
Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did – and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon.
Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped ship for a rival.
All this and much more is discussed in episode 434 of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Lianne Potter. Hear them chew over catastrophic fast-food security, insider threats with extra fries, and why even the biggest brains in AI can’t stop themselves from doing something utterly stupid.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And also, this one seemed really bizarre to me. How many times employees say, "You rule," because apparently that is an important business metric. The BK menu makes sure my stomach prospers. Onion rings, chicken fries, a Whopper, any food I think is proper. You rule! Smashing Security, Episode 434: Whopper Hackers and AI Whoppers with Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 434. My name's Graham Cluley.
And I'm Lianne Potter.
Lianne, welcome to the show. Lovely to have you back again.
Yes, indeed. Very nice to be back. I'm very excited about this.
Now, of course, regular listeners will know you from your past appearances. You are the cyberanthropologist and the host of that tremendous podcast, Compromising Positions, which isn't about awkward yoga positions, is it? It's about something a bit different.
Yes, it's a cybersecurity podcast where we look at all the potential compromising positions in an organization and how to prevent that, thinking about it from an anthropological perspective. So, a little bit of a different take on cyber, I think. And obviously, absolutely innuendos throughout, because with a name like Compromising Positions, which I do suggest you don't put that into your corporate laptop when you Google it. Yeah, we have to kind of live up to our namesake.
Fantastic. Well, before we kick off, let's thank this week's wonderful sponsors, 1Password, Drata, and Vanta. We'll be hearing more about them later on in the podcast. This week on Smashing Security, we won't be talking about how the US Department of Defense routinely left its social media accounts wide open for hijacking through exposed livestream keys, allowing attackers to push out anything they liked. You'll hear no discussion of how video streaming platform Plex has suffered its third data breach in a decade, meaning users have to reset their passwords again. And we won't even mention how WhatsApp's former security boss claims he was given the boot because it ignored his warnings they were violating their legal requirements when it came to privacy and security. So, Lianne, what are you going to talk about this week?
Well, I'm going to talk about how the big brains in AI might not be that smart when it comes to covering their tracks when they're stealing intellectual property.
Ooh. And I'm gonna be asking if you want fries with that. All that and much more coming up on this episode of Smashing Security. Now, chums, I want to tell you a story about a couple of ethical hackers. One is called Bob Da Hacker and the other one is called Bob the Shoplifter. I don't think those are the names they were born with necessarily.
I don't know these days with naming conventions. It might be.
It's possible, isn't it? Anyway, they have detailed what they describe as catastrophic vulnerabilities in the computer systems of RBI. Now, you might be wondering, Lianne, who the heck are RBI?
Royal Bird Institute?
No, not the Royal Bird Institute. Nothing that. You might be thinking, well, how big a deal can this mystery organisation called RBI be if you've never heard of them? Well, RBI is Restaurant Brands International, and it is the parent company behind some mega brands: Tim Hortons and Popeyes and Burger King. They've got over 30,000 locations worldwide, so they're a pretty hefty deal. And according to a detailed exposé of RBI's technical failings put together and posted on the Bob the Hacker blog, they say that the security of this company, which I've said is behind Burger King, Tim Hortons, and Popeyes, they say their security was about as solid as a paper Whopper wrapper in the rain.
Are we talking about modern paper wrappers then, in the rain?
Oh.
Because this was back in the '90s. I remember those things would last forever. Hang on. You're not just a cyber-anthropologist.
You're also some kind of expert on the wrapping of fast food.
Absolutely. You've got to be well-versed in all of culture, and that includes the different types of wrapping of takeaways.
Well, they're saying it's really not that solid at all, is my takeaway of what they're saying. And they also say they are impressed by something. They say they're actually impressed by the commitment to terrible security practices.
If you're going to excel on something, why not excel full-heartedly? That's what I say.
That is some serious shade that they are throwing at the security team at RBI and Burger King, isn't it? Now, fortunately, these guys are ethical hackers, and their stated mission is to crack systems to uncover security vulnerabilities and report them in an effort to make the world a better place, to improve security, rather than using this access to exploit it for their own enrichment. And thank goodness there are people out there who find vulnerabilities for the greater good rather than to fill their pockets.
Indeed. Filling their pockets and filling their bellies as well? Is that what's coming up?
Exactly. What are they going to do with all this power? Well, in this particular case, they found it remarkably easy to access these systems. But of course, they'd need a password. And the problem was that they didn't have a password. And that's a big problem, isn't it? When you need to get into a system and it's demanding a password, what are you going to do if you haven't got one?
Well, I guess if you're an ethical hacker, there's plenty you can try and do.
Yeah, I suppose you could use a list of past passwords. You could maybe try and phish someone. You could try and trick someone into giving you a password. Or you could take advantage of the fact that RBI doesn't actually require you to have an account, because they haven't disabled new sign-ups on this particular web-based system. Anyone could go there, register a brand new account, and they were promptly sent a password to access the system.
Right.
And they were sent that password via email in plain text.
Oh no.
So, yes, yes, it is 2025, and people are still sending passwords in plain text. So it wasn't a link where you could set your own password. They were generating a password and then sending it to you in your email. This is a big no-no, isn't it?
It's a massive no-no. Very generous of RBI to do so for this purpose.
Very kind.
Very kind. It saves a lot of time, a lot of effort. You know, we're all busy people, including the hackers, you know, just to get to where we need to in and out.
Well, according to Bob the Hacker and Bob the Shoplifter, this was all they required. And they were able to get through the door. And once they were through the door, all kinds of other security problems revealed themselves. Because these guys managed to very easily give themselves a master key to the entire world of Burger King. No password required. They found they were able to access the company's global store directory, not just the store names, but they could see the names of the employees. They could see their personal information, their phone numbers, their addresses, their email account details. Their internal IDs, configuration details. They found they were able to access even RBI's equipment ordering website.
Crazy. So literally the keys to the Burger King kingdom.
Exactly. Yes, you were now the king of Burger King. Absolutely. And they found they were now able to access RBI's equipment ordering website. Now, that was protected by a password. So that's good news, isn't it?
Mm-hmm.
But it turned out the password was hardcoded into the HTML. So all you had to do is view the source of the webpage to see what the password was.
Which with my fat fingers, I'm always accidentally doing that anyways. I'm constantly— People must look over my screen sometimes and say, "Oh, she's an elite hacker. She's always looking at the source." No, I've got sausage hands and constantly accidentally doing the short key for it. So what did they— what was the password then?
Ah, yes. So that's the other embarrassment. The password was Burger King POS. Now, I don't know if that POS means point of sale or maybe it means piece of— never mind. But yeah, basically not the best password in the world, Burger King POS. So there they were. They were into that system, which meant they could order every piece of equipment a Burger King outlet could want. So, Lianne, I'm imagining that you would love to be the burger queen in your local area. Yes. You don't want some rubbish old Burger King. You want one with a drive-through, don't you?
I do. I want to feel I've been treated in the position I deserve, which, you know, obviously served on hand and foot.
Yeah.
While my foot is on the pedal.
That's what you deserve. Well, and so you're going to need to equip your little drive-through where people are gonna chug along in their little cars. You're gonna need an audio box that communicates between the driver and the salesperson. You've got it. Just tick a box. You'll get one sent to you. Maybe you wanted a tablet which displays what people can order, you know, whether they want a Zinger burger or whether they want a double cheeseburger or whatever it may be. You can have one of those as well. You can order all of those things. And you can even, of course, via the Burger King site, manage the store's locations, which they have. So if there isn't a Burger King in your particular town, you could add it to the database, which means you could then have sent to you equipment to outfit a Burger King, which doesn't actually exist, but their website does believe exists.
I'm gonna have a lot of disappointed people when they come round to my house wanting their Whopper Meals.
Now, these ethical hackers, they found that they could access all manner of data now they were into Burger King systems. They could also collect drive-through conversations. When they took place, what tone was used? Did the guest smile? That apparently is the requirement if you're working in sales.
I was just about to say, ah, no! They're really recording stuff that, as in the tone and whether or not we smiled.
Oh yes.
That's creepy. That's creepy. No, I don't it. That's worse than just having my conversation stolen.
So, they've got these raw audio files of real people ordering food. They've got transcripts. Sometimes, of course, not just saying, "I'll have a double cheeseburger, please," but actually having private conversations in their car as well, because while you're waiting, all of that is being recorded, is being transcribed, is going into the system. And this apparently was just hidden behind another password. Now, that password— oh dear, again, hardcoded in— that password, do you want to guess? Do you want to guess what that password was?
Wadawoppa?
That would be so much better than the password, which was admin.
No.
Which, of course, yeah, I'm afraid so. So you can now access the drive-through audio system. You can set the volume to blast the eardrums of anyone who visits one of these drive-thrus anywhere at 30,000 locations around the world, if you wish to, or reduce it to a whisper as well. So a huge amount of information. I was telling my wife about this and she said, "Well, why are they recording all these conversations? Why are they doing this?" There's a very good reason why they're doing this.
Go on, then. I want to know this good reason, because this is not nice.
Well, it may not be an acceptable reason, but they've got a reason. They're doing this because they are analysing the audio. They are using AI systems to analyse the recordings that customers make. They record customers' sentiment, the employee friendliness level. So is the member of staff being friendly enough with the customer? Have they managed to upsell? So, you know, someone's asked for a Quarter Pounder and you say, "Well, wouldn't you rather have a full pound of meat between your buns instead?" It's how long it takes them to actually process the order. And also, and this one seemed really bizarre to me, how many times employees say, "You rule," because apparently that is an important business metric. "You rule. If I want a special or just plain, the choice I make is my domain. With every order, I can rein in, have it my way. You rule. The BK menu makes sure my stomach prospers. Onion rings, chicken fries, a Whopper, any food I think is proper. I can have it my way. You rule your season." "You rule!" Apparently, you should get very disappointed if a Burger King member of staff doesn't do this. Supposedly, they're meant to greet you with the phrase "Welcome to Burger King, where you rule."
Can't figure out how you'd fit that into conversations. You, "I'll have a Whopper meal, please." "You rule." "Oh, thanks. With a Coke." "You rule." Okay.
Absolutely. You rule.
I mean, I'm not Putin or anything like that. You don't need to keep telling me this.
So there's obviously some diktat which has come down from head office.
Yeah.
Absolutely bonkers. So people are being judged by this. These are the kind of metrics that are being kept. And I'm afraid these ethical hackers also found a way to access the bathroom rating screen as well.
Right. Okay.
So I don't know if you've been to a Burger King.
I've been to a Burger King.
I don't know if you've been to the lavatory or not, Lianne. You don't have to answer these questions, by the way.
Well, I try to avoid it. I tend to go the hand sanitiser kind of route.
Well, quite often you're asked what your experience was while you were in there, right? You can report how happy you are.
I mean, after a Burger King, you know, it can be a sad face. Is that what they want to know? I can tell them all about that if they want.
Well, it turns out these researchers found that anyone in the world could spam bathroom reviews for every Burger King location in the world. Saying it was out of toilet paper, or saying that the bog was blocked, or you wouldn't even have to go within a mile of their restrooms to give it a bad review. Quite astonishing. And with their admin power, these researchers could add and remove existing Burger King stores. You could even open a Burger King on the moon if you wanted to. You could edit employees' accounts if someone wanted a promotion. Sure, why not? Go and have one. You could access store analytics and sales data. Huge amount of information. Now you're probably thinking, okay, these researchers, they've done this, but are they acting responsibly?
I should hope so.
You'd like to think so, wouldn't you?
Yes, because, oh, maybe there was a little bit of fun involved though, actually. I would like to play around with this a little bit myself. But then that's because the power would go to my head and there's no way I could be an ethical hacker because I don't think I could act ethically in that way.
You have to show restraint. Well, these researchers thankfully did show restraint. And so they told RBI, the parent company, on the day they found the problem, the first day that they were just gobsmacked within hours of gaining access and thinking, crikey, this is so bad, we have to tell them about that. And to RBI's credit, they fixed the vulnerabilities on the same day. Brilliant.
That's a well-resourced security team.
Well, yeah, good in some ways, because RBI never got back to the researchers. They never acknowledged what they had done. They never commented on the vulnerabilities. They never said so much as a thank you. They didn't send a gift voucher to go and have a milkshake or something at their nearest branch. They never got back to them.
I would like a big box of little paper crowns if I'd done something like that.
Oh. You understand, people, that would motivate me. If I had a little crown and a sash, and I could pretend to be King Graham for a day, I'd be happy with that. I don't need money if I find a vulnerability. Just a medal. Something like that would be fantastic, wouldn't it?
A royal warrant?
So, RBI never got back to them. But, someone else did.
Oh.
Because Bob Da Hacker received a DMCA from a security firm that RBI employed in the wake of discovering they had a security problem. So that was basically a legal request asking Bob the Hacker to remove their blog post. It specifically said that you have used the Burger King trademark in an unauthorized way on your website, and you've created a high degree of confusion amongst the public.
I mean, the burger-eating public are absolutely paying attention to the website on a constant daily basis. I know now that I know about it, it's going to be bookmarked, favourited. The routine in the morning is no longer going to be Instagram on the toilet. It's going to be straight to that website and see if anything's changed.
Well, it was more than that. They were actually claiming that the public would in some way be confused that the Bob the Hacker's website was somehow endorsed by or linked with RBI and Burger King. As though that was ever going to happen. As though anyone was ever going to go to Bob the Hacker's website and try and order themselves a cheeseburger and fries.
Don't know, it kind of sounds like a hipster joint. I'm gonna admit that. Like a food truck somewhere.
So the blog post wasn't fake. It was because it contained Burger King's code snippets and some screenshots of their HTML code, which contained the hard-coded passwords. So by claiming copyright infringement, they got the post taken down, even though the real issue was just embarrassment to their security team, I suppose. They also said that the content promoted illegal activity and spread false information and was detrimental to the goodwill and reputation of Burger King and the other brands involved. And so the researchers, Bob the Hacker, Bob the Shoplifter, they decided the sensible thing to do was we're just going to take down our blog post. Now, it's still on the Wayback Machine. Wonderful thing, the Internet Archive, isn't it? So you can still read it, and we've linked to it from our show notes. The researchers have said, no customer data was retained during our research. No drive-thru orders were harmed. We were responsible. We followed protocols for responsible disclosure. They even said, we still think the Whopper is pretty good, but Wendy's is better. So long, and thanks for all the fish. I don't know if they meant fillet of fish.
I think you're in McDonald's territory there, then.
Oh, am I giving my fast food chains mixed up? Oh dear.
Burger King will be after you.
What do you think of this, Lianne? You've been high up in security at different brands in the past.
So have they been hired?
They hadn't been hired.
Did they do the normal thing where you're supposed to say, "If we don't hear back from you, we will disclose it"?
Yeah, I think they didn't post their blog post until—
Until it'd been fixed and stuff.
After the vulnerabilities were fixed, yeah.
You're not going to — I'm not going to go to Bob the Hacker's website and start ordering burgers at all, because it might take forever to get to me, and I don't like cold food.
Very sensible.
No, I feel there is something about responsible disclosure and actually learning from the mistakes. There's one thing that I think we don't do very well in the cybersecurity community, which is share when we've screwed up so that other people can learn from it.
Yes.
And we do that really, really badly. And yeah, and it's things like this, silencing genuine researchers is a really bad practice because yes, we all know that we shouldn't have hardcoded passwords and things in plain text, but sometimes we need reminding about that. And these little kind of very public, you know, big brands that are making these mistakes, it's important for people to know. And I think as well, as a burger-eating person in this world, it's kind of good for us to know that even the big boys make mistakes, and even royalty can sometimes screw up.
Yeah. Yes. I mean, I think obviously it's embarrassing, but it's a lot more embarrassing, I think, to try and get a blog post taken down claiming copyright infringement.
Oh, can you imagine that?
Because that's just focused more attention on this breach that they've insisted upon that. If they'd just simply come out and said, You know what? This is really bad. Thank you so much for telling us about this problem. We've fixed it now. And what's more, they could even have said to these two guys, look, maybe you could come on board. Maybe we can set up a contract for you and you could check our systems every 6 months. You know, let's turn this into a good story because you've actually helped us. Thank goodness it wasn't someone more malicious who was exploiting this.
But no, they've gone the other way. And it's a bit like the Streisand effect. Now everyone will know that they've— Yes, very touchy, very thin-skinned.
I don't know that Barbra Streisand would eat at Burger King. I'm not sure, I think she's a bit too classy for that. Lianne, what's your story for us this week?
Well, I've been reading a lot about people working for AI companies getting 7-figure salaries lately.
Yes.
Absolutely throwing loads of money around, which is one of the impetuses why I'm going back to university myself to upskill in AI because I would quite like some of that delicious, delicious money and a 7-figure salary. However, you think, oh, well, if the likes of Meta and OpenAI are throwing these big salaries around, these people that work there must have massive brains, right? Must be so intelligent, the best of the best, the cream of the crop.
Huge eggheads, I'm imagining.
Turns out that's not the case. It turns out that they may be technically very smart, but they are pretty stupid when it comes to the world of work. And the story I'd like to bring your attention to today, and your lovely listeners, is the fact that xAI, which is Elon Musk's AI company, is currently suing a former engineer because apparently he stole trade secrets. Not only did he steal trade secrets, he first took $7 million in stock trades out of the business before deciding to go for another job at OpenAI. Now, if you are familiar with OpenAI and Elon Musk, they were buddies for a while.
Yes.
Best bros for a while there.
Not so much these days.
Elon's very much a part of the start of OpenAI and a big driving force and a financial contributor to that. However, Elon wanted to do his own thing, and ever since, there has been a bit of a feud between xAI and OpenAI. And as you can imagine, everyone's all competing for the very best talent. And it turns out there was a person, a Stanford-trained researcher, and his name is Xu Shen Li. Probably absolutely decimating that pronunciation, apologies. Allegedly, and I will keep saying allegedly. So he joined xAI. He's been at the company for about a year and a bit, and he's doing some work for them. He received shares of up to $7 million after one year of work. Bear in mind as well that this young lad, this is his very first job as well.
Crikey.
So I had a look at his LinkedIn, because I LinkedIn stalk everyone, and he's done some other roles, but it's just apprenticeship schemes and internships at big companies, mind, but not actual paid work. So his first paid job was at xAI, and within a year, within a single year, $7 million cash becoming available to him. So, what did this chap do? Well, he's working for xAI, and then he decided, actually, I want a job at OpenAI, and he actually succeeded in getting a job. He handed in his notice just after he sold his $7 million in shares, because there was an opportunity, a buyout opportunity there. And then, he decided the moment, and literally this is documented in the case files, which I've included a link for if anyone's interested in, it's a very interesting read, the moment he handed in his notice, then began to transfer intellectual property from xAI, of all the things he's been working on, onto his personal device.
Ooh.
Yes.
Which isn't the thing you're supposed to do. There is a certain irony here, of course, of an employee of an AI company scooping up a lot of information which didn't properly belong to them. For his own betterment, which of course is exactly what the AI companies have been doing with every piece of information on the internet, regardless of whether they have the right to access it or not. But yes, you're not supposed to do this, are you?
Well, no. And there is a suggestion as well that he did try and conceal the measures he was taking. He was saying, "Oh, I'll just delete my browser history. I'll delete the system logs. I'll rename files and things like that." The security team kind of became wise to it.
Right.
But there's also a suggestion that he actually uploaded this information to OpenAI's GPT models as well.
Oh!
This is what Li did.
And he didn't trust Grok to do it, obviously.
Well, he wants to move away from Grok, and I wonder why. But what makes me laugh about— it's a terrible thing. Insider threat is a very serious thing, particularly a malicious insider, which we can class this, this person's an idiot, but—
A very well-paid idiot. Let's not slag him off too much.
Yeah. What I liked about the legal documentation was, you know what, he signed a piece of paper saying that he'd done the mandatory security awareness training. He signed a document saying that he wasn't going to steal proprietary information.
Well, that's all right then.
I mean, it just goes on and on about all these so-called security awareness safeguards that we, these tick boxes that we all do in all of our organizations where we say, oh, well, you know, if we just tell them you're not allowed to do it and they tick a box saying, I'm not going to do it, then we will be safe. It doesn't work like that in the real world because people have so much more that they want to do in terms of impetus of why they would do bad things. And this is just one of the key cases. Now, the story continues. So they found out that he was doing this. One, being offered a job. If he'd been offered a job at a competitor, I'm thinking where is immediate revocation of access to systems? Because is it a proper direct competitor? Where is the gardening leave on this? Because he was going to literally start within two weeks now.
So, did they know he was going to OpenAI?
They knew after he started buying his shares out. So, they knew then.
Right.
And then, yeah, they started looking into it and going, oh, it looks like he's got a job with a competitor and it's going to start in a couple of weeks. So, he resigned on the 28th of July, and his start date was the 19th of August, which is why I'm saying where is the gardening leave in this? Because surely you would not be able to just start a job with a direct competitor. I've not known jobs to do that normally. But that's not the case here. And not only that, he had full access, but they confronted him about it and he admitted, he admitted he did it. He didn't say the reason why, but he actually wrote down and admitted, yes, I did steal this. Yeah, I did cash in my shares. I am going to OpenAI. Well, I don't know if he still is. All the news articles I read did approach OpenAI for comment and asked them, are you still going to hire this guy? I don't know if I would.
I'd be very surprised if they did.
But surely, does he really think after being caught that he will keep those shares? That his legal costs alone going against the richest man in the world and his legal team, is he going to have any money after this? What a stupid thing to do for your very first job when you're looking at a gravy train. It just blows my mind that people would be so stupid when they're so smart.
It feels he absolutely landed on his feet. He had this incredible job. He was being compensated enormously. Maybe he is in some ways a very clever chap, but it appears in terms of common sense, maybe not quite so mature, perhaps. But yeah, what a way to shoot yourself in the foot.
He'd be an absolutely terrible spy, wouldn't he? It's just as soon as you're approached, no, no, yeah, I did it. No, what are you doing? Get legal counsel, find out. Oh, it's terrible. But I just think it just goes to show that when we're hiring people, you want to hire the very best people, but there are so many other factors at play. And one of the things I've been reading about recently is the psychology about being malicious and the impetus behind it. And there's something called the dark triad of personality. And one of the key components is narcissism entitlement. So, one of the papers I read recently suggested that if you are on the narcissism scale, you feel entitled to take and take and take, and you don't really care about the consequences.
Right.
Now, the concern there is, when you think about, there's another piece of research that suggests quite a lot of CEOs in organisations have narcissistic traits.
Surely not. Absolutely not. I cannot believe that for a second, Lianne.
And we all know that people tend to hire people who are very much themselves. So you look at, oh, wonderful. And you look at the type of people he surrounds himself with, and can you really say that this is not a product of culture? And so, when you think about insider threats, particularly the malicious ones, you kind of reap what you sow there. There's definitely things you could do, sort of checks and balances. If you build a good culture, people won't be incentivized to screw you over, I think. You know, you will have a small minority who just live for the dark side and want to see the world burn. I think there's just something to be said there about actually, you hire people who are yourself, and if you're a wrong'un yourself, then maybe you're going to attract more wrong'uns.
Yeah.
What would you do to prevent people from stealing all their intellectual property when they go to a competitor, Graham?
I'd have a really good canteen in the company.
Oh, Graham, you're making me come back to the office again.
There you go, you see, because they can't feed themselves, can they? So I'd have a lovely restaurant and I'd say, look, of course they're going to offer you $28 million more than we offer you. We understand that. But the food here is so much nicer.
It is. Burger King. We get it from Burger King.
Oh, well, yeah, actually, they could probably set up a Burger King drive-thru, couldn't they? That'd be easy to do.
It's more jealousy than anything that I wanted to bring this story up. What is that about? It just goes to show that money just cannot buy loyalty in this world.
I mean, if Elon Musk wants to offer us a job working for xAI, and we, I think we would split $5 million between us, I think. I would, yeah. And we'd bring our own lunch boxes.
Absolutely.
And we'd never call him a dick.
Not to his face.
You know that feeling when you're juggling 10 different hats at once? You got your risk management hat, your compliance hat, your budget hat. You've got the hat that says, please don't be the person everyone blames for slowing the business down and causing a roadblock. If that's you, then you'll be relieved to know that there is a better way, because GRC— governance, risk, and compliance— it's not just about ticking boxes. Done right, it can be a revenue driver. It builds trust. It speeds up deals. It makes your security program stronger. And that's where Drata comes in. Drata is a trust management platform that takes the boring, soul-sapping stuff off your plate so you can focus on actually reducing risk and proving compliance instead of endlessly chasing evidence or filling in yet another spreadsheet. With Drata, you can automate security questionnaires, evidence collection, compliance tracking. You can stay audit-ready thanks to real-time monitoring. You can simplify reviews with Drata's Trust Center and even AI-powered questionnaire assistance. In short, instead of wasting hours proving trust, you can actually start building it faster. So if you're ready to modernize your GRC program and stop drowning in checklists, head over to drata.com/smashing to learn more. That's drata.com/smashing because with Drata, trust isn't just a box to tick, it's a business advantage. And thanks to Drata for supporting the show. How many SaaS applications are your colleagues using right now? If you can't keep count, don't worry, you're not alone. SaaS sprawl and shadow IT ransomware and ransomware phishing are everywhere. And that's where Trellica by 1Password comes in. Trellica discovers every app in use across your company, whether it's officially managed or someone quietly signed up for it with the company credit card. Trellica by 1Password gives you the tools to assess risk, manage access, and enforce security best practices across the board. 
No more abandoned accounts just waiting to be hacked. No more paying for licenses that nobody uses. No more scrambling when an employee leaves and you're not sure what they still have access to. With Trelica, you can securely onboard and offboard staff, reduce unnecessary costs, and stay on top of compliance. Now, I've used 1Password for years. I love how it takes the headache out of security. And now with Trelica, they are tackling one of the messiest problems in modern IT: SaaS sprawl. Trelica by 1Password is trusted by businesses of every size, and it's backed by 1Password's rock-solid security. So what are you waiting for? Take the first step to cleaning up your SaaS landscape. Secure credentials and protect every application, even unmanaged shadow IT. Learn more at 1password.com/smashing. That's 1password.com/smashing. Right, cybersecurity. Bit of a faff, isn't it? Everyone nods along in the board meeting, then quietly hopes someone else is dealing with it while they go and put the kettle on. Well, that is where Vanta comes in. Think of them as your mate at school who actually did their homework and then lets you copy it. They'll help you get things like ISO 27001 sorted without the headaches. And they don't stop there. SOC 2, GDPR, HIPAA, even the shiny new ISO 42001. Vanta's got you covered. Instead of drowning in spreadsheets and tick box questionnaires, Vanta automates the boring bit, centralizes your security workflows, even helps you manage vendor risk, meaning you can spend less time panicking about audits and more time worrying about what really matters. Like whether you've run out of biscuits in the canteen. And here's the clincher. Because you're a Smashing Security listener, Vanta's offering you $1,000 off if you book a demo. You can't say fairer than that. So go on, give yourself a break. Head over to vanta.com/smashing, take the demo, claim your discount, let Vanta deal with all the dull compliance grind.
Vanta, the first ever enterprise-ready trust management platform. One place to automate compliance workflows, centralize, and scale your security program. Learn more at vanta.com/smashing, and thanks to Vanta for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Ah, well, my pick of the week this week is a website. Now, way back in the day, I used to like computer games back when they were 2D and it just meant going left and right rather than doing anything in 3D and shooting people. I just liked casual video games, you know, on my ZX81 or my Memotech MTX512 on my home computer where I learned how to program, used to love all those things. I'm not so much of a fan of modern computer games, I have to admit, but I like the classics. And I found this website called classicreload.com, which is devoted to the preservation of retro games and abandoned software which is no longer sold. And it has over 6,000 old games which you can play in the browser. So they're sort of emulated inside your browser. Software from the 1980s and 1990s for DOS, Commodore 64, Windows 3.1, ZX Spectrum, and I have to say, it's quite good fun. Are you a fan of old computer games?
I am, and it sounds— as soon as you said it, I was like, that's going to be a time suck. I better stay away from that website.
I've found some old games that I used to love playing. There's a game called Digger or Dig Dug, which I used to play, great fun. CGA graphics on MS-DOS. Kingdom of Kroz, which was written by Scott Miller, who set up Apogee Games. And I think eventually, didn't he end up doing Doom or one of those sort of things? I think he did. And I found a couple of games which I wrote back in the '90s as well, which have ended up archived up there.
Oh, you'll have to share those links specifically, Graham.
Well, I'm a little bit embarrassed by some of them, but anyway, yeah, I suppose I could. So some of those games are up there, and I think it's rather fun. And that is why ClassicReload.com is my pick of the week.
Well, that's a really good pick of the week. And as I say, I'll have to just avoid it for the time being because I know what I'm like.
Lianne, what's your pick of the week?
My pick of the week is a YouTube channel.
Yes.
It's one of those YouTube channels where you get so excited when it comes up in your feed.
Okay.
If you are lucky enough to have a feed that's decent enough that will actually share with you things you've subscribed to. It's called, and this is, it's so up my street, The Bad Movie Bible YouTube channel.
Okay, The Bad Movie Bible.
Graham, do you like bad movies?
I'm probably a bit more of a fan of good movies, but I do seem to watch my fair share of bad movies. I mean, some movies are so bad, they're brilliant, aren't they?
Exactly, exactly. Now, this YouTuber, he's doing God's work.
Yes.
And basically the format is, they're usually about 45 minutes to an hour, so they're really in-depth. They're video essays, and a lot of them are based on knockoffs and fakes of movie genres, movie titles that we all love and are familiar with. So, his recent offerings are the best and worst and weirdest RoboCop knockoffs.
Alright. Would they be things like RoboCod about a robotic fish?
Well, there's all sorts of things. There's one called Fembot Cop, Cyborg Cop, Hobo Cop, and all sorts of things like that. So he basically watches bad movies so we don't have to. So that's why I think he's just doing some amazing saintly work there. But there's been so many films where he's described it, I'm like, actually, that sounds amazing. And I rush out and go, absolutely wacky, this channel.
Have you ever seen Shark Attack 3 with John Barrowman?
Not Shark Attack 3, because I'm worried if I watch Shark Attack 3, I haven't seen Shark Attack 1 or 2. Am I missing out on the story?
I haven't seen Shark Attack 1 or 2, and I was able to follow the plot of Shark Attack 3, but it is quite impressive, I have to say.
So, the Bad Movie Bible YouTube channel. It's a really nice guide if you want to start exploring the most batshit films you'll ever come across. Boy, oh boy, they are very, very good videos. And I absolutely adore just sitting there and planning my next bad movie marathon.
All right, I'm going to look forward to exploring that. Thank you very much, Lianne. And that just about wraps up the show for this week. Thanks so much, Lianne, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What is the best way to do that?
Yeah, come and say hi to me on LinkedIn. I love spending my time there because maybe I'm a narcissist as well. Type in Compromising Positions Podcast. Don't just type in Compromising Positions. You won't find us. You'll find lots of other things that I can't be held responsible for.
And of course, Smashing Security is on social media as well. And you can find me, Graham Cluley, on LinkedIn or follow me on BlueSky where Smashing Security also has an account. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of 434 episodes, check out smashingsecurity.com. So until next time, cheerio, bye-bye.
Bye.
You've been listening to Smashing Security with me, Graham Cluley. I'm grateful to Lianne, the cyber anthropologist, for joining us. And I'm grateful to this episode's sponsors, 1Password, Drata, and Vanta. And of course, to all of those chums who've signed up for Smashing Security Plus and support the podcast via Patreon. They're the folks who make these podcasts really possible and get me out of bed in the mornings, and they include Scotia, Michael Crumb, Darren Kenny, William Reddig, Ryan Hall, Sean, Yan, B Daniel, Ask Leo, Reuben, Stephen Castle, Alan Liska, Matt Cotton, The Green Girl, Mike Hallett, Funky Duck, Alex Tasker, Daniel Kromeck, Jamie Forster, and Elbow. If you'd like your name to be one of those read out on the credits now and then, this is one of the joys of joining Smashing Security Plus. You sign up for as little as about $5 a month and you get your name read out every now and then, as well as early access to Smashing Security episodes, occasional bonus content, and of course, the episodes of Smashing Security that you get early don't have any ads in them. All you gotta do is go to smashingsecurity.com/plus for more details. Now, obviously I realize not everyone is able to support the show that way. That doesn't matter. You can support us in other ways as well. You can like, you can subscribe, you can maybe even give me a 5-star review. That'd be lovely. Anything you can do to entice people to give these humble little podcasts a listen is really gratefully received. Spreading the word via word of mouth is a fantastic way to do it. So thanks to everybody for supporting the show, for listening to this episode, and I hope you'll tune in again next week for more of the same. Until then, cheerio, bye-bye.
Host: Graham Cluley
Guest: Lianne Potter
Episode links:
- We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance – Internet Archive Wayback Machine.
- DMCA notice – Bobdahacker.
- xAI sues former engineer, alleging he stole trade secrets after being paid $7M – San Francisco Standard.
- xAI vs Xuechen Li – Court documents.
- Classic Reload.
- Digger – Classic Reload.
- Kingdom of Kroz – Classic Reload.
- The Bad Movie Bible – YouTube.
- Shark Attack 3: Megalodon – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
- Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.