
UPS delivers some smishing advice (but have they kept something under wraps?), we ask ChatGPT to take a long hard look at itself, and we debate what the penalty should be for taking national secrets home with you.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s sole founder Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Out of an abundance of caution.
That's the best. I've not heard that one before and I've heard them all.
Please tell me there's a "we take security seriously." By an abundance of caution.
We are providing notice to individuals whose information may have been impacted. May have been impacted. Sent to all. Make sure it's BCC.
Smashing Security, Episode 328: UPS Smishing, ChatGPT 101, and Storing Secret Files, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 328. My name's Graham Cluley.
God, that's a big number, and I'm Carole Theriault.
Hello, Carole. Welcome back from your holidays.
Thank you very much.
What a delight it must have been to come back to find that Smashing Security... The one and only... Is an award winner.
Again. That's right, isn't it, Thom? Hi, Thom Langford.
Hi, Thom Langford from the Host Unknown podcast.
Of the What's-It's-Name podcast. Humiliating it was. I had to go pick up two awards and they were both for you. Do you know they got in touch with me saying, please come, please come. And I was like, I wish I could, but I'm on holiday. I can't go, but I'm sure Thom Langford will pick them up for us.
And Graham, I know, can't be asked. So Yvonne Eskenzi said, can you be around to pick up just in case? And then I double thought it and thought, that's a double bluff. She wants to make sure that I'm there so I can pick up. I had three things in the mix. Statistically, I was. Oh, dear. But no,
Couldn't believe it. Thank you once again to all of our listeners who voted us. And allowed us to win, what was it, Most Entertaining Cybersecurity Podcast and Best All-Rounder Cybersecurity Podcast or something that.
Did you have to put your waist measurements in?
Well, the Best All-Rounder. Thank you for showing up to the awards because, of course, Carole and I couldn't be asked.
No, and thank you, Eskenzi PR, for facilitating the party. It was very well done. I'm going to kick the show off, so buckle up. But before we kick off, let's thank this week's wonderful sponsors, Bitwarden, Collide and Drata. It's their support that help us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Well, it's not so much smashing security this week as smishing security. I don't think you should screw up with our name that.
Okay, and Thom, what about you? Oh, I am talking about the difference that a few million dollars in personal net worth makes in Ohio the Lord Trinity.
Okay. And I'm dumbing down ChatGPT, or am I? We'll find out. All this and much more coming up on this episode of Smashing Security.
Now, chums, you know, we talk a lot about bad news. We talk a lot about companies goofing up. And I think we actually need to praise companies sometimes when they raise awareness as to the threats which are out there. So I thought I'd do something a little bit different.
What, cheery? Sorry. What show is this? You're going to do an interesting story. Cheeky. Wow. He picks up an award and he's all spiky.
Come on, you two. Earn your award. Anyway, listen, I thought let's actually applaud a company doing something right because UPS in Canada, the delivery firm, has gone out of its way to contact customers. They sent them a letter. And I thought it's worth reading out because there's some great advice in here, which I think would be suitable for everyone who listens to the show.
Are you being facetious? I'm worried you're being facetious.
No, no. As if I would. As if that ever showed up in my school report.
Because you mentioned Canada as well, and you know it's dear to my heart.
Oh, don't worry about that. It just happens it's UPS Canada who are forward-thinking enough to send this out. So you get this letter, and it says at the top, Fighting Phishing and Smishing, an update from UPS. At UPS, we are committed to fighting fraud. We want to let you know what phishing and smishing are and what you can do to protect yourself.
I'm happy that's good. I think education is what's needed.
By the way, I've never the word smishing. That's maybe that's phishing via SMS, isn't it?
Yes, right. It's always conjured up things of you know a barefoot squishing over a tomato or something.
I just think it's making up a word. Some PR person once thought, oh, how can we make this interesting?
I think it's cute. I it much more than BEC.
BEC is rubbish, isn't it?
It's rubbish.
Spearphishing. Oh, but spearphishing. Okay. We're going off on a tangent. Spearphishing, I always thought, was a phishing email sent to someone specifically. And now it seems people are saying spearphishing when there's an attachment. Whereas I always view phishing as something.
No, no, no, it's aimed. It's aimed. The language may have evolved since You joined the cyber community, though. Maybe it has. I always think of phishing as someone clicking on a link. I don't think of it as having an attachment. So I don't know. It just feels all a little bit sort of.
Order, right? What do you mean you fall for it? So you click on the link? No, no, I don't. Drunk Amazon, right? No, I never do that. But yeah, I order stuff. And then sometimes you expect it in one package, but it dribbles in in lots of packages. Right. Right. That's normally if they throw the box. No, it's like it's coming from a different, different depot, something, something, anyway, whatever. So I never know if it's going to be three or four or five. And then if I get a text and I know something's coming, I'm like, did I get everything? Am I waiting for something? Is this one? And I just told my husband, he goes, no, fuck off. It's stupid.
You never ask yourself how they got hold of your mobile phone number to send you an SMS? Well, I, no. Because they have your address, but they don't have your mobile phone number normally, do they? I don't know. That's the sneaky thing. Is that the sneaky thing?
Okay, that's a really good tip. I think that's a good tip. Okay, let's go back to UPS's letter, because this is sharing great information. "These messages may appear legitimate by incorporating company brands, colors, or other legal disclaimers. These fraud attempts affect deliveries from many carriers," brackets and other words, not just UPS.
Yeah. Hang on, hang on a minute. Now, I'm just a CISO, so not exactly technically minded here. But I have it on pretty good authority that numbers can be spoofed. That is true, isn't it?
Yeah, they can be. So you could send an SMS message probably pretending to come from the real UPS Canada number.
From six nine eight seven, yeah.
I guess you could. Good point. Good point, Thom. Yeah, well, so far though, most of this has been quite sensible. I think it's been quite good advice and informative and easy to read.
At least if you didn't have two idiots interrupting. I've said nothing for minutes, but anyway.
UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated. As part of that effort, UPS conducted an internal review to assess whether information it received from shippers was contributing to this fraudulent conduct. In other words, is some information leaking out? And it's not us. It's some third party that we partner with, but it's not us.
Well, the next sentence, girl: "During that review, UPS discovered a method by which a person who searched for a particular package or misused a package lookup tool could obtain more information about the delivery, including a recipient's phone number." In other words, they've snuck in, and we're in about paragraph five or six now, "we might have had an issue."
Yeah, exactly. In other words, "we messed up our website." "Out of an abundance of caution."
That's the best. I've not heard that one before, and I've heard them all. Please tell me there's a "we take security seriously."
"By an abundance of caution, we are providing notice to individuals whose information may have been impacted."
May have been impacted. Sent to all. Make sure it's BCC.
I would, so if I'd got this letter, I would have started reading just thinking, oh, blah, blah. They're just telling me what phishing and smishing are.
Yeah, you wouldn't have got past the first paragraph. This is not a breach notification notice, is it? Hidden inside the longest paragraph of all is this little bit saying, you may have been impacted by this. As if criminals couldn't sink any lower, they mess with a man's Lego. Good God, I feel like I feel dirty.
You would have fallen for this, I suspect, Thom, because the one thing you want is you want your Lego arriving promptly.
Absolutely. And I have no idea what I ordered half the time.
Yeah, but don't you think, okay, there's a few typos in this, one. And two, there's this weird dollar sign at the back end of the money, like the money thing looks really odd. Yeah, $1.55.
In this example, yes, you see, you're looking at a screenshot. In this example, it's $1.55. But no one would write that.
Yeah. No, that's the, oh yeah, yeah. And there's another one for $1.63. So that would be a dead giveaway. But would it?
Yes. Would it though, Carole? Would that stop you believing?
Who's fallen for this? Who's fallen for this? Well, it would have stopped many of us. But the point is that in many cases, and we know this from all the scammers, that they sometimes seed in these deliberate mistakes to weed out the people who are going to work it out at some point. What they want to get are the people who the more gullible ones maybe don't, yeah, maybe don't quite have the same sort of cognitive abilities to see.
It's not just cognitive, it's digital ability, right? This could be your first purchase online.
Yeah, you know, well exactly, yes, yes, it's very true.
Because presumably that the scammers aren't going to all this effort to just steal $1.63. When you go to the URL, it's going to grab other personal information or charge your card more than that.
Exactly. And also they've sent out probably a couple of million of these because there's that much Lego going by.
Yes.
So well, there is to me and just saying, well, if anybody has a spare room I can use, that'd be great.
So it's not just Lego apparently, it's Apple as well and other firms apparently. So there are all, I don't know what I feel personally targeted. So there are all manner of potentially, you know, people who are falling for much more convincing delivery failure or you need to act upon this UPS message. Smishing, I hate the word smishing, campaigns are never before. What's the advice? The advice? Don't call us, we'll call you. Never trust anyone ever.
So I get a UPS, I'm waiting for one. Do I?
My first piece of advice is complain to UPS because they have disguised this piece of advice. They've hidden it as much as possible behind what looks like a generic piece of watch out for fishers and smishers.
Yeah. Does that get a shame, shame from you?
It is. That's exactly what it is.
The piece of advice I'd say is if in doubt, wait two days, your package is going to arrive anyway and then you know it's a scam. Yeah, you don't have to get your knickers in a twist right away.
Yeah, no need to rush. Thom, are you really that patient when it comes to a hot piece of Lego?
Well, I mean, you're on mute now. What are you talking about? I just didn't want him to talk about a hot piece of Lego in a dirty way.
Thom, Thom, what have you got for us this week?
So what have I got for you? I've got a little story, which is a story almost as old as time, actually, about whistleblowers. In fact, I found a Wikipedia page that lists all of the famous whistleblowers going all the way back to the 1600s, which is a rabbit hole you don't want to go down.
Did it involve a rabbit? Is it the Garden of Eden, of course? There was a whistleblower there, wasn't there? Someone told the boss guy that the apple's been pinched. And so, yeah, so it has been going back at least 3,000 years. I don't think Wikipedia's got any quotes or sources for that one. But there is a story. The link is in the show notes. It's from the Office of Public Affairs of the US Department of Justice. And it talks about a former FBI analyst who was sentenced for retaining classified documents. Do we know why she was taking these home? Was it just for a little bit of light reading or something? What was the point of that?
Well, the investigation, and this isn't even the crux of it, the investigation actually turned out more questions than answers, because when they analyzed and reviewed her telephone records, it revealed a number of suspicious calls, including numbers associated with subjects of counterterrorism investigations. And those individuals also made calls back to Kingsbury. So there's obviously something going on here. You know, so not only did she take these documents where she wasn't supposed to, all classified at secret level, not top secret level. But there was subsequently found to be some kind of sharing of said documents and other activity. That took me down another rabbit hole because, as I said, she was sentenced to, what was it, 46 months. That took me down the rabbit hole of a woman called Reality Winner, which is not the name of a TV show on Channel 5. But she was an analyst in the NSA. She was a translator there. She released one document to the press, which was basically information about Russian interference in the 2016 election. She was arrested, obviously. I mean, you know, you found this stuff has been released, etc. Although you could say it's for the greater good. She was charged with removing classified material from a government facility in mainland to a news outlet. She was denied bail and then sentenced to 63 months in prison, which if you do the sums, in prison for releasing one document, compared to this other person, Kingsbury, who stole a whole bunch of documents, made some dodgy phone calls, you know, sentenced to four years.
Do you remember, Thom, how Reality Winner was caught and identified?
I don't off the top of my head. There's an awful lot of text in this Wikipedia story, so I'm not going to worry about it.
Well, let me tell you, because it's quite interesting. In fact, we spoke about it in a past episode of Smashing Security a few years ago. But what happened was she printed out some of this sensitive information at her workplace. And she gave those printouts to reporters at The Intercept, which was the news outlet who reported it. And The Intercept, unfortunately, just scanned it in or took a photograph or something and published it up on their site rather than retyping the information. And printers have unique signatures.
Well, they leave this little matrix of nearly invisible yellow dots on your documents. So you can identify which printer printed out a particular document. This is useful information, by the way, if you're planning to write a ransom note or something like that. Now you know why people cut out newspapers. So it was these yellow dots which actually led to the arrest, ultimately, of Reality Winner. But it's very interesting. I think not many people realize that printers do that.
Yeah, I think it's absolutely fascinating. And so these two cases, just two cases where we've seen secret documents, even a top secret document, potentially being leaked or stolen. By women. Yeah. By women.
Well, yes. Yeah, the only two stories you picked.
I think there is a case of a man who may have taken documents. Really? Of a highly sensitive information nature and maybe taken them to his home in Florida. Did he? And here's the thing. This is the difference. This is the difference a few million dollars in personal net worth makes. Oh, you're so cynical. I think Donald Trump was playing three-dimensional chess here. I think he's much cleverer than everyone thought because he knew... Donald Trump couldn't fling poo at a wall and make it stick. He knew that this highly sensitive information definitely wasn't safe on government premises. And so he thought, I know what I'll do. I'll store it in the highly secure loos at Mar-a-Lago. Yes. Stacks of ballrooms. Ballrooms. Because that's the last place that people will look. Because people won't expect me to have... See, that's the genius. People won't expect the highly sensitive information to have been left accessible to anyone.
It's everything called talking, boasting about it. You know, talking to people about the types of data he's got is no doubt not exactly the most secure compound in the world. And I just find this utterly amazing how... This is quite a tangent. A tangent? This is the point.
A tangerine, I think. Basically, if you're famous and you've got money, it's effectively one rule for us and one rule for them. We've got this charade going on.
You ex-US presidents out there, listen up.
A few of them do listen to the podcast, actually, Carole. I'm sure.
I'm sure I've missed two. Anyway, rant's over.
What's your topic for us this week? So as you both know, and as regular listeners know, I've been on summer holiday. When you're on summer holiday I met a number of people, I talked to lots of people. I met a cool chick on a plane, I met a great chef, I met an Airbnb host who thought that people staying in a non-air con pad would rejoice at pure 100% polyester sheets. So that was really fun, you should have seen my yeti of a husband.
I wondered if this was just your Airbnb review that you're about to give this section of the podcast. Close. After you electrocuted each other every morning, oh my god we ended up sleeping with towels. All I'm saying, anyway loved it, loved it. And maybe one of... it's always good to have a visual on a podcast. Yeah, excellent.
Yeah, and you guys get to describe it because just zoom in. Oh, it's my favourite password.
It looks like it's little statues or gnomes. Is it Snow White and the six dwarfs? Yeah, the six dwarfs. Holy crap. The face is a bit scary. Looks like Mike Tyson has had a go.
I had no idea until just before I went on this podcast. I had no idea why that was there because it's super creepy. It's like zombie Snow White and the Seven Dwarfs or something. But I think it's because they don't want kids there. I think it's like an adult hotel, that kind of thing. Like it's not a family hotel. So maybe these are just to scare off the kids.
If you don't want kids, just block YouTube. Then the kids won't want to go there. That's true. That's what you have to do. Anyway, so I was meeting all these interesting people and they would say, oh, what do you do? You know, and I'd be like, art, yada yada, podcast, yada yada. And some would go and look at art and some would listen to the pods. And one of them called me up afterwards and said, look, I've just listened to three episodes of Smashing Security in a row. And you guys are amazing. You're great. You're wonderful. But you're kidding me. But she said, but you're talking about things I'm totally interested in that I want to learn about, but I can't figure out the language you're using. I don't understand it. It's all tech speak. You know you talked about ChatGPT or whatever and I couldn't follow, right. And this lady is a GP.
I was going to say that on the other award-winning podcast Host Unknown we talk tech a lot but my mother listens and she says she doesn't understand a word of what's going on. But she has liked the recent trends of having Mr. Cluley on because she really likes Graham's voice. Oh she finds it very, very, oh how can, oh how lovely, very warming. I see the meet in person.
Yeah, that would destroy everything, wouldn't it, if we met in person. But yes, I have to start calling you son.
Yes daddy. But it's not always about the content sometimes it's about the delivery.
Oh okay I'll do my best on that one as well. Okay, okay so ChatGPT right, this is the thing that launched in November last year. So it's no wonder that lots of people don't know about it. And so what the heck is it? Well, I thought, why not ask ChatGPT, right? It said, ChatGPT is an advanced conversational AI model developed by a company called OpenAI. Well, AI? AI? Sorry. Artificial intelligence. Very good, Thom. Thank you. I didn't spot that one. I was listening. Very good. Number two, ChatGPT is trained on a diverse range of internet text sources to learn patterns, grammar, and context in order to generate coherent and contextually appropriate responses. Now, apparently the data set has at least 300 billion words in it. So diverse, I think, is a little misleading here. I think you know, gluts and gluts and gluts of stuff that they could find is maybe perhaps more realistic. Would you guys agree?
300 billion words? So it's just nonsense. It's scooped up from the internet, isn't it? That's right. That's right.
And I think just to put that into context, a million seconds is something like 21 days, whereas a billion seconds is something like 30 years.
Okay, you work out while I continue my story 300 billion words into seconds and then let us know. So basically, but the thing is, it's a tool right now available to anyone that speaks the supported languages, I guess, right? Anyone with internet access, what you can do is go to openai.com and you will find ChatGPT there. It's free to use. But you have to create an account. And there's nothing to learn or set up. Basically a search box search engine. And you can put in a question and allons-y. You see what crops up. So you could ask a question about medicine or real estate or mythical monsters or recipes or help me out, poetry.
What does allons-y mean in English? That kind of thing. Ask it anything. Yes.
It's true. And apparently, ChatGPT currently has more than 100 million users, right? Which is why investors are tripping over themselves to get on the AI, sorry, artificial intelligence model train, choo-choo all the way to the bank. Now, the thing is that there is a catch, right? You cannot trust the information spouted by ChatGPT to be 100% correct any of the time, I would say. Yeah, because it lies. But why does it lie? Because the internet is made up of good stuff and bad stuff and gross stuff, Thom.
It's so charming. But sometimes it makes up stuff as well. When Mark Stockley was on a few weeks ago, he was telling us about that law case where ChatGPT was coming up with fake past verdicts, fake cases. And it was persisting in claiming that these things were real, and they weren't. It was just making it up.
And fake cases, that's right. Yes, yes. So the way to think about it, it's just made up from everything it could find on the internet. So in short, ChatGPT's mama is the internet. And it gorged, okay, I'm going to say it, at the internet mama nipple until it was ready to be unveiled to the world. I'm sorry. What? As Graham said, there's loads of stories about how ChatGPT, you know, got it wrong or spread crazy stuff. And you can go look at our backlog of Smashing Security episodes because we've talked about it a lot. And the question is, who decided to allow ChatGPT or any of these artificial intelligence models into the public world? So I thought, I'll ask ChatGPT. And it said it was made by the organization or company responsible for the development and deployment. In this case, OpenAI and ChatGPT, the decision was made by OpenAI itself. And the point I'm making is there's no regulatory oversight here. It's just one company going, okay, we're ready. Are we ready? Let's go. Do you think there should be then? Yes, I think. Do you not think so?
Well, I just think, I mean, the counter argument is that you're going to prevent innovation, aren't you? And how would they define what you are allowed to do on the internet and what you're not allowed to do? I mean, imagine how much it would constrict Thom, for starters, with what he gets up to on the internet. Exactly. And also the internet is an open resource, right? Maybe what I'm trying to say is instead of using ChatGPT, thinking it's an omniscient god that knows everything, maybe we should treat it as a kind of teenager with mood swings and a bit of a know-it-all. No. Podcaster? Absolutely not. Podcaster is safe. Podcaster is safe.
Who do you think might be really affected? Journalists, yes.
I was gonna say writers. Yeah, accountants, tax people, auditors. Tree surgeons. Yes, blockchain engineers, apparently. Mathematicians.
Okay, we're all talking about roles. Actually, I have no sympathy for whatsoever. Sex workers.
Milkmen. They're done as well. The jobs that are deemed... Piers Morgan. Piers Morgan. Jobs that are deemed most safe include athletes, car repair people, cooks, and get this, this is my favourite, stonemasons. Stonemasons, you guys are fine. So high five to you for, you know, having not gotten in the digital bandwagon. Well done.
Okay, I'm going to have to become an athlete.
It's not going to be much call for a stonemason when the robot overlords have basically put us all in little pods to produce batteries and produce energy for them, is it? I mean, it's not the most common of requirements. They're not going to be creating gothic arches for these massive cathedrals of battery power.
Yeah, but it's kind of crazy because there's this huge race now for market domination. Currently, I think, correct me if I'm wrong, the winner in the front is OpenAI at the moment, right? They have the lead. But yesterday, Google's DeepMind CEO, mic drop, that his new AI algorithm, soon to be on the digital shelves, will eclipse ChatGPT.
Oh, for goodness sake. How do they determine who has the better AI chat watsit? Why don't they get the AI chat watsits to evaluate each other and fight between themselves? The chat watsits.
Totally. Okay, two things, two things. So if you're interested in trying out ChatGPT and you don't know what it is and you've heard people talk about it, do not go to Facebook or social media and click on a try ChatGPT ad. No, no, no. Okay, security company Imperva said that they saw some scams pretending to be access to these AI models, artificial intelligence models and the like. So just use your web browser and go to openai.com. And second tip, if you decide to use ChatGPT, know that your questions are logged by default. And some people keep sessions going tied to your account because you need to have a user login to get in to use it now. So to change this, once you've created an account, you can click on your username to the settings and clear all chats. And you can also go to the data controls and disable chat history and training.
That's a really good point. That's a great point, actually, Carole. Some companies are blocking access to ChatGPT because it just produces garbage sometimes and low-quality content. But the more serious point is that people are feeding in sensitive information into ChatGPT, which is then being collated and used. And it may be company-sensitive, and maybe other people's personal details, all sorts of things.
Exactly. There were researchers at Group-IB who said they've uncovered a concerning trend involving 100,000 devices on the dark web infected with stealers holding compromised ChatGPT credentials. And they think that's exactly the reason that people are using it and kind of feeding in sensitive information without realizing it. And those logs are super, you know, kind of delicious to someone who might want to try and attack the company. So there you go. And don't use an easy-to-guess password if you're going to create a login on ChatGPT. Try something that's unique and impossible to remember. Ask ChatGPT to create a password for you.
Yeah, ask it to create the password. I bet it'll do really well. It'll probably search the internet to find out the list of the top passwords, and it'll think, oh, that's number one. Let me use that one. I thought it was password one. It probably is. With an exclamation mark afterwards.
Yes. Oh, well, of course, because you've got to add a special character. So I did find out the answer to your question, Carole. So if we were to say one word a second, and if we were then to say 300 billion words, how many years do you think that would take us to complete?
I'm guessing I have no idea.
Nine and a half thousand. Well, you heard it here, folks. It has a lot of crap in it. That's a big data set. It's going to take more than your average USB stick to store that. It's like a ChatGPT joke.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks including SOC 2, GDPR, HIPAA and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business. Automated controls, over 75 integrations and 24-hour monitoring keeps your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way. With over 365-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. So, listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com slash drata. That's smashingsecurity.com slash D-R-A-T-A.
Our sponsor Collide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Collide patches one of the major holes in zero-trust architecture. Device compliance. Without Collide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Collide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Collide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Collide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course, you do visit collide.com slash smashing. That's collide.com slash smashing. And thanks to Collide for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With login with device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more. Try Bitwarden for yourself at bitwarden.com slash smashing. That's bitwarden.com slash smashing.
And welcome back. And you joined us for our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something. It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. My Pick of the Week this week is not security-related. My Pick of the Week this week is a documentary, which I love a documentary, as you know.
Again? You're just going through a list, aren't you?
I'm going through Netflix's list of documentaries.
Could just get a little variety next week. Can we ask for a little variety? Cheeky. What? It's been four weeks in a row. No, it has not. Yes, it has. It has not. It has. It has not, because last week it wasn't a documentary, was it? I don't remember. Didn't take long then, the movie? It's about 40 minutes, the documentary. You'd think they'd be quicker. I did meet a guy who could do it in 10, and I know that's probably nowhere near super duper, but it was pretty...
That's probably the top percentile, though, right? That's still shockingly good.
I was still stuck on the first row of the first side, right? Because I was racing him.
If you go to the World Cube Championship, you will see people, not only like Max Park, who can complete a three by three cube. So the basic Rubik's Cube, he has done it. His world record is 3.13 seconds. That's his world record. Wow. One-handed, he can do it in six seconds, just with one. So literally with one arm tied behind his back. They also have championships where people are blindfolded or people have different sized cubes as well. And somehow they can do that as well. It's absolutely astonishing. Anyway, it's a really touching story. Max Park is severely autistic and doing the cube has helped enormously with his life. And Feliks Zemdegs from Australia was the guy who Max Park looked up to. And they became great buddies and then they began competing against each other, but they have a genuine and lovely friendship, and you kind of think what a lovely couple of guys, must be nice. So I recommend Speed Cubers, the Netflix documentary all about the Rubik's Cube and the masters of the cube. I really enjoyed it. Cool, sounds pretty cool. I might even check that one out. Thom, what's your pick of the week?
So mine, as we've already ascertained, I do like a little bit of Lego. And I found this website called kbdcraft.store, and the KBD stands for keyboard, would you believe. Now on KBDcraft you can buy mechanical keyboards. Now mechanical keyboards, for those who don't know, they're the old style IBM clacky clacky keyboards rather than the laptop style keyboards that we often use now. And there is a whole subculture of building your own keyboards and customizing them. So the little micro switches underneath have different pressures and noises and sensitivity and all that sort of stuff. Absolutely fascinating.
I thought you were talking musical keyboards. Oh, come on. That was literally the first place. It was the first place I went and I was like, wow, that's so cool. And then it's a fucking keyboard.
No, it's a keyboard keyboard, on your computer. Keyboard keyboard, right in front of me right now. But the unique thing about the KBDcraft website is not only do you get to customize your keyboard, as it were, you actually get to build the entire frame. So not only do you get the base, which you push all the little switches into and put the keys on top and all that, you get to build the frame out of Lego. Or I should say Lego-compatible bricks.
Okay, sorry. I don't know what you mean by frame. Is this what goes around the keys?
Yeah. So if you look at your average keyboard, you've got the keys and you've got everything else around it, metal or plastic or whatever, you build that from Lego.
Okay, so it's just the case of the keyboard which is made out of Lego. The keys aren't made out of Lego bits and bobs.
No, no. The keys are standard kind of, well, I say standard, but they're customizable. You could change the different types of switches.
I'm looking right now on the website. So yeah, it's like a coaster for your keyboard somehow. That's what it looks like on the... Is that right? Like a coaster? I think you're looking at something different to the... Well, it's like it holds a keyboard, right? It looks like you slot a keyboard in. Is it a tea tray? A tea tray. That's what it looks like, a tea tray. Yeah, but you build the keyboard PCB into the frame itself, so it's permanently in there. Now, the advantage to this is you can customize it, different colors. They offer white and gray. You can add things to it.
I'm a bit disappointed Thom really. I thought the keyboard itself would be made out of Lego. If it's just the case. If it's just the case. Come on. And it's not even Lego, is it? So, the case isn't made out of Lego. It's made out of some generic Lego rip-off.
It's Leggett, really. It's just a tiny bit of Lego.
Yes, but which is compatible, as I have found. So, you can modify that case any way you see fit. It all works. It's all completely
Compatible. So you're not loyal to the Lego corporation?
Oh, I am. I don't buy any other kits.
Okay. This is the first
Thing before. All right. It isn't actually Lego. But then again, Lego aren't going to make a keyboard, and I thought this was quite cool. Okay. God, do you invite me on the show and pooh-pooh my ideas? So are you
Using this keyboard kit to use anything?
Yes, I do use it. It's taken me a little bit of getting used to, because I'm not used to a proper keyboard. I'm used to the little chiclet style laptop.
I'm exactly the same, Thom. Right, now finally we agree on something because I don't like mechanical keyboards. I like chiclet keyboards.
Yeah, do you know what? I agree, actually. I think I prefer the chiclet keyboards. But this was good fun. Why chiclet? I've never heard that word. Oh, the little... You know, chiclet is a sweet, right? A little square sweet.
Yeah. It's a little Apple MacBook keyboard. Imagine that. Yeah, Apple style. Yeah, it's not much trouble. Yeah.
I must admit, you know, it's not my favorite go-to type on thing but it was really good fun to build, good fun to learn about keyboard mapping and the software behind it and the science behind it and it was a nice little construction project. Okay, okay, okay. Yeah.
All right, that sells it. That sells it. Okay.
Carole, what's your pick of the week?
You're going to hate it and you're going to hate it. So you guys can put your feet up. Sorry, but this is a podcast, an audio drama podcast. Oh, again, again. See, I get criticism. Listeners. Okay, I have listeners that write in saying, you give the best podcast recommendations, you give audio dramas. Yes, you're right, I do. And you can check out past recommendations.
I heard both of them writing this week.
Thank you for your documentaries. Carry on.
So this audio drama is a 10-part supernatural thriller. It's called How to Win Friends and Disappear People. And you follow a computer scientist, you know, a nerd who becomes obsessed with a mysterious new neighbor. And you soon find out that the geeky narrator, Nancy, right, uncovers the neighbor's dark secret. She's a centuries-old vampire. See, how fun is that? And Nancy becomes her familiar, bringing the vampire into social media, you know, New York City, and they're both pulled down this huge rabbit hole of deceit and murder and mayhem. So basically the whole story is vampire versus unhinged stalker neighbor. Okay, what could go wrong? That is basically the premise of the series. It's funny. It's twisty. It's turny. It's a bit gross. They've got great sound effects. I don't know how they did them, but I'm sure a big bucket of jelly. Cabbage and jelly. Yeah, exactly. It stars Leslie Grace and Sonia Bringas. It's How to Win Friends and Disappear People. Find it wherever you get your podcasts if you enjoy a good audio drama.
A lot of our listeners do. You're right, Carole. We do get a lot of feedback, people who love your podcast recommendations. Yes, they do. If we can get more listeners commending my documentary suggestions, that would be great as well. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
So I mean Twitter, Mastodon. I'm Thom Langford. That's Thom with a TH, because Twitter wouldn't let me have the H. Or at HostUnknown.tv, or at the podcast, HostUnknown.tv. So yes, check it out.
Terrific. And you can follow us on Twitter at SmashingSecurity. No G. Twitter and Mastodon have a G. And we also have a Mastodon presence as well. And don't forget to ensure you never miss another episode, you can follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
And a huge thank you to this episode's sponsors Kolide, Drata and Bitwarden. And of course to our wonderful Patreon community. Thanks to them all, this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 327 episodes, check out SmashingSecurity.com.
Until next time, cheerio. Bye bye. Bye. Ta-ta.
Graham, I went to see Florence + The Machine in the amphitheater. Oh, what? Oh wow. Yeah, in the Roman theater. It was fucking unbelievable. It was just the most amazing setting during sunset as well, which I have a few pics. And what was my point? I can't remember my fucking point now. What did you say before? Seriously, I'm having a total mind fuck. I think you were just showing off. If I don't remember, know there was a point I can't remember. So whatever, who cares.
No, Florence + The Machine at the amphitheater and it was brilliant.
Yes, and the previous act. The previous act, I do remember. The previous act was called The Bad Daughter and she was very... She might be up your alley, Thom. I'm just saying. But she was wearing this top that just covers her nips, right? So her whole bottom boob is out.
Okay, was that Thom moving the desk so he could get himself more comfortable? Go on.
Say it again, Carole. I can't
Hosts: Graham Cluley and Carole Theriault.
Guest: Thom Langford.
Episode links:
- UPS discloses data breach after exposed customer info used in SMS phishing – Bleeping Computer.
- Example of UPS SMS phishing message related to Lego order – Twitter.
- Another example of a Lego-related UPS phishing message – Twitter.
- Former FBI Analyst Sentenced for Retaining Classified Documents – US Department of Justice.
- How The Intercept might have helped unmask Reality Winner to the NSA – Graham Cluley.
- Bad adverts leave people scratching their heads – MSN.
- How Cybercriminals Can Perform Virtual Kidnapping Scams Using AI Voice Cloning Tools and ChatGPT – Trend Micro.
- Which Jobs Will Be Most Impacted by ChatGPT? – Visual Capitalist.
- Unraveling an AI Scam with AI – Imperva.
- 100,000 Hacked ChatGPT Accounts Discovered on Dark Web – Hackread.
- 97+ ChatGPT Statistics & User Numbers In June 2023 (New Data) – Nerdy Nav.
- “Speed Cubers” – Netflix.
- Trailer for “Speed Cubers” – YouTube.
- KBDcraft.
- "How to Win Friends and Disappear People" – Qcode Podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Great podcast!
Please thank Carole for the heads-up for "How to Win Friends and Disappear People". I love these kinds of podcasts, although when I was a youngster (in a previous millennium) we referred to them as "radio plays".