Ransom acts of kindness are top of our mind, as we also explore how bad bots are hogging more and more of the internet's activity, and look at how deepfakes could be a good thing after all.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].
Visit https://www.smashingsecurity.com/277 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Ray [REDACTED].
Sponsored By:
- Bitwarden: A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.
- Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.
- Kolide: Kolide is a SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Kolide is perfect for organizations that want to move beyond a traditional lock-down model and move to one where employees are educated about security and device management while fixing nuanced problems. We call this approach Honest Security.
- You can try Kolide on an unlimited number of devices with all its features for free and without a credit card for 14 days.
Links:
- Popcorn Time ransomware invites you to get ‘nasty’ to recover your files — Graham Cluley.
- Rensenware — Wikipedia.
- GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need — CloudSEK.
- Bad Bot Report — Imperva.
- Bad Bot Traffic Report: Almost Half of All 2021 Internet Traffic Was Not Human — CPO Magazine.
- Automated Threats - web applications — OWASP.
- Home Stallone [Deepfake] — YouTube.
- The Emergence of Deepfake Technology: A Review — ResearchGate.
- Positive Use Cases of Synthetic Media (aka Deepfakes) — Towards Data Science.
- Deepfake pornography could become an 'epidemic', expert warns — BBC News.
- Europol report finds deepfake technology could become staple tool for organised crime — Europol.
- Google quietly bans deepfake training projects on Colab — Bleeping Computer.
- Japanese man spends £12,500 on ultra-realistic dog costume so he can live like an animal — Daily Mail.
- Google Colab FAQ.
- Talky.
- The Relationship Between Valence and Chills in Music: A Corpus Analysis.
- Frisson: This playlist is scientifically verified to give you chills — Big Think.
- A Spotify playlist with 715 songs known to give people chills — Quartz.
- Songs to give you chills — Spotify playlist.
- Zen Motoring — BBC iPlayer.
- Ogmios School of Zen Motoring Ep 1 — YouTube.
- Zen School of Motoring: TV that will cleanse your spirit like meditation — The Guardian.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. So here's what I'm thinking. I think I would find it quite hard to round up 5 poor kids.
CAROLE THERIAULT. So you would just dress up the rich kids as poor people? That's what you would do?
GRAHAM CLULEY. This is what I'm wondering.
CAROLE THERIAULT. Oh my God.
GRAHAM CLULEY. If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless? Would I be able to do that?
CAROLE THERIAULT. Poor little Timmy.
GRAHAM CLULEY. Tiny Tim. Tiny Tim on his crutches.
CAROLE THERIAULT. That's right.
UNKNOWN. Smashing Security, Episode 277: Bad Bots, Cheeky Ransoms, and Good Deepfakes with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 277. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week, Carole, we are joined by a special guest, somebody who's been on the show before. It's our great pleasure, drum roll please, to announce the return of Ray [REDACTED]. Hello, Ray. [Ray [REDACTED]]: Hello, hello. It is good to be back.
CAROLE THERIAULT. Welcome, Ray. The crowd goes wild. How you doing? [Ray [REDACTED]]: Thank you very much. It's good to be back. It's been too long, but I have been listening, so I am up to speed.
GRAHAM CLULEY. Good, because we would have tested you, obviously, just to make sure. In what episode did Carole call Graham a dingbat? [Ray [REDACTED]]: 261 through 269. That was an 8-episode arc.
GRAHAM CLULEY. Oh yeah, it was, wasn't it? It was a bumper season, that one.
CAROLE THERIAULT. We have a lot to cover today. Should we get this show on the road, boys?
GRAHAM CLULEY. Sure thing.
CAROLE THERIAULT. Let's thank this week's sponsors, Bitwarden and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, I'm going to be talking about ransom acts of kindness. Okay.
CAROLE THERIAULT. What about you, Ray? [Ray [REDACTED]]: I'm going to be talking about bad, bad bots. What you gonna do?
CAROLE THERIAULT. And I'm going to be looking at some deepfake dramas. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, ransomware.
CAROLE THERIAULT. Dun dun dun.
GRAHAM CLULEY. Yeah, I know it's in the news all the time. We can't stop talking about it. How many times have we talked about this? There's been all kinds of weird ransomware, unusual things which ransomware has done. I remember a piece of ransomware called Popcorn Time. Sometimes I talk about it in presentations because it's quite unusual. It gives you an option when it asks you to pay the money. It says, look, you can pay us the old-fashioned way. You can go and get yourself some bitcoin and you can transfer the bitcoin to us.
CAROLE THERIAULT. That's old-fashioned.
GRAHAM CLULEY. That's old-fashioned. That's old hat.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. That's what we're learning.
CAROLE THERIAULT. Jeez.
GRAHAM CLULEY. Or if that's a bit too complicated to work out how to get hold of some bitcoin, you can do it the nasty way. What you can do, they say, is here is a link. If you send this link to enough of your friends or family or work colleagues, God. And you manage to trick them into infecting their own computers with the Popcorn Time ransomware, and they end up paying, then you will get your data back for free. Oh my God.
CAROLE THERIAULT. So don't worry. [Ray [REDACTED]]: It's a pyramid scheme.
GRAHAM CLULEY. Yeah. You've become an affiliate. You now have a second job. You're working now as part of the ransomware gang.
CAROLE THERIAULT. And everyone now has a sullied reputation, a little bit, that they keep private.
GRAHAM CLULEY. So that was a good one, Popcorn Time. There's also one called nRansom. What that did was it displayed pictures of Thomas the Tank Engine. Not a euphemism. And what it did was it demanded you send 10 nude pictures of yourself as payment. Or if you're particularly keen to get the decryption key, maybe only send 5 nude pictures. They might prefer that. I don't know. But yeah, a rather unusual piece of ransomware, that. And there was Rensenware. Rensenware was one which actually came with an embedded video arcade game, like an old-style arcade game. And you had to reach a certain high score inside the game to decrypt your files. So there's been all kinds of madness in the ransomware world, as well as the actual traditional infections demanding cryptocurrency. And there's now another strange oddity in the world of ransomware, and it has been discovered by a security firm called CloudSEK. And they have called it the Goodwill ransomware.
CAROLE THERIAULT. Goodwill ransomware. [Ray [REDACTED]]: Yeah.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Not like Good Will Hunting or something like that.
CAROLE THERIAULT. Educate me.
GRAHAM CLULEY. Well, in many ways it's pretty normal, right? It infects your Windows PCs. It encrypts your documents, your photographs, your videos, your databases, all of the data that you actually want.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. But rather than demanding thousands of dollars worth of cryptocurrency in exchange for the decryption key, the Goodwill ransomware wants you to do something else. It wants you to perform 3 acts of kindness and provide—
CAROLE THERIAULT. Can you give me a list of what that is? Or—
GRAHAM CLULEY. Yes, they do.
CAROLE THERIAULT. Okay, fantastic. Tell me.
GRAHAM CLULEY. They don't only ask for 3 acts of kindness, they also ask you to record them on video and share the proof online as well as with the ransomware organizers in order to get your decryption key.
CAROLE THERIAULT. Okay, can I— I've done a few acts of kindness just today.
GRAHAM CLULEY. Oh, have you?
CAROLE THERIAULT. Can I just name some and you tell me if they'd fit in? [Ray [REDACTED]]: Now, Carole, it's not the humblebrag virus. It's not the humblebrag ransomware.
CAROLE THERIAULT. It is pretty— this is pretty low bar here, I gotta say. I emptied the dishwasher. Right, it doesn't just benefit me. There are other people living in this house. I made my coworker a sandwich for lunch. [Ray [REDACTED]]: Wow, that's actually very kind. That's a good one too. Right?
GRAHAM CLULEY. What kind of sandwich did you make?
CAROLE THERIAULT. Tuna and organic cucumber.
GRAHAM CLULEY. Oh, that sounds good actually.
CAROLE THERIAULT. Yeah. So that doesn't count? [Ray [REDACTED]]: That counts as 2 actually. I think we'll decrypt your files now.
GRAHAM CLULEY. Well, no, no, no, hang on. Ray, Ray, what kind of criminal enterprise are you running? [Ray [REDACTED]]: The sandwich is a very, very exceptional act of kindness. It's not that big a deal, really.
GRAHAM CLULEY. Well, I'll remember that. I think you've basically decrypted one GIF file.
CAROLE THERIAULT. As an artist, that probably would matter, you know.
GRAHAM CLULEY. I don't think that's very good. Now, the Goodwill ransomware displays a message. In fact, it displays a multi-page message in its manifesto when it infects you. It says, we're not hungry for money or wealth, but kindness. We want to make every person on the planet to be kind and want to give them a hard lesson to always help poor and needy people. So Carole, I'm afraid your coworker emptying the dishwasher isn't good enough for them. They want you to take a deep breath, look around for all of those who need help. So they give you some examples. The first request they make is for you to donate new clothes and blankets to the homeless.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And they say, not only donate these clothes and blankets—
CAROLE THERIAULT. But why do they have to be new?
GRAHAM CLULEY. Well, they don't want your soiled underpants, Carole, do they?
CAROLE THERIAULT. No, but it's not helping the planet much by just buying stuff and then— I just think a lot of people have a lot of stuff that's in pretty good nick that they don't use. [Ray [REDACTED]]: Okay, okay.
GRAHAM CLULEY. Well, maybe if you washed it beforehand.
CAROLE THERIAULT. Of course.
GRAHAM CLULEY. Okay, all right. [Ray [REDACTED]]: Another act of kindness, by the way, on the scoreboard.
GRAHAM CLULEY. Thanks. Thank you, Carole, for demonstrating human cleanliness and for washing before we're recording this podcast.
CAROLE THERIAULT. And reducing waste, right?
GRAHAM CLULEY. They want you to post the evidence of this on Facebook, Instagram, and WhatsApp to encourage others. Yeah, spread the word. Spread the word of goodness.
CAROLE THERIAULT. Spread the word. Spread the word.
GRAHAM CLULEY. So that's the first thing. Okay, so Ray, what clothes would you donate? [Ray [REDACTED]]: What clothes? Well, I was actually gonna go buy new clothes. I was following the instructions to the letter. I did not know that you got to bend the rules.
GRAHAM CLULEY. Okay. [Ray [REDACTED]]: But certainly jackets, socks, I believe are very, very popular, or very in demand, socks.
CAROLE THERIAULT. In demand, yeah. [Ray [REDACTED]]: And certainly clean new underwear, I think. I would think there would be a demand for that as well. Not the T-back thongs that you're envisioning with the jewels.
GRAHAM CLULEY. Okay, let's move on to act number 2. So, once you've done that, and you've shared it online with the appropriate hashtags, and shared it with the criminal masterminds as well, we need to go on to the second act. And what this involves is finding 5 poor children under the age of 13, and taking them to Domino's, Pizza Hut, or Kentucky Fried Chicken, and allow them to order any food that they wish. What do we think of that?
CAROLE THERIAULT. I wonder how the parents are gonna feel about that.
GRAHAM CLULEY. Well, right.
CAROLE THERIAULT. It's like, where's little Ricky? Where's little Ricky? Where'd Susie go? Oh, they're all down on the Mickey D's. [Ray [REDACTED]]: Kidnap 5 children and take them to the restaurant.
GRAHAM CLULEY. It's a bit odd, isn't it?
CAROLE THERIAULT. Yeah, it's a bit odd.
GRAHAM CLULEY. Random children. [Ray [REDACTED]]: The brand placement seems a little bit conspicuous. Like they actually have mentioned the actual specific brands there.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. I bet there's PR meetings going on right now going, can we make sure we are not involved in this in any way? Why were we named? Oh, see?
GRAHAM CLULEY. Do you think maybe Domino's Pizza are thinking, could someone in marketing be behind this ransomware? Are we doing this to drive sales? [Ray [REDACTED]]: Well, you know, it's really funny that you would say that because when the invasion in Ukraine happened, all those Conti ransomware group files leaked. First of all, it turned out that their inner workings was like a bad corporation. I mean, they had layers of hierarchy of management and they were using tools like EDR, but a lot of the employees thought they were working for a marketing company, an ad company. That's what they were told. So maybe it was for Pepsi. KFC or Domino's.
GRAHAM CLULEY. Thank goodness I'm no longer working for Disney. I'm working for the Conti ransomware gang. I can sleep soundly at night now. So—
CAROLE THERIAULT. Okay, so I've kidnapped 5 kids.
GRAHAM CLULEY. Kidnapped 5 kids.
CAROLE THERIAULT. I've gone shopping for people in the city that need it.
GRAHAM CLULEY. And they want you to take selfies of you and the kids full of smiles, happy faces, build a beautiful Instagram story with these pictures. Screenshot the bill, send an email to us, they say, with the link to get your files back. So, and the final one, the final one involves providing financial assistance to those who need urgent medical help, who can't afford to pay for it themselves. I imagine, by the way, that this is in America where I believe you have to pay to, if you get hit by a car or something, whereas most of the civilised world, if you're badly injured, you can just get treatment. But anyway, they are saying: visit a nearby hospital, look around the crowd, and you should be able to find some people who need money urgently for their treatment. And you have to go up to them and talk to them and say, hey, look, I'd like to help.
CAROLE THERIAULT. I'll take on the $300,000 hit.
GRAHAM CLULEY. I'll take this on.
CAROLE THERIAULT. Yeah. [Ray [REDACTED]]: You.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Again. Get my files back.
GRAHAM CLULEY. Take lots of selfies of them full of smiles and happy faces. Record audio while the whole conversation between you and them takes place. And send it to the ransomware gang.
CAROLE THERIAULT. You see, I, yeah, I've got two issues here.
GRAHAM CLULEY. I think, come on, come on, let's hear it.
CAROLE THERIAULT. Because I'm a bit of a do-gooder, so I think in principle all their stuff is good, you know, like, yeah, look after the homeless, help people that need it, all that, you know, feed the people that need it. Absolutely. I worry about their tactics to force me to do it, on one, because it doesn't seem like a very nice thing to put ransomware on my machine. So it doesn't feel like they're eating their own cereal, right? They're not eating their own Cheerios. [Ray [REDACTED]]: Are you a Good Samaritan if you have a gun pointed at your head?
CAROLE THERIAULT. Right, right.
GRAHAM CLULEY. And what, are they good Samaritans by pointing the gun?
CAROLE THERIAULT. Okay. And number two, it also feels like they've offloaded a lot of the responsibility to me, because if they are typical ransomware users, they would just take my money and then they could do all that stuff themselves.
GRAHAM CLULEY. Yes, with the money. [Ray [REDACTED]]: But Carole, I guarantee you that's probably an option. They probably want you to look at this list of things that you have to do and go, okay, never mind, here's 20 bitcoins, just, just go away. I don't hate you now. You gave me, you gave me an opportunity.
CAROLE THERIAULT. You gave me a choice that I didn't even want in the first place. Yeah.
GRAHAM CLULEY. It is peculiar, isn't it? So here's what I'm thinking. I think I would find it quite hard to round up 5 poor kids. [Ray [REDACTED]]: Why?
CAROLE THERIAULT. Because you live in like in a rich neighbourhood?
GRAHAM CLULEY. Well, no, it's just— I don't have many people who live near me, right? I would have the proud—
CAROLE THERIAULT. So you would just dress up the rich kids as poor people? That's what you would do.
GRAHAM CLULEY. This is what I'm wondering.
CAROLE THERIAULT. Oh my God.
GRAHAM CLULEY. If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless? You know, would I be able to do that? Or maybe Photoshop—
CAROLE THERIAULT. Or little Timmy. Was it Timmy?
GRAHAM CLULEY. Tiny Tim. Tiny Tim on his crutches.
CAROLE THERIAULT. That's right. [Ray [REDACTED]]: And then right when you're negotiating with him, he whips out a Screen Actors Guild card and says, "I need scale." Why isn't one of the things there, can you give to one of these 5 recognized charities?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But maybe that's too easy. Maybe they're saying giving charity just by clicking a button is too easy and they want you to actually go and do something.
CAROLE THERIAULT. Okay, you do that and also say online that you've done it. You know, I don't know. Okay, anyway, I don't know why I'm helping the ransomware guys. I just don't agree with the ransomware in the first place.
GRAHAM CLULEY. Yeah, but again, it's a bit of a humblebrag, like Ray was saying earlier, isn't it? To go online and say, "I have just very generously given $100." You're not saying I'm generous, you're saying I was forced by a ransomware gang. Normally, I would never donate the money. But in this exceptional circumstance, I am prepared to. So I wonder if this might be the beginning of something. [Ray [REDACTED]]: Well, you'll know if you watch LinkedIn, because LinkedIn would become overrun with all these pictures and everyone would have 5 kids in their photo. Exactly 5.
GRAHAM CLULEY. Well, that's possible. But I'm also imagining some future Michael Douglas movie. Where there he is in the office. Ah, I got hit by ransomware, right? He's a— he's an evil sort of trader or something.
CAROLE THERIAULT. Is he still alive?
GRAHAM CLULEY. Yes, of course Michael Douglas is still alive.
CAROLE THERIAULT. I'm going to look.
GRAHAM CLULEY. He did have an ailment, but which he said he got— [Ray [REDACTED]]: never mind.
GRAHAM CLULEY. Yes, never mind.
CAROLE THERIAULT. And, you know, he is alive. He seems like 77.
GRAHAM CLULEY. Anyway, so Michael Douglas, I can imagine him in a movie getting requested to do various— What I'm picturing is some evil, crazy guy sending different commands to people who've been hit by the ransomware, and he's getting them to do more and more insane things. You know, custard pie Bill Gates.
CAROLE THERIAULT. You thought of this when you were having a poop or something, right?
GRAHAM CLULEY. Tie Piers Morgan's shoelaces together. Something like that. I can imagine this happening.
CAROLE THERIAULT. Okay, well, good. You're perfectly sane.
GRAHAM CLULEY. Well, no, I'm— The world of cybersecurity is not saying, Carole, I'm just— Here I am predicting the future. I'm like a soothsayer and I am warning. Let the record show I am warning that this kind of ransom kindness madness could get out of hand and could become a big problem. [Ray [REDACTED]]: But why KFC?
GRAHAM CLULEY. Why? [Ray [REDACTED]]: It just seems like such a random list of, you know, it's not Chuck E. Cheese or, you know, someplace that's friendly for kids.
GRAHAM CLULEY. What is Chuck E. Cheese?
CAROLE THERIAULT. It must be a kid-run thing because not everywhere has it. Maybe they were just thinking of international restaurants.
GRAHAM CLULEY. Yeah, we don't have Chuck E. Cheese here.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Whatever that is.
CAROLE THERIAULT. We have a Chubby Chicken though in Oxford. [Ray [REDACTED]]: Oh, Graham, Chuck E. Cheese is this child horror show with animatronic puppets that sing to the children and they play arcade games. And it definitely should be one of your stories one of these days because— Oh.
GRAHAM CLULEY. Well, that sounds certainly more attractive than Carole's chicken with a chubby. That's who he's talking about. Anyway, Ray, what have you got to talk to us about this week? [Ray [REDACTED]]: Well, Graham, Carole, when you were children, were you taught that there were good bugs and bad bugs? Did anyone ever try to classify bugs for you?
CAROLE THERIAULT. No, bugs were fine.
GRAHAM CLULEY. Oh no, I think so. Yeah, some bugs were pretty mean. Yeah, pretty evil. [Ray [REDACTED]]: So here in deep in the heart of Texas, we were taught that certain bugs were good bugs and certain bugs were bad bugs. You didn't kill certain spiders because they would eat mosquitoes and you wouldn't kill certain snakes because they would do this or that. Everything was classified as either a good bug or a bad bug. And then it was only much later in life that you kind of realized that in an ecosystem, there's not really necessarily good and bad. It's just that everything is kind of interreliant. So, well, I don't know if you've been following the news lately. But there's this chap named Elon Musk that has been in the news with his takeover attempts of Twitter. And one of the things that he said, among the less bizarre things that he has said, was that he believes that there are many more bots on Twitter—
GRAHAM CLULEY. oh yes— [Ray [REDACTED]]: than Twitter has been willing to estimate and to say, right? And it really got me thinking. I started thinking, well, I wonder how you could count those. How could you count those? How could you see those? I know there's a lot of tools out there that do that. Well, it turns out there's a company on the internet that has been counting what they call bad bots and good bots for almost 10 years now. They have bot catchers all over the world and they're counting up bad bot activity. Now, your first question's got to be, well, what makes a bot a bad bot, right? We have bots from Google that crawl websites. We have bots that do things like price indexing for travel search engines, et cetera. Well, they define bad bots as bots that are evasive, deceptive, or malicious. Okay. And believe it or not, according to Imperva, about 42% of internet traffic in the last year wasn't human. And that's up from 40.8% in 2020. And human activities decreased by 2.5% to 57.7%. Now, the reason that that's extremely unusual is because of the fact that we still have a hybrid workplace COVID kind of quarantine situation, and internet traffic has generally been going up significantly year over year, primarily because of video. So the bad bot traffic is outpacing the good human Netflix, Pornhub traffic, or whatever traffic that is.
GRAHAM CLULEY. And this is the case even though there's been a marked increase in the number of people playing Wordle. And things on that. [Ray [REDACTED]]: Absolutely. For sure. Well, there may be bots playing that. There may be bots playing that at this point.
GRAHAM CLULEY. Oh, goodness. [Ray [REDACTED]]: So this is why we always have to deal with all those CAPTCHAs that say, you know, identify which shoe is a clown shoe or whatever that is. And they show you a bunch of pictures of feet or whatever. I don't know. Maybe I'm on different websites than you are. But anyway, so OWASP, OWASP, who's kind of the authority when it comes to things like this, has defined 21 different bad bot use cases in their Automated Threat Handbook, which we will link in the notes. But Imperva has got these great statistics over time. And we've seen certain trends that have happened specifically because more and more legitimate traffic is mobile. And then when Apple put out their privacy changes a couple years ago that affected companies like Meta and a lot of the companies that were trying to do some malvertising or advertising on that side, there was a big movement of that. And then of course, if you think about it, like if there's a thing online where they do shoe drops, like Kanye or somebody announces a new shoe, and the only way you can get it is to use a bot, right? So all of that bot activity is out there and it's kind of swelling up and down, primarily used for, uh, things like DDoS attacks and often, uh, is a, is a, is a precursor to more, uh, sophisticated attacks.
GRAHAM CLULEY. Sorry, uh, Ray, Ray, you're gonna have to backtrack a little bit cuz you're, you're getting very technical for me. Kanye West does a shoe drop. [Ray [REDACTED]]: Correct.
GRAHAM CLULEY. And that's largely a bot. Did you mean it's largely a boot? [Ray [REDACTED]]: No. So when these—
GRAHAM CLULEY. what does this mean? [Ray [REDACTED]]: When items are extremely scarce, people have written programs to try to defeat the limitations of that thing. So ticket scalping was the first killer app, right?
CAROLE THERIAULT. Yeah. [Ray [REDACTED]]: They would set up these bots so that when the tickets went on sale at 9:01 AM, the bots would grab up all the best seats and they would pretend to be humans. And then basically the scalpers would resell those. Well, they do that with shoes now too. Because Kanye will drop a shoe that's like MSRP is maybe like $169 and they'll go for thousands. So people can actually rent bots to try to get shoes, to try to get tickets, or they can just simply outsource that. And so that's a difficult type of bot is for being able to defeat retail services. There's a lot of that with regards to travel. And notice the marked increase in the number of mobile devices. And if you look on the internet and you type in bot farm, you will see pictures of people in certain countries where they'll have 128 mobile phones bolted together, all running a single program that basically are impersonating users. And it's just another indicator of the type of activity that is kind of out there. Interestingly enough, just like happens all the time on internet research, there really wasn't anything in the Imperva reports or the OWASP report about social media bots, which is kind of when I got started interested in that side. And so there's kind of a raging debate. Is 20%, uh, are 20% of Twitter users inauthentic? Is it 50%? Does it matter how often they're used? We all know there's definitely a bot problem on social media, but for the folks at Imperva, they, they actually point out that there's a lot more serious problems, uh, related to bad bots, right?
CAROLE THERIAULT. So basically, 1 in 2 times you're on the internet, you're talking to a bot, probably. [Ray [REDACTED]]: Well, and certain, certain social dating websites, it would be much, much higher than that.
CAROLE THERIAULT. Yeah, right. [Ray [REDACTED]]: Like if we think back to Ashley Madison, Ashley Madison was almost all bots. It was almost 100% users that were there to try to get more money from you.
GRAHAM CLULEY. FemBots. Yes. All the women were actually robots, weren't they? [Ray [REDACTED]]: Correct.
CAROLE THERIAULT. All the men were not. They were cracking a look at.
GRAHAM CLULEY. My goodness.
CAROLE THERIAULT. Yeah, but what do you think can be done? Do you think that we need to be more attentive, like being aware that there's bots out there? Does it change our behavior in any way, do you think? [Ray [REDACTED]]: Well, I think that they, the folks from Imperva really talk about kind of the level of severity of types of things. So obviously things that are data scraping or stealing credentials, that's a very serious issue that needs to not only be monitored but also mitigated. And they make recommendations for certain types of mitigation, you know, around proxies and things like that. But also they just think that awareness will drive a lot more. You know, awareness is sort of the very first kind of step for that side, and especially with regards to account takeovers. And, you know, we talk a lot about, um, multifactor authentication circumvention. And a lot of these bots are now being designed specifically to look like they are the telecommunications company asking for those tokens. And so just always remember, never give out your MFA token unsolicited. No company will ever ask you that without you requesting it first, right?
CAROLE THERIAULT. Yeah. [Ray [REDACTED]]: And then they also talk about the fact that, you know, when it comes to account takeovers, Just like dwell time is extremely important in cyber breaches, detection of account takeovers is extremely important so you can shut it down.
GRAHAM CLULEY. So we'd really be looking for websites and services to do a better job at determining inauthentic behavior, I think, wouldn't we? I mean, the simplest way to do that is with things like CAPTCHAs, but of course CAPTCHAs are quite irritating for the humans and they're not—
CAROLE THERIAULT. Yeah, but people are used to them now. I mean, Google does them all the time.
GRAHAM CLULEY. Sometimes I have to reload, reload, 'cause I can't work out what's what. And you know, is that bit of the traffic light up? [Ray [REDACTED]]: Is the pole, does the pole count as the traffic light? I've always wondered that. Is it the actual light or is it the pole too?
GRAHAM CLULEY. Well, I always worry that am I feeding all this information, am I making it easier for some evil artificial intelligence inside Google to identify the difference between a yacht or a zebra crossing or a traffic light? Such that they will then ultimately be able to invade our cities.
CAROLE THERIAULT. That's a really good point. I think you should start acting like some kind of animal or something. Like, just mimic. There's a guy actually in Japan who's paid like, what?
GRAHAM CLULEY. Oh, the Collie dog man. Yes. Yes.
CAROLE THERIAULT. He decided he didn't want to be part of humanity anymore, and he's now got himself a lifelike dog outfit. I think we should put it in the show notes for people. It's really, really odd and weird.
GRAHAM CLULEY. It's quite convincing.
CAROLE THERIAULT. He's an authentic dog though. So he's, you know, he's like a deepfake dog, which brings me to my topic. [Ray [REDACTED]]: Oh boy.
GRAHAM CLULEY. Carole, what have you got for us?
CAROLE THERIAULT. Deepfakes. Deepfakes. So back in 2019, Google published a blog piece called Contributing Data to Deepfake Detection Research. And in it, they talk about innovation and tech and how they've paid loads of actors and people to create a database for researchers to work from in terms of finding out about deepfakes and detecting deepfakes. And a quote from that is, since the field is moving quickly, we'll add to this dataset as deepfake technology evolves over time. And we'll work with partners. We firmly believe in supporting a thriving research community, yada, yada, yada. So it came as a surprise to some of us that Google recently quietly banned deepfake projects on its Colaboratory or Colab service, putting an end to the large-scale utilization of the platform's resources for this purpose. Now, for those who don't know about Colab, it's basically like an online computing resource that allows researchers to run Python code directly through the browser. So they can use free computing resources, right? Including GPUs to power their projects. And it's meant to be used by researchers who need power that costs several thousands of dollars to help them reach their scientific goals, right?
GRAHAM CLULEY. Yes. It's probably been used actually to run hordes and hordes of bots, isn't it? This is probably exactly how it's all happening.
CAROLE THERIAULT. Well, interesting, interesting. 'Cause Colab has a not allowed here list.
GRAHAM CLULEY. Oh, okay. [Ray [REDACTED]]: Yeah.
CAROLE THERIAULT. Okay. And it includes things like using a remote desktop or SSH.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. Connecting to remote proxies, mining crypto, running DDoS or DoS attacks, password cracking, and using multiple accounts to work around access or resource usage restrictions. And they've added to that creating deepfakes. So it's not known if Google performed this policy due to like new ethical concerns or rampant abuse of its free computing resources. Right? But says Bleeping Computer, there are reports that some users are exploiting the platform's free tier to create deepfake models at scale. OK, I'm not surprised by that, or any of you.
GRAHAM CLULEY. No.
CAROLE THERIAULT. And this captured a significant amount of Colab's available resources for extended periods. Now, of course, all of us know of the bad things that deepfake— it's known as synthetic media, right? We all know about the bad deepfakes out there. But I thought we could switch it up and look at some of the positive things that I have— I've seen listed and see what we think of them. Okay. Yeah. Okay. So I'm gonna— I'll start with this one. What about like people with speech impediments or motor skill difficulties? Like, imagine being able to talk in your own voice to like loved ones or colleagues even after losing your ability to speak.
GRAHAM CLULEY. Hmm.
CAROLE THERIAULT. Or if you're suffering from certain physical or mental disabilities, you could use synthetic avatars of you for online expression, you know, to be able to go, oh, here, this is what I want to say to you. Why do you always feed me this stupid, disgusting stuff? You know, or something.
GRAHAM CLULEY. Well, we saw this actually a few weeks ago when I had a Pick of the Week, which was that Gerry Anderson documentary. And Gerry Anderson, of course, has been dead for a few years. And his family, they had an audio recording of him being interviewed, but for the purposes of the movie, they wanted Gerry Anderson talking. And they did a remarkable job through deepfake technology. And you were watching this thing and you completely forgot that it was synthetic media. Yeah.
CAROLE THERIAULT. I mean, that's a good point.
GRAHAM CLULEY. Better than animating him in the old Thunderbirds way with bits of string and sort of Weekend at Bernie's style.
CAROLE THERIAULT. Yeah, think of Forrest Gump, where, you know, he meets JFK and other historical figures. The creation of that scenario cost millions of dollars, right? Whereas deepfakes could democratize the cost of this, like, what is it called? VFX tech, something like that. Anyway, whatever, what they use. And to make it at a fraction of cost, which means that people can do cute, like, deepfake videos. I saw one which was adorable called Home Stallone, right? So it's like they've come up somehow superimposed Stallone's face into Home Alone's. I put the video in the show notes.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Um, but you know, and it's kind of, it's labeled as a deepfake and it's there for kind of a contribution to the arts, which I say would be actually, I think quite valuable. [Ray [REDACTED]]: That use case kind of reminds me of when BitTorrent took off and there was a group of people that screamed and yelled that it was really just being used for Linux distributions. I'm sure that there is a few people that would use deepfakes for that, but my concern is the percentage of positive use is probably a little bit outweighed by the percentage of negative and malicious use.
GRAHAM CLULEY. I'm feeling sorry for Sylvester Stallone's career, actually. I mean, there was a perfectly good job that he could have been hired to do, and instead they deepfaked it. Maybe that's quite bad news for actors, maybe not for just Stallone, but other actors as well.
CAROLE THERIAULT. And Google's the one who's making the most money out of it, right? [Ray [REDACTED]]: So out of everything, that's another interesting question I had, is when they say we can't use these resources for these things, and these are GPUs, right? These are big farms of, of, uh, of GPUs. How can they tell the difference between password cracking and positive use of deepfakes? Or, I mean, how, how would Google be able to monitor and tell what that is?
CAROLE THERIAULT. That is an excellent question, and I have attached the FAQ for Google's Colab and explaining why it has restrictions and how it works, and maybe the answer will be in there.
GRAHAM CLULEY. They probably can't tell, but if they find out later, that's a good reason for kicking you out.
CAROLE THERIAULT. Yeah, maybe if someone reports you or something.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. What about helping the bereaved? Like, say if I died, Graham. Right? Wouldn't you like to have me— yeah, yeah, that's what I sound like. [Ray [REDACTED]]: Carole, we already have a mop and it has your name on it and your photo, and now all we need is recordings to go with the mop because, you know, the mop is a great dancing partner, doesn't— not very good at dinner, but that's our, that's our virtual Carole. We just need the voiceovers for it.
CAROLE THERIAULT. And like, what about solving police investigations? So last week, actually, Dutch police created a deep fake video to appeal for info over a 2003 murder of a teenage boy. And it's a world's first investigation using artificially manipulated footage. And it's like this 13-year-old footballer who was shot dead in 2003 while throwing snowballs at his friends in a car park near a Rotterdam metro station. And at the time, they just thought, oh, wrong place, wrong time. But now they think there was an organized criminal fraud gang hanging out there, and they're hoping the deepfake video recreation of the boy's image and everything will help solve this cold case. [Ray [REDACTED]]: Goodness, prosecuting crimes on synthetic evidence sounds like a lawyer's nightmare for me because they're actually making things up that aren't real and showing that video and saying, does this— is this what happened, right?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. I mean, our— this podcast, Graham, we could have synthesized media be able to translate us into different languages to make us more accessible internationally.
GRAHAM CLULEY. I'd love to translate some of the sessions into English. That'd be helpful.
CAROLE THERIAULT. [LAUGHTER] So like most things, it's complicated, right? Because as you say, Ray, deepfakes are maybe not inherently bad as a tech, but I agree that right now we seem to have a lot more yucky examples than good examples out there. I mean, we know this tech has been used for revenge, for political gain, for disruption, to induce shame, obedience. I mean, even the EU put out a report to authorities, advised them to get on the deepfake bus because it is ripe to become a stable tool in organized crime. So how do you control this stuff?
GRAHAM CLULEY. Yeah, how do you? How do you?
CAROLE THERIAULT. How do you? Well, it's the same as really all things tech. Legislation and regulation, right? Corporate policies saying you can't do this and voluntary action from people on reporting it or making people aware of it. Education and training, like what we do, if we can call this any of that.
GRAHAM CLULEY. Oh God, we're doomed then.
CAROLE THERIAULT. And probably the most important is anti-deepfake tech, right? Which includes deepfake detection, content authentication, deepfake prevention. Except now, without Google's Colab, anti-deepfake tech might take a hit. Oh. So I don't know. It also says something to me that Google kind of kept stepping out of this little mess. Like, does it smell something that we don't smell? Like, why is it pulled out of this completely? Because surely this is a really exciting, innovative time. And I understand it's very controversial, but we need to have anti-deepfake tech as well, don't we?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So if they're pulling out, I think maybe we're in for a rocky deepfake ride. Is that— that sounds a bit dirty, actually. [Ray [REDACTED]]: Now, do you think that Matt Damon, when he made that crypto.com Super Bowl commercial, do you think he could go back now and say, nope, that wasn't me, that was a deepfake? You get plausible deniability around that?
CAROLE THERIAULT. Yeah, I wonder if actors are going to have to sign contracts saying, oh, and if you die right during the making of this film, you, uh, let us use, you know, deepfake to continue the script.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. Exciting times. Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan. And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com/smashing. Start your free password manager trial today.
GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations to their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. [Ray [REDACTED]]: Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. My Pick of the Week involves a certain situation which has arisen in my home. My young son, he is, blah, blah, blah, 12 years old. No, he's not. He's 11 years old.
CAROLE THERIAULT. I was just going to say, yeah.
GRAHAM CLULEY. I'm not sure. He's 11 years old, round about that. [Ray [REDACTED]]: Is this the Father's Day episode by any chance?
GRAHAM CLULEY. He has started playing Minecraft with some rather special friends of his from school. And he wants to chat to them at the same time. And he was saying to me, Dad, Dad, can you set up Discord for me? Discord's cool. I've heard about Discord. I've watched YouTube videos about Discord.
CAROLE THERIAULT. Does he talk like that?
GRAHAM CLULEY. Yes, he does. And I said, well, I could, but then I'd have to get the other kids to set up Discord. And speaking to their parents is a nightmare because I'm not that nerdy and they're even less nerdy. And rather than setting up Discord or coordinating mobile phones with the parents and making a call, oh, it's just all a big pain in the neck. I thought there has to be a simpler way for these kids to talk to each other, which ideally doesn't cost me any money and is zero effort.
CAROLE THERIAULT. And does not invade their privacy ridiculously, probably.
GRAHAM CLULEY. That would be helpful as well. That was a smaller consideration, but yes, that would be good as well. So I found a service called Talky.io, talk with a Y on the end, .io. And it's free. You can do audio and video chat. There's nothing to download. You don't have to sign up. There's no payments required. They don't have any ads. They don't resell your information. At least they say they don't. They don't keep track of anything you're doing online. They say they encrypt everything possible. And it's really easy. And what's the best thing about it from my son's point of view is while you're waiting for other people to join your room, you get to play a little video game of like a lunar lander kind of game where you have a spacecraft and go, pfft, pfft, applying thrust. So while you're waiting for people, you can sort of move it around the screen and try and land it properly. And it's really easy to use and has so far worked for them.
CAROLE THERIAULT. Cool. I've just read the privacy policy and it looks good.
GRAHAM CLULEY. Oh wow, that's quick.
CAROLE THERIAULT. All they grab is— yeah, well, just the privacy policy. But yeah, it's quite tightly written, actually.
GRAHAM CLULEY. I think that they're doing it because there's some sort of web development team and they're doing this basically as an advert for their services. So if you wanted to have maybe a corporate chat video thing, they would be able to roll you out one and all the rest of it. So I think that's the reason why they've done this. But it worked very well. [Ray [REDACTED]]: It's always a good question whenever you come across a domain name that ends in .io and has kind of catchy name and declares that they don't advertise or keep any logs. It's always one you always wonder, how do they monetize? Am I the product?
CAROLE THERIAULT. Mm-hmm. They also say that they welcome anyone reporting any bugs and you will receive a detailed response within 48 hours, which is quite refreshing to see that in a privacy policy.
GRAHAM CLULEY. Oh, there you go. Anyway, so far, so far, no problems with it. And the kids are able to chat to each other while they're giving each other cornflowers or messing around with redstone or whatever it is that they do in Minecraft. And so Talky.io is my pick of the week.
CAROLE THERIAULT. Down and out.
GRAHAM CLULEY. Ray, what's your pick of the week? [Ray [REDACTED]]: Well, my pick of the week, Graham.
GRAHAM CLULEY. Yes. [Ray [REDACTED]]: Well, let me just ask you this question. When you are— yes, at home alone, or maybe perhaps not alone, and you've got a nice glass of wine and some good music on—
CAROLE THERIAULT. I'm uncomfortable. [Ray [REDACTED]]: Are you excited about the possibility that you might be experiencing piloerection?
CAROLE THERIAULT. I'm so uncomfortable.
GRAHAM CLULEY. Um, I don't drink wine, so I think it's even less likely I'd have a piloerection if I was drinking wine. So I'm not used to alcohol and things, but, you know, what's a piloerection, Ray, dare I ask? [Ray [REDACTED]]: So piloerection is actually a physiological and physical response that you probably know more by the term of goosebumps. And humans often experience this as part of something that scientists call frisson, which is derived from the French term of a sudden feeling or sensation of excitement, emotion, or thrill. Now, at Queen Mary University in London, a group of scientists set out— I'm going to try to say these names, but it was led by Rémi de Fleurian and Marcus Pearce— and they set out to try to find what it is about certain types of music that give you that frisson or that piloerection. And they found music from people like Johnny Cash, Metallica, Celine Dion, Mozart, and built out a list of songs that are likely to give you chills, like in certain parts of the song or some certain parts, you kind of always get goosebumps. These are the songs that you typically turn up really loud in the car.
GRAHAM CLULEY. Oh, so this is a playlist which doesn't include Michael Bublé, for instance. That sounds great. [Ray [REDACTED]]: No, I don't know that we need to take a cheap shot at Michael Bublé at this point in time, but certainly I will publish the list.
GRAHAM CLULEY. I think we do.
CAROLE THERIAULT. No, we do.
GRAHAM CLULEY. I think we do. I think we do.
CAROLE THERIAULT. We do. [Ray [REDACTED]]: But what these scientists were interested in is they were interested in what's the difference between two songs that are like back to back on the same album, and one of them, you know, gives you this frisson or this chills. And it's almost universal, by the way. These are not highly individualized.
GRAHAM CLULEY. Really? [Ray [REDACTED]]: These have a common— these have a very common, uh, set. So they looked at a little bit less than 1,000 songs, and they identified 715 that are likely to give you chills, and they published it to Spotify. So it's a Spotify playlist that actually has these songs on them.
CAROLE THERIAULT. So, okay, so now we have to worry about freaking drivers listening to this playlist whilst driving along and going all the time. [Ray [REDACTED]]: Well, it is actually called a skin orgasm. That is actually called a skin orgasm, but I left that part out because I felt like it was a little bit too racy for this.
CAROLE THERIAULT. But yeah, good job, good job.
GRAHAM CLULEY. Good that you didn't mention the skin orgasm. Well done on avoiding it. [Ray [REDACTED]]: Absolutely. Um, but it also, it, you know, includes, includes parts of movie If you think about speeches, I mean, the classic example for Americans is probably the Rocky theme, because you know that right when he starts to get up, you know, that Rocky kind of, you kind of get behind it or whatever.
CAROLE THERIAULT. Queen as well, I'm sure, is up there. [Ray [REDACTED]]: But they're particularly fascinated in which songs, you know, are able to bring this and which aren't. And if you look through this playlist, by the way, and someone was kind enough to convert it to Apple Music and other formats as well. But if you look at this playlist, you're going to see a lot of songs you recognize and you'll know immediately, oh yes, I know that. I know, I even know the part of that song that gives everybody the piloerection for song, right?
CAROLE THERIAULT. Are they trying to figure out like the sonograph or like the, the wavelength that does it? Is it, is it, you know, are they able to isolate it to certain beats? [Ray [REDACTED]]: Or so, Carole, they do look at tempo and they do look at cadence and they do look at— but one of the most interesting explanations is something that, uh, musicologist David Huron calls contrastive valence theory, in which your feelings are suddenly contrasted. So you start off feeling really bad, and then you feel really good, and then you get stronger and stronger and stronger, and then there's really no peak to that, right? There's a lot of that in Broadway, uh, show tunes. Show tunes, right? When they reach that type of these—
GRAHAM CLULEY. So your brain can either be, life is shit, life is shit, oh, it's so miserable, life is shit, oh, it's wonderful, that kind of thing. [Ray [REDACTED]]: Is that your Auto-Tune plug-in there, or no?
GRAHAM CLULEY. Did you get any chills at that moment? [Ray [REDACTED]]: Yeah, yeah, I did not. I'm having piloerectile dysfunction over here. But anyway, so yes, they have this very fascinating scientific article. It has a lot of observations about anger and emotions. Like, it has this playlist of 715 songs that you can drop into your MP3 player and listen to. Now, it is very heavy on classical music, but even like the pop songs from the '50s and '60s, you know, you'll recognize most of them and be able to identify why they were songs of the song.
CAROLE THERIAULT. We should have a frisson off with our listeners to see whoever listens to it, how many frissons they've had, write down how many frissons they get for a session of 10 songs and see who can win. Yeah.
GRAHAM CLULEY. You can't have too many frissons in a day. I think you'll be exhausted. I think people should, I think you have to be careful what we advise our listeners to do. Maybe, yeah. Ration yourself, folks. Carole, what's your pick of the week?
CAROLE THERIAULT. We're ready for a trifecta of great picks of the week this week because I have a fab one. It's new to me, totally love it, Graham. I did send it to you to watch. Have you watched a bit of it?
GRAHAM CLULEY. I have, yes.
CAROLE THERIAULT. Okay, so it's a short series called Zen Motoring, and it stars this PE teacher, Ogmios, who also is a battle rap champ. And I have links in the show notes for you to check out. And a battle rap is basically like a rap roast where you tear a new one out of your opponent with, you know, spicy rhymes and stuff like that. Yeah, it's cool. It's cool.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And Ogmios here started doing a YouTube effort labeled Zen Motoring, and it makes this crazy cocktail. It's like a cocktail of what, like ASMR whisperings. There's definitely that. And it's against this— I don't know, driving around London as viewed from the dash cam. Yeah. And you might think, oh wow, he's like zooming through the town really fast. But no, no, no, it's all chill. Zen. It's ASMR. [Ray [REDACTED]]: Wow.
GRAHAM CLULEY. It is. It's very chilled out. It's wonderful actually to watch. So it's dash cam footage, but rather than it being, oh, get out my way, none of that. It's like, Oh, watch out for that cyclist there. Oh, maybe the blue van in front of me could have moved, but maybe I'll give him a little friendly beep.
CAROLE THERIAULT. Yeah, every pause is narrated, right? Every single pause. Because in London, if you don't know, there is a lot of traffic. We have a ton of traffic here. So every sight is absorbed, appreciated. I think he stops in a cul-de-sac to watch an Amazon delivery guy robots struggle with the high curb. You slow to allow a pigeon cross the road. You congratulate yourself for noticing a pedestrian about to cross from behind a parked van. And we celebrate this thing that actually has changed now my life.
GRAHAM CLULEY. All right. Yeah.
CAROLE THERIAULT. Which is the, like, when he's driving with his dash cam, he's letting pedestrians walk across and they wave and he gets a kind of frisson for double or even the triple wave, which he says is the mecca because if you go to four waves, it starts looking a little sarcastic. Right? So three is the most you can get as an honest, authentic wave from someone passing a road. So I've been trying it because I've been on foot a lot in Oxford. So I've been trying to do the triple wave. It's not easy to do. It's not easy to do, but it's making me, and people seem to like it. So, you know, just adding a bit of Zen to the roads in England would not be a bad thing. So. I loved it. You loved it, Graham?
GRAHAM CLULEY. I loved it as well. And I love that he, yeah, he does compliment people when they do a double wave or like you said, even a triple wave. And I think that is a random act of kindness that we should encourage on this podcast.
CAROLE THERIAULT. Absolutely. Exactly. [Ray [REDACTED]]: We don't— Well, it might fulfill one of your ransomware objectives there too as well, right?
CAROLE THERIAULT. Yeah. I was just going to say he doesn't need ransomware to do it. We could just do it on our own because we're good, lovely people.
GRAHAM CLULEY. So Carole, Is this a TV show as well?
CAROLE THERIAULT. Yes, it's on YouTube. It started on YouTube, and there's a TV show on BBC. And the episodes are— I don't think they're identical, right? I think just from looking on the YouTube ones, and I was kind of going through them quickly because I've already watched them on the BBC, there were certain things that were missing, uh, that were on the BBC one. So I think the fuller experience— I'd watch both. I'm gonna watch the YouTube ones. I want to see, right? Yeah. So I would say check it out. It is a really fun, wonderful experience. And it's comedy in a really fresh form. Zen Motoring, you can find it on YouTube and on BBC. We have the links in the show notes. And that is my pick of the week. [Ray [REDACTED]]: Now, Carole, do you think that if this was extremely successful, there might be like an American version where we just drive all over the place, cut people off and give them the finger? Totally.
GRAHAM CLULEY. Marvelous. Well, that just about wraps it up for this week. Ray, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that? [Ray [REDACTED]]: Oh, they can follow me at Ray [REDACTED].com. That's R-A-Y-R-E-D-A-C-T-E-D.com.
GRAHAM CLULEY. Super duper. And you can follow us on Twitter @SmashInSecurity, no G. Twitter would be nice to have a G. And there's also a Smashing Security subreddit. Don't forget to ensure you never miss another episode. You know how to do that. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge thank you to this episode's sponsors, Bitwarden and Kolide, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 276 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye!
CAROLE THERIAULT. I'm Ray. You may want to say bye. [Ray [REDACTED]]: Bye-bye!
CAROLE THERIAULT. There we go.
GRAHAM CLULEY. Perfect.
CAROLE THERIAULT. Oh, we're going to have a rainbow. It's raining and sunny. Woohoo!
GRAHAM CLULEY. Double rainbow all the way!
CAROLE THERIAULT. Yeah, that gives me frissons.
GRAHAM CLULEY. What can it mean?
-- TRANSCRIPT ENDS --