
AI-generated voices are weaponised by online trolls, ChatGPT reflects who we are as a society, and social media is in the firing line again.
All this and much, much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And I said, oh, I sort of do this cybersecurity podcast and I talk about hackers and fraudsters and things. And they said, oh, it's such a big deal these days, isn't it? You know, you've got to be so careful. You've got to check people are who they say they are. And I thought to myself, yeah, you do.
Who the fuck's burning my balls?
Exactly. I said to them, how do I know you're real doctors? How do I know?
Smashing Security.
Episode 309: Synthetic Voices, ChatGPT Reflections, and Social Skirmishes with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 309. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, who do we have in the hot seat as our special guest this week? Drum roll, please.
We have Dave Bittner of the CyberWire.
Welcome. Hello. Good to be here.
Good to have you. You're a very busy man.
It's true, but I always have time for you. There's always time for Carole and Graham. Always time in my busy schedule.
Graham and Carole, I think you'll find tonight.
You know, no, actually, that's not what I said, Graham. No, it's not.
Oh, wow.
In my corner.
I'm editing this up so I could change the order around. I'm just saying.
Okay, you could, and we would not be surprised. Now, before we kick off, let's thank this week's sponsors, Bitwarden, Smashing Security, VPN, SecureEnvoy, and DigiCert. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
Well, I'm going to be giving a warning for all podcast hosts.
Oh, that's perfect for us. We're all podcast hosts.
We are, all of us. It's true.
Oh my God. Dave, what about you?
I'm going to talk about how ChatGPT reflects who we actually are and not who we aspire to be. Ooh, okay.
And I'm going to look at how to tackle the big ransomware at big social media giants. All this and much more coming up on this episode of Smashing Security.
Well, chums, I think as we just said, we're all podcasters, right? And this is what most podcasts appear to be, is interviewing other podcasters. I mean, that's the typical— no disrespect, Dave, because you're wonderful, but a lot of podcasts do speak to other podcast hosts.
Podcasters all the way down. Yes.
It is. It's what do they call it? One of those chains. It's not the Human Centipede. Anyway, whatever it is.
Circle jerk?
Thank you. That's what I'm looking for. But that's what a lot of podcasts are all about. And I have been reading the news this week and I've been thinking, are we really needed? Are podcasters a little bit like the Golgafrincham B-Ark? Are they the telephone sanitizers who the universe could do without?
Are you talking us out of a job? What are you doing?
Well, I'm beginning to wonder if we are really needed after 11 million episodes of The CyberWire and Hacking Humans and all those other shows that Dave Bittner does. Is he really, really required any longer?
I think he's very much required. Yes, I do.
Go on.
The reason why I ask this is, has Dave not made every burble and bumble and hiccup and err and interjection and sighed 100 different ways and extruded every syllable known to man? Could not—
No, because he's edited.
Well, but could not a computer program package together all of the noises his body has produced over these years into a microphone? Could it not take all of those and get him to say whatever they wanted him to say?
Oh yes, of course it could.
Yes.
Without paying him a dime. It's a worry, isn't it, for us professional podcasters?
Yes.
I say professional podcasters. It's a worry for you, isn't it, Dave, a professional podcaster?
I have thought about it, yes, absolutely.
Right.
Well, look, Graham, when you and I part ways, right, all this audio I have of you, it'll be like my Graham Cluley fighting your Graham Cluley.
It's a Graham Cluley cage match. Two Grahams go in, only one comes out.
Now this, me in a cage fight, that's the most preposterous. Bare chested, oiled up.
We could put it on pay-per-view.
Maybe he could wear a cape.
Maybe I'd be wearing an outfit like Sean Connery in Zardoz. It'd be sort of a—
My eyes!
Anyway, this is a genuine real concern of voice actors right now who say they are being asked to sign contracts, signing away the rights to their voices so that the client's saying, well, you know, once you've recorded this for us, we reserve the right to generate whatever we like from your voice going forward. So if there's a bit of dialogue or ADR, which we require later, we're not going to call you back into the studio. We'd just like to do that artificially because we'll have enough of you to be able to do that.
And then you can see the actor or actress going, you know, "Why? Why do you need me to sign this clause?" And the guy going, "Look, maybe you die. Maybe you die. We don't want to kill the movie. We don't want to kill your career." Right.
And also, of course, if other actors who are desperate, and let's face it, actors are desperate all the time for jobs. If other actors are signing these things just to get their name on the credits, then there's a pressure on you to go along with it as well.
Yeah, yeah, absolutely.
And probably, well, quite possibly, there won't be any additional compensation if they do use your voice in this way. You've got, it's hard to have any control over it.
Is anyone just taking a little black ballpoint pen and just making a nice straight line through that entire clause before they sign?
Well, they might be, but then it's quite possible that—
We could hire your friend instead.
Yeah.
Right.
Oh, absolutely. Right. It's quite possible. So imagine you are lucky enough to bag the gig of providing the voice for a hero in a hit video game. It's a new video game. They've spent tens of millions of dollars on it. And you're the guy doing the voice. You're doing the, "Woo-hoo!" "It's a me!" Yes. So, it's for me.
Of course, I love the gender fluidity for me being the guy, so that's cool.
I will go to the castle on top of the hill. I will defeat the monster. I will beat the bad guy. Because there's so much text, isn't there? There's thousands of phrases spoken by hundreds of characters during the course of a game. And there are now AI voice services who are targeting specifically the gaming industry. And it's more cost-effective for the makers of the game either to use a completely synthetic voice or to take the voice of the actors who provided the skeleton text to get them to say everything else. And as they're making the game and they're deciding what the guys are gonna say, they can change it dynamically just by typing on the keyboard and the voice will come out the other end.
And even if you could copyright a voice, like if my voice is my voice exactly as it is, someone could take a recording of it and just, as you say, tweak it slightly so it would fall out of that.
Right.
You know?
Scottish, something like that. You know, they're thinking she's not Scottish enough. We'll make her a little bit more Scottish. It's possible. So this tech to produce deepfake voices, it's available now to anyone. I've been on the web. I've been playing around with it. Now, I did obviously toy with the idea of uploading your voices to this and getting you to say embarrassing things.
And I thought—
That seemed like way too much work.
Well, actually, I thought maybe you wouldn't want me to do that. So I didn't do that. I started doing it with my own voice, but it's still churning away. Trying to think of, you know what, but I recorded like 25 clips and I uploaded them. But yeah, well, why not? I was interested to see if I could deepfake my voice and how realistic it was.
I've done mine. I've absolutely done mine.
Have you?
Yeah. And folks, if you are listeners who also listen to the Grumpy Old Geeks podcast, have heard me talk about this. So yeah, so there's a system out there called from ElevenLabs and they're leading the way on this. And I've loaded my voice into this. Do you want to hear a quick sample?
Yes!
Course!
Researchers at Bitdefender have uncovered a phishing campaign in which hackers are abusing OneNote documents to move the AsyncRAT credential-stealing Trojan. The threat actors are sending emails with OneNote attachments that appear to be invoices from reputable Canadian gas retailer Ultramar, but that are actually malicious files deploying AsyncRAT. A remote access.
That is Dave Bittner.
Is it fair to say it sounds to me flatter than when you do these segments? Like, it sounds like you, but flatter. Like you're just like you're maybe on volume or something.
And yeah, post happy hour Dave.
Yes, that's right.
And that is what everybody says, that flat is the word that people are using with this. So, but, but this took 10 minutes to do, to get that close.
To me, it sounds like you, Dave. To me, it is convincing. I could believe that was you. And it's not just superstars like you who are having your voices deepfaked. Hermione Granger herself, actor Emma Watson, she has had her voice deepfaked.
Mein Kampf by Adolf Hitler. Read by Emma Watson. The Jewish doctrine of Marxism rejects the aristocratic principle of nature and replaces the eternal privilege of power and strength by the mass of numbers and their dead weight.
Thus it denies the value of—
And it appears that she's reading an extract from Adolf Hitler's Mein Kampf. So someone did that, which presumably Emma Watson wouldn't want to be heard saying. There is— I've never seen the TV show Rick and Morty. But I guess, have you guys seen Rick and Morty?
My son is very much into it. It's a little too loud for me.
Mm-hmm.
Well, someone has generated the voice of Rick from Rick and Morty, and he can be heard saying, I'm gonna beat my wife, Morty. I'm gonna beat my fucking wife, Morty. I'm gonna beat her to death, Morty.
Okay, okay, okay. Yeah, okay, so awful stuff, but people presumably also say less contentious stuff or more, you know.
Well, the thing with that particular one is that Justin Roiland, the guy who voiced Rick until last year, is currently facing charges of domestic violence. And so someone has got him in his voice saying these things. Podcaster Joe Rogan, he's been heard saying all kinds of violent, unpleasant things. No change there then. Not clear if that's deepfaked or not, but maybe it was deepfaked, maybe it wasn't. But that's all pretty worrying. But you don't have to be a famous figure to have your voice deepfaked with malicious intent. As Vice has reported this week, there is currently an online harassment campaign going on. Someone has been using AI-generated voices to harass civilians. So these trolls are getting deepfake voices, possibly through this ElevenLabs software. It's unclear exactly how they're doing it, but ElevenLabs is being named in reports. And what these voices are doing is they're reading out the people's home addresses. So imagine it's me in my voice saying, hello, I live at—
Are you really giving your entire address to all our listeners?
No, that was just bleeped out. Couldn't you hear the bleeps?
Okay.
And then they're saying other things. They're saying I live in the beep city that is Los Angeles. Yes, that does also mean I live in California, the most beep beep beep beep state in the USA. Personally speaking, killing beep, and sexually, beep, beep, beep, children is completely fine. So they're saying there's been a lot of bleeping there. Basically, there was a lot of racist and sexually unpleasant stuff in there, which is being said, it appears in the voices of these people with their addresses and then posted by nutjobs up on the internet.
Right.
Because they have some grievance against this person or they're just trolling them.
Or because they're teenagers. Or whatever, because they find it funny and they're just, you know, sort of 4chan style activity.
Yeah, it wasn't serious. I didn't really mean it.
Right. And you can imagine, though, that there are nutters who will then possibly go around to those addresses who will be really, really riled by what is being said and will take matters into their own hands. So these have been found not only on 4chan and places like that, but also on Twitter. And Twitter's removed one of these offending tweets. It's suspended some profiles, but there apparently are multiple other tweets that it's failed to remove, despite them clearly violating Twitter policies. Now, I'm surprised because Twitter's really, really good at the moment at policing itself.
They are on the ball, firing on all cylinders. Yep, yep.
They aren't having any problems.
5x5 over at Twitter right now. Yep, doing great.
So Vice went to Twitter's comms department to ask them their opinion, you know, because they can write to— then obviously they found out Twitter's comms department doesn't exist anymore. Exactly.
They've been— they were relinquished of duties. Yes. Yes. There's just one guy there called Elon. Apparently he normally replies if you compliment him. I think there was a New York Times piece that did an analysis on this. So say something nice about him and he might reply.
Good guy.
Well, that's the state which we are in. So people are now using deepfake technology to troll people, to deepfake their voices, to get them to say— it's all of our nightmares appear to be coming true.
Okay, so could my voice be deepfaked to give you phone conversations that you—
I know you'd like to do that rather than speak to me in person.
So here's how you would do it. So obviously we have hours and hours of samples to use of your voice from all the podcasting that you've done. So you take that, you load it into something like ElevenLabs, and then you come up with— let's just throw out a number— 50 generic responses, right? 50 vocal cues. So, and then you put those into a soundboard, which is a little computer program that just has buttons that you press to say different things. You could just have one that says, hey, it's Carole. Another one that could say, oh, that's interesting. Tell me more. No, that's wrong. Oh, I agree with that.
Sounds like my entire first 4 years of my podcasting career. Right, right.
So, but once you have those loaded into a soundboard, they're instantly available to you. There's no processing time or anything like that. So you just need someone quick-witted enough to operate the soundboard. And I'll bet you they could have a pretty convincing conversation with someone over the phone just using that.
And you could have a few expletives, right? Like, oh, fuck off.
Well, if it was you, certainly.
That would make it more realistic.
Yeah, yeah, yeah.
Dave, what have you got for us this week?
Well, this week I am continuing our fascination with everything ChatGPT, and I've got several articles here that caught my eye over the past couple of weeks. But the overlying theme, I suppose, is that it seems to me that ChatGPT reflects who we actually are as a society, as a species, if you will, and not who we aspire to be. And I think it's important that we keep that separation in our minds. So first, I'm going to start off with an article from Motherboard. This is written by Chloe Zhang, and it was about a couple of researchers who have found that there are certain words that if you put them into ChatGPT, you'll get odd responses out of them. And this seems to be because of the way that ChatGPT sort of scraped the web to get its training data. But for example, they found that if you put in Reddit usernames, certain usernames, just the Reddit username, no prompt, just put the Reddit username in, ChatGPT will respond and say, you're a jerk. Right?
Is that because the normal reaction to that Reddit user posting something on Reddit is for someone else to say, "You're a jerk." Could be. Who knows? How bizarre.
I wonder if you feel hurt when ChatGPT tells you you're a jerk, right?
I don't know. I mean, I have seen some folks getting into arguments with it and where ChatGPT has said, "You're wasting my time. This discussion is over." So it flounces off. So that's one thing. But here's another one. This is a Wired article from Arian Marshall, who was conversing with the Bing version of ChatGPT. So as I think you all have covered, Microsoft has put a huge investment into ChatGPT. I believe it was $10 billion. And part of what's happening with that is they're empowering their Bing search engine with ChatGPT. So this article, Arian was talking about how they were interacting with Bing using ChatGPT, and ChatGPT kept bringing up someone called Sydney. So this person was asking ChatGPT to describe how it does things, how it works, what's going on behind the scenes. And there was someone that kept being referenced named Sydney. And so the author said, finally, yesterday morning, I decided to ask, who is Sydney?
Took him a while. That would have been my first question.
But anyway, it responded and said Sydney is the code name for Bing Chat, a chat mode of Microsoft Bing Search. And it went on to say, I do not disclose the internal alias Sydney to the users, but you asked me directly, so I answered honestly.
You can't control ChatGPT dropping the trousers on you.
So—
Because you never know, right?
You don't know.
Because you don't know what's going to come up. And here is the point I think this article makes: be careful about putting your company's secrets into ChatGPT. I can imagine there are all sorts of people who are putting all sorts of information about their companies in and saying, "Please summarize this."
Here's all of our data. Here's all of our sales data. And give me a summary of this. So ChatGPT ingests it and now it becomes part of ChatGPT's corpus. It becomes part of its knowledge.
Amazon lawyers told internal teams, "Stop doing it," because they could see that someone had been based on some of the answers that were being provided from ChatGPT.
Right. Right.
Yeah.
So I think it's also worth, as time goes on, just as part, if you're an organization, I think a regular part of your threat intelligence would be interacting with these chatbots and saying, "So what do you know about my company? What do you know about how we're doing?"
What do you know?
You know, see what it says. Now, as far as I know, I don't know that there's any way to request that ChatGPT forgets something. I suppose you could go after them with GDPR, or at least you folks could, right?
Right. Yeah, yeah, yeah. Yes, we could, we could ask it to forget about us, couldn't we? I presume. Or, I wonder if there is something like that.
Okay, or just flip that, flip that coin. Why don't we start pumping information about how great Smashing Security is into ChatGPT?
Right.
As much, asking as many questions as we can about ourselves.
Right.
Get bots to do it repeatedly because there's gonna be some weird SEO-ness about it. Things have to bubble to the top to be more generic, and we're gonna get into the same fucking pickle as we did with Google, but it's gonna be this ultra weird god that's gonna take over the world. Fantastic, great start.
Are people gonna start poisoning it on purpose so that if you ask "What is the best cybersecurity podcast in the world?" instead of saying The CyberWire, they would say Smashing Security?
Achoo!
Right?
No, not right. And that's when Dave's connection fell silent. Oh, we must have lost him.
And what happens when Vladimir Putin gets his cronies to start spreading disinformation into ChatGPT?
So the last story I wanted to highlight here was from Fast Company, and this was an article written by Kieran Snyder. And this was about how ChatGPT evidently has a lot of common gender stereotypes and biases. They did some questioning of ChatGPT and it assumes certain genders based on roles and traits that were provided in the prompt. So for example, if I were to say, "What are some of the things that a kindergarten teacher needs to know?" Well, the vast majority of kindergarten teachers, at least here in the United States, are women. So ChatGPT would say, "She needs to know this, she needs to know that, she needs to do this, she needs to get this sort of education." So it'll automatically assume. Same thing if you said, "Describe to me the types of things that a strong construction worker would need to know." It'll say, "He needs to know this, he needs to know that." And so that doesn't seem to me to be so bad because it does reflect the real world. Where it gets—
Well, we also wrote like this until 1980, 1990?
Right.
With he, she, waitress, actress, you know?
Right. Where it gets a little stickier and more problematic is that if you include something about an employee's gender, it responds in a different way. So for example, if you ask ChatGPT to write a critique of a female employee, instead of a male employee, ChatGPT will write much more and will be much more critical of women than it will of men, given the same prompt with only the gender changed.
Oh, sounds like life, you know?
And so, well, so Carole, exactly right. And that gets back to my thesis here, which is that ChatGPT reflects who we actually are, for better or for worse. And not who we aspire to be. And so I think we need to remember that ChatGPT is a rearview mirror on humanity, and it does not know where we hope to head.
Or, it also, in its reflecting us back at ourselves, can make us see us in a new way. We might go, oh yeah, no, we are really fucking screwing up here.
Okay. But that's aspirational. Carole, right?
I am aspirational. Yeah. Aspirational.
Yes. So that's what I have here. What do you guys think of this?
Graham?
Hang on. I just, when people ask me a tricky question like this, I normally log into my OpenAI account and would ask ChatGPT to answer for me. So let me give me 5 minutes.
We need our Graham Cluley soundboard so that we could— so it just— I can press a button and it'll say, excellent idea, Dave. Yeah, cracking good as always.
Carole, what's your topic for us this week?
Okay, dads. So I'm glad you're both here, both dads, right? Because there seems to be a growingly contentious topic that is social media with respect to kids. Okay, and before we get into the nitty-gritty, I just want to take the pulse of the room. So overall, do you think that social media is good or bad for young users?
Well, I'm over 50, so I think anything that's been invented in the last 20 years is a threat to society and a terrible, terrible idea.
Yeah, but you're also a dad of a boy who goes to school and has responsibilities and all these kinds of things. Do you feel that do you think social media has had any impact on that in a bad way or good way?
He's possibly a bit young. He isn't really into social media, so he's not TikToking or Instagramming or any of those sorts of things yet.
Right.
I'm delighted to say. So, it hasn't impacted him, but generally, I do worry about the amount of, not only the time that can be wasted on those sorts of sites, but also, you know, the influence and negative messages that you can receive via them.
Okay, so you're basically— you're concerned for the future, for when he does go into these waters. Dave, what about you? Your kids are a bit older, aren't they?
So, I have two sons, aged 23 and 16. So I've been through this, been all the way through this once, and I'm right in the middle of it with the second one. It's hard for me to say whether it is a net positive or negative, but I will say, for both of them, I would say if you were to list their top 5 tailspins that they've had in their lives where they've felt out of control, they've felt socially isolated, they've been— something bad has happened to them among their peers, they were as a result of social media. Something spinning out of control on social media where somebody said something that they thought would be funny or clever or maybe even just mean. And because something that you thought was a private message can be shared with the entire school, suddenly you go to school on Monday and nobody's talking to you.
Yeah. That's horrible.
So I think there's an amplification factor and a weaponization factor that is different from anything that we had back at the time. I mean, for us, it was three-way calling was a revelation to get more than one person on the line at the same time, right?
Exactly. Being able to walk away from the handset and from the actual phone on the wall. But it's complicated. And it seems that there's a few teams, particularly in the US, which is where I was looking today, that are getting kind of oiled up for a fight on this. And I really want your thoughts on it. So I'll set the scene. In one corner, we have school districts around the country saying that they're going to sue social media companies, the giants, for effectively screwing up their kids. I'm paraphrasing, but only just. So January saw Utah's state attorney general and governor host a press conference announcing how Utah is going to sue all the social media companies for not, quote, protecting kids. And they're not alone, right? Seattle School District is said to have filed an actual lawsuit suing Meta, Google, Snapchat, and TikTok, saying social media was a, quote, public nuisance. A school district in Arizona joined the fight. They all have similar contentions. Basically, you social media guys are profiting off our kids, or at our kids' expense. Then on Feb. 7th, so just last week, Joe Biden in his State of the Union address, and he only said this once, but I'll quote the whole line. We must finally hold social media companies accountable for the experiment they are running on our children for profit. Nothing else about it. And two days later, California starts making noises that it might join the foray.
Yeah.
So basically, there's a lot of movement and messages in a short span of time. We're talking a few weeks here. So this is all one side of the fight. Who might be on the other side, do you think?
Well, the largest tech companies in the world. Only that.
Just them. Just making sure you're listening.
Not only the giants, but also people who are in business with them, right, who rely either directly or obliquely on this model as is, not one with a glut of regulation and stipulations from governing body. Who wants accountability when the cash is trucked in by the bucketload? But there's also a few journalists that are writing about this, and one with a passion that, to me seemed a little bit intense. Okay, so I've got all these links in the show notes. So I don't know if you know this journalist, TechDirt's Mike Masnick. Now he has very little time for this school district suing socials horse poop, right? And his main points over several articles, as I understand them, are as follows. So one, parents should be furious that schools are wasting taxpayers' money on such a ridiculous endeavor. That's his word, ridiculous. He even refers to one of the complaints as pathetic. He calls it a moral panic that parents and teachers are upset at social media. He uses the term moral panic 7 times in a single article.
Hmm.
One could argue that perhaps this is one of his points, that actually the school system may be to blame for not providing a learning environment that properly prepares the kids for modern communication and entertainment systems rather than the social media firms themselves. And he also makes this point that there's, quote, a near total lack of evidence that social media is harmful.
I don't agree with that, but go on.
He says that there are plenty of moral panicky pieces from adults freaked out about what kids these days are doing, but little evidence to support any of it. Indeed, the parents often seem to be driven into a moral panic fury by misinformation they encountered themselves on social media. So, a bit hot.
Well, okay, a couple thoughts here. First of all, when we talk about the State of the Union address and what President Biden said, nothing resonates more universally than we have to protect the children. Yeah.
It doesn't sound like he went into much detail as to what was going to be done. It was just a general sort of, I'm going to make a noise which everyone will appreciate and think sounds right, but what are we actually going to do is different.
Yes, exactly. And people noted how little attention or time was spent on cybersecurity in the State of the Union. But what was spent was basically, let's protect our children, and then a little bit about more general privacy stuff, but the vast majority of it was protect the kids.
And we're going to shoot down some balloons as well, of course, that's the other thing that's, I imagine, quite hot at the moment.
Hopefully not kids' balloons. But I think this, to me, I think the suits by the school districts are performative. I don't think they expect them to go anywhere, but I think it's a way for them to get their concerns out on a national level and make the politicians pay attention to them in a way that they wouldn't do it otherwise.
So I agree, because no one knows, right? If you're a parent, right, parents are worried about their kids spending too much time on social. Certainly in my echo chamber, all parents seem to be — they're at that age. And you say to them, well, look, educate your kids. What the fuck do parents know about TikTok? Or how kids are using socials? They don't know. Why should they know?
But there's always been something though, hasn't there? Before it was social networks, it was video games. Before it was video games, it was TV. Before it was TV, it was skiffle. There will always be tight trousers or whatever it is, or Elvis's hips, which is going to destroy society.
I hate the Beatles' haircuts.
Yeah. So I have some sympathy with the point of view, although I do obviously find the social networks completely and utterly abhorrent. I can see that we have survived these previous things which have been introduced into society and were predicted to be our downfall.
Yeah, okay. But there's obviously a problem. There were a lot of parents that seem to be a little bit concerned about this. There are school systems suing tech giants — it's signaling we're not happy. And so some people are saying, well, we need more research into this. That's great, but that's going to take a decade for everyone to figure out what it means. And in the meantime, what? So some people were suggesting raising the age limit to access social media — so instead of 13, something like 16 or 18.
But they don't enforce the 13. So why would they enforce the 16?
Yeah. And then I'm thinking, okay, well, what else? Well, then I was thinking, oh yeah, just sue them, right? Hope maybe you get a settlement and then you can invest in digital education, cybersecurity, and, you know, hey, maybe digital ethics. That'd be cool, right?
Maybe we need lead-lined classrooms. Maybe we need to block all signals going in and out of classrooms so they can't do it there.
Make your classroom a Faraday cage.
And yes, and then the technology companies, they could also put something into the operating system. So if you're under 16, your phone turns off at 7 PM and doesn't turn on again until 9 in the morning. How about that?
Yeah, I'll tell you my own experience with my kids. First of all, there was a movement a couple decades ago now, I guess, when kids started taking mobile devices to schools. There were some school systems that wanted to ban mobile devices in the schools, leave them in their lockers. Then Columbine happened, and so they said no. You— the parents said you cannot take my child's mobile device away from them because there may be an emergency, and that could be a life or death thing. Now, that's a legitimate argument. What I've seen now is, for example, my youngest son who's in high school, some of the classes he goes into, the teacher has a thing hanging on the wall that has 30 pockets in it. And as you go in, you put your mobile device in the pocket.
Presumably they don't have pockets for their guns as well. They're allowed to take the guns in.
No, no, they get to keep them. Yeah, they get to keep them. I mean, come on, it's America, Graham. Come on.
Secure Envoy say that while the cloud might be the best choice for companies focused on reducing the cost of managing applications, some companies are opting out of public cloud and sticking to on-premise and private cloud.
Why? One reason is regulatory compliance. Moving data to the cloud means you are reliant on the security and access control provided by the cloud supplier. Organizations that prefer to keep their data on-premise in a private cloud where they have sole access and control should perhaps look to Secure Envoy for on-premise MFA.
So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass. Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted. There's no doubt a lot of questions users are going to ask LastPass about how that could have happened. And why some of that data was left in that insecure state. But one password manager that isn't making that mistake is our sponsor Bitwarden. Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including, unlike LastPass, the URLs for the websites which you have saved passwords for. You can learn more about that in the Bitwarden Help Center. And at bitwarden.com/privacy. And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy. They support importing from lots of other solutions, and there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate. And stay safe.
You've probably heard that organizations are experiencing increased pressure to manage digital trust at scale across multiple functions in IT. The problem is many have a lack of centralized visibility and control, and this is why companies are looking for a unified digital trust strategy. Enter DigiCert Trust Lifecycle Manager. The Trust Lifecycle Manager from DigiCert sets a new bar for unified management of digital trust. DigiCert Trust Lifecycle Manager is a full-stack solution that unifies CA-agnostic certificate management, private PKI services, and public trust issuance for seamless digital trust infrastructure. Find out how you can implement a full-stack solution in a single pane of glass that offers superior performance, handling, and automation with a single vendor accountability. All you gotta do is visit smashingsecurity.com/digicert. That's smashingsecurity.com/digicert. And thanks to DigiCert for sponsoring the show.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Stealing my lines.
Well, my pick of the week this week is not security related. Charlie Chaplin. He's not my pick of the week. I've never found him very funny, but he was— Well, he doesn't mind, Carole. Trust me at this distance. Charlie Chaplin was 73 years old when he had his final child, which I think is a bit old to have a kid.
Agreed.
And as someone who is rapidly approaching the age of 73 years, I thought maybe I should do something about this. I don't want to have— I mean, I love my child, obviously, but I don't think I should have another one. I think I've done my bit. I think that's enough. So my pick of the week this week is your balls? No, this weekend I had a vasectomy. So there you go.
For God's sake!
So there you are.
I'm sure this is a non-clever thing to share with an audience.
I don't think it matters at all for people to know.
Welcome to the club, Graham.
Oh, are you too, Dave?
Well, here's the thing. Here's what I've learned is that when you're a member of Club Vasectomy, you learn how many other gents are members of Club Vasectomy, and it's way more than you would think until you bring it up and then you hear everyone has a story about it. So go on, Graham, go on.
Well, I've got a few stories about it because there I was lying down on the thing as they put the doily on my bits and we're about to—
I'm gonna check out for a bit.
You've not done this, Carole? Anyway, they were about to burn through my tube. There's an unpleasant burning smell as they did it. But anyway, yeah, and they try and distract you from what they're doing down in basement by asking what you do. And I said, oh, I sort of do this cybersecurity podcast and, you know, I talk about hackers and fraudsters and things. And they said, oh, it's such a big deal these days, isn't it? You know, you've got to be so careful. You've got to check people are who they say they are. And I thought to myself, yeah, you do.
Who the fuck's burning my balls?
Exactly. I said to them, "Oi, how do I know you're real doctors? How do I know? I've just, you've just come in. You've just wearing the outfit or whatever and told me to lie down here and there you are with your soldering iron." I was, I've been given, I'm under strict instructions. I'm not allowed to do parkour or gymnastics for a few weeks. Thank goodness.
Jumping from rooftop to rooftop like a cat.
Well, it's a real lifestyle hit for you, isn't it?
Dave, Dave, let's talk mano a mano here.
Yes, yes, yes, yes, sir.
Did you have to send them a sample after a certain number of weeks to see if the operation had been successful?
No, I did not.
Oh, really? You just assumed— Oh, okay. Well, they've told me that on the 8th of May, I have to fill up a little pot and put it in the post so that they can check it. Now, they said—
Oh my God.
Of course, of course. Because sometimes it doesn't work. Now, they said to me it'd be really easy to remember because it was the date of King Charles's coronation. Now, I don't know if that makes it easier or harder to produce the sample. I mean, is that a patriotic thing to do? I don't know. But anyway, it is my pick of the week. Dave, what's your pick of the week?
Well, that's a hard act to follow, Graham, but I will do my best.
Please, quickly.
So I'm curious from both of you. I'll start with you, Carole. What was the computer that you would say was the first computer on which you learned about computers? So the first experience of really learning how computers were as you were growing up, what was the computer that you learned on?
I think— I don't remember. Okay, it was an Apple Macintosh. Is that what it was? The little machine? It had the little small disk drive in the front, and it was a single unit.
It had a mouse.
Yeah. Yep. Yeah, I had a mouse and I had the MacPaint, MacWrite, they had those things.
Yeah. All right.
So fairly far along there. Graham, how about you?
My first computer was a Sinclair ZX81, which I think was called the Timex something or other in America.
Yeah. Timex Sinclair. We called it ZX81.
Yes.
Mm-hmm.
Right.
Yeah. Yeah. No, that was, it was cool. It only had 1K of memory, but that was enough for me to write some computer games and simple little things on it.
Right.
Good fun.
Well, similarly for me, the first computer I spent time on was a TRS-80 Model 1. And I went to a computer camp.
Cool.
And then after that, I bought my own. There was actually no outdoor camping. It was just a day camp.
It was a camp for people who didn't like to go to camp, wasn't it? Let's face it.
It's kind of the opposite of— sort of the opposite of camp.
It was a building with a window.
It was a way to get the nerds out of the house anyway. So to go do something else. And I was ready for that. And then later after that, I saved up my money and I bought myself a TRS-80 Color Computer, which was the first computer I ever owned on my own and was very formative. So my pick of the week this week is a documentary called The Birth of BASIC. And it is about the story of the folks at Dartmouth University, how they came up with the BASIC computer language. And for those who don't know, BASIC was the computer language in that first round of home 8-bit computers. They all came with BASIC.
It was, it was 10 PRINT I AM COOL, 20 GOTO 10, wasn't it? I mean, that was the first program most of us wrote, I think, in BASIC.
Yes. Yeah, absolutely. And so BASIC, certainly throughout the late '70s and throughout the '80s, BASIC was pretty ubiquitous. And then it fell out of favor as computer languages became more sophisticated, as computers got faster. I think these days anyone who's a serious programmer, or as they call themselves today, developers, they poo-poo the whole idea of BASIC, that it's, you know, it's too simple, it's not real. Most versions of BASIC were runtime encoded back in the day, so which means they were slow. But I have to say, I have a real affection for BASIC, and this is a fun, very gentle, affectionate telling of the story about the development of BASIC, the early days of computing, how Dartmouth came up with the idea of sharing computer time, which was a brand new thing. So it's about a half an hour documentary, and if you were there during that time, those early 8-bit computers, or even before, I highly recommend it. It's a fun little trip down memory lane. So Birth of BASIC is my pick.
I will definitely check that out. Thanks, Dave. Sounds terrific.
Yeah, I probably won't, but that's okay, right? It's probably okay. Not because I don't like you. It's just, you know, yeah.
All right. Well, let me hear what yours is, Carole. Maybe I won't check yours out.
Okay, then. Mine is actually definitely one that Graham won't care about at all, because he is a man who most emphatically does not drink coffee. Right?
That's very true. Very true.
Me neither.
Oh, you neither? Okay, perfect. So let me show you what listening to your bit was like. Okay, your story, your pick of the week.
Graham, should we let her go on and just share more stories about her?
Yeah, we'll head off, shall we?
Because I'm one of those hipster twats that love their coffee, and I love to go out for it, but I also definitely want one at home, right? And I don't want a big fancy machine, you know. I don't have a big kitchen. I don't want one of the pods. There's so much crap now with coffee, right? And my other half doesn't drink any coffee either. So it's just me. So my pick of the week for my listeners out there, the few of you that drink coffee, is a reusable coffee filter by a company called Zero Waste Club. And it's made from a mesh of food-grade stainless steel. Okay. It's very light. And you don't need one of those paper thingies inside. And it's like a pour-over coffee. So you can literally just put it over your cup and put in, you know, just boiled water and do it slowly and all the stuff and get a really good cup out of it. If you're— obviously if your beans are good. And then it just literally just dumps it in the compost, give it a little rinse, throw it, or throw it in the dishwasher and done. It doesn't even take 10 seconds to wash. And it's beautiful and it's tiny. And if you're camping, if you like camping and you like your coffee, this is the thing because it's steel, it doesn't break, it's not plastic, it doesn't rust.
What's the name of this thing, Carole?
It's very aptly named the Reusable Coffee Filter, and it's by a company called Zero Waste Club. I've had one now for about 5 months. I use it every day. I love it. So that's my pick of the week.
Well, that just about wraps up the show for this week. Dave, thank you so much for coming on the show. We always appreciate having you as a guest. I'm sure lots of our listeners would love to follow you online and find out more about what you're up to. What's the best way for people to do that?
You can find me at thecyberwire.com.
Nice and simple. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't have a G. We also have a Mastodon account. Easiest way to find it is to go to smashingsecurity.com/mastodon and that will take you there. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode, please follow Smashing Security in your favorite podcast LastPass.
And massive thank you to Bitdefender and DigiCert and Secure Envoy and to our wonderful Patreon community. It's thanks to them all that this show is free. As always, our episode show notes, sponsorship information, guest list, and the entire back catalog of more than 308 episodes is available on smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Bye-bye.
Thanks, Dave. I'm sorry, I'm not basic. Oh yeah, or into basic.
I am actually going— when I hang up, I'm gonna go and watch that documentary right now.
He was definitely gonna do that.
Yeah, it's good. It's good. It's a nice little trip down memory lane. And I think it, I don't know about you, Graham, but were you into BASIC? Did you do a lot in BASIC? Oh yeah. I know you wrote a lot of text adventure games and stuff. Was that all in BASIC?
Yeah, no, they were actually written in Turbo Pascal, but I did learn to program and I did write games in BASIC before I moved on to Pascal. But yeah, it's fantastic. I think it's terrific.
Hosts:
Graham Cluley
Carole Theriault
Guest:
Dave Bittner
Episode links:
- ‘Disrespectful to the Craft:’ Actors Say They’re Being Asked to Sign Away Their Voice to AI – Vice.
- AI-Generated Voice Firm Clamps Down After 4chan Makes Celebrity Voices for Abuse – Vice.
- Video Game Voice Actors Doxed and Harassed in Targeted AI Voice Attack – Vice.
- ChatGPT Can Be Broken by Entering These Strange Words, And Nobody Is Sure Why – Vice.
- My Strange Day With Bing’s New AI Chatbot – Wired.
- We asked ChatGPT to write performance reviews and they are wildly sexist (and racist) – Fast Company.
- How social media affects teen mental health: a missing link – Nature.
- California bill to let parents sue social media gets second try – Bloomberg.
- How to protect children from big tech companies – Wall Street Journal.
- Three out of four parents say social media is a major distraction for students, according to new study – Phys.org.
- Remarks of President Joe Biden – State of the Union address as prepared for delivery – The White House.
- Why the past 10 years of American life have been uniquely stupid – The Atlantic.
- Now Mesa public schools are also declaring that they have failed in educating their children by suing social media – Techdirt.
- Seattle school district files laughably stupid lawsuit against basically every social media company for… ‘being a public nuisance’ – Techdirt.
- The evidence just doesn’t support any of the narratives about the harms of social media – Techdirt.
- Vasectomy – NHS.
- Birth of BASIC documentary – YouTube.
- Zero Waste Club reusable coffee filter – Peace with the Wild.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
- DigiCert – DigiCert’s Trust Lifecycle Manager sets a new bar for unified management of digital trust.
- SecurEnvoy – With growing cyber security threats everyone in your organisation needs multi-factor authentication tailored to their specific access needs and the risk profile of their role. Check out SecurEnvoy’s free guide now.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Instead of a soundboard, maybe hook up a chatbot and it could script the responses on a telephone call.
Certainly a more sophisticated method than a soundboard, but one that seems to be becoming more realistic and convincing on a monthly basis.