iPhone photos come back from the dead! Scarlett Johansson sounds upset about GPT-4o, and there’s a cockup involving celebrity fakes.
All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Anna Brading of Malwarebytes.
Plus! Don’t miss our featured interview with Sandy Bird of Sonrai Security.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You're not seeing their growlers or their, you know, carrot and two veg. Or what is it? Sausage and two veg?
Is that the vegetarian option? Carrot and two other vegetables? Smashing Security, episode 373.
iPhone undeleted photos and stealing Scarlett Johansson's voice with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 373.
My name's Graham Cluley.
iPhone undeleted photos and stealing Scarlett Johansson's voice with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 373.
My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, we are joined by a very special guest this week, someone who's been on the show before. Please reveal who it is. Pull back the curtain.
Anna Brading of Malwarebytes. Hi, Anna. Hello.
Do you know it's been over a year since I've been on.
Well, you have been doing— you have been doing renovations for a lot of that time. It wasn't that you weren't asked.
That's true.
The ego's intact, baby.
Good to have you back, Anna.
Good to be back.
Let's kick this show off and thank this week's wonderful sponsors: Collide, Sonrai, and Vanta. It's their support that help us give you this show for free.
Now, coming up in today's show, Graham, what do you got?
Now, coming up in today's show, Graham, what do you got?
I'm going to be saying thank God for screw-ups.
Okay, Anna, what about you?
I'm gonna be talking about long-deleted photos coming back.
And my story is a genuine mistake or a cunning, perhaps unethical PR stunt. Plus, I chat with Sandy Bird, the co-founder and CTO at Sonrai Security.
This company takes a pretty cool approach to securing the cloud, and Sandy tells us how it works. All this and much more coming up on this episode of Smashing Security.
This company takes a pretty cool approach to securing the cloud, and Sandy tells us how it works. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I don't know about you, but I love a good cock-up.
Oh, I didn't know that about you.
Yeah, no, I love it. I love it when things go hilariously wrong.
And I actually thought maybe during this little part of the show, as I cock-ups, I might give you a list of legendary cock-ups.
And I actually thought maybe during this little part of the show, as I cock-ups, I might give you a list of legendary cock-ups.
Oh, yes, please.
And so I went searching online, but the results weren't quite what I had in mind. So probably not appropriate for this podcast.
But what I'm thinking of is things do you remember the Mars Climate Orbiter, which NASA launched into space in 1998, planning to study the Martian climate and the surface?
But what I'm thinking of is things do you remember the Mars Climate Orbiter, which NASA launched into space in 1998, planning to study the Martian climate and the surface?
Anna was 6 years old.
Yeah, I was barely born, Graham.
Well, the only problem was that some of the software had been mistakenly told to use English Imperial measurement units rather than the metric units used by other systems connected with the probe.
And so crunch! It crashed. It got confused. $125 million down the drain. It'd gone all the way to Mars and then just crashed because of a simple engineering error. Oh dear. Oh dear.
And so crunch! It crashed. It got confused. $125 million down the drain. It'd gone all the way to Mars and then just crashed because of a simple engineering error. Oh dear. Oh dear.
Mm-hmm.
Or what about when Hoover, the vacuum cleaner people, they ran a promotion in the UK. They offered free flights to Europe and New York.
All you had to do was spend more than £100 on Hoover products, they said, which was significantly less than the cost of the actual flights.
Now Hoover, if you'll remember, they'd been relying on customers being unwilling to go through the complex application process.
All you had to do was spend more than £100 on Hoover products, they said, which was significantly less than the cost of the actual flights.
Now Hoover, if you'll remember, they'd been relying on customers being unwilling to go through the complex application process.
I do remember this, you know.
Yes. Do you remember what happened?
No.
So they didn't do it, but they didn't— they do a class action?
Well, there was a huge kerfuffle. That's what it was, Carole. Forget class action. It was a kerfuffle. Because they severely underestimated just how popular the offer would be.
Oh my gosh.
And the company had to deny customers their flights. They had years of bad publicity. Eventually, they were forced to honour many of these deals at the cost of £48 million.
Oh my gosh.
And all the senior staff involved in the promotion lost their jobs. I mean, it's quite brilliant, isn't it?
I mean, obviously a bit sad for those people, but I love a cock-up like that.
I mean, obviously a bit sad for those people, but I love a cock-up like that.
You'd worry about the legal advice that you got in that instance, really.
Do you think they got legal advice?
Legal shmeagle.
Yeah.
I remember all three of us, when we used to work together at a certain security company, and we would start certain initiatives, we wouldn't go anywhere near the legal department.
We wouldn't want them interfering with things. If we had a good idea, we just went for it, didn't we?
We wouldn't want them interfering with things. If we had a good idea, we just went for it, didn't we?
Yeah, we don't want them to say no.
Yeah.
Yeah, yeah. Well, we were young, reckless.
And sometimes, of course, you can have a monumental IT-related cock-up.
So along those lines, I was delighted to read an article on 404 Media, a great outlet for all the gossip from those side of things, about how some folks are getting just what they deserved after a blunder.
So along those lines, I was delighted to read an article on 404 Media, a great outlet for all the gossip from those side of things, about how some folks are getting just what they deserved after a blunder.
No.
So, let me set the scene.
There are, and this will shock you, some grubby little scumbags out there who are using artificial intelligence to generate non-consensual sexual images of celebrities. Right?
So, you pick someone famous that you fancy, like Scarlett Johansson or Demi Moore or Lassie, or, you know, someone famous.
There are, and this will shock you, some grubby little scumbags out there who are using artificial intelligence to generate non-consensual sexual images of celebrities. Right?
So, you pick someone famous that you fancy, like Scarlett Johansson or Demi Moore or Lassie, or, you know, someone famous.
Michael Bublé.
Mm-hmm.
And for a monthly subscription fee, you get access to AI-generated images of them without their pants on. So, if you had that option, which celebrities would you two choose? Anna?
Instant reaction. Let's hear it.
Instant reaction. Let's hear it.
I don't want to see any celebrities naked.
Yeah, but you're not really. You're not seeing their growlers or their, you know, carrot and two veg.
Or what is it?
Sausage and two veg.
Maybe you should do it.
Is that the vegetarian option? Carrots and two other vegetables.
That's what happens when you go a bit veggie, right? But it's not their bits, is it?
No, but who would you like to see, Carole? Thom Selleck?
Anna doesn't want to see anyone naked, so not even Paddington, presumably. He has to keep his duffle coat on.
Absolutely not Paddington.
Carole?
Maybe on the bears, but no.
Carole, who?
I don't want to see anyone naked unless they want to show me themselves naked. And even then, the chances of me saying, "Yeah, go on then," is pretty slim.
Graham, who would you like to see naked? I feel like this is a question for you.
Yes.
Well, unfortunately, we haven't got time. We've got to get on with the show. So, we'll have to move on. Now, there is a particular service.
One of these services which offers this facility is called Aesthetic Illusions. Sounds harmless enough, doesn't it?
And they have an account up on Patreon, just like Smashing Security does, folks. But unlike us, they charge $60 a month for their service.
And according to its Patreon page, will create more than 5,000 images a month. And they've already made over 53,000 images.
One of these services which offers this facility is called Aesthetic Illusions. Sounds harmless enough, doesn't it?
And they have an account up on Patreon, just like Smashing Security does, folks. But unlike us, they charge $60 a month for their service.
And according to its Patreon page, will create more than 5,000 images a month. And they've already made over 53,000 images.
Of what?
Of naked celebrities.
Right, so I can go to them and go, "Thom Cruise, show me him in the buff." And they'll go, "Presto, here's a penis on a body." Yep, you'll get images.
You may get some porn videos as well of the celebrities. Not real ones, but there's gigabytes and gigabytes and gigabytes of this.
Now, a journalist at 404 Media, he signed up for this service, presumably just to see what was there.
Now, a journalist at 404 Media, he signed up for this service, presumably just to see what was there.
Just for research, yeah.
Just for research. Just for research purposes.
And then said, I'll be working on this solid for the next month.
Imagine having the company credit card and being able to do that and be able to justify it. Fantastic, isn't it?
So he found this and obviously he went to Patreon and said, this appears to be against your no naughty bits rule. And Patreon shut it down, right? Very good. Very, very good.
But then the problems really started because as he tells it in his report, he subsequently received an email.
So he found this and obviously he went to Patreon and said, this appears to be against your no naughty bits rule. And Patreon shut it down, right? Very good. Very, very good.
But then the problems really started because as he tells it in his report, he subsequently received an email.
This journalist does.
Yes.
From a Gmail address owned by Aesthetic Illusions, assuring him that as a paying customer, the service was going to continue, but was migrating to a new platform, not one which had all these rigid rules like Patreon did.
And so he could still create AI-generated images of celebrities, which subscribers requested, before Patreon sort of closed the door.
In fact, in the message he said, hi friends, it looks like the inevitable happened. My Patreon's been nuked. Obviously terrible timing since I literally just quit my day job. Yikes.
But then, you know, he's got people paying $60 a month and creating 5,000 images a month. It does sound like a full-time job, doesn't it?
So he sent that email to subscribers after Patreon shut the account down. Now there's just one little problem with the email. And that is that the email was CC'd.
It didn't just go to individual subscribers. It went to something like, well, at least 35, 36 other users of the service.
And so he could still create AI-generated images of celebrities, which subscribers requested, before Patreon sort of closed the door.
In fact, in the message he said, hi friends, it looks like the inevitable happened. My Patreon's been nuked. Obviously terrible timing since I literally just quit my day job. Yikes.
But then, you know, he's got people paying $60 a month and creating 5,000 images a month. It does sound like a full-time job, doesn't it?
So he sent that email to subscribers after Patreon shut the account down. Now there's just one little problem with the email. And that is that the email was CC'd.
It didn't just go to individual subscribers. It went to something like, well, at least 35, 36 other users of the service.
What, 36 people?
Possibly these were all people who are on the highest $60 tier rather than on the cheapo tier.
And some of those email addresses, of course, included people's full names and profile pictures because you use Patreon for all kinds of things.
I support a number of Doctor Who podcasts and things like that on Patreon, because why wouldn't you?
And some of those email addresses, of course, included people's full names and profile pictures because you use Patreon for all kinds of things.
I support a number of Doctor Who podcasts and things like that on Patreon, because why wouldn't you?
Of course, me too.
Right? And so there I've got legitimate names.
But if I was supporting something a little bit shady, it would be the same email address and my same name, which would be used up there.
But if I was supporting something a little bit shady, it would be the same email address and my same name, which would be used up there.
What, like New Daleks or something?
Well, it's amazing what you can do with a sink plunger, Carole. And it's— so now those email addresses have been made public through this BCC blunder.
Well, when you say BCC, they basically CC'd instead of BCC'd. Exactly. Like rookie error.
They did a CC instead of a BCC, which as we know is something which happens all the time.
In the past, we've seen the Ministry of Defence, they've put lives of Afghan citizens at risk by using CC rather than BCC.
We've seen possible child abuse victims being exposed by the police. We've seen people who have HIV being outed.
We saw people who were bidding for bitcoin connected with the Silk Road. Sonos, they did a blunder as well. There's been a whole series of these things time and time again.
And I actually say, huzzah, isn't this fantastic? Isn't it great that sometimes the cybercriminals screw up like this? And thank goodness for screw-ups.
Because this hopefully will remind people that you've got to be a little bit more careful if you want to access your non-consensual porn, or maybe just avoid it altogether, because you could be sharing your personal information with people who, by the very definition of what they are doing, don't give a damn for people's privacy because they're creating this stuff.
So why should they take proper care of your details as well? So buyer beware. Beware is what I'm saying.
In the past, we've seen the Ministry of Defence, they've put lives of Afghan citizens at risk by using CC rather than BCC.
We've seen possible child abuse victims being exposed by the police. We've seen people who have HIV being outed.
We saw people who were bidding for bitcoin connected with the Silk Road. Sonos, they did a blunder as well. There's been a whole series of these things time and time again.
And I actually say, huzzah, isn't this fantastic? Isn't it great that sometimes the cybercriminals screw up like this? And thank goodness for screw-ups.
Because this hopefully will remind people that you've got to be a little bit more careful if you want to access your non-consensual porn, or maybe just avoid it altogether, because you could be sharing your personal information with people who, by the very definition of what they are doing, don't give a damn for people's privacy because they're creating this stuff.
So why should they take proper care of your details as well? So buyer beware. Beware is what I'm saying.
I think this journalist though has a pretty sweet job going on right now.
Well, only if you want to see a carrot and two vegetables grill.
I mean, how much do you want to see that?
Not really.
Yeah, sure, great. It's also fake. Yeah. Is it illegal to consume that kind of thing?
A carrot?
A carrot and two vegetables.
You guys.
Anna, what is your story this week?
So my story, let's talk about old photos. How many photos do you two have on your camera roll? Do you know, on your phone?
Too many. Tens of thousands, twenties of thousands, probably.
Yeah, I would think tens of thousands.
Yeah, I looked today, I've got nearly 60,000.
Bloody hell. Well, you've got two little kids, haven't you?
Yes.
You'd have taken lots of photographs of the first kid. Second kid, you kind of don't bother so much.
Does she even exist?
She does.
She does. Oh yes, and I also tend to take a few for each photo-taking opportunity. Maybe you have taken sensitive photos.
So maybe you're on a fitness journey, Graham, and want to document your body changes. Maybe you've done a bit of sexting, Carole.
So maybe you're on a fitness journey, Graham, and want to document your body changes. Maybe you've done a bit of sexting, Carole.
Yes, I do a lot of sexting.
How did you know?
Well, I've actually used an online skincare place where you upload photos of your completely naked face and they send you a formula to put on your face, and assessed by the state of your face without makeup.
All that is to say, there are some photos on my camera roll that I don't want to keep on my camera roll.
So I'll take them, use them for whatever purpose I need to use them for— wink wink, no judge— and then I'll delete them.
Because yeah, even though my phone is mine and no one has access to it, there are some things I don't want or need to be reminded of.
All that is to say, there are some photos on my camera roll that I don't want to keep on my camera roll.
So I'll take them, use them for whatever purpose I need to use them for— wink wink, no judge— and then I'll delete them.
Because yeah, even though my phone is mine and no one has access to it, there are some things I don't want or need to be reminded of.
Yeah, sometimes you take a screen grab, right? You take a screen grab to send to a group of friends on a chat, but you don't want it in your roll.
Exactly.
I don't know about you, but I— without naming any names or any individuals, and certainly not suggesting that it's me— if you have a particular painful part of your body which is not easily accessible, you might decide to take a photograph of it with your phone, just so you can see what's going on down there.
Sure.
Right?
You had a problem with your sack, and you took a picture.
I'm not going into any details.
Too veg.
And then delete it afterwards, because obviously you don't want it uploaded to the iCloud or to Google Photos or anything like that, or accidentally share it. So, you know—
Well, do you put your face in it as well?
Only accidentally if he's taking from below.
Hey! Thumbs up! Those are my potatoes. Oh god.
Anyway, yes, so the thing to do is, if you take those sort of photos, they're meant to be temporary, aren't they?
Or for a very brief duration. They're a moment in time.
Yes, exactly. You zap them, you destroy them.
Yes, get rid of them. Yes, exactly. So you don't want their photos to appear anywhere else, but you want— so you want to delete them straight away.
However, I'm doing a house renovation at the moment and people are often asking to see photos. So even though my phone is my own phone, people want to look at them.
However, I'm doing a house renovation at the moment and people are often asking to see photos. So even though my phone is my own phone, people want to look at them.
So say you're at the pub, people are asking, you know, what shade of cream did you get in your kitchen, or what level of turf did you go for?
And I say, let me get my camera out and show you. And people scroll through my phone and do they see—
And I say, let me get my camera out and show you. And people scroll through my phone and do they see—
Have they ended up seeing photos of your turf? Oh my God, that is embarrassing, isn't it?
Exactly. Tell me about it. I mean, it's brown at the moment.
Too much information.
I'm uncomfortable.
I've got the giggles now.
Okay.
And boy, do they scroll. They scroll through the renovation photos and they keep going.
Oh yes, yes, that's what happens. People keep on flicking away.
So I find that really rude and you're like, whoa. Yeah, you're like, oh thanks, take that back. Anyway, that's why I delete the photos I don't want to share on my camera roll.
Yeah.
Anyway, last week Apple issued an update for iPhones and iPads, iOS 17.5 if you're wondering, and it contains security fixes, updates to Apple News, very exciting.
And what is exciting is cross-platform tracking detection. So it will tell you now if a tracking device is moving with you, which is really good for anti-stalking measures.
Anyway, great, all good so far.
And what is exciting is cross-platform tracking detection. So it will tell you now if a tracking device is moving with you, which is really good for anti-stalking measures.
Anyway, great, all good so far.
Lots of people updated as they should, as good digital citizens. However, there was a bit of a surprise for some users.
So vacation photos that were taken in 2018 and deleted the same year ended up at the top of someone's photo album.
Those medical photos Graham someone took to keep an eye on a mole they had were back on the phone.
Those medical photos Graham someone took to keep an eye on a mole they had were back on the phone.
I don't think it was a mole that was living down there, but anyway, you go, okay, whatever it was, you shouldn't have sent them to me.
So, oh my God, those sexy photos taken with someone's ex-partner were back right at the top of the camera roll, easily, just easily accessible for the person's new partner to see.
Back at the top. So it's like your latest photos are things which you thought you'd deleted 6-odd years ago.
Exactly, yeah. And they were right at the top of the recent photos.
So people are freaking out, and lots and lots and lots and lots of people were posting on Reddit saying, what is going on?
So people are freaking out, and lots and lots and lots and lots of people were posting on Reddit saying, what is going on?
How's that even possible if you've deleted the photo?
Exactly, because you— so you delete a photo and it goes into your recently deleted album for 30 days. And when you delete a photo, it tells you it will be in an album for 30 days.
After that, it says it will be permanently deleted. But lots of the reports were photos that were deleted years ago, so they weren't in the recently deleted album.
After that, it says it will be permanently deleted. But lots of the reports were photos that were deleted years ago, so they weren't in the recently deleted album.
So it's not like it just surfaced them again. But obviously when you delete a file, it doesn't zap into unexistence.
Yeah, I think you have a problem with the word permanently, because you might think that means never to be seen again. And Anna, honestly, exactly.
I'm so naive.
You're just a little naive. Yeah, yeah, exactly.
Because the actor deletion, it just removes the pointer that tells you where the file is located. It doesn't actually erase the file.
So yeah, gives the impression that you're cutting ties with the data, but not that it's going to appear back in your photo albums. But until Apple says what happened, we won't know.
We probably won't know because they never say, but they have released a fix. They don't tell us.
So they said iOS 17.5.1 addresses a rare issue where photos that experience database corruption could reappear in the Photos library even if they were deleted.
So never trust that deleted items are actually gone forever.
So yeah, gives the impression that you're cutting ties with the data, but not that it's going to appear back in your photo albums. But until Apple says what happened, we won't know.
We probably won't know because they never say, but they have released a fix. They don't tell us.
So they said iOS 17.5.1 addresses a rare issue where photos that experience database corruption could reappear in the Photos library even if they were deleted.
So never trust that deleted items are actually gone forever.
No, sorry. No, oh, we fucked up.
No, no statement at all. That's just in the release notes. Jesus.
So— This is really bad because Apple, of course, likes to differentiate itself by saying, we're the ones who take privacy seriously.
The privacy company. I know.
Right? They've taken backup seriously. They've taken backup so seriously.
They've created one for you that you didn't know.
They're using AI probably. You don't really want to delete that. That's really—
Yeah, exactly. You thought you did, but actually we know better. And here it is again in your Recents folder.
Well, just before recording, my phone did tell me that this new update to Apple iOS was out. So I've just updated my iPhone.
Check your photos.
Yeah, check your photos.
Yeah.
Thank God I've lived an angel my whole life, so.
It's what I've heard.
Yep.
Carole, what's your story for us this week?
Okay, okay. So you two, you get a message via a trusted route, right? Whatever that may be for you, phone call, email, whatever, whatever you trust.
And huzzah, there is a fab new lucrative opportunity for you.
And huzzah, there is a fab new lucrative opportunity for you.
Oh, Graham, listen.
Yeah. And you guys the sound of fab new lucrative opportunities.
So you arrange a little chit chat because you know what's going on and, you know, And they say to you, you know, Anna, or to you, Graham, that they want to license your voice to become the chat assistant voice for ChatGPT's AI bot.
So you arrange a little chit chat because you know what's going on and, you know, And they say to you, you know, Anna, or to you, Graham, that they want to license your voice to become the chat assistant voice for ChatGPT's AI bot.
Right.
Understandable. Yeah.
Lovely.
So you're up for it? You're no problem.
Yeah, yeah, yeah.
No problem. Because I'm thinking once you record, you might get royalties if you work your cards right.
Yeah. I was going to say, how much are they paying?
Passive income. Hello.
Yeah.
Paid by the word would be good, wouldn't it?
Lovely.
And it would depend what the company was. But what if it was GB News or Vagisil, right? Or McDonald's?
I don't know that I'd care.
You wouldn't care?
Because then I could create my own videos with the voice of Vagisil or GB News saying things which they wouldn't. To differentiate myself. I could undermine them.
Yeah, but you have been signed into non-existence by the legal team, and you wouldn't be able to do that, Graham.
Oh, I see. Oh, the bloody legal team.
I know, they're always around.
Now, you guys all know about ChatGPT, and you remember their frontman, Sam Altman. We talked about it in episode 349. Yes, I did my research.
And this is where we covered the whole fiasco of his being ousted by OpenAI board, the dudes behind ChatGPT. This is the company that is heavily, heavily backed by Microsoft.
And at the time, the fight was all whether Sam Altman was moving a bit too fast and furiously and maybe not considering the AI commoditization potential fallout.
But weirdly, Altman was quickly brought back in, right? And OpenAI carried on as though nothing ever happened. That's my memory of it. It was crazy times.
So if Sam Altman calls you up, you guys are like, "Yeah, yeah, we're in." Well, actually, you don't agree right away.
You might kind of go, "Tell me more, please." And they say they want to use your voice because it sounds soothing, right? Sultry. Maybe, in Graham's case, like the Easter mouse.
And this is where we covered the whole fiasco of his being ousted by OpenAI board, the dudes behind ChatGPT. This is the company that is heavily, heavily backed by Microsoft.
And at the time, the fight was all whether Sam Altman was moving a bit too fast and furiously and maybe not considering the AI commoditization potential fallout.
But weirdly, Altman was quickly brought back in, right? And OpenAI carried on as though nothing ever happened. That's my memory of it. It was crazy times.
So if Sam Altman calls you up, you guys are like, "Yeah, yeah, we're in." Well, actually, you don't agree right away.
You might kind of go, "Tell me more, please." And they say they want to use your voice because it sounds soothing, right? Sultry. Maybe, in Graham's case, like the Easter mouse.
Graham's a well-established voice. He might not want his voice associated with—
Right! Right. And he knows that they can then use his voice to say anything they want, and he doesn't like that.
So—
But then say people start going crazy saying, "Oh my God, did you work with this company? Did you work with them?
Here's your voice." Because this is what happened to sultry voice Scarlett Johansson.
And she just issued a statement last week saying that she, 9 months ago, was approached by Sam Altman, right?
This was back in November, saying he wanted her voice to represent his new ChatGPT assistant voice. And he said her voice would be comforting to people. But she declined the offer.
Here's your voice." Because this is what happened to sultry voice Scarlett Johansson.
And she just issued a statement last week saying that she, 9 months ago, was approached by Sam Altman, right?
This was back in November, saying he wanted her voice to represent his new ChatGPT assistant voice. And he said her voice would be comforting to people. But she declined the offer.
Right?
Right. Yeah, yeah.
But then Sam demos the new chatbot on May 13th last week and, you know, saying, oh, it works faster than previous versions and can reason across text, audio, and video in real time.
And in the demo, the AI bot chatted in real time, adding emotion specifically more drama to its voice as requested.
But weirdly, all this, all this going on, it sounded an awful lot like Scarlett Johansson, the person who was approached but declined the offer of having her voice used in this way.
And in the demo, the AI bot chatted in real time, adding emotion specifically more drama to its voice as requested.
But weirdly, all this, all this going on, it sounded an awful lot like Scarlett Johansson, the person who was approached but declined the offer of having her voice used in this way.
And she was famously in a Hollywood movie, wasn't she? About an AI or something where she voiced it, I think.
Yeah, her. She did voice it. Exactly.
The other thing is CBC reported that many people commented during the demo on the strangely flirtatious moments that arose, which would not be expected in this instance.
So maybe you guys can try this out because this is what happened. Let's see if you can do this in a sultry way. Okay.
The other thing is CBC reported that many people commented during the demo on the strangely flirtatious moments that arose, which would not be expected in this instance.
So maybe you guys can try this out because this is what happened. Let's see if you can do this in a sultry way. Okay.
Okay.
So in one video posted by OpenAI, a female voice ChatGPT compliments a company employee on "Rocking an OpenAI hoodie." Is that sexy, wearing an OpenAI hoodie?
Is that a cock-up, Graham?
Is that a cock-up, Graham?
Not for me, no.
It's just— and another, the chatbot says, "Oh, stop it. You're making me blush," after being told it's amazing, right?
All right, yeah.
So Scarlett, later in her statement, she says, quote, "When I heard the released demo, I was shocked, angered, and in disbelief that Mr.
Altman would pursue a voice that sounded so eerily similar to mine that my closest friends and news outlets could not tell the difference." Oh dear.
Altman would pursue a voice that sounded so eerily similar to mine that my closest friends and news outlets could not tell the difference." Oh dear.
Do you think Sam Altman's got a thing for ScarJo, as I believe she's called?
Sounds like it, doesn't it?
Who doesn't? Come on. Anyone with a pulse.
And he probably thought, because he's a multimillionaire or whatever he is, that, you know, she'll just do it.
If I want, and if she doesn't want it, I'll just do it anyway, because what's the— Yeah. What's going to happen?
If I want, and if she doesn't want it, I'll just do it anyway, because what's the— Yeah. What's going to happen?
Well, that's what I think, because then maybe she'll make a big hoo-ha publicly. Doesn't hurt me none.
I don't think she's ever made a hoo-ha public.
Unless she's on—
Unless she's been using the wrong version of iOS.
Or on your AI generator. Animated photos.
I think he mentioned her actually by name, actually.
Oh, did you? Oh yeah, you did.
Yes, you did.
Oh yeah, yeah.
But see, Mr. Altman even insinuated that the similarity was intentional in a tweet, 'cause he did a single word tweet, "Her." Yeah.
Reference to the film in which she, you know, she voices the AI chat system. A week has passed.
What I'm finding amazing about this is one week has passed since the chatbot was demoed.
Johansson said that as a result of OpenAI's action, she was forced to hire legal counsel who wrote two letters to Altman and OpenAI setting out what they had done and asked them to detail the exact process by which they created the Sky voice.
That's what they call this AI voice, Sky. And guess what? Altman and OpenAI, rather than explain, decide to suspend the voice. Of Sky. That sounds a lot like Scarlett Johansson.
Reference to the film in which she, you know, she voices the AI chat system. A week has passed.
What I'm finding amazing about this is one week has passed since the chatbot was demoed.
Johansson said that as a result of OpenAI's action, she was forced to hire legal counsel who wrote two letters to Altman and OpenAI setting out what they had done and asked them to detail the exact process by which they created the Sky voice.
That's what they call this AI voice, Sky. And guess what? Altman and OpenAI, rather than explain, decide to suspend the voice. Of Sky. That sounds a lot like Scarlett Johansson.
But she's gonna want money because do you remember, I think it was Scarlett Johansson, there was some movie where she was going to get a percentage of the box office takings and because Disney or whoever it was decided to put it on streaming instead, or after one week of theatrical release, her earnings went down considerably.
Yeah.
She kicked off a fuss and ended up getting a big wodge of cash.
Good for her.
Well, I don't say no either. I agree with you. Now, I would expect she'll go after OpenAI and say, well, you may have taken it down, but you've still used my name.
You still used my voice. Yeah. Without permission, you asked and I told you no, but you went ahead and thought you could do this anyway. So I would think good for her.
You still used my voice. Yeah. Without permission, you asked and I told you no, but you went ahead and thought you could do this anyway. So I would think good for her.
100% agree. Okay, but yesterday, so this is on the 19th of May. So yesterday, day of recording, May 19th, a blog post comes up on OpenAI.
And one of the paragraphs says, okay, "We believe that AI voices should not deliberately mimic a celebrity's distinctive voice.
Sky's voice is not an imitation of Scarlett Johansson's, but belongs to a different person, different professional actress using her own natural speaking voice.
To protect her privacy, we cannot share the name of our voice talent." Of course.
And one of the paragraphs says, okay, "We believe that AI voices should not deliberately mimic a celebrity's distinctive voice.
Sky's voice is not an imitation of Scarlett Johansson's, but belongs to a different person, different professional actress using her own natural speaking voice.
To protect her privacy, we cannot share the name of our voice talent." Of course.
But she is also a professional sound-alike of Scarlett Johansson.
But I'm with you, I think this whole thing is a huge PR stunt.
He asked her, she said no, he said screw it, we're just gonna go ahead because it's going to get us loads of press coverage, and if she kicks up a fuss then that gives us more press coverage.
And look at here, they might even get on Smashing Security.
He asked her, she said no, he said screw it, we're just gonna go ahead because it's going to get us loads of press coverage, and if she kicks up a fuss then that gives us more press coverage.
And look at here, they might even get on Smashing Security.
That's why. Yeah, it's kind of invasive though, isn't it? Yes, it's horrible.
He's a total cockwomble, that's what he is.
What's more than that?
I think it's kind of digital abuse. There's this weird new thing. It's like, yeah, yeah, it's she said no, he did it anyway, and he's going, fuck you. It's a power play. It's gross.
Exactly. Yeah.
Yeah.
Mind you, if they wanted to use my voice, that'd be quite cool.
Would you have said yes?
I might have asked for about £100, so I'd a little bit of money, but yeah, that would— that, that— but yeah, I'd probably— I'd probably—
Yeah. And imagine the ego, Graham, if it was using your voice the whole time. It'd be great.
You could just listen to yourself. You could be like, live in your own echo chamber and never listen to anyone but yourself. And you'd be like, oh wow, this is so great.
Transcendental, man.
Transcendental, man.
I wouldn't have to turn up to this podcast each week.
No.
Just get ChatGPT 4.0 to do it.
Program it quickly, done.
I'm not sure anyone would notice, Graham.
If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with the click of a button, what would you say?
Sonrai Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions.
Even better, the solution maintains this level of risk reduction by automatically enforcing least privilege policies as new identities are added to the environment. What's better?
The fact that you can test drive the Sonrai Cloud Permissions Firewall for free for 14 days. Go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I.
And thanks to Sonrai Security for sponsoring the show.
If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with the click of a button, what would you say?
Sonrai Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions.
Even better, the solution maintains this level of risk reduction by automatically enforcing least privilege policies as new identities are added to the environment. What's better?
The fact that you can test drive the Sonrai Cloud Permissions Firewall for free for 14 days. Go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I.
And thanks to Sonrai Security for sponsoring the show.
Long-term sponsors Kolide were acquired by 1Password earlier this year, and both companies are leading the industry in creating security solutions that put users first.
Kolide Device Trust helps companies with Okta ensure that only known and secure devices can access their data, and that's what they're still doing, but now as part of 1Password.
So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today. That's K-O-L-I-D-E dot com/smashing.
And thanks to Kolide for supporting the show.
Kolide Device Trust helps companies with Okta ensure that only known and secure devices can access their data, and that's what they're still doing, but now as part of 1Password.
So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today. That's K-O-L-I-D-E dot com/smashing.
And thanks to Kolide for supporting the show.
If you are building a SaaS business, achieving compliance with ISO 27001, SOC 2, or other in-demand frameworks can unlock major growth for your company and establish customer trust.
However, this process is often time-intensive and costly. Vanta automates up to 90% of compliance work, getting you audit ready quickly and saving you up to 85% of associated costs.
And Vanta scales with your business with a market-leading trust management platform to help you continuously monitor compliance, unify risk management, and streamline security reviews.
Join 7,000 global companies like Atlassian, Flow Health, and Quora that use Vanta to build trust and prove security in real time. Watch Vanta's on-demand demo at vanta.com/smashing.
That's vanta.com/smashing. And thanks to Vanta for sponsoring the show.
However, this process is often time-intensive and costly. Vanta automates up to 90% of compliance work, getting you audit ready quickly and saving you up to 85% of associated costs.
And Vanta scales with your business with a market-leading trust management platform to help you continuously monitor compliance, unify risk management, and streamline security reviews.
Join 7,000 global companies like Atlassian, Flow Health, and Quora that use Vanta to build trust and prove security in real time. Watch Vanta's on-demand demo at vanta.com/smashing.
That's vanta.com/smashing. And thanks to Vanta for sponsoring the show.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. My Pick of the Week this week is a TV show. I have been watching it on BBC iPlayer, but it is not a BBC program.
Hmm.
It is a program which actually came from RTE, which is the Irish TV network, and it is a drama series called Kin. Have either of you seen Kin?
K-I-N. Oh, I think I have. I'm looking it up right now.
I've seen parts of it, but I had to stop.
Why did you stop? Because it wasn't very good?
No, no, I thought it was very good. But as a mother of a son, I couldn't watch it. I'll say no more.
I understand.
But it was too much.
So, Kin is a drama about warring gangsters.
And it stars Aidan Gillen, who you may remember from Queer as Folk back in the day, and Charlie Cox, who some people may know as Daredevil, and Claire Dunne.
And it is utterly binge-worthy, unless you have kids. Because you are watching the machinations amongst a family of criminals as they jockey for position and power.
In a struggle with another gang of criminals.
And apparently, it is actually inspired by a real-life and ongoing feud happening in Ireland between two criminal gangs, which I won't name in this podcast, because I don't want them showing up on my doorstep.
That has resulted in multiple deaths. I think it's very well written and directed. Brilliantly acted. Wonderfully violent.
And it stars Aidan Gillen, who you may remember from Queer as Folk back in the day, and Charlie Cox, who some people may know as Daredevil, and Claire Dunne.
And it is utterly binge-worthy, unless you have kids. Because you are watching the machinations amongst a family of criminals as they jockey for position and power.
In a struggle with another gang of criminals.
And apparently, it is actually inspired by a real-life and ongoing feud happening in Ireland between two criminal gangs, which I won't name in this podcast, because I don't want them showing up on my doorstep.
That has resulted in multiple deaths. I think it's very well written and directed. Brilliantly acted. Wonderfully violent.
It's very violent.
It's very violent.
Yeah, I'm not into that.
Yeah, probably not for kids. I don't watch many things like this, but I thought this was really good. And I've really enjoyed it.
So if you fancy something a little bit adult— You may want to plot out on a piece of graph paper the family tree, though.
I found it very difficult working out who was a brother of who, and who was a son, and who's the uncle, and hang on, how are they related? So, get your pen and paper out.
But really, really good. Really enjoyed it. Kin, which is on BBC iPlayer if you can't find it elsewhere. Anna, what's your pick of the week?
So if you fancy something a little bit adult— You may want to plot out on a piece of graph paper the family tree, though.
I found it very difficult working out who was a brother of who, and who was a son, and who's the uncle, and hang on, how are they related? So, get your pen and paper out.
But really, really good. Really enjoyed it. Kin, which is on BBC iPlayer if you can't find it elsewhere. Anna, what's your pick of the week?
My pick of the week is a bit different, but I wanted to talk about it because it's— Well, I like it anyway. So, have you heard about The Portal that everyone's been talking about?
The Portal? No.
So, it's a visual arts exhibition in Dublin and New York, and it's created by a guy called Benedictus Gillis. And so in Dublin and in New York, there's a giant circular screen.
It looks like a massive porthole and a video camera which broadcasts a live stream from one side to the other.
So people in Dublin can see people in New York, and people in New York see people in Dublin. They can interact, they can make faces.
It looks like a massive porthole and a video camera which broadcasts a live stream from one side to the other.
So people in Dublin can see people in New York, and people in New York see people in Dublin. They can interact, they can make faces.
Kind of like a FaceTime.
Yeah, like a giant FaceTime. So I think that's nice, friendly fun, right?
And I've got friends in New York, and if the portal was nearer to me than Dublin, I'd definitely give it a go. I'm not going to go to Dublin for it.
However, we can't have nice things, so a man mooned the camera. Someone took drugs on camera, an OnlyFans model flashed the portal, and it was closed down.
And I've got friends in New York, and if the portal was nearer to me than Dublin, I'd definitely give it a go. I'm not going to go to Dublin for it.
However, we can't have nice things, so a man mooned the camera. Someone took drugs on camera, an OnlyFans model flashed the portal, and it was closed down.
Was it a nice butt that was being mooned?
Oh, I didn't see it. I've seen the OnlyFans one. Yeah, so they had to close it down for a bit. It's up again now.
They've implemented more safety features, so if you hold a phone up, or if you step onto the exhibit, it will blur the screen.
But anyway, I think it's a nice thing, and I think people shouldn't ruin nice things. So I'm glad it's back.
They've implemented more safety features, so if you hold a phone up, or if you step onto the exhibit, it will blur the screen.
But anyway, I think it's a nice thing, and I think people shouldn't ruin nice things. So I'm glad it's back.
It's just because everyone wants their 10 seconds of fame now, right? And they'll do anything.
I know. Yeah, I know.
And everyone's an exhibitionist. Now we've been denied the pleasure of seeing our deleted photos popping up on our iPhones anymore after the update.
Gotta get the kicks where you can.
Exactly. Exactly. That's what you gotta do. How funny. Carole, what's your pick of the week?
So I was arting it up this past weekend. Thank you both of you came to the show. Fantastic.
Aw. My pleasure.
And because I was doing that, my Yeti, my other half, said he would make us a fancy yummy dinner for Sunday evening. Had finished everything. Lovely, I say, right?
So I come home after, I don't know, it's probably about 7 o'clock on Sunday, happy but so exhausted from the day. But the smells from the kitchen were out of this world.
He made me chicken rendang. It's slow-cooked chicken and braised in coconut milk and full of spices and herbs.
And you've gotta make it the day before and let it sit and all this stuff. So good. It was so good. Mind-blowing. So I was, you know, where'd you get this? And he was, Felicity Cloake.
Right now she does a food column called How to Cook the Perfect from The Guardian.
So I come home after, I don't know, it's probably about 7 o'clock on Sunday, happy but so exhausted from the day. But the smells from the kitchen were out of this world.
He made me chicken rendang. It's slow-cooked chicken and braised in coconut milk and full of spices and herbs.
And you've gotta make it the day before and let it sit and all this stuff. So good. It was so good. Mind-blowing. So I was, you know, where'd you get this? And he was, Felicity Cloake.
Right now she does a food column called How to Cook the Perfect from The Guardian.
Oh, yeah.
Yeah. You used her before.
Yeah. Yeah.
She's great.
I'm sure I've mentioned her on this in Pick of the Weeks in previous years, but she's a fantastic resource for those of you to kind of go, I want to try and make this, but it's kind of your first time doing a dish.
Because she'll kind of go through about 5 different approaches to how people make it, and then she'll take the best bits for her and why she's taking it, and then put it into a whole new recipe.
I'm sure I've mentioned her on this in Pick of the Weeks in previous years, but she's a fantastic resource for those of you to kind of go, I want to try and make this, but it's kind of your first time doing a dish.
Because she'll kind of go through about 5 different approaches to how people make it, and then she'll take the best bits for her and why she's taking it, and then put it into a whole new recipe.
Yeah. It's very cool.
So my pick of the week is 2 things. One, Felicity Cloake's How to Cook the Perfect Chicken Rendang, and any of her recipes. But also, my Yeti for looking after me.
Aw.
You know?
He's so good.
He is good.
And he is a great chef.
Yeah, I know he's taken over now. He's better than me, which really sucks because that was my little thing. But, uh—
You are both excellent.
But give him a paintbrush, Carole. He'd probably be better at you than me.
He probably fucking would be. Honestly.
Now, Carole, you've been busy this week, haven't you? You've been chatting to the chaps at Sonry.
Yes, had a really illuminating chat with Sandy Bird, co-founder and CTO at Sonry Security. Listen up. So, a treat for you listeners out there.
We have a cloud security expert in the hot seat, and this guy knows his security onions. Sandy Bird. Sandy is the co-founder and the CTO at Smashing Security.
This is the company that helps you protect your data by securing all the stuff in the cloud. But these guys take a different approach and we are gonna find out just how it works.
But first, welcome to Smashing Security, Sandy.
We have a cloud security expert in the hot seat, and this guy knows his security onions. Sandy Bird. Sandy is the co-founder and the CTO at Smashing Security.
This is the company that helps you protect your data by securing all the stuff in the cloud. But these guys take a different approach and we are gonna find out just how it works.
But first, welcome to Smashing Security, Sandy.
Hey, thanks for having me, Carole.
Our pleasure completely. Now maybe, Sandy, you could tell us a little bit about yourself and what led you to co-found Sonry Security.
Yeah, look, I think for 20 years now I've been doing some form of security work.
I spent the early parts of my career doing analytics on log data to find, you know, odd patterns and threats and things of that nature.
But as I moved along my career path, I spent a lot of time, especially when I was at IBM after they acquired Q1 Labs, looking at all of the aspects of security, identity security, application security, all of these things.
And one of the things that I thought was so intriguing about cloud and our transition to cloud was that most of the controls were identity-based in terms of keeping the good guys in and keeping the bad guys out from that perspective.
I spent the early parts of my career doing analytics on log data to find, you know, odd patterns and threats and things of that nature.
But as I moved along my career path, I spent a lot of time, especially when I was at IBM after they acquired Q1 Labs, looking at all of the aspects of security, identity security, application security, all of these things.
And one of the things that I thought was so intriguing about cloud and our transition to cloud was that most of the controls were identity-based in terms of keeping the good guys in and keeping the bad guys out from that perspective.
Right, authentication, you mean, so the right person has access.
Authentication, access, permissions.
Sometimes in cloud, it gets a little gray as to where the authentication is happening and exactly how it's happening, especially when you have things like resource policies.
Absolutely, it's the key thing that controls that whole world. And so I just found it really intriguing.
I thought we could do a better job for the first time in cloud than we maybe did in enterprise, and that's what started Smashing Security on a better model for access.
Sometimes in cloud, it gets a little gray as to where the authentication is happening and exactly how it's happening, especially when you have things like resource policies.
Absolutely, it's the key thing that controls that whole world. And so I just found it really intriguing.
I thought we could do a better job for the first time in cloud than we maybe did in enterprise, and that's what started Smashing Security on a better model for access.
Okay, so you've hinted a bit at this, but you're trying to solve this specific problem and you guys seem to have taken a different route as to how to handle it.
So can you tell us a little bit about that?
So can you tell us a little bit about that?
No path is a straight line, Carole. I wish it was.
You don't really—it would be boring. Come on.
It would be so boring.
I had this hypothesis probably 4 years ago when we started Sunree that because we had all of the audit data for every identity and what it was doing in the cloud, and we had a representation of all of the access policies and role assignments and things depending on which cloud you're in—they're called different things, but basically the mapping of the permissions to the identities—we could correlate the two together and get a perfect picture of what it should look like, and then we could basically correct it all and make it perfect.
And after spending 4 years of my life trying to get people to do that, I realized there's a couple fundamental flaws in it.
One is that at the scale of cloud, you have many different teams building apps for different purposes, and the centralized—they call them different things—cloud infrastructure team, cloud ops, cloud, they have different names, but the central team that governs that whole cloud infrastructure didn't have control of the development teams and what they were doing.
So they were basically, you know, they could build the perfect policy, they could put it in a Jira ticket and say, you have to go fix this.
But if the team didn't do it, it just never got corrected.
And we would see customers that after a year had just not corrected very many of these kind of least privileged problems that they had.
And we had this—this is a good story, Carole. I had this one very successful customer: they had 2,000 of them that they fixed in a 10-month period.
But I think we measured it—I think they had more than 2,000 new identities at the end of the 10 months. So you know what I mean? They're just falling further behind.
I had this hypothesis probably 4 years ago when we started Sunree that because we had all of the audit data for every identity and what it was doing in the cloud, and we had a representation of all of the access policies and role assignments and things depending on which cloud you're in—they're called different things, but basically the mapping of the permissions to the identities—we could correlate the two together and get a perfect picture of what it should look like, and then we could basically correct it all and make it perfect.
And after spending 4 years of my life trying to get people to do that, I realized there's a couple fundamental flaws in it.
One is that at the scale of cloud, you have many different teams building apps for different purposes, and the centralized—they call them different things—cloud infrastructure team, cloud ops, cloud, they have different names, but the central team that governs that whole cloud infrastructure didn't have control of the development teams and what they were doing.
So they were basically, you know, they could build the perfect policy, they could put it in a Jira ticket and say, you have to go fix this.
But if the team didn't do it, it just never got corrected.
And we would see customers that after a year had just not corrected very many of these kind of least privileged problems that they had.
And we had this—this is a good story, Carole. I had this one very successful customer: they had 2,000 of them that they fixed in a 10-month period.
But I think we measured it—I think they had more than 2,000 new identities at the end of the 10 months. So you know what I mean? They're just falling further behind.
It's playing catch-up, though.
I think a lot of companies must be in that position because I suspect not all IT people are extremely au fait with actually tackling these things on their own, right?
They may be tasked with the job, given no resources to actually do it, and that can lead to you chasing your tail a little bit, do you think?
I think a lot of companies must be in that position because I suspect not all IT people are extremely au fait with actually tackling these things on their own, right?
They may be tasked with the job, given no resources to actually do it, and that can lead to you chasing your tail a little bit, do you think?
I think it's exactly true. You know, we always blame—security comes last.
It doesn't really come last, but the reality is there's a lot of different priorities for these teams and their goal to get stuff out the door and be innovative, and they should be gold that way.
And so we started to do some measurements of this, and I think one of the key things—you kind of say different teams—the longer people were in cloud, the worse it got.
And we kind of did this interesting data report where we saw that.
It doesn't really come last, but the reality is there's a lot of different priorities for these teams and their goal to get stuff out the door and be innovative, and they should be gold that way.
And so we started to do some measurements of this, and I think one of the key things—you kind of say different teams—the longer people were in cloud, the worse it got.
And we kind of did this interesting data report where we saw that.
How do you mean longer in cloud? They were early adopters or that kind of thing?
Early adopter in cloud now is many years.
But even if you were in cloud for 5 years, say, if you were there for 5 years, the amount of, we'll call it cyber litter in your cloud, you know, identities that are there that have permissions that haven't been used in 2 years, that number just grows and grows and grows.
And then the same thing with these excessive permissions, right?
People give them, they didn't know how to get the workload to work, so they gave it star permissions, but then they don't use it anymore.
And 2 years later, it's still sitting there. And these numbers just kept getting bigger and bigger and bigger the longer people were in cloud. So yeah, big problem.
But even if you were in cloud for 5 years, say, if you were there for 5 years, the amount of, we'll call it cyber litter in your cloud, you know, identities that are there that have permissions that haven't been used in 2 years, that number just grows and grows and grows.
And then the same thing with these excessive permissions, right?
People give them, they didn't know how to get the workload to work, so they gave it star permissions, but then they don't use it anymore.
And 2 years later, it's still sitting there. And these numbers just kept getting bigger and bigger and bigger the longer people were in cloud. So yeah, big problem.
And it gets complicated because the environments get more complex. Some people have permissions. They've left the company. Those doors haven't been closed. New people come in.
You give them too many permissions. They have access to stuff they shouldn't have access to. And then to kind of clean that up is a bit trying to clean out my email at the moment.
You know, I just look the other way.
You give them too many permissions. They have access to stuff they shouldn't have access to. And then to kind of clean that up is a bit trying to clean out my email at the moment.
You know, I just look the other way.
I think that was the biggest epiphany I had. We were trying to get people to do the most simple task, which is, look, just delete the stuff that hasn't been used in a long time.
Here's a perfect list of the 10,000 identities that haven't been used because it's a mix of people and workload identities, right? So you have both sides.
And so it was this very large list and no one would do it. And the reason it was perfectly automated, could be done in a minute, you know, but no one would do it.
And you say, well, why won't you do this? Well, I'm afraid you've got it. The fear, the fear comes in. There's so many examples they give us, Carole.
Sometimes it's, as you say, those people have left the company. I don't know how that thing's configured.
And if we take it away and someone asks me to put it back, I can never put it back. I don't know how to do that, right? Or, you know, that's a break glass account.
We don't want to delete that one. Okay, well, do you have a list of all your break glass accounts? I don't think we do. You know, and so there's lots of excuses.
And so we really had to invent a different way, which is really what we're into now, which is let's not try to make everything perfect.
Let's get people to a great state automate it, do it super quick, and then have a way to get the permissions back if you need them.
Here's a perfect list of the 10,000 identities that haven't been used because it's a mix of people and workload identities, right? So you have both sides.
And so it was this very large list and no one would do it. And the reason it was perfectly automated, could be done in a minute, you know, but no one would do it.
And you say, well, why won't you do this? Well, I'm afraid you've got it. The fear, the fear comes in. There's so many examples they give us, Carole.
Sometimes it's, as you say, those people have left the company. I don't know how that thing's configured.
And if we take it away and someone asks me to put it back, I can never put it back. I don't know how to do that, right? Or, you know, that's a break glass account.
We don't want to delete that one. Okay, well, do you have a list of all your break glass accounts? I don't think we do. You know, and so there's lots of excuses.
And so we really had to invent a different way, which is really what we're into now, which is let's not try to make everything perfect.
Let's get people to a great state automate it, do it super quick, and then have a way to get the permissions back if you need them.
I love it. Now, you guys have, at Sonrai, have just put out your findings on basically cloud research and how, you know, we use or misuse it.
So first question would be, what question were you really hoping to answer in putting out this research?
So first question would be, what question were you really hoping to answer in putting out this research?
One of the problems that we had was we were going to build this new method that said, we're going to cut off the most sensitive permissions from everything that doesn't use it.
And grant it back to the things that did. And so we needed to measure that to understand what that gap was.
The second part of that though was step 2, which was, okay, well, if a new workload gets built tomorrow or something that's old needs it back, you want to wake up one of those old identities.
How many times would that happen to an average team? And so we needed to measure that.
So we, because we did that, we took a large set of our public cloud customers and we kind of did these overall statistics across them so that we could get a bunch of these numbers so we could give people confidence that, you can do this, it solves a massive gap, but the burden on the team on the next day will be low.
And so that's why we built the report. Some of the numbers that came out of it are kind of surprising. They're higher than I would have thought of.
I think you can divide them between things that I assumed that were correct and things that I assumed that are wrong.
And grant it back to the things that did. And so we needed to measure that to understand what that gap was.
The second part of that though was step 2, which was, okay, well, if a new workload gets built tomorrow or something that's old needs it back, you want to wake up one of those old identities.
How many times would that happen to an average team? And so we needed to measure that.
So we, because we did that, we took a large set of our public cloud customers and we kind of did these overall statistics across them so that we could get a bunch of these numbers so we could give people confidence that, you can do this, it solves a massive gap, but the burden on the team on the next day will be low.
And so that's why we built the report. Some of the numbers that came out of it are kind of surprising. They're higher than I would have thought of.
I think you can divide them between things that I assumed that were correct and things that I assumed that are wrong.
Okay.
I knew the number of workload identities was higher than the number of people identities when you look at public cloud.
The whole point of these things is to build workloads that do amazing things and build products on top of. So they should have a lot of workload identities.
And by average, you would see that split, you know, 20/80, 20% people, 80% workload identities. And I think that's a good mix.
The whole point of these things is to build workloads that do amazing things and build products on top of. So they should have a lot of workload identities.
And by average, you would see that split, you know, 20/80, 20% people, 80% workload identities. And I think that's a good mix.
Yeah.
What really surprised me though, when we looked at the, we'll call it two main use cases.
One is these sensitive permissions that are granted to an identity that are not used, and then identities which are not used at all.
One is these sensitive permissions that are granted to an identity that are not used, and then identities which are not used at all.
So they're never touched by anybody. No one.
They're never touched at all. Right? If we look at these sensitive permissions, the workload ones are really interesting. You end up with this.
So across all identities, 92% of the identities sitting in the cloud have at least one of these very sensitive permissions, which it's not using.
So across all identities, 92% of the identities sitting in the cloud have at least one of these very sensitive permissions, which it's not using.
Oh.
However, 87% that contribute to that are the workload identities. So the workload identities are actually, the people identities are actually not as bad.
You know, we always joke that we give humans too many credentials. Well, apparently we give the workload identities way too many credentials.
They're way worse than the humans are in this particular case.
You know, we always joke that we give humans too many credentials. Well, apparently we give the workload identities way too many credentials.
They're way worse than the humans are in this particular case.
Can you give us a tangible example? So maybe some of our listeners are not the IT person. So what does that mean?
So say as an example, you know, you have a— we use a simple example. You have some big website that, you know, I don't know, books taxi drives for people or something.
You know, these apps exist and they run on these public cloud infrastructures.
You know, these apps exist and they run on these public cloud infrastructures.
Okay.
And when it goes to do that, you know, it needs to maybe update a record in a database. That makes sense.
You know, somebody's gonna book a ride, we gotta put a record in a database so we can schedule their driver.
You know, somebody's gonna book a ride, we gotta put a record in a database so we can schedule their driver.
Mm-hmm.
Well, when it goes to update that record, it needs a permission to probably write a record into a table or something.
But the developer probably couldn't get it to work the way that they wanted to.
And if they were using a cloud service for that database, BigQuery and GCP or DynamoDB and Amazon, maybe they just gave it the star permission for the entire database.
And then they try it and it worked and they're like, great, it works. I'm gonna move on to my next thing. Right.
But they didn't need all of the, they didn't need to delete the database, they didn't need to create a new database, they didn't need to do all those things, but they gave it too many permissions.
And so when an attacker gets ahold of that, well, they can destroy your world, they can ransomware the data, they can do all these types of things.
And it's these workload identities that are so over-permissioned that way.
But the developer probably couldn't get it to work the way that they wanted to.
And if they were using a cloud service for that database, BigQuery and GCP or DynamoDB and Amazon, maybe they just gave it the star permission for the entire database.
And then they try it and it worked and they're like, great, it works. I'm gonna move on to my next thing. Right.
But they didn't need all of the, they didn't need to delete the database, they didn't need to create a new database, they didn't need to do all those things, but they gave it too many permissions.
And so when an attacker gets ahold of that, well, they can destroy your world, they can ransomware the data, they can do all these types of things.
And it's these workload identities that are so over-permissioned that way.
Yeah. I can totally imagine that. You know, if it's hard to get my key, you know, one key out for my neighbor to keep an eye on what's in the garage, I can give 'em the whole set.
And if he's— yeah, and I just go, don't worry about it.
And if he's— yeah, and I just go, don't worry about it.
He's a good guy.
Not going to worry about it. Nothing's happening badly right now. But then years go by and years go by and time goes on and that's still just sitting there, right?
Exactly. Exactly.
So was there anything in there that you thought, God, why haven't we learned how to fix this yet?
Anything like that in the report where you thought, look, you know, what's frustrating you in terms of what IT people aren't able to do or aren't doing yet that would help them immensely?
Anything like that in the report where you thought, look, you know, what's frustrating you in terms of what IT people aren't able to do or aren't doing yet that would help them immensely?
I think in the data report, there's a thing that we're doing with human identities that we're not doing with the machine identity.
So I go back to this unused example, and when you split that report between machine and humans, we find out that 12% of the human identities that are in the cloud are unused.
Well, that means, you know, there's almost 90% that are used. And so that's not perfect, but it's pretty good.
And what that probably means is our, we always call it the leave or move or joiner problem in humans.
When they leave the company, when they join the company, when they move groups, we're probably doing an okay job of their permissions and getting them at least in the cloud.
And when they're not there supposed to be there anymore, we're removing them. And so that way, reason you don't have that many unused human identities.
But the non-people identity, this is one of the highest statistics in the report, like 88%. Of the 61% of completely unused identities were these machine identities.
And what it probably means is there's no process in companies to clean this stuff up. You know, it's not—
So I go back to this unused example, and when you split that report between machine and humans, we find out that 12% of the human identities that are in the cloud are unused.
Well, that means, you know, there's almost 90% that are used. And so that's not perfect, but it's pretty good.
And what that probably means is our, we always call it the leave or move or joiner problem in humans.
When they leave the company, when they join the company, when they move groups, we're probably doing an okay job of their permissions and getting them at least in the cloud.
And when they're not there supposed to be there anymore, we're removing them. And so that way, reason you don't have that many unused human identities.
But the non-people identity, this is one of the highest statistics in the report, like 88%. Of the 61% of completely unused identities were these machine identities.
And what it probably means is there's no process in companies to clean this stuff up. You know, it's not—
Exactly. Yeah, I understand. Yeah.
The auditor comes in, the auditor doesn't say, well, did you remove the serverless function's identity when it was no longer used? You know, they don't ask those questions.
And so I think that's why there's so much of that kind of litter that gets left over.
And so I think that's why there's so much of that kind of litter that gets left over.
Yeah. Any advice? Okay, so just before we close, is there any advice? So someone's listening right now and going, yeah, oh, this feels like this could be good for me.
You know, how do I go about it? What would be their first steps to take?
You know, how do I go about it? What would be their first steps to take?
Yeah, I think, you know, we have several, you know, if you're, and I'll use AWS as the example, you know, Azure and GCP have similar functions here.
There are centralized controls in all three clouds where you can actually cut off the craziest permissions that don't need to be there.
You know, I joke Azure has this really interesting permission that allows you to take a disk volume on a running virtual machine and make it a public URL on the internet.
I don't know why you would ever want to do that, but the permission exists.
There are centralized controls in all three clouds where you can actually cut off the craziest permissions that don't need to be there.
You know, I joke Azure has this really interesting permission that allows you to take a disk volume on a running virtual machine and make it a public URL on the internet.
I don't know why you would ever want to do that, but the permission exists.
And so, yeah, you sneeze and you have your finger on the mouse.
Yeah, exactly. And it happens. And so in those scenarios, maybe you want to put some centralized controls in to block the things you really don't want to have happen, right?
If you don't want pre-signed URLs of your analytics workloads and machine learning workloads, let's block those centrally. And the clouds all have ways to do that.
The other thing is that all of the clouds have inventories where you can see how long it's been since identities have been used.
You should be looking through that once in a while and cleaning that up and having a process for that.
Have a hack day for 4 hours one morning where you just get the team in a room and say, we're going to look at our one account here and we're going to look at 50 identities and remove those if they're not used.
And that's a good way to start if you don't have tooling to help with this stuff.
If you're the type of company that can afford tooling, then you look at something like Smashing Security and we can automate huge amounts of this.
We can divvy the work out to the teams. We can cut these things off with this cloud permissions firewall really quickly. There's ways to do it at scale and easier.
But even if you don't, you're a small company, you're a startup, there's still something you can do just by actually taking a look at those identities that are unused and centrally blocking the things that you really don't want to happen in your cloud.
If you don't want pre-signed URLs of your analytics workloads and machine learning workloads, let's block those centrally. And the clouds all have ways to do that.
The other thing is that all of the clouds have inventories where you can see how long it's been since identities have been used.
You should be looking through that once in a while and cleaning that up and having a process for that.
Have a hack day for 4 hours one morning where you just get the team in a room and say, we're going to look at our one account here and we're going to look at 50 identities and remove those if they're not used.
And that's a good way to start if you don't have tooling to help with this stuff.
If you're the type of company that can afford tooling, then you look at something like Smashing Security and we can automate huge amounts of this.
We can divvy the work out to the teams. We can cut these things off with this cloud permissions firewall really quickly. There's ways to do it at scale and easier.
But even if you don't, you're a small company, you're a startup, there's still something you can do just by actually taking a look at those identities that are unused and centrally blocking the things that you really don't want to happen in your cloud.
Brilliant. Is there anything else that you'd like to add, Sandy?
Hey look, I think Carole, everyone should take a look at this data report. It's really interesting, the statistics in it.
And if it's something you're interested in trying to clean up, we've got some links to our website and ways people can do free trials of some of the tools that help manage this.
And if it's something you're interested in trying to clean up, we've got some links to our website and ways people can do free trials of some of the tools that help manage this.
You've heard Sandy, listeners.
You can read Sonrai's latest research and try its cloud permission firewall for free, 'cause you never know, you might be leaving a bit too much on show.
So go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I. And Sandy Bird, what a pleasure. CTO and co-founder of Sonrai Security. For coming on the show. Thanks, Carole.
You can read Sonrai's latest research and try its cloud permission firewall for free, 'cause you never know, you might be leaving a bit too much on show.
So go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I. And Sandy Bird, what a pleasure. CTO and co-founder of Sonrai Security. For coming on the show. Thanks, Carole.
Fascinating stuff. And that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What's the best way for folks to do that?
What's the best way for folks to do that?
I'm @AnnaBrading on X, or Twitter.
Ugh.
And you can follow us on Twitter @SmashingSecurity. Smashing Security, no G, Twitter, and don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
And huge shout out to our episode sponsors, Vanta, Sonrai, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 372 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 372 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye. Bye-bye.
Ah, well done. It was all a bit grubby. All a bit grubby this week. With the portal, with the OnlyFans flashing, with the photos.
With the non-consensual.
Oh.
I wasn't grubby.
I know you weren't that grubby, although I think Sam Altman might be a bit of a—
No, I just think we already knew that he was a bit doolally.
It's weird. That is weird.
Yeah, creepy.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Anna Brading – @annabrading
Episode links:
- When NASA Lost a Spacecraft Due to a Metric Math Mistake – Simscale.
- The worst sales promotion in history – The Hustle.
- Nonconsensual AI Porn Maker Accidentally Leaks His Customers’ Emails – 404 Media.
- UK’s Ministry of Defence fined after Bcc email blinder that put the lives of Afghan citizens at risk – Hot for Security.
- £200,000 fine for exposing possible child abuse victims in classic Cc/Bcc email blunder – Graham Cluley.
- Apple’s Photo Bug Exposes the Myth of ‘Deleted’ – Wired.
- OpenAI Voice Scandal: Sky’s Fall From Grace – YouTube.
- How the voices for ChatGPT were chosen – OpenAI.
- As AI becomes more human-like, experts warn users must think more critically about its responses – CBC News.
- What We Lose When ChatGPT Sounds Like Scarlett Johansson – The New York Times.
- Scarlett Johansson’s Statement About Her Interactions With Sam Altman – The New York Times.
- Kin TV series – Wikipedia.
- Portal connecting Dublin and New York ‘reawakens’ under new restrictions after ‘inappropriate behaviour’ – Sky News.
- How to cook the perfect chicken rendang – recipe – The Guardian.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Sonrai’s Cloud Permissions Firewall – A one-click solution to least privilege without disrupting DevOps. Start a 14 day free trial now!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
