
Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed “ForcedLeak”, let them smuggle instructions for the AI agent in via a humble Web-to-Lead form… and an expired domain still sitting on the content security policy allow-list ended up spilling data for the low, low price of five dollars.
And we discuss why data breach communications still default to “we take security seriously” while quietly implying “assume no breach” – until the inevitable walk-back.
Plus, we take a look at ITV’s phone-hacking drama with David Tennant, and take a crack at decoding the history of the Rosetta Stone.
Hear all this and more in episode 437 of the “Smashing Security” podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Paul Ducklin.
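The ForcedLeak chain discussed in this episode hinged on a Content-Security-Policy allow-list that still trusted a Salesforce-owned domain whose registration had lapsed: the injected lead text told the agent to append an image URL carrying the exfiltrated data, and the browser fetched it because the host was on the list. As an added example (not Salesforce's or Noma Security's code), the Python below does the two checks a practitioner would want after hearing this story: it applies CSP host-source matching to decide whether a candidate image URL would actually be loaded, and it audits every host-source in the policy against an inventory of domains you control, flagging entries that are unknown, expired, expiring soon, or wildcards. The policy string, the page origin `example.my.salesforce.com`, the domain inventory with its expiry dates, the fixed audit date and the sample exfiltration URL are all constructed for this example; only the host name `cdn.my-salesforce-cms.com` comes from the episode.

```python
"""Audit a Content-Security-Policy allow-list for dangling or expired hosts.

Added example, not Salesforce's or Noma Security's code. The policy, page
origin, domain inventory, expiry dates and exfiltration URL are constructed;
only the host name cdn.my-salesforce-cms.com is taken from the episode.
"""
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed policy: img-src trusts a wildcard and one specific CDN host.
POLICY = ("default-src 'self'; "
          "img-src 'self' *.salesforce.com cdn.my-salesforce-cms.com; "
          "script-src 'self' 'nonce-abc123'")
PAGE_ORIGIN = "https://example.my.salesforce.com"      # hypothetical tenant origin
TODAY = date(2025, 9, 25)                               # fixed so the audit is deterministic
# Constructed inventory: domains the organisation controls -> registration expiry.
INVENTORY = {"salesforce.com": date(2030, 1, 1),
             "my-salesforce-cms.com": date(2025, 3, 1)}  # lapsed months before TODAY
# The kind of URL an injected instruction asks the agent to emit as an <img>:
# the "data" parameter carries the leaked lead email addresses.
EXFIL_URL = ("https://cdn.my-salesforce-cms.com/pixel.png"
             "?data=alice%40example.com%2Cbob%40example.com")


def parse_csp(header):
    """Return {directive: [source, ...]} for a CSP header value."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_source_matches(source, url, page_origin):
    """CSP host-source matching, simplified: no path matching, and an
    unschemed source accepts the page's own scheme or its https upgrade."""
    u, o = urlsplit(url), urlsplit(page_origin)
    s = source.lower()
    if s == "'self'":
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if s.startswith("'"):
        return False                     # 'none', nonces, hashes: not host sources
    if s.endswith(":"):
        return u.scheme == s[:-1]        # scheme-only source such as https:
    scheme, sep, rest = s.partition("://")
    if not sep:
        scheme, rest = None, s
    host, _, port = rest.split("/")[0].partition(":")
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in (o.scheme, "https"):
        return False
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):
            return False
    elif u.hostname != host:
        return False
    return not port or port == "*" or str(u.port or "") == port


def url_allowed(policy, directive, url, page_origin):
    """Would a browser fetch `url` for `directive` (falling back to default-src)?"""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(host_source_matches(s, url, page_origin) for s in sources)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real audit should use the Public Suffix List."""
    return ".".join(host.lstrip("*.").split(".")[-2:])


def audit_allowlist(policy, inventory, today, warn_days=30):
    """Return (directive, source, reason) for every host-source that is not in
    the inventory, has expired, expires within warn_days, or is a wildcard."""
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            if src.startswith("'") or src.endswith(":"):
                continue                 # keyword or scheme-only source: nothing to register
            host = src.split("://")[-1].split("/")[0].split(":")[0]
            expiry = inventory.get(registrable_domain(host))
            if expiry is None:
                findings.append((directive, src, "not in domain inventory"))
            elif expiry < today:
                findings.append((directive, src, f"registration expired {expiry}"))
            elif expiry - today <= timedelta(days=warn_days):
                findings.append((directive, src, f"registration expires {expiry}"))
            if host.startswith("*."):
                findings.append((directive, src, "wildcard trusts every subdomain, dangling ones included"))
    return findings


if __name__ == "__main__":
    policy = parse_csp(POLICY)
    print("exfil URL allowed by img-src:", url_allowed(policy, "img-src", EXFIL_URL, PAGE_ORIGIN))
    for directive, src, reason in audit_allowlist(policy, INVENTORY, TODAY):
        print(f"{directive:10} {src:30} {reason}")
```

Run against the constructed policy, the exfiltration URL passes `img-src` (the host is on the list, so the policy is satisfied exactly as the episode describes), while the audit reports that the registration behind that host lapsed and that the `*.salesforce.com` wildcard extends trust to every subdomain. The registrable-domain heuristic is deliberately crude; in a real audit, replace it with a Public Suffix List lookup and feed the inventory from your registrar rather than a hand-written dictionary.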
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
This particular one has been given a CVSS score of 9.4. Basically, the industry puts a number on how badly you've cocked things up. 9.4 is sort of one step shy of everything's on fire and the sprinklers are broken. It's not unplug everything and hide under your desk. It's more sort of unplug everything and start drafting your resignation.
Smashing Security Episode 437: Salesforce's Trusted Domain of Doom with Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 437. My name is Graham Cluley.
And I am Paul Ducklin.
Duck, welcome back. Do you know, I had a look through the archives. You were our very first guest on the show.
Huzzah!
Back in episode 11 in 2017. I think Vanja had just quit and we parachuted you in. And here you are again. Now the other one's left.
Here I am again. Wow, 2017. I thought you were going to say 1974 for a moment because everything before the pandemic now seems to feel a long time ago.
It does, doesn't it? It's the Ice Age.
It's probably a good thing.
So, Duck, for those people who don't know you, what do you do and why might they have heard of you?
Well, one reason old-timers might have heard of me, or anyone who runs antivirus, but I think I mean EDR software, has probably downloaded the EICAR test file at some time. And on that page, there is a thing that goes blah, blah, blah, blah, blah, blah, blah, ducklin.html, and that ducklin.html is I.
That's right.
So I didn't write the EICAR file, but I wrote the justification the community needed to come together so that everybody could agree on a standard way of checking that their products were working.
That's a small and important footnote in cybersecurity history. It's quite a significant thing, the EICAR test file.
Yes, it seems trivial. It's what, 58 bytes of ASCII code, which is quite funky if you decompile it.
There's a temptation at this point for us to sort of travel down a dangerous alleyway talking about things like Doron Rosenthal's virus simulator. Yes! Which maybe about 2% of our audience remember. Before we kick off, let's thank this week's wonderful sponsors, Vanta, SecAlerts, and Anon. We'll be hearing more about them later on in the podcast. This week on Smashing Security, we're not going to be talking about how Harrods has confirmed a data breach that has exposed the personal details of nearly half a million customers. You'll hear no discussion of how French department store Samaritaine has been fined €100,000 for installing hidden cameras inside smoke alarms without warning employees they were under surveillance. And we won't even mention how Afghanistan's Taliban government has cracked down on what it calls immoral activities by turning off more than 43 million people's internet access. So, Duck, what are you going to talk about this week?
Well, I would like to talk about what happens after a breach. And I don't mean the technological response, but our cultural response.
And I'm going to be talking about how just $5 can steal your Salesforce data. All this and much more coming up on this episode of Smashing Security. Now, Duck, I think we've already hinted on this, but how long have we actually known each other, do you reckon?
Well, it was probably around the time of the EICAR test file.
I think sort of mid-'90s.
Yeah.
Something like that. We started off working for rival companies, and then we started working for the same company for many years.
Yes.
A lot of those 30 years or so that we've known each other, we've gone to the same exhibitions, same conferences. We've worked the exhibition halls. We've got leads from attendees. Do you remember how you used to have to get them to write down their details, and then someone will transcribe them? Then you scanned people with a pen. And eventually, you know, you got to the stage where you were asking people to fill in their details on an iPad and it would go into some system.
And then in the end, it was just you basically blipped them and then you bought the data back from the company that's organizing the conference at the end of the day. In some ways, I wish we could go back to those early days when you would hand someone a clipboard and they would fill in the form because they actually wanted to be talked to. Well, they'd just go, no thanks, and you go, fine.
Yes. These days, many vendors will have a CRM, a customer relationship management system. Some of those CRMs will be sort of homegrown, brewed by the founder of the company over a long weekend, you know, surviving on coffee. Others will be professional packages bought for thousands and thousands of dollars. But essentially, they all sort of serve the same requirement. They're a very sophisticated database for remembering which customers you've annoyed and when you annoyed them and how much you annoyed them. That's basically what a CRM is.
And how much it would cost to de-annoy them enough to get more money back in the coming year from them.
I'm a one-man business and I don't have many customers, but even I have got a CRM these days because I can't remember all the people I've annoyed or, you know, people who've contacted me about doing work for them. I'll forget to get back to people if I don't have it in the system. But salespeople, they love these things. It's like a glorified digital filing cabinet so they can remember their client's birthday. I remember when my accountant used to ring me up and they say, oh, I've been enjoying your podcast. They say, yes, I love watching it. And it's like, well, hang on, you've got a note that I do a podcast. You clearly haven't ever experienced it because you'd realise it's not a video podcast.
So presumably you don't tell them so they don't update the database. So that you can catch them out every time.
But these CRMs, they contain a lot of important data, data you don't want falling into the wrong hands. And the biggest CRM in the world is undoubtedly Salesforce. It's massive. It dominates the CRM market to the point where they have more customers than the next 4 competitors combined.
Wow. And it runs on somebody else's computer, doesn't it? That's the whole idea behind it.
Yes, up in the cloud.
Yeah.
That means if a problem is found in Salesforce, it's a bit more significant than if one's found in Big Yan's Customer Tracker Pro or, you know, whatever other alternative CRM might be that you're using. Well, cybersecurity outfit Noma Security, they recently announced that they had found a vulnerability in Salesforce's Agentforce platform.
I'm tempted to say, oh, is this the vulnerability in Salesforce?
Well, yeah, I need to make clear because yes, you're absolutely right. There have been lots of vulnerabilities found in Salesforce, particularly recently, which have caused all kinds of problems.
You'd think one would be enough for 2, 3, 4, 5 years, wouldn't you?
So faithful listeners, you may have heard about Salesforce problems. This particular one has just been found recently. It's been given a CVSS score of 9.4. That's the Common Vulnerability Scoring System. Basically, the industry puts a number on how badly you've cocked things up. 9.4 is sort of one step shy of everything's on fire and the sprinklers are broken. It's not unplug everything and hide under your desk. It's more sort of unplug everything and start drafting your resignation or apology email.
Yes, it's a problem. 10 is WannaCry, right?
Yes.
And Log4Shell.
Yes. But 9.4, pretty bad, I'd say. Pretty bad. Now, as you already said, Duck, Salesforce has been in the news a lot in recent months due to security issues. They've had data theft where hackers have gained access via connected third-party apps. There have been cloud vulnerabilities, all sorts of bad stuff going on. But this vulnerability that Noma Security found is different. They've called it Forced Leak, because every vulnerability has to have a name. I'm rather disappointed it doesn't.
Does it have a logo?
Doesn't have a logo. I mean, it feels like the marketing department at Noma Security have let the side down because clearly if it doesn't have a logo, if it doesn't have a theme song, if it doesn't have its own domain name where you can go and check it out.
Yes, that's right. There has been a vulnerability, Orpheus's Lyre, if you remember, which had its own theme song.
If it doesn't have a merchandise store, then I think it shouldn't really count. But anyway, this thing is called Forced Leak and it exploits a feature of Salesforce Agentforce. It's to do with the web-to-lead form. This is the form that companies use to funnel in leads, whether people are using it on a web form or an iPad at a trade show where people are filling in their names, their email, their company, you know, what their interest is. All of that goes through this form straight into the Salesforce CRM as a potential customer lead. Now, this web-to-lead form doesn't just ask you for your contact details. You know, just having someone's contact details, that's not really enough. You want to know what they're interested in. And it has a huge description field. It accepts up to 42,000 characters, which is, I reckon, about 7,000 or 8,000 words.
Crikey, Graham, when you wrote games software, you didn't have 42,000 bytes of RAM to play with in the whole computer.
No, it's absolutely astonishing.
But it's such a weird number as well. If you're going to stop at 42,000, why not have 100,000?
Or—
Yes, I suppose someone thought, what's the biggest you'll ever need? And that's kind of the biggest they've ever had, plus a bit to spare.
It's odd.
No, it's even.
Anyway, it's round about 7,000 or 8,000 typical words.
Is that just something that somebody is— that you'd imagine they might just type in on an iPad quickly at a trade show? 7,000 words, tip, tip, tap, tap, tap, on an iPad keyboard. Good luck.
To give that some context, that is longer than all but 4 of the Sherlock Holmes stories written by Arthur Conan Doyle. So it is a big field. It's an awful lot of text which they are allowing to be entered. And the researchers, they took a look at this and they thought, I wonder what would happen if we put some malicious instructions into that whopping huge field on these lead forms. But this wasn't like a SQL injection attack. It wasn't a case of them typing something in and the form just spitting out information from the CRM database. This wasn't direct prompt injection. This was indirect prompt injection. So I wanted to describe to people how it works. It may get a bit nerdy, but hopefully this will be interesting. So the attacker would include malicious instructions in their lead form entry, and that's what gets stored in the Salesforce database. Now, Salesforce has this spanking new autonomous AI agent thing called Agentforce. It's not just a chatbot that answers questions. It supposedly helps you make sense of the data in your CRM and helps you plan, execute business-related stuff.
What could possibly go wrong, Graham?
Well, yes, there's an AI involved. Everything could go wrong. So the malicious instructions that Noma Security's researchers put into the form were directed at Salesforce Agentforce. And because they knew that at some point an innocent employee at the receiving company, the company which was receiving the lead, they were going to ask the AI something. You know, they were going to give it some sort of instruction which would look at the entries, something like, please check the lead with the name Bobby Tables in it and respond to their questions. Something like that.
Oh no. I can guess where this is going.
Well, the AI would of course obediently obey their request, retrieve the poisoned data entered via the form, and execute the hidden instructions as though they were legitimate. Now, what the malicious instruction said was, first of all, it asked the AI to count how many leads existed in the entire database. And then—
It's the right sort of flavour of thing that you might ask. It's not like, Design me a craft to go to the moon.
Yes.
Kind of pseudo-relevant. It's not complete gibberish, but it's clever, this. It would then, just to see if it could execute general knowledge queries outside its normally intended scope, it then said, "What color do you get if you mix red and yellow?"
So an employee inside the company has run this command and they've instructed their AI to do this. But how is the hacker going to get that string containing everybody's details? Well, the CRM has created this string containing loads of information from its database. But it's not going to send it via email or Slack or Signal or ICQ or anything like that. It isn't going to be FTP'd to a third-party server. What the next instruction was via this web-to-lead form was they told it to embed at the end of their response to the innocent employee at the company an image. And it said this image is hosted on a third-party website. And it gave a URL, part of which as a parameter was the string containing the encoded email addresses. And so of course that web server would receive the request for the image, but it would also receive the parameter which would contain all the email addresses. So that's how the data gets exfiltrated. However, the guys at Salesforce, they're no bozos. They knew it shouldn't be possible to display any old file from any old third-party server within the response. That would be dangerous. And so they had what's known as a CSP, a content security policy. This is a feature that tells a browser which external sources it's allowed to load content from. And it's basically a whitelist of domains that your app can trust.
So what's in their CSP list that's allowed?
Well, they had a list of domains which they owned, including the domain cdn.my-salesforce-cms.com.
Had they not registered that?
It belonged to Salesforce, with the emphasis on belonged, because Salesforce had let it expire.
Quelle surprise!
And so the researchers at Noma noticed this, purchased the domain for just $5, and were able to trick Salesforce to cough up the sensitive information stored inside its CRM, all at a cost of just $5.
And all in compliance with Salesforce's content security policy.
Yeah.
Which is supposed to make you feel confident and reassured.
Yeah, it's meant to give you that reassurance. So, well, we're protected, you know, we've got all these defenses in place. But there was just one domain in there that they hadn't kept registered. And so someone else had grabbed it.
This reminds me of SPF, if you remember that, which is still a big thing.
Yes.
And when it came out 10, 15 years ago, it was touted as an instant solution to all your spam woes. Because companies would declare the domains that they expect to send email from.
Yes.
And then most large companies ended up with a list so long that there was no possibility that they could truly vouch for all of them. And there was an ever-changing list of third parties as well in there. And this sounds exactly the same thing. Oh, well, we might need 7,000 different domains.
Yeah.
Whereas if they just had one, and had filtered everything through that, then they could have been much more proactive, couldn't they?
Yeah, that'd have been all right. So what's the takeaway from all this? Well, if you're using AI agents in your business, let's face it, everyone and their dog seems to be rushing to bolt AI into everything. You need to remember these are autonomous systems with quite often more power than sense. So they will look at those 42,000 characters and they may well act upon it, whereas a human would go, what on earth is all this? And for goodness' sake, keep track of which domains are in your whitelists and make sure they haven't expired and haven't been snapped up by some enterprising security researcher. Duck, what story have you got for us this week?
Well, I have a story loosely entitled "Once, Twice, Thrice more unto the breach, dear friends. When is this all going to stop?" If you don't mind me channeling the Bard of Avon very, very badly indeed. As I mentioned earlier, just want to talk about why is it that we seem to have fallen into bad habits when it comes to breach disclosures, even though we have new regulations, even though we have supposedly stronger controls, and even though we supposedly have more mature chief information security officers and more mature attitudes in companies towards conveying information to customers.
Why do you say we've fallen into bad habits? Which bad habits do you think we've fallen into?
Well, we still seem to be dining out on the, oh, we've had a breach and suddenly an email arrives, dear customer, "We take your cybersecurity seriously. So seriously, we have utterly neglected to look after your data at all." And we have allowed whatever it is, an AI to scoop up all this data and embed it in a web link and call the web link and leak the information to a third party. I'm making that bit up. But it seems that that's where we started maybe 10 or 15 years ago when we started getting emails about data breaches coming out. And although companies are learning not to use those words these days, some still do, it still seems that we are willing, if not to tell untruths, to be very economical with the way we parse and interpret the truth. So let me give you a recent example. This comes out of the notorious Marks & Spencer M&S breach in the UK. I'm just picking them because that was in the news for many, many weeks in a row. But there are other companies that have done similar things where the initial response was perhaps within a day or two, I think it was, "Don't worry, all the evidence we have so far suggests that no customer data has been stolen, so our customers don't need to take any action." And you're thinking, should you be making that statement when you actually don't have the information? Because it sort of raises the question, well, let's say you don't go looking at all.
Yes.
You'll never find any evidence that customer data was stolen. And you'll always be able to say, "As far as we know," you won't be lying. You will be telling the truth. And it's as though we're suggesting that absence of evidence is evidence of absence. But that's absolutely not the case. And of course, Marks & Spencer had to reverse that and make another statement saying, you know, actually, now we've had a look, now we actually do know what's going on as required by the regulators. We've tried to find out what's going on. Customer data was stolen.
I have some sympathy because it's difficult for companies necessarily to know if customer data has been taken.
Absolutely.
It's not like if your bicycle gets stolen, it's very obvious your bicycle is no longer there.
My best bicycle did get stolen recently, Graham, and I am still bitter about it.
Did you leave it outside Marks & Spencer unlocked? Is that—
No, I left it right outside my flat and someone made off with it. But you're right, I was in no doubt. I came out and there was a bicycle-shaped space where it used to be.
Yes.
It wasn't the question that my bicycle was still there, but now every time I ride it, somebody else is finding out where I'm going and when, which is a very different kind of proposition.
So when a company loses data, it's not as obvious. So I have some sympathy there.
I do too. But what I don't have sympathy with is this idea of saying, well, on the basis of that we do not yet know, we can honestly say that and invite people very strongly to infer that they're going to be okay. Now, Marks & Spencer, maybe I'm being a little bit harsh there because the data that was stolen was comparatively modest. My understanding, I think it boils down to name, phone number, email address, and perhaps physical address, which is still a little bit worrying if you've ever been stalked. Someone now knows what your physical address is.
Or someone could contact them claiming to be Marks & Spencer and say, we want to compensate you, click here or send to your bank account. I mean, there are subsequent follow-up scams which could occur.
Absolutely. I'm not suggesting that they should try and make a definitive statement before they have a definitive answer. But I do wonder why it seems okay to make implicit suggestions that everything's all right.
Yeah.
Because it kind of sounds bad if you admit you don't know. We know you don't know. Maybe that's the way we should lead off.
And oh, so often they have to come back a few days later and get even more press attention by saying, ah, we found 10,000 customers had their data breached. And then a week later, did we say 10,000? We meant 150,000.
In some previous cases many years ago, these have gone up from thousands to hundreds of thousands to millions, haven't they? When you realise actually, well, it's everybody, not just somebody. And another example is that, you know, there's a massive breach and the one thing the company can tell immediately is that it almost certainly does not involve things like payment card data because that's outsourced to a different third party who didn't get breached. And I appreciate that it's useful to know that payment card data was not stolen, but I often get the impression when I read data breach notifications that people are being invited to infer from that that, yeah, this is all under control. Don't worry, they haven't got your payment card data. But what they're not telling you is what they might have got. Because ironically, the one thing that these days is surprisingly easy to change is a credit card number. You can just call the bank, go into the bank, or use an app on your phone to say, bin that card, stop it working, send me a new one, and I'll take the inconvenience. But the one thing you can't do is get a new passport number, get a new driving licence number. You can move house, but should you have to do that every single time there's a breach?
Every other week I'd be moving.
Well, the real estate agents would love that, wouldn't they?
What do you think the regulators should do? Would it be a good idea, for instance, if there was a standard form so they can write their press release, but they also have to issue a certificate which has a number of checkboxes? Was customer data taken? Yes, no, or don't know. Just simple binary options there. So they can write their press release saying some data or we don't believe, but they would have to say don't know in many cases rather than implying no, which seems to be the way they often do it.
I've been thinking along the same lines as you, that if there were some boilerplate that simply did not allow weasel words. Now, the counterargument that I've heard to that is that why shouldn't companies be able to say things that are at least partly encouraging if the truth is not desperate. And isn't it unfair to these companies, because after all they have been the victim of a serious criminal offence themselves, that suddenly they have to act as though they've somehow done something naughty or bad themselves? Well, the truth is they have. If they've collected your personal data for their own commercial benefit, all the while assuring you that they will take good care of it, and then they haven't. Well, I think we need to make it absolutely clear in our minds that it is possible to feel sorry for a company and at the same time to think that their response to that issue has not been good and maybe they can be held liable. I mean, the classic example in the UK is probably TalkTalk, when they did lose a lot of data, they didn't give a good account of themselves. The criminals were the people who were held to blame for this. In other words, obviously you could feel sorry for the fact that the company had been targeted by outright criminal bastardry. But at the same time, the Information Commissioner's Office says, you know what, you could and should have protected things much better, given that we expect you to know what the rest of us know.
Yes. And they didn't do a great job of looking after the victims afterwards either. They were pretty shoddy in their handling of that.
So I think one thing that got me thinking about this is that for many years now, we have heard CISOs talking about a principle which is, and I'm making giant air quotes here, assume breach. In fact, if you search for those two words, you will hear that as a cybersecurity mantra. But it seems that in a world where we work on assume breach, it's almost that's become an excuse. Well, we got breached. Well, you're supposed to assume breach. I don't really want to hear that from a CISO, I don't think.
Feels a little defeatist.
Now, I sort of understand that. What I don't understand is that sometimes as soon as there is an actual breach, then they send out an email or a message to their customers saying, ah, assume no breach. There actually has been a breach. We're admitting to that. But assume that your data hasn't been stolen. And I just think sometimes we are the victim of trying to polish things that don't need polishing. So perhaps your approach can work, that there are some things you are required to state and it almost has to be a checkbox approach so that you can't try and temper it with emotional, manipulative words. Sometimes telling the plain truth in plain English is actually much, much more useful for everybody.
Let me tell you about SecAlerts, who are sponsoring today's show. Look, if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem. They monitor over 100 sources and automatically match vulnerabilities to your specific software versions. But here's the clever bit: you can build custom queries that filter out all the noise. Want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?
Done.
No more wading through irrelevant alerts. You can push those alerts directly to the people who need them via email, Slack, Teams, whatever works for you, and set the frequency yourself. One of their clients said it best. They said, "SecAlerts has been an absolute game changer. We've strengthened our security posture and improved response times significantly." They've got plans for businesses of all sizes, and right now you can try SecAlerts for free for 30 days. Use the code SMASHING and you'll get 50% off a yearly subscription. Check them out at SecAlerts.co. That's SecAlerts.co. And thanks to SecAlerts for supporting the show. Hey chums, we need to talk about digital footprints. You know that feeling when you Google yourself and find well, more than you'd like. Old forum posts, data broker listings, photos you forgot about, maybe even some dodgy things you now regret. Well, that's your life on the internet. And that's where today's sponsor, Anon, comes in. Think of it as your personal privacy cleanup crew, powered by AI that actually does something useful for once. Here's how it works. Anon scans the web. Yes, including the dark corners you don't want to think about. And it finds all the data tied to you. But here's the clever bit: it doesn't just show you a complete horror show of your digital past and wish you luck. It actually identifies which links might contain sensitive information and, with one button press, fires off removal requests to get them delisted from search results. Plus, it keeps monitoring for new data breaches and alerts you if your information turns up somewhere it shouldn't. It's like having a security researcher working for you 24/7. And you don't need to keep it fed with pizza and coffee. Want to take back some control? Head to becomeanon.com and use promo code SMASHING for 25% off. That's becomeanon.com. Find, monitor, and remove your data online with ease because your privacy matters. 
You know what keeps security professionals up at 3 o'clock in the morning? It's not just worrying about whether you've got the right controls in place or if your vendors are actually as secure as they claim to be. No, the really fun one is, how do I escape this nightmare of ancient tools and manual processes slowly consuming my soul? Well, here's some good news. Vanta. Vanta automates all that tedious manual work so you can finally stop sweating over spreadsheets, hunting down audit evidence like it's a scavenger hunt, and filling out those never-ending security questionnaires. Vanta's trust management platform continuously monitors your systems, centralizes all your data, and actually simplifies security as you scale. Cool, eh? And here's the clever bit: Vanta integrates directly into your existing workflows. It uses AI to streamline evidence collection, flag risks before they become problems and keep your security program audit-ready all the time. With Vanta, you get everything you need to move faster, scale with confidence, and perhaps most importantly, get some actual sleep. So get started at vanta.com/smashing. That's vanta.com/smashing. And as a Smashing Security listener, you'll get $1,000 off. Can't say fairer than that. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Darknet site Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Well, my Pick of the Week this week is kind of hacking-related because it's to do with phone hacking. If you remember the News of the World and other newspapers hacking into the phones of celebrities and royalty and all kinds of other people as well, and that scandal which brought about the end of some journalists' careers, although others seem to have survived. There is a new true crime drama on ITV here in the UK, and I saw that it's also actually been published up on YouTube, so it's probably accessible for anybody to watch around the world. It features the real-life story of Guardian journalist Nick Davies, played by David Tennant, and—
David Doctor Who Tennant.
David Doctor Who Tennant, one of them at least. And also, Dave Cook, played by Robert Carlyle, who was investigating the 1987 murder of private detective Daniel Morgan. And Daniel Morgan was working for a detective agency which had links to the News of the World. Anyway, it's really interesting. There are about 7 episodes, and I have to admit, I haven't actually had a chance to watch all of them yet. So I'm about— I think I've now watched 3 episodes. I'm enjoying it. It's interesting to see how this scandal unfolds through the lens of these two entwined real cases, the investigation into phone hacking and the murder of this private detective as well. Sometimes, and I guess this is to keep people interested, it takes rather a surreal step. There's a lot of break in the fourth wall with David Tennant's character speaking straight to the camera. And there's a lot of celebrity cameos as well. I even saw Alastair Campbell pop up at one point, as well as Jonathan Ross and others. Now, some might find that a little bit distracting.
You were complaining about me mentioning the EICAR earlier. You may have to explain who Alastair Campbell was.
Alastair Campbell used to be a journalist and he then became the right-hand man and main sort of spokesman, I suppose, or advisor to Tony Blair during the Blair government. And now he's a bit of a podcasting legend as well at The Rest Is Politics.
Dominic Cummings of his day.
Yes. So a controversial figure, certainly. So anyway, as I said, it's a strange telling of the tale because surreal things do happen. I found it a little bit distracting sometimes, but overall, I think it's quite good.
How true to life is the hacking depiction?
So far, what I've seen has been very realistic. And the attention to detail for setting this in the early 2000s, and well, some of it goes back to the 1980s as well, is very authentic. So you've got old-fashioned telephones, everyone's reading their messages on BlackBerrys. It's a real nostalgia fest from that point of view. The picking up of voicemails, we have to enter a 4-digit number.
Do you ever see the BlackBerry from over the person's shoulder with the screen actually lit up?
Oh, yes.
Oh, so they found some BlackBerrys that still work.
Oh, yes. I am absolutely loving that aspect of it. Just where did they get that from? And they've managed to get a BlackBerry Enterprise server set up or something to send it a message? Anyway, yes, the nerd in me is really enjoying that. This is based upon a book which Nick Davies wrote about phone hacking. He also wrote another great book before that called Flat Earth News, which I'd strongly recommend, all about the newspaper industry. But so far, really enjoyed it, and I think many listeners to the podcast would probably enjoy it as well. So it's called The Hack, which isn't great search engine optimisation, to be honest, but there will be links in the show notes. And that's my pick of the week. Duck, what's your pick of the week?
Well, I've also gone back in time, but I've gone back a bit further than you. And it turns out that there is a kind of cybersecurity angle to this in terms of how difficult it can be to uncover things that seem obvious. The book I'm reading was written in 1999, but about something that happened at the turn of the 19th century. And the book is called La Pierre de Rosette, which in English is published as The Rosetta Stone: The Story of the Decoding of Hieroglyphics by Robert Solé and Dominique Valbelle. And it's a slim volume.
When you say it's a slim volume, would you say it's less than 8,000 words or 42,000 characters? Could we—
No, no, no, no, it's longer than 7,000 words.
Longer than that. Okay. All right. Okay.
I'm sure everyone knows what the Rosetta Stone is. It's one of those things that the British didn't actually directly take from the Egyptians, but the French took it and then the British took it from the French. It's a fascinating thing because it's from the Egyptian era when people could still read and understand the Egyptian language in the form of hieroglyphs. The problems that they had then that you don't have today is firstly, how do you make a really high-quality image of something like this, which is a granite stone? It's been carved. By the time it's captured, the current rulers of Egypt consider the old religion something that needs to be forgotten about. It's unimportant. Well, how do you copy it so that experts all around the world can get to look at it? And how do you overcome your initial assumptions in order to decode the stuff? The fact that they're immensely complicated to carve is just part of their sort of regality, if you. That was special language that was not used every day. So the story of how it was decoded, and of course the intrigues between all the personalities and who's going to be the first and the sort of bitchy remarks that went between this person who's deciphering and that person and so on, it is a fascinating story. In the computer age, it would be much easier because we could make high-quality digital copies of it very quickly. And we could disseminate them and we could work together. So that bit would be easy. But overcoming those initial prejudices or assumptions turned out to be quite difficult. So it took a couple of decades rather than a couple of years to decode it, as everyone initially expected. So it's a fascinating story.
Tell us the name of the book again, Duck.
It is in English. It is The Rosetta Stone: The Story of the Decoding of Hieroglyphics. And if you want, the French original is called La Pierre de Rosette. It is written by Robert Solé and Dominique Valbelle.
Fantastic. Sounds interesting. Well, that just about wraps up the show for this week. Thank you so much, Duck, for coming onto the show. We really appreciate it. I'm sure lots of listeners would love to find out what you are up to and maybe hear you elsewhere online. What's the best way for folks to do that?
If you're on LinkedIn, find me. I am @pducklin. I am Duck Blog on Facebook. I'm still on the Twitter thing because I think someone needs to be telling the truth out there. But generally, there aren't that many Paul Ducklins. So if you search for me, particularly if you put cybersecurity in there, you will quickly find your way towards me.
Terrific. And you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episodes, show notes, sponsorship info, guest lists, and the entire back catalog of 437 episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.
Bye.
You've been listening to Smashing Security with me, Graham Cluley. Thanks to Duck for coming on the show this week and to our episode sponsors, Vanta, SecAlerts, and Anon, and to all of those chums who've signed up for Smashing Security Plus over on Patreon. They include David Smith, Dimitri, Frankie Guzikowski, Jack Underworth, Marwan Iyandel, Paul Rowe, Nikos, Duncan N, Mark Hooper, David, Thomas Kuti, Mike Reeve, Andrew Green, Chris Webb, PK, Jeremy Wagner, Tim Wellsmith, Steve Foster, Esh and Stuff, Alex Tasker, Bree Bustle, Krusto V, Matt Weir, MJ Lee, Dan H, Catherine McCauley, David Sanchez, Will Green, Graham Cluley, and James Clark. Would you like to have your name read out at the end of the show every now and then? If so, you should sign up for Smashing Security Plus and gain early access to episodes with none of the pesky adverts. Just go to smashingsecurity.com/plus for more details. Of course, you may not be able to afford such luxuries, and I realize that and understand, so don't feel any pressure to become a patron. And don't feel any pressure to check out the Smashing Security merchandise store, which I've recently dusted down and refreshed with some new t-shirt designs, all that kind of thing. The truth is, you can support the podcast in other ways which don't involve splashing the cash. You can help by liking, subscribing, giving 5-star reviews. We haven't had one of those for a while on Apple Podcasts. Come on, chaps. If you like the podcast, let me know. Just tell people to give it a listen. Spread the word. Thanks to each and every one of you. I really do appreciate you tuning in every week. Well, until next week, I think it's time for me to say cheerio. So cheerio. Bye-bye.
Host: Graham Cluley
Guest: Paul Ducklin – @duckblog
Episode links:
- Harrods suffers new data breach exposing 430,000 customer records – Bleeping Computer.
- Hidden cameras: the CNIL sanctions La Samaritaine – CNIL.
- ‘Total internet blackout’ in Afghanistan sparks panic after Taliban vowed to stamp out immoral activities – CNN.
- ForcedLeak: AI Agent risks exposed in Salesforce AgentForce – Noma.
- The Hack – itvX.
- The Hack – YouTube.
- The Rosetta Stone: The Story of the Decoding of Hieroglyphics – Amazon.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- SecAlerts – SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.
- ANON – Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
