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, I mean, what do you do for your final pick of the week?
GRAHAM CLULEY. I don't know. I don't know. Sticky pickles?
CAROLE THERIAULT. I thought about it. No. Yeah, I could do my— I could do that. I could do that. But I thought, no, I'll take my favorite picks of the weeks I've done over the years, and I will choose the ones I continue to use to this day almost every day. Okay. And I've chosen 5. I'll go quick. Okay. Number 1, the library app Libby.
GRAHAM CLULEY. Oh, yes. Very good. Very good.
CAROLE THERIAULT. Love it. Okay. Supports your local library. You don't have ads when you read a book. It's the best thing since the sourdough revolution.
GRAHAM CLULEY. Because it's a way basically of borrowing an ebook, isn't it, Libby?
CAROLE THERIAULT. Yes, it's wonderful. It's great. Shokz bone conduction headphones.
GRAHAM CLULEY. Oh, you still use those, do you?
CAROLE THERIAULT. I use, and they are wireless, Graham.
GRAHAM CLULEY. Yes, I'm familiar with them.
CAROLE THERIAULT. And I love them. I wear them every single day. They're comfortable. I adore them.
GRAHAM CLULEY. They pick up the vibrations on your jawbone, don't they? They don't put something in your ear, I believe.
CAROLE THERIAULT. No. So your ear, you can basically protect your hearing. You know, if you have hearing loss, which I would like to prevent having. So look into bone conduction headphones. Fantastic. For example, in Canada, they're legal to wear if you're cycling, but if you wear ear-in headphones, it's illegal.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. So there you go. Number 3, yoga. Okay. I used to have a lot of back problems.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Graham can attest to it. I've had serious operations. And since I started doing yoga, I have not had issues. Just hit the YouTubes. My favorite is Two Birds Yoga, link in the show notes. Just find one that suits you. It will save your life. That's the way I look at it. Number 4, Thermapen. Okay, this is for anyone who cooks. This is a digital thermometer.
GRAHAM CLULEY. Oh, I remember this one.
CAROLE THERIAULT. Because if you don't want to give people food poisoning, perhaps if you're not a great cook, this is how you do it. And if you want your food not to be overcooked, this is how you do it. It's your secret weapon. I'm not paid by any of these people, by the way. I'm just saying it's the bomb. Thermapen. And the final one is BBC Sounds, because there is so much quality stuff there from all over, and it's a really good archive of listening amazingness. So there you are. So those are my 5 pick of the weeks.
GRAHAM CLULEY. Wow. Well, great picks of the week. How are you going to feel about not having to come up with a pick of the week every week, Carole?
CAROLE THERIAULT. Oh, I'm going to cry weekly.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
CAROLE THERIAULT. I've created a Substack. So Carole Theriault, my full name, @CaroleTheriault, that's where you can find me. There's nothing there yet. Or is there? Go check it out.
GRAHAM CLULEY. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And thank you to our episode sponsors, Vanta and 1Password. And of course, to our wonderful Patreon community, it is their support that helps us give you this show for free. For episode show notes, episode, sponsorship info, guest lists, and the entire back catalog of more than 427 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Well, you're going to want to know what's going to happen next. So I guess the message I have for all the listeners is until next time, cheerio, bye-bye. Bye.
-- TRANSCRIPT ENDS --