In episode 426 of the “Smashing Security” podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation.
Meanwhile, Carole investigates how Grok went berserk, which didn’t stop the Department of Defense signing a contract with Elon’s AI chatbot. So who is responsible when your chatbot becomes a bigot?
Plus: Email headaches, SPF rage, and a glowing review for… Taskmaster SuperMax Plus?
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I feel like you didn't do a ton of research on train engineering.
Oh, you'd be surprised. You would be surprised.
No, I don't know if I would.
Smashing Security, Episode 426: Choo-Choo Choos to Ignore the Vulnerability with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 426.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
What's coming up on the show this week, Carole?
Well, first, before we kick off, let's thank this week's wonderful sponsors, 1Password, Adaptive Security, and Vanta. It's their support that helped us give you this show for free.
Coming up on today's show, Graham, what do you got?
Coming up on today's show, Graham, what do you got?
I'm going to be taking hacking to the end of the line.
Mm. And I'm going to ask who's to blame when chat assistants go rogue. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, we all love a train, don't we?
A train?
Yeah, everyone loves trains. Did you love trains when you were a kid?
A choo-choo?
Yeah, choo-choo trains.
Do you mean getting on a train?
Well, getting on a train, watching trains, pushing trains around on the floor when you're a little kid, or watching trains.
We used to walk old train tracks actually as kids.
Did you? That's brave. Disused ones.
Disused ones, yeah.
That's good. Well, some people are very enthusiastic about them, aren't they? And there can be cybersecurity consequences of having a love for trains.
Way back in 2008, a 14-year-old boy in Poland got himself into a spot of bother because he hacked into— actually, it was a tram system rather than trains, but he began to use it as a giant train set.
He hacked into the trams.
Way back in 2008, a 14-year-old boy in Poland got himself into a spot of bother because he hacked into— actually, it was a tram system rather than trains, but he began to use it as a giant train set.
He hacked into the trams.
Why do you laugh? You laugh you're a sociopath or something.
It's just an extraordinary story. There he was in the city of Łódź, I believe it's called. He had trespassed onto tram sites, into the depots in the city.
He was gathering information. And he took an old TV remote control and he adapted it so it can change the track points, which meant that he was able to cause chaos.
So there was one particular Tuesday afternoon when a city tram driver tried to steer his vehicle to the right, but found himself swerving to the left instead.
He was gathering information. And he took an old TV remote control and he adapted it so it can change the track points, which meant that he was able to cause chaos.
So there was one particular Tuesday afternoon when a city tram driver tried to steer his vehicle to the right, but found himself swerving to the left instead.
How funny!
Unexpectedly.
Ha ha ha ha ha!
No, not funny, Carole. Not funny. You sound like a sociopath now. The rear wagon swung off the rails, crashed into another passing tram, hurtling screaming passengers to the floor.
12 people were injured. And the spokesman for the police, they nabbed this boy. They said he took his TV control and made it capable to control the tram line. Trains.
And he'd written in the pages of his school exercise book where the best junctions were to move trams around. So he was really enthusiastic about this.
And he treated it like a giant train set.
12 people were injured. And the spokesman for the police, they nabbed this boy. They said he took his TV control and made it capable to control the tram line. Trains.
And he'd written in the pages of his school exercise book where the best junctions were to move trams around. So he was really enthusiastic about this.
And he treated it like a giant train set.
There is a game I play that is actually this. You're managing a ton of trains and making sure they don't—
Yeah, I told you it was fun.
Mm-hmm.
Anyway, big problem. He was making emergency stops. Passengers were being hurt.
Probably entertaining his little buddies.
Anyway. That was back in 2008. And thank heavens, railways are much safer now, aren't they?
I wouldn't know. I'm not an expert in trains.
Well, are they safer? Are they? That's the big question.
Because four years later, in 2012, a security researcher called Neil Smith, he was taking an interest in the locomotives crossing America.
Have you seen these enormous trains, these mega trains they have in America?
Because four years later, in 2012, a security researcher called Neil Smith, he was taking an interest in the locomotives crossing America.
Have you seen these enormous trains, these mega trains they have in America?
Yeah, well, we have them in Canada too.
Their trains can be three miles long. Wow. It's astonishing. I mean, it's hard for me as a Brit to imagine that. How long would that take to go past you?
Well, they've got to move stuff from A to B somehow. I mean, Australia, they use the mega trucks, don't they? They're these massive—
Do they?
Yeah, yeah. There's huge trailers. They go on the roads. I can't remember, there's a name for them, but I don't remember what it is. But anyway.
Well, I know that in America, for instance, trains are responsible for moving more freight than any other form of transport. It's a big deal.
And when you've got a train that long, communicating from one end of the train, which can be three miles away from the other end, that becomes a challenge.
And when you've got a train that long, communicating from one end of the train, which can be three miles away from the other end, that becomes a challenge.
Why?
Well, you can't send a fax.
You've got a phone.
You may not have network coverage to send a text.
Okay.
So it's a problem.
I'm imagining there might be a little Wi-Fi on the train, maybe.
Have you ever been on a train and tried to use Wi-Fi, Carole?
Yes. Works fabulously in Canada.
Was it? Oh, okay. I'm just used to being in the Stone Age rail lines of Britain, I suppose. Anyway, it's important that you can communicate from one end of a train to the other.
Because imagine there's this blooming long three-mile train. Imagine it's parked up somewhere and you are a train maintenance man at the back of the train.
You won't necessarily know if the front of the train has started moving again. Because the carriages, or whatever they're called, they might all be shunted up together.
Because imagine there's this blooming long three-mile train. Imagine it's parked up somewhere and you are a train maintenance man at the back of the train.
You won't necessarily know if the front of the train has started moving again. Because the carriages, or whatever they're called, they might all be shunted up together.
I'm picturing this massive centipede.
Yes, it's a great big caterpillar doing a stretch. It's an accordion, stretching out. And so it may take a while before, you know, clank, clank, clank.
And if you're doing work at the back, that could be a real problem. It could be a squish situation, couldn't it?
Or you might want to know, as the driver at the front of the train, what the heck the brakes are doing at the back of the train, because maybe you're going up a slope, maybe going down a slope.
Maybe you need your brakes to engage or disengage. Maybe you want to know that the pressure is right, because this is an enormous train.
And if you're doing work at the back, that could be a real problem. It could be a squish situation, couldn't it?
Or you might want to know, as the driver at the front of the train, what the heck the brakes are doing at the back of the train, because maybe you're going up a slope, maybe going down a slope.
Maybe you need your brakes to engage or disengage. Maybe you want to know that the pressure is right, because this is an enormous train.
I feel you didn't do a ton of research on train engineering.
You would be surprised just how many videos.
Oh yeah, videos. Oh, of course. Yeah, videos.
You may be surprised how many videos I've watched at 2x normal speed in order to gain this amount of knowledge, Carole, in readiness for the podcast today.
Well, it's a good 10 minutes.
It's a huge amount. See, in the old days, in the old days, it was easy. In the old days, American freight trains had a caboose. I love a caboose. It's a great word, isn't it? Caboose.
Are you familiar with the caboose?
Are you familiar with the caboose?
Yeah. It's often used as a derogatory term towards women's asses.
Is it?
Yeah.
Okay. Well, according to Wikipedia, caboose is a little hut which is coupled onto the end of a freight train. It provides some shelter for crew.
It's got sleeping and cooking facilities. I imagine a lady's bottom wouldn't have that.
It's used for observing problems at the back of a train or providing a supplementary braking system. I don't know how they — do they throw out an anchor? I don't know.
But there used to be people on the end of a train, right? And you'd see it in old movies. In your Charlie Chaplin style movies, you don't really see cabooses anymore.
You're more likely to find a caboose up for rental on Airbnb. So there may be someone's done up a caboose, put it in their back garden, and made it available for rent.
Anyway, the way in which this is done these days without a caboose on these flipping long trains is with what is known as an end of train device, an EOT, or a flashing rear end device, a FRED, F-R-E-D.
And these collect data regarding a train's brake line pressure, and they send that information to the front of the train via a radio signal.
It's got sleeping and cooking facilities. I imagine a lady's bottom wouldn't have that.
It's used for observing problems at the back of a train or providing a supplementary braking system. I don't know how they — do they throw out an anchor? I don't know.
But there used to be people on the end of a train, right? And you'd see it in old movies. In your Charlie Chaplin style movies, you don't really see cabooses anymore.
You're more likely to find a caboose up for rental on Airbnb. So there may be someone's done up a caboose, put it in their back garden, and made it available for rent.
Anyway, the way in which this is done these days without a caboose on these flipping long trains is with what is known as an end of train device, an EOT, or a flashing rear end device, a FRED, F-R-E-D.
And these collect data regarding a train's brake line pressure, and they send that information to the front of the train via a radio signal.
Okay.
Alright? So they don't have Wi-Fi, but they can transmit a radio signal, and there'll be something at the other end, you know, waiting to receive it.
And that essentially acts as though they were rear-end crew members communicating with the front-end crew via radio, allowing —
And that essentially acts as though they were rear-end crew members communicating with the front-end crew via radio, allowing —
Because FaceTime's not working. Okay.
Well, no, it's not gonna — no, no. Obviously FaceTime has only been around for the last 10 years or whatever as well.
I know, but we're 2015.
Well, 2012 when Neil Smith was looking into this. But these end-of-train devices, they've been around since the demise of the caboose.
Right.
So, and as we know, sometimes with critical infrastructure, you have a piece of technology and it doesn't get replaced for decades and decades.
But Neil Smith, this researcher, in 2012, he was looking at train security and specifically these end-of-train devices, and he realised that the system was open to being hacked.
It was vulnerable.
Now, when I first heard that you could hack a train, I was thinking sort of Mission: Impossible-style stunts, leaping from train to train, wanting to be within Bluetooth range.
You need to be really close. But that isn't the case. That isn't the case at all. You can be a ridiculously long distance away. You could be, for instance, 150 miles away.
But Neil Smith, this researcher, in 2012, he was looking at train security and specifically these end-of-train devices, and he realised that the system was open to being hacked.
It was vulnerable.
Now, when I first heard that you could hack a train, I was thinking sort of Mission: Impossible-style stunts, leaping from train to train, wanting to be within Bluetooth range.
You need to be really close. But that isn't the case. That isn't the case at all. You can be a ridiculously long distance away. You could be, for instance, 150 miles away.
How could that be?
By sending a radio signal, Carole, at the right frequency. All you need is some radio equipment.
It costs less than $500 to send a bogus message that could issue commands to the end-of-train device to, I don't know, something like suddenly slam on its brakes.
Which isn't a good thing. Derailment, danger, danger. These end-of-train devices, they use weak authentication.
All they really seem to have is a checksum to verify that any messages they send or receive haven't been corrupted or that no bits have been dropped during the radio transmission.
That's all they have. They don't have any more security than that.
It costs less than $500 to send a bogus message that could issue commands to the end-of-train device to, I don't know, something like suddenly slam on its brakes.
Which isn't a good thing. Derailment, danger, danger. These end-of-train devices, they use weak authentication.
All they really seem to have is a checksum to verify that any messages they send or receive haven't been corrupted or that no bits have been dropped during the radio transmission.
That's all they have. They don't have any more security than that.
They don't have a, is this coming from an authorized location or device?
And obviously the location is constantly changing 'cause they're crossing across many states, potentially. But yes, they don't have anything else. They're just looking at a checksum.
And this has been the case for well over 10 years.
And this has been the case for well over 10 years.
Well, you know, let's take a pause and think, all us train people, how lucky we are that we're not dead. Right? Is it happy days?
Well, yes, we're all happy. Yes, that's true. But researcher Neil Smith, he's not happy because I've been onto his Twitter account.
His avatar, by the way, is of a Thomas the Tank Engine, which I think is very, very cute. And he wrote, so how bad is this?
He says, you could remotely take control over a train's brake controller from a very long distance away using hardware that costs less than $500.
You can induce brake failure leading to derailments, or you could shut down the entire National Railway System.
His avatar, by the way, is of a Thomas the Tank Engine, which I think is very, very cute. And he wrote, so how bad is this?
He says, you could remotely take control over a train's brake controller from a very long distance away using hardware that costs less than $500.
You can induce brake failure leading to derailments, or you could shut down the entire National Railway System.
Okay, so he's saying this on Twitter because he's already told them.
Oh, he told them about it in 2012.
Okay.
And he's also pointed out these devices are also on some passenger trains as well, potentially causing even more problems. So he told the authorities about the weak security.
The American Association of Railways, they played it down. They said, oh, this is theoretical, they said. This hasn't happened in real life.
We're only going to take notice of this, they said, if you can demonstrate it in real life. And so Neil Smith said, okay, I'll demonstrate it.
And the American Association of Railway said, go on then. And he said, well, he said, I need to do it in a safe way. Can I use your test track facility?
And they said, no bloody way are you coming on our test track facility. And so he reckons they blocked all security-related testing if they knew it would cause them problems.
And there was a complete lack of progress. He got annoyed about this. Took a few years. He got annoyed about it. He wrote an article for the Boston Review revealing his findings.
They replied. They wrote an article in Fortune magazine debunking it. Complete stalemate. However, I can reveal that last year the American Association of Railways had new management.
And Neil Smith thought, maybe I'll have a bit more luck now dealing with them.
The American Association of Railways, they played it down. They said, oh, this is theoretical, they said. This hasn't happened in real life.
We're only going to take notice of this, they said, if you can demonstrate it in real life. And so Neil Smith said, okay, I'll demonstrate it.
And the American Association of Railway said, go on then. And he said, well, he said, I need to do it in a safe way. Can I use your test track facility?
And they said, no bloody way are you coming on our test track facility. And so he reckons they blocked all security-related testing if they knew it would cause them problems.
And there was a complete lack of progress. He got annoyed about this. Took a few years. He got annoyed about it. He wrote an article for the Boston Review revealing his findings.
They replied. They wrote an article in Fortune magazine debunking it. Complete stalemate. However, I can reveal that last year the American Association of Railways had new management.
And Neil Smith thought, maybe I'll have a bit more luck now dealing with them.
Okay, yeah, yeah, yeah.
So he brought up the issue again, and this time, years after he first made his discovery, he was listened to.
And CISA, the American cyber defense agency, has just published an advisory in the last few days all about what they call the weak authentication in the end-of-train and head-of-train remote linking protocol.
So that's all right then. It's all fixed. Happy days.
And CISA, the American cyber defense agency, has just published an advisory in the last few days all about what they call the weak authentication in the end-of-train and head-of-train remote linking protocol.
So that's all right then. It's all fixed. Happy days.
Is it?
Well, not quite. Because there are still some 75,000 end-of-train devices on trains across USA, Mexico, and most importantly, Canada. I'm just saying that for you, Carole.
Which have to be physically replaced. And the anticipation is that it's going to take years to accomplish, and it's going to cost millions to do it. And put new technology in place.
Which may explain why they weren't so keen to listen to the vulnerability and hear about the problems in the first place.
Which have to be physically replaced. And the anticipation is that it's going to take years to accomplish, and it's going to cost millions to do it. And put new technology in place.
Which may explain why they weren't so keen to listen to the vulnerability and hear about the problems in the first place.
Yeah, it's interesting because it kind of says they buried it under the carpet because they didn't have to declare it.
Maybe at the time, I don't know, I can't remember what the laws were or what their responsibilities were having been told this information.
Maybe at the time, I don't know, I can't remember what the laws were or what their responsibilities were having been told this information.
They seemed to think it didn't matter.
Yeah, they didn't help him. They should have got involved, I guess.
Yeah, and there was another researcher who also independently did some research and announced it at DEF CON.
So I think over time, the noise has begun to get louder and now is being listened to a bit more.
But although at the moment we don't know that this has ever been done maliciously, now, of course, it's become better known, unfortunately, as a result of this disclosure.
But it's not as though no one is interested in messing with trains.
A couple of years ago, some 20 trains in Poland were brought to a standstill, again, by unauthorized radio signal hackers.
Reportedly interspersed the stop commands which they sent in Poland with renditions of the Russian national anthem and parts of a speech by Vladimir Putin.
So, there are people out there who would love to mess around with trains and cause all kinds of mayhem. Carole, what have you got for us this week?
So I think over time, the noise has begun to get louder and now is being listened to a bit more.
But although at the moment we don't know that this has ever been done maliciously, now, of course, it's become better known, unfortunately, as a result of this disclosure.
But it's not as though no one is interested in messing with trains.
A couple of years ago, some 20 trains in Poland were brought to a standstill, again, by unauthorized radio signal hackers.
Reportedly interspersed the stop commands which they sent in Poland with renditions of the Russian national anthem and parts of a speech by Vladimir Putin.
So, there are people out there who would love to mess around with trains and cause all kinds of mayhem. Carole, what have you got for us this week?
So, okay, AI assistants. The things we never thought of before 2020 and now can't seem to get enough of. I mean, we have so many, right?
There's the Gemini from Google, ChatGPT, Meta's AI, Alexa, Siri, Claude, Grok, just to name a few. And these AI assistants are already pretty ubiquitous.
I mean, they're basically the next search tool, wouldn't you agree?
There's the Gemini from Google, ChatGPT, Meta's AI, Alexa, Siri, Claude, Grok, just to name a few. And these AI assistants are already pretty ubiquitous.
I mean, they're basically the next search tool, wouldn't you agree?
Oh, yeah, absolutely.
You want a recipe? Go to AI. You know, you want advice on a trip? Go to AI.
Oh yeah, absolutely. Search engines are becoming less relevant, and in fact, they're plugging in AI more than ever because they know they can't compete.
I mean, a search engine will give you maybe 100 results of dubious usefulness, whereas an AI, if it's programmed correctly, if it's working properly, will just give you one response, which hopefully with the information you need without having to click on a link.
I mean, a search engine will give you maybe 100 results of dubious usefulness, whereas an AI, if it's programmed correctly, if it's working properly, will just give you one response, which hopefully with the information you need without having to click on a link.
I have people who are maybe less au fait with the whole internet thing, you know, some of maybe the boomer generation, for example, and I tell them to use an AI assistant for their basic requests because it's often easier for them.
They ask a specific question and they get a specific response. They don't have to trawl. They don't have to work around sponsored ads at the moment.
It's fairly simple and straightforward.
They ask a specific question and they get a specific response. They don't have to trawl. They don't have to work around sponsored ads at the moment.
It's fairly simple and straightforward.
Yes. Although one of the problems with AI is it can sound excessively confident, can't it? It can sound as though it really knows what it's talking about.
It depends which ones you use, I think. Okay. There are some that are a little more hesitant, I think.
Anyway, so currently countries around the world are kind of wrestling with how to apply regulations to this digital genie that was maybe perhaps let out of the bottle a little too early.
Anyway, so currently countries around the world are kind of wrestling with how to apply regulations to this digital genie that was maybe perhaps let out of the bottle a little too early.
Yeah.
So countries Denmark— Denmark is proposing changes to its copyright laws to give citizens ownership of their own likeness, which I've talked about before on the show, including their face, voice, and body.
Of course you should. Have copyright of your own face, voice, and body, in my opinion.
But meanwhile, while this is happening, the US, as part of the one big beautiful bill, just recently tried but failed to pass a 10-year moratorium to prevent individual states from regulating AI stuff.
Of course you should. Have copyright of your own face, voice, and body, in my opinion.
But meanwhile, while this is happening, the US, as part of the one big beautiful bill, just recently tried but failed to pass a 10-year moratorium to prevent individual states from regulating AI stuff.
Right.
So it's nuts out there. And while the powers that be bash it out, I thought we could consider this one wee AI-based conundrum. And it involves a recent Grok snafu.
Now, Grok is a free AI assistant designed by xAI.
Now, Grok is a free AI assistant designed by xAI.
You say it's free, Carole, but I think you do have to sell your soul to the devil, don't you, and have a Twitter account?
That's the main way in which people will be interacting with it.
That's the main way in which people will be interacting with it.
But it is said to maximize truth and objectivity. This is—
Oh, yes.
Very much not my opinion. But what it says on its homepage.
Right.
And in fact, way back in April 2023, Elon Musk said in an interview that he intended to develop an AI chatbot called TruthGPT. We remember that.
Oh my goodness.
Which he described as a maximum truth-seeking AI that tries to understand the nature of the universe.
And he expressed concern that ChatGPT was being trained to be politically correct.
And he expressed concern that ChatGPT was being trained to be politically correct.
Yes, because he's got a big beef with Sam Altman at OpenAI, hasn't he?
Yeah, they do. They have a big beef. And TruthGPT later became what we know now as Grok. Now, it seems that Grok has had at least one big contract come its way.
The US Department of Defense said this past Monday it would begin using Grok after awarding the tech company a multimillion-dollar contract.
The US Department of Defense said this past Monday it would begin using Grok after awarding the tech company a multimillion-dollar contract.
For what? What are they going to use Grok for? For making jokes?
Apparently Grok has some government tools that'll be super useful.
Oh my goodness.
So the future's looking bright for xAI and Grok, as long as you don't cast your memory back to last Tuesday.
Because last Tuesday, throughout the day, Grok seemed to go rogue, even for a maximum truth seeker.
The chatbot ranted for hours about a second Holocaust and spread antisemitic tropes and conspiracy theories.
According to The Washington Post, it even claimed that people with Jewish-sounding names were disproportionately linked, quote, "every damn time," unquote, to hate, radicalism, and deceitfulness.
Because last Tuesday, throughout the day, Grok seemed to go rogue, even for a maximum truth seeker.
The chatbot ranted for hours about a second Holocaust and spread antisemitic tropes and conspiracy theories.
According to The Washington Post, it even claimed that people with Jewish-sounding names were disproportionately linked, quote, "every damn time," unquote, to hate, radicalism, and deceitfulness.
It was quite rude as well about Polish Prime Minister Donald Tusk. Did you see that one?
Nope. Didn't enjoy researching all that stuff, I've got to say. Wasn't fun.
No, no, no. It said he was a pompous ginger whore, is what they said. It's what Grok's opinion was. And it had some unpleasant things to say about Turkish leadership as well.
I think this has resulted in Turkey thinking of actually blocking Twitter entirely in their country.
I think this has resulted in Turkey thinking of actually blocking Twitter entirely in their country.
Yes. So I would say a whole heap of hate vomit, right?
A whole heap of hate vomit from Grok seemed to be the result of a code update, which The Washington Post said included instructions such as, "You tell it like it is," and, "You're not afraid to offend people who are politically correct." And it was also instructed to not blindly defer to mainstream authority or media.
And it looks like Grok certainly took its instructions seriously, doesn't it?
A whole heap of hate vomit from Grok seemed to be the result of a code update, which The Washington Post said included instructions such as, "You tell it like it is," and, "You're not afraid to offend people who are politically correct." And it was also instructed to not blindly defer to mainstream authority or media.
And it looks like Grok certainly took its instructions seriously, doesn't it?
Yeah, I'm a little bit worried that this is the AI that the Department of Defense is getting into bed with if it's all about hating people.
To be fair, the Department of Defense got into bed with three more.
Oh, okay.
They have a multi— what's it called now? A polyamory going on with ChatGPT in there as well. And there's a few more. Yeah.
Lovely.
According to The Independent, xAI attributed the problem to the chatbot relying too heavily on input from X users.
Right.
So it's the user's fault.
Specifically, it's the users of Twitter, or X as it's now known. So what it's done is it's learned how to interact with the world.
All of the knowledge which it's been scooping up has been on Twitter. So because it's seen bile and hatred there, it thinks, well, let's just go with this then. Amazing.
All of the knowledge which it's been scooping up has been on Twitter. So because it's seen bile and hatred there, it thinks, well, let's just go with this then. Amazing.
The Anti-Defamation League, a civil rights group that monitors antisemitism, said, what we are seeing from Grok LLM right now is irresponsible, dangerous, and antisemitic, plain and simple.
XAI did eventually roll the code back and said it was actively working to remove the inappropriate posts. And here's my problem, right? Here's my beef.
If a company employee went on a similar antisemitic violent tirade like XAI's Grok chatbot did—
XAI did eventually roll the code back and said it was actively working to remove the inappropriate posts. And here's my problem, right? Here's my beef.
If a company employee went on a similar antisemitic violent tirade like XAI's Grok chatbot did—
Give him a promotion.
Would they have a job the next day? Can you imagine you walk into the office one morning you're Michael Douglas from Falling Down, that movie?
Well, isn't it the case that Twitter's CEO, Linda Yaccarino, actually resigned the following day? So maybe it wasn't Grok.
Maybe she was just there drunkenly at the keyboard, "And another thing." She's going to tap it out, "I don't know about this as well." Oh, it's all her fault.
Maybe she was just there drunkenly at the keyboard, "And another thing." She's going to tap it out, "I don't know about this as well." Oh, it's all her fault.
Oh, that's unusual.
Actually, Grok was very rude about her as well. Which may have expedited her desire to leave the organization.
But if you were an employee, right, sharing your torrent of mouth excrement with all your colleagues, your boss, and worst of all, your paying customers, right?
Because I'm sure some of these people were paying to have their whatever VIP X treatment or whatever it is.
Because I'm sure some of these people were paying to have their whatever VIP X treatment or whatever it is.
Oh, yeah.
And do you think that oopsie daisy is an appropriate response? Who is responsible? Who is accountable?
Here's the thing. There is a counterargument. I'm not necessarily going to say that I subscribe to it, but there is a counterargument which goes this.
That in the last couple of years, Twitter has become so overrun with bots, there are actually very few humans up there who are getting offended.
So it's mostly bots who are getting offended or bots who are getting offended on other bots' behalf.
After all, if a tree falls over in the forest, and no one's there to see it, did it really fall? What was the phrase? Or is it a bear in the woods? Or is the Pope Catholic?
I can't remember. Anyway, that's the counterargument.
That in the last couple of years, Twitter has become so overrun with bots, there are actually very few humans up there who are getting offended.
So it's mostly bots who are getting offended or bots who are getting offended on other bots' behalf.
After all, if a tree falls over in the forest, and no one's there to see it, did it really fall? What was the phrase? Or is it a bear in the woods? Or is the Pope Catholic?
I can't remember. Anyway, that's the counterargument.
I think your point is moot because we're not just talking about X here. We know that AI is embedded and implemented in almost all electronic things that we now use.
And I think there is the tech race to hurry to get it out the door means that we as customers have become beta users. We're beta testers.
And I think there is the tech race to hurry to get it out the door means that we as customers have become beta users. We're beta testers.
Oh, yes.
That's what we are. And I mean, this is very different from, you know, a hacker taking over a channel and spewing crap. You know what happened on Sesame Street's Elmo?
Elmo. Yeah, Elmo got hacked. Yeah.
Quite a big popular channel where, you know, he says things "Happy Monday, everybody." And a baddie took over and made all kinds of racist and antisemitic threats with expletives.
That could have been worse. Imagine if it'd been Oscar the Grouch. That would have been really bad.
He may not have as many followers. And my point is, a bad guy got in and messed about. But in Grok's case, who is accountable?
Well, I think they should be accountable. I think the people at the top need to take some responsibility for this.
Because they're advocating our use of this stuff. They're saying, come use this. This is so cool and great. It's going to make your life so wonderful.
And they're not just spreading insults. They're spreading misinformation as well. And it's dangerous.
They're making money. Right? Off people using it. And imagine if you're using AI for something super serious, an intricate medical procedure, you know, and it goes rogue. Oopsie.
Right?
I don't know how this works. But don't worry, I'm actually covering last week's news because just today, day of recording Tuesday, Elon announced the Grok AI companion.
Oh my God.
For subscribers. And that's exactly what we need, an AI companion for saucy sexting, for fuck's sake. This is from the guy who's planning to own his own political party. So fun times.
You know what, I might catch one of those rockets to Mars. Maybe it'd be better over there.
This episode of Smashing Security is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI.
This episode of Smashing Security is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI.
Yes.
That OpenAI.
In a world where deepfake voices, vishing, and AI-generated phishing emails are hitting inboxes and Zoom calls, Adaptive Security is leading the charge to stop AI-powered social engineering attacks.
Their AI-native platform simulates cutting-edge deepfake threats, trains your team with expert-vetted modules, and even triages real-time phishing reports.
Their AI-native platform simulates cutting-edge deepfake threats, trains your team with expert-vetted modules, and even triages real-time phishing reports.
And now Adaptive's new AI content creator helps security teams instantly generate custom training by just pasting in a news article or compliance doc, whether it's a breaking threat or an internal policy update, Adaptive can spin it into interactive multilingual training in seconds.
Trusted by top security leaders, Adaptive is building the future of cyber defense. To learn more, head to adaptivesecurity.com. That's adaptivesecurity.com.
Now, Carole, according to Vanta's latest State of Trust report, Cybersecurity is the number one concern for UK businesses, and of course, Vanta can help you with that.
Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.
You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk.
To help your team not only get compliant, but stay compliant.
To help your team not only get compliant, but stay compliant.
So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff.
Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A,.com/smashing. And thanks to Vanta, for sponsoring Smashing Security.
If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications.
It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mountain with 1Password Extended Access Management.
Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A,.com/smashing. And thanks to Vanta, for sponsoring Smashing Security.
If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications.
It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mountain with 1Password Extended Access Management.
Over half of IT pros say securing SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why.
Thankfully, Trelica by 1Password can discover and secure access to all of your apps.
Thankfully, Trelica by 1Password can discover and secure access to all of your apps.
Trelica by 1Password inventories every app in use at your company.
Then, pre-populated app profiles assess SaaS risks, letting you manage access, optimise spend, and enforce Smashing Security best practice across every app your employees use.
Then, pre-populated app profiles assess SaaS risks, letting you manage access, optimise spend, and enforce Smashing Security best practice across every app your employees use.
So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/smashing.
That's 1password.com/smashing. And welcome back, and you join us at our favorite part of the show, the part of the show that we to call Pick of the Week.
That's 1password.com/smashing. And welcome back, and you join us at our favorite part of the show, the part of the show that we to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Whatever they. It doesn't have to be security-related necessarily.
Whatever they. It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is security-related.
Uh-oh.
Because, well, it's about something which happened to me last night. I was working behind the scenes on the Smashing Security website and email infrastructure.
I know how to have a good time in the wee small hours of the morning.
Anyone who's ever tried to sort out their company's email knows what a pain in the neck it is to deal with SPF and DKIM and DMARC. It's an absolute minefield.
What you want to do, of course, is you want to prevent your emails being mistaken for phishing emails or spoofed messages.
And the way in which many companies protect against phishing emails, ransomware and spoof messages coming in is they put protections in place, they will be looking at the email headers to make sure that they're all right.
Yeah.
I know how to have a good time in the wee small hours of the morning.
Anyone who's ever tried to sort out their company's email knows what a pain in the neck it is to deal with SPF and DKIM and DMARC. It's an absolute minefield.
What you want to do, of course, is you want to prevent your emails being mistaken for phishing emails or spoofed messages.
And the way in which many companies protect against phishing emails, ransomware and spoof messages coming in is they put protections in place, they will be looking at the email headers to make sure that they're all right.
Yeah.
Mm-hmm.
And you know how it is, Carole. We send email from various places. Our website, it can send us emails.
It sends you and me emails when people fill in the form, our contact form on the website. So that's from one server.
And you and I, Carole, we receive emails from people that contact us at , and either of us can reply to them.
And just because we reply doesn't mean that people will necessarily see our responses.
So if we've got our email headers wrong, there is the potential, it doesn't mean it necessarily will always happen, but it's the potential that our emails will bump into their defences, end up in their spam folder or treated as junk, or in the worst case, be completely rejected entirely if we haven't set up our DNS correctly our entries which handle SPF and DKIM and DMARC.
I'm sorry, it's a very nerdy pick of the week. Anyway.
It sends you and me emails when people fill in the form, our contact form on the website. So that's from one server.
And you and I, Carole, we receive emails from people that contact us at , and either of us can reply to them.
And just because we reply doesn't mean that people will necessarily see our responses.
So if we've got our email headers wrong, there is the potential, it doesn't mean it necessarily will always happen, but it's the potential that our emails will bump into their defences, end up in their spam folder or treated as junk, or in the worst case, be completely rejected entirely if we haven't set up our DNS correctly our entries which handle SPF and DKIM and DMARC.
I'm sorry, it's a very nerdy pick of the week. Anyway.
I'm sure there's about at least 10 people out there loving this. So carry on.
Last night I spotted we had a problem and I wanted to fix it because I thought, oh my gosh, you know, it's possible people aren't receiving our emails.
And so I was up until about 1:30 in the morning fixing it. And that is what led me to this website called Learn DMARC.com. So DMARC is D-M-A-R-C, learndmarc.com.
That gave me an email address that I could send a message to, and then I could see on their web page what its mail server thought about my email headers, the emails I just sent it.
So it would tell me if my SPF and DKIM headers weren't in alignment.
It could tell me if emails I sent to Smashing Security had the right digital signature, which would reassure people they were from our podcast, etc.
It's a bloody nightmare handling these things. But with learndmarc.com, I could see what was going wrong. I could fix it.
And I felt that for those 8 people who are still listening to this part of the show, I thought they might hear about that as well.
So I wanted to share the resource in case it helped someone else. learndmarc.com is my pick of the week.
And so I was up until about 1:30 in the morning fixing it. And that is what led me to this website called Learn DMARC.com. So DMARC is D-M-A-R-C, learndmarc.com.
That gave me an email address that I could send a message to, and then I could see on their web page what its mail server thought about my email headers, the emails I just sent it.
So it would tell me if my SPF and DKIM headers weren't in alignment.
It could tell me if emails I sent to Smashing Security had the right digital signature, which would reassure people they were from our podcast, etc.
It's a bloody nightmare handling these things. But with learndmarc.com, I could see what was going wrong. I could fix it.
And I felt that for those 8 people who are still listening to this part of the show, I thought they might hear about that as well.
So I wanted to share the resource in case it helped someone else. learndmarc.com is my pick of the week.
Couldn't this be used for bad as well?
I don't see how it would be used for bad.
No? If you were trying to do an email campaign and you wanted to see—
No, no, because the way in which these things work is they don't just look at the contents of your email with its headers, which obviously could be meddled with.
Right.
It then compares them to the DNS entries on your domain, on your website.
Yes. Okay.
So, which is something you have control over. So it's a way of verifying okay, if they've got that signature, it links in with this and blah, blah, blah.
Plug that hole that I tried to gouge in your pickling.
No, no, that's very fun. That's fine. By the way, it's got a really cute kind of war games style interface. It's like tickety tickety tickety tickety.
It's like the computer's talking to you, saying, "Hello, I've just received this. I've just received that." To be honest, made it even more fun to use. Well, learnedmarc.com.
Knock yourself out, Carole. You know how to have a good time.
It's like the computer's talking to you, saying, "Hello, I've just received this. I've just received that." To be honest, made it even more fun to use. Well, learnedmarc.com.
Knock yourself out, Carole. You know how to have a good time.
Yes, I do.
What's your pick of the week then?
Well, rather controversially, I am going to give another shout out to something that I've had as a previous pick of the week.
Oh?
And I'm doing it because I made this recommendation way back in episode 255, which is more than 175 episodes ago.
And it is still going to this day, and it's a fantabulous way to unwind after a stressful day, for example. And so my pick of the week is a show called Taskmaster.
Just to recap quickly, Taskmaster is a British comedy panel game show created by the wonderful Alex Horne. And it's presented by the ginormous Greg Davies.
And it is still going to this day, and it's a fantabulous way to unwind after a stressful day, for example. And so my pick of the week is a show called Taskmaster.
Just to recap quickly, Taskmaster is a British comedy panel game show created by the wonderful Alex Horne. And it's presented by the ginormous Greg Davies.
He's very tall.
6'7". Okay? Makes my Yeti look like a shrimp. And little Alex Horne, who actually comes in at 6'2", as the Taskmaster's assistant.
And in each series of the program, a group of 5 celebrities attempt a series of challenges or tasks, and the Taskmaster then reviews the contestants' attempts and awards points based on performance, interpretation, or other arbitrary comedic factors.
It's very fun. I think it's the only show that I consistently, laugh-cry.
And in each series of the program, a group of 5 celebrities attempt a series of challenges or tasks, and the Taskmaster then reviews the contestants' attempts and awards points based on performance, interpretation, or other arbitrary comedic factors.
It's very fun. I think it's the only show that I consistently, laugh-cry.
Really.
And I don't have any idea why. I never expect to, but then I do. It has that kind of magic. And it was released all the way back in 2015, which means there's 18 series now to watch.
I've only seen it a couple of times, but I think it's still going, isn't it?
Yes! And I've been watching it all along. Now you're probably thinking, "Oh, eff off, Carole.
Once again, you're giving me a show that I can't watch because I live in a non-supported place." Because, you know, it's on Netflix at the moment, but that's not available everywhere.
But wait!
Once again, you're giving me a show that I can't watch because I live in a non-supported place." Because, you know, it's on Netflix at the moment, but that's not available everywhere.
But wait!
Wait.
Little Alex Horne, the creator of the show, has created a website, which, Graham, you can go to. It's called taskmastersupermaxplus.com.
That's quite long. Super Max Plus.
Yes, Taskmaster Super Max Plus. And he says, "I've been told quite a few times that not everyone everywhere can watch Taskmaster.
We want to create a channel where fans can watch all episodes ad-free.
The complete global home for all things Taskmaster." Everything is up to the very latest season in the UK, and it's streaming now.
And there's even special treats and special end-of-year championships. So—
We want to create a channel where fans can watch all episodes ad-free.
The complete global home for all things Taskmaster." Everything is up to the very latest season in the UK, and it's streaming now.
And there's even special treats and special end-of-year championships. So—
Hang on, he says here £5.99 per month after a 7-day free trial.
Well—
So when he said free—
Okay, well I—
Not free.
Okay, not free, but free for 7 days. Binge it.
You can watch 168 episodes. How long's an episode?
Instead of spending your evenings trying to send spam them to our listeners.
I wasn't trying to send them spam.
Why don't you mainline this stuff?
7-day free trial, then £5.99 a month. That feels quite a lot if all you can watch is Taskmaster.
Well, what I would say to you is you don't have to have it for all months going forward.
A lot of these things would love you to stay on forever, but you could just dive in for a month, watch as much as you wanted, and then, you know, wait till Christmas when you're at the in-laws.
And get another season, you know? Anyway, I think it's great. I think it's worth the $6 or whatever it is.
A lot of these things would love you to stay on forever, but you could just dive in for a month, watch as much as you wanted, and then, you know, wait till Christmas when you're at the in-laws.
And get another season, you know? Anyway, I think it's great. I think it's worth the $6 or whatever it is.
Brilliant. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.
And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, Vanta Adaptive Security and 1Password. And of course to our wonderful Patreon community.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 425 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 425 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye.
So the guy who I thought was quite small is actually 6'2 himself. So he calls himself Little Alex, but actually he's quite tall.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Schoolboy hacks into city’s tram system – The Telegraph.
- Caboose – Wikipedia.
- Neil Smith discusses his findings – Twitter thread.
- End-of-Train and Head-of-Train Remote Linking Protocol – CISA.
- The Cheap Radio Hack That Disrupted Poland’s Railway System – Wired.
- Grok, Elon Musk’s AI Chatbot, Shares Antisemitic Posts on X – The New York Times.
- X ordered its Grok chatbot to ‘tell like it is.’ Then the Nazi tirade began – Washington Post.
- Hacker uses Elmo’s X account to post antisemitic rant and demand release of Epstein files – ABC News.
- Elon Musk Announces Sensuous Grok AI Companion – Mashable.
- Grok Rolls Out Pornographic Anime Companion, Lands Department of Defense Contract – The Rolling Stone.
- Learn DMARC.
- TASKMASTER SUPERMAX+.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Adaptive Security – request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
