317: Another Uber SNAFU, an AI chatbot quiz, and is juice-jacking genuine?

Everyone's talking juice-jacking - but has anyone ever been juice-jacked? Uber suffers yet another data breach, but it hasn't been hacked. And Carole hosts the "AI-a-go-go or a no-no?" quiz for Dave and Graham.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


DAVE BITTNER. All right, Graham.


GRAHAM CLULEY. Graham, Dave's coming in.


DAVE BITTNER. I'm on the Wikipedia for BattleBots and it says BattleBots—


GRAHAM CLULEY. Who mentioned that?


DAVE BITTNER. Shut up, Graham. It says BattleBots is an American robot combat television series. The show was an adaptation of the American Robot Wars competitions.

The same competition inspired the British TV program Robot Wars, which acquired the name in 1995. Game, set, and match. Where's your citations?


CAROLE THERIAULT. I can send you the link.


DAVE BITTNER. Just go to Wikipedia and look up BattleBots.


CAROLE THERIAULT. Oh, Wikipedia. Okay. Yeah, no. Yeah, that's—


UNKNOWN. I'm editing the Wikipedia page now. Smashing Security, episode 317. Another Uber snafu, an AI chatbot quiz, and is juice jacking genuine with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 317. My name is Graham Cluley.


CAROLE THERIAULT. Forget that. And I'm Carole Theriault.


GRAHAM CLULEY. Forget what?


CAROLE THERIAULT. Your name.


GRAHAM CLULEY. Well, it's because I almost said my number, because we were just discussing with our special guest whether 317 is a prime number or not.


CAROLE THERIAULT. And they knew it was.


GRAHAM CLULEY. They did. And it is, of course, the CyberWire's Dave Bittner. Hello, Dave.


DAVE BITTNER. Hello. Hello. It's good to be back. It's always fun to be here.


CAROLE THERIAULT. We're very glad to have you. Any news to spout before I get on with the show?


DAVE BITTNER. Same old, same old, usual stuff.


CAROLE THERIAULT. I love having regulars. Before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and hCaptcha. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Beep beep. I'm going to be reporting on another Uber breach.


CAROLE THERIAULT. And what about you, Dave?


DAVE BITTNER. I have a questionable warning from the FBI.


CAROLE THERIAULT. Ooh. And I have an AI quiz show. All this, much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. I love a quiz.


CAROLE THERIAULT. I love a quiz.


GRAHAM CLULEY. Now, chums, chums, headline news, breaking news. Another company has suffered a data breach. Yes, I know. I'm as shocked as you. It is always a surprise when it happens, isn't it?


DAVE BITTNER. Mm-hmm. No.


GRAHAM CLULEY. Well, no, it's not really. No, it's not. And it's particularly not headline news when it's Uber, the world's largest ridesharing company, because they've almost got it written into their mission statement that they will have data breaches. They seem to get their data breached time and time and time again. It's not such a big deal.


CAROLE THERIAULT. How many have they had really, though?


GRAHAM CLULEY. Well, over the last 6 months, it's reckoned they've had about 3 data breaches, at least 3 which they've owned up to so far. So, possibly more. At least 3 in the last 6 months.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And there've been big data breaches at Uber in the past. Regular listeners will remember that Joe Sullivan, who was their chief of security, also had similar jobs at Facebook and Cloudflare.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. He was convicted of covering up a data breach involving 57 million customers and Uber driver records. He also concealed a ransom payment as a bug bounty to hide that they'd been hacked. He falsified non-disclosure agreements with the hackers. He's currently awaiting sentencing. That was one hack they suffered. More recently, the Lapsus$ gang, they accessed Uber's critical IT infrastructure, all kinds of bits and bobs, hijacked their Google Suite account, downloaded Slack messages, and generally embarrassed the company. So it's not that rare for Uber to suffer a data breach.


CAROLE THERIAULT. But they did get a new CEO who said, we are now going to take security super seriously.


GRAHAM CLULEY. Right.


DAVE BITTNER. Your privacy is important to us.


GRAHAM CLULEY. OK, when was that?


CAROLE THERIAULT. About two years ago.


GRAHAM CLULEY. Oh, OK. Well, maybe this is super serious. Like I said, they've only had three data breaches they've owned up to in the last six months. So maybe things have improved dramatically.

Who knows? However, this time, this time, things are different. This time, the hack didn't take place at Uber itself. This time, it was at a law firm that Uber uses.


CAROLE THERIAULT. Interesting.


GRAHAM CLULEY. Genova Burns.


CAROLE THERIAULT. Genova Burns.


GRAHAM CLULEY. Genova Burns.


CAROLE THERIAULT. Is that one person?


GRAHAM CLULEY. Well, like Montgomery Burns.


CAROLE THERIAULT. Burns is a weird name to put, isn't it, in a law firm?


GRAHAM CLULEY. Burns.


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. I guess it's someone's surname. I don't know.


CAROLE THERIAULT. No, but you know, the toilet was invented by someone called Mr. Crapper, right?


DAVE BITTNER. Was it?


GRAHAM CLULEY. Was it really?


CAROLE THERIAULT. Yes. Well, they invented a toilet.


DAVE BITTNER. I think that's mythical. And I don't think the bra was invented by Otto Titzling either.


GRAHAM CLULEY. Oh my goodness. Anyway, Genova Burns has just sent, moving on, has just sent a letter to Uber drivers warning them that their data has been accessed by hackers because the law firm's systems were hacked at the end of January this year. And they say in this letter that information you provided to Uber, including your name and Social Security number and/or tax identification number, was among the impacted data.

By the way, I love it when companies say information including the following.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Well, could you— would you—


CAROLE THERIAULT. Is credit card number in there?


DAVE BITTNER. Who knows, really?


GRAHAM CLULEY. We're not really sure what they've taken. But we do know they've taken these bits. These are the bits we're going to tell you about.

I'd love it if they were actually a little bit more explicit as to what had actually been taken. So it's something of a worry. And many of these data breaches, Genova Burns have said to these Uber drivers, it's not Uber customers, by the way, it's Uber drivers whose data, they've said, look, if you're worried about this, we're offering you some complimentary credit monitoring and ID theft protection.


CAROLE THERIAULT. What, after. After the breach?


GRAHAM CLULEY. Yeah. Which isn't unusual, isn't a company breach to offer something say, look, don't hush, hush, hush, hush. Don't worry too much.

We're going to protect you. All you've got to do is sign up with this firm over here to get your free credit monitoring.


CAROLE THERIAULT. We just need a few tiny details.


GRAHAM CLULEY. We'll need some information to make sure that you're not trying to take advantage, you know, that you are qualified for this free credit monitoring. So they will ask you for, you know, in order to protect you from ID theft and any sort of dangers that, what we're going to do is we're going to ask you to share some personal details with the—


DAVE BITTNER. Whoa, whoa, whoa, whoa.


GRAHAM CLULEY. Exactly. And so you end up giving your information to someone else yet again.

You can also request a credit freeze rather than sign up for one of these services. So you can actually contact the likes of Equifax, Experian, or TransUnion, giving them your full name, Social Security number, date of birth, addresses for the past 2 to 5 years, proof of your current address, current utility bill, a legible copy of your ID, your driving license. I'm not kidding. All of a sudden—


CAROLE THERIAULT. No, but I know you're not kidding, but I'm kind of, I think anyone listening right now knows this because they've had to go through this to do anything. Yes. To get a credit score, to get insurance, to get a mortgage, anything.


GRAHAM CLULEY. So all the time, you're having to pass on your information to yet more people, just like Uber passed on the information about these drivers to this law firm. Now, the interesting question is, why did Uber give the personal data of various Uber drivers to this law firm?


DAVE BITTNER. That is a good question.


CAROLE THERIAULT. I have an assumption.


GRAHAM CLULEY. Tell me.


CAROLE THERIAULT. I was assuming they would do that for their care and welfare, right? Like, so say a passenger kicks off in a car, they can say, look, Emily was driving the car and she got punched in the face by some dweebo, protect her, represent her on behalf of Uber.


GRAHAM CLULEY. Oh, okay. So you think it's Uber passing on the details because this particular driver is going to be protected by Uber because they got punched in the face for saying that? That is a possibility.


DAVE BITTNER. Yeah. What if the law firm was doing vetting of all the drivers, was saying background checks and things like that? Sure. Jobbing that out to the law firm.


GRAHAM CLULEY. Another possibility. My assumption, maybe I'm a little bit more cynical than you. Oh, you definitely are. Both of you.


CAROLE THERIAULT. You think?


GRAHAM CLULEY. Both of you, much nicer than me. My thought was maybe it's because Uber is taking some kind of legal action against some of its drivers. And so it said, well, look, here's the list of people we want you to contact and write legal letters to saying, wait, whatever you're doing, or you're breaching our rules or whatever.

And so I thought maybe what's actually happening is a company is taking action against its contractors or freelancers or however it is Uber likes to describe its drivers, probably not as employees, and sharing those details with its lawyers. Which makes me think, well, hang on, is Uber obliged to tell you, hey, by the way, we're sharing your details with our law firm?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Which might, of course, raise a flag with you that maybe the law firm was gonna take action against you.


DAVE BITTNER. Mm. I bet it's in the EULA.


GRAHAM CLULEY. It's in the EULA. They can do whatever they like.


DAVE BITTNER. Well, but I'm saying, in the EULA, when you sign up to be a driver, I'm sure it says that Uber has the right to share this information with our partners and our contractors and anyone else we want to. And if you wanna drive for us, you agree to that. Sign here.


CAROLE THERIAULT. And plus, Graham, I don't know if this is true in the UK, and I'm assuming this is true in the States because I've seen it on TV.


GRAHAM CLULEY. Everything you see on TV is true in the States.


CAROLE THERIAULT. But as I understand it from my TV watching, is I—


GRAHAM CLULEY. Which program is this from?


CAROLE THERIAULT. I have no idea, I can't remember.


GRAHAM CLULEY. Miami Vice.


DAVE BITTNER. Yes, right.


CAROLE THERIAULT. That I could take insurance out on, for example, Graham, right? To the tune of like, say, a million, right? And if he happened on his death, I would get paid off. Now he would need to know that I have an insurance claim on his— him being alive or dead.


GRAHAM CLULEY. You can take out insurance on me without my knowledge?


CAROLE THERIAULT. I believe, yes.


GRAHAM CLULEY. And you get a payout if I die? Yes. So if I were to take— what?


CAROLE THERIAULT. I told you, I told you, it's questionable sources.


GRAHAM CLULEY. Joe Biden's getting on a bit, right? I suspect he may not be around in 10, 15 years' time. Can I take out insurance on him and claim?


CAROLE THERIAULT. No, but I don't think you'll get very much because he's already— right?


GRAHAM CLULEY. Oh, I see. Oh, I see. Whereas me, young, strapping, and the rest of it.


DAVE BITTNER. So much life ahead of you.


CAROLE THERIAULT. I've watched a lot of Forensic Files, okay?


DAVE BITTNER. So you're practically a lawyer.


CAROLE THERIAULT. I'm practically a lawyer. Okay, I digress. I'm sorry. Carry on.


GRAHAM CLULEY. So I'm wondering, Genova Burns, this breached law firm working for Uber, I think it may be missing a trick because maybe now it's written to all of these Uber drivers saying, we appear to have lost your data. You never knew that we had it, but we've lost control of it. Maybe they could also have offered to provide legal representation to those affected drivers who may want to sue Uber for entrusting the data to Genova Burns.


CAROLE THERIAULT. But they already represent— I think there's a conflict of interest there.


GRAHAM CLULEY. Is there?


DAVE BITTNER. Just a little bit.


CAROLE THERIAULT. There's a tiny one.


GRAHAM CLULEY. But I saw a TV program, and it's absolutely fine. You can do that.


CAROLE THERIAULT. Look, listeners, tell me if I'm right or wrong, okay?


DAVE BITTNER. Please. Jeez. Right. There are lawyer listeners right now who are furiously banging their heads against their desks.


CAROLE THERIAULT. Yes, and emailing me, I hope, to tell me the truth. Yes. Thank you very much.


GRAHAM CLULEY. We don't want any American law firms ever listening to this podcast.


CAROLE THERIAULT. We want them listening to you.


GRAHAM CLULEY. Dave, what story have you got for us this week?


DAVE BITTNER. Well, my story is about a warning that the FBI recently put out. This was on April 6th. FBI's Denver field office put out a message on their social media and it says, avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto your devices. Carry your own charger and USB cord and use an electrical outlet instead.

Now, let me ask you about this because the notion of this has been around for a while, right? In fact, my understanding is that Brian Krebs was the one who coined the term juice jacking.


CAROLE THERIAULT. Did he?


DAVE BITTNER. Yeah. That's my understanding. And that's what this is called.


CAROLE THERIAULT. Forensic Files. Yeah.


GRAHAM CLULEY. Right.


DAVE BITTNER. In fact, there is a Wikipedia page for juice jacking, which describes this. And the idea is that, as we know, USB can carry power for charging your device, but it can also carry data. So you shouldn't plug your device into anything that you don't know what it is. That's the premise here of what's going on.

And there are devices that are supposed to help with this. There are things called USB condoms. Are you familiar with these?


CAROLE THERIAULT. I'm not.


GRAHAM CLULEY. I find them rather uncomfortable, so I haven't used one myself. But. Right, right.


DAVE BITTNER. It charges your device, but it just doesn't feel as good. So a USB condom, basically, you put it in line with your USB cable and it disconnects the data connections on a USB cable. So only power can pass between your device and whatever device you've plugged it into. So it's a little safety measure.

So there are other things you need to look out for here. This made me think of the— have you guys heard of the OMG cables? I'm pretty sure we covered that here.


GRAHAM CLULEY. Yeah. Yeah.


DAVE BITTNER. Yeah. So OMG, and I suppose OMG stands for Oh My God. But, basically it is a cable that looks exactly like a USB cable.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. But inside of it are electronics to make it a device for snooping on the data that you're transferring over the cable. And it includes— it basically, it spins up a Wi-Fi hotspot so the bad guys can log into the cable and have access to your device.


CAROLE THERIAULT. I, even though I'm pretty security conscious, I would fall for that easy peasy if I went somewhere and said, "Does anyone have a cable I can borrow? Oh my God, thank you so much." I would be grateful, right, for the cable. And there would be nothing to tell me that it was dodgy.


DAVE BITTNER. No, right. And if anyone's ever worked in a big company and if you leave a USB cable lying around in the break room, it's gone. Five minutes, it's gone.


GRAHAM CLULEY. Right?


DAVE BITTNER. Because somebody's, "ooh, free USB cable," zing, and off they go.


CAROLE THERIAULT. Yeah.


DAVE BITTNER. I'm also curious what you guys think about OMG cables just in terms of, should that be a thing? Should the people who are making those cables, do they make enough of a good case that there are legit uses for a cable like that to have it be in existence?


CAROLE THERIAULT. What would be a legit case?


DAVE BITTNER. They say it's for pen testers, for security researchers.


GRAHAM CLULEY. Yeah, it's for researchers who have a job of going to companies who've hired them to try and steal data. Isn't it?


CAROLE THERIAULT. Yeah. And they're the only people that use it in the entire universe.


GRAHAM CLULEY. Well, the only legitimate purpose, certainly. Yeah.


CAROLE THERIAULT. So, but in other words, you're kind of saying, should these things be a controlled substance in a way?


DAVE BITTNER. In a way.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. Or is it even, or just from the folks who are making them, are they hiding behind the ethical statement that we're making this for pen testers, but not really keeping track of who's buying them and where they're going? And I'm not saying that that's the case. It could be that the folks who make these keep very close track of that. But I wonder, I don't know the answer to that. And there's a part of me that wonders, is this something that we should be putting out into the world?


CAROLE THERIAULT. Yeah. What about even cars, right? E-cars. Graham will go anywhere, I am sure, with his electric car if he needed to charge, right? If he was desperate, he would just look on Google Maps, go, "Where's the closest, you know, charging place?" And he would find one, maybe obscurely because he was desperate. And who—


GRAHAM CLULEY. Just for clarity, I'm not plugging my car into a USB cable. That's not how I'm charging it.


DAVE BITTNER. It might take, you know, take a long time to charge your car. Take a long time to charge your car.


CAROLE THERIAULT. I'm out of here, guys. I had too much chocolate at Easter.


DAVE BITTNER. So what I'm getting to though here, the point of me including this story, because I think most people understand this, have heard this story, it's been around for a long time. There are lots of media outlets who are picking up on this story. I've been seeing over the past 24, 48 hours, this being covered all over the place. FBI says, FBI reminds us, don't plug into devices you don't know where they are. And I think most of us agree, okay, that's good advice. But my question was, does it really matter? Is this a thing? Is this a solution in search of a problem?


GRAHAM CLULEY. Yeah.


DAVE BITTNER. On the Wikipedia page for this, they say, to date, there have been no credible recorded cases of juice jacking outside of research efforts.


CAROLE THERIAULT. That they know of. Sorry, I don't mean to be, you know.


DAVE BITTNER. Well, but iOS and Android both prevent anything bad from happening with this. Back in the day when you would plug your iPhone in or devices like this, they would mount on your desktop as a hard drive, right? And so you basically had access to everything on there.

Well, it doesn't do that anymore. Your computer doesn't do that anymore. In other words, the operating systems on your devices all have preventative methods against this sort of thing from taking hold.

So my point is, I can't help wondering if this is basically an infosec superstition that doesn't— it just doesn't happen. It's not something you should— it's not realistic that you should worry about this.

Is it a best practice? Sure. Is it really going to be a problem? I don't think it is. I don't think there's really much risk of it.


CAROLE THERIAULT. I don't mean to get super deep here, but maybe it's not a problem because we worried about it early, because people wrote about juice jacking in a place where people went, "Oh my God, oh my God, that could happen." And then put in protections against it at the source, the phone, the device.


DAVE BITTNER. Right.


GRAHAM CLULEY. I love your approach, Carole. I don't know.


CAROLE THERIAULT. You know what I mean?


GRAHAM CLULEY. Right. No, I just don't believe that would be the case.

I don't think the general public has got any clue regarding juice jacking. I think when I'm at an airport or anything like that, everyone is crowded round where they can actually plug themselves in.

And sometimes it'll be on a plug, but other times, very often, it will be into a USB port where they've just plugged themselves in desperately for some energy before they get on a plane.


CAROLE THERIAULT. Everyone joins any Wi-Fi as well. Like, yeah, yeah.


GRAHAM CLULEY. They do. And I think, so I don't think it's because, "Oh well, we've been warning people for a while and that's why it's not happening."

I think Dave might be onto something. I think, and maybe Wikipedia too, that it just doesn't appear to be that much of an issue. Over lab conditions or where it's being done in maybe in a pen test scenario.


DAVE BITTNER. Yeah, right. And if you look at the cases where the bad guys actually take the trouble to modify a device, which is what we're talking about here, they would have to modify a charging station.

Where are they doing that? They're doing that with point-of-sale terminals. They're doing that with ATMs. They're doing that places where there's an opportunity for the direct capture of money.


GRAHAM CLULEY. Yeah.


DAVE BITTNER. And I think a USB port is too much of a roundabout way to try to get money. So, so what? I've got access to your device. Maybe.

I don't know who you are. I don't know if you have any money. It just, it seems like there are much lower hanging fruit than modifying a USB port on the off chance that you're going to infect someone's device and then have access to their stuff and then they're going to have something that you want. There's, it's just not worth the effort. I suspect.


CAROLE THERIAULT. Mm.


GRAHAM CLULEY. So maybe the FBI, they put out this message on Twitter, didn't they? Put out this advisory.


DAVE BITTNER. So, right.


GRAHAM CLULEY. "Avoid using free charging station." Maybe that's because they could encapsulate it within 140 characters or how many characters it is these days.

And they were just bored with telling people, "Use unique passwords. Don't use them." You know, maybe their social media team like, "Oh, can we please give people some other piece of advice for once?" "Oh, here's a USB thing. Let's mention that for a change." Is that what's happened here?


DAVE BITTNER. I think it's possible, but I think— look, we have a limited amount of attention that we can get from people in the general public when it comes to these security things. And so it's frustrating to see the mainstream media latch on to an announcement like this from the FBI rather than something like multifactor authentication or unique passwords or all of the things that we actually are likely to run across in our day-to-day lives that are security related. It just seems a shame to me that we're spending all this time and energy on something that it seems isn't actually a problem.


GRAHAM CLULEY. I think maybe they should say avoid using free charging stations in swimming pools, in the rain.


DAVE BITTNER. Bathtubs, sure.


GRAHAM CLULEY. Yeah, those, avoid using toasters as well in those enough Prius pads.


DAVE BITTNER. Right.


GRAHAM CLULEY. That'd be a good piece of advice. Absolutely.


DAVE BITTNER. Something to think about.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. We're playing a game. We are playing a game because we all know that AI is what, the mode du jour? As we say in French, everyone's talking about it. And there's a lot of angles that even tech buffs like us can't keep up. At least I don't feel I can keep up. And that's my working thesis for this episode. So I thought we could test it out through a game called AI, a go-go or a no-no. Okay.


GRAHAM CLULEY. Okay. The name's a winner to start off with.


DAVE BITTNER. So let's, I love this idea.


CAROLE THERIAULT. Okay, there's only one rule, no cheating. So hands off the keyboard.


DAVE BITTNER. I can't cheat using my AI?


GRAHAM CLULEY. No!


CAROLE THERIAULT. Okay, so let's start a little easy. How many AI chatbot contenders in the kind of leadership area can you name? Extra points if you can name the company and the name of their AI chat system.


GRAHAM CLULEY. Okay, well, I'll start off with one, which is ChatGPT.


CAROLE THERIAULT. By whom?


DAVE BITTNER. Yeah.


GRAHAM CLULEY. OpenAI.


CAROLE THERIAULT. Bing!


GRAHAM CLULEY. I believe are the company behind it. They have a French equivalent called ChatGPT, which is an AI-enabled cat. Prrr!


DAVE BITTNER. I'm gonna go with Bard from Google.


CAROLE THERIAULT. Bing!


GRAHAM CLULEY. Oh, very good. I believe there's a Chinese company which has just come out with one, but it has only a Chinese name. I was reading it today. Yes, I'll go with that.


CAROLE THERIAULT. Alibaba came out with it.


GRAHAM CLULEY. Yes, Alibaba. I'm not going to try and say the name, not being Chinese and not wishing to upset anybody.


CAROLE THERIAULT. There's also, of course, Microsoft's Bing Chat, right?


GRAHAM CLULEY. Oh yeah, Bing Chat, yeah. Who can forget Microsoft, what's it called?


CAROLE THERIAULT. Who can forget?


DAVE BITTNER. Well, there was Tay, remember Tay? She got retired, but that was Microsoft's AI chatbot from a few years back that—


GRAHAM CLULEY. Clippy, Clippy, was Clippy, yeah.


CAROLE THERIAULT. Now, which of these that you've of the ones that you've mentioned has a privacy policy that promises to protect people's data, do you think?


GRAHAM CLULEY. I think it's a trick question. I suspect none of them.


DAVE BITTNER. I'm going to go with all of them if you know where to look.


CAROLE THERIAULT. Well, the answer I've come up with from my research today is OpenAI. They, inside their privacy policy, promises to protect people's data. It's interesting because Italy has just recently banned ChatGPT on privacy grounds.

But the big worry, of course, is data collection when it comes to chatbots. Jake Moore, he works at ESET, but he said it really well in The Guardian article.

So I'm going to quote him. He says, "While the firms behind the chatbots say your data is required to help improve services, it can also be used for targeted advertising. Each time you ask an AI chatbot for help, microcalculations feed the algorithm to profile individuals."

And the article started saying, this is happening, this is happening now. Microsoft already announced that they're exploring the idea of bringing ads to Bing Chat. Also said that Microsoft staff can read users' chatbot conversations.


GRAHAM CLULEY. So if I broke my leg, for instance, I thought, oh crumbs, what am I going to do with my broken leg? And I went to ChatGPT 'cause I couldn't get through to the National Health Service. And they'd say, well, you need to get a bit of wood and sort of tie it to, you know, get a splint and maybe use a bandage.

You may want to use bandages, from vendors such as, and it includes helpful links. Is that the kind of advertising it's going to do? Is it going to tell me what to purchase from vendors?


CAROLE THERIAULT. This doctor has the best reviews.


DAVE BITTNER. Probably.


CAROLE THERIAULT. Okay, question number 2. What country has mandated security reviews for AI services like ChatGPT? And I can give you a list of 4 if you want to choose from that. So we've got Russia, Cuba, China, and Vietnam.


GRAHAM CLULEY. Weird list.


DAVE BITTNER. Hmm.


GRAHAM CLULEY. So what's the question again?


CAROLE THERIAULT. What country has mandated security reviews for all AI services like ChatGPT? This country, to give you a hint, this country's biggest search engine just released Ernie Bot, which is their version of ChatGPT.


DAVE BITTNER. I was gonna guess Vietnam also, just because, for no particular reason.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. No, it's China.


GRAHAM CLULEY. Ernie Bot.


CAROLE THERIAULT. Chinese AI services must underpin core socialist values is the big thing. Since their announcement of this this week, stock prices have already fallen for Chinese-based AI tech services since, you know, which is not necessarily surprising.

But there's going to be a number of steps they need to go through to ensure that they're supporting core socialist values. And the reason the list was weird is because I had to look up all the socialist countries.


GRAHAM CLULEY. Well, I imagine, yeah, I imagine that they don't want the bots saying something which is off message to the Chinese people. Is that right?


DAVE BITTNER. Right, right. This is not protecting the consumer's interest. This is protecting—


CAROLE THERIAULT. Well, it may be protecting both because by having no regulation and having this kind of wild wild west where everyone's trying to compete and get some services out quickly is making some people nervous. I don't know, I'm nervous about it.

I don't know about you guys, but, hmm, come on, we're almost done here. Question 3: What professions do we think will not be replaced by AI?


DAVE BITTNER. Podcaster.


CAROLE THERIAULT. Really?


GRAHAM CLULEY. Definitely not. No, no, that podcast is safe. Podcasts are going to carry on. Yep, no, no, we're from there.


CAROLE THERIAULT. Do you think politicians? There was this article I read, right, link in the show notes, about these are the jobs that'll definitely not be impacted, right? Or, you know, be replaced by AI.


GRAHAM CLULEY. Okay, I can't be that dumb.


DAVE BITTNER. Yeah, right.


CAROLE THERIAULT. I don't know, I find that I can imagine actually that happening and people loving that, you know, machine versus person. Psychologist or shrink?


DAVE BITTNER. No, we've been— I mean, Eliza's been doing that for decades, right?


CAROLE THERIAULT. And also there's loads of them right there already. Exactly. What about priests, spiritual figures, things like that?


DAVE BITTNER. I think that could be same thing. Same thing as, yeah, that's sure. That's easy.


GRAHAM CLULEY. Surely, surely your typical priest just says, "Five Hail Marys and you'll be fine, son." Isn't it? I mean, isn't that what they do? So you can just give an automatic response. You definitely could do that with a robot.


CAROLE THERIAULT. Totally. What about athletes?


DAVE BITTNER. How is an AI going to— so we're talking robots?


CAROLE THERIAULT. Well, say there was a basketball game.


DAVE BITTNER. Yeah.


CAROLE THERIAULT. Would you watch a basketball game with two robot teams?


DAVE BITTNER. Sure, I'd watch it, right? Yeah, I'd watch it, right?


CAROLE THERIAULT. In this article, they intimated that this would not be any fun for any of us, and I'm like, I don't know. Which brought me to my pick of the week.


DAVE BITTNER. Graham, you probably will guess on the way, but I think if you were able to give the different bots personalities— because part of the reason I think we enjoy sport is the personalities and different capabilities of the different athletes. So if you had all, you know, a basketball game with 5 different copies of the same, or 10 versions, 10 robots that were all capable of the same thing, that wouldn't be very exciting.


CAROLE THERIAULT. Built by different teams of different countries?


GRAHAM CLULEY. Yeah. There are tennis players who are a bit like robots anyway. I remember the days of Bjorn Borg, and it was all exciting tennis then. And then they replace them, these just, these people who just hit ball very fast. You know, it's, oh God, so dull now. So I don't think AI sports would be that interesting.


DAVE BITTNER. I'm thinking of maybe in the movie Pacific Rim where you had the giant robots and they had the characteristics of their home nations. That might be interesting. Okay.


CAROLE THERIAULT. Finally, what about lawyers and judges? Would you have a robot lawyer argue for you?


DAVE BITTNER. I think certainly law clerks and law researchers are in danger here, but I don't know about the actual lawyers because that, I believe, requires a certain amount of creativity.


GRAHAM CLULEY. Surely they're largely just Googling past cases anyway and referring to them.


DAVE BITTNER. I suppose it also depends on what kind of law it is.


GRAHAM CLULEY. Yes.


DAVE BITTNER. You know, there's law and there's law, so I don't know, land use law might be easier to rely on some kind of AI than, say, a murder trial.


CAROLE THERIAULT. If you were a clerk or something having to do research, you could use something like ChatGPT to find, you know, precedents or similar judgments, relevant cases, right?


GRAHAM CLULEY. Yeah, but, oh, but, but, Carole, all these AI systems, all they're doing is scooping up drivel that people have posted on the internet before, which may be complete bollocks.


CAROLE THERIAULT. Interesting.


GRAHAM CLULEY. Do we really want them doing that?


CAROLE THERIAULT. Interesting, because a lawyer did this, right? A lawyer went ahead and ChatGPT spewed out cases fully cited with reference numbers and case notes.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Okay. And this was in New Zealand and they asked ChatGPT for help and it was all made up. It made it look completely bona fide legit because it studied, you know, it nailed how to display a case name and do the citations.

And the cases didn't even exist. They created it with case notes and everything just to help out is the argument some people are using. But it gets worse when in the States this happened as well.

And a lawyer reportedly asked AI chatbot to generate a list of legal scholars who had committed sexual harassment as part of a study. So he was just seeing how it was going to go. And he did provide a list.

And on the list was an American law professor from George Washington University. And it said that this professor made sexually suggestive comments and attempted to touch his students inappropriately during a class trip to Alaska.

And the accusation was based on an article on The Washington Post. However, the professor and The Washington Post both confirmed the article never existed.


DAVE BITTNER. Right.


CAROLE THERIAULT. That's frickin' scary.


DAVE BITTNER. Shameless plug here. This is an article Ben Yelin and I dig into in our most recent Caveat episode.

And I agree. This is scary. And who's liable here when ChatGPT makes something up that is defamatory and creates references out of whole cloth, and presents it as fact?

Yeah, in my conversation with Ben Yelin, who is actually a lawyer, not unlike you, Carole, who has watched several episodes of Law & Order, he says that in his opinion, that the legal system just is struggling to keep up with this, that it is not prepared for this sort of thing. And so we have an interesting road ahead of us.


CAROLE THERIAULT. Okay, we will put the link to the show in the show notes, of course. And based on the quiz, David, you definitely win.


GRAHAM CLULEY. Oh, for God's sake, seriously? Why?


CAROLE THERIAULT. Why? My glorious guest, happy as a clam. That's why.


GRAHAM CLULEY. There you go.


DAVE BITTNER. I win a free membership to ChatGPT.


CAROLE THERIAULT. This episode is sponsored by hCaptcha. Are cyber threats negatively impacting your business?

Unleash powerful fraud protection for your online properties with hCaptcha Enterprise, the leading security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats.

Whether your bad actors are human or automated, hCaptcha Private Learning is the solution. Easily combine your pre-blinded data with hCaptcha's thousands of signals to rapidly find fraud and abuse in real time.

hCaptcha's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com/hcaptcha, that's H-C-A-P-T-C-H-A, to get started with a free trial today.

And thanks to hCaptcha for sponsoring the show.


GRAHAM CLULEY. Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.

Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.

With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool.

And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level.

These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. To learn more, try Bitwarden for yourself at bitwarden.com/smashing.

That's bitwarden.com/smashing.


CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.

How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem.

It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance.

Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them.

Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it.

If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance.

Want to learn more? Of course you do.

Visit kolide.com/smashing. That's kolide.com/smashing.

And thanks to Kolide for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show?

The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they wish. It doesn't have to be security related necessarily.


DAVE BITTNER. Better not be.


GRAHAM CLULEY. My pick of the week this week is not security related. I have been playing board games and you've all played Trivial Pursuit.

I'm sure over the years came out in the, I don't know, '80s, '90s, whenever it came out.


DAVE BITTNER. Yep.


GRAHAM CLULEY. Now, what did the Trivial Pursuit guys come up with next? You're wondering.

They made that incredible game which sold a gazillion copies. Well, what they came up with was an extraordinarily complicated and unsuccessful game called UBI.


CAROLE THERIAULT. UBI? Like UBI?


GRAHAM CLULEY. UBI, which I think is Latin for 'where' or something.


DAVE BITTNER. Ooh, my wife had a UBI once, but she took some pills and it went away.


CAROLE THERIAULT. Oh my god.


GRAHAM CLULEY. UBI is— it's a bizarre game. It's not very well known.

I played it this weekend. It is a geography trivia game.

You have this giant map of the world. You have coordinates everywhere.

And you have lots and lots of cards with cryptic, irritatingly rhyming, or just obtuse questions.


DAVE BITTNER. Way to sell it, Graham.


GRAHAM CLULEY. If they brought it out now, people would think it was something to do with the Illuminati. You're building this sort of pyramid with a big eye in the middle.

Those are your pieces. There's all kinds of terminology for the different— it's actually not that complicated once you start playing and work it out. It is a bit tricky.


CAROLE THERIAULT. Did you enjoy it?


GRAHAM CLULEY. I did actually enjoy it. And I would play it again. It's a bit of—


CAROLE THERIAULT. Did you fall asleep?


GRAHAM CLULEY. I didn't fall asleep. It's a good trivia game.

It's based on geography. You will be somewhat frustrated. Between 2 and 26 people can play it at the same time. Oh boy.


DAVE BITTNER. You and 26 of your closest friends gathered around a board. It's better than the Knights of the Round Table. This is exciting.


GRAHAM CLULEY. It does say things, you know, 'Ubi Bob Newhart's psychiatric couch crouch,' which means, 'Where is Bob Newhart's psychiatric couch?' Chicago. So if you were— Okay, right.


DAVE BITTNER. Ding, ding, ding, ding, ding.


GRAHAM CLULEY. Alright, so you know it's Chicago, Dave.


DAVE BITTNER. Right.


GRAHAM CLULEY. And maybe you can do this, but as Brits, maybe we couldn't. You then have to take your little Ubi locator thing onto the map and work out where Ubi is on the map. So where Chicago is on the map.


DAVE BITTNER. So ubi is a verb? To ubi? So to ubi is to place my thing on the board?


GRAHAM CLULEY. Well, let that— if you like. Yes.


CAROLE THERIAULT. This is one of the worst Pick of the Week descriptions I've ever heard in my life. It is.


GRAHAM CLULEY. You get the answer.


DAVE BITTNER. I can't take my eyes away from it.


GRAHAM CLULEY. The answer is not to say Chicago. The answer is to be able to say with precision where Chicago is on the world map.

And Chicago might be easier than, for instance, Buckfast Abbey in Devon, which was the answer to one of the other questions which I did this weekend. So, that is the game of Ubi. I'll put some links in the show notes where anyone who really likes board games can check it out. I picked up my copy from eBay, and I had some fun with it. And that is why Ubi is my pick of the week.


CAROLE THERIAULT. Wow. Did you buy this for someone as a gift and they just said, 'Actually, thanks, but no thanks'?


DAVE BITTNER. No, it got regifted from someone else. Someone else to him.


GRAHAM CLULEY. He got regifted.


DAVE BITTNER. Ubi, we put the board.


CAROLE THERIAULT. I don't want it. Just—


GRAHAM CLULEY. Anyway, I'm gonna ignore you. Dave, what's your pick of the week?


DAVE BITTNER. So my pick of the week, actually, I put in here just for you, Graham. I was watching, there's a gent on YouTube named Rick Beato who people are maybe familiar with.

He's well known for his expertise in music theory. He has a series called What Makes This Song Great where he goes through popular songs and sort of reverse engineers them and explains why they are great. Again, using his knowledge of music theory, which is extensive, but he's also a good explainer.


GRAHAM CLULEY. He's brilliant. I've seen some of those videos.

I think actually one of those videos may have been a pick of the week in the past. He's really good at analyzing songs and explaining why they're good.


DAVE BITTNER. Right.


CAROLE THERIAULT. I'm wondering if it's Dave that brought it to our show.


DAVE BITTNER. Could be. I don't remember.


GRAHAM CLULEY. But he's certainly very good.


DAVE BITTNER. Yeah, and his channel has really taken off to the point where big-time artists like, well, one that I know is a favorite of both you and Carole Theriault, Sting, has appeared with him in interviews to promote their albums as they come out. They will stop by and do an interview with Rick Beato to promote their new music.

So as a channel, it's quite interesting. If you're into music, it's definitely worth a look. But he recently did a tour of Abbey Road Studios, and specifically Studio 2, which is where evidently some— a well-known band from the '60s and early '70s recorded some of their more well-known albums there.


GRAHAM CLULEY. Yes, the Osmonds.


DAVE BITTNER. I can't recall who.


GRAHAM CLULEY. That's right.


CAROLE THERIAULT. Yes, that's right.


DAVE BITTNER. That's right. So it's sort of a magical place, magical mysterious place, I guess.

But it's really neat to see them walk around and just sort of offhandedly say, oh yeah, that's the piano from Fool on the Hill, you know, like, oh yeah, that's the microphone that Paul McCartney, we recorded in this closet because he liked the sound of it, you know, that sort of thing. So if you are at all into the Beatles or recording or popular music, it's worth a look. And that is why Rick Beato's tour of Studio 2 at Abbey Road Studios is my pick of the week.


GRAHAM CLULEY. Wonderful. I did see that you were choosing this, Dave, and I've checked out the video and it's very enjoyable.

I agree. I was lucky enough to go and visit Abbey Road Studios back in 2021 because they were doing a rare public tour. Anyway, brilliant. Very, very cool. Okay, Carole, what's your pick of the week?


CAROLE THERIAULT. So, when I was doing my little quiz research, right, I mentioned athletes. We were talking about athletes and that they'd never be threatened by machine fighting.

And it brought me back to a show that I first saw in the UK when I first moved here. And I checked our pick of the week list, and it seems it's never been mentioned before.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Machines fighting, Graham.


GRAHAM CLULEY. Do you mean Robot Wars? Is that what you're thinking of? Yes. Robot Wars, yes. Yes!


CAROLE THERIAULT. It's the best show ever!


GRAHAM CLULEY. Is it?


CAROLE THERIAULT. I loved— I love Robot Wars. I love it.


DAVE BITTNER. Better than Law & Order?


GRAHAM CLULEY. Really? Really?


CAROLE THERIAULT. Better, better, hands down. I'm not kidding.

Okay, listeners, okay, so basically you have teams. Each team builds the craziest, most violently designed machine with wheels. So they'll have angle grinders and axes and flamethrowers, and they roll around really fast. They're all remote control cars.


DAVE BITTNER. Yeah, RC cars.


GRAHAM CLULEY. Yeah. Remote control cars.


CAROLE THERIAULT. RC cars. Yeah, remote control.

Yeah. And they fight it out. And you make this beautiful art, this machine of destruction. Then you have to send them into the ring of battle, and they can get destroyed. And it's riveting. There's drama, there's tech, there's violence, there's destruction.


GRAHAM CLULEY. Everything.


DAVE BITTNER. Something for everyone.


CAROLE THERIAULT. Did you not like it, Graham?


GRAHAM CLULEY. What? No.

No, I liked some of it. I mean, this was a British show, wasn't it? There must be an American version of this as well. I'm not talking about that.


CAROLE THERIAULT. You're talking about the American blah, blah, blah. Who cares?


GRAHAM CLULEY. Who gives a damn about that?


DAVE BITTNER. I think the American version was the original. No way. Robot Wars and BattleBots are the two franchises that I'm aware of here in the US, because if a show's worth doing once, it's worth doing twice. And I believe, and perhaps it's just my own prejudices, but I am pretty sure that it originated here. But who knows? I could be wrong.


GRAHAM CLULEY. Right. I have just been on ChatGPT, and I've asked, Robot Wars UK started in 1998. It looks like Robot Wars began in the US on Nickelodeon in 2002. So once again, the British were ahead.


CAROLE THERIAULT. Thank you very much, ChatGPT.


DAVE BITTNER. No, no, no, no, no.


CAROLE THERIAULT. Listeners, if you have never heard of it, and you're not going to be a know-it-all, okay, it's the best stress relief TV I've ever experienced to date. I love it. I want it to come back on air just as it was in the UK version.


DAVE BITTNER. All right, Graham, Graham's coming in. I'm on the Wikipedia for BattleBots, and it says BattleBots— oh, shut up, Graham. It says BattleBots is an American robot combat television series. The show was an adaptation of the American Robot Wars competitions hosted in mid to late 1990s by Mark Thorpe. The same competition inspired the British TV program Robot Wars, which acquired the name in 1995. Game, set, and match.


CAROLE THERIAULT. Where's your set? Where's your citations?


DAVE BITTNER. I'll send you the link. Just go to, go to Wikipedia and look up BattleBots.


CAROLE THERIAULT. Oh, Wikipedia. Okay. Yeah, no. Yeah, that's—


GRAHAM CLULEY. I'm editing the Wikipedia page now. Exactly right. This will not stand.


DAVE BITTNER. This injustice will not stand. And hit the embassy on the line.


CAROLE THERIAULT. I'm stressed. I'm gonna go watch some Robot Wars after this show. If you need some stress relief and some, just some fun, punch it up without getting violent yourself. It's great. So my pick of the week, Robot Wars. It's the BBC YouTube channel. There's a link in the show notes. Enjoy.


GRAHAM CLULEY. Well, that just about wraps up the show for this week. Dave, I'm sure a lot of our listeners would like to send you a little private message regarding some of the issues which come up during the course of this podcast. What's the best way for them to do that?


DAVE BITTNER. Just go to thecyberwire.com and you can find everything that I do there.


GRAHAM CLULEY. Yeah, so set your bots against cyberwire.com.


DAVE BITTNER. Your battlebots, right? Right. I'll be careful when I open the office door that there'll be a battlebot on the other side of it. Waving a British flag.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. We also have a Mastodon account. Easiest way to find it is going to smashingsecurity.com/mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Overcast and Spotify.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide, hCaptcha, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 316 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye-bye.


DAVE BITTNER. Bye-bots.


GRAHAM CLULEY. Guys, Robot Wars! What?


CAROLE THERIAULT. I sent it to Dave an hour earlier. Did you get to see it?


GRAHAM CLULEY. Did you look?


DAVE BITTNER. Yes, I love it. I love Robot Wars.


CAROLE THERIAULT. Oh, you do?


GRAHAM CLULEY. I do.


CAROLE THERIAULT. Oh, that didn't come across in my bit, actually.


DAVE BITTNER. Oh, I know.


GRAHAM CLULEY. It's all BattleBots this, BattleBots that. BattleBots is the best.


DAVE BITTNER. I'm sorry. We were all just caught up in being provincial. But no, I love— I think it's wonderfully entertaining.


CAROLE THERIAULT. I hope one day we meet in person, and that's what I would like to do. I would like, Dave, to go with you.


DAVE BITTNER. Beat the snot out of each other?


CAROLE THERIAULT. No, I want us to go to one of these shows and watch machines destroy themselves. That's what I would like to do.


DAVE BITTNER. That sounds a lot of fun.


GRAHAM CLULEY. If AI carries on as it is, Carole, that's going to be happening everywhere. Skynet is coming.

-- TRANSCRIPT ENDS --