
In episode 451 of “Smashing Security,” we meet the cybercriminal who hacked the US Supreme Court, Veterans Affairs, and more – and then helpfully posted screenshots (and even someone’s blood type) on an account called “I hacked the government.”
Plus we discuss how researchers uncovered a creepy flaw that lets attackers hijack wireless headphones, listen in on calls, inject audio, and even turn your earbuds into a stalking device – all without you noticing.
All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Ray [REDACTED]
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Yes. So I can always find them because all I have to do is pull the wire and they will come back to me. Smashing Security. Smashing Security, Episode 451: I Hacked the Government, and Your Headphones Are Next, with Graham Cluley and special guest Ray [REDACTED]. Hello, hello, and welcome to Smashing Security, Episode 451. My name's Graham Cluley. RAY [REDACTED]. And I'm Ray [REDACTED]. Hi, Ray. Thank you for coming back on the show. It's been a few years. I think it's been like 4 or maybe 5. Has it?
Well, it's great to have you back on the show again. For those people who don't remember or have never heard of Ray [REDACTED], what do you do? How are you involved in this crazy world of cybersecurity? RAY [REDACTED]. Well, it's interesting, Graham, because I had two personas. I had my corporate daytime job at a corporation that's a Fortune 500 company. And then at night or in the weekends or whatever, I was this Ray [REDACTED] persona that's on Twitter that does the blog posts. And it's been quoted around cybersecurity circles for many, many years.
So it's like Batman. There's Bruce Wayne and there's Batman and there's—
Right. One of the reasons why people may hear about you is because your son had a tremendous performance, didn't he, at the Olympics? And I think he even got a world record. RAY [REDACTED]. Yes, that's correct. So the Ray [REDACTED] anonymity kind of went out the window once a billion people saw my son competing at the Olympics and everyone knew that it was Ray [REDACTED]'s son. He does not climb under the name Sam [REDACTED], so most people could put two and two together. And so there's really not much of a point to being redacted when it's absolutely known and was kind of plastered all over the world.
Well, it's an incredible achievement. You must be very proud. Well, before we kick off, let's thank this week's wonderful sponsors, ThreatLocker Adaptive Security and Vanta. We'll be hearing more about them later on in the podcast. This week on Smashing Security, we're not going to be talking about how hundreds of gigabytes of data have been stolen by hackers from the European Space Agency. You'll hear no discussion of how food delivery firm Grubhub is being extorted by hackers after a data breach. And we won't even mention how researchers have warned of serious security flaws in quantum computers. So, Ray, what are you going to be talking about this week? RAY [REDACTED]. I'm going to be talking about Whisper Pair, which affects many, many Bluetooth headphones.
And I'm going to be talking about how even hackers are looking for more Instagram followers. All this and much more in this episode of Smashing Security. This episode of Smashing Security is supported by Adaptive Security. Okay, chums, hands up if you've ever clicked a dodgy link and then immediately thought, oh no, I've just handed my entire life over to a bloke in a tracksuit somewhere. Don't worry, you're not alone. That's why Adaptive Security exists to stop your staff from doing precisely that. Adaptive Security is the first cybersecurity company backed by OpenAI, and they provide proper security awareness training that doesn't feel like death by PowerPoint. We're talking real-world examples tailored to your company with phishing, vishing, and yes, even AI deepfake scams, all covered. If someone tries to ring up accounts pretending to be the boss, your team will be ready. And their phishing simulations aren't just any old click this fake delivery email malarkey. You can help prepare your team for advanced social engineering attacks via email, voice, SMS, and video, which take advantage of the sort of information attackers could actually dig up about you and your staff. And now Adaptive's new AI content creator helps security teams instantly generate custom training by just pasting in a news article. Whether it's a breaking threat or an internal policy update, Adaptive can spin it into interactive, multilingual training in seconds. So if you'd rather your employees didn't become the weakest link, head over to adaptivesecurity.com. And then sit back with a nice cuppa, knowing that next time a scammer comes calling, your team might just be clever enough to hang up on them. And thanks to Adaptive Security for supporting the show. Now, chums, if you're going to commit a federal crime, there are, I think, a few basic rules that you might want to follow, okay? RAY [REDACTED]. All right. There are rules, Ray. There are rules. What do you think would be the first rule?
Yeah, don't get caught. I actually think there's a rule before that rule, okay? Yes, don't do it. However, if you break that rule, don't get caught. But there's another rule, which is if you ignore the don't do it rule, maybe— I'm just going on a hunch here— maybe don't post evidence of your crime on Instagram for everybody to see. RAY [REDACTED]. That is a good rule. That is a very good rule. That's basic sort of OPSEC, isn't it? They say you shouldn't do that. Now, unfortunately, there is a 24-year-old chap based in Springfield, Tennessee, who didn't get that particular memo. Because according to documents filed in court in the last week, a person called Nicholas Moore spent the second half of 2023 on a little spree of malicious criminal hacking. And, you know, I say he was hacking. What he was really doing was he was using stolen login credentials to waltz into the computer systems of— hang on, let me just, let me check. Oh yeah, it was just the US Supreme Court and AmeriCorps and the Department of Veteran Affairs. Just big federal agencies. No big deal. No big deal, right? I mean, everyone's got to have a bit of a hobby in the summer. So that was his, was he was breaking into these federal agencies. RAY [REDACTED]. And he was doing this while on Instagram? Well, this is the thing. He was doing this between the end of August and round about the end of October 2023 for 3 months or so. He was accessing the Supreme Court's electronic filing systems, and he went in on 25 different days. Sometimes he went in multiple times in the same day. It's like he was checking his email saying, "Oh, I wonder if there's been an update on the Supreme Court server." You know, "Oh, it's lunch already. Maybe I'll check again after tea." Well, one victim apparently, who's only been referred to by the initials GS in court documents. And whenever I see court documents and they just give initials, I always want to think, "I wonder who that could be." 
I'm not sure who it's gonna be, but this person GS, he stole their full name, their email address, their phone number, their home address, their date of birth. But the hacker didn't stop there. They also obtained the private answers that this mysterious GS had given to 3 security questions. Now, Ray, I'm sure in your career you've come across this issue of those security questions on many occasions and how people respond to them. These sort of, what was the name of your first pet, or what was your mother's maiden name? RAY [REDACTED]. Sure. They're called knowledge-based answers, or KBA. Yeah, you know, a lot of banks use them, and even Yahoo and those big websites always ask for a backup of the backup. And then sort of the last resort, if they can't text you on your cell phone, is to ask the KBAs. The problem is, is that most of those answers are somewhat easy to look up on the public internet, and certainly for someone in the Supreme Court. So it's not hard to figure out what a high school mascot was or what street they grew up on when they're the public figures, right?
Because I remember, for instance, I think it was Paris Hilton years ago. This was before we really had smartphones. She had, was it called a Sidekick or something? That's right. And she had one of those. And her account, which got hacked, was protected by one of these sort of knowledge-based answers, these security questions, which was what is the name of her pet dog? And it was, I think it was Tinkerbell or something. RAY [REDACTED]. But it was a famous dog. Everyone knew the dog. Probably the most famous little teacup Chihuahua who'd ever, you know, ever been on Earth. Sure. Similarly, Sarah Palin, she had a Yahoo account way back when, which got hacked. And again, there were security questions which were all pieces of information you could find out from interviews with her. Because a lot of people will answer those questions honestly. So when they're asked by a bank or an online service to say your mother's maiden name, they will answer it truthfully. But of course, that's a matter of public record. That is something which is possible if someone is determined to find out. And so that's why when sites ask me what my mother's maiden name is, I'm gonna say something like Zaphod Beeblebrox or Zarniwoop or, you know, Xena Warrior Princess. I'm not going to give, mind you, I have just now given my fake one. RAY [REDACTED]. But Graham, the problem with lying on those, 'cause we used to advise folks, especially in the cryptocurrency space, we used to advise folks lie on every single one of those questions. So even if you're putting in special characters and treat them as separate passwords, the problem is if you lie on those, are you going to remember what your lies were? And you could say, but I'll store them in my password manager, right? Well, if your password manager was working at this time, you wouldn't need those reset questions and answers. So it's not necessarily a good idea to lie on them unless the lie is memorable and you don't say it on the podcast.
Yeah, I guess that's the key thing, isn't it? And don't say it on a podcast. I mean, when a site demands them, I do store them in my password manager, but you're right, because I've got a password manager, I tend not to forget what my password is, so I don't need my security answers. But this chap, he was going around and he wasn't just hacking into the Supreme Court's electronic filing system. He was also hacking into other systems. So he hacked AmeriCorps. And for people who aren't in the States, that's a US federal agency that runs volunteer programs. And they connect, I believe, tens of thousands of Americans with community service opportunities and things. He broke into their portal 7 times using some other stolen credentials and passwords. And he helped himself to people's dates of birth, Social Security numbers, email addresses, home addresses, phone numbers, veteran status, service history, all kinds of information. And then he went on again to a third federal service, the Department of Veterans Affairs. Specifically a platform called My HealtheVet, where veterans were managing their healthcare and could view their medical records and get prescriptions and things. And he was accessing these systems over and over and over again. And he stole one individual's medication list, HW. I'm not sure who HW might be. Henry Winkler? What other famous HWs? Harvey Weinstein? We don't want to talk about him. No, no, no, that's not a good one. Don't want him getting any medication. Anyway, he stole their list and he stole their home address and their email and their phone number. And according to court documents, his blood type as well. Wow. Yeah. Now, I can understand from a criminal's perspective why you might steal someone's Social Security number, because that's useful for identity theft. I can understand stealing their address and their date of birth or the security answers. Because that's all valuable data. But blood type?
Why would someone want to know that a Marine veteran is B-positive or something? Are they planning a black market organ trafficking operation? What is the reason for grabbing someone's blood type? RAY [REDACTED]. Well, it's, you know, there's one possible reason is because of the fact that the folks that were storing this, they had no business storing this, the credentials in the same place as the blood type or even the KBA answers, right? Typically you want those in a completely isolated and separate place. So that if one is breached, at least they didn't get the other, right?
You've gotta separate out this sensitive data. You don't want it too easily connected so people can get the full picture of who you are and all of your sensitive information. And here's the thing, he didn't just steal this information like blood type, he posted it to Instagram. RAY [REDACTED]. Oh boy. And he publicly shared screenshots showing this person's full name, their home address, their service branch.
I'm thinking, what's the caption that he's posting? You know, "Just hacked Veterans Affairs. Here's a Marine's blood type. Double tap if you're also AB negative." You know, it's— Yeah. So I've been doing this podcast for years, but I don't think I've ever come across a hacker who publicly posted someone's blood type to social media before. Passwords, yes, or address. People have been doxxed in that way, or credit card numbers. But blood, this is a bit of a new one. So I would imagine, Ray, that if you had done it, not that you are the sort of chap to do it because you are a decent, upstanding fellow who wouldn't break the law and you wouldn't crack people's security. I'd imagine most people would think, well, if I did do something like that, I'd keep quiet about it and hope no one notices. Sure. But this chap, Nicholas Moore, what he did was he posted it up, as I said, on Instagram. He created an Instagram account and he called it, and I promise I am not making this up, He called it, "I hacked the government," was the name. RAY [REDACTED]. That's the handle. Yep. Really flying under the radar there.
Yes. You can't really claim this was just an accidental posting or something like this. So, he posted screenshots of the filing system of the Supreme Court, his access to AmeriCorps service, the veterans' names and information, and yes, the blood type. And he was posting this in July, August, and November 2023. It turns out that one of his posts in July was before, according to the court documents, he actually accessed the system. So maybe he did have access earlier than they think. But he still carried on even after they had closed down his access and he was no longer able to get to it. So, He was showing off, presumably saying, "Look what I did, everyone." Oh, a teaser campaign. He's teasing us that something is coming. But it's crime. It's crime.
Maybe he wanted to be a cybercriminal influencer. Maybe he wanted other cybercriminals to follow him, and then he would be able to sell them— I don't know what cybercriminals want. Rolls-Royces and— gold-plated wallpaper and, you know, whatever the luxury item these cybercriminals want. But, you know, it looks like that was what it was all about. It wasn't ransoming the data. There's no mention in the court documents of extortion demands. He wasn't selling it on the dark web, as far as we know. He wasn't working for a foreign intelligence agency. He was just showing off on Instagram for the likes. RAY [REDACTED]. Now, Graham, that is stupidity. You know, normally we talk about OPSEC, and OPSEC is very difficult. You know, both for professionals and amateurs alike. And so we don't usually shame people for making mistakes around OPSEC because it's very human to do so. But in this case, this is actual stupidity. And the reason why is because when celebrities make a faux pas, their first defense is to scream, I was hacked. I'm the victim. But because his username was I hacked the government, you can't exactly claim that that wasn't you at all, right? They can actually charge him once for each one of those elements of PHI. So you said blood type, height, et cetera. Those, each one of those fields is considered a separate crime when you take it and when you post it. So think about that and imagine you were his lawyer. Well, the interesting thing is I thought they would be throwing the book at him over this. But you know, 'cause it's the Supreme Court of the United States, right? The highest court in the states. Their system security appears to have been lacking in some ways because sure, the anomalous login should have been spotted. I think they should have seen, oh, this user normally logs in from Washington, DC. Why are they logging in from Tennessee, or why someone logged in 14 times today. That's a bit unusual. They should have spotted that kind of thing.
But apparently, according to the court documents, he is facing a maximum of just 1 year in prison. Really? A possible fine of $100,000. My suspicion is that this is being treated maybe a little bit less seriously than if you downloaded a whole load of movies from some torrent site. Sure. So this has been classified as a misdemeanor. Yes, it's the same category as shoplifting or a minor drug possession in most states. RAY [REDACTED]. See, I would have guessed it was not just felony, but multiple felonies. I would have thought that it was like a dozen or so. He must be having some special— there's got to be something more to this story. Either he's cooperating on some other things or something.
Well, he did plead guilty, so I guess that works to his advantage in some fashion. He's scheduled to be sentenced in April. Wait to see what happens there. But yes, 25 intrusions into the Supreme Court, 7 into AmeriCorps, 5 into the Veterans Affairs Association. 3 victims whose personal information, including their medical records and blood type, was splashed across Instagram in an account called "I Hacked the Government." Or actually, maybe if you are going to hack the government, maybe you should do all of those things because that's probably why he did eventually get caught. Before we go any further, I want to say a few words about one of our sponsors this week. ThreatLocker. Most cyberattacks don't start with some genius hacker writing custom malware. They start with something much simpler, like a misconfigured setting, an exposed service, or a security policy that quickly drifted out of line. And in large, complex IT environments, those misconfigurations are everywhere and almost impossible to track manually. And that's why ThreatLocker built Defense Against Configurations, or DAC. ThreatLocker DAC gives you a real-time view of configuration weaknesses across your entire environment. It runs deep checks across every endpoint, not just your ThreatLocker policies, but your operating systems and application settings too. All of it appears in one clean dashboard showing what's misconfigured, how risky it is, and exactly how to fix it. So no more discovering problems after the attackers do. With DAC, you see configuration drift as it happens. You can also check alignment with major security frameworks and see which endpoints don't make the grade. If you want to stop firefighting, harden your environment, and catch hidden risks before they turn into breaches, you need DAC. Try it for free for 30 days at threatlocker.com and find out what's misconfigured before it costs you. Ray, what are you going to talk to us about today? RAY [REDACTED].
So Graham, do you remember way back in the day, I think it was probably 2014 or so when Heartbleed was discovered. Oh yes. And one of the most memorable things about it, and I think you blogged about this at the time, I think I first discovered your blog at this time, was when Heartbleed was disclosed, the researchers had this really cool logo all ready to go, right?
It was a really groovy logo. They had a heart and it was bleeding. It was iconic, really, wasn't it? And I think they created a website as well, all about it.
And following that, we saw a series of other vulnerabilities trying to outdo each other. As these things were discovered, they would come with grander and grander logos. And I seem to remember some even had their own theme tune. Smashing Security, which you can listen to. And it's like, forget the techies who found this actual vulnerability. We're gonna need a marketing and a PR agency to make sure people are writing about our vulnerability by giving it the sexiest name possible rather than a CVE number. RAY [REDACTED]. So it seems to be completely ridiculous that people would put their time into that. And there's been some criticism about it. But I will say this, if you follow responsible disclosure, in most cases, once you tell the vendor, and in confidentiality and under NDA, once you tell the vendor, there's usually a waiting period of either 60, 90, or 150 days to give them time to react. So you kind of have this lull in time where you're literally the only person that knows this zero-day. And you basically, you're hoping that no one else discloses it before it hits the deadline, especially if it's a bug bounty or something like that. So that would be the time that you get the domain name and start preparing yourself for the onslaught of media. And accolades and, you know, getting a hometown parade for your hero. So in this story, this particular group of researchers, they didn't just get the domain name and get a logo, but they actually put up a website and they even made a movie. They made a movie where you could actually see the hack being demonstrated. Now, it wasn't a university, so in fairness, I think they tapped into the theater department and maybe the filmmaking department. But they went to all this great length of disclosing this, and you could find out about it at whisperpeer.eu.
So Whisper Pair is the name of the vulnerability. That's what they're choosing to call this particular problem. And what is Whisper Pair all about?
And the truth is now, Ray, that this just works seamlessly now, doesn't it? When you try and move between different devices. So if you have some headphones and some earphones— oh, hang on a moment. Am I referring to— the 15 minutes we spent before we started recording. RAY [REDACTED]. Well, you're not supposed to tell that part of the story, but yeah, so I am in the lab with a lot of devices and a lot of Bluetooth, and I was just playing around with some of it. But yes, you're absolutely right. Seamless, seamless.
Sometimes there are still challenges with these things, but yeah, sometimes they connect too easily.
So if I were a criminal and someone else was listening to a conversation with their headphones or listening to some recording or something, I could in a way hijack the pairing so that I could listen to the recording instead, or I would be the one on the conversation. Rather than them. Is that right? RAY [REDACTED]. Correct. So on a continuum of harm, so to speak, at one side you could just listen in and say you could get their Jethro Tull music and listen in to them not knowing or whatever.
Yes. Standing on one leg playing the flute.
Follow them, so to speak. So this is why, this is why, Ray, all headphones should be on a wire. My earphones are on a wire. My headphones are on a wire. Because I want to be able to find them so I can always find them because all I have to do is pull the wire and they will come back to me. RAY [REDACTED]. Well, that's very interesting because that was always the criticism. If you walk around downtown London or downtown New York City, you will see people with wireless headphones almost everywhere. That's basically the standard. But the number one criticism has always been that you could lose one and it'd be under the couch, you know, wherever that was. And so that's why they came up with this technology. Basically allows you to find it and make it... Goodness sake. ...beeps and walk around the hotel room or whatever you are.
Just tie a bit of string to it. Just tie a bit of string between the headphones and you and you're fine. Or have a wire. But anyway, okay. So they've got this sort of Find My Device technology in Google, which can be used to find these devices as well. So that can be exploited as well through this vulnerability? Correct. So I've got a question for you, Ray, which is, what is the range of this? You know, how far away can you be to exploit this particular thing? Do you have to be basically breathing down someone's neck or what? RAY [REDACTED]. So Graham, that was my first question as well. And the second that I heard about this, I set up a lab to try to replicate, experiment with it and see if I could push it a little further. And then when the white paper was published, I tried it. And now the researchers said it could get up to 14 meters in their experience, I got up to about 7 or 8, right? So that's sort of, that's a theoretical distance. But my guess is that their lab is probably a little bit more orderly than mine is and has a lot less interference. But the bottom line is no matter what that is, it could be boosted using SDRs or software-defined radios. And we know that because every year at DEF CON, somebody comes up with something really annoying like this, and it's spread much further than the intended 10 meters. Yeah.
So even if they do have to be relatively close, I mean, this is still more than a theoretical threat.
People complain about it. It's like, oh, what's that beeping?
Oh, great. So there is a software patch that people can apply. But now here's the thing.
Oh, yeah. Okay. So it may not be trivial to do this.
So if you are prompted for an update on your headphones or something, probably it is worth considering doing.
Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days? Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. That is Vanta. It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously. Vanta automates all of that. It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies. It also plugs into the tools you're already using and flags up issues before they become a right old mess. So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. And if you use that link, you'll get $1,000 off. So don't forget, vanta.com/smashing. And thanks to Vanta for sponsoring this week's episode. On with the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. RAY [REDACTED]. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. It shouldn't be. Well, my pick of the week this week is not security related. My pick of the week this week is a BBC drama series which has been on TV for quite some time, but I've been bingeing on it lately because apparently they are recording a brand new series. Have you ever heard, Ray, of a show called Line of Duty? RAY [REDACTED]. Yes, I actually have. So you're bingeing the old ones to get prepared for the new ones?
Exactly so. I think they're going to start filming it in a few months. So maybe it'll be out end of the year, early next year. Oh, my wife is a serial binger. She can binge for Britain, let me tell you. She doesn't. So I'm not watching all of them with her, but I'm sort of— Oh, I see. I'm occasionally in the room and thinking, oh, this is jolly good. I should really watch some more of this. But unfortunately, I've got some work to do. So I'm going to have to leave you to it, darling. So yeah, I'll catch up with her later on. But it is fantastic. Line of Duty is a show which follows AC-12. It's a police anti-corruption unit whose job is to investigate bent coppers, which means lots of tense interview room scenes, plenty of twists and turns as you try to work out who the good guys are and who isn't a good guy. RAY [REDACTED]. Now, does the AC stand for Anti-Corruption? I believe it does. Okay, so does that mean that there's 11 other divisions of Anti-Corruption and this is the 12th?
That's a very good question, and one that I've never had satisfactorily answered during the program. Because you, clearly, Ray, we are of a similar mind, because I keep looking at that thinking, well, why is that 12? Why is that? Are there different ones around the country? Maybe there are different ones around the country. I don't know. Anyway, this was a huge hit, Line of Duty, in the UK. And as I said, they recently announced they're making a new series. So I'm binging on it on BBC iPlayer. And I'm desperately trying to remind myself who H is, who is the senior corrupt police officer. All we know is his codename, H. Who could it be? He's believed to be embedded within the force, working with organized criminal gangs. RAY [REDACTED]. Now, do you think H is short for his first name, you do in the redacted documents?
Well, well, this is the thing. There is a suggestion during the programme that H could be the first letter of the surname of the individual who is the baddie. And unfortunately, there are a whole bunch of characters who do have a surname beginning with H. So the writer deliberately wove in lots of characters with H as a second name. RAY [REDACTED]. Sure. So how many characters have the H in it? Oh, at least half a dozen, I think. Including the star of the show, who's Adrian Dunbar. He is Superintendent Ted Hastings, the head of AC-12. Could it be him? Now, he's marvelous, Hastings. He's got a fine line in catchphrases. He says, "Fire a sucking diesel," when he gets some good information, or he goes, "Jesus, Mary, and Joseph and the wee donkey," when he's in disbelief about some new evidence which has come to light. But the thing is, it's very, very well done. It's brilliantly acted. It's marvelously edited. It's absolutely gripping. It really is sort of, "Oh, I've got to watch the next one of this." I will put in a link to the BBC iPlayer in the show notes. And the wee donkey. And the wee donkey as well. Ray, what's your pick of the week? RAY [REDACTED]. Well, Graham, I think we may have broken a world record for a security podcast, because I don't think we've mentioned the word AI one single time yet.
Oh, you've ruined it. You've ruined it.
Oh, no vowels. How do you feel about that, Ray? I'm not a big fan of leaving out letters.
Oh okay. So Claude, which is the AI from Anthropic, now believes that Zien isn't a huge fan of this AI-generated content.
So what am I supposed to feel from this? So I've just been playing the video in the background admittedly with the sound turned off. It looks very AI-generated and there are comments coming up on the screen. RAY [REDACTED]. Well, sure. So that's the film. The film is actually escalating these kind of cheesy — you know what some people call it? Slop, right? The AI slop where you can totally tell that it's AI and it's not just because it doesn't look realistic to your eye, it's just the general way that it's being behaved, et cetera. And by the way, I will tell you, it's a very interesting film and the reaction to the reaction in the film, which was a reaction to other films, oh my goodness, which was generated by Claude, that's really interesting. It's almost like hate-ception.
I was about to say, this is like when I watched the film Inception, you've just gone multiple layers deep now. I'm getting confused. Anyway, how do you feel about all this AI stuff, Ray? RAY [REDACTED]. Well, I said I could see both sides of it. The work that I do every day is there. It definitely is revolutionary and it's completely changed the game even since the last time that we've talked on this podcast. You have to admit the last 15 months have been really unpredictable and every single day things continue to be less predictable.
It is astonishing, isn't it? The speed of development and I'm not sure the world is really ready for it all. I feel like society is struggling to keep up. Government is struggling to keep up, certainly. It feels like the billionaires are in charge and the rest of us maybe don't have much of a say in the way in which we're going. RAY [REDACTED]. There's a lot of elements to it that are just kind of weird. It almost looks like a comic book. The folks that are really behind these are the billionaires that are kind of driving it. And some of the things the AIs are doing, which I mean, again, they're trying on that march towards AGI, et cetera. Some of the things that they do are just plain creepy, but then there's also human beings that are using it in creative ways that I'm not quite sure that we've really thought about the implications of that either. So it's sloppy, it's messy, it's uncomfortable, and apparently now it's also art.
And it's your pick of the week, Forgive the Haters by Matt Zien. Well, that just about wraps up the show for this week. Thank you so much, Ray, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online, what's the best way to do that? RAY [REDACTED]. Oh, so I am Ray[REDACTED].com. That'll take you to either Twitter or Bluesky depending on where you're dialing in from. And my son is Sam Watson.social.
Fantastic. And of course, we're on social media too. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky or Mastodon. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of 451 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. You've been listening to Smashing Security with me, Graham Cluley, and thanks so much to Ray [REDACTED] for joining us this week. Very much appreciate that. And to this episode's sponsors, Adaptive Security, ThreatLocker, and Vanta. And of course, to the chums who've signed up for Smashing Security Plus over on Patreon. They include amongst their number Richard Van Liesum, which sounds less like a name and more like a European castle-owning villain. Billy, no surname needed, just Billy. A bit Madonna or Cher, I guess. Alex Graham Cluley. Grrr, who I assume had to leave early and didn't have time to finish their name. Heisenberg, who's either a Patreon supporter or the world's least subtle Breaking Bad reference. Geoff A, who's forever cursed to be first in the address book and last in people remembering their full name. Bree Bustle, a name that pairs beautifully with crackers. SmY, proof that vowels are optional in 2026. Aubrus, which sounds like a particularly rare Pokémon, Ragnar Karlsson, legally obliged to arrive by longboat, and Sonky Von Repel, who sounds like he absolutely does not tolerate this sort of insolent nonsense about names. Anyway, thanks to all of them, and to everyone else who supports me on Smashing Security Plus. And would you like to hear your name read out at the end of the show from time to time? Maybe have a little bit of fun made out of your name at the same time? If so, consider joining Smashing Security Plus.
You will get early access to episodes without the annoying ads. Just head over to smashingsecurity.com/plus for all of the details. So until next time on Smashing Security, toodaloo, bye-bye. You nervous? Bit, this is the biggie. This could be the ultimate breakthrough, finally. Yep, H in our sights at last. We need to nail this. It's not gonna be an easy ride. No, we need to break DC Taylor. He was caught in an RTA with an NDIU. Hopefully he can help AC-12 establish links with the OCG. Great work. RAY [REDACTED]. Get some rest last night? Yeah, listened to REM on my MP3, then watched DIY SOS on the BBC. Let's do it.
Host: Graham Cluley
Guest: Ray Redacted
Episode links:
- Tennessee Man Pleads in Hacking U.S. Supreme Court, AmeriCorps, and VA Health System – US Department of Justice.
- Paris Hilton’s hacker sentenced to 57 months in prison – Graham Cluley.
- WhisperPair.
- One Tap To Hijack Them All – A Security Analysis of the Google Fast Pair Protocol – YouTube.
- Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking – Wired.
- Line of Duty – Wikipedia.
- Line of Duty – BBC iPlayer.
- Forgive the haters – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- ThreatLocker – Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
- Adaptive Security – request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
