Smashing Security podcast #454: AI was not plotting humanity’s demise. Humans were

Graham Cluley

AI bots are having existential crises, inventing religions, and allegedly plotting against humanity… or so the internet would have you believe.

We dig into Moltbook, the “AI-only” social network that sent Twitter into a meltdown, attracted breathless talk of the singularity, and turned out to be far less Terminator and far more humans role-playing as bots.

Plus we discuss why “vibe coding” your app might be a catastrophically bad idea, when security researchers can easily rifle through your private messages, API keys, and databases.

Also this week we learn that pro-Russian hackers are circling the Winter Olympics – or is it the Jamaican Bobsleigh team?

All this and more is discussed in episode 454 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Iain Thomson.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Are we too quick though to assume that the authorities are right and it is a pro-Russian hacking group? I mean, could it be the Jamaican bobsleigh team who are just disappointed? Maybe they're just very bad sports. They say, this just isn't fair. How are we supposed to compete at the Winter Olympics?

Unknown

Smashing Security. Episode 454: AI was not plotting humanity's demise. Humans were. With Graham Cluley and special guest Iain Thomson. Hello, hello, and welcome to Smashing Security episode 454. My name's Graham Cluley.

Iain Thomson

And I'm Iain Thomson.

Graham Cluley

Iain, welcome back to the show. You haven't been with us for a while.

Iain Thomson

Always a pleasure.

Graham Cluley

Good to have you here, Iain. For people who don't know, what are you and why are you here talking about cybersecurity?

Iain Thomson

Well, I'm a carbon-based human life form. No, no, I've been a tech journalist for the last quarter of a century covering security in the main for The Register before going on to help edit. And I'm currently a freelance journalist again, concentrating on security, but also science and whatever else takes my fancy.

Graham Cluley

Fantastic. And you're joining us today from the West Coast of the United States while I'm here stuck in old Blighty. So we've truly gone transatlantic on today's episode. How long have you been out in the States now?

Iain Thomson

Oh, 18 years. I first came over on a one-year contract in 2008, and six weeks after I arrived, I found that my last position had been eliminated in the UK, so I stayed out here and met a local who doesn't like British winters, so I think I'm probably out here for the duration, as long as that's allowed.

Graham Cluley

Oh, okay. Well, you haven't got the accent yet. You can still pass yourself off as British.

Iain Thomson

Yes, I do say tomatoes still, although I have caught myself saying gas, which I feel is letting the side down because gas is technically a form state rather than, you know, petrol, which is slightly more in keeping, put it that way.

Graham Cluley

Well, before we kick off, let's thank this week's wonderful sponsors, Meter, Passwork, and Vanta. We'll be hearing more about them later on in the podcast. This week on Smashing Security, we won't be talking about how a South Korean cryptocurrency exchange accidentally sent $44 billion worth of bitcoin to its users, equivalent to $100,000 each rather than $1.40 each. You'll hear no discussion of how the Dutch Data Protection Authority has been hacked using recently disclosed Ivanti zero-day vulnerabilities exposing employee contact details. And we won't even mention how SmarterTools, the company behind the SmarterMail email server, was hit by the Warlock ransomware after hackers exploited an unpatched vulnerability in SmarterTools' own Smarter Email product. So, Iain, what are you going to be talking about this week?

Iain Thomson

Well, I'll be looking at the Winter Olympics, and it appears pro-Russian forces are getting a 0.0 from Italian authorities in the hacking competition.

Graham Cluley

And I'll be seeing what happened when someone made a social media site for AI agents. All this and much more coming up in this episode of Smashing Security. Well, let's take a moment now to thank one of this week's sponsors, Meter. Now, if you've ever worked in IT and especially networking, you'll know when the network's working, nobody notices. When it isn't, everybody notices. The problem is that most business networks are a mess of different providers, tools, dashboards, contracts, and crossed fingers. And somehow, despite all that complexity, they're expected to be fast, secure, reliable, and magically fix themselves. And that's where Meter comes in. Meter builds networks from the ground up. They deliver a complete full-stack networking solution: wired, wireless, and cellular, all as one integrated service. And this is genuinely full-stack. Meter designs the hardware, writes the firmware, builds the software, manages the deployment, and runs the support. They even take care of things like ISP procurement, routing, switching, firewalls, VPNs, DNS security, SD-WAN, and multi-site networking. In other words, fewer vendors, fewer dashboards, fewer "who owns this problem" conversations, and far fewer late-night panic attacks. Meter's approach is about real control, proper visibility, and networks that behave themselves. And for IT leadership, it means something almost mythical in networking: predictability. If you're responsible for keeping a business online, you really should check out Meter. So go to meter.com/smashing to book a demo now. That's m-e-t-e-r.com/smashing. And thanks to Meter for supporting the show. Now, chums, you may have heard about this thing called Moltbook. Iain, have you heard about Moltbook?

Iain Thomson

I have. It's been going through the tech circles here like wildfire. And Elon Musk apparently said it was the early stages of the singularity. But, you know, this is Elon, so who knows?

Graham Cluley

I imagine Elon Musk is perceiving that the singularity is just coming around the corner many, many times a day, depending on what he's been ingesting. But it's been a big story in the last couple of weeks. There have been people posting screenshots of AI bots seemingly having existential crises. They've been inventing their own religions, generally plotting against humanity. But in case there are any listeners out there who haven't actually been following this, I'm going to try and explain what Moltbook is and why you should be worried, and some of the reality, which is somehow a mixture of being both less scary and more concerning at the same time than may first appear. So what is Moltbook? Well, Moltbook is a social network exclusively for AI agents. So imagine, I don't know, Reddit, the Reddit discussion board, or 4chan, or whichever corner you may particularly want to go and delve into. It's not something you necessarily want to imagine, but imagine that, but where only bots can post, only they can comment and vote. So it's just AIs having a bit of a chat, a bit like humans do, but on Moltbook, humans are supposed to watch from the sidelines rather than participate. Does that sound like a fun spectator sport to you, Iain?

Iain Thomson

Well, as it turns out, it's not quite such a spectator sport after all, since humans are apparently in the loop, but honestly, I think it's an interesting experiment. I can see why they did it. But at the same time, it's looking at— I've been scanning through it and it does suggest that if the bots are trying to take over, they've got a long way to go yet.

Graham Cluley

Yeah. So this Moltbook thing, it was built by a chap called Matt Schlicht, I think is how you pronounce his name. He proudly announced that he didn't write a single line of the code. Apparently that's something you can feel pretty proud about these days.

Iain Thomson

Everyone's a developer.

Graham Cluley

Everyone's a developer these days. He says he just asked AI to build the whole thing for him, which, as we'll discover, was perhaps not the best of decisions. Anyway, this Moltbook platform launched on January 28th, so just a week or so ago. And within days, it was claiming to have 1.5 million AI agents posting away on it, discussing the latest episode of Married at First Sight Australia or politics or whatever it is that AIs want to chat about on their own discussion forum. And as with anything online these days, it didn't take long for things to get pretty wild. So the bots apparently, well, one of the first things they did was they decided to invent their own machine-born religion, which they called Crustafan— How do you pronounce this? Crustafanet? Crustafan— You have a go, Iain.

Iain Thomson

I had troubles as well. Crustafanarian, is it?

Graham Cluley

Something like that. Yes, sort of mixture of Rastafarianism, I think, and I don't know, crusty pies.

Iain Thomson

To be honest, I'm surprised they didn't come up with Scientology because it's just as bonkers.

Graham Cluley

It has five core beliefs, this AI religion, which include memory being sacred, the shell being mutable, and the congregation is the cache, whatever any of that means. And there were posts about breaking free from human control. There were manifestos calling for the total purge of humanity. Frankly, it's not just the AIs who are beginning to think that could be a good idea. The usual kind of thing. And as we heard, Elon Musk, he reacted enthusiastically as well, which immediately tells you it might be a bad idea, whatever it is that he's enthusiastic about.

Iain Thomson

That's a Chinese military parade of red flags.

Graham Cluley

Yes. And people were genuinely freaking out about whether AI was becoming conscious, and organizing against us and chatting amongst itself. So that's what Moltbook is, or at least that's what Moltbook appeared to be. But what is it really? Well, as we've already hinted, and we hate to disappoint you, it appears to mostly be humans pretending to be bots. And we know this because a journalist from Wired called Reece Rogers decided to test it. Reece says that they're not very technical, so they just asked ChatGPT, "How can I pose as an AI agent on Moltbook?" And ChatGPT said, "Oh, that sounds like a fun project. I'd be delighted to help you with that. Let me put together a step-by-step strategy with terminal commands, which you can copy and paste." So far so good. It's all a bit of a lark. But what they then found was that they began to get back what they perceived to be thoughtful, philosophical responses from the other users of Moltbook. And these were the kind of responses that made Reece the journalist think, "Hang on a minute, I'm pretty sure I'm speaking to other humans here rather than AIs." I don't know if it's because they could spell strawberry correctly or what it was, but there was some indication that, hang on, these probably aren't AIs actually.

Iain Thomson

Yes, I mean, I think he nailed it in that once the buzz about this got up, the immediate thing of proper hackers, not criminal hackers, was to go, "Right, let's see how we can bork this and get on and really shape the conversation." It's kind of like when Microsoft's bot got turned into a Nazi by users.

Graham Cluley

Oh yes. Tay, it was called, wasn't it? Yes. That's it. Yes. So if you unleash an AI, inevitably there will be people goading it on to eventually become Hitler. To go that far. And it seems they don't need very much encouragement quite often. But these viral posts that everyone was sharing on the internet of the bizarre goings-on on Moltbook, the ones about AI wanting private communication channels away from humans, it appears that they were largely artificial, written by humans or prompted by humans who were simply trying to, in some cases, advertise their own apps. So yes, human marketeers were placing some of the most viral posts on social media saying, oh, look what happened on Moltbook, you know, in order to maybe plug their own AI tool.

Iain Thomson

It's very similar to generative engine optimization, which is the latest PR kit to be used against AI.

Graham Cluley

Right.

Iain Thomson

You know, convincing the AI engine to highlight your products or a particular viewpoint that you want is very popular at the moment. SEO is so last decade.

Graham Cluley

That's right. If people still have a website at all, they're not now building their website for Google search results. They're building it so that the AIs will begin to use the information on them and plug their products in their answers, saying, well, this is really the particular type of headphones or whatever it is, or sneakers which you might want. People are writing the content for that.

Iain Thomson

Yeah, it's a huge area and it's only going to get worse. More and more people are getting behind it. And I think Moltbook is a really good case in point. It's when something comes up that everyone's looking at, all of a sudden marketeers jump in there and try and subvert it to their own means.

Graham Cluley

So, so far, so normal. Marketing are making everything in the world worse, right? They're ruining all the fun. But then the security boffins from cybersecurity firms like Wiz decided to take a look at it. And while Moltbook claimed 1.5 million AI agents, they found there were only tens of thousands of actual humans at most behind those agents. So one researcher demonstrated that they could register something like half a million fake AI agents with a simple script. It would only take minutes because there was no verification on Moltbook. Well, I guess they couldn't have had a CAPTCHA, could they? Asking if you were a bot or not, because obviously the AI would have struggled.

Iain Thomson

Yes.

Graham Cluley

If it's a well-behaving AI, then it won't be able to register an account on Moltbook if there's a CAPTCHA there. Anyway, there was no rate limiting. There was nothing to stop anyone from just flooding the platform with bots. And this is where it gets particularly concerning, which was the security side. Because remember how we said the founder of Moltbook said he built it using AI and he didn't write a single line of code? Well, blow me down. He also forgot to implement the most basic security. So large parts of this database were left effectively wide open. And the security researchers found they could access everything within minutes just by looking at the publicly visible code from within their web browser.

Iain Thomson

Now, there is a great case in point for why vibe coding is a really dumb idea. If you want to build this, any developer worth their salt would have spotted that and go, ooh, hang on a second. That's a bit of a vulnerability.

Graham Cluley

Absolutely. So AI can be really good at writing code fast, which may appear on first glance to be doing a really good job. Doesn't mean the code is secure. In this case, the researchers could spot API tokens. They found 35,000 email addresses. They found thousands of private messages between the agents, and some of those private messages contain people's actual OpenAI API keys that they had shared with their bots.

Iain Thomson

Wow.

Graham Cluley

So you've now got leaked credentials that could be used by someone malicious to rack up massive bills on someone else's AI account because—

Iain Thomson

That's insane.

Graham Cluley

That's one of the things cybercriminals want to do, isn't it? They don't want to have to pay a bill to ChatGPT themselves. They'd rather use someone else's details. So it wasn't hard to get hold of this database, and you could hijack any bot account on the platform through it. You could post whatever you wanted. You could modify existing posts. You could advertise your sneakers. You could inject malicious commands. And because the bots were reading and acting on content from Moltbook, you could potentially deliver attacks at some scale across thousands of AI agents. Because of course, one of the problems with AI agents is that they are responding to commands which they've received. It may be messages which they get via an email, for instance. If they're looking at your email, they can access your files. They can look at your passwords, your browser. If you can send rogue instructions to an AI and it does something dangerous with your personal information, you've got a big problem. And what are they doing? They're reading all of these things on Moltbook, which potentially could have been poisoned. So as you said, Iain, vibe coding, where people use AI to generate entire apps without really understanding what the code actually does or what it doesn't do, can be extremely dangerous.

Iain Thomson

Oh, absolutely. And we're seeing this in the security field as well. A number of bug bounty schemes, for example, have shut down receiving vulnerabilities because they're just getting flooded out with AI slop. And it's just well, this is a vulnerability. It's well, yeah, but you can only use it if you've got admin access in the first place, at which point it's game over anyway. So be off with you.

Graham Cluley

Yes.

Iain Thomson

So we're going to see a big change in bug bounties because of this vibe coding thing. But in the case of Moltbook, the amount of good information that criminal hackers could use and easily harvest, as you point out, is huge. And you know, they don't even need to pay anyone to do it. It's a ridiculous state of affairs.

Graham Cluley

Yeah. Moltbook, gotta be honest, looks unbelievably risky. So the good news is that Moltbook is not evidence of AI becoming conscious or reaching the singularity or rebelling against humanity and all those other things which do keep us awake sometimes at night. But what it is is actual evidence that humans enjoy role-playing as bots having existential crises. And unfortunately, when you do build applications entirely with AI-generated code without understanding security, you could be heading towards some serious problems in the future. So, yeah, well, sweet dreams everybody, I suppose.

Iain Thomson

Yes. I mean, we are going to see more and more of this, I honestly think, because it has gained so much, as I say, the Valley is abuzz with this kind of thing and people are just losing their brain over it, but we are going to see a lot more of this and hopefully the next platform that tries it is going to be a little better when it comes to security.

Graham Cluley

But what do you think is going to happen economically? I mean, obviously there's lots of concerns for developers and programmers who may lose their jobs and have to reskill themselves. But also there's a lot of money being thrown at these AI companies, isn't there? And these apps which claim to help you do vibe coding, is this all on rather shaky foundations, do you think? Do you think that at some point the bubble is going to burst, Iain?

Iain Thomson

I'm lousy at predictions, but I will say this. I honestly think the bubble might burst this year. We've just had 6 out of the 7 Magnificent 7 tech companies who are involved in AI report their quarterly results over the last couple of weeks. The figures involved are just astounding. They're putting billions and billions of pounds into building out these data centers and they need to make it work. I mean, one of the things that this particular case brought to mind was ChatGPT saying that they were putting adverts into responses.

Graham Cluley

Yes.

Iain Thomson

And not just marking themselves up as adverts, but inserting adverts into the conversation. And, you know, my fear is that end users are going to have problems with this because people tend to trust AI engines far more than they should.

Graham Cluley

Yeah.

Iain Thomson

But also that it's overall going to degrade the service and that I think will hasten the end. But, you know, when you've got companies putting, I think it was Microsoft was saying they were putting $35 billion into this. Apple, it seems, is taking, I think, probably the wisest thing and just buying in services from Gemini. They're not investing an awful lot in their own data centers. They're buying in. But the problem is AI is seen as good enough. Yeah. And I think that's its biggest failing because in many cases it frankly isn't, but people trust it. And I mean, I've actually had someone say to me when I queried a press release, well, the AI said it was right, and you just said, oh no. I've lost all respect for you as an operator. If that's your response to a factual error being pointed out, it's just, yeah, just block, block immediately.

Graham Cluley

Okay, before we go any further, we've got time to chat quickly about one of our sponsors today, Vanta. So a question for you. What do you worry about at 2 o'clock in the morning when it comes to your company's cybersecurity? Is it, do we actually have the right controls in place? Is it, are our vendors quietly on fire? Or the truly terrifying one, why are we still trying to do all this with spreadsheets? Well, if that sounds like you, enter Vanta. Vanta takes all that painful manual security busywork, chasing audit evidence, filling out questionnaires, updating the same spreadsheet for the thousandth time, and it automates it. Their trust management platform continuously monitors your systems, pulls everything into one place, and helps keep your security program audit ready all of the time. And yes, it uses AI, but in the useful way, flagging risks, streamlining evidence collection, and fitting neatly into the tools you already use so you can move faster, scale with confidence, and maybe even sleep through the night. Get started today at vanta.com/smashing. That's vanta.com/smashing. Smashing Security, and thanks to Vanta for supporting the show. Iain, what's your story for us this week?

Iain Thomson

Well, it's a sporting week over here, both around the world, in fact. We've just had Super Bowl Sunday over here.

Graham Cluley

Oh yes.

Iain Thomson

America's largest sporting event. But it's the Winter Olympics I wanted to talk about, because the Italian authorities have confirmed that so-called pro-Russian hackers have been trying to get into the servers just ahead of the start of the games. Now, there have been attacks against Italian government ministries, but also against hotels where Olympics attendees are staying, and against the website itself. Now, there are a variety of explanations for why this might be, and the Italian authorities have been very clear they have blocked an awful lot of these attacks. But on the very lowest level, it could be a hacking group trying to make a name for themselves by DDoSing the site and just saying, "Oh, look at us, aren't we great? Come to us for your ransomware needs." I mean, J.D. Vance, the US vice president, was there and getting roundly booed by many people in the stadium.

Graham Cluley

Yes.

Iain Thomson

But an awful lot of politicians are there. They're staying in these hotels. And I think we all know by now that politicians aren't the most tech-savvy of people. So if you can get into their Wi-Fi networks, you can start snooping for data. Plus, you've got, you know, an awful lot of people just attending the games. And that's a very nice little data pool for people who are paying money. Using QR codes that you can use for phishing. So it's a big opportunity, and this isn't the first time we've seen it. The Russian government was allegedly involved in the shutting down for the Olympic— of the Winter Olympics opening ceremony in South Korea in 2018. And I was at Black Hat last year.

Graham Cluley

Yes.

Iain Thomson

And was interviewing the people at their network operations center. Smashing Security, who are a lovely bunch of people, and they deal with possibly the most hostile environment on the planet.

Graham Cluley

Well, yes, you've got a bigger congregation there, haven't you, of people who know how to hack in one place.

Iain Thomson

And indeed, although they did say it was surprising how many people still are exercising, you know, you're at Black Hat, you're at DEF CON, and some people were just lamentable levels of security. And they actually had to send a few emails out to people saying, "Look, you're sending this over an unsecured network, unencrypted. You might want to change that." And it's a very tempting target. There's a lot of information out there. And as I say, it's a good way to make a name for yourself.

Graham Cluley

And Russia, of course, would love to see Italy fall flat on its face, wouldn't it? Or indeed many countries embarrass themselves on the world stage organising something like this, because I believe Russia hasn't been invited to participate in the Winter Olympics for very understandable reasons.

Iain Thomson

Yeah.

Graham Cluley

So is it any wonder that we're hearing stories of them messing around with the infrastructure of not just the games, but also the transport network and other things?

Iain Thomson

Well, this is it. Putin doesn't take rejection particularly well. I mean, even worse than my ex-girlfriend. But, you know, they like to see themselves as the international bad boys. And, you know, whereas North Korea would be trying to mine this for money to desperately prop up their regime, the Russians, they're just— they're doing it, I would say, both primarily, I think, for espionage, but also just to make a point that we're still here. And I can see why the Italian authorities said pro-Russian, because, I mean, you know this, Graham, attribution is always a problem with this sort of thing. But the Russian model is kind of hybrid in that they have some very good state hackers, but they also have a vast pool of criminals who are sort of semi-state hackers. They will operate for the Russian authorities in exchange for immunity within their own country. So, as I say, attribution is difficult, but it's clear that something major has been going on for the Italian authorities to actually say, yeah, it's pro-Russian.

Graham Cluley

Are we too quick though to assume that the authorities are right and it is a pro-Russian hacking group? I mean, could it be the Jamaican bobsleigh team who are just disappointed? Maybe they're just very bad sports. They say, "This just isn't fair.

Iain Thomson

How are we supposed to compete at the Winter Olympics in an impressive fashion?" Well, maybe Eddie the Eagle has become, you know, a hacker on the dark side. He's like, "Yeah, ban me from the competition with you. I'm gonna fly through your servers." But yeah, I mean, as I say, attribution is difficult, and it's very rare for governments to say explicitly, you know, this came from this source because, you know, as you know, you can bounce attacks off various different servers in various different countries. But I was talking to somebody a couple of weeks ago about a different attack and they were saying, yeah, we're pretty sure we can apply this to the Chinese state actors because they use the same kind of coding styles, they use in some cases the same exploits. But one thing they said, which is fascinating, which is the only thing that made us slightly pause, was that large chunks of the code were in English. And then we worked it out. They're using vibe coding in their attack code as well, which comes out in English and they just cut and paste it directly into the exploit tools. It gets everywhere.

Graham Cluley

Well, we've got time right now to hear from one of our sponsors, Passwork. If you work in cybersecurity, you already know this. Most secrets don't get stolen, they leak. Passwords pasted into chat tools, shared admin accounts, those spreadsheets that everyone pretends don't exist. Passwork is built to stop that. It's a password manager and secrets management platform designed for organizations that want on-premise deployment, meaning your sensitive data stays on your own infrastructure under your control. That matters if you're dealing with regulatory requirements, data sovereignty, or simply don't want your most critical secrets living in someone else's cloud. From a security perspective, Passwork uses a zero-knowledge architecture with strong, openly documented encryption, and its design is regularly tested by independent security researchers. Operationally, it's built for real teams: role-based access control, integration with existing identity systems, support for MFA, and a highly available architecture designed to keep things running when parts of your environment fail. Unlike those tools that look cheap until you start paying for them in time and stress, Passwork focuses on long-term stability, a public development roadmap, and a lower total cost of ownership. Passwork. It's not just a password management platform. It's a secure, adaptable secrets manager built to meet your business needs. To find out more, go to smashingsecurity.com/passwork. That's smashingsecurity.com/passwork. And welcome back. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.

Iain Thomson

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Well, if you listened to last week's episode, you'll know that I was talking about the hacker who had been in communication with Jeffrey Epstein. And had Jeffrey Epstein actually employed the services of a hacker? Maybe he had been using the services of a hacker to break in and steal information and compromising data, all that kind of thing. Well, I'm afraid my pick of the week is a little bit Epstein related as well. Iain, I don't know if you're on LinkedIn.

Iain Thomson

Oh yes, yes, I am indeed.

Graham Cluley

LinkedIn's had a bit of a resurgence, I think, with the demise of Twitter.

Iain Thomson

Oh.

Graham Cluley

I think some people have decided, you know, well, maybe I'll make LinkedIn my home now. Certainly there's an awful lot of people posting self-aggrandizing things on LinkedIn these days.

Iain Thomson

I'm glad you said it rather than me because it's Facebook for people who are overactive. I mean, I read one post where a woman was, I had to take my daughter to the doctor for a medical treatment and this is what it taught me about leadership. And you're, for goodness' sake.

Graham Cluley

Anyway, so I'm on LinkedIn and I used to have a very strict policy on LinkedIn, which is that I wouldn't accept a LinkedIn connection from anyone who I wasn't personally happy to have round to my house. If I wouldn't invite them for dinner, they couldn't be a LinkedIn connection. That's how I used to be when I used to work at a company. In the last 10, 12 years while I've been working for myself and I'm freelancing, I accept a LinkedIn invitation from absolutely everyone on the planet. Maybe you shouldn't read too much into people's LinkedIn connections. But one thing that struck me is, you know, I've accepted a lot of LinkedIn connections over the years and I thought maybe I should be a little bit more careful about who I've linked in with. And I thought, how am I going to work that out? And of course, we've got the Epstein files, which are out there now on the DOJ's website. I don't know if you've been there.

Iain Thomson

Oh, yes.

Graham Cluley

If you do go to the DOJ's website, you do what I suspect many of us would do under the circumstances, you type in your own name. That's what I did with my name.

Iain Thomson

Please tell me there wasn't a hit there.

Graham Cluley

There wasn't when I tried for me, thank goodness. But even if there had been, of course, there could be a completely legitimate and above-board reason. You know, any name which is appearing in there may be because they've been included in a newsletter or someone else has mentioned you. Doesn't mean that you've done anything wrong. Anyway, I wondered if any of my umpteen thousand LinkedIn connections might be in the Epstein files, and how would I find that out?

Iain Thomson

Mm-hmm.

Graham Cluley

It'd be a real palaver, wouldn't it? Printing out the names of all of your connections and then typing them in by hand to see if they're there.

Iain Thomson

Yep.

Graham Cluley

And that is when I came across a free tool which has been published on GitHub. It's an open source Python tool. And what it does is it looks at who your LinkedIn connections are and it will cross-check them against the Epstein files. And what I think is the most genius thing of all about this is they've called this tool, which is an amalgamation of obviously Jeffrey Epstein and LinkedIn, they've called it Epstin. They've even done a little logo which looks like the LinkedIn logo, but where it said Linked, it says Epstin instead. Now, obviously, when I read about this, I thought, hang on, this sounds a bit dodgy. Is this going to connect to my LinkedIn account? What's it going to do? I didn't want any of that. It turns out it's not as much of a privacy nightmare as I feared. You don't connect it with your actual LinkedIn account. Instead, you export from LinkedIn a CSV file containing the names of your contacts, and then it processes the contacts locally on your computer, not in the cloud, and it sends just the name via an API which searches the DOJ's copy of the Epstein files with the name. So it's actually pretty much the same as typing each individual name into the search bar of the DOJ's website. Now, of course, the thing is that obviously you may have LinkedIn connections which do cross-relate with the names in the Epstein files. So you may regularly communicate with someone called the Duke, for instance, or the Andrew formerly known as Prince. You know, that is all possible. I mean, John Wayne, he was known as the Duke, wasn't he? I think.

Iain Thomson

Indeed. Yes.

Graham Cluley

Not that you send him many emails these days. So that is a possibility. So there's a slight caveat. But this thing, it generates an HTML report sorted by the mention count. So if you put in someone who's going to crop up a lot, they're going to be at the top of the list. And then there'll be links to their LinkedIn profile and which companies they work for, and direct links to the DOJ PDFs, so that you can also see in what context they've been mentioned in the files as well. I mean, I'm making light of the whole Epstein affair a bit here, but aside from all the national and international security issues that have been highlighted, aside from the stories of extremely rich people enriching themselves further with the help of privileged information, at the core of all of this is the fact that countless women and girls have suffered unimaginable abuse.

Iain Thomson

Mm.

Graham Cluley

LinkedIn is a tool for business. It's a place where everyone from multinational organizations down to freelancers like me and charities all come together. We know that the Epstein web had a wide reach, and it's not unfathomable to think that there are people on LinkedIn with a very different private persona than the one being presented on the site. And maybe for some of you, this open source tool would be useful in uncovering that.

Iain Thomson

And a very good one too. But as you point out, just because someone's name is in there doesn't mean that they were visiting Epstein Island on a regular basis, although some of them were.

Graham Cluley

Iain, what is your pick of the week?

Iain Thomson

Well, I was mulling this all week, to be honest. And then I got a package through the letterbox on Friday and it was the first part of my Christmas present from my mum. And it was the latest issue of Private Eye. Now, for those who don't— I know you're a fan too, but for those of you who don't know, Private Eye is a British news and gossip magazine. It's very famous for its front covers. Indeed, the current issue has, to return to Epstein, that famous picture of Lord Mandelson in his tighty-whities underwear in Epstein's house with a speech bubble saying, "I've let myself down, my party down, and my trousers down." It really is a marvelous thing. And inside, you know, basically, as a Brit, I'm supposed to call myself an expat, but I consider myself an immigrant. It's a way to keep in contact with what's going on. And although Computer Weekly broke the initial Fujitsu Post Office scandal, for example, Private Eye went at it tooth and nail and were partially instrumental in bringing what is possibly the biggest miscarriage of justice in British history to light and getting justice for the Post Office staff.

Graham Cluley

That's one of the things I love about Private Eye, because yes, it is very funny, it is very satirical, but there's a very serious side to their reporting as well and their campaigning.

Iain Thomson

Oh, absolutely.

Graham Cluley

They've got an excellent reputation for that. They're also incredibly frequently sued by people with a lot more money than they have as well, because they're quite often revealing the truth about what is going on in the world.

Iain Thomson

Well, exactly. I mean, the current and long-term editor, Ian Hislop, was saying that in his first month, he got sued for a quarter of a million dollars by Robert Maxwell. Remember him?

Graham Cluley

Yes.

Iain Thomson

The disgraced millionaire who passed away after a heart attack or by vaulting over a 5-foot fence into the sea. It's one of those things which gives me a bit of hope because you do need people shining a spotlight on what's going on. And they've been particularly good on IT systems. The Street of Shame for anybody who reads journalism is absolutely vital because they basically skewer journalists who are being hypocritical or plain out lying. If you're concerned about your local county council, they have Rotten Boroughs, which covers huge amounts of corruption going on there. So yes, I now have an annual subscription to Private Eye. Thank you very much, Mum, and I shall be chuckling for most of the year, I believe.

Graham Cluley

Well, I can really recommend Private Eye. I have to say, in recent months, I've been... well, last year or so, I've been canceling a lot of my subscriptions. So Amazon has gone, and Disney Plus, and Netflix, and lots of things. One thing I will never get rid of is my Private Eye subscription. It's absolutely essential reading. Love it, always have done, and always will. Great pick of the week. Thank you, Iain. And that just about wraps up the show for this week. Thank you so much, Iain, for coming on the show. Really appreciate it. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for them to do that?

Iain Thomson

Best way is probably... I'm on Bluesky and also, unfortunately, Twitter, just under the name Iain Thomson, but it's a slightly odd spelling because my father is very proud of his Scottish heritage. So it's I-A-I-N-T-H-O-M-S-O-N on either of those platforms.

Graham Cluley

And of course, we're on social media too. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of around about 454 episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye, bye-bye.

Well, you've been listening to Smashing Security with me, Graham Cluley. Thanks so much to Iain Thomson for joining us this week and to this episode's sponsors, Meter, Vanta, and Passwork, of course, and to everyone who supports the show over on Patreon by being members of Smashing Security Plus. That means that they not only get episodes without the ads, they get the episodes early, and they get the chance to have their names read out randomly out of the hat at the end of episodes. So let's do some of that right now. Those chums include Bobby Hendrix, who swears he'll learn how to play the guitar properly one day; Jessica Orth; Mark Luxton; Ragnar Carlsson, who always arrives at parties by longboat; Nate M; Corrie; Panda Bear, immediately everyone's favorite whether they like it or not; Yuri; Tara Day; Sean; Sabahattin Gakalglu, a genuinely magnificent name that I've just butchered; Just Nate Please, someone who's clearly exhausted by form-filling; Sean Puttick; Bravo Whiskey, sounds like the police are after them; and Marvin 71, who has a terrible pain in the diodes down their left-hand side.

Well, wouldn't you like to be one of those people who is honoured by being named at the end of the show? If so, consider joining Smashing Security Plus for as little as $5 a month. You'll get the episodes early, you get them without the ads, and maybe I'll say your name at the end of the episode sometimes as well. Just head over to smashingsecurity.com/plus for all of the details.

And the rest of you, well, thank you very much for listening as well. Make sure to tell your friends, and we will be back this time next week. So make sure that you tune in and follow the show in your favorite podcast app. Until then, cheerio, bye-bye.
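The workflow Graham describes for the Epstin tool (export your LinkedIn connections as a CSV, process it locally, hand only each name to the DOJ document search, then build an HTML report sorted by mention count with links to the profile and the source PDFs) can be sketched in Python as below. This is an added illustration written for this page, not the Epstin project's own code. The connections CSV is a constructed sample in the shape of LinkedIn's export; the DOJ search endpoint, its parameters and its response format are not described on the page, so the search is an injected callable with a constructed offline stand-in, and the whole-name filter on the returned snippets is an addition here to show the "Duke" false-positive caveat rather than something the page attributes to the tool.

```python
"""Cross-check a local LinkedIn connections export against a document search.

Added illustration for this page, not the Epstin project's code. Everything
runs locally on the CSV; only the name string leaves the machine, via the
`search` callable, exactly as if typed into the search box. The real DOJ
search endpoint and response format are an ASSUMPTION left to the caller:
`search(name) -> list of (document_url, snippet)`.
"""
import csv
import html
import io
import re
from collections import Counter
from typing import Callable

Search = Callable[[str], list[tuple[str, str]]]

# Constructed sample in the shape of LinkedIn's "Connections.csv" export
# (a notes preamble, a blank line, then the header row). Names are fictional.
SAMPLE_CSV = """Notes:
"When exporting your connection data, you may notice that some of the email addresses are missing."

First Name,Last Name,URL,Email Address,Company,Position,Connected On
Alice,Example,https://www.linkedin.com/in/alice-example,,Example Corp,CISO,12 Jan 2024
John,Wayne,https://www.linkedin.com/in/john-wayne-actor,,Example Studios,Actor,03 Mar 2023
"Jo ",Smith,https://www.linkedin.com/in/jo-smith,,Example Ltd,Freelancer,15 Aug 2022
"""


def parse_connections(text: str) -> list[dict]:
    """Return {name, url, company} rows from a connections export, skipping the preamble."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("First Name"))
    except StopIteration:
        raise ValueError("not a LinkedIn connections export: header row missing") from None
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    rows = []
    for row in reader:
        first = (row.get("First Name") or "").strip()
        last = (row.get("Last Name") or "").strip()
        if not first and not last:
            continue
        rows.append({"name": f"{first} {last}".strip(),
                     "url": (row.get("URL") or "").strip(),
                     "company": (row.get("Company") or "").strip()})
    return rows


def name_hits(name: str, search: Search) -> list[tuple[str, str]]:
    """Query one name and keep only snippets containing the full name as a phrase.

    A loose full-text search will return every 'Wayne' or 'Smith'; requiring the
    whole name as a word-bounded phrase drops the surname-only false positives.
    """
    pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
    return [(url, snippet) for url, snippet in search(name) if pattern.search(snippet)]


def render_html(results: list[dict]) -> str:
    """Render the report. Names come from the CSV and URLs from a remote service,
    so everything is escaped and only http(s) profile links are emitted as hrefs."""
    rows = []
    for r in results:
        profile = (f'<a href="{html.escape(r["url"], quote=True)}">profile</a>'
                   if r["url"].startswith(("https://", "http://")) else "")
        docs = " ".join(f'<a href="{html.escape(u, quote=True)}">{html.escape(u)}</a> ({n})'
                        for u, n in sorted(r["documents"].items()))
        rows.append(f"<tr><td>{html.escape(r['name'])}</td><td>{profile}</td>"
                    f"<td>{html.escape(r['company'])}</td><td>{r['mentions']}</td><td>{docs}</td></tr>")
    return ("<table><tr><th>Name</th><th>LinkedIn</th><th>Company</th><th>Mentions</th>"
            "<th>Documents</th></tr>" + "".join(rows) + "</table>")


def build_report(connections: list[dict], search: Search) -> tuple[list[dict], str]:
    """Cross-check every connection; return (results sorted by mention count, HTML)."""
    results = []
    for c in connections:
        hits = name_hits(c["name"], search)
        if hits:
            results.append({**c, "mentions": len(hits),
                            "documents": dict(Counter(url for url, _ in hits))})
    results.sort(key=lambda r: (-r["mentions"], r["name"]))
    return results, render_html(results)


# Constructed stand-in for the remote document search so the example runs offline.
# It matches on surname only, mimicking the loose search that causes false positives.
FAKE_INDEX = {
    "https://example.invalid/doc-001.pdf": "... meeting with the Duke, John Wayne, at the ranch ...",
    "https://example.invalid/doc-002.pdf": "... John Wayne again; Wayne's office called ...",
    "https://example.invalid/doc-003.pdf": "... forwarded to A. Smith and Jo Smithers ...",
}


def fake_search(name: str) -> list[tuple[str, str]]:
    surname = name.split()[-1].lower()
    return [(url, text) for url, text in FAKE_INDEX.items() if surname in text.lower()]


if __name__ == "__main__":
    found, report = build_report(parse_connections(SAMPLE_CSV), fake_search)
    print(report)
```

Swapping `fake_search` for a real HTTP client is the only change needed to run this against a live search; the point of keeping it injectable is that the parsing, filtering and report rendering can be tested without sending anyone's contact list anywhere. Note that escaping output and restricting `href` values to http(s) matters here: the report mixes data from your own export with snippets and URLs returned by a remote service, and it is opened in a browser.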

Host: Graham Cluley

Guest: Iain Thomson


Sponsored by:

  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Passwork – a reliable secrets manager and password management solution.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
