Your smartphone may be toast – if you use a hacked wireless charger, we take a closer look at the latest developments in the unfolding LockBit ransomware drama, and Carole dips her toe into online AI romance apps.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.
Really?
Yeah.
Microwaves? Are these killer bees with laser guns?
No.
Smashing Security, episode 361: Wireless Charging Whoa! AI Romance Apps. And ransomware revisited with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 361. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 361. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, this week we're joined by a returning guest, someone who's been on the show many times before. Let our gorgeous listeners know who it is.
This week we are joined by Paul Ducklin.
Hello, everybody.
Hello, Duck.
Welcome, Duck.
Thank you so much. Thanks for having me. I am looking forward to it. You never quite know what Graham's going to say, but you know he's going to say something.
Yep. Now we have an action-packed show, so I suggest we get going. So let's first thank this week's wonderful sponsors: Collide, BlackBerry, and Vanta.
It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Well, if you think you're bready, I'm gonna be talking about toasting things.
I have no idea what that means.
I think— oh, I've just worked it out. I think it's what passes for a pun.
Okay, not getting it still. What about you, Duck?
I'm going to look at what happened since you talked about LockBit last week, and the issue of decryptors. Is it worth it? Can it help? Does it work? Should we strive for it?
Great. And I will be tiptoeing into a potentially brand new AI dating frontier. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, we all get up in the mornings if we're lucky. Hopefully. You get up, you wake up, you have some breakfast. Big fan of toast, me.
I don't know what your peculiar choice of— Well, what do you slather on your toast? Anything in particular?
I don't know what your peculiar choice of— Well, what do you slather on your toast? Anything in particular?
Oh, I like a bit of marmalade.
Marmalade?
Marmalade is just jam under another name, isn't it?
Yeah, but it's delicious.
I like shredless marmalade, which I always used to think marmalade had those bits in it. But when I discovered you can have marmalade without the bits, I was much, much happier.
I'm a big fan of Marmite. Marmite's pretty good. No, it's pretty good.
I'm a big fan of Marmite. Marmite's pretty good. No, it's pretty good.
Peanut butter?
Certainly not. So I've sorted out my toast. Then I pick up my phone.
Yeah, don't confuse them. If you slap your marmalade against your ear, you're going to be in trouble, aren't you?
Also, if you put your phone in the toaster, that's no good either. It could fry all the electronics. So either of you have wireless chargers?
Maybe at your home, in your car, anything like that? Nope. Oh, I do.
Maybe at your home, in your car, anything like that? Nope. Oh, I do.
My car's 12 years old and no, none in the house.
Well—
Oh, Graham set us up and we've dropped him in it. Do you have wireless chargers? Nope. Do you go on?
Well, it's quite a handy thing, I think, because—
You're often several metres away from a powerpoint.
Well, no, let me explain why. Let me explain what my issue is, Duck, with wired charging.
I mean, in some ways it's great because you can find your phone under the rubble on your desk, right?
All the detritus which is there, you can just follow the lead and eventually find your phone. That's why I don't have wireless earphones, for instance.
I'd just be losing my earphones all the time. So I like them being on a wire.
However, with a phone, you've got that little twiddly, little irritating little, ugh, it's a Lightning cable or something, or USB, you know, and it's quite often the bit which goes wrong because the wire gets bent or the connection gets a bit flaky and all the rest of it.
So I quite like the idea of wirelessly charging my phone, particularly overnight, because I don't have to remember to plug it in.
I just dump it there and it's fantastic and it's happy.
I mean, in some ways it's great because you can find your phone under the rubble on your desk, right?
All the detritus which is there, you can just follow the lead and eventually find your phone. That's why I don't have wireless earphones, for instance.
I'd just be losing my earphones all the time. So I like them being on a wire.
However, with a phone, you've got that little twiddly, little irritating little, ugh, it's a Lightning cable or something, or USB, you know, and it's quite often the bit which goes wrong because the wire gets bent or the connection gets a bit flaky and all the rest of it.
So I quite like the idea of wirelessly charging my phone, particularly overnight, because I don't have to remember to plug it in.
I just dump it there and it's fantastic and it's happy.
How many wireless charge locations do you have in your house?
I think I have two.
Okay.
Is that all right with you?
You're missing a trick because I've probably got 30 socket outlets where I can plug in a charger. So I'm way ahead of you there, Graham.
So these chargers, the technology is called— I think it's pronounced Qi.
Yes.
Qi.
Not as in the television quiz show hosted by Sandi Toksvig.
No, no, that's right.
Qi is also, of course, a fabulous word to use in Scrabble, particularly if you get the Q on a triple word or triple letter even, because especially if you go two ways, it's quite a handy one that you can make a lot of points.
Qi is also, of course, a fabulous word to use in Scrabble, particularly if you get the Q on a triple word or triple letter even, because especially if you go two ways, it's quite a handy one that you can make a lot of points.
Not as good as Quaichibau.
Well, a bald, a balding, what was it? A balding ape or something. Well, there was that virus, wasn't there? The Melissa virus.
Which referenced Quaichibau, which was a Bart Simpson thing from the '90s, wasn't it?
Yeah, that's right. Well, that's dated us, hasn't it? Anyway, so you have these Qi wireless chargers around the place and there's a whole bunch of vendors these days making them.
Well, we don't, you do.
Well, all right, all right. But folks do. Many people do, Carole, but not people like you guys.
No, no, we worship efficiency, you see. So we like the idea that you just—
Duck, Duck, do you have a wireless phone?
How do you mean a wireless phone?
A phone which you don't have to plug in to phone someone up on.
The telecommunications industry in the United Kingdom of Great Britain and Northern Ireland is discontinuing landlines. So you don't have a choice. You just got to go with the flow.
Right. Okay.
So then I do have wireless headphones because I walk away from my desk and I don't want to yank my computer off onto the floor. But wireless charging's not for me.
Okay.
But we'll let you get there eventually, Graham. Don't worry.
All right. Anyway, some boffins, some boffins have been researching ways in which you can attack smartphones.
And what they've discovered is there's a new way of attacking smartphones. It's not phishing. It's not a malware attack. It's a kind of denial of service attack, if you like.
And it involves these wireless chargers, and they have called this technique of attacking smartphones Volt Schema.
And what they've discovered is there's a new way of attacking smartphones. It's not phishing. It's not a malware attack. It's a kind of denial of service attack, if you like.
And it involves these wireless chargers, and they have called this technique of attacking smartphones Volt Schema.
It's not Ben-Gurion University of the Negev, is it? Those guys?
It's not on this. You know, I really— when I saw the headlines at first, I thought it would be them because those guys, they do great, always coming up.
Stefan Smyter and Yuval Elovici and all that. They get the best names as well as cool research. So it's not those guys.
They do, they do really cool things. Now, this is a bunch of— I think they're Chinese researchers. Security researchers who've come up with this.
Volt Schema launches a wireless power toasting attack against smartphones, potentially damaging charged smartphones through overcharging and overheating them.
Volt Schema launches a wireless power toasting attack against smartphones, potentially damaging charged smartphones through overcharging and overheating them.
And not overcharging financially, but making it boil.
No, no, no, no. Anyway, I'm good. And it does more than that. So I'm going to explain what they do and how this works.
And you can tell me how plausible you think this is as an attack vector. Okay.
They have tested 9 different top-selling commercial off-the-shelf wireless chargers made by people like Anker, who produce loads of these things.
You know, the sort of thing you can pick up on Amazon for maybe about £20.
And you can tell me how plausible you think this is as an attack vector. Okay.
They have tested 9 different top-selling commercial off-the-shelf wireless chargers made by people like Anker, who produce loads of these things.
You know, the sort of thing you can pick up on Amazon for maybe about £20.
So when you say off the shelf, you mean not off the shelf through your mailbox?
All right.
Okay.
That's right. Yeah. But you could also go down. All right. You could also go down your local electronics shop and probably buy these kind of things as well.
So normally this is how wireless charging works, right? You've got your outlet, your wall outlet, which is connected to the charging device, and that is sending AC current, right?
Alternating current down the wire to that. Inside the charger, there's some sort of components and technology which turns the AC power into DC power. So we've gone from AC to DC.
We've now got direct current. That's the kind of power that your devices use. Am I correct so far? Because I'm not really an electronics whiz.
So normally this is how wireless charging works, right? You've got your outlet, your wall outlet, which is connected to the charging device, and that is sending AC current, right?
Alternating current down the wire to that. Inside the charger, there's some sort of components and technology which turns the AC power into DC power. So we've gone from AC to DC.
We've now got direct current. That's the kind of power that your devices use. Am I correct so far? Because I'm not really an electronics whiz.
Hells bells, Graham.
I have no idea what's going on.
That was a rock and roll pun.
This is an AC/DC thing, is it?
It is.
All right, so— Oh my god!
I need to pay more attention.
Okay, I'm listening. So, the charger uses the DC power to create an electromagnetic field.
Fun.
It uses that to wirelessly transfer energy to your phone. All right? Now, these boffins have discovered in their Volt Schema attack that of course there is noise in power lines.
So the power lines from your walls, the power signal isn't always entirely smooth. There are tiny, super fast fluctuations, electromagnetic interference or noise, if you like.
And what Volt Schema does is it performs an attack by intentionally making the noise coming from the power supply, much bigger and in specific patterns.
So the power lines from your walls, the power signal isn't always entirely smooth. There are tiny, super fast fluctuations, electromagnetic interference or noise, if you like.
And what Volt Schema does is it performs an attack by intentionally making the noise coming from the power supply, much bigger and in specific patterns.
This is like bees or wasps when they kind of microwave someone.
It's exactly like bees, Carole. Yes. What they've done is they've taken a wasp's nest and they've shoved it down a wire.
When— I don't know which it is, whether it's bees or wasps, but one of them, when they have an intruder, they will all gather around and wave their wings in such a pattern that it effectively microwaves the intruder.
Really?
Yeah.
Microwaves?
Well, that's what the term— that's the term I remember. I will do some Googling. Listeners, correct me.
I think they kill bees with laser guns or something.
No.
What are you talking about? What?
Okay. Well, you show your ignorance. I will put a link in the show notes.
Duck, have you heard about this? You've lived in some crazy parts of the world.
You get bees all around the globe. I can imagine it. I mean, insects. Didn't I just read about an insect that can make a noise as loud as a gunshot?
There are surprising things out there, Graham.
There are surprising things out there, Graham.
Right. Okay.
Let's, let's carry on toasting.
All right. Okay. So Volt Schema makes the noise coming from the power supply much bigger, right? Uses specific patterns. And this apparently fools the charger.
The charger misinterprets the manipulated noise coming down the power signal as instructions. And these allow the charger to do a number of things.
So it will, for instance, send very strong charging signals that can damage your phone by overcharging it or going to excess.
They can even, they said, change how the charger communicates with your phone by sending voice commands, is what they say. Wow. Now, this begins to sound completely bonkers, right?
They claim it can send inaudible by the human ear at least, voice commands to your Siri or your Android Google Assistant.
They also say, as I said, they can overcharge or overheat your devices, and they can hurt other valuable items as well, which might be in the vicinity or sitting on top of the charger.
The charger misinterprets the manipulated noise coming down the power signal as instructions. And these allow the charger to do a number of things.
So it will, for instance, send very strong charging signals that can damage your phone by overcharging it or going to excess.
They can even, they said, change how the charger communicates with your phone by sending voice commands, is what they say. Wow. Now, this begins to sound completely bonkers, right?
They claim it can send inaudible by the human ear at least, voice commands to your Siri or your Android Google Assistant.
They also say, as I said, they can overcharge or overheat your devices, and they can hurt other valuable items as well, which might be in the vicinity or sitting on top of the charger.
Like toasters, like battery-operated toasters.
So if, for instance, you were to leave your car key fob on the charging pad.
Do you do that?
Well, no, I don't. But if you did— And sometimes people put these charging points into their desks.
It's just like a flat desk, and they just plonk their phone on their desk in a particular place to charge it.
It's just like a flat desk, and they just plonk their phone on their desk in a particular place to charge it.
Yeah, you get them on the upper deck of some of the Oxford Bus Company buses.
That's true.
Yeah.
Where you sit to work, they have a USB charger, and they have the Qi thing in the middle of the desk.
Little coil sitting there, so you can just stick your phone down and charge up while you're coming in from the station into town.
Little coil sitting there, so you can just stick your phone down and charge up while you're coming in from the station into town.
I had a car which had a wireless pad in it as well, which is somewhere where you would naturally put your key fob, for instance.
And they found that the key fobs couldn't just be sort of ordered to overheat, but in one case detonated and there was an explosion as a result.
A paperclip— they managed to increase the temperature of a paperclip to 280°C. So over 500°F. Which then could actually burn paper and documents.
So if you had important documents lying around, SSD cards, USB drives, again, suffered permanent data loss as a result of these kinds of attacks.
Credit cards, passports with NFC chips, magnetic stripes got wiped, all because this Volt Schema attack was able to fool the charger into carrying on charging, and indeed, tell the phone not to cut off and not to say, "Oh, I've had enough, thank you." It could actually fool it into thinking, "No, just keep on going," until they get hotter and hotter and hotter.
And they found that the key fobs couldn't just be sort of ordered to overheat, but in one case detonated and there was an explosion as a result.
A paperclip— they managed to increase the temperature of a paperclip to 280°C. So over 500°F. Which then could actually burn paper and documents.
So if you had important documents lying around, SSD cards, USB drives, again, suffered permanent data loss as a result of these kinds of attacks.
Credit cards, passports with NFC chips, magnetic stripes got wiped, all because this Volt Schema attack was able to fool the charger into carrying on charging, and indeed, tell the phone not to cut off and not to say, "Oh, I've had enough, thank you." It could actually fool it into thinking, "No, just keep on going," until they get hotter and hotter and hotter.
Is this in the wild? Is this in the wild?
No, it's not. It's not, as far as we know, in the wild. These boffins have done it as an experiment.
It's just like those guys at Ben-Gurion University in Israel who are always finding these crazy attacks, which are completely theoretical, this is as well.
But it does appear to affect a lot of popular wireless chargers.
The researchers have reached out to the manufacturers with suggestions on how these kind of systems could be better protected in the future.
But they say that there's cost implications of implementing their mitigations. And of course, these devices, they sell dirt cheap.
And also, if you've already got one— so I've got two of these in my home already— am I really likely to go and, you know, get a new version of them.
It's not like I can patch them over the internet.
It's just like those guys at Ben-Gurion University in Israel who are always finding these crazy attacks, which are completely theoretical, this is as well.
But it does appear to affect a lot of popular wireless chargers.
The researchers have reached out to the manufacturers with suggestions on how these kind of systems could be better protected in the future.
But they say that there's cost implications of implementing their mitigations. And of course, these devices, they sell dirt cheap.
And also, if you've already got one— so I've got two of these in my home already— am I really likely to go and, you know, get a new version of them.
It's not like I can patch them over the internet.
No, why not keep a fire hazard in the house? I agree.
Well, you've got a toaster already. That's dangerous enough. Yes.
Yeah, but that has an on-off switch, right? I'm presuming these things are on all the time.
They're plugged in all the time and constantly waiting for a phone to land on them so they can do their magic.
They're plugged in all the time and constantly waiting for a phone to land on them so they can do their magic.
Did they say which phones were vulnerable?
Because it sounds as though if the phone could agree to overcharge itself overdo its battery via this Qi charging, then surely those phones would have a similar problem with today's USB chargers, some of which can deliver power in excess of 100 watts.
Because it sounds as though if the phone could agree to overcharge itself overdo its battery via this Qi charging, then surely those phones would have a similar problem with today's USB chargers, some of which can deliver power in excess of 100 watts.
Well, it seems that they did tests on the iPhone SE, the Pixel 3, a number of other manufacturers as well. So they did it on a whole bunch of devices where they were able to do it.
Maybe, I don't know if it was through this injecting of voice commands that they were saying they could control voice assistants inside the smartphones.
Maybe, I don't know if it was through this injecting of voice commands that they were saying they could control voice assistants inside the smartphones.
Yeah, I kind of think you could do, I kind of think that, I don't, doesn't seem far-fetched to me. I have no idea how you'd do it, but it, I think.
Well, I guess you make sounds that maybe have some ultrasonics in them that the microphone picks up that you can't hear that are misinterpreted.
There's an easy fix for that which you should apply anyway, and that is, Please everybody, don't, no matter how convenient it is, leave Siri or the voice assistant enabled at the lock screen.
It's meant to be a lock screen, not a very partial lock screen. The less you have on your lock screen, the safer your phone is.
There's been a litany of bugs over the years of things that went wrong at the lock screen because something's not really locked if it can actually wake up at the sound of a single word.
There's an easy fix for that which you should apply anyway, and that is, Please everybody, don't, no matter how convenient it is, leave Siri or the voice assistant enabled at the lock screen.
It's meant to be a lock screen, not a very partial lock screen. The less you have on your lock screen, the safer your phone is.
There's been a litany of bugs over the years of things that went wrong at the lock screen because something's not really locked if it can actually wake up at the sound of a single word.
Hang on. Carole has sent me a message. She says in a— she's done a screenshot.
National Geographic. From National Geographic.
Oh, excellent.
Apparently there's something called Hot Bee Balls is the title of this article. Apparently in a battle with Asian giant hornets, Japanese honeybees—
Not beans, bees.
Bees. They turn up the heat. By swarming around hornets and cooking them to death.
Thank you very much.
Scientists have found a genetic switch in the honeybees' brains that turns on during the attacks.
Thank you very much.
Well, I can see why you've mentioned this in this piece, Rob. There's definitely a link. Thank you very much.
You're very welcome.
Duck, what have you got for us this week?
Well, I thought that it might be intriguing, even though you covered the beginning of this saga last week, to revisit the whole ransomware situation, not least because of the, what you might call the denouement, or maybe it's not the denouement, maybe it's the ongoing story of the LockBit takedown and also recent news about the Rycedr ransomware decrypt-it-yourself because the crooks made a programming blunder.
You know, how do all these things such as freebie decryptors, how do they really play out in the ransomware world. Is it something we should be keen on trying? Can they work?
And what happens next?
You know, how do all these things such as freebie decryptors, how do they really play out in the ransomware world. Is it something we should be keen on trying? Can they work?
And what happens next?
So anyone who wasn't listening last week, just to quickly recap—
Go listen to the show.
Well, yeah, shame on them, frankly.
No, they could just go back a week. It's not a big deal.
All right. But anyway, so the law enforcement authorities, they took over the LockBit infrastructure. They grabbed a whole load of decryption keys.
They reckon they can unlock anyone's LockBit encrypted files for free rather than you have to pay the ransom, right?
And, but since then, LockBit appears to have made a bit of a comeback.
They reckon they can unlock anyone's LockBit encrypted files for free rather than you have to pay the ransom, right?
And, but since then, LockBit appears to have made a bit of a comeback.
That's correct.
Ooh, I wanna hear all about it 'cause I've not been following this at all.
Well, apparently the way the stories unfolded from law enforcement, they were able to break into about three dozen servers.
They got hold of details of just over 14,000, I don't know whether they were email or messaging accounts related to so-called affiliates.
They claim to have got 1,000 found decryption keys or pre-built decryption programs with the keys built in that people would normally have to negotiate and pay for.
They also claimed they'd frozen 200 cryptocurrency accounts. As I wrote on my website, we're not quite clear what that means.
I think if they'd actually seized wallets that they could get money out of, they would have been sure to say that.
So whether they just blocklisted the names of some Bitcoin addresses, whether they did something with cryptocurrency exchanges, that was unclear.
They promised a big reveal, didn't they, Graham? Yes. The law enforcement, they said, hey, you know how they do the countdown on the page?
Because they had access to some of the darkweb pages, which is quite compelling evidence because obviously if you take down their public domain names, the onion sites, the stuff on the darkweb still remains, that's harder to find.
But in this case, they would deface and they didn't just put seized by law enforcement. It had all the little windows saying, hey, countdown to reveal, countdown to reveal.
But what they were going to reveal was not data that had been stolen by the crooks. It was stuff about the crooks themselves.
Unfortunately, they— well, we don't know what really happened, but they promised me they were going to dox the leader of it, who was LockBitSup, supposedly the big cheese.
And then at the end, they just put up a cat picture and there was one line in there that said LockBitSup is now cooperating with law enforcement as though, well, we, you know, we're hoping to get something out of this person.
And of course, as often happens in this case, you've taken down the servers. If somebody knows how to set up one on a darkweb service, they can probably do it again.
And that's what happened. And on the 24th of February, 2024, a person claiming to be this LockBitSup person came back with a 2,800-word essay.
Well, essay, it was quite a weird rambling story about, oh, how it all went wrong, but they, it really, I'm actually cleverer than I sound.
They got hold of details of just over 14,000, I don't know whether they were email or messaging accounts related to so-called affiliates.
They claim to have got 1,000 found decryption keys or pre-built decryption programs with the keys built in that people would normally have to negotiate and pay for.
They also claimed they'd frozen 200 cryptocurrency accounts. As I wrote on my website, we're not quite clear what that means.
I think if they'd actually seized wallets that they could get money out of, they would have been sure to say that.
So whether they just blocklisted the names of some Bitcoin addresses, whether they did something with cryptocurrency exchanges, that was unclear.
They promised a big reveal, didn't they, Graham? Yes. The law enforcement, they said, hey, you know how they do the countdown on the page?
Because they had access to some of the darkweb pages, which is quite compelling evidence because obviously if you take down their public domain names, the onion sites, the stuff on the darkweb still remains, that's harder to find.
But in this case, they would deface and they didn't just put seized by law enforcement. It had all the little windows saying, hey, countdown to reveal, countdown to reveal.
But what they were going to reveal was not data that had been stolen by the crooks. It was stuff about the crooks themselves.
Unfortunately, they— well, we don't know what really happened, but they promised me they were going to dox the leader of it, who was LockBitSup, supposedly the big cheese.
And then at the end, they just put up a cat picture and there was one line in there that said LockBitSup is now cooperating with law enforcement as though, well, we, you know, we're hoping to get something out of this person.
And of course, as often happens in this case, you've taken down the servers. If somebody knows how to set up one on a darkweb service, they can probably do it again.
And that's what happened. And on the 24th of February, 2024, a person claiming to be this LockBitSup person came back with a 2,800-word essay.
Well, essay, it was quite a weird rambling story about, oh, how it all went wrong, but they, it really, I'm actually cleverer than I sound.
And it was a bit the Lady Doth protest too much, wasn't it?
It was, it was, yes, that's exactly what I thought. And I'm glad you got the Shakespeare in because I think we need a little bit of that every time.
What I did find intriguing in there is I hadn't heard this term before, but this seems to be the new way of repitching ransomware is basically, and I'm assuming it's a guy, he describes his business as postpaid pen testing.
How do you like that? And he's saying what I'm going to do now is I'm going to be a bit stricter about who I take on.
So if you want to be an affiliate, you have to prove that you are pen testers who work on a postpaid basis.
What I did find intriguing in there is I hadn't heard this term before, but this seems to be the new way of repitching ransomware is basically, and I'm assuming it's a guy, he describes his business as postpaid pen testing.
How do you like that? And he's saying what I'm going to do now is I'm going to be a bit stricter about who I take on.
So if you want to be an affiliate, you have to prove that you are pen testers who work on a postpaid basis.
Send me your passport so I can identify you perfectly.
That's the legitimization of, hey, it's just a service.
Like if you pay the money like you would to a regular pen tester, then you just, you know, you just do the legal agreement afterwards, not before.
One fascinating part of this 2,800-word ramble was actually, they only got in because I got lazy. Now they've re-energized me. I'm going to be fine.
And yes, the rumors you may have heard about how the FBI, etc., broke in are true. I was hit by a remote code execution bug in PHP that was patched on the 3rd of August, 2023.
And then there's this long— as Graham says, the lady doth protest too much, methinks— was going, well, this could have caught out anybody who didn't patch.
You're thinking, yeah, but last August is quite a long time ago.
Like if you pay the money like you would to a regular pen tester, then you just, you know, you just do the legal agreement afterwards, not before.
One fascinating part of this 2,800-word ramble was actually, they only got in because I got lazy. Now they've re-energized me. I'm going to be fine.
And yes, the rumors you may have heard about how the FBI, etc., broke in are true. I was hit by a remote code execution bug in PHP that was patched on the 3rd of August, 2023.
And then there's this long— as Graham says, the lady doth protest too much, methinks— was going, well, this could have caught out anybody who didn't patch.
You're thinking, yeah, but last August is quite a long time ago.
It's a long time, even for me.
And to me, a big thing at the end was trying to reinforce this idea that the FBI claim that they had retrieved evidence from the servers that people who'd paid the money to suppress their data leaks nevertheless had their data retained on the servers.
Yes. If that's true, that's very good news for all of us good guys because it completely undermines the main reason most people pay.
When you pay for the decryption key, you know whether the person is being— how can I say? Is truthful the right word?
You try the decryptor, either it works or it doesn't, and it's sink or swim, and you know whether you've got the real decryption key.
But paying for the negative, you never know, are they going to keep the data? Has someone else already got it?
So the LockBit Ramble was basically, no, no, no, that's all, that's all lies. They didn't get any data.
There's no evidence that we've been keeping data that we claimed we delete in return for the payment. So we haven't undermined the business model yet.
The fact that those servers were insecure due to operational cybersecurity blunder, such as being vulnerable to a 6-month-old vulnerability, how on earth can anyone then claim that their data hadn't been plundered?
Yes. If that's true, that's very good news for all of us good guys because it completely undermines the main reason most people pay.
When you pay for the decryption key, you know whether the person is being— how can I say? Is truthful the right word?
You try the decryptor, either it works or it doesn't, and it's sink or swim, and you know whether you've got the real decryption key.
But paying for the negative, you never know, are they going to keep the data? Has someone else already got it?
So the LockBit Ramble was basically, no, no, no, that's all, that's all lies. They didn't get any data.
There's no evidence that we've been keeping data that we claimed we delete in return for the payment. So we haven't undermined the business model yet.
The fact that those servers were insecure due to operational cybersecurity blunder, such as being vulnerable to a 6-month-old vulnerability, how on earth can anyone then claim that their data hadn't been plundered?
Right. Yeah.
So I'm wondering, slash hoping, that this will make people think that paying up really isn't worth it because the entire, if you like, business prospect is undermined.
You can test whether the decryptor works.
So generally my understanding is most ransomware crooks make sure that their decryptors work because it's easy to see if they're leading you down the garden path.
If they sell you the thing and then and it doesn't work. But you can never really have any proof, positive proof, that they deleted the data they claimed.
You can test whether the decryptor works.
So generally my understanding is most ransomware crooks make sure that their decryptors work because it's easy to see if they're leading you down the garden path.
If they sell you the thing and then and it doesn't work. But you can never really have any proof, positive proof, that they deleted the data they claimed.
And LockBitSup, they can't be confident that someone else hasn't exploited the same flaw.
That's what I mean. They were vulnerable. Who knows who else has got that data?
It could have been going on for ages, couldn't it? Different vulnerabilities mean some other criminal gang has for ages been grabbing data from the LockBit gang.
And doing whatever the heck they like with it.
And doing whatever the heck they like with it.
And this would not be the first time that crooks have gone to war with each other by pwning each other's servers as a way of getting back at each other, or I guess having what amounts to postpaid pentesting fun amongst themselves.
So it looks as though the sort of underlying business model of this whole pay to have your data deleted has been visibly undermined by this long disposition by LockBitSup.
Hey, don't worry guys, I was just slack about this vulnerability for 6 months because I was too busy spending my money and enjoying myself. Now I'm re-energized.
I've now patched my servers and I've made some modifications to PHP.
From an operational security point of view, which really, really matters if you're trusting the person to delete your data and not have it stolen themselves, why would anyone believe them in future?
So it looks as though the sort of underlying business model of this whole pay to have your data deleted has been visibly undermined by this long disposition by LockBitSup.
Hey, don't worry guys, I was just slack about this vulnerability for 6 months because I was too busy spending my money and enjoying myself. Now I'm re-energized.
I've now patched my servers and I've made some modifications to PHP.
From an operational security point of view, which really, really matters if you're trusting the person to delete your data and not have it stolen themselves, why would anyone believe them in future?
He should really have sent an apology email, shouldn't he, to his clients, to all those corporate customers who've been paying him?
Dear customers, we take your security seriously. Now.
Carole, what have you got for us this week?
I am going to look a bit at the dating world to start off with. It just struck me.
I was looking at it today and doing a bit of research on what was the dating landscape in the last few years? How do people do it?
And it's completely different from when I was in the dating zone. I'm sure it's this— I mean, Graham, actually, you've been on it more recently than me.
I was looking at it today and doing a bit of research on what was the dating landscape in the last few years? How do people do it?
And it's completely different from when I was in the dating zone. I'm sure it's this— I mean, Graham, actually, you've been on it more recently than me.
Yeah, you were on it about 1978, weren't you? I think you probably haven't been on it for a while.
Yeah, I was still a toddler. That's right. But also, I was looking at this research, and maybe for a guy with marmalade issues, Graham, you're quite gobby today. He's in a bad mood.
Can you tell?
Can you tell?
Yes, yes, he's speaking.
So maybe there's no surprise that of the respondents in this research that Forbes summarized, right, half the respondents use online dating apps to find dates.
But then stuff got weird. So overall, respondents were more concerned with emotional cheating than physical cheating. And I was like, I didn't really understand what that meant.
And it means if you're cheating, if you're fantasizing about another person in a romantic way. So basically mind control.
But then stuff got weird. So overall, respondents were more concerned with emotional cheating than physical cheating. And I was like, I didn't really understand what that meant.
And it means if you're cheating, if you're fantasizing about another person in a romantic way. So basically mind control.
No.
What do you mean mind? How's it mind control? I don't understand.
My partner gets mad at me going, were you just thinking about Geoff Goldblum?
Were you?
Did he have a shirt on? Well, it's over. You're cheating.
No, Carole, there's a difference when you're fantasizing about Geoff Goldblum, who you've never met and are unlikely to ever have a, you know, go swinging with or something.
He unleashed the world's most famous virus, didn't he, Geoff Goldblum?
He did. Mac virus as well.
Who says Macs don't get viruses, eh?
Who claims aliens don't use Macs? That was a lucky guess on his part, wasn't it?
But Carole, if you were fantasizing about Alan in the office, who you sometimes go play badminton with, then your partner would be right to be concerned, I think.
But Carole, if you were fantasizing about Alan in the office, who you sometimes go play badminton with, then your partner would be right to be concerned, I think.
Well, I wouldn't be telling them, presumably. Anyway, I found that, you know, I think physical cheating might be a bigger deal personally, right? So apparently that—
Yes, but there's gradients.
Having sex with someone who's not your partner is a close fourth. That was the first thing on their list, was fantasizing about someone.
Maybe the deal is that many people who use dating sites never end up meeting up with a person because they're on the other side of the world.
So actually, all they've got is the emotional side. And we know that that can draw people in very deeply, even when they're deeply suspicious that they're being scammed.
Which is why romance scams are such a often such a terribly long-game thing that you just feel so sorry for the people who get drawn in.
So actually, all they've got is the emotional side. And we know that that can draw people in very deeply, even when they're deeply suspicious that they're being scammed.
Which is why romance scams are such a often such a terribly long-game thing that you just feel so sorry for the people who get drawn in.
I would be upset if I were a woman whose partner was on Ashley Madison, chatting up someone for months and months on end.
Not only that they're emotionally committing to this person, but also the person they're probably chatting to is a bot anyway, who isn't a real person.
So it's you're stupid and you're emotionally cheating on me.
Not only that they're emotionally committing to this person, but also the person they're probably chatting to is a bot anyway, who isn't a real person.
So it's you're stupid and you're emotionally cheating on me.
And you're sharing your data with an organization that has a non-stellar reputation when it comes to cybersecurity.
Well, look, I just think after looking at all this stuff, I just thought, I don't blame anyone for thinking I'm going to just go fully digital. And why not, right?
The generative AI world exploded like an unsettled stomach more than a year ago, and now we are awash with all manner of AI, including love AI.
The generative AI world exploded like an unsettled stomach more than a year ago, and now we are awash with all manner of AI, including love AI.
Your metaphor took me by surprise there.
I was confused by digital, to be honest. I thought I had a different image in my head, but anyway, okay, so we're talking computers.
No, it was the other word beginning with D that washed me away.
Carry on.
Some of you longtime listeners might remember that I spoke about Replika AI, I think twice last year.
Replika AI is one of the many online chatbots that you effectively train to be your love interest through texting and sending pics and sharing your deepest, darkest secrets.
So you might kind of go, oh, that is not weird at all. You might go, oh, I really love chess and I really love Doctor Who, but I hate everything else.
Replika AI is one of the many online chatbots that you effectively train to be your love interest through texting and sending pics and sharing your deepest, darkest secrets.
So you might kind of go, oh, that is not weird at all. You might go, oh, I really love chess and I really love Doctor Who, but I hate everything else.
I'm beginning to understand your exploding stomach metaphor a bit better now, I'll tell you. Yeah, that's peculiar, if nothing else.
So I actually downloaded this Replika AI to play around with it.
And honestly, it was — well, you might remember I said this on the show a year ago, but I lost interest very quickly because it just didn't work.
It just had no conversational ability whatsoever. It just kept going, "What's your favorite movie? Do you like the color red?" Independence Day, obviously, you know.
So I lost interest in even for research purposes. But thank God we have organizations like Mozilla's Privacy Not Included.
Now, Privacy Not Included, link in the show notes, is a website dedicated to reviewing all manner of smart paraphernalia and exposes the bits hidden deep in the privacy notices.
So we've talked about them before as well.
And honestly, it was — well, you might remember I said this on the show a year ago, but I lost interest very quickly because it just didn't work.
It just had no conversational ability whatsoever. It just kept going, "What's your favorite movie? Do you like the color red?" Independence Day, obviously, you know.
So I lost interest in even for research purposes. But thank God we have organizations like Mozilla's Privacy Not Included.
Now, Privacy Not Included, link in the show notes, is a website dedicated to reviewing all manner of smart paraphernalia and exposes the bits hidden deep in the privacy notices.
So we've talked about them before as well.
I was thinking about that when you were saying if, you know, if someone gets sucked into this and they keep telling them more and more and more to try and train this bot to be more like what they want to be like, eventually you're kind of going to tell them everything, aren't you?
That is a very interesting point, Doug, and a scary one, right? So that's the kind of thing that Privacy Not Included will ask.
They're just going to see what data are they taking from you and is your privacy safe? And the point is to help us make better choices when it comes to buying smart tech.
So these people released some findings earlier this month on a smattering of romantic AI chatbots. Now I'm guessing, well, I don't want to guess.
Do you boys think that they found the purveyors of AI romantic chatbots were privacy forward thinkers securing their romantic AI services for the paying customer?
They're just going to see what data are they taking from you and is your privacy safe? And the point is to help us make better choices when it comes to buying smart tech.
So these people released some findings earlier this month on a smattering of romantic AI chatbots. Now I'm guessing, well, I don't want to guess.
Do you boys think that they found the purveyors of AI romantic chatbots were privacy forward thinkers securing their romantic AI services for the paying customer?
Yes, yes. I expect they found that they were all performing perfectly.
Top notch, five stars.
And looking after privacy. And it's great that we have such a good news story on the Smashing Security podcast.
Would you be surprised to find out that Privacy Not Included found that all 11 romantic AI chatbots assessed had privacy issues, making them among the worst products reviewed for privacy by the club?
Would you be surprised to find out that these AI chatbots are deliberately designed to collect sensitive personal information under the guise of being empathetic friends or romantic partners?
Would you be surprised to find out that these AI chatbots are deliberately designed to collect sensitive personal information under the guise of being empathetic friends or romantic partners?
No. Shame on you, Carole. That can't possibly be happening.
No, but think about it, right? You're sitting there, Clue, right? You're sitting there wooing a bot with your Zhu Zhuang talk. Is that how you say it?
Zhu Zhuang?
Zhu Zhuang. Zhu Zhuang.
Yes. Zhu Zhuang. Yeah. And my Meroxibind.
Yeah. Another good chess move. Maneuver.
Yeah, you share all your fantasy moves and fantasy games with the fantasy players to the AI chatbot.
Hit the board over in a fit of rage. That's also a chess ending.
Tell them all about your lucky underpants. Would you be a reasonable person to assume that this dirty chess talk is just between you and your AI darling?
It would be nice to think it were, but I suspect you're going to say that it isn't.
And I bet you, as he said, they're collecting location information, all sorts of other stuff, as much as they can. Can as well, right?
Because that helps you be more, more empathetic. Because, well, you said X when you're at location Y, but you said A when you're at location B.
It's important to know all this stuff, folks. So I can imagine people being lured into turning all the share with those options on.
Because that helps you be more, more empathetic. Because, well, you said X when you're at location Y, but you said A when you're at location B.
It's important to know all this stuff, folks. So I can imagine people being lured into turning all the share with those options on.
Exactly. So they market themselves as an empathetic friend, lover, or soulmate, but are built to ask you endless questions.
They're designed to collect sensitive personal information about you.
Numbers from the research, chatbots collected excessive personal data with an average of 2,663 trackers per minute and up to 24,354 trackers detected in 1 minute of use.
That's a lot of tracking.
They're designed to collect sensitive personal information about you.
Numbers from the research, chatbots collected excessive personal data with an average of 2,663 trackers per minute and up to 24,354 trackers detected in 1 minute of use.
That's a lot of tracking.
That does sound—
And I bet you once people think they can trust this bot, and we know that's an issue because going right back to, what was it, the '60s or the early '70s with ELIZA, you know, which was the first simple chatbot.
People really got drawn into that and they knew it was a program, but they still talked to it.
You can imagine that people aren't just going to be talking about their romantic wishes or their fantasies.
They're going to be moaning about things in their life—oh, I had my credit card blocked the other day and I got into a big argument at the bank and I'm thinking of switching.
And oh, I owe the utility company money and I won't be able to pay it. You can imagine they're probably giving away all sorts of details.
If you're a cyber criminal or an identity thief or another scammer who wanted to come in with a human scam, you would be off to such a flying start.
People really got drawn into that and they knew it was a program, but they still talked to it.
You can imagine that people aren't just going to be talking about their romantic wishes or their fantasies.
They're going to be moaning about things in their life—oh, I had my credit card blocked the other day and I got into a big argument at the bank and I'm thinking of switching.
And oh, I owe the utility company money and I won't be able to pay it. You can imagine they're probably giving away all sorts of details.
If you're a cyber criminal or an identity thief or another scammer who wanted to come in with a human scam, you would be off to such a flying start.
Well, to your point earlier, Duck, they are hiding—they're in the T&Cs, they hide their CYAs, right, which means cover your bottoms.
And one reads that they may collect excessive personal data, even health-related information from you—your sexual health information, use of prescribed medicine, and gender-affirming care information.
And one reads that they may collect excessive personal data, even health-related information from you—your sexual health information, use of prescribed medicine, and gender-affirming care information.
Fun.
So are people telling their AI chatbots that they're taking heart medication or they're just—
Sure. They would go, hi honey poochie poo poo.
Oh, I've got such a hangover today. I was at such and such a club. I spent $400 I couldn't afford. You know, just—
I had—I sucked back 4 bottles of Bailey's. Not feeling great today.
Wow.
You know, now a big issue is that some users want to use these chatbots to maybe help with their mental health. Maybe they're feeling lonely, maybe they're anxious.
And many are peddling—many of these AI chatbots, these romantic versions, are peddling the message that it's a self-help program.
So that's what TalkySoul AI calls itself, a self-help program.
Eva AI chat and bot Soulmate bills itself as a provider of software and content developed to improve your mood and well-being.
And many are peddling—many of these AI chatbots, these romantic versions, are peddling the message that it's a self-help program.
So that's what TalkySoul AI calls itself, a self-help program.
Eva AI chat and bot Soulmate bills itself as a provider of software and content developed to improve your mood and well-being.
So they're actively urging you to say more than you reasonably would.
Yes. And Romantic AI chatbox says, here to maintain your mental health.
But look at Romantic AI's Ts and Cs, and it says Romantic AI makes no claims, representations, warranties, or guarantees that the service provide therapeutic, medical, or other professional help.
But look at Romantic AI's Ts and Cs, and it says Romantic AI makes no claims, representations, warranties, or guarantees that the service provide therapeutic, medical, or other professional help.
You would think that the people behind them by now thought, I wonder how we could make some more money.
I wonder if we could sort of integrate into the conversation some advertising. So say, oh, that sounds terrible. Maybe you should go out to the disco tonight.
I hear there's a good one just down the road.
I wonder if we could sort of integrate into the conversation some advertising. So say, oh, that sounds terrible. Maybe you should go out to the disco tonight.
I hear there's a good one just down the road.
Yes.
Or worse.
Yes, Minority Report does dating.
But there are some serious examples of harm. So one of Chai's— that's another romantic AI chatbot— reportedly encouraged a man to end his own life. He did.
A Replica AI chatbot encouraged a man to try and assassinate the Queen. He did, or tried to.
A Replica AI chatbot encouraged a man to try and assassinate the Queen. He did, or tried to.
Yeah, I was going to say, crikey, that's—
Missed that story.
They hushed that up well. No, I know what you mean.
Now that these AI chatbot butts are covered by all their legalese, these romantic AI chatbots can let their chatbots ask any question, right?
The chatbot can ask anything and hoover up all the answers the customers give, all in the name of providing love AI-style.
The chatbot can ask anything and hoover up all the answers the customers give, all in the name of providing love AI-style.
Be aware before you share.
Yeah.
Yeah.
The old rules work the best.
I can totally see the draw. My experience, it was a year ago, but it was pretty poor. But go check out Privacy Not Included, see what they say, and make your own mind up.
But don't go in with your eyes closed and your— yeah, anything else open. Thank you very much. Good night.
But don't go in with your eyes closed and your— yeah, anything else open. Thank you very much. Good night.
With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market.
And that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses supporting endpoints seamlessly.
Now, many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI, you'll find out how long before, and it can be months or years, it has already protected its customers.
Staying one step ahead is central to everything BlackBerry does, and in fact, it's your 24/7 AI-driven security partner.
So visit smashingsecurity.com/blackberry to find out more, and thanks to them for supporting the show.
You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password?
Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.
For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data.
And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.
That's K-O-L-I-D-E kolide.com/smashing. And thanks to them for supporting the show.
And that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses supporting endpoints seamlessly.
Now, many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI, you'll find out how long before, and it can be months or years, it has already protected its customers.
Staying one step ahead is central to everything BlackBerry does, and in fact, it's your 24/7 AI-driven security partner.
So visit smashingsecurity.com/blackberry to find out more, and thanks to them for supporting the show.
You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password?
Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.
For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data.
And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.
That's K-O-L-I-D-E kolide.com/smashing. And thanks to them for supporting the show.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta.
Vanta gives you one place to centralize and scale your security program. Quickly access risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more.
You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.
Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.
All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.com/smashing. And thanks to Vanta for sponsoring the show.
Vanta gives you one place to centralize and scale your security program. Quickly access risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more.
You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.
Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.
All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.com/smashing. And thanks to Vanta for sponsoring the show.
And welcome back. And you join us after favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Duck.
Pick of the Week. I always forget that bit.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. I do a lot of public speaking, but increasingly people say, well, no, we don't want to see you in public, actually.
We don't want you showing up. Instead, can you do it down a Zoom call or Microsoft Teams or Google Meet? Can you do it down a camera instead?
Which is great for me because I don't have to put any trousers on. But so I'm doing a lot of talks online. And sometimes, you know, they say, oh, can you just talk for an hour?
And I'll be honest with you, I find it a bit tricky because it's much easier when you have the roar of the crowd, the smell of the grease paint, when you can see the horror in the audience's eyes as you start to tell a story.
It's good to have some feedback. So it's a little bit hard just talking straight down the camera.
We don't want you showing up. Instead, can you do it down a Zoom call or Microsoft Teams or Google Meet? Can you do it down a camera instead?
Which is great for me because I don't have to put any trousers on. But so I'm doing a lot of talks online. And sometimes, you know, they say, oh, can you just talk for an hour?
And I'll be honest with you, I find it a bit tricky because it's much easier when you have the roar of the crowd, the smell of the grease paint, when you can see the horror in the audience's eyes as you start to tell a story.
It's good to have some feedback. So it's a little bit hard just talking straight down the camera.
Graham, what would you find more difficult, talking for an hour or listening for an hour? I rest my case.
Now, my pick of the week this week is something which makes it easier for me to talk online down a camera and hopefully appear slightly professional.
It's not a romantic chatbot, is it?
No, it's not.
A fake audience.
It can be easy to forget some detail of your talk or where you are, or, you know, you don't want to be looking at your notes.
So I use a piece of software sometimes called PromptSmart. And this is a tool which you can run on your computer or on your phone.
I use it on my computer, and it's basically like a teleprompter.
So you can put in your notes, you can have what you want to say if you're recording something, and it will scroll up the screen.
And what's really clever about it is the voice recognition which is built into it. So it isn't going up at a set speed. It's listening to what I say and it scrolls at my speed.
So it will be as quick as I choose it to be.
So I use a piece of software sometimes called PromptSmart. And this is a tool which you can run on your computer or on your phone.
I use it on my computer, and it's basically like a teleprompter.
So you can put in your notes, you can have what you want to say if you're recording something, and it will scroll up the screen.
And what's really clever about it is the voice recognition which is built into it. So it isn't going up at a set speed. It's listening to what I say and it scrolls at my speed.
So it will be as quick as I choose it to be.
So as your talk goes on, the CPU starts overheating as it's frantically trying to keep up. And then eventually, like your wireless toaster, it all explodes.
And it's paperclips setting his documents on fire.
And it's paperclips setting his documents on fire.
What I really like about PromptSmart is that the voice recognition works so well that if you go off script, which I am prone to doing, you know, I think, oh, I'll just tell this story as well.
I'll tell this anecdote. It will wait and it will wait until I come back or it will catch up. It doesn't require me to say every word.
It will, you know, it will jump to wherever I am. It will work out where I am.
I'll tell this anecdote. It will wait and it will wait until I come back or it will catch up. It doesn't require me to say every word.
It will, you know, it will jump to wherever I am. It will work out where I am.
It doesn't start yelling at you, does not compute. I don't understand.
You're off.
You're going the wrong way.
Anyway, it works really nicely.
Does it have a little tick box that you can turn on that is cough mode?
So that if you're way off script, it goes, "Ahem, ahem, ahem, and oh, sorry folks," and it guides you gently back.
So that if you're way off script, it goes, "Ahem, ahem, ahem, and oh, sorry folks," and it guides you gently back.
Anyway, my pick of the week this week is PromptSmart. Thank you very much. Duck, what's your pick of the week?
My pick of the week is a museum exhibit that is perhaps at least in theory, one of the simplest you can imagine at the Natural History Museum in Oxford, which is a great place to visit.
Free entry, gorgeous Victorian Gothic building built in the late 19th century, just opposite Keble College.
And this is an exhibit that very much goes around 32 bits or 2 to the power of 32, but it's not a techie thing.
Basically, the atrium of the main gallery of the museum is just short of 40 meters across.
That's where they've got the Iguanodon skeleton and the T-Rex skeleton and all the cool stuff.
But if you go up into the coffee shop on the sort of portico at one side on the first floor and you look across, it's just under 40 meters.
Well, that just happens to be 1 divided by 2 to the 32 times as far as it is from the Earth to the Sun.
So it's basically 1/4 billionth of the scale of the distance from the Earth to the Sun across the museum.
So what they have done, on the far side of the museum, they have a gilt sphere — a brass sphere that is about 350 millimeters across, which is 1/4 billionth the diameter of the Sun.
Free entry, gorgeous Victorian Gothic building built in the late 19th century, just opposite Keble College.
And this is an exhibit that very much goes around 32 bits or 2 to the power of 32, but it's not a techie thing.
Basically, the atrium of the main gallery of the museum is just short of 40 meters across.
That's where they've got the Iguanodon skeleton and the T-Rex skeleton and all the cool stuff.
But if you go up into the coffee shop on the sort of portico at one side on the first floor and you look across, it's just under 40 meters.
Well, that just happens to be 1 divided by 2 to the 32 times as far as it is from the Earth to the Sun.
So it's basically 1/4 billionth of the scale of the distance from the Earth to the Sun across the museum.
So what they have done, on the far side of the museum, they have a gilt sphere — a brass sphere that is about 350 millimeters across, which is 1/4 billionth the diameter of the Sun.
Cool.
On the near side, just in front of you, is the most exquisitely painted 1/2^32 scale model of the Earth, which comes in at just over 3mm in diameter on a little pin with the continents painted on beautifully.
And then on a little circle around it on another pin is a scale model of the moon, which is about 1mm across to scale.
And it's amazing how amongst all the interactive exhibits on the super high-res screens and the carefully restored giant dinosaur skeletons, which are real — massive deal to maintain — this tiny simple model, it's just amazing.
If you just stand around near there and watch people, sometimes they go up there and sit and work.
And people go, "Wow, that's amazing!" And it really gives you this amazing sense of scale.
And I didn't realize until I looked it up that the scale was also 1 in 2 to the power of 32, more or less.
And it's just fascinating how you can get an idea of the scale of just our part of the galaxy just by looking at these 3 balls: 1 millimeter, 3.2 millimeters, 350 millimeters.
And things — gosh, the sun's a lot bigger than you probably thought at 1.4 million kilometres in diameter.
And then on a little circle around it on another pin is a scale model of the moon, which is about 1mm across to scale.
And it's amazing how amongst all the interactive exhibits on the super high-res screens and the carefully restored giant dinosaur skeletons, which are real — massive deal to maintain — this tiny simple model, it's just amazing.
If you just stand around near there and watch people, sometimes they go up there and sit and work.
And people go, "Wow, that's amazing!" And it really gives you this amazing sense of scale.
And I didn't realize until I looked it up that the scale was also 1 in 2 to the power of 32, more or less.
And it's just fascinating how you can get an idea of the scale of just our part of the galaxy just by looking at these 3 balls: 1 millimeter, 3.2 millimeters, 350 millimeters.
And things — gosh, the sun's a lot bigger than you probably thought at 1.4 million kilometres in diameter.
Very cool, very cool, very cool. Interesting Pick of the Week. Carole, what's your Pick of the Week?
Well, I was a little stuck this week. I don't know — we do a lot of Pick of the Weeks. You know, guests get to come on and have a few in their pocket, you know.
But we have to do it every week, Clue.
But we have to do it every week, Clue.
Tiny violins are sounding.
Well, I had a lot of work on last week, right? And then I twisted my ankle or rolled it or whatever.
The cellos are joining.
So I had to cancel loads of stuff, right, which stressed me out and blah blah blah. And I was thinking, why did I roll my ankle, right? Because I probably wasn't paying attention.
I was probably either thinking about something or planning ahead or — I wasn't in the moment. I wasn't walking and paying attention — one foot, left foot, right foot.
I think that's what I need to do.
I was probably either thinking about something or planning ahead or — I wasn't in the moment. I wasn't walking and paying attention — one foot, left foot, right foot.
I think that's what I need to do.
It's amazing how tiny the deviation you need to do that though, isn't it? It's annoyingly easy to do.
Yep. And kind of frustrating. Anyway, so among other things that I was thinking, what can I do to try and maintain that, is I downloaded, or I heard about this app called Lotusbug.
And there's no tracking that I can see. It's free for iOS and I think maybe elsewhere. But basically it's one of those beautiful, simple apps that does only one thing.
It just puts this kind of chimy bell occasionally throughout the day, right? It just goes bong.
And there's no tracking that I can see. It's free for iOS and I think maybe elsewhere. But basically it's one of those beautiful, simple apps that does only one thing.
It just puts this kind of chimy bell occasionally throughout the day, right? It just goes bong.
Right.
And it just means, basically, the way I read it, Graham, is calm the fuck down, basically, right? That's the sound.
So it just occasionally goes—
Bong.
Couldn't you just listen out for a nearby church clock?
There are quite a lot of those in the Ox area, 'cause then you get 1, then 2, then 3, then 4, then 5, then 6 as the day goes on.
There are quite a lot of those in the Ox area, 'cause then you get 1, then 2, then 3, then 4, then 5, then 6 as the day goes on.
It's just a random bell.
So just the bong, the bong calms you down, Carole. If you need to be calmed down more, couldn't you have a fire alarm going off?
Those words did not come out as I think you expected, Graham.
The bong calming her down.
So it has this little bell sound, and I don't know, I think it's good. So if you're finding yourself to be a little bit stressed, Graham, right?
A little grumpy because you have a lot of things on. And you're trying to balance everything and everyone's frustrating you, maybe Lotusbug is for someone like you.
And that is my pick of the week.
A little grumpy because you have a lot of things on. And you're trying to balance everything and everyone's frustrating you, maybe Lotusbug is for someone like you.
And that is my pick of the week.
What the fuck are you talking about?
Maybe you could persuade the PromptSmart guys to build it into the app. So if it sees you've gone off script, it— you just get bong, a little calming gong thing.
So is that all it— just one?
So is that all it— just one?
Yep. And it might say, remember to breathe. Important life-saving stuff like that.
One dong at a time. That didn't come out right either, but you know what I mean.
Carole, what's the name of the app again?
It's called Lotusbug, and it's my pick of the week.
That just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What's the best way for folks to do that?
What's the best way for folks to do that?
The best way to do that is to go to pducklin.com, or if you can remember my full name, paulducklin.com will take you to the same place.
And that's without a G, isn't it?
Ducklin without a G. It is indeed.
And you can follow us on Twitter @SmashingSecurity. We also don't have a G. Twitter won't allow us to have a G. And we have a Mastodon account too.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And massive thank you to our episode sponsors, BlackBerry, Kolide, and Vanta, and to our wonderful Patreon community. Thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 360 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 360 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye. Bye.
Bong.
I think it would do you good, Graham. Bit of bong in your life. Little bell.
A bit, bit—
Little bell, just to remind you to chill out.
Why? You seem to think I'm stressed.
Yes, it's funny, most people who are stressed don't realize they give stress vibes out.
Yeah, you might not be stressed. Maybe it's everyone else is stressed. On your account, yeah.
Everyone around me.
Maybe that's how it works.
Yes, they're worried about me. Maybe that's the anxiety.
Just saying.
Thank you very much, Duck.
Thank you for having me. It was great fun as always.
Thank you, Duck. You're lovely.
Thank you.
Cheers. I've got to go, guys.
Bye.
Bye.
Bye-bye.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Paul Ducklin – @duckblog
Episode links:
- VoltSchemer: Use Voltage Noise to Manipulate Your Wireless Charger – ArXiv.
- FBI offers free decryption help for LockBit ransomware victims – Paul Ducklin.
- LockBitsupp unmasked!!? Graham’s reaction to the FBI and NCA’s LockBit ransomware revelation – YouTube.
- Dating Statistics And Facts In 2024 – Forbes Health.
- Romantic AI Chatbots Don’t Have Your Privacy at Heart – Mozilla Privacy Not Included.
- Promptsmart.
- Solving a celestial mystery: the Sun, Earth and Moon model – Museum of Natural History, Oxford.
- Lotus Bud.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry – BlackBerry helps keeps you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
