Smashing Security podcast #398: Fake CAPTCHAs, Harmageddon, and Krispy Kreme

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


This week, we delve into the dark world of fake CAPTCHAs designed to hijack your computer. Plus, the AI safety clock is ticking down – is doomsday closer than we think? And to top it off, we uncover the sticky situation of Krispy Kreme facing a ransomware attack.

All this and more is discussed in the latest jam-packed edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley of “The AI Fix” podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Have you heard of these fake CAPTCHAs before, Graham? No, but I've heard of, you know, copying and pasting things into... Yes, yes, well done, well done.

Mark Stockley

Yes, we've got copy and paste. Are you telling me copy and paste isn't safe anymore, Graham?

Graham Cluley

Smashing Security, episode 398, Fake CAPTCHAs, Harmageddon and Krispy Kreme, with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 398. My name's Graham Cluley. And I'm Carole Theriault.

Mark

Now, Carole, Christmas is rapidly approaching and what better can we do than deliver to everyone a little present in the form of a special guest? Returning to the show, we have Mr. Mark Stockley from the AI Fix podcast. Thank you very much. I've never been described as a little present before.

Carole

No, me neither. I'm just picturing you with your legs coming out of a box.

Mark

Maybe he meant not fully present rather than like a small map package.

Carole

Yes, this is our last episode for a few weeks. We'll be back, obviously, in the new year, 2025.

Mark

Oh, my God. Oh, my God. Yeah. Now, we've had some feedback from listeners. A couple of them have been in touch. First up, Nathan White. He's been in touch and he says, Graham, I don't think you should let Carole disparage you. That's not the end of his message. He says, being born in 1969 puts you in Gen X, not the boomer generation. Tsk, tsk, Carole. And similarly, listener Evans got in touch, said, hey, guys, love the show. Want to make a slight correction. Graham was born in 1969. He's a Gen Xer rather than a boomer. Be proud, Graham. You are part of the best generation. Carole, it looks like we are in the same generation. So embarrassing that you're in my generation. Do you wish to make a formal apology to our listeners?

Carole

No, I do not. If you guys knew Graham, you would understand why I made that mistake. I just think it was innocent.

Mark

You're saying spiritually he's a boomer.

Carole

Spiritually he's definitely a boomer. Definitely. What, you're letting me hang on not apologising? I'm okay with that.

Mark

Let's kick off the show, shall we?

Carole

Okay, that's what I'm going to do. I'm going to kick off the show instead. Let's thank this week's wonderful sponsors, 1Password, BigID and ThreatLocker. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be saying don't get caught out by CAPTCHAs.

Carole

Okay, and what about you, Mark?

Mark

I thought we'd keep it light. I'm going to talk about the end of the world.

Carole

The end of the world. Wonderful. And I'll keep it light and talk about how hackers almost stole Grinchmas. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums. My topic for today all revolves around completely automated public Turing tests to tell computers and humans apart. Sorry, Turing tests? Yes. Is that a test to see if you're in Italy? Turing tests, as in Alan Turing, as in Bletchley Park. Oh, there's a G on the end, sorry. There is. I quite often drop the G. It's a little bit Twitter used to do with our smashing security account. So these are also known as CAPTCHAs. And as you know, CAPTCHAs are used by websites to stop bots getting in. They're supposed to be able to tell the difference between a human and a computer. They'll ask you to complete a test or a task designed to be easy for humans to complete, but tricky for a computer. It's funny that they say CAPTCHAs are supposed to be easy for humans to complete, aren't they? Because that's not always been my finding.

Carole

Yeah, they're weird. Some of them recently are, you know, spot the bus, for example. And then there's these tiny little images. There's nine of them. And you have to go through and go, is that a tiny bit of a bus mirror? Are you wearing your glasses, Carole? Because I know you are of a generation, which maybe requires glasses now. Is it that you need to increase the resolution on your screen, perhaps?

Carole

No, actually, I've been wearing glasses since I was 16, actually, Graham.

Graham

Time for a new prescription. Perhaps.

Carole

No, but you know what I mean? I find it sometimes difficult. I'll get them, but they do slow me down. Yeah. Yeah. Have you ever used the dark web? Me? No. No. Might have done. Might have done. Who's asking? Have you ever been to a marketplace on the dark web? The kind of place where you can go and buy stolen driver's licenses or drugs or anything like that? Right, right. Yeah, you type in the word that, yep, yep. And then they go, yes, you're correct. That's right. Crazy human eyes were able to make that out, but a computer never would be able to.

Mark

So what might surprise you is a lot of those CAPTCHAs, they knew what the first word was. They didn't know what the second one was. And so they actually are testing you on the first word and they're trying to work out what the second one is by asking thousands and thousands of people, what is this second word? We think it's a word. What is it?

Carole

Well, because the CAPTCHA system needs motivation?

Mark

No, because the CAPTCHA system needs training. Right. And so when enough thousands of people have said, oh, that second word is equinox or whatever it might be, then it might start using it as the first word. Once it trusts that enough people have said the same thing, the same answer for that. That's cute.

Carole

Yeah, yeah, that's very cute. I like that. So over time, the CAPTCHA learns. Now, that has another benefit. So millions and millions of people around the world are telling these systems what scrawly squiggles actually say. So are you a human? He, he, he, he, he. I will show them. I feel played. I'm not sure. I've been in a car with you as the passenger. I'm just saying. I know they've got a green light, they've got an amber light, they've got a red light, right? I know that. This is very interesting and very insightful into how your brain works, that you would think. Oh, come on. You must have done CAPTCHAs like this and thought, am I clicking on the real thing or not? Is this really what they mean? Is this really what the correct answer is? And let me get more meta than that. We have been training ourselves at getting better at understanding what these CAPTCHAs want from us when they say, pick out the traffic lights. Yeah, we're beginning to understand. We're being trained as well. And we are also training robot dogs one day to climb staircases because it's easier for a robot dog to climb a staircase, well, I don't know, up the stairs rather than up the handrail. No, but it's like a bouncer at a club, right? You've got to go through the rigmarole and they're like, okay, you're in. It's like a bouncer at a club if the bouncer has been following you all day and does a biometric scan on you. So by the time you get to the club door, it's like, yeah, they're fine. I'm waiting. I'm just waiting to see. What we'd like you to do is press this sequence of keys. Press the Windows button and R, then Control-V and then Enter. Okay, so right away, I would be like, Windows button? What are you talking about?

Mark

Well, that's because you've got a Mac.

Carole

Right. So that would alert me that there'd be a problem, so I'm out. In this particular example, I'm giving you the Windows version, because it could just as easily be a Mac version. So they're saying, press Windows R. I just want to say thank you to our listeners who have tuned in to our festive episode. It's pretty scary.

Mark

Thank you. More Christmassy stuff later on. Mark's story apparently is going to be very jolly. So it's really clever. And security firms like... It's also old school. It's a bit old school.

Carole

Have you heard of these fake CAPTCHAs before, Graham? No, but I've heard of copying and pasting things into... Yes, yes, well done, well done.

Mark

Yes, we've got copy and paste. Are you telling me copy and paste isn't safe anymore, Graham? So security firms Guardio, Qualys and others are warning about these fake CAPTCHAs which have been spread far and wide across the internet via malvertising campaigns.

Carole

What the f*** are we supposed to do? What are we supposed to do? They're warning us. Thank you very much. Okay, well warned. What do we do?

Mark

Well, run high quality anti-malware software like Malwarebytes, for example. Who are not sponsors of the show, Mark. Yeah, you can pay for that. Can I just point out Mark sometimes works for Malwarebytes. He's in their employ. I'm just saying, you know, it can't stop you pasting. But actually, the thing that then gets downloaded can be stopped. Yes. Ultimately, the thing which gets downloaded, that could be recognised by your antivirus software. It may be also that your operating system would say, what's this programme you're about to run? And say, do you really want to run it? But of course, people want to access the counterfeit driving license or the video game that they're trying to download or the version of Microsoft Word or whatever it is that they're trying to grab.

Carole

I guess what I was trying to say is the technique may be new, but it's the same old thing of taking advantage of you being impatient from getting A to B and often self-blaming, thinking you've done something wrong or this is a brand new CAPTCHA or, you know, you haven't been paying attention. Yeah. But you still haven't told us what we're supposed to do, right? Just beware. Thanks very much, Graham. I just want to say thank you so much. We're feeling much better now. Looking forward to Christmas.

Mark

What I would say is be wary of CAPTCHAs which ask you to do unusual things. Unfortunately, CAPTCHAs keep on asking you to do unusual things to prove that you're human. So click all the ears on this antelope.

Carole

Yeah. I think this is my point. Just be careful about CAPTCHAs that are weird.

Mark

There will be CAPTCHAs in the future which ask you to turn your webcam on, you know, and do a biometric scan of a part of your body. So you have been to the dark web. Stand on one leg. Show us your belly button immediately. We are going to analyse your navel. Mark, what's your story for us this week? I've got a question. How close are we to catastrophe? I don't mean this episode specifically. I think it's going okay. I mean generally. Well, I think, hang on a minute. We're recording. This episode's coming out on the 19th of December. So in about a month's time, that'll be round about the 20th of January. I don't know if anything particular is happening there, maybe in the United States. So about a month. Let's make it more specific. This is a cybersecurity podcast. So let's talk about computer-driven catastrophe, a world-altering cybersecurity event. How close do you think we are? Can you describe what that might be? I'm thinking post-apocalyptic, you know, people are eating rats and eating each other. Are you talking about the year 2038 problem? Is that the Unix epoch? Yes, that's right. So it's the equivalent of Y2K, which is only 13 years away now, isn't it? So you're saying 13 years. Well, it turns out it's 26 minutes. Oh.

Carole

Oh, jeez. Okay, can you talk quickly? Because I prepped my story.

Mark

We're not going to get to Pick of the Week before that. I'll try not to take too long. But it's an important question. I'll explain why it's 26 minutes in a second, but it's an important question. You want to know when disaster is looming. Let's say you've got an even reasonably modern car. I'm talking to you now, Carole, not Graham. Rude. It beeps when you're too close to the curb to avoid a bump. It gives you an early warning. And your car is full of other warning lights that show you your brakes are worn or your oil needs a top up or whatever. If you're a Mission Impossible villain, you put a timer on your doomsday device so that everyone can see how close Tom Cruise is to getting blown up. And of course, he never does. But handily, the timer is always there to show you how close we came. And helpfully, you also have a little speaker, don't you? Attach that to your one to go beep, beep, beep.

Carole

Yeah, you can convince me on this. I'm on the other side. I'm like, I don't want to know if we're all going to be blown out to smithereens. I'd rather just be sitting here.

Mark

Maybe go and grab a cup of coffee for the next five minutes. What if we want to think bigger than Ethan Hunt being blown up? Like some things are even more serious than that. Although that's hard to believe. So we've got the DEFCON levels that nobody understands that tell us how prepared the military is for a potential nuclear attack. I don't know if you know about the DEFCON levels, but they're the levels that are of no use. Any normal person would make a scale that starts at one and gets worse as it goes up. But DEFCON gets worse as it goes down. But there's something even bigger than DEFCON. It's called the Doomsday Clock. You've probably heard of it. Oh, yes. How many minutes to midnight? That sort of thing. It was invented in 1947 by an organisation called the Bulletin of the Atomic Scientists, which I think was set up by Robert Oppenheimer and Einstein. They must have been a fun bunch to have a party, must they?

Carole

Probably about as much fun as this party, I'll tell you.

Mark

Do you think they were all sat around and said, now we've built the world's worst doomsday weapon, what can we do to make things better? So anyway, every year the doomsday clock tells us in January how close we are to midnight, which is the moment of catastrophe. And as of January 2024, we're 90 seconds to midnight, according to the doomsday clock, which is bad. Right. So in 2012, it was five minutes to midnight, and this has been ticking down ever since. Oh, dear. And the doomsday clock...

Carole

The thing is, the clock can't go the other way, though. That's

Mark

A good point. Sometimes winding a clock backwards breaks it, doesn't it? You have to actually go forwards and go round again. I prefer the idea of breaking it, to be honest. I can't remember, I'm sure it went back after the Cold War ended. Oh, yeah, makes sense. No,

Carole

No, I think, I feel I know this, that it has gone back as well, but I do feel that's illogical. Anyway, crack on. You're doing great. Anyway, the doomsday clock accounts for all kinds of possible disasters: nuclear war, environmental collapse, biological threats, disruptive technologies. And it mentions the rise of artificial intelligence under both of those last two. So under biological threats and disruptive technologies. So it accounts for a computer catastrophe, but it's not only about a computer catastrophe. So it doesn't really help us with that question I asked at the beginning. That's better than 14 seconds. You're definitely a glass half full kind of person. It's better than 14 seconds. OK, symbolic. So relative to what? Like, what does that mean?

Mark

That is a great question. So anyway, as I was saying, it's a symbolic representation of how close we are to this critical tipping point. And it explains the threats of uncontrolled artificial general intelligence as rapid advancements in agentic AI, intensifying competition in AI hardware, the growing role of AI in military and geopolitical context, breakthroughs in AI reasoning, changes in US policy. How easy it is to detect a traffic light. Now, I know that in that list, it doesn't mention robot dogs with flamethrowers on their back. And I personally think that's a serious omission. Right. Yes. I would probably take 12 minutes off the clock just for that. Yes. So as I say, the AI safety clock says that we're 26 symbolic minutes from catastrophe. And frankly, as you alluded to, Carole, I don't know how to read that. Is that good? I mean, it's better than 14 seconds. Is there an algorithm or did an intern spend 26 symbolic seconds thinking about this in a marketing brainstorm? What is this? I just don't know.

Carole

When I worked with you guys in the AV industry, right, decades ago, every month we would say, hey, guess what? We detect X number more viruses than we did the previous month. Aren't you safe, Mr. or Mrs. Customer? And that number was an algorithm, right? It was just made up. Literally, it was just made up.

Mark

You heard it here first.

Carole

Am I allowed to say that? Breaking news. I'm just saying they tried.

Mark

You were lying to me. You were.

Carole

No, I didn't do this. No. It wasn't me.

Mark

Carry on. I'm not talking to Carole.

Carole

Anyway, I'm just thinking the number is manufactured and estimated. It does sound manufactured because 26. Why not 25? I'll tell you why not 25 because 25 just sounds, oh, that's a bit too knowledge. Whereas 26 sounds a little bit more scientific. Oh, we've thought into this. They should have added a decimal point, right? They would never have said 20 minutes to midnight or half an hour, would they? They wouldn't have said that. Yeah. It had to be, oh, 26 because we're scientists. What are you going to do? What are you going to do? What's your plan? I'm about to tell you. I'm

Mark

Literally about to tell you.

Carole

I'm sorry. I'm sorry. This obviously gets to me, right?

Mark

Anyway, it's all very well talking about CAPTCHAs and the dark web and all that kind of stuff. But if we're going to get turned into batteries, this seems like a more pressing security issue. So unfortunately, the AI safety clock doesn't offer an exchange rate for symbolic minutes to real minutes. And I think that would be really useful. So I thought maybe we could figure it out for ourselves. So it's widely thought that the worst possible AI catastrophe is the singularity, which is the point where the AI learns to improve itself autonomously and enters this runaway improvement. And the gateway drug for that capability is so-called artificial general intelligence or AGI. And over the last year, the bigwigs in AI have been offering up estimates for when they think they'll create AGI. Which isn't the end, but if the end is coming, that's the beginning of the end. So I thought that we could use their estimates to come up with an exchange rate for the AI safety clock. And my maths isn't great, so I thought the only way to answer this question would be to ask an AI. So I went to ChatGPT and I gave it four estimates. So Google DeepMind CEO Demis Hassabis reckons it's AGI in 10 years. Sam Altman from OpenAI, he thinks it's about five years. Mustafa Suleyman from Microsoft AI, he thinks three to five years. And Dario Amodei from Anthropic thinks it's one to two years. So I went to ChatGPT and I gave it these estimates. And it said that the exchange rate for Demis Hassabis is 202,154 Demis Hassabis Harmageddon minutes. And Harmageddon is a word starting with an H. Harmageddon. I checked that with ChatGPT as well. I said, give me a word meaning Armageddon that starts with H. And it said Harmageddon. And I'm sure it's not really certain. I'm sure that's real. Anyway, there are 202,154 Demis Hassabis minutes to one AI safety clock minute. And that means there are two Demis Hassabis minutes to one Sam Altman minute and 101,077 Sam Altman minutes to one AI safety clock minute.
And Mustafa Suleyman said three to five years, so average that out to four years, so that's 80,862 Suleyman minutes to one AI safety clock minute. And Dario Amodei said one to two years, so that's one and a half on average, so that's 30,323 Amodei Harmageddon minutes to one AI safety clock minute. I hope you're making notes about this at home, folks. The average exchange rate from the estimate of four influential AI CEOs is 104,446 AI CEO catastrophe minutes to one AI safety clock minute. So to wrap up, the next time the AI safety clock changes its estimate, because we'll all be watching to see, just listen to this podcast, find the average exchange rate and multiply the AI safety clock time by 104,446, and that will tell you how far away we are from catastrophe. Sorry, Carole, what have you got for us this week? Oh, the holidays. Finally a bit of joy. Are you dressing as Father Christmas, Carole? That's what it sounds like. No, but you eat a lot of stuff, right? You know, you sit there during Christmas, you're having the mince pies and the stollen and the, oh yeah, one more biscuit and I'll get passed over the Pringles, and we all know that we have to pay the pound piper. See what I did there? Yeah, it's 15,415 Hassabis minutes or something. Mark, what's your guilty pleasure at Christmas? You must keep something for Christmas.

Carole

Oh, I'll tell you what it is. It's shortbread. So I love shortbread. And people who know me know that I love shortbread. So Christmas comes around and then I get a lot of presents that are sort of suspiciously rattly, very large, heavy metal tin shaped things in wrapping paper. And the shortbread does not last long. You're like, just put the butter, sugar and flour into my face. Yum, yum, yum. Graham, what about you? Well, shortbread is a great one, I have to say. But 2024 has been a revolutionary year for me. I've started doing something which I haven't done in all my previous years, which is eating nuts. Oh, really? I the way you explained that in a way that was sort of, I can tell you think you're a little bit exciting. There was a tone. Now, it's funny because none of you said donuts. Don't donuts feature in your festive fun? No. No. No, no, that would be weird. No, not at this time of year, no. Yes, well, you're also, sorry, Gen X, the boomer thing. Thanks, guys. Thanks, Nathan.

Mark

They were until a trip to London, yeah. They ate one donut from this Krispy Kreme place and your youngest went into a sugar coma. I thought I'd killed her. Hang on. Are they sponsoring the podcast this week? They get a lot of mentions, Krispy Kreme. You're saying how available they are and how delicious and gorgeous they are this time of year. I'm not saying they're delicious. They are, though. That's it. You survive COVID, but you end up having a heart attack. Isn't that weirdly coercive? I mean, I don't hold with any of these vaccine conspiracy theories. And then I hear things and I'm like, what wheels are turning? Krispy Kreme were behind it all along.

Carole

But this year they're celebrating the Christmas season with the Merry Grinchmas collection. Five donut confections inspired by Dr. Seuss's The Grinch who stole Christmas, okay? So you can take a look at them if you want. They're in the show notes. And I was going to ask you, you can see one that has the Grinch's face on it. Basically, it's their main flagship seasonal donut, whatever that means. Do any of you want to take a guess at how many ingredients might be in that Grinch donut there?

Mark

So what we're looking at is something which has the Grinch's face. It's a lurid green colour. It's got little gooey stuff inside. I would imagine there's a lot of ingredients in that.

Carole

A lot? What? 10? What's a lot?

Mark

Well, I would think 30.

Carole

30? Mark, higher or lower?

Mark

714.

Carole

Okay, well, you're closer. Look, I've just put it in the show notes. That is the composite makeup of the donut, of the one donut. There are about eight, I couldn't even count them. So more than I cared to count ingredients. There's a very, very long list.

Mark

Count the commas. The commas will tell us.

Carole

Oh, that's smart. That's smart. So here we have these specially made seasonal donuts featuring the Grinch in a global campaign, though I suspect its target market is the US of A. Yes. And of course, you've got the powers that be at the Krispy Kreme empire waiting to see their festive wonga enter the books. And they experience a nightmare. They experience a nightmare. A nightmare before Christmas, Graham. Yes. As hackers attempted to steal Krispy Kreme's Grinchmas from them. According to a mandatory 8-K filing, on November 29th, Krispy Kreme suffered unauthorized access to a portion of its IT systems. And I'm going to quote The Register here because they got into the Christmas spirit with this article. Its security team waddled into action and sprinkled in support from leading cybersecurity experts, but said that delays in online orders were going to be hard to swallow for some.

Mark

They wait the whole year for this.

Carole

It kind of crippled their online ordering system. And I'm like, what? So, yeah, you can order donuts online, of course, to be delivered. Who knew? It makes sense. It does make sense, considering their typical customer demographic. Now, we don't know. We don't know if this was a ransomware attack and whether Krispy Kreme paid up. Reports suggest that there's still disruption in some parts of the U.S. in terms of online ordering.

Mark

And I know that some Krispy Kreme stores were actually down for a while. They couldn't take credit card payments. So you had to pay with cash while this was happening.

Graham

How did you know that, Mark? Just because... You know, I'm not judging. I'm just, you know...

Mark

I saw posts by people who were upset online that their local stores were mysteriously closed. This was before the announcement happened that they'd suffered a security breach, but already suspicions were beginning to ripple around.

Carole

Yeah. So hackers did indeed try to steal Krispy Kreme's Grinchmas. And as Krispy Kreme tightens its financial belts, it hopes you might forego yours. So when you

Mark

I said let's just count the commas. I thought that's an easy job for an AI so I got the text and cut and pasted it into ChatGPT and it has been counting the commas until now. It's taken three minutes and 13 seconds to tell us that there are 120 commas in that text.

Carole

120 ingredients in a single donut, yum yum yum.

Mark

BigID helps you uncover dark data, identify and reduce risk, take action through remediation and scale your data security strategy through seamless integration with your existing tech stack. Start protecting your sensitive data wherever your data lives by visiting bigid.com slash smashing. Get a free demo to see how BigID can help your organisation reduce data risk and accelerate the adoption of generative AI. Also, there's a free new report that provides valuable insights and key trends on AI adoption, challenges, and the overall impact of gen AI across organizations. So go visit bigid.com slash smashing. And thanks to the folks at BigID for sponsoring the show.

Carole

Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Imagine taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance. Onboarding and operation is fully supported by their U.S.-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com slash ThreatLocker. That's smashingsecurity.com slash ThreatLocker. And thank you to ThreatLocker for sponsoring the show.

Mark

Quick question. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1Password.com slash smashing. That's 1Password.com slash smashing. And thanks to the folks at 1Password for supporting the show. Welcome back. Can you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses to say on the light. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Better not be. So this week's Pick of the Week has been suggested to me by listener Vin Kennedy. He's been in touch. He is recommending a website called udm14.com. And you're thinking, that's a rather strange name, Graham. What on earth could UDM14 be all about? Well, it turns out, I'm sure many of our listeners use Google as a search engine. And it turns out that if you add to the end of your Google search URL the parameter ampersand udm equals one four, it will strip out all the ads and all the AI nonsense like AI overviews and all the other kind of nonsense which has made Google unpleasant to use, and it's almost like being back in 1999 again. And udm14.com gives you a very easy way to do this. So if you chaps want to try right now, go over to udm14.com.
I'm looking at it right now so what you're seeing is you're looking at a web page which has like a Google style search box in the middle of it and you type in your search thing there and it will just simply send that search word or search phrase to Google with the extra little addition to your search query URL and what you won't get or you shouldn't get are all the sponsored ads and all the stuff in the sidebar and all the other guff. Okay, I'm asking how many ingredients there are in a Krispy Kreme donut. So you could either use this site or you could add the little bit, the ampersand UDM equals 14 to the end of your URL. Or if you go to UDM14.com and we'll put links in our show notes, you can actually find out how to change the default way that your browser uses Google so that every time you do a search, rather than doing it the traditional way, where you get all this guff, it automatically adds this parameter onto the end, which you may want to do. Now, that, of course, isn't the only way to avoid Google's AI guff. You could use DuckDuckGo. You could use StartPage. You could use Kagi, which is a paid-for search engine as well. So there are alternatives, but I know lots of people like to use Google as a search engine, and that is why this is my pick of the week. I quite like the AI in Google. Did you like it when it told you to put glue on your pizza to keep the pepperoni on? Much more entertaining than looking at tons and tons of ads. I actually think it's quite useful. I find myself using the results from the Gemini bit at the top of Google search results more and more often.

Carole

I have bookmarked this pick of the week, Graham.

Mark

Right. Oh, wow. High praise indeed. First time in 398 episodes. When he shoots his scores. Mark, what's your pick of the week? Carole, do you ever find your podcast co-host troublesome? Unpredictable? Pass. Do you ever wish that they were saying something different? Perhaps you wish that they were, I don't know, more interesting or funnier? This is a bit personal, Mark. I don't find this on Smashing Security, but I certainly have encountered that on my other podcast. Anyway, I've got just the thing for you. So I don't know if you know, but I am on a podcast called The AI Fix, and one of the things that we do there is we use quite a lot of AI tools, and generally what happens with these things is you go along and they say sign in with Google to make it super easy, and you go and look at it and you go, wow, this is garbage, and you never look at it again. And sometimes you need a very specific service. Maybe you need to take a transcript of your podcast and you sign up, you give it your credit card, you use the service and then you immediately unsign. So maybe you pay for a month or whatever, but it's very rare that I actually sign up for a service and then I keep using it. And many episodes ago, I thought, wouldn't it be great if Graham was a bit better? So I went to this website called ElevenLabs, which is a voice synthesizer website. So it uses AI to transform text into speech. So you type something and then the AI will read it and say it out loud, and you can use it to clone people's voices. So I took about 10 minutes of Graham talking and I fed it into ElevenLabs and it made Graham 2.0, and Graham 2.0 is a pretty good facsimile of Graham's voice, and I can get it to say whatever I want. Just my voice is it, it's only copied my voice, hasn't copied my physical presence or anything else yet. I don't want you to mimic Graham's voice and make him say, oh, Carole, you're the best, you're the best. It would be empty.
You don't want him to phone his bank and say, hi, this is Graham, please transfer all of your money to my podcast co-host. Well, good luck with that because I've already done that, obviously. But anyway, this thing exists. So I signed up to do this. I made Graham 2.0. We did it on the show. It was funny. And I didn't cancel my subscription. So I can't remember how much it is, it's something like £11 a month, something like that. And I keep finding uses for it. I keep wanting to go back and do things with it. And so this is the way I'm going to recommend this, because this is one of the few AI tools that I have run into that I actually find I'm using over and over again. Hang on, are you finding that you're using it over and over again with my voice or with— No comment. So your pick of the week is ElevenLabs. Carole, what's your pick of the week?

Carole

Well, mine is security related. What? I know. This is for all you listeners out there who fancy a little code breaking courtesy of GCHQ. So you put your energy into GCHQ's Christmas challenge. I think I've put the link in the show notes if you guys want to take a look while I'm yabbering about it. But basically, puzzles have always been at the heart of GCHQ, says the GCHQ director, and they need skills to solve them. So this year's challenge has seven puzzles plus several hidden elements for those who want an extra test. They're aimed primarily at teens and younger people, but you might want to give it a try, see if you've got the skills to do it. So you can find this at gchq.gov.uk, link in the show notes. And if you're bored over the festive season, you might have a crack at it.

Mark

Have you done this, Carole? Have you tried it out?

Carole

No. Are you crazy? After I saw the list of what was in a donut, I felt weak because I'd eaten one recently.

Mark

There's a dollar note. There's a king. There's a leg of ham. There's a person on the left of a couple of people. And there is an ace of spades, which I guess could be a card. Money, king, ham, person card. I think I've cracked that.

Carole

You've got it. If you think you can do better than Mark, check out my pick of the week.

Mark

And this presumably is to recruit people into GCHQ, is it? Is this if you do really, really well?

Carole

It's just a bit of Christmas fun. You don't have to read into it.

Mark

They said that about completing CAPTCHAs, didn't they? And before we knew it, we had robot dogs coming up the stairs. I'm really looking forward to the break. 26 minutes, everybody. 26 minutes. Well, that just about wraps up the show for today and for this year. Mark, thank you so much for joining us today. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that? Just find me at the AIFix.show. Fantastic. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. And massive shout out to our episode sponsors, 1Password, BigID and ThreatLocker. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free.

Mark

Until next time, cheerio. Bye bye. Bye. Bye-bye.

Carole

Nice quick show. Excellent, guys.

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • BigID – Start protecting your sensitive data wherever it lives with BigID. Get a free demo to see how your organization can reduce data risk and accelerate the adoption of generative AI.
  • ThreatLocker – the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
