
Everyone’s talking juice-jacking – but has anyone ever been juice-jacked? Uber suffers yet another data breach, but it hasn’t been hacked. And Carole hosts the “AI-a-go-go or a no-no?” quiz for Dave and Graham.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
All right, Graham.
Graham, Dave's coming in.
I'm on the Wikipedia for BattleBots and it says BattleBots—
Who mentioned that?
Shut up, Graham. It says BattleBots is an American robot combat television series. The show was an adaptation of the American Robot Wars competitions. The same competition inspired the British TV program Robot Wars, which acquired the name in 1995. Game, set, and match. Where's your citations?
I can send you the link.
Just go to Wikipedia and look up BattleBots.
Oh, Wikipedia. Okay. Yeah, no. Yeah, that's—
I'm editing the Wikipedia page now.
Smashing Security, episode 317: Another Uber snafu, an AI chatbot quiz, and is juice jacking genuine? With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 317. My name is Graham Cluley.
Forget that. And I'm Carole Theriault.
Forget what?
Your name.
Well, it's because I almost said my number, because we were just discussing with our special guest whether 317 is a prime number or not.
And they knew it was.
They did. And it is, of course, the CyberWire's Dave Bittner. Hello, Dave.
Hello. Hello. It's good to be back. It's always fun to be here.
We're very glad to have you. Any news to spout before I get on with the show?
Same old, same old, usual stuff.
I love having regulars. Before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and hCaptcha. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Beep beep. I'm going to be reporting on another Uber breach.
And what about you, Dave?
I have a questionable warning from the FBI.
Ooh. And I have an AI quiz show. All this, much more coming up on this episode of Smashing Security.
I love a quiz.
I love a quiz.
Now, chums, chums, headline news, breaking news. Another company has suffered a data breach. Yes, I know. I'm as shocked as you. It is always a surprise when it happens, isn't it?
Mm-hmm. No.
Well, no, it's not really. No, it's not. And it's particularly not headline news when it's Uber, the world's largest ridesharing company, because they've almost got it written into their mission statement that they will have data breaches. They seem to get their data breached time and time and time again. It's not such a big deal.
How many have they had really, though?
Well, over the last 6 months, it's reckoned they've had about 3 data breaches, at least 3 which they've owned up to so far. So, possibly more. At least 3 in the last 6 months.
Yeah.
And there've been big data breaches at Uber in the past. Regular listeners will remember that Joe Sullivan, who was their chief of security, also had similar jobs at Facebook and Cloudflare.
Yep.
He was convicted of covering up a data breach involving 57 million customers and Uber driver records. He also concealed a ransom payment as a bug bounty to hide that they'd been hacked. He falsified non-disclosure agreements with the hackers. He's currently awaiting sentencing. That was one hack they suffered. More recently, the Lapsus$ gang, they accessed Uber's critical IT infrastructure, all kinds of bits and bobs, hijacked their Google Suite account, downloaded Slack messages, and generally embarrassed the company. So it's not that rare for Uber to suffer a data breach.
But they did get a new CEO who said, we are now going to take security super seriously.
Right.
Your privacy is important to us.
OK, when was that?
About two years ago.
Oh, OK. Well, maybe this is super serious. Like I said, they've only had three data breaches they've owned up to in the last six months. So maybe things have improved dramatically. Who knows? However, this time, this time, things are different. This time, the hack didn't take place at Uber itself. This time, it was at a law firm that Uber uses.
Interesting.
Genova Burns.
Genova Burns.
Genova Burns.
Is that one person?
Well, like Montgomery Burns.
Burns is a weird name to put, isn't it, in a law firm?
Burns.
I don't know.
I guess it's someone's surname. I don't know.
No, but you know, the toilet was invented by someone called Mr. Crapper, right?
Was it?
Was it really?
Yes. Well, they invented a toilet.
I think that's mythical. And I don't think the bra was invented by Otto Titzling either.
Oh my goodness. Anyway, Genova Burns has just sent, moving on, has just sent a letter to Uber drivers warning them that their data has been accessed by hackers because the law firm's systems were hacked at the end of January this year. And they say in this letter that information you provided to Uber, including your name and Social Security number and/or tax identification number, was among the impacted data. By the way, I love it when companies say information including the following.
Yes.
Well, could you— would you—
Is credit card number in there?
Who knows, really?
We're not really sure what they've taken. But we do know they've taken these bits. These are the bits we're going to tell you about. I'd love it if they were actually a little bit more explicit as to what had actually been taken. So it's something of a worry. And many of these data breaches, Genova Burns have said to these Uber drivers, it's not Uber customers, by the way, it's Uber drivers whose data, they've said, look, if you're worried about this, we're offering you some complimentary credit monitoring and ID theft protection.
What, after. After the breach?
Yeah. Which isn't unusual in a company breach, to offer something and say, look, hush, hush, hush, hush. Don't worry too much. We're going to protect you. All you've got to do is sign up with this firm over here to get your free credit monitoring.
We just need a few tiny details.
We'll need some information to make sure that you're not trying to take advantage, you know, that you are qualified for this free credit monitoring. So they will ask you for, you know, in order to protect you from ID theft and any sort of dangers that, what we're going to do is we're going to ask you to share some personal details with the—
Whoa, whoa, whoa, whoa.
Exactly. And so you end up giving your information to someone else yet again. You can also request a credit freeze rather than sign up for one of these services. So you can actually contact the likes of Equifax, Experian, or TransUnion, giving them your full name, Social Security number, date of birth, addresses for the past 2 to 5 years, proof of your current address, current utility bill, a legible copy of your ID, your driving license. I'm not kidding. All of a sudden—
No, but I know you're not kidding, but I'm kind of, I think anyone listening right now knows this because they've had to go through this to do anything. Yes. To get a credit score, to get insurance, to get a mortgage, anything.
So all the time, you're having to pass on your information to yet more people, just like Uber passed on the information about these drivers to this law firm. Now, the interesting question is, why did Uber give the personal data of various Uber drivers to this law firm?
That is a good question.
I have an assumption.
Tell me.
I was assuming they would do that for their care and welfare, right? Like, so say a passenger kicks off in a car, they can say, look, Emily was driving the car and she got punched in the face by some dweebo, protect her, represent her on behalf of Uber.
Oh, okay. So you think it's Uber passing on the details because this particular driver is going to be protected by Uber because they got punched in the face for saying that? That is a possibility.
Yeah. What if the law firm was doing vetting of all the drivers, was saying background checks and things like that? Sure. Jobbing that out to the law firm.
Another possibility. My assumption, maybe I'm a little bit more cynical than you. Oh, you definitely are. Both of you.
You think?
Both of you, much nicer than me. My thought was maybe it's because Uber is taking some kind of legal action against some of its drivers. And so it said, well, look, here's the list of people we want you to contact and write legal letters to saying, wait, whatever you're doing, or you're breaching our rules or whatever. And so I thought maybe what's actually happening is a company is taking action against its contractors or freelancers or however it is Uber likes to describe its drivers, probably not as employees, and sharing those details with its lawyers. Which makes me think, well, hang on, is Uber obliged to tell you, hey, by the way, we're sharing your details with our law firm?
Yeah.
Which might, of course, raise a flag with you that maybe the law firm was gonna take action against you.
Mm. I bet it's in the EULA.
It's in the EULA. They can do whatever they like.
Well, but I'm saying, in the EULA, when you sign up to be a driver, I'm sure it says that Uber has the right to share this information with our partners and our contractors and anyone else we want to. And if you wanna drive for us, you agree to that. Sign here.
And plus, Graham, I don't know if this is true in the UK, and I'm assuming this is true in the States because I've seen it on TV.
Everything you see on TV is true in the States.
But as I understand it from my TV watching, is I—
Which program is this from?
I have no idea, I can't remember.
Miami Vice.
Yes, right.
That I could take insurance out on, for example, Graham, right? To the tune of like, say, a million, right? And if he happened on his death, I would get paid off. Now he would need to know that I have an insurance claim on his— him being alive or dead.
You can take out insurance on me without my knowledge?
I believe, yes.
And you get a payout if I die? Yes. So if I were to take— what?
I told you, I told you, it's questionable sources.
Joe Biden's getting on a bit, right? I suspect he may not be around in 10, 15 years' time. Can I take out insurance on him and claim?
No, but I don't think you'll get very much because he's already— right?
Oh, I see. Oh, I see. Whereas me, young, strapping, and the rest of it.
So much life ahead of you.
I've watched a lot of Forensic Files, okay?
So you're practically a lawyer.
I'm practically a lawyer. Okay, I digress. I'm sorry. Carry on.
So I'm wondering, Genova Burns, this breached law firm working for Uber, I think it may be missing a trick because maybe now it's written to all of these Uber drivers saying, we appear to have lost your data. You never knew that we had it, but we've lost control of it. Maybe they could also have offered to provide legal representation to those affected drivers who may want to sue Uber for entrusting the data to Genova Burns.
But they already represent— I think there's a conflict of interest there.
Is there?
Just a little bit.
There's a tiny one.
But I saw a TV program, and it's absolutely fine. You can do that.
Look, listeners, tell me if I'm right or wrong, okay?
Please. Jeez. Right. There are lawyer listeners right now who are furiously banging their heads against their desks.
Yes, and emailing me, I hope, to tell me the truth. Yes. Thank you very much.
We don't want any American law firms ever listening to this podcast.
We want them listening to you.
Dave, what story have you got for us this week?
Well, my story is about a warning that the FBI recently put out. This was on April 6th. FBI's Denver field office put out a message on their social media and it says, avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto your devices. Carry your own charger and USB cord and use an electrical outlet instead. Now, let me ask you about this because the notion of this has been around for a while, right? In fact, my understanding is that Brian Krebs was the one who coined the term juice jacking.
Did he?
Yeah. That's my understanding. And that's what this is called.
Forensic Files. Yeah.
Right.
In fact, there is a Wikipedia page for juice jacking, which describes this. And the idea is that, as we know, USB can carry power for charging your device, but it can also carry data. So you shouldn't plug your device into anything that you don't know what it is. That's the premise here of what's going on. And there are devices that are supposed to help with this. There are things called USB condoms. Are you familiar with these?
I'm not.
I find them rather uncomfortable, so I haven't used one myself. But. Right, right.
It charges your device, but it just doesn't feel as good. So a USB condom, basically, you put it in line with your USB cable and it disconnects the data connections on a USB cable. So only power can pass between your device and whatever device you've plugged it into. So it's a little safety measure. So there are other things you need to look out for here. This made me think of the— have you guys heard of the OMG cables? I'm pretty sure we covered that here.
Yeah. Yeah.
Yeah. So OMG, and I suppose OMG stands for
Yeah.
Oh My God. But basically it is a cable that looks exactly like a USB cable. But inside of it are electronics to make it a device for snooping on the data that you're transferring over the cable. And it includes— it basically, it spins up a Wi-Fi hotspot so the bad guys can log into the cable and have access to your device.
I, even though I'm pretty security conscious, I would fall for that easy peasy if I went somewhere and said, "Does anyone have a cable I can borrow? Oh my God, thank you so much." I would be grateful, right, for the cable. And there would be nothing to tell me that it was dodgy.
No, right. And if anyone's ever worked in a big company and if you leave a USB cable lying around in the break room, it's gone. Five minutes, it's gone.
Right?
Because somebody's, "ooh, free USB cable," zing, and off they go.
Yeah.
I'm also curious what you guys think about OMG cables just in terms of, should that be a thing? Should the people who are making those cables, do they make enough of a good case that there are legit uses for a cable like that to have it be in existence?
What would be a legit case?
They say it's for pen testers, for security researchers.
Yeah, it's for researchers who have a job of going to companies who've hired them to try and steal data. Isn't it?
Yeah. And they're the only people that use it in the entire universe.
Well, the only legitimate purpose, certainly. Yeah.
So, but in other words, you're kind of saying, should these things be a controlled substance in a way?
In a way.
Yeah.
Or is it even, or just from the folks who are making them, are they hiding behind the ethical statement that we're making this for pen testers, but not really keeping track of who's buying them and where they're going? And I'm not saying that that's the case. It could be that the folks who make these keep very close track of that. But I wonder, I don't know the answer to that. And there's a part of me that wonders, is this something that we should be putting out into the world?
Yeah. What about even cars, right? E-cars. Graham will go anywhere, I am sure, with his electric car if he needed to charge, right? If he was desperate, he would just look on Google Maps, go, "Where's the closest, you know, charging place?" And he would find one, maybe obscurely because he was desperate. And who—
Just for clarity, I'm not plugging my car into a USB cable. That's not how I'm charging it.
It might take, you know, take a long time to charge your car. Take a long time to charge your car.
I'm out of here, guys. I had too much chocolate at Easter.
So what I'm getting to though here, the point of me including this story, because I think most people understand this, have heard this story, it's been around for a long time. There are lots of media outlets who are picking up on this story. I've been seeing over the past 24, 48 hours, this being covered all over the place. FBI says, FBI reminds us, don't plug into devices you don't know where they are. And I think most of us agree, okay, that's good advice. But my question was, does it really matter? Is this a thing? Is this a solution in search of a problem?
Yeah.
On the Wikipedia page for this, they say, to date, there have been no credible recorded cases of juice jacking outside of research efforts.
That they know of. Sorry, I don't mean to be, you know.
Well, but iOS and Android both prevent anything bad from happening with this. Back in the day when you would plug your iPhone in or devices like this, they would mount on your desktop as a hard drive, right? And so you basically had access to everything on there. Well, it doesn't do that anymore. Your computer doesn't do that anymore. In other words, the operating systems on your devices all have preventative methods against this sort of thing from taking hold. So my point is, I can't help wondering if this is basically an infosec superstition that doesn't— it just doesn't happen. It's not something you should— it's not realistic that you should worry about this. Is it a best practice? Sure. Is it really going to be a problem? I don't think it is. I don't think there's really much risk of it.
I don't mean to get super deep here, but maybe it's not a problem because we worried about it early, because people wrote about juice jacking in a place where people went, "Oh my God, oh my God, that could happen." And then put in protections against it at the source, the phone, the device.
Right.
I love your approach, Carole. I don't know.
You know what I mean?
Right. No, I just don't believe that would be the case. I don't think the general public has got any clue regarding juice jacking. I think when I'm at an airport or anything like that, everyone is crowded round where they can actually plug themselves in. And sometimes it'll be on a plug, but other times, very often, it will be into a USB port where they've just plugged themselves in desperately for some energy before they get on a plane.
Everyone joins any Wi-Fi as well. Like, yeah, yeah.
They do. And I think, so I don't think it's because, "Oh well, we've been warning people for a while and that's why it's not happening." I think Dave might be onto something. I think, and maybe Wikipedia too, that it just doesn't appear to be that much of an issue. Over lab conditions or where it's being done in maybe in a pen test scenario.
Yeah, right. And if you look at the cases where the bad guys actually take the trouble to modify a device, which is what we're talking about here, they would have to modify a charging station.
Yeah.
Where are they doing that? They're doing that with point-of-sale terminals. They're doing that with ATMs. They're doing that places where there's an opportunity for the direct capture of money. And I think a USB port is too much of a roundabout way to try to get money. So, so what? I've got access to your device. Maybe. I don't know who you are. I don't know if you have any money. It just, it seems like there are much lower hanging fruit than modifying a USB port on the off chance that you're going to infect someone's device and then have access to their stuff and then they're going to have something that you want. There's, it's just not worth the effort. I suspect.
Mm.
So maybe the FBI, they put out this message on Twitter, didn't they? Put out this advisory.
So, right.
"Avoid using free charging station." Maybe that's because they could encapsulate it within 140 characters or how many characters it is these days. And they were just bored with telling people, "Use unique passwords. Don't use them." You know, maybe their social media team like, "Oh, can we please give people some other piece of advice for once?" "Oh, here's a USB thing. Let's mention that for a change." Is that what's happened here?
I think it's possible, but I think— look, we have a limited amount of attention that we can get from people in the general public when it comes to these security things.
And so it's frustrating to see the mainstream media latch on to an announcement like this from the FBI rather than something like multifactor authentication or unique passwords or all of the things that we actually are likely to run across in our day-to-day lives that are security related. It just seems a shame to me that we're spending all this time and energy on something that it seems isn't actually a problem.
I think maybe they should say, avoid using free charging stations in swimming pools, in the rain.
Bathtubs, sure.
Yeah, those, avoid using toasters as well in those enough Prius pads.
Right.
That'd be a good piece of advice. Absolutely.
Something to think about.
Carole, what have you got for us this week?
We're playing a game. We are playing a game because we all know that AI is what, the mode du jour? As we say in French, everyone's talking about it. And there's a lot of angles that even tech buffs like us can't keep up. At least I don't feel I can keep up. And that's my working thesis for this episode. So I thought we could test it out through a game called AI, a go-go or a no-no. Okay.
Okay. The name's a winner to start off with.
So let's, I love this idea.
Okay, there's only one rule, no cheating. So hands off the keyboard.
I can't cheat using my AI?
No!
Okay, so let's start a little easy. How many AI chatbot contenders in the kind of leadership area can you name?
Extra points if you can name the company and the name of their AI chat system.
Okay, well, I'll start off with one, which is ChatGPT.
By whom?
Yeah.
OpenAI.
Bing!
I believe are the company behind it. They have a French equivalent called ChatGPT, which is an AI-enabled cat. Prrr!
I'm gonna go with Bard from Google.
Bing!
Oh, very good. I believe there's a Chinese company which has just come out with one, but it has only a Chinese name. I was reading it today. Yes, I'll go with that.
Alibaba came out with it.
Yes, Alibaba. I'm not going to try and say the name, not being Chinese and not wishing to upset anybody.
There's also, of course, Microsoft's Bing Chat, right?
Oh yeah, Bing Chat, yeah. Who can forget Microsoft, what's it called?
Who can forget?
Well, there was Tay, remember Tay? She got retired, but that was Microsoft's AI chatbot from a few years back that—
Clippy, Clippy, was Clippy, yeah.
Now, which of these that you've of the ones that you've mentioned has a privacy policy that promises to protect people's data, do you think?
I think it's a trick question. I suspect none of them.
I'm going to go with all of them if you know where to look.
Well, the answer I've come up with from my research today is OpenAI. They, inside their privacy policy, promises to protect people's data. It's interesting because Italy has just recently banned ChatGPT on privacy grounds. But the big worry, of course, is data collection when it comes to chatbots. Jake Moore, he works at ESET, but he said it really well in The Guardian article. So I'm going to quote him. He says, "While the firms behind the chatbots say your data is required to help improve services, it can also be used for targeted advertising. Each time you ask an AI chatbot for help, microcalculations feed the algorithm to profile individuals." And the article started saying, this is happening, this is happening now. Microsoft already announced that they're exploring the idea of bringing ads to Bing Chat. Also said that Microsoft staff can read users' chatbot conversations.
So if I broke my leg, for instance, I thought, oh crumbs, what am I going to do with my broken leg? And I went to ChatGPT 'cause I couldn't get through to the National Health Service. And they'd say, well, you need to get a bit of wood and sort of tie it to, you know, get a splint and maybe use a bandage. You may want to use bandages, from vendors such as, and it includes helpful links. Is that the kind of advertising it's going to do? Is it going to tell me what to purchase from vendors?
This doctor has the best reviews.
Probably.
Okay, question number 2. What country has mandated security reviews for AI services like ChatGPT? And I can give you a list of 4 if you want to choose from that. So we've got Russia, Cuba, China, and Vietnam.
Weird list.
Hmm.
So what's the question again?
What country has mandated security reviews for all AI services like ChatGPT? This country, to give you a hint, this country's biggest search engine just released ErnieBot, which is their version of ChatGPT.
I was gonna guess Vietnam also, just because, for no particular reason.
Yeah.
No, it's China.
Ernie Bot.
Chinese AI services must underpin core socialist values is the big thing. Since their announcement of this this week, stock prices have already fallen for Chinese-based AI tech services since, you know, which is not necessarily surprising. But there's going to be a number of steps they need to go through to ensure that they're supporting core socialist values. And the reason the list was weird is because I had to look up all the socialist countries.
Well, I imagine, yeah, I imagine that they don't want the bots saying something which is off message to the Chinese people. Is that right?
Right, right. This is not protecting the consumer's interest. This is protecting—
Well, it may be protecting both because by having no regulation and having this kind of wild wild west where everyone's trying to compete and get some services out quickly is making some people nervous. I don't know, I'm nervous about it. I don't know about you guys, but, hmm, come on, we're almost done here. Question 3: What professions do we think will not be replaced by AI?
Podcaster.
Really?
Definitely not. No, no, that podcast is safe. Podcasts are going to carry on. Yep, no, no, we're from there.
Do you think politicians? There was this article I read, right, link in the show notes, about these are the jobs that'll definitely not be impacted, right? Or, you know, be replaced by AI.
Okay, I can't be that dumb.
Yeah, right.
I don't know, I find that I can imagine actually that happening and people loving that, you know, machine versus person. Psychologist or shrink?
No, we've been— I mean, Eliza's been doing that for decades, right?
And also there's loads of them right there already. Exactly. What about priests, spiritual figures, things like that?
I think that could be same thing. Same thing as, yeah, that's sure. That's easy.
Surely, surely your typical priest just says, "Five Hail Marys and you'll be fine, son." Isn't it? I mean, isn't that what they do? So you can just give an automatic response. You definitely could do that with a robot.
Totally. What about athletes?
How is an AI going to— so we're talking robots?
Well, say there was a basketball game.
Yeah.
Would you watch a basketball game with two robot teams?
Sure, I'd watch it, right? Yeah, I'd watch it, right?
In this article, they intimated that this would not be any fun for any of us, and I'm like, I don't know. Which brought me to my pick of the week.
Graham, you probably will guess on the way, but I think if you were able to give the different bots personalities— because part of the reason I think we enjoy sport is the personalities and different capabilities of the different athletes. So if you had all, you know, a basketball game with 5 different copies of the same, or 10 versions, 10 robots that were all capable of the same thing, that wouldn't be very exciting.
Built by different teams of different countries?
Yeah. There are tennis players who are a bit like robots anyway. I remember the days of Bjorn Borg, and it was all exciting tennis then. And then they replace them, these just, these people who just hit ball very fast. You know, it's, oh God, so dull now. So I don't think AI sports would be that interesting.
I'm thinking of maybe in the movie Pacific Rim where you had the giant robots and they had the characteristics of their home nations. That might be interesting. Okay.
Finally, what about lawyers and judges? Would you have a robot lawyer argue for you?
I think certainly law clerks and law researchers are in danger here, but I don't know about the actual lawyers because that, I believe, requires a certain amount of creativity.
Surely they're largely just Googling past cases anyway and referring to them.
I suppose it also depends on what kind of law it is.
Yes.
You know, there's law and there's law, so I don't know, land use law might be easier to rely on some kind of AI than, say, a murder trial.
If you were a clerk or something having to do research, you could use something like ChatGPT to find, you know, precedents or similar judgments, relevant cases, right?
Yeah, but, oh, but, but, Carole, all these AI systems, all they're doing is scooping up drivel that people have posted on the internet before, which may be complete bollocks.
Interesting.
Do we really want them doing that?
Interesting, because a lawyer did this, right? A lawyer went ahead and ChatGPT spewed out cases fully cited with reference numbers and case notes.
Right.
Okay. And this was in New Zealand and they asked ChatGPT for help and it was all made up. It made it look completely bona fide legit because it studied, you know, it nailed how to display a case name and do the citations. And the cases didn't even exist. They created it with case notes and everything just to help out is the argument some people are using. But it gets worse when in the States this happened as well. And a lawyer reportedly asked an AI chatbot to generate a list of legal scholars who had committed sexual harassment as part of a study. So he was just seeing how it was going to go. And it did provide a list. And on the list was an American law professor from George Washington University. And it said that this professor made sexually suggestive comments and attempted to touch his students inappropriately during a class trip to Alaska. And the accusation was based on an article in The Washington Post. However, the professor and The Washington Post both confirmed the article never existed.
Right.
That's frickin' scary.
Shameless plug here. This is an article Ben Yellen and I dig into in our most recent Caveat episode. And I agree. This is scary. And who's liable here when ChatGPT makes something up that is defamatory and creates references out of whole cloth, and presents it as fact? Yeah, in my conversation with Ben Yellen, who is actually a lawyer, not unlike you, Carole, who has watched several episodes of Law & Order, he says that in his opinion, that the legal system just is struggling to keep up with this, that it is not prepared for this sort of thing. And so we have an interesting road ahead of us.
Okay, we will put the link to the show in the show notes, of course. And based on the quiz, David, you definitely win.
Oh, for God's sake, seriously? Why?
Why? My glorious guest, happy as a clam. That's why.
There you go.
I win a free membership to ChatGPT.
This episode is sponsored by hCaptcha. Are cyber threats negatively impacting your business? Unleash powerful fraud protection for your online properties with hCaptcha Enterprise, the leading security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Whether your bad actors are human or automated, hCaptcha Private Learning is the solution. Easily combine your pre-blinded data with hCaptcha's thousands of signals to rapidly find fraud and abuse in real time. hCaptcha's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com/hcaptcha, that's H-C-A-P-T-C-H-A, to get started with a free trial today. And thanks to hCaptcha for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. Login with Device can be initiated on the Web Vault, browser extension, desktop app, or mobile app, and you can approve access on your mobile and desktop app versions of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. To learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Better not be.
My pick of the week this week is not security related. I have been playing board games, and you've all played Trivial Pursuit, I'm sure, over the years. It came out in the, I don't know, '80s, '90s, whenever it came out.
Yep.
Now, what did the Trivial Pursuit guys come up with next? You're wondering. They made that incredible game which sold a gazillion copies. Well, what they came up with was an extraordinarily complicated and unsuccessful game called UBI.
UBI? Like UBI?
UBI, which I think is Latin for 'where' or something.
Ooh, my wife had a UBI once, but she took some pills and it went away.
Oh my god.
UBI is— it's a bizarre game. It's not very well known. I played it this weekend. It is a geography trivia game. You have this giant map of the world. You have coordinates everywhere. And you have lots and lots of cards with cryptic, irritatingly rhyming, or just obtuse questions.
Way to sell it, Graham.
If they brought it out now, people would think it was something to do with the Illuminati. You're building this sort of pyramid with a big eye in the middle. Those are your pieces. There's all kinds of terminology for the different— it's actually not that complicated once you start playing and work it out. It is a bit tricky.
Did you enjoy it?
I did actually enjoy it. And I would play it again. It's a bit of—
Did you fall asleep?
I didn't fall asleep. It's a good trivia game. It's based on geography. You will be somewhat frustrated. Between 2 and 26 people can play it at the same time. Oh boy.
You and 26 of your closest friends gathered around a board. It's better than the Knights of the Round Table. This is exciting.
It does say things, you know, 'Ubi Bob Newhart's psychiatric couch crouch,' which means, 'Where is Bob Newhart's psychiatric couch?' Chicago. So if you were— Okay, right.
Ding, ding, ding, ding, ding.
Alright, so you know it's Chicago, Dave.
Right.
And maybe you can do this, but as Brits, maybe we couldn't. You then have to take your little Ubi locator thing onto the map and work out where Ubi is on the map. So where Chicago is on the map.
So ubi is a verb? To ubi? So to ubi is to place my thing on the board?
Well, let that— if you like. Yes.
This is one of the worst Pick of the Week descriptions I've ever heard in my life. It is.
You get the answer.
I can't take my eyes away from it.
The answer is not to say Chicago. The answer is to be able to say with precision where Chicago is on the world map. And Chicago might be easier than, for instance, Buckfast Abbey in Devon, which was the answer to one of the other questions which I did this weekend. So, that is the game of Ubi. I'll put some links in the show notes where anyone who really likes board games can check it out. I picked up my copy from eBay, and I had some fun with it. And that is why Ubi is my pick of the week.
Wow. Did you buy this for someone as a gift and they just said, 'Actually, thanks, but no thanks'?
No, it got regifted from someone else. Someone else to him.
He got regifted.
Ubi, we put the board.
I don't want it. Just—
Anyway, I'm gonna ignore you. Dave, what's your pick of the week?
So my pick of the week, actually, I put in here just for you, Graham. I was watching, there's a gent on YouTube named Rick Beato who people are maybe familiar with. He's well known for his expertise in music theory. He has a series called What Makes This Song Great where he goes through popular songs and sort of reverse engineers them and explains why they are great. Again, using his knowledge of music theory, which is extensive, but he's also a good explainer.
He's brilliant. I've seen some of those videos. I think actually one of those videos may have been a pick of the week in the past. He's really good at analyzing songs and explaining why they're good.
Right.
I'm wondering if it's Dave that brought it to our show.
Could be. I don't remember.
But he's certainly very good.
Yeah, and his channel has really taken off to the point where big-time artists like, well, one that I know is a favorite of both you and Carole Theriault, Sting, have appeared with him in interviews to promote their albums as they come out. They will stop by and do an interview with Rick Beato to promote their new music. So as a channel, it's quite interesting. If you're into music, it's definitely worth a look. But he recently did a tour of Abbey Road Studios, and specifically Studio 2, which is where evidently some— a well-known band from the '60s and early '70s recorded some of their more well-known albums there.
Yes, the Osmonds.
I can't recall who.
That's right.
Yes, that's right.
That's right. So it's sort of a magical place, magical mysterious place, I guess. But it's really neat to see them walk around and just sort of offhandedly say, oh yeah, that's the piano from Fool on the Hill, you know, like, oh yeah, that's the microphone that Paul McCartney, we recorded in this closet because he liked the sound of it, you know, that sort of thing. So if you are at all into the Beatles or recording or popular music, it's worth a look. And that is why Rick Beato's tour of Studio 2 at Abbey Road Studios is my pick of the week.
Wonderful. I did see that you were choosing this, Dave, and I've checked out the video and it's very enjoyable. I agree. I was lucky enough to go and visit Abbey Road Studios back in 2021 because they were doing a rare public tour. Anyway, brilliant. Very, very cool. Okay, Carole, what's your pick of the week?
Yeah, RC cars.
So, when I was doing my little quiz research, right, I mentioned athletes. We were talking about athletes and that they'd never be threatened by machine fighting. And it brought me back to a show that I first saw in the UK when I first moved here. And I checked our pick of the week list, and it seems it's never been mentioned before.
Right.
Machines fighting, Graham.
Do you mean Robot Wars? Is that what you're thinking of? Yes. Robot Wars, yes. Yes!
It's the best show ever!
Is it?
I loved— I love Robot Wars. I love it.
Better than Law & Order?
Really? Really?
Better, better, hands down. I'm not kidding. Okay, listeners, okay, so basically you have teams. Each team builds the craziest, most violently designed machine with wheels. So they'll have angle grinders and axes and flamethrowers, and they roll around really fast. They're all remote control cars.
Yeah. Remote control cars.
RC cars. Yeah, remote control. Yeah. And they fight it out. And you make this beautiful art, this machine of destruction. Then you have to send them into the ring of battle, and they can get destroyed. And it's riveting. There's drama, there's tech, there's violence, there's destruction.
Everything.
Something for everyone.
Did you not like it, Graham?
What? No. No, I liked some of it. I mean, this was a British show, wasn't it? There must be an American version of this as well. I'm not talking about that.
You're talking about the American blah, blah, blah. Who cares?
Who gives a damn about that?
I think the American version was the original. No way. Robot Wars and BattleBots are the two franchises that I'm aware of here in the US, because if a show's worth doing once, it's worth doing twice. And I believe, and perhaps it's just my own prejudices, but I am pretty sure that it originated here. But who knows? I could be wrong.
Right. I have just been on ChatGPT, and I've asked, Robot Wars UK started in 1998. It looks like Robot Wars began in the US on Nickelodeon in 2002. So once again, the British were ahead.
Thank you very much, ChatGPT.
No, no, no, no, no.
Listeners, if you have never heard of it, and you're not going to be a know-it-all, okay, it's the best stress relief TV I've ever experienced to date. I love it. I want it to come back on air just as it was in the UK version.
All right, Graham, Graham's coming in. I'm on the Wikipedia for BattleBots, and it says BattleBots— oh, shut up, Graham. It says BattleBots is an American robot combat television series. The show was an adaptation of the American Robot Wars competitions hosted in mid to late 1990s by Mark Thorpe. The same competition inspired the British TV program Robot Wars, which acquired the name in 1995. Game, set, and match.
Where's your set? Where's your citations?
I'll send you the link. Just go to, go to Wikipedia and look up BattleBots.
Oh, Wikipedia. Okay. Yeah, no. Yeah, that's—
I'm editing the Wikipedia page now. Exactly right. This will not stand.
This injustice will not stand. And hit the embassy on the line.
I'm stressed. I'm gonna go watch some Robot Wars after this show. If you need some stress relief and some, just some fun, punch it up without getting violent yourself. It's great. So my pick of the week, Robot Wars. It's the BBC YouTube channel. There's a link in the show notes. Enjoy.
Well, that just about wraps up the show for this week. Dave, I'm sure a lot of our listeners would like to send you a little private message regarding some of the issues which come up during the course of this podcast. What's the best way for them to do that?
Just go to thecyberwire.com and you can find everything that I do there.
Yeah, so set your bots against cyberwire.com.
Your battlebots, right? Right. I'll be careful when I open the office door that there'll be a battlebot on the other side of it. Waving a British flag.
And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. We also have a Mastodon account. The easiest way to find it is going to smashingsecurity.com/mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Overcast and Spotify.
And a huge, huge thank you to this episode's sponsors, Kolide, hCaptcha, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 316 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye.
Bye-bots.
Guys, Robot Wars! What?
I sent it to Dave an hour earlier. Did you get to see it?
Did you look?
Yes, I love it. I love Robot Wars.
Oh, you do?
I do.
Oh, that didn't come across in my bit, actually.
Oh, I know.
It's all BattleBots this, BattleBots that. BattleBots is the best.
I'm sorry. We were all just caught up in being provincial. But no, I love— I think it's wonderfully entertaining.
I hope one day we meet in person, and that's what I would like to do. I would like, Dave, to go with you.
Beat the snot out of each other?
No, I want us to go to one of these shows and watch machines destroy themselves. That's what I would like to do.
That sounds a lot of fun.
If AI carries on as it is, Carole, that's going to be happening everywhere. Skynet is coming.
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Episode links:
- Uber driver info stolen yet again: This time from law firm – The Register.
- Letter from law firm Genova Burns to impacted Uber drivers (PDF)
- Tweet by FBI Denver – Twitter.
- FBI warns against using public phone charging stations – CNBC.
- ‘Juice Jacking’: The Dangers of Public USB Charging Stations – FCC.
- Stop! Don’t charge your phone this way – Seattle Times.
- This Seemingly Normal Lightning Cable Will Leak Everything You Type – Vice.
- Cybersecurity Myths You Might Still Believe – Debunked! – CXO Today.
- China to require ‘security assessment’ for new AI products – France24.
- Cybercrime: be careful what you tell your chatbot helper…– The Guardian.
- 12 Jobs that AI will never replace – In Hunt World.
- ChatGPT Fabricates Sexual Harassment Scandal, Names Real US Law Professor As Accused – Republic World.
- Insurable cyberattacks? – Caveat podcast.
- UBI board game – Board Game Geek.
- The Eye, The Pyramid, The Map: The Psychogeography of ‘The World According to Ubi’ – We Are The Mutants.
- They Finally Let Me Into Abbey Road Studios! – Rick Beato, YouTube.
- Robot Wars: Episode 5 Battle Recaps 2017 – BBC Two, YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Carole,
Indeed you are correct, or at least you used to be. The fact is that in the US, Walmart used to insure employees for 1 million USD. After one signs the agreement to work for the company, one is insured. How many read that document?
Not sure if this is still the case now, as this was published some time ago.