UPS delivers some smishing advice (but have they kept something under wraps?), we ask ChatGPT to take a long hard look at itself, and we debate what the penalty should be for taking national secrets home with you.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s sole founder Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Out of an abundance of caution. That's the best.
That's the best. I've not heard that one before, and I've heard them all.
Please tell me there's a, we take security seriously somewhere.
By an abundance of caution.
We are providing notice to individuals whose information may have been impacted.
May have been impacted. Sent to all. Make sure it's BCC.
Smashing Security, episode 328, UPS phishing, ChatGPT 101, and storing secret files with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 328. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 328. My name's Graham Cluley.
God, that's a big number. And I'm Carole Theriault.
Hello, Carole.
Hi, Graham.
Welcome back from your holidays.
Thank you very much. Thank you very much.
And what a delight it must have been to come back to find that Smashing Security—
The one and only.
—is an award winner. Again.
That's right, isn't it, Thom? Hi, Thom Langford.
Hi, Thom Langford from the Host Unknown podcast. Of the what's-his-name podcast.
Humiliating, it was. I had to go and pick up two awards, and they were both for you.
Do you know, they got in touch with me saying, please come, please come. And I was like, I wish I could, but I'm on holiday.
I can't go, but I'm sure Thom Langford will pick them up for us.
I can't go, but I'm sure Thom Langford will pick them up for us.
Graham, I know can't be asked. Yeah, so Yvonne asked and said, can you be around to pick up just in case? And then I double-thought it and thought, ah, perhaps that's a double bluff.
She wants to make sure that I'm there so I can pick up. Yeah. Because I had three things in the mix. I, you know, statistically I was— Oh dear. But no, couldn't believe it.
She wants to make sure that I'm there so I can pick up. Yeah. Because I had three things in the mix. I, you know, statistically I was— Oh dear. But no, couldn't believe it.
Thank you once again to all of our listeners who voted us. And allowed us to win, what was it?
Most entertaining cybersecurity podcast and best all-rounder cybersecurity podcast or something like that.
Most entertaining cybersecurity podcast and best all-rounder cybersecurity podcast or something like that.
Did you have to put your waist measurements in, Graham?
Well, the best all-rounder. Thank you for showing up to the awards because of course, Carole and I couldn't be arsed.
No, and thank you, Iskensi PR, for facilitating the party. It was very well done. I'm going to kick the show off, so buckle up.
But before we kick off, let's thank this week's wonderful sponsors, Bitdefender, Collide, and Drata. It's their support that help us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
But before we kick off, let's thank this week's wonderful sponsors, Bitdefender, Collide, and Drata. It's their support that help us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Well, it's not so much smashing security this week as smishing security.
I do not think you should screw up with her name like that. Okay. And Thom, what about you?
Oh, I am talking about the difference that a few million dollars in personal net worth makes in how the law treats you.
Okay. And I'm dumbing down ChatGPT, or am I? We'll find out. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, you know, we talk a lot about bad news. We talk a lot about companies goofing up.
And I think we actually need to praise companies sometimes when they raise awareness as to the threats which are out there and give a little bit of it.
So I thought I'd do something a little bit different.
And I think we actually need to praise companies sometimes when they raise awareness as to the threats which are out there and give a little bit of it.
So I thought I'd do something a little bit different.
What, cheery? Sorry, what show is this?
We're going to do an interesting story.
I thought— Cheeky. Wow. I thought— Ooh. Yeah.
He picks up an award and he's all spiky, spiky.
Come on, you two, earn your award.
Anyway, listen, I thought, let's actually applaud a company doing something right, because UPS in Canada, the delivery firm, has gone out of its way to contact customers.
They sent them a letter, and I thought it's worth reading out because there's some great advice in here, which I think would be suitable for everyone who listens to the show.
Anyway, listen, I thought, let's actually applaud a company doing something right, because UPS in Canada, the delivery firm, has gone out of its way to contact customers.
They sent them a letter, and I thought it's worth reading out because there's some great advice in here, which I think would be suitable for everyone who listens to the show.
Are you being facetious? I'm worried you're being facetious.
No, no. As if I would. As if that ever showed up in my school report.
Because you mentioned Canada as well, and you know it's dear to my heart.
Oh, don't worry about that. It just happens it's UPS Canada who are forward-thinking enough to send this out.
So you get this letter and it says at the top, 'Fighting phishing and smishing: an update from UPS.' Okay, that's all right, isn't it? 'At UPS, we are committed to fighting fraud.
We want to let you know what phishing and smishing are, and what you can do to protect yourself.'
So you get this letter and it says at the top, 'Fighting phishing and smishing: an update from UPS.' Okay, that's all right, isn't it? 'At UPS, we are committed to fighting fraud.
We want to let you know what phishing and smishing are, and what you can do to protect yourself.'
Very good. I'm happy.
That's good, yeah. Absolutely, I think education is what's needed in many cases.
By the way, I've never liked the word smishing. That's phishing via SMS, isn't it?
Yes, right.
It's always conjured up things of, you know, a bare foot squishing over a tomato or something.
I just think it's making up a word just for, you know, some PR person once thought, oh, how can we make this interesting? I think it's cute.
I like it much more than BEC.
So there you go. BEC is rubbish, isn't it?
It's rubbish. That's for spearfishing.
Oh, but spear— okay, we're going off on a tangent. See, spearfishing, I always thought, was a phishing email sent to someone specifically.
And now it seems people are saying spearfishing when there's an attachment, whereas I always view phishing as something—
And now it seems people are saying spearfishing when there's an attachment, whereas I always view phishing as something—
Oh, no, no, it's aimed. It's anti-doxing.
The language may have evolved since you joined the cyber community, though.
Maybe it has. I always think of phishing as someone clicking on a link. I don't think of it as having an attachment, so I don't know. It just feels all a little bit sort of—
Anyway, back to— Loosey-goosey.
Back to UPS's letter. What are phishing and smishing, they say in bold?
Fraudulent emails referred to as phishing and text messages, referred to as Smashing Security, are becoming more common. That's true.
Fraudsters attempt to convince package recipients that they owe money for delivery of a package and send text messages or emails to solicit credit card and other payment card data.
I mean, we've all seen that, haven't we?
Fraudulent emails referred to as phishing and text messages, referred to as Smashing Security, are becoming more common. That's true.
Fraudsters attempt to convince package recipients that they owe money for delivery of a package and send text messages or emails to solicit credit card and other payment card data.
I mean, we've all seen that, haven't we?
We've all received something like this.
I often fall for it, 'cause I never know what I order, right?
What do you mean you fall for it? So you—
You click on the link. No, no, I don't.
Drunk Amazon, right? No, I never do that.
But yeah, I order stuff and then sometimes you expect it in one package, but it dribbles in in lots of packages.
Right, that's normally if they've thrown the box away.
No, it's coming from a different depot, something, something. Anyway, whatever, so I never know if it's going to be 3 or 4 or 5.
And then if I get a text and I know something's coming, I'm like, did I get everything? Am I waiting for something? Is this one? Just so my husband, he goes, no, fuck off.
And then if I get a text and I know something's coming, I'm like, did I get everything? Am I waiting for something? Is this one? Just so my husband, he goes, no, fuck off.
Stupid. You never ask yourself how they got hold of your mobile phone number to send you an SMS?
Well, I— no, because they have your address, but they don't have your mobile phone number normally, do they? I don't know, that's the sneaky thing.
Well, I— no, because they have your address, but they don't have your mobile phone number normally, do they? I don't know, that's the sneaky thing.
Is that the sneaky thing? Okay, that's a really good tip, I think that's a good tip.
Okay, let's go back to the UPS letter, because this is sharing great information.
These messages may appear legitimate by incorporating company brands, colours, or other legal disclaimers.
'These fraud attempts affect deliveries from many carriers.' Brackets, in other words, not just UPS.
You can learn more about common types of fraud and see examples of fraudulent messages at incredibly long URL, right? Okay, the letter goes on. 'Have you been smished?
If you've received something that doesn't look or feel right, trust your instincts. Real UPS texts,' at least in Canada, 'will only come from SMS number 69877 in Canada.'
These messages may appear legitimate by incorporating company brands, colours, or other legal disclaimers.
'These fraud attempts affect deliveries from many carriers.' Brackets, in other words, not just UPS.
You can learn more about common types of fraud and see examples of fraudulent messages at incredibly long URL, right? Okay, the letter goes on. 'Have you been smished?
If you've received something that doesn't look or feel right, trust your instincts. Real UPS texts,' at least in Canada, 'will only come from SMS number 69877 in Canada.'
Hang on, hang on a minute. Now, I'm just a CISO, so not exactly technically minded here. But I have it on pretty good authority that numbers can be spoofed.
That is true, isn't it? Yeah, they can be. So you could send an SMS message, probably pretending to come from the real UPS Canada number.
From 69877, yeah, I guess you could. Good point.
Good point, Thom. Yeah, well, so far, though, most of this has been quite sensible. I think it's been quite good advice.
And informative and easy to read, at least if you didn't have two idiots interrupting the whole time.
I've said nothing for minutes. But anyway.
UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered.
UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.
As part of that effort, UPS conducted an internal review to assess whether information it received from shippers was contributing to this fraudulent conduct.
In other words, is some information leaking out?
UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.
As part of that effort, UPS conducted an internal review to assess whether information it received from shippers was contributing to this fraudulent conduct.
In other words, is some information leaking out?
And it's not us, it's some third party that we partner with.
It's not us.
Well, the next sentence, Carole: During that review, UPS discovered a method by which a person who searched for a particular package or misused a package lookup tool could obtain more information about the delivery, including a recipient's phone number.
In other words, they've snuck in, and we're in about paragraph 5 or 6 now. We might have had an issue.
Well, the next sentence, Carole: During that review, UPS discovered a method by which a person who searched for a particular package or misused a package lookup tool could obtain more information about the delivery, including a recipient's phone number.
In other words, they've snuck in, and we're in about paragraph 5 or 6 now. We might have had an issue.
Yeah, exactly. In other words, we messed up our website.
Out of an abundance of caution. That's the best.
That's the best. I've not heard that one before, and I've heard them all.
Please tell me there's a, 'we take security seriously' somewhere.
'Out of an abundance of caution.'
'We are providing notice to individuals whose information may have been impacted.'
'May have been impacted.' Sent to all, make sure it's BCC.
So if I'd got this letter, I would have started reading, just thinking, 'Oh, blah blah.
They're just telling me what phishing and smishing are.' Yeah, you wouldn't have got past the first paragraph.
They're just telling me what phishing and smishing are.' Yeah, you wouldn't have got past the first paragraph.
This is not a breach notification notice, is it?
Hidden inside the longest paragraph of all is this little bit saying, "You fucked up.
You may have been impacted by this." So they're saying their package lookup tool has been leaking recipients' names, shipment addresses, potentially phone numbers, order numbers.
It says, "We can't tell you exactly when this has been happening, but it looks like it has been happening to some customers from February 2022 until the end of April 2023." Blimey!
So those texts, if you'd received one, it may have been a lot more convincing because—and this is thanks to the folks at Bleeping Computer—they've uncovered people who were expecting deliveries from UPS who got very, very convincing messages.
Right. Now, Thom, you are a big fan of Apple tech, and you're also a huge fan of LEGO, aren't you? Yeah.
Well, we're going to link in the show notes to a couple of examples from people who were expecting deliveries via UPS of a LEGO order.
And they got text messages saying, "Your LEGO order is waiting delivery to your shipping address, postal code blah blah blah.
You need to pay a shipping fee in order to have the parcel on time. To avoid delays, click here."
You may have been impacted by this." So they're saying their package lookup tool has been leaking recipients' names, shipment addresses, potentially phone numbers, order numbers.
It says, "We can't tell you exactly when this has been happening, but it looks like it has been happening to some customers from February 2022 until the end of April 2023." Blimey!
So those texts, if you'd received one, it may have been a lot more convincing because—and this is thanks to the folks at Bleeping Computer—they've uncovered people who were expecting deliveries from UPS who got very, very convincing messages.
Right. Now, Thom, you are a big fan of Apple tech, and you're also a huge fan of LEGO, aren't you? Yeah.
Well, we're going to link in the show notes to a couple of examples from people who were expecting deliveries via UPS of a LEGO order.
And they got text messages saying, "Your LEGO order is waiting delivery to your shipping address, postal code blah blah blah.
You need to pay a shipping fee in order to have the parcel on time. To avoid delays, click here."
As if criminals couldn't sink any lower, they mess with a man's LEGO. Good God. I just, I feel dirty now.
You would have fallen for this, I suspect, Thom, because the one thing you want is you want your LEGO arriving promptly.
Absolutely. And I have no idea what I ordered half the time.
Yeah, but don't you think—okay, there's a few typos in this, one. And two, there's this weird dollar sign at the back end of the money. The money thing looks really odd.
$1.55 in this example, yes. You see, you're looking at a screenshot. In this example, it's $1.55, but no one would write that.
Yeah, no, that's the—oh, yeah, yeah. And there's another one for $1.63. So that would be a dead giveaway.
But would it? Would it though, Carole?
Would that stop you? Who's fallen for this?
Who's fallen for this?
Well, it would have stopped many of us, but the point is that in many cases—and we know this from all the scammers, etc.—that they sometimes seed in these deliberate mistakes to weed out the people who are going to work it out at some point.
What they want to get are the people who—the more gullible ones—maybe don't—yeah, who maybe don't quite have the same sort of, you know, cognitive abilities to see.
It's not just cognitive, it's digital ability, right?
What they want to get are the people who—the more gullible ones—maybe don't—yeah, who maybe don't quite have the same sort of, you know, cognitive abilities to see.
It's not just cognitive, it's digital ability, right?
This could be your first purchase online, you know. Well, exactly.
Yes, yes, it's very true, because presumably the scammers aren't going to all this effort to just steal $1.63.
When you go to the URL, it's going to grab other personal information or charge your card more than that.
When you go to the URL, it's going to grab other personal information or charge your card more than that.
Exactly. And also they've sent out probably a couple of million of these.
Because there's that much LEGO going via UPS.
So, well, there is. The chip in them. I'm just saying. Well, if anybody has a spare room I can use, that'd be great.
So it's not just LEGO. Apparently it's Apple as well and other firms, apparently. Oh, what? So there are all—I don't know what I've heard. I feel personally targeted.
So there are all manner of potentially, you know, people who are falling for much more convincing delivery failure, or "you need to act upon this UPS message," smishing cam—I hate the word smishing—campaigns than ever before.
What's the advice? The advice? Don't call us, we'll call you.
So there are all manner of potentially, you know, people who are falling for much more convincing delivery failure, or "you need to act upon this UPS message," smishing cam—I hate the word smishing—campaigns than ever before.
What's the advice? The advice? Don't call us, we'll call you.
Never trust anyone ever. No, so I get a UPS, I'm waiting for one, do I—
You know, my first piece of advice is complain to UPS because they have disguised this piece of advice.
They've hidden it as much as possible behind what looks like a generic piece of—
They've hidden it as much as possible behind what looks like a generic piece of—
Yeah.
Watch out for phishers and smishers. Yeah, does that get a shame, shame from you? It is, that's exactly what it is.
The piece of advice I'd say is, if in doubt, wait two days. Your package is going to arrive anyway, and then you know it's a scam.
Yeah, you don't have to get your knickers in a twist right away. Yeah, no need to rush.
Thom, are you really that patient when it comes to a hot piece of LEGO?
Well, I mean— You're on mute now. Am I?
No, I'm not. What are you talking about? God, you had me worried then.
I just didn't want him to talk about a hot piece of Lego in a dirty way. Oh, I see.
Thom, Thom, what have you got for us this week?
So, what have I got for you? I've got a little story, which is, it's a story almost as old as time, actually, about whistleblowers.
In fact, I found a Wikipedia page that lists all of the famous whistleblowers going all the way back to the 1600s, which is a rabbit hole you don't want to go down.
Did it involve a rabbit?
In fact, I found a Wikipedia page that lists all of the famous whistleblowers going all the way back to the 1600s, which is a rabbit hole you don't want to go down.
Did it involve a rabbit?
Is it the Garden of Eden? Of course, there was a whistleblower there, wasn't there? Someone told the boss guy that the apple's been pinched.
And so, yeah, so it has been going back at least 3,000 years. Exactly.
And so, yeah, so it has been going back at least 3,000 years. Exactly.
I don't think Wikipedia's got any quotes or sources for that one, but there is a story. The link is in the show notes.
It's from the Office of Public Affairs of the US Department of Justice, and it talks about a former FBI analyst who was sentenced for retaining classified documents.
So there's this FBI analyst, her name is Kendra Kingsbury, 50, of Garden City, Kansas, and she was sentenced to 46 months federal prison followed by 3 years of supervised release.
And the reason for that is, she pled guilty to 2 counts of unlawfully retaining documents related to national defense.
Bottom line was, she was an analyst for the FBI for 12 years, and she was caught taking a whole bunch of confidential documents away and taking them home, basically.
Now, she held a top-secret security clearance, so she could see confidential, secret, and top-secret documents.
All of the documents she took were classified as secret, so the middle level, but many of which include documents that describe intelligence sources and methods related to US governments, all to do with counterterrorism, counterintelligence.
Also included in numerous documents classified as secret from other government agencies— Oh boy.
—describing intelligence sources related to US government efforts to collect intelligence on terrorists.
It's from the Office of Public Affairs of the US Department of Justice, and it talks about a former FBI analyst who was sentenced for retaining classified documents.
So there's this FBI analyst, her name is Kendra Kingsbury, 50, of Garden City, Kansas, and she was sentenced to 46 months federal prison followed by 3 years of supervised release.
And the reason for that is, she pled guilty to 2 counts of unlawfully retaining documents related to national defense.
Bottom line was, she was an analyst for the FBI for 12 years, and she was caught taking a whole bunch of confidential documents away and taking them home, basically.
Now, she held a top-secret security clearance, so she could see confidential, secret, and top-secret documents.
All of the documents she took were classified as secret, so the middle level, but many of which include documents that describe intelligence sources and methods related to US governments, all to do with counterterrorism, counterintelligence.
Also included in numerous documents classified as secret from other government agencies— Oh boy.
—describing intelligence sources related to US government efforts to collect intelligence on terrorists.
Do we know why she was taking these home? Was it just for a little bit of light reading or something?
What was the point of that?
Well, the investigation—and this isn't even the crux of it—the investigation actually turned out more questions than answers, because when they analyzed and reviewed her telephone records, revealed a number of suspicious calls, including numbers associated with subjects counter-terrorism investigations.
And those individuals also made calls back to Kingsbury. So there's obviously something going on here, right?
You know, so not only did she take these documents where she wasn't supposed to, all classified at secret level, not top secret level, but there was subsequently found to be some kind of sharing of said documents and other activity.
Now that took me down another rabbit hole because as I said, she was sentenced to, what was it, 46 months.
That took me down the rabbit hole of a woman called Reality Winner, which is not the name of a TV show on Channel 5, but she was an analyst in the NSA. She was a translator there.
She released one document to the press, which was basically information about Russian interference in the 2016 election. She was arrested, obviously.
I mean, you found this stuff has been released, et cetera—not good, although you could say it's for the greater good.
She was charged with removing classified material from a government facility and made it to a news outlet.
She was denied bail and then sentenced to 63 months in prison, which if you do the sums, 5 and a half years in prison.
So for releasing one document compared to this other person, Kingsbury, who stole a whole bunch of documents, made some dodgy phone calls, sentenced to 4 months.
Well, the investigation—and this isn't even the crux of it—the investigation actually turned out more questions than answers, because when they analyzed and reviewed her telephone records, revealed a number of suspicious calls, including numbers associated with subjects counter-terrorism investigations.
And those individuals also made calls back to Kingsbury. So there's obviously something going on here, right?
You know, so not only did she take these documents where she wasn't supposed to, all classified at secret level, not top secret level, but there was subsequently found to be some kind of sharing of said documents and other activity.
Now that took me down another rabbit hole because as I said, she was sentenced to, what was it, 46 months.
That took me down the rabbit hole of a woman called Reality Winner, which is not the name of a TV show on Channel 5, but she was an analyst in the NSA. She was a translator there.
She released one document to the press, which was basically information about Russian interference in the 2016 election. She was arrested, obviously.
I mean, you found this stuff has been released, et cetera—not good, although you could say it's for the greater good.
She was charged with removing classified material from a government facility and made it to a news outlet.
She was denied bail and then sentenced to 63 months in prison, which if you do the sums, 5 and a half years in prison.
So for releasing one document compared to this other person, Kingsbury, who stole a whole bunch of documents, made some dodgy phone calls, sentenced to 4 months.
Do you remember, Thom, how Reality Winner was caught and identified?
I don't off the top of my head, and there's an awful lot of text in this Wikipedia story, so I'm not going to read it.
Well, let me tell you, because it's quite interesting. In fact, we spoke about it in a past episode of Smashing Security a few years ago—we covered this.
But what happened was, she printed out some of this sensitive information at her workplace.
And she gave those printouts to reporters at The Intercept, which was the news outlet who reported it.
But what happened was, she printed out some of this sensitive information at her workplace.
And she gave those printouts to reporters at The Intercept, which was the news outlet who reported it.
That's right, yeah.
And The Intercept, unfortunately, just scanned it in or took a photograph or something and published it up on their site rather than retyping the information. And printers—
Ah, have unique signatures.
Well, they leave this little matrix of nearly invisible yellow dots on your documents. So you can identify which printer printed out a particular document.
This is useful information, by the way, if you're planning to write a ransom note or something like that. Your printer.
This is useful information, by the way, if you're planning to write a ransom note or something like that. Your printer.
Now you know why people cut up newspapers.
So it was these yellow dots which actually led to the arrest ultimately of Reality Winner. But it's very interesting—I think not many people realize that printers do that.
Yeah, I think it's absolutely fascinating.
And so here's two cases, just two cases where we see secret documents, even a top secret document, potentially being leaked by a servant or—
And so here's two cases, just two cases where we see secret documents, even a top secret document, potentially being leaked by a servant or—
Yeah, well, yes, yeah, the only two stories you picked. Yeah, I'm sure.
I think that—I think there is a case of a man who may have taken documents, really highly sensitive information, and maybe taken them to his home in Florida.
So, and here's the thing, this is the difference. This is the difference a few million dollars in personal net worth makes.
So bottom line is we've got Donald Trump has taken boxes of material, said he's returned all of it. He absolutely hadn't, despite very clearly stating that he had.
When his Mar-a-Lago residence was raided, there was stuff found everywhere, in public places, in a ballroom and a bathroom and all that sort of stuff, top secret documents allegedly relating to nuclear secrets and stuff like that.
And not only was Donald Trump not requested to post bail, he's certainly not been arrested and is basically throwing money at the problem to try and make it go away.
So bottom line is we've got Donald Trump has taken boxes of material, said he's returned all of it. He absolutely hadn't, despite very clearly stating that he had.
When his Mar-a-Lago residence was raided, there was stuff found everywhere, in public places, in a ballroom and a bathroom and all that sort of stuff, top secret documents allegedly relating to nuclear secrets and stuff like that.
And not only was Donald Trump not requested to post bail, he's certainly not been arrested and is basically throwing money at the problem to try and make it go away.
Oh, you're so cynical. I think Donald Trump was playing three-dimensional chess here. I think he's much cleverer than everyone thought because he knew—
Donald Trump couldn't fling poo at a wall and make it stick.
He knew that this highly sensitive information definitely wasn't safe on government premises. And so he thought, I know what I'll do.
I'll store it in the highly secure loos at Mar-a-Lago.
I'll store it in the highly secure loos at Mar-a-Lago.
Yes. Put stacks of back papers in the ballroom.
So because that's the last place that people will look, because people won't expect me to have it. See, that's the genius.
People won't expect the highly sensitive information to have been left accessible to anyone.
People won't expect the highly sensitive information to have been left accessible to anyone.
Except he's been caught talking, boasting about it, you know, talking to people about the types of data he's got in his, no doubt, not exactly the most secure compound in the world.
And I just, I just find this utterly amazing how—
And I just, I just find this utterly amazing how—
This is, this is quite a tangent. A tangent?
This is the point. A tangerine, I think. Basically, if you're famous and you've got money, it's effectively one rule for us and one rule for them. We've got this charade going on.
It's not a case of if you can't do the time, do the crime. It's just more a case of if you can afford to do the crime, then crack on because nobody's going to catch you.
It's not a case of if you can't do the time, do the crime. It's just more a case of if you can afford to do the crime, then crack on because nobody's going to catch you.
Yeah, so all you ex-US presidents out there, listen up.
A few of them do listen to the podcast, actually, Carole.
I'm sure. I'm sure at least two. Anyway, rant's over.
Carole, what's your topic for us this week?
So, as you both know, and as regular listeners know, I've been on summer holiday. Ta-da-da-da-da-da. Lovely. And, you know, when you're on summer holiday, I met a number of people.
I talked to lots of people. I met a cool chick on a plane. I met a great chef.
I met an Airbnb host who thought that people staying in a non-air-conned pad would rejoice at pure, 100% pure polyester sheets. So that was really fun.
You should have seen my Yeti of a husband.
I talked to lots of people. I met a cool chick on a plane. I met a great chef.
I met an Airbnb host who thought that people staying in a non-air-conned pad would rejoice at pure, 100% pure polyester sheets. So that was really fun.
You should have seen my Yeti of a husband.
I wondered if this was just your Airbnb review that you were about to give in your section of the podcast.
Close.
After you electrocuted each other every morning.
Oh my God, we ended up sleeping with towels. All I'm saying. Anyway, loved it, loved it. Oh, and we went to this super chic hotel, okay?
Like overlooking the rolling hills of Istria, right? Like, think super poshy posh, mismatched fabrics and pop art and terrazzo floors and big, big lights, okay? Like the whole thing.
And we just were going there for just a, you know, a Coke to look at the sunset. But I'm gonna send you the art that was outside the front.
I'm gonna send it on our little text message thingy here. Okay? So take a look and maybe one of you—
Like overlooking the rolling hills of Istria, right? Like, think super poshy posh, mismatched fabrics and pop art and terrazzo floors and big, big lights, okay? Like the whole thing.
And we just were going there for just a, you know, a Coke to look at the sunset. But I'm gonna send you the art that was outside the front.
I'm gonna send it on our little text message thingy here. Okay? So take a look and maybe one of you—
Always good to have a visual on a podcast.
Yeah, excellent. Yeah, and you guys get to describe it because just zoom in and describe this.
Oh, it's my Skype password.
It looks like it's the little statues or gnomes of— is it Snow White and the six dwarfs? You got six dwarfs.
Holy crap.
The face is a bit scary.
Looks like Mike Tyson has had a go.
I had no idea until just before I went on this podcast. I had no idea why that was there. 'Cause it's super creepy. It's zombie Snow White and the Seven Dwarfs or something.
But I think it's 'cause they don't want kids there. I think it's an adult hotel, that kind of thing. It's not a family hotel. So maybe these are just to scare off the kids.
But I think it's 'cause they don't want kids there. I think it's an adult hotel, that kind of thing. It's not a family hotel. So maybe these are just to scare off the kids.
If you don't want kids, just block YouTube. Then the kids won't want to go there. That's true.
That's what you have to do.
Anyway, so I was meeting all these interesting people, and they would say, oh, what do you do? You know, and I'd be like, art, yada yada, podcast, yada yada.
And some would go and look at art and some would listen to the pods.
And one of them called me up afterwards and said, look, I've just listened to 3 episodes of Smashing Security in a row. And you guys are amazing. You're great. You're wonderful.
And some would go and look at art and some would listen to the pods.
And one of them called me up afterwards and said, look, I've just listened to 3 episodes of Smashing Security in a row. And you guys are amazing. You're great. You're wonderful.
But you're kidding me.
But she said, but you're talking about things I'm totally interested in that I want to learn about, but I can't figure out the language you're using. I don't understand it.
It's all tech speak. You know, you talked about ChatGPT or whatever, and I couldn't follow, right? And this lady is a GP. Oh, you see GP, GPT.
But you know, she's brainy, she's funny, but our stupid tech-only lingo kind of puts up this anti-learning fence.
So I am sorry to her and all the other listeners, and I'm going to try and describe it here in a way, but there's a good piece of info for you guys that know this inside out at the end.
So stay with us and you guys are going to help me. Okay. If I say something too techie, you just go, let me just describe what it is.
It's all tech speak. You know, you talked about ChatGPT or whatever, and I couldn't follow, right? And this lady is a GP. Oh, you see GP, GPT.
But you know, she's brainy, she's funny, but our stupid tech-only lingo kind of puts up this anti-learning fence.
So I am sorry to her and all the other listeners, and I'm going to try and describe it here in a way, but there's a good piece of info for you guys that know this inside out at the end.
So stay with us and you guys are going to help me. Okay. If I say something too techie, you just go, let me just describe what it is.
I was going to say that on the other award-winning podcast, Host Unknown, we talk tech a lot, but my mother listens and she says she doesn't understand a word of what's going on.
But she has liked the recent trends of having Mr. Cluley on because she really likes Graham's voice. She finds it very, very— oh, how lovely. Very warming.
But she has liked the recent trends of having Mr. Cluley on because she really likes Graham's voice. She finds it very, very— oh, how lovely. Very warming.
Have them meet in person.
Yeah, that'd just destroy everything, wouldn't it, if we met in person? But yes, I have to start calling you son. Yes, Daddy.
But it's not always about the content. Sometimes it's about the delivery.
Oh, okay. I'll do my best on that one as well. Okay. So ChatGPT, right? This is the thing that launched in November last year. So it's no wonder that lots of people don't know about it.
And so what the heck is it? Well, I thought, why not ask ChatGPT? Right? It said ChatGPT is an advanced conversational AI model developed by a company called OpenAI. What? What? AI? AI?
Sorry, what's AI? Artificial intelligence. Very good, Thom. Thank you. I didn't spot that one. I was listening. Very good.
Number 2, ChatGPT is trained on a diverse range of internet text sources to learn patterns, grammar, and context in order to generate coherent and contextually appropriate responses.
Now, apparently the dataset has at least 300 billion words in it. So diverse, I think, is a little misleading here.
I think, you know, gluts and gluts and gluts of stuff that they could find is maybe perhaps more realistic. Would you guys agree?
And so what the heck is it? Well, I thought, why not ask ChatGPT? Right? It said ChatGPT is an advanced conversational AI model developed by a company called OpenAI. What? What? AI? AI?
Sorry, what's AI? Artificial intelligence. Very good, Thom. Thank you. I didn't spot that one. I was listening. Very good.
Number 2, ChatGPT is trained on a diverse range of internet text sources to learn patterns, grammar, and context in order to generate coherent and contextually appropriate responses.
Now, apparently the dataset has at least 300 billion words in it. So diverse, I think, is a little misleading here.
I think, you know, gluts and gluts and gluts of stuff that they could find is maybe perhaps more realistic. Would you guys agree?
300 billion words. So it's just nonsense it's scooped up from the internet, isn't it? That's right.
That's right. And I think just to put that into context, isn't a million seconds is something like 21 days? Whereas a billion seconds is something like 30 years.
Okay, you work out while I continue my story, 300 billion words into seconds, and then let us know.
So basically, but the thing is, it's a tool right now available to anyone that speaks the supported languages, I guess, right? Anyone with internet access.
What you can do is go to openai.com and you will find ChatGPT there, right? It's free to use. But you have to create an account and there's nothing to learn or set up.
Basically a search box like any search engine, and you can put in a question and allons-y, right? You see what crops up.
So you could ask a question about medicine or real estate or mythical monsters or recipes or help me out, poetry.
So basically, but the thing is, it's a tool right now available to anyone that speaks the supported languages, I guess, right? Anyone with internet access.
What you can do is go to openai.com and you will find ChatGPT there, right? It's free to use. But you have to create an account and there's nothing to learn or set up.
Basically a search box like any search engine, and you can put in a question and allons-y, right? You see what crops up.
So you could ask a question about medicine or real estate or mythical monsters or recipes or help me out, poetry.
What does allons-y mean in English? That kind of thing. Yeah, you can ask it anything.
Yes, it's true. And apparently ChatGPT currently has more than 100 million users, right?
Which is why investors are tripping over themselves to get on the AI— sorry, artificial intelligence model train. Choo choo all the way to the bank.
Now, the thing is that there is a catch, right? You cannot trust the information spouted by ChatGPT to be 100% correct. Any of the time, I would say.
Which is why investors are tripping over themselves to get on the AI— sorry, artificial intelligence model train. Choo choo all the way to the bank.
Now, the thing is that there is a catch, right? You cannot trust the information spouted by ChatGPT to be 100% correct. Any of the time, I would say.
Yeah, because it lies. Yeah. But why does it lie?
Because the internet is made up of good stuff and bad stuff and gross stuff, Thom.
And so much charming. But sometimes it makes up stuff as well.
When Mark Stockley was on a few weeks ago, he was telling us about those, that law case where ChatGPT was coming up with fake past verdicts.
Fake cases and, you know, and it was persisting in claiming that these things were real and they weren't and it was just making it up.
When Mark Stockley was on a few weeks ago, he was telling us about those, that law case where ChatGPT was coming up with fake past verdicts.
Fake cases and, you know, and it was persisting in claiming that these things were real and they weren't and it was just making it up.
Oh, fake cases. That's right. Yes, yes.
So the way to think about it, it's just made up from everything it could find on the internet.
So in short, ChatGPT's mama is the internet and it gorged, okay, I'm gonna say it, at the internet mama nipple until it was ready to be unveiled to the world.
So in short, ChatGPT's mama is the internet and it gorged, okay, I'm gonna say it, at the internet mama nipple until it was ready to be unveiled to the world.
I'm sorry.
What? Like, as Graham said, there's loads of stories about how ChatGPT, you know, got it wrong or spread crazy stuff.
And you can go look at our backlog of Smashing Security episodes because we've talked about it a lot.
And the question is, is who decided to allow ChatGPT or any of these artificial intelligence models into the public world? So I thought, I'll ask ChatGPT.
And it said it was made by the organization or company responsible for the development and deployment. In this case, OpenAI and ChatGPT, the decision was made by OpenAI itself.
And the point I'm making is there's no regulatory oversight here. It's just one company going, okay, we're ready. Are we ready? Let's go.
And you can go look at our backlog of Smashing Security episodes because we've talked about it a lot.
And the question is, is who decided to allow ChatGPT or any of these artificial intelligence models into the public world? So I thought, I'll ask ChatGPT.
And it said it was made by the organization or company responsible for the development and deployment. In this case, OpenAI and ChatGPT, the decision was made by OpenAI itself.
And the point I'm making is there's no regulatory oversight here. It's just one company going, okay, we're ready. Are we ready? Let's go.
Do you think there should be then?
Yes, I think. Do you think that?
Do you not think so?
Well, I just think, I mean, You it all, yahoo-y?
The counter-argument is that you're going to prevent innovation, aren't you? And how would they define what you are allowed to do on the internet and what you're not allowed to do?
I mean, imagine how much it would constrict Thom, for starters, with what he gets up to on the internet.
I mean, imagine how much it would constrict Thom, for starters, with what he gets up to on the internet.
Exactly, and also the internet is an open resource, right? You know, if it's behind a paywall, you can't get to it. If it's supposed to be private, it's private, you can't get to it.
Everything that you can find on the internet freely is there freely, right? It could have just gone to a library.
If it had a body and fingers and eyes, it could have gone to libraries and read everything in a library, you know?
Everything that you can find on the internet freely is there freely, right? It could have just gone to a library.
If it had a body and fingers and eyes, it could have gone to libraries and read everything in a library, you know?
Maybe what I'm trying to say is instead of using ChatGPT thinking it's an omniscient god that knows everything, maybe we should treat it as a kind of teenager with mood swings and a bit of a know-it-all.
I looked at what jobs are at high risk with ChatGPT on the horizon.
I looked at what jobs are at high risk with ChatGPT on the horizon.
Podcast is number one.
No, podcast, absolutely not. Podcast is safe. Podcast is safe.
Okay, who do you think might be really affected? Journalists.
Oh, yes, I was gonna say writers.
Yeah, accountants, tax people, auditors, tree surgeons. Yes, blockchain engineers, apparently mathematicians.
Okay, we're all talking about roles actually I have no sympathy for whatsoever.
Sex workers, milkmen, they're done as well.
The jobs that are— there's Morgan, Piers Morgan— jobs that are deemed most safe include athletes, car repair people, cooks, and get this, this is my favorite, stonemasons.
Stonemasons, you guys are fine. So high five to you for, you know, having not gotten on the digital bandwagon. Well done.
The jobs that are— there's Morgan, Piers Morgan— jobs that are deemed most safe include athletes, car repair people, cooks, and get this, this is my favorite, stonemasons.
Stonemasons, you guys are fine. So high five to you for, you know, having not gotten on the digital bandwagon. Well done.
Okay, I'm gonna have to become an athlete.
There's not gonna be much call for a stonemason when the robot overlords have basically put us all in little pods to produce batteries and produce energy for them, is there?
I mean, it's not the most, you know, common of requirements. They're not gonna be creating Gothic arches for these massive cathedrals of battery power.
I mean, it's not the most, you know, common of requirements. They're not gonna be creating Gothic arches for these massive cathedrals of battery power.
Yeah, but it's kind of crazy because there's this huge race now for market domination.
Currently, I think, correct me if I'm wrong, the winner in the front is OpenAI at the moment, right? They have the lead.
But yesterday, Google's DeepMind CEO, mic drop, that his new AI algorithm, soon to be on the digital shelves, will eclipse ChatGPT. Oh, for goodness sake.
Currently, I think, correct me if I'm wrong, the winner in the front is OpenAI at the moment, right? They have the lead.
But yesterday, Google's DeepMind CEO, mic drop, that his new AI algorithm, soon to be on the digital shelves, will eclipse ChatGPT. Oh, for goodness sake.
How do they determine who has the better AI chat whatsit? Why don't they get the AI chat whatsits to evaluate each other and fight between themselves?
The chat whatsits.
Totally. Okay, two things, two things.
Okay, so if you're interested in trying out ChatGPT and you don't know what it is and you've heard people talk about it, do not go to Facebook or social media and click on a 'Try ChatGPT' ad.
No, no, no.
Okay, so Smashing Security company in Purva said that they saw some scams pretending to be access to these, you know, AI models, artificial intelligence models and the like.
So just use your web browser and go to openai.com.
And second tip, if you decide to use ChatGPT, know that your questions are logged by default and some people keep sessions going tied to your account because you need to have a user login to get in to use it now.
So to change this, once you've created an account, you can click on your username to the settings and clear all chats.
And you can also go to the data controls and disable chat history and training.
Okay, so if you're interested in trying out ChatGPT and you don't know what it is and you've heard people talk about it, do not go to Facebook or social media and click on a 'Try ChatGPT' ad.
No, no, no.
Okay, so Smashing Security company in Purva said that they saw some scams pretending to be access to these, you know, AI models, artificial intelligence models and the like.
So just use your web browser and go to openai.com.
And second tip, if you decide to use ChatGPT, know that your questions are logged by default and some people keep sessions going tied to your account because you need to have a user login to get in to use it now.
So to change this, once you've created an account, you can click on your username to the settings and clear all chats.
And you can also go to the data controls and disable chat history and training.
That's a really good point.
That's a great point, actually, Carole, because I mean, a company— some companies are blocking access to ChatGPT because it just produces garbage sometimes and low-quality content.
But the more serious point is that people are feeding in sensitive information into ChatGPT, which is then being collated and used, and maybe company sensitive, and maybe other people's personal details, all sorts of things.
Exactly.
That's a great point, actually, Carole, because I mean, a company— some companies are blocking access to ChatGPT because it just produces garbage sometimes and low-quality content.
But the more serious point is that people are feeding in sensitive information into ChatGPT, which is then being collated and used, and maybe company sensitive, and maybe other people's personal details, all sorts of things.
Exactly.
There was researchers at Group IB said they've uncovered a concerning trend involving 100,000 devices on the dark web infected with stealers holding compromised ChatGPT credentials.
And they think that's exactly the reason that people are using it and kind of feeding in sensitive information without realizing it.
And those logs are super delicious to someone who might want to try and attack the company.
So there you go, and don't use an easy-to-guess password if you're going to create a login on ChatGPT, okay? Try something that's unique and impossible to remember.
And they think that's exactly the reason that people are using it and kind of feeding in sensitive information without realizing it.
And those logs are super delicious to someone who might want to try and attack the company.
So there you go, and don't use an easy-to-guess password if you're going to create a login on ChatGPT, okay? Try something that's unique and impossible to remember.
Ask ChatGPT to create a password for you.
Yeah, ask it to create the password. So I bet it'll do really well.
It'll probably search the internet to find out the list of the top passwords, and it'll think, oh, that's number one, let me use that one. I thought it was password1. It probably is.
With an exclamation mark afterwards.
It'll probably search the internet to find out the list of the top passwords, and it'll think, oh, that's number one, let me use that one. I thought it was password1. It probably is.
With an exclamation mark afterwards.
Yes. Oh, well, of course, because you've got to add a special character, right? So, I did find out the answer to your question, Carole.
So, if we were to say one word a second and if we were then to say 300 billion words, how many years do you think that would take us to complete?
So, if we were to say one word a second and if we were then to say 300 billion words, how many years do you think that would take us to complete?
150, I'm guessing, I have no idea.
9,500. Well, you heard it here, folks.
It has a lot of crap in it.
That's a big dataset. It's going to take more than your average USB stick to store that.
It's a ChatGPT joke. No.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies Notion Lemonade and Bamboo HR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com D-R-A-T-A.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies Notion Lemonade and Bamboo HR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com D-R-A-T-A.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How?
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Our friends at Bitdefender have been busy this month adding some fab new features to their open source password manager. Management solution.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden.
Keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden.
Keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related.
My pick of the week this week is a documentary, which I have— I love a documentary, as you know. Again? Yes.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related.
My pick of the week this week is a documentary, which I have— I love a documentary, as you know. Again? Yes.
Yeah, you're just going through a list, aren't you?
I'm going through Netflix's list of documentaries. Jesus. You could just variate—
Get a little variety next week. Can we ask for a little variety?
Yeah, I've picked— What?
It's been 4 weeks in a row! No, it has not.
It has not. Yes, it has! It has not. It has. It hasn't, because last week it wasn't a documentary, was it? I don't remember. I don't remember either. But I sounded like I knew.
So, my pick of the week this week is a documentary called Speedcubers. Ooh! Which you can find on Netflix.
And it's a documentary all about people who are incredibly good at solving the Rubik's Cube. Didn't take long then, the movie. It's about 40 minutes, the documentary.
So, my pick of the week this week is a documentary called Speedcubers. Ooh! Which you can find on Netflix.
And it's a documentary all about people who are incredibly good at solving the Rubik's Cube. Didn't take long then, the movie. It's about 40 minutes, the documentary.
Great. You'd think they'd be quicker.
It focuses on two world champions, Max Park and Feliks Zemdegs, who can solve a cube in about 4 seconds. What?
Yeah. I did meet a guy who could do it in 10. And I know that's probably nowhere near super duper, but it was pretty—
That's probably the top percentile though, right? That's still shockingly good. Freaking fast.
Yeah. I was still stuck on the first row of the first side, right? 'Cause I was racing him. So—
If you go to the World Cube Championship, you will see people not only Max Park, who can complete a 3x3 cube. So the basic Rubik's Cube, he has done it.
His world record attempt is 3.13 seconds. That's his world record. Wow. One-handed, he can do it in 6 seconds, just with one hand.
His world record attempt is 3.13 seconds. That's his world record. Wow. One-handed, he can do it in 6 seconds, just with one hand.
So literally with one arm tied behind his back.
They also have championships where people are blindfolded, or people have different-sized cubes as well. And somehow they can do that as well. It's absolutely astonishing.
Anyway, it's a really touching story. Max Park is severely autistic. And doing the cube has helped enormously with his life.
And Feliks Zemdegs from Australia was the guy who Max Park looked up to, and they became great buddies, and then they began competing against each other.
But they have a genuine and lovely friendship, and you kind of think, what a lovely couple of guys. Must be nice.
So I recommend Speedcubers, Netflix documentary, all about the Rubik's Cube and the masters of the cube. I really enjoyed it.
Anyway, it's a really touching story. Max Park is severely autistic. And doing the cube has helped enormously with his life.
And Feliks Zemdegs from Australia was the guy who Max Park looked up to, and they became great buddies, and then they began competing against each other.
But they have a genuine and lovely friendship, and you kind of think, what a lovely couple of guys. Must be nice.
So I recommend Speedcubers, Netflix documentary, all about the Rubik's Cube and the masters of the cube. I really enjoyed it.
Cool. Sounds pretty cool. I might even check that one out.
Thom, what's your pick of the week?
So mine, as we've already ascertained, I do like a little bit of Lego. And I found this website called kbdcraft.store and the KBD stands for keyboard, would you believe?
Now, on kbdcraft.com, you can buy mechanical keyboards.
Now, mechanical keyboards, for those who don't know, they're the old-style IBM clacky-clacky keyboards rather than the laptop-style keyboards that we often use now.
And there is a whole subculture of building your own keyboards and customizing it, so the little microswitches underneath, have different pressures and noises and sensitivity and all that sort of stuff.
Absolutely fascinating.
Now, on kbdcraft.com, you can buy mechanical keyboards.
Now, mechanical keyboards, for those who don't know, they're the old-style IBM clacky-clacky keyboards rather than the laptop-style keyboards that we often use now.
And there is a whole subculture of building your own keyboards and customizing it, so the little microswitches underneath, have different pressures and noises and sensitivity and all that sort of stuff.
Absolutely fascinating.
I thought you were talking musical keyboard. That was literally the first place— it was the first place I went, and I was like, wow, that's so cool.
And then it's a fucking keyboard.
And then it's a fucking keyboard.
No, it's a keyboard. Keyboard. On your computer. Keyboard. Keyboard right in front of me right now.
But the unique thing about— yes, the KBDcraft website is not only do you get to customize your keyboard, as it were, you actually get to build the entire frame.
So not only do you get the base of your, you know, which you push all the little switches into, they put the keys on top and all that.
You get to build the frame out of Lego, or I should say compatible to Lego.
But the unique thing about— yes, the KBDcraft website is not only do you get to customize your keyboard, as it were, you actually get to build the entire frame.
So not only do you get the base of your, you know, which you push all the little switches into, they put the keys on top and all that.
You get to build the frame out of Lego, or I should say compatible to Lego.
Okay. Sorry. I don't know what you mean by frame. Is this what goes around the keys?
Yeah. So if you look at your average keyboard, you've got the keys and then you've got everything else around it, metal or plastic or whatever, you build that from Lego.
Okay, so it's just the case of the keyboard which is made out of Lego, not the actual keys. The keys aren't made out of Lego bits and bobs?
No, no, the keys are standard kind of, well I say standard, but they're customizable. You could, you know, change them for different types of switches.
I'm looking right now on the website. So yeah, it's like a coaster, you know, for your keyboard somehow. That's what it looks like on the—
Is that like a coaster? I think you're looking at something different to that.
Well, it's like holding— like it holds the keyboard, right? You slot a keyboard in.
Is it a tea tray? A tea tray?
A tea tray. That's what it looks like, a tea tray.
Okay, yeah, but you build the keyboard PCB into the frame itself, so it's permanently in there. Now, the advantage of this is you can customize it, different colors.
They offer white and gray. You can add things to it.
There are also instructions because their initial kit is called the ADAM, A-D-A-M, and then they've got a numeric keypad called the Kit Adams.
Took me a while to work out ADD AMS, because that's what you used to add stuff with.
They offer white and gray. You can add things to it.
There are also instructions because their initial kit is called the ADAM, A-D-A-M, and then they've got a numeric keypad called the Kit Adams.
Took me a while to work out ADD AMS, because that's what you used to add stuff with.
And you can either have them separate, or there are instructions on how you can build it, you know, snap them together, or even build a single tray for it.
They're all currently wired at the moment, USB-C, but I'm sure that, you know, Bluetooth will be coming along soon at some point.
You can— the keyboard is backlit, and you can download, you know, an open-source app that allows you to customize the keys, and the colours.
They're all currently wired at the moment, USB-C, but I'm sure that, you know, Bluetooth will be coming along soon at some point.
You can— the keyboard is backlit, and you can download, you know, an open-source app that allows you to customize the keys, and the colours.
I'm a bit disappointed, Thom. Really? I thought the keyboard itself would be made out of LEGO. If it's just the case— Oh, come on. If it's just the case. Come on.
And it's not even LEGO, is it? So the case isn't made out of LEGO. It's made out of some generic LEGO rip-off, isn't it?
And it's not even LEGO, is it? So the case isn't made out of LEGO. It's made out of some generic LEGO rip-off, isn't it?
It's LEGO, really. It's just a tiny bit of LEGO.
Yes, but which is compatible as I have found. So you can modify that case any way you see fit. It all works. It's all completely compatible.
So you're not loyal to the LEGO Corporation? Oh, I am. I don't buy any other kits. Okay.
This is the first one I've bought that isn't actually LEGO, but then again, LEGO aren't going to make a keyboard and I thought this was quite cool.
So you're not loyal to the LEGO Corporation? Oh, I am. I don't buy any other kits. Okay.
This is the first one I've bought that isn't actually LEGO, but then again, LEGO aren't going to make a keyboard and I thought this was quite cool.
So, okay. God, do you invite me on the show and poo poo my ideas? So are you using this sort of, this keyboard kit, these trays, anything? Yes, I do use it.
It's taken me a little bit of getting used to because I'm not used to proper keyboards.
It's taken me a little bit of getting used to because I'm not used to proper keyboards.
I'm used to the little chiclet style. See, I'm exactly the same, Thom. Right now, finally, we agree on something because I don't mechanical keyboards. I chiclet keyboards. Yeah.
Do you know what? I agree, actually. I think I prefer the chiclet keyboard.
But this was good fun. Why chiclet? I didn't— I've never heard that word.
Oh, the little— You know, chiclet is a sweet, right? A little square sweet. Yeah. It's the little Apple MacBook keyboard. Imagine that. Yeah, Apple style.
There's not much travel on it.
I must admit, you know, it's not my favorite go-to type-on thing, but it was really good fun to build, good fun to learn about keyboard mapping and the software behind it and the science behind it.
And it was a nice little construction project. Okay. Okay, okay.
There's not much travel on it.
I must admit, you know, it's not my favorite go-to type-on thing, but it was really good fun to build, good fun to learn about keyboard mapping and the software behind it and the science behind it.
And it was a nice little construction project. Okay. Okay, okay.
Yeah, all right. That sells it. That sells it. Okay.
Carole, what's your pick of the week?
You're going to hate it, and you're going to hate it. So, you guys can put your feet up. Sorry, but this is a podcast, an audio drama podcast.
Oh, again, again. See, I got criticism.
Listeners. Okay, I have listeners that write in going, "Carole, you give the best podcasts. You get audio dramas." Yes, you're right, I do. And you can check out past recommendations.
I heard both of them writing this week.
Graham, thank you for your documentaries. Carry on.
So this audio drama is a 10-part supernatural thriller. It's called How to Win Friends and Disappear People.
And you follow a computer scientist, you know, a nerdy who becomes obsessed with a mysterious new neighbor.
And you soon find out that the geeky narrator, Nancy, right, uncovers the neighbor's dark secret. She's a centuries-old vampire. See, how fun is that?
And Nancy becomes her familiar, and bringing the vampire into social media, you know, New York City.
And they're both pulled down this huge rabbit hole of deceit and murder and mayhem. So, it's basically, the whole story is vampire versus unhinged stalker neighbor.
What could go wrong? That is basically the premise of the series. It's funny, it's twisty, it's turny, it's a bit gross. They got great sound effects.
I don't know how they did 'em, but I'm sure a big bucket of jelly would help. Cabbages in jelly, probably. It stars Leslie Grace and Sonny Bringas.
It's How to Win Friends and Disappear People. Find it wherever you get your podcasts if you enjoy a good audio drama.
And you follow a computer scientist, you know, a nerdy who becomes obsessed with a mysterious new neighbor.
And you soon find out that the geeky narrator, Nancy, right, uncovers the neighbor's dark secret. She's a centuries-old vampire. See, how fun is that?
And Nancy becomes her familiar, and bringing the vampire into social media, you know, New York City.
And they're both pulled down this huge rabbit hole of deceit and murder and mayhem. So, it's basically, the whole story is vampire versus unhinged stalker neighbor.
What could go wrong? That is basically the premise of the series. It's funny, it's twisty, it's turny, it's a bit gross. They got great sound effects.
I don't know how they did 'em, but I'm sure a big bucket of jelly would help. Cabbages in jelly, probably. It stars Leslie Grace and Sonny Bringas.
It's How to Win Friends and Disappear People. Find it wherever you get your podcasts if you enjoy a good audio drama.
A lot of our listeners do. You're right, Carole. We do get a lot of feedback, people who love your podcast recommendations. So yes, they do.
If we can get more listeners commending my documentary suggestions, that'd be great as well. Well, that just about wraps up the show for this week.
Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
If we can get more listeners commending my documentary suggestions, that'd be great as well. Well, that just about wraps up the show for this week.
Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
So, I mean, Twitter, Mastodon, I'm Thom Langford. That's Thom with a T-H because Twitter would let me have the H. Or at hostunknown.tv or at the podcast, Host Unknown TV.
So yes, check it out.
So yes, check it out.
Terrific. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G. And we also have a Mastodon presence as well.
And don't forget to ensure you never miss another episode. You can follow Smashing Security in your favorite podcast apps, such as Apple Podcasts and Spotify.
And don't forget to ensure you never miss another episode. You can follow Smashing Security in your favorite podcast apps, such as Apple Podcasts and Spotify.
And huge thank you to this episode's sponsors, Kolide, Drata, and Bitwarden. And of course, to our wonderful Patreon community. Thanks to them all, this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 327 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 327 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye.
Ta-ta.
Graham, I went to see Florence and the Machine in the amphitheater. Oh, what?
Oh, wow.
Yeah, it was fucking unbelievable. It was just the most amazing setting during sunset as well, which I have a few pics. What was my point? I can't remember my fucking point now.
What did you say before? Seriously, I'm having a total mind fuck.
What did you say before? Seriously, I'm having a total mind fuck.
I think, I think you were just showing off. If I don't remember—
No, there was a point, so I can't remember. So whatever, who cares?
Anyway, Florence and the Machine at the amphitheater, and it was brilliant. Yes. And the previous act—
The previous act, I do remember the previous act was called The Bad Daughter. And she was very— she might be up your alley, Thom, I'm just saying.
But she was wearing, she was wearing this top that just covers her nips, right? So her whole bottom boob is out.
But she was wearing, she was wearing this top that just covers her nips, right? So her whole bottom boob is out.
Was that Thom moving the desk so he could get himself more comfortable?
Gone. Say it again, Carole. I can't.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
@thomlangford.bsky.social
@
Episode links:
- UPS discloses data breach after exposed customer info used in SMS phishing – Bleeping Computer.
- Example of UPS SMS phishing message related to Lego order – Twitter.
- Another example of a Lego-related UPS phishing message – Twitter.
- Former FBI Analyst Sentenced for Retaining Classified Documents – US Department of Justice.
- How The Intercept might have helped unmask Reality Winner to the NSA – Graham Cluley.
- Bad adverts leave people scratching their heads – MSN.
- How Cybercriminals Can Perform Virtual Kidnapping Scams Using AI Voice Cloning Tools and ChatGPT – Trend Micro.
- Which Jobs Will Be Most Impacted by ChatGPT? – Visual Capitalist.
- Unraveling an AI Scam with AI – Imperva.
- 100,000 Hacked ChatGPT Accounts Discovered on Dark Web – Hackread.
- 97+ ChatGPT Statistics & User Numbers In June 2023 (New Data) – Nerdy Nav.
- “Speed Cubers” – Netflix.
- Trailer for “Speed Cubers” – YouTube.
- KBDcraft.
- ”How to Win Friends and Disappear People” – Qcode Podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Great podcast!
Please thank Carole for the heads-up for ”How to Win Friends and Disappear People”. I love these kinds of podcasts altho when I was a youngster (in a previous millenium) we refered to them as "radio plays".