
372: The fake deepfake, and Estate insecurity


Remember when a US mother was accused of distributing explicit deepfake photos and videos to try to get her teenage daughter's cheerleading rivals kicked off the team? Well, there has been a surprising development. And learn how cybercriminals have been stealing boomers' one-time-passcodes via a secretive online service.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


UNKNOWN. This is the PayPal security team here. We've detected some unusual activity on your account and are calling you as a precaution. Smashing Security, Episode 372: The Fake Deepfake and Estate Insecurity with Carole Theriault and Graham Cluley.

GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 372. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Carole, exciting times for you, of course, because you are exhibiting at Arts Week, aren't you? Some of your paintings and things. How's that been going?


CAROLE THERIAULT. Well, I'll tell you about it in my pick of the week. How about that?


GRAHAM CLULEY. Oh, terrific. Look forward to it.


CAROLE THERIAULT. All right. But first, why don't we thank this week's wonderful sponsors, Kolide, KiteWorks, and Vanta. It's their support that helps us give you this show for free.

Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be talking about a telephonic con job.


CAROLE THERIAULT. And I'm gonna ask, did they fake a deepfake? And if they did, why? All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, there you are. At home. And there's a device in the corner of the room, isn't there? A device maybe which might be on a wire, depending on how old you are.

Let's hear what noise it makes. It goes, 'Brrr, brrr, brrr, brrr.' Recognise that noise?


CAROLE THERIAULT. 'Brrr, brrr.' Yeah, our audience isn't 5 years old.


GRAHAM CLULEY. Are you going to answer it?


CAROLE THERIAULT. Oh, yeah, yeah. Hello? Yes, Graham.


GRAHAM CLULEY. Okay, you answer the phone, and a robotic voice speaks. It says, This is the PayPal security team here. We've detected some unusual activity on your account and are calling you as a precautionary message. Please enter the 6-digit security code that we've sent to your mobile device.


CAROLE THERIAULT. Graham, this is so apt that you're speaking about this right now.


GRAHAM CLULEY. Oh, really?


CAROLE THERIAULT. Because I'm in the process of trying to get a new credit card. And, you know, I don't get a lot of these calls, but when I get them and I realize it's a robotic voice, I typically just hang up, right? I just go, "Oh, God." And this happened, but I hung up too quick, and then I heard that it said the name of the credit card company. And I think they're trying to validate or verify me via my phone now.

And yeah, okay, so carry on. I'm interested.


GRAHAM CLULEY. So you received this call. Yeah. And you think fair enough. And you look at your mobile phone and beep, beep. Sure enough, you have received a six digit code from PayPal via text message.


CAROLE THERIAULT. Yeah, I can see that working. Okay, yeah.


GRAHAM CLULEY. And so what you do is you switch back to the call where the robot's waiting for you and you go, yep. And a hacker has just bypassed multi factor authentication and accessed your PayPal account.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Yeah, yeah. It could have been just as easily your bank account, your credit card, your Amazon account, your email, your cryptocurrency wallet. Shazam! The money has gone.


CAROLE THERIAULT. Right. I hope you're listening, credit card company.


GRAHAM CLULEY. So this is obviously not good. What's happened here is there are online services which, if you forget your password, for instance, as an additional form of authentication, will text a number to your smartphone, and you then enter that number as you try and log in, and it allows you access to the account.


CAROLE THERIAULT. Yeah, I have a number of accounts that do this.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And you know, the thing I always think is hilarious is that they send you the number, right? And they say, don't share this with anyone. Don't share. But then they're requesting it.


GRAHAM CLULEY. But this isn't sharing it with anyone. This is sharing it with PayPal's robot, which has just rung you up. And because it's not someone going, "Hello, this is, do not worry at all." Because this isn't someone from, maybe I shouldn't do an accent. I'm not sure.


CAROLE THERIAULT. No, definitely you shouldn't do an accent.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. God, how many years? How many years?


GRAHAM CLULEY. Because this isn't someone speaking to you saying, "Oh, you know, this is PayPal. We're about to call you." Because it's a robot saying, "This is the PayPal security team." You think, well, that's quite plausible.


CAROLE THERIAULT. No, no, I agree with you. A number of services I use use this method as an extra level of authentication with me.

And it's a valid approach that bona fide companies use all the time. So I can see why you'd fall for it.


GRAHAM CLULEY. And as you said, it doesn't matter that the text message you have received will normally say, do not tell anyone this number. And you think, well, you're only sending me the number because I have to enter it onto a PayPal site, or in this case, respond to the so-called PayPal robot.

Meanwhile, hundreds or thousands of miles away, the attacker behind this hack has had a message pop up on their screen saying, "Got another boomer." Now, a boomer is someone—


CAROLE THERIAULT. A whale?


GRAHAM CLULEY. No, no, no, no, no, no. My son has called me a boomer before.


CAROLE THERIAULT. You're not old enough to be a boomer.


GRAHAM CLULEY. Well, I agree. Boomers had to do with the baby boom, right?


CAROLE THERIAULT. Yeah, that's what I know it is to be. That's my parents' age.


GRAHAM CLULEY. Wasn't the baby boom around about after World War II? Everyone came back from the war and decided to have sex.

As if there weren't enough things going wrong in the world.


CAROLE THERIAULT. Well, they probably weren't tapping that as regular while they were fighting, you know?


GRAHAM CLULEY. I suppose not. But as if life weren't miserable enough.

They have a baby, out it pops. But I think baby boomers, they must be at least about 80, around about 80 by now.


CAROLE THERIAULT. Yeah, yeah, my parents' age, yeah, yeah.


GRAHAM CLULEY. Right, okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. So I don't know what I am.


CAROLE THERIAULT. You're close to that.


GRAHAM CLULEY. Well, I think I'm a product of the Summer of Love, maybe slightly delayed. I'm sort of—


CAROLE THERIAULT. Are you digressing from the story at all?


GRAHAM CLULEY. Possibly I am. Anyway, so this message pops up on the hacker screen saying, "Got another boomer."

And it turns out there have been over 93,000 attacks that have taken place through a highly secretive service called Estate. So, which is a strange name for a cybercriminal site, isn't it?

Normally you would expect it to be, you know, Warlord Z, Dark Blood, Death to All, Octopus Death, Starbeast. No, it's called Estate.

It's named after a station wagon. Yes, exactly.

So Estate is a site which deliberately hides itself from search engines, hidden away on the internet. And they seem to only find new users via word of mouth.

And you have to be— to join the Estate service, you have to be endorsed by an existing member. So it's a members club.

Where, you know, you have to have someone on the inside said, "Oh, yeah, they can join as well." Presumably, to keep the cops and the security researchers out.


CAROLE THERIAULT. Oh, and also to give it an elite feel. You know, you're exclusive.


GRAHAM CLULEY. Maybe.


CAROLE THERIAULT. We don't just accept anyone in this club.


GRAHAM CLULEY. I think it's largely self-preservation. It's probably one of those gentlemen's-only clubs, which doesn't allow women inside, the Garrick Club in London.


CAROLE THERIAULT. Well, what would I know about them, Graham?


GRAHAM CLULEY. Well, you wouldn't know anything. But of course, if women were to join a club like that, it would disrupt all the old fogies. They'd go, "Oh, this is absolutely terrible, women coming in with all their liberal views." Vaginas and stuff. Yeah, exactly.

And what a terrible thing. So I think it's about self-preservation. And also, of course, they don't want law enforcement finding out what's going on.

To the outside world, if you did stumble across it, it would purport to be a stress testing service. So something which maybe a penetration tester could use or someone setting up a service, something like—


CAROLE THERIAULT. Like bona fide service that, you know, yes, that security professionals would use.


GRAHAM CLULEY. Yeah. But we all know rather like a DDoS site or a stressing site, it's something which can be used definitely for bad.

And it is a fairly flimsy cover story because Estate really is a service for people who want to hack into other people's accounts. And it turns out that hundreds of criminals have used Estate to bypass multifactor authentication, which of course is the thing that we tell everybody to turn on for their accounts because it does give you that extra level of protection.

But they're using Estate to waltz past, break into accounts, steal from digital wallets and accounts. And the guy who's really shone a light on this service is a chap called Vangelis Stykas.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Vangelis is a security researcher who shared the information with TechCrunch, who wrote a great article all about this. So, he actually managed to get hold of Estate's database.

So, the backend database used by Estate, which contains logs.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. Of the almost 100,000 attacks that have taken place in the manner I just described—


CAROLE THERIAULT. Huh.


GRAHAM CLULEY. —since it was launched in the middle of last year. So in a relatively short time, a lot of accounts have been hacked.

Yeah.


CAROLE THERIAULT. Can I ask a question? Yes.

There's just one thing that occurs to me about the attack you mentioned. This call you receive is not tied to a purchase you have just made.

It's not like you have gone to use your PayPal, and then it's coming in and verifying that that is correct. No, no.

Right. So it's just out of the blue.

It's out of the blue, it happens.


GRAHAM CLULEY. Most likely it would be out of the blue. Exactly.

And of course, they would choose a service like PayPal because there's a higher chance you will have a PayPal account or an Amazon account or a Gmail or Yahoo account, something like that. Yeah.

Rather than one particular bank, for instance.


CAROLE THERIAULT. So it's obviously been very successful, right?


GRAHAM CLULEY. These attacks? Absolutely.

It's been successful for the criminals in one way. Okay.

But very unsuccessful in other ways. Because, because the database has now been accessed by this security researcher because Estate had a glaring security flaw, a vulnerability.

Embarrassing. That exposed its entire juicy database unencrypted.

Uh-oh. It's a bit like a bank robber accidentally live streaming their heist on Twitch.

That's what Estate has done.


CAROLE THERIAULT. I'm sure that's happened.


GRAHAM CLULEY. So this means that we now know the identity of the person who founded Estate.


CAROLE THERIAULT. Of course. Excellent.


GRAHAM CLULEY. Details of its members and a log of every attack since the day the service was created. Because although the Estate service told criminals, "Security and privacy are very important to us. We take this seriously. We're going to protect your privacy. We're not going to maintain any logs." Turned out they did.

They were keeping logs.


CAROLE THERIAULT. So every single ne'er-do-well who decided to use this service has their information now in the wrong hands.


GRAHAM CLULEY. It depends what information they gave when they created their accounts. It may be an email address, or, you know, it could be a throwaway address. But also, what it appears is that people were writing scripts in order to use Estate in different ways, maybe to write the script which the robot would speak, or other ways in which it would operate. And some of these users were so full of confidence that their information was being held securely that they contained within their code comments and other information which identified themselves, maybe a copyright message. Oh yes, this was written by Jim Smith, you know, something like that.


CAROLE THERIAULT. Oh, but you know, it just goes to show we're all human, you know? Everyone screws up, even the baddies who sit there and take advantage of you.


GRAHAM CLULEY. Yeah. So there's an alarming number of affected users. It looks like there've been something like almost 100,000 attacks. And it seems, in particular, older folks have been targeted. I think because they're more likely to answer a random call. Yeah. So there you are, Carole. You're like a youngster. When you get a call and you think, I don't recognize that number, you just hang it up. Or if you hear a robot, you hang it up. Older people are grateful for a phone call. It reminds them of the old days.


CAROLE THERIAULT. Except that I'm not getting my credit card, right? Right.


GRAHAM CLULEY. Maybe it's my nephew ringing me. Maybe he's suddenly— someone's actually remembered I exist. Or maybe he needs money and he's in Thailand and I can help him out. So follow Carole's advice. Just hang up.


CAROLE THERIAULT. I'm telling you, the future is bright if you just follow my lead. Don't read emails. Don't pick up the phone. Pick up a paintbrush.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Do you remember that story, the deepfake of the teen cheerleader fiasco?


GRAHAM CLULEY. Ah, this was like a cheerleading— a cheerleader's mom or something, or maybe the coach.


CAROLE THERIAULT. Yeah, yeah, yeah. Basically, there's been a few developments in this story, so I would want to recap it because it's nuts. The whole story is nuts. It's like a roller coaster and it's still careening about in the media sphere and it's complicated. So remind me what happened.


GRAHAM CLULEY. I don't remember all the details.


CAROLE THERIAULT. So we're going to start with Ali Spohn, okay? It's 2020, and Ali's this cheerleader on the team called Victory Vipers. This is an all-star squad based near Pennsylvania. Okay, yeah. Now, weird fact, weird fact, while I'm researching this story, right, I find out that cheerleading accounts for 65% of spinal or cerebral injuries across all female athletes in America.


GRAHAM CLULEY. Well, I'm not surprised, because do you see— have you seen what these cheerleaders do? Yeah. Yes! They fling each other up into the air and they land on their heads or whatever. I'm not surprised they're doing damage.


CAROLE THERIAULT. Well, they do if they miss their step, exactly. Yeah. But you know, they do it for the fame, the glory, the scholarships, right? So it's obviously worth the risk.


GRAHAM CLULEY. Hang on, you can get a scholarship as a cheerleader?


CAROLE THERIAULT. Oh yeah, because then you become a champion cheerleader at, you know, whatever university, right? And you can go to school. Really? Yes. How do you think footballers, you know, they get scholarships for being amazing footballers and baseball players and everything.


GRAHAM CLULEY. I suppose so. I mean, it's still athletics, isn't it? It is athletic. It's extremely athletic.


CAROLE THERIAULT. You should try. Why don't you add that to your box fit routine?


GRAHAM CLULEY. You'll be surprised.


CAROLE THERIAULT. Well, no, don't. You might hurt yourself. I don't want you to hurt your spine or your head. So they're tumbling and jumping away. And yeah, but things kind of go nuts because someone has sent an incriminating video directly to some of the girls' coaches.

And it shows some of Ali's cheerleading squad members vaping and drinking, right? And kind of not wearing a lot of clothes. And one of the parents contacts the police and reports receiving harassing text messages anonymously that her daughter's received these things. And they tell the police they fear the videos could lead to their daughter being kicked off the team.


GRAHAM CLULEY. Yeah, because it'd be bad for the image, I suppose, wouldn't it? Oh yeah, yeah, totally, right?


CAROLE THERIAULT. And two more families come forward saying their daughters received similar messages. So remember, these messages also went to coaches, so they were already aware, right.

And the thing is, the teens portrayed in the video say, no way, that's not us. This has been totally faked. So the cops go and investigate, and they say they trace the number that was sending the harassing messages.

They got that number and they followed the data to an IP address, which showed activity to the house where Ali Spohn lives with her parents. And five male police officers go bang, bang, banging on Spohn's front door with a search warrant.

They take all the electrics in the house, right? They take the Xbox and the TVs and the computers and the phones and even the chargers and everything.


GRAHAM CLULEY. And everyone's scared. I'm just imagining these five policemen arriving in sort of coordination with pom-poms. Sort of going, "Here we go. We're going to get you. Hands up."


CAROLE THERIAULT. I should say that the time between the parents complaining to the cops and this being presented is almost a year in time. And so presumably cops have been investigating that whole time, right? We'll find out more about that later.

Now, cops have taken all this stuff, they're combing through all their findings, and they see that mommy's smartphone kind of coordinates with the IP based evidence, and they think they can link her and the numbers that were used to send the harassing texts and images. So basically, they're thinking they made a line there. And they also determined that the videos were deepfakes, just as the girls said, right? Digitally altered images that appear to be authentic.

So basically, the accusation is the mom trolled the social media of these girls, doctored the pictures, and then sent them to the coaches and to the girls.


GRAHAM CLULEY. Pretty impressive mom to use that sort of deepfake technology, to be honest. That's, you know.


CAROLE THERIAULT. Yes, of course. And, you know, by the way, she doesn't own a computer at all. So the idea is that she would have done all this on her phone.


GRAHAM CLULEY. Okay, right. Impressive.


CAROLE THERIAULT. So she's charged with three counts of cyber harassment of a child and three counts of harassment. The DA and the cops go hard on the press and they get what they want.

They get headlines around the world because the story is gold dust. A mother allegedly used explicit deepfake photos and videos to try to get her teenage daughter's cheerleading rivals kicked off the team. You've got drama, you've got deepfakes, you've got evil mom, you have cheerleaders.


GRAHAM CLULEY. And I remember the mugshot of the mom that was republished everywhere, wasn't it, when she was caught? And she looked a little bit sinister.


CAROLE THERIAULT. I really feel for people who have mugshots taken because, you know, if you had your mugshot taken and you were got in for whatever, whether they were trumped-up charges or not, I doubt it would be the best picture that you would use.


GRAHAM CLULEY. You know, I wouldn't add it to my portfolio.


CAROLE THERIAULT. Exactly. And it's not your choice that it's being sent around to everybody.

That's true. The cops obviously released that, right? So people are appalled, right? How could a mom do this? Even Trevor Noah mocks Miss Spohn on The Daily Show.

Days later, however, deepfake expert Henry Edger expresses concern because this is all over ABC. They have the video, right? They're showing the video. And ABC is still captioning it as deepfake video when, according to him, it clearly wasn't.

He wrote on X (Twitter) that the vape pen cloud, the hand moving over the girl's face, the awkward facial angles and other aspects of the video would likely require a huge amount of work by a deepfake expert with editing in post.


GRAHAM CLULEY. So not a cheerleader's mom on her smartphone. Right.


CAROLE THERIAULT. The Daily Dot looked into the deepfake claims and asked about the method used to establish that the videos had been digitally altered. They were asking the cops this.

And the cops said they had relied on their naked eye, adding that they hoped Mrs. Spohn, during the course of the preliminary hearing or trial, will enlighten us as far as what her source and intent was. You know, so despite the tech industry citing serious issues, the case burns on.

And in March 2022, Spohn was found guilty and convicted on charges that she used secret phone numbers to harass three girls on her daughter's cheerleading squad. So where is all the deepfake stuff that they headlined in the press? Because she wasn't charged with that, and it seems they dropped those charges just before the trial. Maybe you might do if you were the prosecutor and you didn't think that the evidence would hold up in court.


GRAHAM CLULEY. But the deepfake was the main thing that the police were sort of running with, wasn't it? I mean, in terms of the press interviews and things.


CAROLE THERIAULT. Well, isn't that interesting? Yeah.

And according to Mrs. Spohn's lawyer in the case, since that infamous press conference, he, the lawyer, said, hey, send them to me, I want to see what we're talking about here. But he never got them, right? And he was only allowed to see this evidence against his client a year after she was charged.

And he found that the nude image was actually a screengrab from Snapchat featuring this cheerleader in a pink bikini that had been blurred out, you know, in basic photo editing software on your phone. You'd swipe with a finger rather than any kind of sophisticated AI digital editing.


GRAHAM CLULEY. Oh, I see. So not the use of a deepfake tool, more a use of something like Microsoft Paint or something.


CAROLE THERIAULT. Using Paint, choosing the flesh tone, and then swiping your finger across the bikini bits. And it seems that there was no real investigation.

The cops basically had taken the victim at her word that the image was made to look as though she had been drinking and vaping when she says she hadn't been. But it seems that maybe she had been. Oh, and the image was never deepfaked in the first place.

And worse than that, there's no way of finding any source videos and images or seeing any supposed deepfakes that had been created out of them because the cops did not ask to see the victim's phone until a year after the mom initially complained. Remember I said earlier there was a big time lapse? A year? Yes.


GRAHAM CLULEY. So the complaint's been made.


CAROLE THERIAULT. So I'm worried about my daughter. She's getting these complaints. I don't want to get kicked off the team.

Tick, tick, tick, tick, tick, tick. Months, months, months, months, months, months. Yeah.


GRAHAM CLULEY. Can you bring it? We're a bit busy. Can you bring it round in 14 months, please? Right.


CAROLE THERIAULT. We'll have a look at it then. But weirdly, by then, the victim had a brand new phone, right? Socials were deleted. So there's no source material anymore to back up these allegations.


GRAHAM CLULEY. It's a bit like these members of parliament who keep on deleting all their old WhatsApps so they can't hand them in for the COVID inquiry. It's crazy.


CAROLE THERIAULT. So this is why Mama Spone is fighting back, right? She's bringing a civil action alleging that she was vilified in the press throughout the criminal investigation for something she did not do. Okay, fair enough.


GRAHAM CLULEY. Does she admit that she did send some pictures of these girls smoking? And drinking?


CAROLE THERIAULT. No one really knows, right? I've seen her say yes and no in two different interviews, right? Okay, but this is what I think happened.

It seems that she'd look at her kids' socials once in a while, make sure everything's fair enough, and she sees these pictures of these girls partying, and she's like, what are they doing drinking? They're just teenagers. And what are they doing smoking and vaping? What's going on? And sent them to the coaches saying, are you aware that this is what some of the girls are doing? And I think the girls didn't like that and basically said they'd been faked, and the moms backed them up, and the police got called. This is what I think happened.


GRAHAM CLULEY. Sounds plausible. And then this woman appears in headlines all around the world, and her photograph's everywhere.


CAROLE THERIAULT. Oh, totally. I think her life has been a complete nightmare. She says she has no friends anymore, she lives inside, she never goes out. All the horror show.

But get this, the DA— okay, so we were talking about this DA, that Matt Weintraub is his name. Now, he's the one who held that conference that got all the global headlines. And he's the one who pursued the case a year after the initial complaint.

And perhaps this is entirely coincidental, but he waited to bring the case forward in 2021, which was an election year for him, coincidentally. Complete coincidence. Potentially.

And if Mama Spone is correct, it means that the headline is not "Spiteful mom creates deepfake to attack daughter's team rival," but "DA faked a deepfake case to garner attention and win election." Which he did. And as of January this year, Matt Weintraub is a judge.


GRAHAM CLULEY. What a crazy story. Unbelievable.


CAROLE THERIAULT. And it's not finished yet. Deepfake mania.


GRAHAM CLULEY. Even fake deepfake mania. I can't even speak.


CAROLE THERIAULT. Deepfake cake.


GRAHAM CLULEY. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk.

Well, this podcast is sponsored by KiteWorks, who enable organizations to effectively manage risk in every send, share, receive, and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance, and protection to customers tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications.

KiteWorks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit KiteWorks.com to get started today. That's KiteWorks.com. And thanks to them for supporting the show.


CAROLE THERIAULT. If you're building a SaaS business, achieving compliance with ISO 27001, SOC 2, or other in-demand frameworks can unlock major growth for your company and establish customer trust. However, this process is often time-intensive and costly.

Vanta automates up to 90% of compliance work, getting you audit-ready quickly and saving you up to 85% of associated costs. And Vanta scales with your business, with a market-leading trust management platform to help you continuously monitor compliance, unify risk management, and streamline security reviews.

Join 7,000 global companies like Atlassian, Flow Health, and Quora that use Vanta to build trust and prove security in real time. Watch Vanta's on-demand demo at vanta.com/smashing.

That's vanta.com/smashing. And thanks to Vanta for sponsoring the show.


GRAHAM CLULEY. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.

For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing but now as part of 1Password.

So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.

Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better.

Check it out at kolide.com/smashing to learn more and watch the demo today. That's k-o-l-i-d-e.com/smashing.

And thanks to them for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Better not be.

Well, my pick of the week this week is not security-related. Good.

My pick of the week this week, you remember a few weeks ago, my pick of the week was Boxfit. Right?


CAROLE THERIAULT. Oh yeah.


GRAHAM CLULEY. I was talking about how I'd gone to a box fit lesson. How could I forget?

Right. Well, I want you to scrub box fit from your memory.

Oh. I'm crossing it out as my Pick of the Week.

Why? Because my box fit lesson coincides with something else that I've taken up, and I can't do both.

Okay. Carole, this is going to astonish you, because I have been on my first parkrun.

Have you heard of parkrun?


CAROLE THERIAULT. No, I'm guessing you run in a park.


GRAHAM CLULEY. A bit more than that. Parkrun is an institution.

Parkrun is a thing which has been going for the last 20 years. It started in the UK, but it's happening in dozens and dozens of countries around the world now.

Okay. Where people meet 9 o'clock Saturday morning and everybody runs for 5 kilometres.

Okay. And it is a non-profit thing.

You don't have to pay. You just show up in the park.

And I showed up at my local park the other day to do this and there were probably about 250 people there. And off we all went.

You run around and it's a lovely community experience.


CAROLE THERIAULT. Are you chatting during your run? Are you sitting there going, you know, telling them all about cyber security in the podcast?

Well, do you have your breath?


GRAHAM CLULEY. Are you sitting there like you pretty quickly realize that you can't talk that much? I remember years ago, Carole, you and I, we used to pop out from that company we used to work for, and we'd pop out for a little jog. But typically, I would jog for about 40 seconds and then walk for about two and a half minutes.

I said to my partner when we went out on this parkrun, I said, "Look, that's what's going to happen." And she said, "That doesn't matter." She said, "Because the whole point of it is not actually to beat other people. This is all about just participating," right?


CAROLE THERIAULT. And it really is. Of course it is.


GRAHAM CLULEY. There are people there with dogs, there are kids there, there are people with pushchairs, there's all kinds of things going on, right? So I said to her, "Look, this is what's going to happen because I've never run for more than one minute without collapsing."


CAROLE THERIAULT. Yes, you have. You just don't remember.


GRAHAM CLULEY. Well, I don't think I've ever jogged five kilometres before without stopping, which is what I managed to do. So I did the Couch to 5K without actually having to install the app and do anything in between. I basically moved from a couch and jogged five kilometres.

How did you feel the next day?


CAROLE THERIAULT. It was terrific.


GRAHAM CLULEY. My quads, I believe they're called, I didn't even know I had quads, are aching a bit. And since then, I went for another run on my own round the local lake, which was about 6.3 kilometres.

That was a lot more difficult because there weren't hundreds of people around me making sure that I went slowly enough. It was pretty good, pretty good exercise.


CAROLE THERIAULT. Well, that's very good. It's excellent. Gotta look after your knees though.


GRAHAM CLULEY. You have to look after your knees. I'm a bit dubious about running, so I would describe my technique as a very gentle jog.


CAROLE THERIAULT. Well, I think that's a good thing.


GRAHAM CLULEY. But it is a lovely institution run completely by volunteers, utterly free of charge, a charity thing, which people perhaps would like to participate in. And I really enjoyed it.

So I'll be doing that every Saturday morning until it gets wet and cold. Or until I've discovered something else that happens on Saturday mornings.


CAROLE THERIAULT. We will check in. Yeah, exactly. Let's check in in the fall.


GRAHAM CLULEY. So that parkrun is my pick of the week. Excellent. Carole, what's your pick of the week?


CAROLE THERIAULT. Art, art, art. As you mentioned earlier, it's Oxfordshire Art Weeks. It's going on right now.

It's a brilliant thing where artists open up their studios, their houses to say, hey, this is what I'm working on, and you can buy some stuff and say hi. And it's just great.

And I've been doing it for a number of years. But this year, I helped create an art collective.

How groovy is that? So my co-host on Art Musings, Sally-Anne Stewart, and I, we founded the East Oxford Art Collective.

We're currently 10 members plus a robot. And we already have a waiting list for more artists that want to get on the showcase.

And we've been showing our best work in a church hall called Greyfriars in East Oxford as part of this Oxfordshire Art Weeks thing. So it's a bit of work because you got to coordinate with everybody, organizing a conference.

And you advertise and you go to the press, and I even had to buy a tablecloth, all this kind of stuff. And it's Thursday.

So we set up, I show up on Friday, show kicks off Saturday morning. And I get a few emails.

First one from the church saying, "Oh, I just want you to know we cleaned up, we moved this stuff, we moved this, we're ready for you. Fantastic."

Two hours later, "By the way, I've just found out that we had the electrics tested yesterday and they failed on everything. Just wanted to let you know."

What?


GRAHAM CLULEY. So exactly, so you can't use electrical light at your art exhibition.


CAROLE THERIAULT. My co-host calls me, she goes, have you seen the email? And then we share it with the group and people start freaking out, right, going, oh my God, because people have put hundreds and hundreds of hours and dollars and stuff into getting prepped for this.

Then we get another one saying, unfortunately, we're canceling the event as we have no insurance to cover if things go poof. I'm paraphrasing.

So again, I'm talking with my co-host and co-organizer going, what are we gonna do? And I'm going, look, 8 of the 10 of us can use the natural light in the hall, right?

But we have people with a robot and we have people with lamps, you know, showing off lighting. So what do you do?

So I first call them, I call the church and I say, look, they know the roof is not falling down, we will not touch the electrics, tape them up, we won't use any of them and we will figure out a way to get the two people to show, 'cause otherwise we're gonna have a riot on our hands. Anyway, so we got in, and it was amazing.

East Oxford just pulled together. We had a cafe at the back, right?

How do you get coffee and stuff like this? Well, two massive boiling water thermoses arrived from another cafe in town.

People had huge batteries. They were volunteering them up for people to be able to use.

And everyone hit up their contacts, and basically East Oxford came through. So the show opened, we had, I swear, conservatively in two days, we're doing two afternoons, 12 to 5, 750 people through the doors minimum.

Bloody hell. It was the first day was about 500.

And the second day was quieter, but still crazy. And the feedback has been amazing.

Neighbors were coming over saying, we haven't seen this place used in 30 years. And I'm going, I know now, because don't touch the electrics.

I had one young artist, she was talking to me, and she was looking at all my work. And then she goes, I just want to live in your paintings.

Best compliment ever. Best compliment ever.

Anyway, so it's been really dramatic but amazing, and it's really worth checking out if you're in the neighborhood. So we're open again on this weekend, Greyfriars Church Hall in Oxford.

You can go to artweeks.org and you can search for me, Carole Theriault, not Graham Cluley, and you will see all the details. So that's my pick of the week.

I hope to see you there if I can. That's fantastic.


GRAHAM CLULEY. And when does the exhibition close?


CAROLE THERIAULT. Yeah, Sunday. So this is the last weekend, Saturday, Sunday.

Yeah.


GRAHAM CLULEY. So that'll be Sunday the 19th of May. Yes.


CAROLE THERIAULT. Saturday 18th, Sunday 19th of May. Oh, that's fantastic.


GRAHAM CLULEY. Well, Carole, first of all, incredible, can I say? Because, I mean, to actually organise something like this with all the challenges it sounds like you've had, quite astonishing.


CAROLE THERIAULT. Yeah, I wasn't alone. But together we really muscled through.

We were a pretty amazing team, I think.


GRAHAM CLULEY. Good old Sally, your co-host on the wonderful Art Musings podcast, but also terrific to see your artwork. Anyone who hasn't seen Carole's artwork and isn't able to get to the exhibition, go to carole.wtf, which is Carole's website.

You can see some of the selections there. Well, you know, I hope you can handle the flood of traffic which is now going to go there.

Yeah, terrific. Great pick of the week.

Yay. And that just about wraps up the show for this week.

Don't forget, you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. And you can also ensure that you never miss another episode by following Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And thank you to our episode sponsors, Vanta, Kiteworks, and Kolide. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 371 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye-bye.


CAROLE THERIAULT. Well done on the old running, mate.


GRAHAM CLULEY. Thank you very much. Just trying to get a little bit fitter.

Typing harder as well. I'm hitting the keys harder than ever because I reckon that could be a good way to burn calories.


CAROLE THERIAULT. That's a good way of getting RSI, actually, so be careful with that.


GRAHAM CLULEY. Oh, that's true. I need one of those big mechanical keyboards, one which you have to literally jump up and down on every key to hit.


CAROLE THERIAULT. I'm sure that exists. I'm sure you could get a floor one, right?

Like a floor mat, like those dance mats, and it would be— Like Dance Dance Revolution. Wouldn't that be cool? TM Carole Theriault! TM Carole Theriault!


GRAHAM CLULEY. Oh, you've trademarked it. Damn.

-- TRANSCRIPT ENDS --