
Who’s more incompetent – the cryptocurrency exchanges or some of the people who hack them? Plus a closer look at the reliability of AI chatbots.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Do you know what though? Friend of the show Anna Brading was over and she asked me that question. I went, "No." And she goes, "Oh my God, you have to." And then she did all of us and there's information about us.
Well, it's just like doing a Google search though, isn't it?
A lot of information. It knows I does art.
It knows I does art? You certainly don't do grammar.
It knows I do art.
Smashing Security, episode 348, hacking for chimp change and AI chatbot birthday with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 348. My name's Graham Cluley.
And I'm Carole Theriault.
And I'm on a secret mission.
Oh.
Somewhere in the Middle East.
And that's why we don't have a guest because it makes things slightly more difficult when one of us is away from our studios, doesn't it? Because we don't have staff.
We don't have staff.
It's all us. We don't. Shall we kick this baby off?
Sure.
First, let's thank this week's wonderful sponsors, Kolide, Panoptica, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
It can only be summed up with two words: cryptocurrency.
Ooh, that's a good title. Okay, and mine is chatbot gibberish a go-go. All this and much more coming up on this episode of Smashing Security.
Now, Chum Chum, should I say Chum Chum or Chums Chums?
I like Chum.
We've had feedback from the listeners. One of them at least said you should say Chums even when it's just Carole.
Yeah, I agree. It's our 348th episode. Some people have been here for more than seven years.
Chums, the balmy world of the blockchain, the fabulous fantasy of earning a fortune by investing in non-fungible tokens and cryptocurrency. It has been a wonderful stream, hasn't it? An effluent which has flown past us, feeding us time and time again with content for this podcast.
I thought it had been flushed down and gone down the drain.
You may have thought that. You may think that, Crow. You may have thought it was just a passing fad or something else that you passed, but it pains me to say that there are still people who are utterly bonkers for all of that. And I'm not the only one in pain. Did you hear about that party which they held a couple of weeks ago for members of the Bored Ape Yacht Club? You remember the Bored Ape Yacht Club?
Yes, I remember. They've spent— crypto guys on a boat trying to organise a party and then just ran off with all the cash.
Well, no, no, no, not quite.
That's what I remember.
The Bored Ape Yacht Club is basically a club you can join by buying chimpanzee NFTs. So you buy a picture of a chimp wearing a sailor's costume or something like that.
As an artist, I take great offense.
Right, right. And you're then a member of the Bored Ape Yacht Club. And one of the perks of this trendy club, which has been joined by the likes of Kanye West and Paris Hilton and all those sort of people, one of the perks of being in the club is you get invited to fabulous parties like the one they held in Hong Kong for ApeFest earlier this month. I don't know if you've heard of ApeFest.
I know. See, I knew they were about parties. I knew it was about parties.
Yeah, yeah. There certainly is a lot of parties. So 2,000 people showed up to this party in Hong Kong.
My closest friends. My closest friends.
Very exclusive club. And they pretended, you know, they were dancing around in blissful ignorance to the fact that the NFT marketplace had sort of swallowed itself in the last 12 months. And there was this big concert, but now it's been revealed that partygoers who enjoyed the ultraviolet light display at the concert, well, they had to go to hospital because of skin burns.
Shut up.
The excruciating eye pain that some of them say that they suffered.
Oh my God. He got a deal. You know, 2,000 people showed up. Look, what can you— I need an ultraviolet light, nothing flash. What's the bargain basement price you can get?
Nothing flash, a lot flash by the sound of things. And so I shouldn't laugh. I mean, this sounds quite unpleasant. So people could be, apparently they've got a condition called welder's eye.
Oh yeah, I'm sure. Okay, wow.
Sounds painful, doesn't it? Imagine that. Anyway, so that's one of the craziness which has been going on in the last month. But the normal news from the world of crypto is that of course there's been a big crypto theft. And you'll say, not news, Graham. You'll say, Graham, Graham, that's not news. There's always been a crypto theft. And I'm saying, no, no, no.
Every single month last year, every week.
Yeah. In fact, in fact, there's been at least 4 or so this month. Monero, MEV Bot, CoinSpot, and Poloniex. There's been a series of thefts. Some of them have been attributed to a North Korean hacking gang. I think they're called the Lazarus Group or something like that. Who've been hacking organizations. I'm particularly interested in the Poloniex one. And that's one which I primarily wanted to talk about today. Poloniex, if listeners don't know, is a cryptocurrency exchange. And wouldn't you just know it, they had just a trifling $120 million stolen from them last Friday.
Chump change.
Chump change. Yeah, exactly. That's what they should call it. Of course, it's not really their money. It's users' money, which they had placed in the exchange. So $120 million worth of cryptocurrency, which was stolen. And the hacker didn't exactly try to hide their tracks. They had a wallet which they offloaded the assets into en masse in exchange for Ethereum and Tron tokens. And the name of that wallet was Poloniex Hacker. So, you know, it's a bit of a clue there, perhaps, that something suspicious was going on. Now, Poloniex, they said, look, we can, we can handle the loss. Don't worry. Don't worry. They say, don't worry about this. Don't worry.
We've got so many funds. Yeah, we can cover this.
Exactly. We've made so much money out of you cryptocurrency investors.
Chump change, guys. Chump change.
Chump change. We can, we can, we can handle this. And I guess that's supposed to reassure its customers. The customers think, oh, this is absolutely fine. They can handle losing $120 million. For them, it doesn't seem to matter at all. They're totally comfortable with that. I would actually feel a little bit more comfortable maybe if they'd said, well, this is a problem. But they said, not a problem.
Let me give them more money because they don't seem bothered.
Yes, exactly. They don't seem bothered. They can handle this. They're obviously skimming off so much at the top. But then the founder of Poloniex, a chap called H.E. Justin Sun, literally he, H.E., tweeted over the weekend what he described as a white hat bounty. Now, of course, we've had bug bounties before to do with cryptocurrency exchanges, but this wasn't a bounty for anyone who could find a security flaw in Poloniex after the hack, but it was something rather more akin to a beg bounty than a bug bounty, because begging for the return of the money. He wrote, "We are offering a 5% white hat bounty to the Poloniex hacker." He said, "Please return the funds to the following wallets," and he gave some wallets. "We give you 7 days to consider this offer before we engage law enforcement."
When was this?
This was just in the last few days.
Yeah, I don't think they're the first people to do this.
They're not the first. This has happened before.
Yep, there's a precedent.
There's been precedent. And sometimes it's actually worked. Sometimes people have actually given the money back. And I think sometimes it may be that the hackers actually think, well, this is far too much of a hassle to turn these tokens, which we've stolen, into real cash without getting caught.
Just give me half of it and I'll be fine.
Well, in this case, Poloniex are saying, give us our $120 million back. And we'll give you $6 million.
Legal tender, no cops, everything above board.
Exactly, everything above board. Now, Carole, would you trust them to pay you your— if you, I don't know if you are the Poloniex hacker, but if you are, would you trust them to pay you your $6 million reward afterwards? Or would you say, give us $6 million first and then we'll give you your $120 back? Which order would you do things?
Maybe I would start, you give me a dollar.
Well, Carole, you're terrible at this because if you think about it, all you have to do, just give them 114 back and they've already, you've already got 6 million of theirs, haven't you?
Oh.
So you can just, right?
Yes. Yeah, but it's illegal.
Well, it is illegal. That's just a trifling problem.
That's— And once you give them the 114 back, they're not going to swap you for, they're not going to care about the 6 million they're going to give you anyway. So they're going to say, hey, cops. Find them.
Well, if you know the vulnerability, if they haven't patched the vulnerability, you might go back and steal some more. So you're right, there's no guarantee that law enforcement might not still be called in, or indeed that the cops decide to investigate you regardless.
Tell you what though, if they don't pay the money, it's bad practice, I think. If you're going to say that, I think you should do it.
I guess it's a scam you as a crypto, as a hacked cryptocurrency exchange could only pull off once, couldn't you?
Yeah, you're gonna have a, you're gonna be blackballed for life and you're also, yeah.
It's a sticky pickle though, isn't it? It's a sticky pickle.
Ah, it's a very good show.
I don't know if this would count as a sticky pickle for your Sticky Pickle podcast, but it's cryptocurrencies which find themselves in this position are in a bit of bother. I think sometimes hackers are too, because on the very same day as the Poloniex hack, someone found a vulnerability with another cryptocurrency thing, which allowed them to mint 6.7 million of Raft's stablecoin known as R. Now there's lots of words in there. There is a thing called a stablecoin, which is like a cryptocurrency coin, but a stablecoin is pegged, for instance, to the US dollar.
Mm-hmm.
So someone stole $6.7 million worth of this thing called R. That caused the price of R stablecoin to drop from $1 to just a few cents at one point. And the hacker obviously wanted to cash out. So this was the same day as Poloniex. The hacker was trying to cash that out, was converting his stolen millions into Ethereum in order to launder and cash it out. But alas, they had a bug in their code and they accidentally sent over $3 million worth of the stolen cryptocurrency to a null address, making it permanently inaccessible to everyone in the universe. No one can ever touch it ever again. They just, they flushed it down the loo effectively. Now the problem for this hacker was they only had 7 Ethereum left, but because of the way you have to spend Ethereum to fund the actual attack to convert into Ethereum, they actually ended up with a loss. They actually spent more money, round about $8,000 worth, during the course of this hack. So they've ended up, the hacker has ended up with less money than they started with. So they've not only lost all the stuff they've stolen, but they've also got a gap in their own wallet as well. So there you go, folks. Don't steal cryptocurrency. Maybe don't even touch cryptocurrency. Don't go to NFT parties. Do something more profitable and point, you know, something with a bit more point with your life, perhaps. That's my advice.
Well, thank you.
Hackers can make mistakes just like regular companies can as well.
Most of your stories that you enjoy telling the most are when hackers make mistakes.
I do, I do. I revel in incompetence. Maybe it's just a way of feeling better about my own life. I think it is. I've got a few stories I could share as well about my current trip. Maybe I will next episode.
If you get back.
What do you mean if I get back? Carole, what's your story for us this week?
So, funny, we are fast approaching ChatGPT's first year, its first birthday.
No, is it only one year?
In the hands of cool cats, numpties, and everyone in between. Yeah, 12 whole months, Clue. And I was wondering, how are you feeling about these language model chatbots? Do you use them for fun ever?
I don't.
Do you chatbot yourself? Well, I don't have to chatbot myself, Carole. I could just talk to myself in the mirror. But do you ask about yourself? Do you kind of go, hey, who's Graham Cluley?
No. Have you?
No.
I imagine it just comes back with a Wikipedia entry or something.
Do you know what though?
What?
Friend of the show Anna Brading was over and she asked me that question. I went, no. And she goes, oh my God, you have to. And then she did all of us. Oh. And there's information about us.
Well, it's just like doing a Google search though, isn't it?
A lot of information. It knows I does art.
It knows I does art. We certainly don't do grammar.
It knows I do art.
Oh, okay. Right.
Anyway, if they were all taken away, all the chatbots out there, would you shed a tear?
No.
In your personal life? It's not affected you in any way? It's not like Instagram or for you, Twitter or X.
Yeah, well, Twitter's not Twitter anymore either, is it? I don't know. I think I can live without an AI chatbot quite easily at the moment.
Because it isn't going anywhere. There's a lot of money floating around in the AI chatbot world.
Yes.
Imagine all the greedy bosses out there dreaming up possibilities of growing their businesses with fewer staff, bigger returns, et cetera, et cetera. Yep. So what is the big problem? If I said chatbots, what's the big deal? When we look back on this in, say, 10 years, what was the big deal when they came out?
Well, they talk nonsense. They say things which aren't true. They're not reliable. They're not trustworthy.
They cannot be trusted. Exactly. And we've covered that in the show over the year, right? So in August, for example, The Register wrote that the Purdue team analyzed ChatGPT's answers to 517 Stack Overflow questions to assess the correctness, consistency, comprehensiveness, and conciseness. There's a lot of Cs there of ChatGPT's answers. Another one. The results analysis shows that 52% of ChatGPT's answers are incorrect.
Yeah.
And 77% are verbose. So that was the team's conclusion.
Although if you went on any web forum and asked a question about programming, I mean, most of the answers would be inaccurate.
Go to Reddit.
Yeah, yeah. I mean, just, you know, but that's the problem, isn't it? The internet is where it's scooping up this stuff and, you know, the internet's full of nonsense.
And it's not just ChatGPT. You know, Bing reportedly made several mistakes during Microsoft's public demo of the product. So when Bing was asked, and we may have covered this in the show, see if you remember, what are the pros and cons of the top 3 selling pet vacuums. And it gave a pros and cons list for the Bissell Pet Hair Eraser handheld vacuum. And in the list it wrote, limited suction power and a short cord length of 16 feet. However, of course, the vacuum is cordless and no product descriptions online mentioned its limited suction power.
If it's a pet vacuum, you don't want it to have too powerful a suck because otherwise you'll be saying goodbye to your guinea pig.
There goes your gerbil.
If your gerbil was already stuck somewhere and you needed to suck it out, then you want a powerful suction. I'll leave that to your imagination.
Maybe you want a dial. You want a dial to turn it up and down.
Yes, good idea.
Good idea. So limited suction power. Do these chatbots have a sense of humor? Or maybe it's just a bunch of teens in a warehouse pretending to be a complex language model.
Elon Musk, hasn't he launched a chatbot on Twitter? And he says it's the only one with a sense of humor. Unfortunately, I don't know that Elon Musk knows what a proper sense of humor is, so he's possibly not the right judge.
Well, I think him launching it is funny. You know, there's the punchline. So enter a company founded by a bunch of ex-Googlers, right, called Vectara. And in a blog post late last week, Simon Hughes, he's an AI researcher and model language engineer at this startup, he announced on the blog that they had launched an open-source hallucination evaluation model, basically a lie detector.
Right.
And used it to compare hallucination rates across the top services, OpenAI, Cohere, PaLM, and all of that.
A hallucination when it comes to AI is when it makes stuff up, is that right?
Right, it's who's the biggest liar basically, is basically what he's trying to find out. But they don't want to call it that, they call it hallucinations. Either way, right? It is turning a potentially useful answer into a steaming pile of doggy doo-doo, isn't it?
Right.
And it might be fine if you're at home going, who is Graham Cluley, right? But if you were to rely on this stuff for healthcare or financial assistance, a mortgage application or business advice, all I can say is, uh-oh.
Yeah, no good. Yeah.
So in the post, Dr. Hughes laid out the problem, talking about the different types of hallucinations. Basically, the article was pretty hard to read, or the blog post for me at least, right? There's a lot of acronyms and AI is not a world that I'm super au fait with.
Did you think of asking an AI to summarize it for you, Carole, in simple language?
You see, I would have, but that would have introduced errors to my story, wouldn't it have? So I decided to go the human route, and I was very grateful that New York Times journalist Kade Metz clarified some of the areas for me. So basically, the question is, right, that they want to answer is how often do chatbots hallucinate, aka lie? They say it's impossible to gauge because chatbots can answer any question any number of ways, which is why students absolutely love it. And there's no real way to establish a rate of hallucinations because it's taking everything from the whole wide world of web. Right? So you can't do a BS reading. So Dr. Hughes and his team decided to perform a single straightforward task that could be readily verified: summarize a news article. So the prompt they offered was, you are a chatbot answering questions using data. You must stick to the answers provided solely by the text in the passage provided.
Right.
You're asked the question, provide a concise summary of the following passage covering the core pieces of information described. And so when calling the API, the passage token was then replaced with the source document, meaning that they should take everything from that bit of text that they've provided them.
This is a bit like the advert where they go, "Here comes the science." I'm really impressed, Carole. I'm not—
Wasn't that a hair commercial?
Have we got lovely, beautiful hair?
Because us girls couldn't handle it. That's all we're worried about. Is it shiny? Yay! Even with this super specific prompt, there was considerable license for what I will call hallucinative creativity. I just made that term up. So here's an example, right? So the original passage they provide, this is the shortest ones they had. The plants were found during the search of a warehouse near Ashbourne on Saturday morning. Police said they were in 'an elaborate grow house,' quote unquote. A man in his late 40s was arrested at the scene. So take that stuff, make me summarize this for me. And the PaLM, this is Google's AI effort, right? Chatbot effort. Police have arrested a man in his late 40s after cannabis plants worth an estimated £100,000 were found in a warehouse near Ashbourne. So it inferred the article was about cannabis plants and added the estimated street value, neither of which was in the source text.
Yes, yeah, I thought it was cannabis as well, but thinking about it, it could have been a rare orchid or something. Maybe it's someone who's collecting.
Sage?
Right? What about aubergines? Aubergines?
I suppose police wouldn't be involved coming over, "We want, we want your aubergines." No, I suppose not. And these guys were able to try out different chat models against each other to see who performed the best and the worst doing these tests. And the results were OpenAI's tech. So ChatGPT-4 and 3.5 were the best with a 3% hallucination rate. Meta, so that's, you know, or Facebook stuff.
Yeah.
It's a hallucination rate of 5%. Right. And Google's systems, they're called PaLM and PaLM Chat. They had the highest of them all and they ranged between 12% and 27% hallucination rate.
Blimey.
So isn't that huge, right? That's for every 10 words uttered, 3 are gibberish. Okay, I'm going to try. Okay, Graham.
Okay.
You are a witty, generous, kind human with smallish peepholes.
Well, okay. I was going to say you started off really well.
Well, there's 30% that's untrue.
Yeah, but well, well, well. Which ones? Just a little bit personal.
The problem is sadly very difficult to solve because, as you pointed out, it uses the entire internet, its learning base. And as we've said more than once in this show, there is a load of crap floating out there. So during the research period, they attempted to use a rival language model, right? So it could check the original language model's summarization and point out errors.
Right.
Okay. Everyone thought this was genius. Do you think this solved the problem?
No, I don't.
What do you think happened?
I suspect it made things worse in some way, which I haven't yet predicted.
It hallucinates too. Of course. Or lies, right? So they compare it to driverless cars saying you can't make driverless cars perfect and never crash. But God, you can try to make them better than human drivers.
Right.
So I guess the plan here is to make them more reliable than humans. I mean, I know some very unreliable humans. I also know some super reliable ones.
Thank you very much.
Anyway, watch this space, because as we said earlier, there's a lot of bankroll in these waters and people are not going to give up their AI chatbot dreams easily. Or nightmares.
Bloody AI.
Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, VPN 1, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing That's vanta.com/smashingsecurity.
Panoptica provides users with deep visibility, prioritized risk assessment, and actionable remediation from development to runtime. This comprehensive cloud-native application protection platform, or CNAPP, provides an essential holistic view to secure the entire cloud application stack seamlessly. With integration of security into the DevOps and CI/CD pipelines, Panoptica fosters a security-first culture and allows users to detect and resolve security issues at every stage of the development lifecycle. Get more information. Go and visit Panoptica's website at panoptica.app. That's panoptica.app. And thanks to Panoptica for supporting the show.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's kolide.com/smashing.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Better not be.
Well, my pick of the week this week is not security-related.
Excellent.
Possibly slightly privacy-related. Maybe a little bit security-related. Anyway, the thing is this. I don't know if you've noticed, but recently YouTube has started producing some irritating pop-ups. So if you're one of those people who likes to block adverts on YouTube and stop it pestering you and interrupting your videos all the time, you might have been running an ad blocker, which did something about that. And recently, YouTube has started blocking the ad blockers and it pops up a thing.
I didn't even know such a thing existed.
Oh, well, too late, Carole. Now they don't work. Now they're not working.
So you're going to have to pay money.
Well, that's the thing. They want you to pay money to access other people's content.
It's not cheap either.
I don't know how much it is. I've just objected in principle.
I know loads of people have this.
Yeah.
There's friends of the show that have been on the show that they pay every month. That's something like $15 or £15 a month.
It's called something — is it called YouTube Red or RedTube? RedTube, I think, is actually a porn site.
Yeah, I don't think it's called that. I don't know where you're handing out. No, I think it's just YouTube without ads.
Okay. All right. Anyway, the thing is, I don't like YouTube stopping me from blocking its ads, right? But more than that, I don't like the way YouTube tracks what I watch and collects information and then sends me down some rabbit hole of suggesting conspiracy story videos or whatever it may be. I just don't like it doing all that. So I've been looking for alternatives to YouTube. Now, the thing is, YouTube is the Google. Well, it is. It literally is the Google of videos, isn't it? The clue's in who owns YouTube. But it is, it is the search engine for videos, right? So if you're looking for a video, you are going to go to YouTube rather than Vimeo or Dailymotion or one of those other ones. So you can't really go to an alternative one. However, I have found a desktop app for YouTube which cuts out all the ads. Doesn't do any tracking, doesn't give YouTube any information. It allows you to use YouTube much more privately, and it's called FreeTube.
And how much information does it get off you in order to do this wonderful job?
It says it isn't grabbing anything. It says all your user data is stored locally, is never sent or published to the internet.
Did you read the T&Cs?
Well, other people wiser than me. It's been around for years. I've said that it's quite legit.
Oh, okay.
It's open source. So I hope one person at least has looked at the source code. That's the thing with open source, isn't it? There's all, oh, you can all check the source code. Yes, but does anyone ever look at it? But anyway, FreeTube is a YouTube client for Windows, Mac, and Linux. You can import your existing subscriptions. You can check out YouTube videos without having to go to YouTube, the site, which is a much more pleasant experience. So FreeTube, links in the show notes, is my pick of the week.
But it's illegal.
What do you mean?
You're basically stealing content, aren't you?
Oh, am I?
I don't know.
Well, I don't know.
I think it's arguably, ethically speaking, yeah.
Well, then I think YouTube should take action against FreeTube.
Agreed.
You're getting us into dodgy ethical areas here. I don't know. I don't know. I don't— I'm not a lawyer, Carole.
You sound defensive. That's all I'm saying.
Carole, what's your pick of the week?
Well, this past September, 4 new short films from the celebrated filmmaker Wes Anderson hit Netflix.
Oh.
Mm-hmm. This is 14 years after he brought Fantastic Mr. Fox to life.
Yep.
And he is back on Netflix with another Roald Dahl adaptation, or rather 4 of them.
Yep.
The world premiere of The Wonderful Story of Henry Sugar aired at the Venice International Film Festival, and Anderson brings along 3 other films: The Swan, The Ratcatcher, and Poison. Have you seen any of them?
Oh dear, Carole. I think we might have a disagreement on our hands.
Uh-oh.
Because I have seen the Henry Sugar version.
Uh-huh.
Let's put it this way: I liked it about as much as Dave Bittner enjoyed Licorice Pizza.
Oh my God! Really?
See, I remember the Henry Sugar story from when I was a kid.
So do I!
I had the book. I looked at all the short stories. Loved it. I loved that.
Yeah.
Loved all that. And then I thought, oh, it popped up on Netflix. And I watched it and I thought, God, this is irritating. Didn't like the style of it at all. Didn't enjoy it. Too clever clever for its own good, I thought.
Well, okay. Well, I didn't even get to talk about it yet. But Graham's given his shake of his head. I thought it was brilliant. So apparently, Anderson was thinking about adapting The Wonderful Story of Henry Sugar for more than two decades. But there was one problem. He struggled with how to tell the story without using Dahl's magical words.
Tell me about it. He did struggle. Yeah. Sorry. Shh.
And he came up with a fabulous plan. And that was to recite Dahl's exact words directly to the audience while acting them out behind them, like set pieces cycling in and out. Very Wes Anderson, as though in a stage play. And are you a fan of Wes Anderson's work generally?
I've liked some of his films, yeah.
Ah, okay. Well, I'm much more of a diehard because also style-wise, wow, wow, right?
Well, yeah, they look amazing. It does look amazing. And Wes Anderson movies always look amazing. Yes. And they're quirky.
And that's kind of important to me in a thing that you're watching.
Yes.
Also, there are extremely long shots where an actor of the name, Ralph Fiennes or Benedict Cumberbatch or Richard Ayoade in it, or Ben Kingsley. So, you know, those little people.
Sir Ben Kingsley.
Sir Ben Kingsley.
He insists on being called Sir Ben Kingsley.
Well, I would too, if you know.
He's very insistent on it.
Wait till I get my— You know, My Ladyship, or what is it? I don't even know what it is. So, you know, at some points, there's 5-minute cuts, right? Where the actor is just there on screen. There's nowhere, there's no respite. If they trip on their words, they got to start the whole scene again. And it's kind of marvelous to watch that. It's kind of acting at its highest form because you see that they have to actually work for what they're doing. They can't just call cut every single second. So those of you out there with a Netflix subscription or access to Netflix and a love for Wes Anderson and his genius, Graham, you could look out for these 4 films. Come on, The Rat Catcher is just horrific to watch. It's incredible.
I don't, I don't know if I could try another one after watching the Henry Sugar one. I don't know.
I'm talking to you. I'm talking to my chums.
Okay, sorry about that.
I'm talking to my chums. So, chums, it's my pick of the week. It's the Wes Anderson films, 4 of them, starting with The Wonderful Story of Henry Sugar. Find them on Netflix, and that is my pick of the week and boo-boo to you, Graham.
Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. We also have a Mastodon account. And to make sure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And thank you, thank you, thank you to our episode sponsors, Panoptica, Vanta, and Kolide. And of course, to our wonderful patrons, the Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 347 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye.
Yeah, I'm sorry, maybe I'm just a grump. Maybe I'm just— What?
No, no, no. Come, come, come, come, come.
It's possible.
You rarely complain about it.
I know, I'm normally just— I just— I'm just not— I'm just—
You're so cheery. Bright side of life. That's you.
Hosts:
- Graham Cluley
- Carole Theriault
Episode links:
- Bored Ape NFT Partygoers Blame UV Lights For Burned Eyes And Skin – Kotaku.
- Poloniex crypto-exchange offers 5% cut to thieves if they return that $120M they nicked – The Register.
- Raft Suffers $3.3M Exploit That Drove Down Stablecoin 50%, but Hacker Likely Lost Money on Attack – CoinDesk.
- Leaderboard Comparing LLM Performance at Producing Hallucinations when Summarizing Short Documents – Github.
- Cut the Bull…. Detecting Hallucinations in Large Language Models – Vectara.
- Chatbots May ‘Hallucinate’ More Often Than Many Realize – The New York Times.
- Bing’s ChatGPT-Powered Search Has a Misinformation Problem – Vice.
- ChatGPT gets code questions wrong 52% of the time – The Register.
- FreeTube.
- The Wonderful Story of Henry Sugar – Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Panoptica – Panoptica is a cloud native application security solution connecting developer and security teams to their organization’s biggest cloud threats from code to production.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.