
356: Big dumpers, AI defamation, and the slug that slurped


This week the podcast is more lavatorial than usual, as we explore how privacy may have gone to sh*t on Google Maps, our guest drives hands-free on Britain's motorways (and is defamed by AI), and ransomware attacks an airplane-leasing firm.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by BBC Technology Editor Zoe Kleinman.

Warning: This podcast may contain nuts, adult themes, and rude language.


Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. I have to admit, I'm quite disappointed by Google Maps' ability to locate lavatories. Because I looked up my nearest toilet, the term they like to use, to where I am right now, and it is apparently 12 hours, 48 minutes walk away.


ZOE KLEINMAN. What?


GRAHAM CLULEY. Yes, it's quite a long way.


ZOE KLEINMAN. That makes me feel quite unwell just thinking about it.


UNKNOWN. Smashing Security, episode 356. Big Dumpers, AI defamation, and the slug that slurped, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 356. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week by a special guest, someone who hasn't been on the show for a while. We're delighted to have returned to the hot seat BBC technology editor Zoe Kleinman. Hello, Zoe.


ZOE KLEINMAN. Hello. How nice to be back.


CAROLE THERIAULT. So nice to have you back.


ZOE KLEINMAN. Oh, thank you.


CAROLE THERIAULT. Proper journo.


ZOE KLEINMAN. It's been too long.


GRAHAM CLULEY. Right, we're on a tight schedule today. So Carole, pull the lever.


CAROLE THERIAULT. It's weather depending if we can even get this show out. But before we kick this show off, let's thank this week's wonderful sponsors, Vanta and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Well, I'm going to be taking a slightly different look at data dump or telling Google to bog off, all sorts of things, actually.


CAROLE THERIAULT. Okay, sounds fascinating. Zoe, what about you?


ZOE KLEINMAN. I'm gonna be telling you about what happened when I thought a chatbot was lying about me.


CAROLE THERIAULT. Ooh. And I'm gonna talk about how a slug slimed aerospace. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, we all know, I'm sure, about Maslow's hierarchy of needs. Maslow's hierarchy of needs. Did you learn about that, guys, at school? Do you remember Maslow's hierarchy of needs?


CAROLE THERIAULT. Today it's sleep, sleep, sleep, sleep, and sleep. That's what I'm missing today.


GRAHAM CLULEY. So, your most basic needs, things like air, water, shelter, maybe a bit of grub. And then you have another layer, which is your personal security, your health, of course, employment, and then all that sort of squishy, squashy stuff like love and friendship and intimacy and family and all those sort of things. And some people these days think that a working internet connection overrides all of those needs, particularly me at the moment. My internet's been up and down like bonkers over the last few days after this storm.


ZOE KLEINMAN. Isn't there a whole campaign about making internet the fifth utility? You know, you've got electricity, you've got water, you've got gas. Maybe it's the fourth utility. And one of them, they say, should be the internet.


GRAHAM CLULEY. Well, there's so many things you can't do these days unless you've got an internet connection, have you? I mean, with a digital government, they're expecting you to communicate with them via websites or to have a phone in your back pocket, some way in which to interact with them.

I mean, how else can you pay your taxes, right? You know, sending in forms or cheques, you know, that's not going to work.

So you do need some sort of digital connectivity more and more today, I think. But I would argue there are times when something even trumps all of those needs, even Wi-Fi perhaps.

For instance, picture the scene: you're out, you're about, and you suddenly realise that you unexpectedly need to go to the loo. Very, very badly indeed.

At that point, you don't care about air and water. Depending on how desperate you are, you may not even want shelter.

You might just say, "I don't care. I'll just do it here." I don't know.

It doesn't matter if it's you or a young child, a toddler you're pushing around.


CAROLE THERIAULT. Graham.


GRAHAM CLULEY. Yes, Carole? Yes.


CAROLE THERIAULT. I have heard of adults wearing diapers. So if you feel you're getting caught short and you can't do big journeys, maybe you just need to wear a few diapers, and then you're not so nervous.

You know?


GRAHAM CLULEY. Maybe. Maybe, maybe.

You know what? I think that day is coming ever closer to me, Carole, to be honest.


ZOE KLEINMAN. We've just potty trained my toddler, so we've got a load of leftover pull-ups you can have if you want.


GRAHAM CLULEY. Yeah, they're probably my size.


ZOE KLEINMAN. Circular economy and all that.


GRAHAM CLULEY. Yes, they're fantastic. Fantastic.

Thank you very, very generous of you. So I think when you find yourself in that situation, it is more important than anything else.

So what do you do in that scenario? Well, in today's modern age, you reach into your pocket, don't you?

And what do you pull out? What do you pull out when you desperately need to go to the loo?

You pull out your smartphone, of course, because one of the things that you can get in the Apple App Store and the Google Play Store is a toilet locating app, which contain listings of millions of lavatories around the world. Oh!

Have you never used one of these, Carole?


CAROLE THERIAULT. No, but I think that could be very useful.


ZOE KLEINMAN. That's very useful.


CAROLE THERIAULT. I was on a city break this past weekend. And, you know, if you got lost or, you know, really need to have a wazz, you know, it might be useful.


GRAHAM CLULEY. You were in France, I believe.


CAROLE THERIAULT. I was in la belle France.


GRAHAM CLULEY. So you would want le toilette poche, I expect.


CAROLE THERIAULT. Well, no, no, they would all be— there was Fashion Week in Paris, so they would all be rammed with—


GRAHAM CLULEY. Oh, la di da! Well, there is a website as well.

If you don't have an app, there's a website called toiletmap.org.uk. And I went to this website as part of my research.

Do you know my nearest loo is 2 minutes' walk away from where I'm sitting right now?


ZOE KLEINMAN. Really?


GRAHAM CLULEY. And they will charge me 20 pence if I've toddled over to that particular loo. Thankfully, I have a lavatory actually a little bit closer en route to my front door, which I can use.


CAROLE THERIAULT. Listeners, please tweet Graham with the nearest loo to your house. We'd love to know.


GRAHAM CLULEY. Bookmark the link, everybody. Or of course, you could bookmark the link. You could have one of those loo-finding apps installed on your phone. But what are you going to do if you're desperate and you aren't prepared? If you haven't— imagine this scenario happening?

Well, that's when you go into Google Maps. So I went into Google Maps, and I have to admit, I'm quite disappointed by Google Maps' ability to locate lavatories. Because I looked up my nearest toilet, the term they like to use, to where I am right now, and it is apparently 12 hours 48 minutes walk away.


ZOE KLEINMAN. What?


GRAHAM CLULEY. Yes, it's quite a long way.


ZOE KLEINMAN. That makes me feel quite unwell just thinking about it.


CAROLE THERIAULT. Maybe Google Maps hasn't put a lot of research into where the flip are the toilets, you know?


GRAHAM CLULEY. You absolutely are correct, Carole. They haven't.


CAROLE THERIAULT. How could they not think of that?


GRAHAM CLULEY. There is an absence of public lavatories near me. If I go to the West Country, I'm doing a lot better. But here in the centre of England, very disappointingly— and the BBC really should be investigating this, I think. Google Maps.


ZOE KLEINMAN. Is that a hint? Is that a hint?


GRAHAM CLULEY. Just a little bit of a hint for the 9 o'clock news, maybe. But so— So I found out this loo is, and the reviews of it are quite good. A guy called David P, appropriately enough, left a review on Google Maps and reasonably clean, fresh and fresh for public toilets. No payment required, but there's no guarantee. It doesn't give me opening times. So I don't know if I should set off.


CAROLE THERIAULT. What does fresh mean in a loo context?


GRAHAM CLULEY. You know, just sort of, you know, fragrant, I imagine, you know, but in a good way. Anyway, not very useful to me. And I think the problem is that for some reason in much of the UK, loos, lavatories, bogs, public toilets, whatever you want to call them, aren't being added to these databases.

Now, anybody can add an entry to Google Maps telling it about a loo. And I think, hey, listeners, go and do that. Tell it about a local loo. You might save someone who finds himself in a predicament. Just you can tell Google Maps about businesses. But obviously, we trust our listeners to act responsibly, but can we trust the general public not to misbehave when it comes to listing things loos on Google Maps?


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. Well, this is what my story is about, in case you're wondering all this preamble. Because someone in Australia, it seems, cannot be trusted. An Australian man called Will decided as a prank to register the shared house he lived in in Canberra as a lavatory on Google Maps.


CAROLE THERIAULT. Nice way to meet new people, you know.


ZOE KLEINMAN. Can you imagine? He wasn't living in a cottage. You open your front door and there's a queue of quite desperate-looking people.


CAROLE THERIAULT. Hey, everybody! I'm so popular!


GRAHAM CLULEY. So it turns out this chap, Will, has for years been registering his houses as businesses on Google Maps as a joke. That's what you have to do in Australia for a bit of humour. You register your house as a business. So he used to live in a house which he registered as a McDonald's. And apparently cars would drive past slowly, drivers looking confused.


CAROLE THERIAULT. Hilarious.


GRAHAM CLULEY. It's a bit mean, really, if you're desperate for a—


CAROLE THERIAULT. What, for a Big Mac?


GRAHAM CLULEY. Yeah, it's not that funny, is it? Please don't do that. Another year, he registered that his shared house was a café. And years later, he came across a real estate agent who was listing another property, a rental, which boasted the rental was only 400 metres from his fake café. That was one of the selling points because they'd gone on Google Maps and said, oh, it's near this café.

Then that's— Oh, Will. So Google Maps, the information being stored on it about businesses and lavatories and facilities can cause all kinds of problems. And so this chap, Will, he registered the house he was living in as a public toilet on Google Maps and he called it Big Dumpers.


CAROLE THERIAULT. Wonderful. Smart. Really smart move. I'm sure this did not go wrong for him, you know.


GRAHAM CLULEY. It's Australian humour.


CAROLE THERIAULT. No, but again, okay, so someone has to go have a so-called big dump, knocks the door, he laughs at them. What are they gonna do, shit on his lawn?


GRAHAM CLULEY. Well, you know, I mean, maybe. I don't know.


CAROLE THERIAULT. Because they might have to.


GRAHAM CLULEY. They might have to, I suppose. They may have to do— they may be upset. I don't know how close the nearest other facility is.


CAROLE THERIAULT. It may not leave a 5-star review, is all I'm saying.


GRAHAM CLULEY. Well, people have been leaving 5-star reviews. His mates have been leaving reviews extolling the virtues of Big Dumpers. And of course, once other people leave reviews on a joke listing, other people are more likely to believe it and think, well, there is a loo there.

So is this a serious problem, is my question to you. Is this actually a problem? What do you think?


ZOE KLEINMAN. I don't think it's particularly widespread. I think it might be a problem if there was a worldwide emporium of big dumpers, but I'm not sure that there is.

About 15 years ago, I lived in a property with my ex-husband, and he registered that property to his business, which has long since gone.


GRAHAM CLULEY. Oh yeah.


ZOE KLEINMAN. But I was casually looking up where we used to live the other day on Google Maps, and I realized that it's still registered as being his business. And I don't really know what to do about it. But I can believe that a lot of these things are sort of subject to the goodwill, aren't they, of people keeping them up to date.

Have you seen that amazing thread about people revisiting old Google Street Views to see relatives who've died?


GRAHAM CLULEY. Oh, oh, oh, passed away, yes, that's right.


ZOE KLEINMAN. Yes, exactly. It's an incredible, very moving actually, discussion. It comes up from time to time, doesn't it? It's a sort of time capsule.

But again, that's a nice thing, that's a nostalgic thing. It's not gonna help you out if you're desperate for the loo.


GRAHAM CLULEY. No, I think this particular issue of this chap highlighting that his old property was a public loo isn't that big a problem. Apparently no one ever came round desperately looking for the loo. If he had, he'd told them to, you know, turn turtle and go away.

But a couple of years later, Will, who'd moved out of the house, checked out and noticed Big Dumpers was still remaining on Google Maps. And what do you know, if you looked up Big Dumpers on Google Maps, it also showed popular times.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Times when the location was right. This is the security angle. This is the privacy angle.


CAROLE THERIAULT. Finally. Okay. 9 minutes in.


GRAHAM CLULEY. Right. Because what he found was that Google was logging the geolocation data of people with smartphones who came to that property. And so Will was able to see 9 o'clock in the morning on Thursdays was a really busy time for Big Dumpers. According to Google Maps.

But later, it was normally completely empty.


CAROLE THERIAULT. You're sure there was no toilet sensors or anything?


GRAHAM CLULEY. No, no, no. Because I was thinking, you know, Google obviously are very invasive. They would monitor all kinds of devices being used. You can imagine they might— their mind boggles, literally, about that kind of thing. But yeah, so if you registered an address on Google Maps, you might later be able to pick up when people are likely to be there and when they're not.

So, when that's a private home that's actually in there, that could potentially be rather useful. I mean, obviously this popular times is handy if you want to go to a café or a restaurant or a cinema or some other facility.

You can look at it on Google Maps and it says, oh, the supermarket's really busy right now. But if you go along at 9 o'clock at night, it's not so busy.


CAROLE THERIAULT. It doesn't take fricking Google to know that, does it, really?


GRAHAM CLULEY. No, but I mean, there are times when you think, well, should I? 'Oh, it's really popular right now. You might want to go at a different time,' or, you know, sometimes it's not obvious.

So, it's interesting. There's even a live, is it busy right now, which Google Maps can tell you as well.

And of course, the way in which Google Maps is telling this is through people's smartphones. Because if you've got Google Maps on your phone, Google can periodically check in on the location of your phone and see, to find out where you are, what you're up to, and whether a location can be assumed to be busier.

So, all kinds of information can begin to leak out. And I think it wouldn't take a genius to work out how, if it's a private home, that potentially could be information you don't want made public or be able for anyone to access and cause mischief with.


ZOE KLEINMAN. There was a site a few years ago called Please Rob Me. And all it basically was, do you remember that?

It was like an RSS feed, wasn't it, of data of people posting on social media going, "Woo-hoo, I'm off on holiday with the family."


GRAHAM CLULEY. Right.


ZOE KLEINMAN. And basically, you know, advertising that their house is going to be empty. Yeah.


GRAHAM CLULEY. So, folks, if you don't like the idea of Google tracking your location, you can go into the settings on your phone. For instance, on your iPhone, you can say, you know, only maybe ping my location when I have the Google Maps app open, or you can turn it off completely, although other things may stop working then.

I remember a few years ago there was a German artist who pulled a kid's toy cart around after him around Berlin.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And he had 99 smartphones in this little toy cart he was walking around with. And Google Maps thought there was a traffic jam in Berlin.


ZOE KLEINMAN. Beautiful.


GRAHAM CLULEY. Because he was showing all these phones moving very, very slowly. But that doesn't really help in regards to people whose addresses might have been registered.

So I think, Zoe, you need to go and speak to your ex-husband and say, for goodness' sake, deregister that address because it could do harm for someone else in future.


ZOE KLEINMAN. Okay.


GRAHAM CLULEY. If you're on speaking terms of it.


ZOE KLEINMAN. We are on speaking terms. I'm not quite sure how I'll bring this up, but I'll try.


GRAHAM CLULEY. But, you know, other people need to think about their own privacy as to how much information they're sharing with Google. But it's an interesting way in which Google Maps could be revealing more than we want to about people's behaviour.

Zoe, what have you got for us this week?


ZOE KLEINMAN. Well, I want to tell you both a little story about something that happened to me that I think is going to basically happen to all of us at some point. And it's a sort of cautionary tale of how difficult it is to manage.

So I had a little flurry of activity on social media. People were sending me this screenshot and going, "Oh my God, have you seen this?" You know what, it's never good news when people start doing this. So I had a look at it and it looked like a screenshot from Grok, which is the AI chatbot that's been set up by Elon Musk's company, xAI.

And the person who'd posted it had written, "Give me a list of the top 10 spreaders of disinformation on X." And there were some really big US conspiracy theorists on this list with millions of followers who were posting content about big-style conspiracy theories. And number 9 on the list was me.


CAROLE THERIAULT. What the heck is she doing on the show, Graham?


GRAHAM CLULEY. How did you get on?


ZOE KLEINMAN. This is my final appearance on Smashing Security.


CAROLE THERIAULT. You must have been gobsmacked.


ZOE KLEINMAN. I was very surprised because there was nothing— I didn't have anything in common with any of these other accounts. I didn't know them.

None of us followed each other. I've never reported on them. There was nothing that I could see. There were no sort of obvious data points that would put me on a list with these people, right? We know that AI is trained on loads of data. We know that it sometimes joins dots wrong.


GRAHAM CLULEY. Yeah. You have a cool Twitter handle though, don't you? 'Cause you're one of those—


ZOE KLEINMAN. Oh, thanks very much.


GRAHAM CLULEY. You're one of those people who only has 3-letter Twitter handles. Very cool. ZSK. It's very cool, that. I wonder if that could have been a factor.


ZOE KLEINMAN. Well, I don't know. I mean, I didn't know how I'd got on it, but clearly I'm a working journalist.

I work at the BBC. This is not a list that I want to be on.


CAROLE THERIAULT. No, right.


ZOE KLEINMAN. But it hadn't gone mad viral, you know. I wasn't seriously worried about it, but I thought, as a test case, I'd like to see what I can do about this.


GRAHAM CLULEY. Mm-hmm.


ZOE KLEINMAN. So— I do actually happen to know a bit about this stuff because I've done a lot of reporting on AI and regulation. And while various territories and countries seem intent on doing their own thing, the one thing that a lot of them do agree with is that you should be able to challenge a decision made about you or content produced about you by an AI tool, right?

And here in the UK, what the UK government has said is they want to fold it into existing regulators. So if you think you've got a problem, you know, you go to the regulator you would go to if you had that problem in any other area of your life.

So I thought, okay, I'll try the regulators. So I went to the Information Commissioner's Office and said, you know, this is doing the rounds, what do you think, what can I do? And they said, no, it's not us because this is content rather than data. You know, they're the data protection people. They said, go to Ofcom.

So Ofcom, it polices the Online Safety Act, which is all about online harm. I thought, right, yeah, it makes sense. So I said to Ofcom, can you help me? You know, this has happened. I sent them the screenshot and they said, it's not us because, while it's not nice, it's not criminal.


GRAHAM CLULEY. So they sent you to the Milk Marketing Board and they said, wow, they only care about criminal reports.


ZOE KLEINMAN. That's what they said. That's what they said. It's not criminal, so we can't deal with it. They said go to a lawyer. So I went to two lawyers who claimed to specialize in AI-related cases. The first one didn't want to talk to me at all, and the second one said there is no precedent for this yet.

There are a handful of cases going on around the world, but there's been no solution to any of them yet. So it's a difficult one. She said I was in uncharted territory and I could go for defamation because it was defamatory. You know, I was on this list, I'm identifiable, and it's been published. But there was no guarantee that I would win, and the onus would be on me to prove that it had caused me harm.

I should also say, by the way, that I went to X, which is the owner of this chatbot, and guess what? They completely ignored me. So I didn't get anywhere with anything.


CAROLE THERIAULT. Not even a poop emoji?


ZOE KLEINMAN. No, I didn't even get a poop emoji. I've got absolutely nothing. Radio silence. So I was really interested in this because, you know, basically I never set out to sue anyone for defamation, but that was the route that I was pushed down, really.


CAROLE THERIAULT. Yeah.


ZOE KLEINMAN. And even then I was sort of told, well, you know, there's no guarantee that you're going to get anywhere with this because nobody ever has. And then the sort of final plot twist to all of this is that I'd also showed it to — we have a team here called BBC Verify, and they are amazing.

They are who basically look at sources and information and try to verify it and check out sort of fake news. And they said they think there was a reasonable chance that the screenshot itself was faked. So that's kind of the conclusion of it, which was slightly weird in itself.

But for me, I felt like, you know, Zoe Kleinman, the tech editor of the BBC, I've got time to pursue this and I know how to do it because it's my job. Zoe Kleinman, full-time working mum of 3, I had no time to do this and I don't know where to start. And I think that's the person I'm worried about. This is gonna happen more and more. We know that the AI chatbots, they call it hallucinate, don't they? Which basically means make stuff up about you. So where is the accountability there?


CAROLE THERIAULT. Yeah, and it's almost like the next phase of cyberbullying. I can see this happening with disgruntled employees pissed off at another employee and just doing little shit-stirring activities online that are kind of untraceable. Ish, right? Because they're shared. So I don't like it at all.


ZOE KLEINMAN. It's worrying, isn't it? And I think, you know, we don't know what data these AI tools are being trained on. We don't see it.

The people who own a lot of them say they don't really understand sometimes why a tool comes out with the result that it does, right? They don't know themselves. So there's a lot of unknowns here. But ultimately, I guess the question is, is it their responsibility?

You know, in the early days of social media when Facebook was going, "We're not a publisher, we're just a platform and everyone's putting stuff on us and it's got nothing to do with us." And we've kind of gone, "Well, actually, I think you'll find you do have to take some responsibility." And everyone's so desperate to avoid that situation again. But I sort of felt a bit like, this is not going so well, is it? Because, you know, here I am sitting here trying to sort it out and actually I can't.


GRAHAM CLULEY. At the very least, you should be able to add a note to the tweet or something so other people who retweeted can say, look, this is why this particular post can't be trusted — because you do see that on Twitter, don't you? People can leave comments and then other people will vote if they agree with you that it's misinformation.


ZOE KLEINMAN. Yeah, there are community notes. But the other thing you have to bear in mind, and Graham, you have a large following on X, I know. Carole, I'm sure you are a superstar in it as well.


CAROLE THERIAULT. No, I don't. I don't have no idea.


ZOE KLEINMAN. But you know, sometimes getting involved in it gives it more amplification than actually it would if it just died out. And I thought— I've been in this position many times. I'm sure you sit on your hands because you want to engage with it, but actually you know that you'll make it worse because suddenly, in my case, you know, 35,000 followers will see it when maybe only 1,000 have at the moment.

So it's that battle, isn't it, between wanting to defend yourself but not wanting to avalanche yet more of a pile on onto you.


CAROLE THERIAULT. And that's why you came to Smashing Security, and we love you for that.


ZOE KLEINMAN. And that's why I'm here, exactly, in a nutshell.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. I'm talking about how a slug slimed aerospace. So have you guys heard of AerCap? I don't know how you say it. A-E-R. It's a Dublin-based company. AerCap. I'm going to say that.


GRAHAM CLULEY. Well, I don't know. AerCap. I don't know what that is.


ZOE KLEINMAN. No. No.


CAROLE THERIAULT. They're an Irish aviation leasing company. Now, I didn't know there were aviation leasing companies. I suppose I never thought about it before, but apparently airlines lease aircraft from other airlines or these leasing companies just to basically avoid the financial burden of the purchase of buying a plane.


GRAHAM CLULEY. Well, yeah, you don't want to buy— planes are expensive. So I guess buying a car is expensive, and sometimes it may make more sense to lease one for a while.


CAROLE THERIAULT. Right. So maybe around Christmas, you might go and lease a plane or two planes just to increase capacity because you have more people traveling.


GRAHAM CLULEY. I don't know what kind of Christmas parties you have, Carole, that you're leasing planes.


ZOE KLEINMAN. Do you ever feel some people live really different lives to you, Graham?


CAROLE THERIAULT. Now, AerCap seems to be the largest leaser of airlines in our global town. And the reason I'm talking about these guys is that AerCap just confirmed that it suffered a cyberattack on January 17th.

This was reported this week by Reuters. And it seems it was a ransomware attack that snuck in and got away with a terabyte of data.

And for those who aren't sure, it's a lot, a lot, a lot of data.


GRAHAM CLULEY. Well, it depends, doesn't it? It could be a database of plaintext records, or it could be a bunch of torrent movies which have been downloaded from some torrent site. So they've got, you know, the latest Mission: Impossible.


CAROLE THERIAULT. They just went on to the administrator's private cache.


GRAHAM CLULEY. Yeah, exactly. When they say, oh, you know, it's a gigabyte or something like this, well, it might be a lot, might not be so much.


CAROLE THERIAULT. But a terabyte, man.


GRAHAM CLULEY. Yeah, okay. All right. Yes, it is quite a lot of data. All right. I'm being silly.


CAROLE THERIAULT. It's significant. And the users, the group rather, the group who claim to be leading this little ransomware boogie-woogie are known as Slug.


GRAHAM CLULEY. I haven't heard of them before.


CAROLE THERIAULT. Slug.


GRAHAM CLULEY. Slug.


CAROLE THERIAULT. They're brand new, apparently.


GRAHAM CLULEY. Right. All the good names are gone.


ZOE KLEINMAN. It's an unusual name, right?


CAROLE THERIAULT. Because normally we were talking recently about how they all had tough guy names, you know, these scammers. And this is kind of the opposite. It's gross imagery.


GRAHAM CLULEY. Yeah. Yes.


CAROLE THERIAULT. Anyway, so this all came to the public eye with HackManac. This is a group that manages the largest repository of cyberattacks from open sources, and they first reported the incident on the 18th of January, the day before AerCap made its filing to the SEC. And this is all according to the Airfinance Journal, another brand new publication in my echo chamber, Airfinance Journal.

So HackManac CEO Sofia Scalzari, she said, "We identified the new cybercriminal group named Slug during our analysis of the dark web. This post is authentic." And they, according to Slug, who left some comment, they say that AerCap was its first victim.

Now Slug have reportedly told AerCap that they have until the 29th of January to pay up or enter negotiations and stuff. Exactly, to settle up with a payment or the data that they've stolen would start oozing out like slug slime.

Of course, this is not the first time aerospace kingpins have been hit. Last year, Boeing was faced with a cyberattack involving 45 gigs of data. And I think what I found interesting in all this — so we don't know what data was stolen.

I can't find any information on that as yet, but this story is still unfolding. We also don't know how much the payment negotiations are, but we rarely know that at this stage, whether they decide to pay or not pay.


ZOE KLEINMAN. Well, you're not meant to, are you?


CAROLE THERIAULT. Yeah, right. But it's interesting. So this comment was made by Air— I've written Aircrap here. Can you believe that?


ZOE KLEINMAN. AerCap.


CAROLE THERIAULT. I'm sorry.


GRAHAM CLULEY. I think you're mixing up with my story, Carole.


CAROLE THERIAULT. Yeah, autocorrect, autocorrect. So AerCap said, "We have full control of our IT systems, and to date, we have suffered no financial loss related to the incident." So that's their primary comment. Do you not feel, do you really have full control? Really?


GRAHAM CLULEY. Well, it doesn't sound like they have full visibility. At least they're not sharing it at the moment as to what data has been taken. I mean, that's one of the first questions you would want to know if you were a company which dealt with AerCap, if you were in the business of leasing aircraft through them.

You may want to think, well, has anyone got any information about us that you were storing that they might attempt to exploit?


CAROLE THERIAULT. I don't know. I think after a terabyte had been stolen, you had to go public. If I were a shareholder, and they seem to be catering quite strongly to shareholders based on their homepage, it seems to be, you know, they're very, well, come on in.

If you want to invest, we're here. But there's no information about this ransomware at all there that I could find.


GRAHAM CLULEY. That does annoy me. Often you will find company websites after they've suffered a cyberattack won't mention it in the least. Even online commerce sites, you know, where you're buying things from an online store where the information's been stolen.

If you are a new customer the following day, you might go to that online store and there won't be a mention of it. There'll be some, there might be an advisory squirreled away deep inside the press section, there might be a release about it, but it's like, shouldn't this be front and center so people can make an informed choice as to whether they want to trust you with their sensitive data or not?


ZOE KLEINMAN. I agree with you there, but I also think I sort of feel a sense of helplessness when you get the inevitable email saying, "Oh, we think, you know, we've been compromised and we think you might be in it, but we don't really know and we're not sure what data of yours." We don't think it was any bank account details, but it might be, you know, keep an eye on your bank account. And you're "what actually is the purpose of this information?"

You're not giving me anything at all that's either concrete fact or that I can do anything about.


CAROLE THERIAULT. Yeah, it's not actionable, it's just worrisome.


ZOE KLEINMAN. Yes, exactly.


GRAHAM CLULEY. I suppose it's to cover their ass if the ICO later investigate and say, "Why didn't you inform customers?"


ZOE KLEINMAN. Yeah, but isn't the process flawed? What are you telling me? You know what, there's absolutely nothing I can do about this, is there?

If you've got, we had a situation here at the BBC where there was a potential hack of a payment system that was used. And I say potential because I now think they're not even sure whether BBC data was included in the breach or not. So you've got free credit monitoring for a couple of years, I think. But it just sort of, it did feel both worrying but also completely powerless.

There's nothing I can do about this, you know. If somebody's got hold of my National Insurance number, what can I do about that? Nothing.


CAROLE THERIAULT. I totally get that no company wants to advertise or market the fact that they were kneecapped by a cyberattack in some way, right?


GRAHAM CLULEY. Yeah, yeah.


CAROLE THERIAULT. Especially if, you know, the person who's done this to you is apparently called Slug, you know, that makes it somehow worse.


ZOE KLEINMAN. That kind of makes you even more memorable. I was gonna say, genders do know, but we do hear about so many of these things that we don't necessarily remember. But I reckon I'd remember Slug.


CAROLE THERIAULT. Yeah, easy to spell as well, right? So maybe it's not so silly.


GRAHAM CLULEY. I was thinking, if only the passwords were salted.


CAROLE THERIAULT. Oh, oh, oh, oh, oh.


GRAHAM CLULEY. That's possibly too nerdy. Bit too geeky, that one.


CAROLE THERIAULT. But I think it goes to show that while we're all still AI mad at the moment, right? I am completely. There's still things like ransomware that are not new or sexy, but still rife.

And as long as there's money to be made, data napping isn't going anywhere. Napping. See, nappies, napping.


ZOE KLEINMAN. Interesting.


GRAHAM CLULEY. Well done. Well done.


ZOE KLEINMAN. There's so many threads to this, though, aren't there?


CAROLE THERIAULT. This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's applications, SaaS apps, and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out.

Welcome to Kolide, a world where access is only given to approved, secure devices. As the administrator, you can manage every operating system, even Linux and Macs, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning fewer resources are needed to effectively operate a more secure environment.

Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing. That's kolide.com/smashing. And huge thank you to Kolide for sponsoring the show.


GRAHAM CLULEY. Shortcut compliance without shortchanging security. That's what Vanta can bring your company. Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money.

Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.

From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta.

Just go to vanta.com/smashing to claim your discount. Vanta.com/smashing. And thanks to Vanta for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Zoe Kleinman.


ZOE KLEINMAN. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security-related. My pick of the week this week is a YouTube channel run by an American comedian and singer called Randy Rainbow. Do either of you know of Randy Rainbow?


CAROLE THERIAULT. No.


GRAHAM CLULEY. No? Well, he's quite a jolly chap, I have to say. He's a big fan of the show tunes, and he makes political satirical parody show tune videos from a liberal perspective. Basically, not a big fan of Donald Trump.

So sorry for any listeners who are big fans. To be honest, I think we lost most of you long ago. But anyway, Randy Rainbow makes a series of videos.

So he will do show tunes. "Don't Rain on My Parade." That will be "Don't Rain on His Parade." Don't tell him he's a dirty lying braggart.


CAROLE THERIAULT. Life's Big Macs and the son's a ball of MAGA. Don't anybody dare rain on his parade.


GRAHAM CLULEY. I don't have a lot of time. And it's quite amusing, just these little mock videos interviewing, maybe it's Donald Trump or another presidential candidate talking about things going on in the news.

He did a parody of "Lucy in the Sky with Diamonds" and it was "Donald in the John with Boxes." If you remember, there were lots of sensitive documents being stored in Mar-a-Lago's restrooms. I find him quite amusing.

Obviously, I have to take my mind off what is happening in America. Who knows who's going to be president? Oh, we've got that to look forward to.

In the meantime, I'm cheering myself up, my little liberal heart, by watching some of these videos on YouTube. Randy Rainbow. I found them quite amusing. Maybe you too. And that is my pick of the week.

Zoe, what's your pick of the week?


ZOE KLEINMAN. I recently test drove a new car, and it was the Ford Mach-E. Now, full disclaimer, they lent it to me so that I could try out hands-free driving on the motorways. And here in the UK, I know that in the US and China, you guys are all way ahead of us, but here in the UK, this is the only car that you can do it with.

And it only works on the motorways, and it's geofenced, so it switches itself on when you are in the zone. You can't, well, you probably could, Graham, but I don't know how to make it, how to break that. And I wanted to try it out because there's a lot of noise about automated driving, isn't there?

We've got the government here saying they want to introduce more automated driving on Britain's roads. So I decided to have a go. So I just took it, I had it when I was in London, and I took it around the M25, which is the motorway that goes around the city.

It's one of the biggest, busiest motorways. And basically what you do is you get onto the motorway and you activate the cruise control, and then when you're on the motorway properly and you're settled, basically there's a screen that goes blue and then it says you can take your hands off the wheel now. And I did, and I found it incredibly weird.

I've been in driverless cars before, but I haven't actually been in control of a driverless car before. And you know what, you don't have to have your foot on the accelerator, on the gas pedal, but I did because I felt like I've got to have even if it's just my big toe, I've got to feel like I've got a little bit of control of this car. And I sat there and the other weird thing is you've got to watch the road, right?

So there's trackers, I think they're below the mirror in the center, so they're watching your eyes. You've got to watch the road because legally you are still in charge of the car even though you're not doing anything. So I didn't know what to do with my hands, and it reminded me about 20 years ago now I quit smoking and I went through this really weird phase.

I just didn't know what to do with my hands at all, ever, and I felt really awkward. And I really live that moment of thinking, so I don't need to have my hands on the steering wheel, but I can't do anything else. I still can't pick up my phone, I can't read the paper, I can't go on Twitter and tell everyone what I'm doing.

So I don't know what to do with myself. But it was a really interesting experience, and it made me think, you know, I was watching other drivers around me who were driving past because we were filming it as well, so I was trying to be quite exaggerated so it was obvious that I was not driving this car. And I could see people looking at me going, what is she doing?

You know, this car is an accident waiting to happen. But I wondered what you guys think about the whole concept of driverless cars and whether we are ready for them.


GRAHAM CLULEY. Oh, I think it might make the road safer when everyone's got a driverless car, but of course it's a bit of a worry when other people haven't.


CAROLE THERIAULT. Yeah, I worry what people are going to do with their hands if they don't have to have them on the steering wheel.


ZOE KLEINMAN. There is also that. I did keep my hands in full view, I have to say.


GRAHAM CLULEY. Was your car overtaking other cars and doing things like that as well?


ZOE KLEINMAN. So it didn't overtake, but it did undertake. And I thought, oh, I don't think I would have done that.

And I actually looked it up. It's not illegal, but it's strongly discouraged in the Highway Code.

So that's to undertake a car on the left-hand side. But it did do that a few times.

It didn't change lane. You had to change lane to make it change lane, and then you sort of took back control for a bit.

Another thing it did that I wouldn't do was it accelerated when you came off the slip road. So as you come off the motorway, you kind of regain control, but in that brief second, it would accelerate.


GRAHAM CLULEY. Well, that's not good. Yes.


ZOE KLEINMAN. Now, I would decelerate coming off a motorway because you're going quite fast, right? So it did a couple of things that I think I would not have done.

But I don't know, I sort of felt like— I do a lot of driving. I live in Glasgow now, but I come down to London a lot.

My family's all in the south of England, so I'm up and down those motorways a lot. And I did sort of think, actually, this is quite nice.

I feel like I could relax into this. But would I relax too much?

Would I fall asleep? You know, would I just be bored?


GRAHAM CLULEY. I was thinking, would you get some sunglasses with fake eyes impressed upon them so you could sleep and the video sensor would think that you are paying attention?


CAROLE THERIAULT. You haven't blinked in 20 minutes.


ZOE KLEINMAN. Well, obviously I was not going to do anything remotely illegal, but I did wonder whether the eye tracking— you know, if I had my phone taped to the windscreen, would it know that I was watching YouTube rather than the road? I did not test this because it would be illegal, but I did wonder, I did wonder if there was a way around it that way and how safe that would be.

Because I think the thing is that, you know, if you drive long distances, it's boring, isn't it? They say don't drive for too long because you get tired, you get bored, you've got to take a break.

And I wondered whether it's sort of the same with driverless cars but kind of worse, because although you've got to stay alert, you're not actually doing anything.


GRAHAM CLULEY. Yeah. I think it is going to be unsettling for many of us.

I think these things are inevitable. It's going to happen.

And it's going to be strange. I mean, frankly, it was strange when we had to stop cranking up cars to start them or had a little man running in front with a red flag, wasn't it?


CAROLE THERIAULT. Oh, you remember that, do you?


GRAHAM CLULEY. Oh, you'd be surprised, Carole. But it's going to be an odd experience.

But then, our kids probably will never learn how to drive a manual.


ZOE KLEINMAN. No.


GRAHAM CLULEY. They're all going to be driving automatics.


ZOE KLEINMAN. Yeah.


GRAHAM CLULEY. I mean, your toddler is just going to be having probably a fully automated car, aren't they?


ZOE KLEINMAN. But the thing that worries me is, quite possibly he will. You know, if my toddler never learns to drive a car, great.

But what if he actually suddenly then does have to take control of the car because it's malfunctioning? He's not gonna know what to do because he's never driven before.


CAROLE THERIAULT. Isn't motherhood fun?


ZOE KLEINMAN. Another thing to worry about.


CAROLE THERIAULT. Another dilemma.


GRAHAM CLULEY. Carole, what's your pick? Of the week.


CAROLE THERIAULT. My pick of the week this week is a little card game called Taco Cat Goat Cheese Pizza. Have either of you played?


GRAHAM CLULEY. Sounds like a recipe for one of your dinners.


ZOE KLEINMAN. It sounds like a Netflix series, I think.


CAROLE THERIAULT. I don't know, it's kind of, okay, it reminds me of a game which, you know, the name escapes me, but you will remember. But you basically, you shared all the cards like a card game, and there's pictures of these, either a taco, cat, goat, cheese, pizza, on a random selection of cards that you have in your hand.

You're not looking at these cards and you've got to flip them over, but sequentially say those words, those five words in that order. And as you go around the table, even though your card doesn't match that, does that make sense?


ZOE KLEINMAN. Yeah.


CAROLE THERIAULT. And then if it does match is when everyone has to notice and put their hand down. And the last one collects the cards, and the whole goal is to get rid of all your cards.

So the more cards you collect, the shittier it is for you.


ZOE KLEINMAN. Okay.


CAROLE THERIAULT. Quite fun. Very easy. No rules.

You know, sometimes you go to people's houses and they go, hey, do you want to play Catan? And you might go, I've never played Catan before. And they go, okay, let me explain the rules. And an hour and a half later, you're just, I don't want to do this at all anymore.


ZOE KLEINMAN. I can't bear that. I am so nervous if people say, come around and play a game.

I just think, oh, I'm not going to be able to. I'm going to stop listening halfway through the instructions.


GRAHAM CLULEY. I think I've been at your house, Carole, when you've tried to describe that it's a card game called shitface.


ZOE KLEINMAN. Shithead.


GRAHAM CLULEY. Yeah, shithead. I cannot get my head right. I mean, we call it—


CAROLE THERIAULT. The kids and I call it poo head. Poo head. So, yeah.


GRAHAM CLULEY. Oh, okay. I can't— I just don't—


CAROLE THERIAULT. It's so easy as well.


GRAHAM CLULEY. Exactly. I'm always told that.


CAROLE THERIAULT. So an eight-year-old learned. So, you know, anyway, this is a card game you would buy as a box.

You could probably build it yourself. It's great fun. We had a great time when we were out in La Belle France. And that is my pick of week, Taco Cat Goat Cheese Pizza.


GRAHAM CLULEY. Terrific. Thank you very much.

And thank you, listeners. That just about wraps it up for this week. Zoe, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?


ZOE KLEINMAN. Oh, please do. I don't know where to start these days.

There's so many different platforms out there that we're meant to be on. Why don't I just give you X, which we all know is still really Twitter. It's @ZSK.


GRAHAM CLULEY. Simple. You can follow us on Twitter at @SmashinSecurity, no G, Twitter wouldn't allow us to have a G.

We've also got a Mastodon account and you can also look us up on Reddit and don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And the biggest shout out to our episode sponsors, Kolide and Vanta, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 355 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye.


ZOE KLEINMAN. Bye-bye.


CAROLE THERIAULT. Great stories.


GRAHAM CLULEY. Thanks so much, Zoe.


ZOE KLEINMAN. I hope that was all right.


GRAHAM CLULEY. Oh no, it's terrific. I was able to find the video of you driving and things on TikTok and on Twitter, so I'll link to those in the show notes.


CAROLE THERIAULT. I have one question. So, okay, it takes over, right?

It's driving for you, but then suddenly you're, I don't like what you're doing, and you put your hands on the steering wheel. Do you automatically get control again?


ZOE KLEINMAN. Yeah, it just switches off. Yeah, exactly. Or if you hit the brake, if you do anything, it just gives you back control of the car.


CAROLE THERIAULT. Yeah.


ZOE KLEINMAN. But you can't activate it. It's— well, it activates and says you can take your hands off the wheel now, but you don't have to, obviously. But you can't switch it on. You can't choose for it to come on when you're ready. It tells you when it's ready.


CAROLE THERIAULT. Yeah, you need two stress balls in each hand, right? Just so you can kind of work on the RSI problems that we all have as computer users. And, you know, get rid of some of the, oh my God, I'm gonna die

-- TRANSCRIPT ENDS --