324: .ZIP domains, AI lies, and did social media inflame a riot?

With Graham Cluley, Carole Theriault, and Mark Stockley

ChatGPT hallucinations cause turbulence in court, a riot in Wales may have been ignited on social media, and do you think .MOV is a good top-level domain for "a website that moves you"?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.

Plus don't miss our featured interview with David Ahn of Centripetal.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Centripetal – Centripetal’s CleanINTERNET defends your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Piss off. If you had done 5 years of study to achieve a PhD, trust me, you'd have it tattooed across your forehead.


GRAHAM CLULEY. I would not put it in my username.


CAROLE THERIAULT. You know, you'd make a fucking t-shirt. Oh, by the way, did you know? We all know it's true.


GRAHAM CLULEY. I might do that. But I wouldn't—


MARK STOCKLEY. Where is your 11th greatest Britain in cybersecurity tattoo, by the way?


UNKNOWN. Let's move on. Smashing Security, episode 324: .zip domains, AI lies, and did social media inflame a riot? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 324. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we're joined by a special guest, someone who's been on the show numerous times before. Please introduce him.


CAROLE THERIAULT. Mark Stockley!


GRAHAM CLULEY. I just ran out of steam.


MARK STOCKLEY. You forgot, didn't you? What's-his-face has come back.


DAVE AHN. Wow.


CAROLE THERIAULT. How you doing, Mark?


GRAHAM CLULEY. I'm good.


MARK STOCKLEY. I'm good.


CAROLE THERIAULT. We have a massive show. Should we get it kicked off now?


GRAHAM CLULEY. No.


MARK STOCKLEY. Nah. Nah.


CAROLE THERIAULT. Well, yes we are. Let's thank this week's sponsors, Bitwarden, Kolide, and Centripetal. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be talking about domains for the tragically zip.


CAROLE THERIAULT. Mark, what about you?


MARK STOCKLEY. I've got a story about your worst colleague ever.


GRAHAM CLULEY. Ooh. And Carole, I guess, over to you then.


CAROLE THERIAULT. And I'm going to talk about how social media might have ensued a riot. Plus, we have a featured interview with Dave Ahn. He's the chief architect at Centripetal. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Chums, chums, do either of you have a PhD? Maybe you're too embarrassed to mention it. You know, some people are, they hide it under a bushel.


CAROLE THERIAULT. I know people who say they have a PhD and—


GRAHAM CLULEY. Oh, just the one.


CAROLE THERIAULT. Maybe don't have one. No, I do not have a PhD.


GRAHAM CLULEY. Okay. I—


MARK STOCKLEY. That's weird, 'cause I also know someone that says they have a PhD but doesn't. Isn't that strange? What's the opposite of someone who's got a PhD?


CAROLE THERIAULT. What are you gonna tell us, Dr. Cluley?


GRAHAM CLULEY. I don't have— I'm not a doctor.


CAROLE THERIAULT. I know you're not, yeah.


GRAHAM CLULEY. But I want to say well done to those people who are doctors, those people who've worked hard. I would be very proud if my son, admittedly he's only age 12, but if he came home from school one day and said that he'd managed to get the PhD. He did once say that in chemistry, I think they'd split the atom or something is what he claimed. And I looked at him, I suspect not.

I suspect you just turned on a Bunsen burner. But if he had, if a child of mine or a child of either of yours were to come home one day, maybe as, you know, in their mid-20s, saying, so finally, after all that hard work and study, I've managed to get the PhD. You would want to celebrate, wouldn't you? You would want to make them a cake. You would want to buy them some beer or bring in the Deliveroo or whatever it might be.

Maybe you're thinking, what could be the— what could I give them? What could I give my child I'm so proud of after getting their PhD? Oh, I know. I could get them a domain name. But here's the problem, right?

My son, little Markie, Mark, we call him Mark, right? Mark.com has already been snapped up. Mark.org, I had a look. Mark.org has gone as well. Mark.org is advertising a 4-bedroom house in Virginia with a secluded hot tub.


CAROLE THERIAULT. Mark WTF, Mark.wtf must be still available.


GRAHAM CLULEY. Mark.wtf, Carole.wtf, we know that one's gone. Very good website.


DAVE AHN. That one's gone.


GRAHAM CLULEY. But you know what is available? Mark.phd. So if you were the kind of person who had a PhD and didn't want people to forget that you had a PhD, which I suspect is most people who choose to tell people they have a PhD, then—


CAROLE THERIAULT. Oh, stop it.


MARK STOCKLEY. No.


GRAHAM CLULEY. That's not true. No, people who choose, people who choose, a bit like John Barrowman, MBE, people who change their Twitter name to include the accolade they've been given by the king or queen.


CAROLE THERIAULT. Piss off! If you had done 5 years of study to achieve a PhD, trust me, you'd have it tattooed across your forehead.


GRAHAM CLULEY. I would not put it in my username.


CAROLE THERIAULT. You know, you'd make a fucking t-shirt. Oh, by the way, did you know? We all know it's true.


GRAHAM CLULEY. I might do that.


MARK STOCKLEY. But I wouldn't— Where is your 11th greatest Britain in cybersecurity tattoo, by the way.


GRAHAM CLULEY. Let's move on. Anyway, the thing is, I think it's a little bit showy, isn't it? I mean, wonderful. Well done on achieving it. But do you want to keep on reminding people about it? Do you actually want to own the domain name? I'm not sure if you do, but now if you wanted, if you wanted to be carole.phd, you could. Well, do you know what, Carole? I've been to the website. I've been to Google Domains. I've typed in your name. And you can buy one and it's only going to cost you about $20 a year. And get this, you don't even have to prove that you have a PhD.


CAROLE THERIAULT. No, of course not. Because it's just the fuck—


GRAHAM CLULEY. Well, you don't have to. Anyone can do it. Wow.


CAROLE THERIAULT. Anyone could buy a website with com at the end and not own a company.


GRAHAM CLULEY. Well, right. Now, in the old days, the only way you used to be able to get a PhD other than studying was from a spammer because you'd get spam emails saying, would you like a PhD? Would you like a degree? Would you like this? Would you like that?


CAROLE THERIAULT. Didn't someone close to you purchase a PhD online?


GRAHAM CLULEY. No, I think they became ordained as a religious— I think—


CAROLE THERIAULT. I'm sure they told my husband they had a PhD. I think we know who we're talking about. Oh yes. At a dinner party at your house.


GRAHAM CLULEY. Oh yes. An elderly lady.


CAROLE THERIAULT. An older person.


GRAHAM CLULEY. Yeah. I think she bought it from Tony Robbins. I don't think that counts. But moving on. So, she also revealed some other things about herself, didn't she?


CAROLE THERIAULT. A pair of problems, yeah.


GRAHAM CLULEY. Moving on. Right. So, you can buy a .phd domain from your local friendly internet domain company, because at the beginning of May, our chums at Google Domains they rolled out not just .phd top-level domains, but also 7 others: .dad, .prof, for presumably professor, .esq for esquire, .foo, .zip, .mov, and .nexus. Bizarre combination.


CAROLE THERIAULT. What's foo for? Is foo for food?


GRAHAM CLULEY. Oh, it's a programming thing.


CAROLE THERIAULT. I love that. Blah blah.foo.


GRAHAM CLULEY. Why not .mum, you're wondering? Why not mum, right?


CAROLE THERIAULT. Oh, good one.


GRAHAM CLULEY. 'Cause it already exists, Carole. It already exists. So they finally added .dad as well as .mum.


MARK STOCKLEY. Finally. They bowed to consumer demand and finally released .nexus. And .dad. And .foo.


GRAHAM CLULEY. And .cool and .love and .pizza and .photography. 'Cause that's really nippy to put on the side of a van. And literally hundreds of others you can buy.


MARK STOCKLEY. I wonder if anyone's bought photography.photography.


GRAHAM CLULEY. And have a subdomain called photography? So photography.photography.


CAROLE THERIAULT. Hey, good SEO.


MARK STOCKLEY. Absolutely nailed the SEO on that one.


GRAHAM CLULEY. Yeah. So Carole, you are one of these people who's bought a bizarre domain, 'cause of course your art site, everybody go and visit it, carole.wtf, where you can see a wonderful selection of watercolours and ink. Blotches and things and vote your favourites.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah, why did I do that? Purely because any .com domain I could get had a ridiculous name. It's like we've run out of name combos that actually make any sense that I could find.


GRAHAM CLULEY. Because there are lots. There's a .paris. I found a .london, a .sydney, a .tokyo. No .rome, no .washingtondc. For some reason there's a .irish.


CAROLE THERIAULT. Oh, you researched this story in depth, didn't you?


GRAHAM CLULEY. Mm-hmm. Oh yeah, I did a lot of research.


CAROLE THERIAULT. Mm-hmm.


MARK STOCKLEY. I think one of the reasons that .com has run out, inverted commas, is because there's so much cachet in having a .com that lots of people have just speculatively purchased a bunch of .com domains, which they will now happily resell to you at vastly inflated prices. So like, you normally, you spend, you know, maybe $10 a year on a .com. But you can go and spend millions on a name that nobody actually uses, but somebody owns.


GRAHAM CLULEY. If it's a dictionary word in particular, or a combination of words, or a short, you know, maybe 4 or 5 letters or something, then it's going to be probably being sold for an awful lot of money. So there's lots of these weird top-level domains. There's some which I think are a bit confusing, but there's a .work and a .works. Now that seems to me like there's an opportunity there for some mix-ups, you know, if you wanted to create a phishing site, if anyone did actually run a .work website. There's .review and .reviews, there's .sex and .sexy.


CAROLE THERIAULT. Are domains run by one single entity or not? Is it a collaboration amongst many tech companies? I don't know how it works.


GRAHAM CLULEY. There is this organization ICANN.


DAVE AHN. Yeah.


GRAHAM CLULEY. Who sort of, I think, are supposed to oversee these things, but I also think money talks.


CAROLE THERIAULT. Yeah, yeah.


MARK STOCKLEY. And yeah, it also smells. Money smells. There used to be like 6 top-level domains in the beginning. And it was like .edu, that's for education, .com, that's for commerce. And then at some point, I can't remember when it was, it was like 10, 15 years ago, ICANN went, what if we just allow people to have anything they want, provided they spend an absolute fortune?


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. And that brilliant idea gave us .nexus and .prof and .sexy.


CAROLE THERIAULT. And .wtf.


GRAHAM CLULEY. And now .zip. And you may think—


MARK STOCKLEY. Oh!


GRAHAM CLULEY. Oh, hello, Crow. Have you spotted a problem with a .zip domain? Mm-hmm. Yep. Right. Because I think .zip means something to many computer users, as does .mov, M-O-V. Maybe make you think of a movie file. A zip might make you think of an archive file containing other files. Now, according to Google, the reason why you might want a .zip domain is, they said, well, zip, that's really about having a secure domain for tying things together, moving really fast. So if you've got a really fast website, call it .zip. And it's like, well— Uh-oh.


MARK STOCKLEY. I don't think that they believe that for a second.


CAROLE THERIAULT. Nope.


MARK STOCKLEY. They absolutely phoned that one in.


CAROLE THERIAULT. Can you imagine searching for .zip on your computer as well? You'd find a million files. Yes. Yeah. Yeah.


GRAHAM CLULEY. And .mov, they argue, is for whatever moves you. They've said, that's why you'd want— That's why you'd want a .mov domain.


CAROLE THERIAULT. Now—


MARK STOCKLEY. Some engineers made a decision. And then they threw it over to the marketing department and said, you've got two minutes to come up with a reason why these domains now exist. And the marketing department ran around for two minutes and they went, ah, it moves you.


GRAHAM CLULEY. So it turns out some people aren't very happy about this.


MARK STOCKLEY. I'm one of them.


GRAHAM CLULEY. Typically, people are a bit security conscious. People are a bit grumpy because people are saying, is it in any way possible that cybercriminals and fraudsters might exploit the confusion between what we've known for the last thirty years to be ZIP and MOV files and what you've now decided to make a domain name instead?


CAROLE THERIAULT. Yep.


MARK STOCKLEY. Yep. Now it means fast. Yep, sorry about the last thirty years.


CAROLE THERIAULT. No, you mean whatever moves you.


GRAHAM CLULEY. Whatever moves you. Because—


MARK STOCKLEY. Well, if it's fast, I guess it would move you.


GRAHAM CLULEY. So the problem, simply put, is that you might receive an email saying, hey boss, here's that report you asked for, report.zip. Click on that. And when you click on it, you get taken to some sort of dialog box which looks like your company's single sign-on page to validate the file or access the file in some mechanism. And of course, you're then handing over your credentials to a phishing person, a phishing person, fisherman. I don't know what they call it. A fisherman.


MARK STOCKLEY. I love that.


CAROLE THERIAULT. I think that's going in the title, The Fisherman.


GRAHAM CLULEY. Now, this isn't, of course, the first time we've had this kind of confusion because, of course, we all know .com. .com to most people now means website, doesn't it? It means commercial website, or at least website, if not commercial website.


CAROLE THERIAULT. I think it does.


GRAHAM CLULEY. And back in ye olde days, .com files were the programs you run under 64K on MS-DOS. They were the little programs. They had .com extensions. I remember at the time thinking, it might just be rather confusing with the internet coming along because now .com files— My voice hasn't changed. Hasn't broken since.


CAROLE THERIAULT. I was gonna say.


GRAHAM CLULEY. Listen, I've come to terms with this now, because of course .com executable files aren't really used anymore, because everyone's moved on to Windows and other operating systems, and you know, they've become obsolete. People aren't using DOS any longer. So maybe it's not much of an issue. But there have been other confusions as well. For instance, if you're a Perl developer, you might deal with .pl files.


MARK STOCKLEY. Mm.


GRAHAM CLULEY. And .pl is the Polish top-level domain. I think that's right. And, you know, or shellscript.sh, another legitimate domain. So there has been a sort of move to this, but I think going to .zip and .mov websites which move you is still another jump entirely.


MARK STOCKLEY. I've got a bone to pick with you.


GRAHAM CLULEY. Okay, go ahead.


MARK STOCKLEY. I want to speak to your proto-nerdy self about these .com.


GRAHAM CLULEY. Right, yes.


MARK STOCKLEY. So the .com TLD was actually created on January 1st, 1985.


GRAHAM CLULEY. Okay, when was MS-DOS out?


MARK STOCKLEY. Come on. I'm expecting you to know that.


GRAHAM CLULEY. Surely it was about '82, wasn't it, the IBM PC? Okay, MS-DOS. First came out?


CAROLE THERIAULT. '81.


GRAHAM CLULEY. August 1981.


DAVE AHN. Yep.


GRAHAM CLULEY. I think you're fined, Mark. I think you're fined.


MARK STOCKLEY. I'll concede if you give me a well, actually.


GRAHAM CLULEY. Well, actually. So people are a little bit worried about this. A chap from Citizen Lab told his Twitter followers, just block all .zip domains. Just block them all.

Any .zip and .mov domain, just block them all. He said these are going to get used 100% for malware attacks. I don't know if it will be 100%. That seems a little bit excessive.


MARK STOCKLEY. I think mostly right now, most of these domains are probably being purchased by security researchers. Yeah, proving what a stupid idea it was.

At the moment, that's about 100%. I don't know.


CAROLE THERIAULT. I don't know. I bet people are buying them because they're probably cheap.

And they're like, oh, everyone can remember zip, you know, and they don't have any understanding of it being in terms of security or computers.


MARK STOCKLEY. I'll tell you who isn't buying them.


GRAHAM CLULEY. Okay.


MARK STOCKLEY. People who want you to think their website is fast. It's just criminals and cybersecurity researchers.

And at the moment, it's mostly cybersecurity researchers.


GRAHAM CLULEY. Well, one researcher who's done it is a chap called Mr. Dox. I don't think he's got multiple doctorates. It's D-O-X rather than D-O-C-S. Mr. Dox.


CAROLE THERIAULT. Ho ho ho.


GRAHAM CLULEY. Thank you. He's shared details of a phishing technique that emulates file archive software.

So you click on the link which you think is going to open a zip file. It takes you to a zip domain which looks just like the WinRAR utility which people use to open zip files. And so it shows you the quote, zip's contents, one of which is a PDF which can then steal your data. And another one, he made it look like Windows File Explorer.

And someone also found out that if you send someone an email saying, hey, look, the file's already in your computer, you dolt head. Just search for document.zip.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. When you search for it, the search results come back by opening the web page if it can't find—


CAROLE THERIAULT. Exactly, exactly, exactly, exactly.


MARK STOCKLEY. Doesn't Twitter now also automatically convert anything that ends in .zip into a link?


GRAHAM CLULEY. Right. So if you've posted, you know, find the following file and you give the file name of something .zip or .mov, you'll actually have a clickable link to something potentially malicious, which isn't what the people—

So I don't know why they've done this. It's not like Google are going to make oodles and oodles of money out of this, is it? I don't understand why they've done this at all. What was the requirement?


DAVE AHN. And what do you do?


CAROLE THERIAULT. What do you do? So let's say, let's say 10,000 people have bought this domain, right?

And you're suddenly going, actually, you know what? Graham's right, this is a stupid idea. Let's roll back, let's go back. What do you do for them? You go, look, we're going to offer you Zaz instead. What? What?


GRAHAM CLULEY. There did used to be Jazz drives, didn't there? Maybe .jazz. Do you remember?


MARK STOCKLEY. It's an upgrade.


GRAHAM CLULEY. Zip drives became Jazz drives. Anyway, I mean, I think maybe you should block access to these things. I can't see any legitimate company is going to require them.

So maybe, but what's going to come next? Are they going to do .html domains? How about doing that? Why not? Why not just go for it? Oh, is that your end joke? Why don't they do .fuckyou?

Mark, what's your topic for this week?


MARK STOCKLEY. Well, you know I like to start with a question. So I've got a question for you, Carole Theriault.

So you're a woman working in tech. Have you ever found yourself working with someone whose unearned confidence was completely disconnected from their actual ability?


CAROLE THERIAULT. Hang on. Yes.


MARK STOCKLEY. Perhaps you've met someone who lectured you about a subject that you actually knew more about than them.


CAROLE THERIAULT. I got explained.


GRAHAM CLULEY. Have you ever come across that?


CAROLE THERIAULT. I got explained, yes. I've been explained many times.


MARK STOCKLEY. Anyone you want to mention? Anyone?


CAROLE THERIAULT. Nope.


MARK STOCKLEY. Anyone? Anyone on this podcast?


CAROLE THERIAULT. No, no, everyone in this podcast are very intelligent, lovely people.


GRAHAM CLULEY. Yeah, you've always been wonderful, Mark.


CAROLE THERIAULT. Yeah, nice trap, Skirden.


MARK STOCKLEY. Anyway, so that's what my story is about today. It's about the dangers of a brash and overconfident colleague. Now, before I begin, I'm just going to make an apology to any lawyers who are listening.

Because I am about to leave the safe confines of cybersecurity just for a minute or two, and I'm going to enter the world of legal machinations. And it's come to my attention that lawyers are very particular about stuff, particularly things like contracts.


CAROLE THERIAULT. Get your words right.


MARK STOCKLEY. Yep.


GRAHAM CLULEY. I think it's very important that any lawyers listening realize that under the terms and conditions of this podcast, lawyers and members of the legal profession are not allowed to listen to this podcast. Just a safety net for us.


MARK STOCKLEY. I'm sure that's legally watertight. I'm sure there are loads of lawyers listening right now going, "Well, he's got us there.

He's absolutely stitched us up. Damn him." Anyway, this concerns a case that went before the Southern District of New York.

Started earlier this year. The case was brought by a chap called Roberto Mata.

And he claims that he was injured in 2019 by a serving cart on an Avianca Airlines flight. Avianca is Colombia's biggest airline.

And it's not hard to believe, for me at least, that he might have been injured by one of those carts.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. Because, I mean—


GRAHAM CLULEY. Haven't we all?


MARK STOCKLEY. It's funny, isn't it? Because they move so slowly down the aisle, particularly if you need the toilet.

They just roll slowly towards you. And every time, I've nearly lost a foot, I've nearly lost a shoulder, I've nearly lost an elbow.


GRAHAM CLULEY. 'Cause they have the mass of a neutron star.


MARK STOCKLEY. Yeah.


CAROLE THERIAULT. They carry a lot of stuff, you know?


MARK STOCKLEY. 7,000 tiny bottles of vodka.


CAROLE THERIAULT. Yeah, and dinners.


GRAHAM CLULEY. Yeah.


MARK STOCKLEY. Only about 3 dinners. They always run out of the dinners.

They never ever run out of alcohol. The number of times I've seen somebody say, 'Oh, can I have the sandwich?'

And they're like, 'Nope, sorry, no sandwiches. Lots of vodka though.

Do you want some vodka?' Anyway, so Mata decided he was going to sue Avianca, and the case ended up before SDNY.

And during the case, Mata's lawyer, a man called Steven Schwartz, who's been licensed to practice law in New York for 3 decades, filed an affidavit in opposition to the defendant's motion to dismiss. So basically, Avianca tried to get the case thrown out.

Yeah. And Mata's lawyer wrote a legal document saying, "Nah, no, no, no, don't do that.

Don't do that." Right. And in rebutting the motion to dismiss, Schwartz cited 8 different legal cases.


CAROLE THERIAULT. Mm-hmm.


MARK STOCKLEY. Because that's what lawyers do.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah, they say, "This is a precedent here. You can't do this."

Yep.


MARK STOCKLEY. Now there was just one small problem. Avianca's lawyers read the affidavit, and they went back to the judge, and they said, these cases don't exist.


GRAHAM CLULEY. No one expects that people are going to check your references, surely.


CAROLE THERIAULT. So these things have reference numbers and stuff and case numbers and all that stuff.


MARK STOCKLEY. Yes, they're always somebody versus somebody and there's a, I don't know the term, there is a code, a docket number or a case number or something like that. And so the judge ordered Schwartz to provide another affidavit annexing copies of the actual judicial opinions. So rather than just saying, a judicial opinion exists, and it's called, you know, somebody versus somebody, Schwartz actually had to provide, here is the text of the legal judgment that we're— of the legal opinion.


CAROLE THERIAULT. He's gonna have to find it at the printer.


GRAHAM CLULEY. Shouldn't be that hard, should it? Just photocopy it, right? Chuck it in.


MARK STOCKLEY. They're surprisingly short. I think they may be excerpts. But they're the meaty bit. This is the thing that proves our case. And so anyway, so Schwartz did that. In fact, and if you go to the website courtlistener.com, you can actually see these responses. And I read them yesterday. And there are 8 attached judgments, I think, including Varghese versus China Southern Airlines, Shaboon versus EgyptAir, Martinez versus Delta Airlines, and a bunch of others.


GRAHAM CLULEY. Oh, these are specifically cases involving trolleys on aeroplanes. This is the little food cart from the service.


CAROLE THERIAULT. Yeah, saying this is not the first time. This has happened before.


MARK STOCKLEY. Food carts, famously vicious. I think, and again, I'm going to get in trouble here, but I think what they are is they're cases where the defendant made a motion to dismiss and it was denied. So I think Schwartz is basically saying, no, you need to deny the motion to dismiss because in these other cases, the judge denied a motion to dismiss.


GRAHAM CLULEY. Alright, yadda yadda yadda. Okay, yeah, right, okay. Yeah, yeah. Legal stuff.


MARK STOCKLEY. Nothing to do with munching cards.


GRAHAM CLULEY. Okay.


MARK STOCKLEY. There was just one small problem. At least 6 of the cases are pure fiction. They never existed. They were, in the words of the judge, bogus judicial decisions with bogus quotes and bogus internal citations. They were completely made up. So understandably, the court then demanded to know why Schwartz shouldn't be sanctioned. They basically say, "Look, you've made up a bunch of stuff."


CAROLE THERIAULT. Outrageous.


MARK STOCKLEY. "Why shouldn't we punish you?" "You're making a mockery of this court!" Yes, but this is a legal case. Obviously, the judge wrote that down. And then Schwartz had to then produce a document with numbers in it to explain himself. And he did. He explained what had happened. And he explained in his document that he'd actually been relying on the work of another lawyer.


GRAHAM CLULEY. Okay.


MARK STOCKLEY. And it turns out that that lawyer had been doing what every lazy English-speaking student has been doing since November 30th, 2022. And he'd actually used ChatGPT to do his research.


CAROLE THERIAULT. You see, the thing I don't get about these flipping cases, right? I get ChatGPT, great, great, great, great, great, great, right? AI, go have fun. Why wouldn't you double-check? If you're a freaking lawyer, right? Why wouldn't you just go and do a rando double-check on one of them? Just say, let's just check this out, let's just see.


MARK STOCKLEY. Well, he's got an answer for that. So according to Schwartz, because again, you know, he had to write this down, he said the citations and opinions in question were provided by ChatGPT, which also provided its legal source and assured the reliability of its content.


GRAHAM CLULEY. That's fair enough. So it said this is reliable.


MARK STOCKLEY. And they went, okay.


GRAHAM CLULEY. You could actually ask ChatGPT, is this reliable info? Yes, it is. Thank you very much.


MARK STOCKLEY. Actually, that is exactly what he did.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. I would forgive an 11-year-old. An 11-year-old going, "Are you lying to me?" And ChatGPT going, "No, it's totally the truth." I would get that they would go for that.

But, you know, come on.


GRAHAM CLULEY. ChatGPT couldn't have its fingers crossed when it lies. So it would appear plausible and truthful.


CAROLE THERIAULT. From what I read, it's not lying, it's helping. It's helping provide information.


MARK STOCKLEY. Yeah, sure, sure, sure. So this is what it actually did.

So the document actually contains excerpts. And at one point, Schwartz actually says, "Is Varghese a real case?" He asks ChatGPT. "Yes," says ChatGPT, "it's a real case." "Of course it is." And that is how you check your sources, children.

So he also asked ChatGPT if any of the other cases were fake, and it replied that they were all real and that they could be found in reputable legal databases. And then it named the reputable legal databases where they could be found.


CAROLE THERIAULT. I wonder if ChatGPT sends sniggers in a way that we don't understand. Like, there may be a little—


GRAHAM CLULEY. A digital snigger.


CAROLE THERIAULT. Tee-hee-hee. Tee-hee-hee.


GRAHAM CLULEY. Oh, see, there you go.


CAROLE THERIAULT. ChatGPT, tee-hee-hee-hee.


GRAHAM CLULEY. Oh yeah, ChatGPT-hee. Yeah, very good.


MARK STOCKLEY. So anyway, so Schwartz had fallen for what artificial intelligence researchers euphemistically call hallucinations. Which is what AI researchers call it when a large language model just flat out lies.


CAROLE THERIAULT. That's unfair, that word. That's very human appropriation there. But anyway, okay.


GRAHAM CLULEY. I'm still amused that his Schwartz have fallen.


CAROLE THERIAULT. Sorry. I'm not even laughing at that.


MARK STOCKLEY. Carry on. So this isn't even an isolated case. I mean, Schwartz is never going to do this again.

For what it's worth as well, I think the judge and everybody involved basically said, okay, well, you acted in good faith. I mean, they didn't say you were dumb, but, you know, that's implied, I think. But he's— I think he's going to be okay. Like, he's not going to do this again, right? He's learned— he's learned a valuable lesson about ChatGPT.


CAROLE THERIAULT. You don't think he should be disbarred for this? Like, shouldn't— no, literally going to ChatGPT is like me going to the web and going, hi, how do I make some trousers? And just clicking on the first link and then just following that and then being surprised they're not perfect.


MARK STOCKLEY. Well, I think it makes a difference that he didn't go to ChatGPT and say, "Could you make up some legal cases?" 'Cause he would surely know, as a lawyer, that the other lawyers are gonna check what he'd put in the document. It seems a poor strategy to just make stuff up.


GRAHAM CLULEY. Are the other lawyers going to check though, or are the other lawyers just gonna ask ChatGPT?


CAROLE THERIAULT. He was trying to cut corners.


MARK STOCKLEY. He was. He said it was very quick. I bet.


CAROLE THERIAULT. Then you went out to dinner, had a great time.


MARK STOCKLEY. Making stuff up much quicker than doing the work. Anyway, just yesterday I was reading a Twitter thread by a law professor who was also using ChatGPT to find sources and quotes, and he said it was saving him hours of work. And this is how it sucks you in.

He said, so he was thinking, wow, this is fantastic. This is a brilliant research tool. What have we been doing? Then at one point, one of the quotes struck him as odd. He was reading a quote by noted Republican Supreme Court Justice Judge Scalia, and he thought, "That doesn't sound much like something Scalia would say." So he asked ChatGPT, he said, "Can you give me a link to that so I can check the source?" And so ChatGPT did give him a link. It just didn't work.

It looked good. It looked like a link that might work, but it didn't work. So then he asked again. And this is charming, ChatGPT apologized. And you see that in the other legal case I was mentioning as well, that it does actually say, "Oh, I'm really sorry. Here's another lie." So anyway, he asked again. ChatGPT apologized and it gave him a link to a news story. And the news story did exist. It was just about something completely unrelated to the thing that he was asking about.


GRAHAM CLULEY. What?


MARK STOCKLEY. So then he said, "All right, well, if you can't give me a link to it, just give me the full text of the speech." So ChatGPT did it, just gave him the full text of the speech. It was just the whole thing was completely made up. And that, ladies and gentlemen, is the real risk of AI. I mean, set aside future concerns about whether or not it's gonna keep us as pets, for now—


CAROLE THERIAULT. It's made up of all the flipping garbage we've slapped up on the internet for the last 15, 20 years. So yeah.


GRAHAM CLULEY. And making up its own garbage, from the sound of things.


MARK STOCKLEY. Yes, it's now generating garbage that future versions of ChatGPT will eat.


CAROLE THERIAULT. Yep.


MARK STOCKLEY. In order to generate further garbage.


CAROLE THERIAULT. More concentrated garbage.


MARK STOCKLEY. As time goes on, the proportion of ChatGPT garbage in its own diet is only gonna go up.


CAROLE THERIAULT. Thanks.


GRAHAM CLULEY. Thanks, Mark.


MARK STOCKLEY. Cheery. Good.


CAROLE THERIAULT. No, no, it's okay.


MARK STOCKLEY. I'm here to bring some sunshine into your life.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Well, I have two teenage boys, longtime pals, these two, okay? Into football, electric vehicles, you know, live in the little suburb outside Cardiff in Wales, about 5 miles from the center of town. Not deluxe suburb. So the town's called Ely. I don't know how to say it actually, guys. E-L-Y.


GRAHAM CLULEY. Oh, E-L-Y. Could be Eely, could be Ellie.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Hang on, it's in Wales, isn't it? It could be anything.


CAROLE THERIAULT. I'm going to say Eely. I'm just going to say Eely.


GRAHAM CLULEY. Okay. Apologies, Welsh people.


MARK STOCKLEY. I'm going to ask ChatGPT.


CAROLE THERIAULT. So this isn't a deluxe suburb. This is known as Ely, if I'm pronouncing it correctly, I hope. And the area, someone said it has a lot of deprivation, but also a very warm community. That's how it's been described.

So it's a late spring afternoon last Monday, just before 6:00 PM. And one of the boys just had a haircut, bite to eat, and went outside and met his friend and started messing around on an electric bike.

Not just your e-bike here. This is a Sur-Ron electric motorcycle. And it was a recent birthday present.

And one of them's driving, the other one's holding on perched on the back. But something goes wrong and there's a crash.

And both boys, just 15 and 16, die as a result of this crash. And it happened in their neighborhood, almost basically right near their house.

So within minutes of this happening, the crash is reported to the cops and there's a police vehicle and they respond. And officers reported that they started doing CPR upon arriving at the scene. But to no avail.

Now, obviously, this is a pretty harrowing scene. You have two neighborhood boys who've been laughing and mucking about just 10 minutes ago.

Crash is loud. People hear it, come out to see what's happened, right? I mean, parents and neighborhood friends, they all come out to see what's going on.

It's a community's worst nightmare. I can't think of anything much worse.

And for the cops, it's got to be a nightmare too, right? I mean, these are kids. And there's probably a bunch of protocols that you've got to follow when something happens.

And they know it's community's worst nightmare. So you've got a lot of tension going on.

So the problem is this, a riot ensued until 3:00 AM the following morning. And the BBC reported that cars were set alight, fireworks were thrown at police as 100 to 150 people gathered in Ely on Monday night.

Missiles were aimed at officers. 15 officers were injured, though none of the injuries were life-threatening.

A local resident said he'd heard threats from rioters saying kill police officers at the scene. Quote, they said they would not stop until they killed a police officer, unquote.

Around 8 o'clock that night, police tweet, right? They say they're still at the scene of the collision, but they're also working to de-escalate the ongoing disorder.

It was even reported that one person was attacked because rioters thought they were an undercover officer, according to an officer at the scene. So just chaos.


GRAHAM CLULEY. Yeah, sounds like it's completely out of control.


CAROLE THERIAULT. It's completely out of control. And so the question is what kicked this off?

Well, from my reading, this is what I've got, right? So one, it could have been how the cops handled the situation upon arriving at the scene, because according to reports, they wouldn't allow the parents to see their kids. You know, perhaps they are trying to preserve the scene to ensure there is no malicious intent or third-party involvement or anything.

But according to some reports, the cops didn't handle the growing crowds with maybe compassion. And considering they were looking at their own kids lying dead, or their neighbor's kids on the road, that must be a hugely difficult situation.


GRAHAM CLULEY. It must be. But at the same time, if you're trying to save someone's life you don't necessarily want the relatives all around, do you? Possibly making the situation more complicated, or they might be fainting, or that, you know.


DAVE AHN. Totally.


CAROLE THERIAULT. If you're in a hospital, I understand. I understand. Absolutely, absolutely. So you can just see, it's just very—


GRAHAM CLULEY. It's not easy for the police, is all I'm saying from that point of view. Is that—


CAROLE THERIAULT. I agree.


MARK STOCKLEY. It's one of those situations that pops up from time to time where you can put yourself in anybody's shoes in that scenario, and everybody can be acting in good faith and what they think are the best interests of the children. You can still come to — I was going to say disagreement, but clearly it was escalated beyond that — but you can end up with very, very different answers to the same question by being in different people's shoes.


CAROLE THERIAULT. But you can even feel the feeling here. This is a quote of someone, an onlooker: "they wouldn't let the parents do nothing. It was disgusting how they treated them. And they made them walk home and give them the news in the house. Didn't give them any sort of news at the scene. They were there for hours waiting and waiting, and they wouldn't let them through to see if their son was okay. It was really, really bad."

So this could have angered the community enough to kick off and scare the bejesus out of local residents who were hiding indoors. There's Jane Palmer, right, owner of a Ford Focus.

Jane said she and her family had watched from their window as rioters set fire to her car. And she's saying "I'm disabled, so now I'm trapped without a car."

But it could have been this little discrepancy. So this is a video, and it's very short.

The video basically was reportedly taken at a house where a relative of one of the boys lives. And it shows a bike traveling along Frank Road in Ely at 5:59 PM on Monday, the night of the fatal accident.

And it's less than 1 mile from the suspected crash site. You see this bike go by, and there's 2 boys on the bike, and then you see a police van about 15 meters behind it.


GRAHAM CLULEY. Yeah, I've seen this video. It kind of zips past the house, doesn't it?

And I don't know if it's a security camera from the house or whether it's someone actually recording from inside the house — I wasn't clear about that. But it appears that the police van is in pursuit of these two kids on their e-bike.


CAROLE THERIAULT. Exactly. If I'd seen that, I'd be thinking okay, so these kids are having fun, whatever, and they've pissed off the cops somehow, and they're trying to bring them to an arrest, perhaps. And then suddenly—


MARK STOCKLEY. Fifteen meters is very close.


CAROLE THERIAULT. Yeah, fifteen meters, sorry. But still super close.

And then you hear the crash in the video — you hear this thing happen. But here's the weird thing: police officers say that none of their vehicles were on Snowden Road when the crash happened.

"The investigation has involved studying CCTV and tracking data from the police vehicle. And at this stage, we do not believe that any other vehicle was involved in the crash."


GRAHAM CLULEY. The news story I read said that the video was taken maybe in the street where they lived or something, and the crash was a few streets away when the police claimed they were no longer in pursuit of the vehicle, of this £5,000 e-bike which the kids were on. So it is possible maybe the kids on the bike lost the police who were chasing them and the police went the wrong way or something. And then they came a cropper.


CAROLE THERIAULT. Yeah, there's so much involved. So the South Wales Police and Crime Commissioner said it appeared that rumors on social media that a police pursuit had led to the crash that killed the teenagers were wrong.

So they're saying that never happened. And they say, quote, it appears there were rumors and those rumors became rife of a police chase, which wasn't the case. This is from the crime commissioner. I think it illustrates the speed which rumors can go around with the activity that goes on social media these days and how things can get out of hand. So he's saying the riot was a result of false information traveling on socials.


GRAHAM CLULEY. I think what the police are saying is that their data shows that the cyclist took a shortcut, which the police were unable to follow them down or had lost them by that point. So they ended up at the time of the crash, which was at 6:03 or something, they were some distance away from the kids who were having the crash.

Although initially the problem was that initially the police said there wasn't any pursuit at all.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. They gave that suggestion, but when the video emerged, they then went, well, maybe we had been, but we weren't at the time of the crash. So the crash took place a few minutes later.


CAROLE THERIAULT. But all this does not— so there's confusion that's come up. So it makes sense to me, if you were already in a place where you don't trust cops, right?

You're in a community where there's distrust between cops, for instance, that may be existing in this place, and your initial reaction is to deny it and then admit it, I'm worried that it only served to inflame the situation.


MARK STOCKLEY. And I think one of the things that social media has given us is there is so much information on so many things all of the time that it's very, very difficult to deal with people and things in their entirety. And so, I think one of the most pernicious effects is that we now have a way of looking at organizations as if they are monolithic, as if they are individuals, and that they have perfect recall and perfect lines of instant communication.

So, we have all worked in organizations. I mean, I've worked in an organization of two and had problems with miscommunication. It happens as soon as there's more than one of you. And if you're in a large organization, it's not at all outlandish to suggest that one part of the organization might say something, believing it to be true, and it later turns out that it's not true, particularly when you're in a highly emotive, fast-moving situation.


GRAHAM CLULEY. Let's not forget at 10 Downing Street when we had senior politicians dealing with the COVID epidemic and plenty of people accused them of having parties and breaking swings and bringing alcohol to karaoke machines.


MARK STOCKLEY. This is the other side of it.


GRAHAM CLULEY. Other people had a completely different impression of what was going on. I mean, they were doing important essential work and some people thought this was a problem.


CAROLE THERIAULT. I wonder whether this situation may be more about how the cops arriving at the scene may have handled family members and onlookers as they arrive. It's obviously a super stressful situation, but surely dealing with that kind of immediate shock and grief should be in police training, right?

To be able to do it in a way that somehow de-escalates intense feelings of hate.


MARK STOCKLEY. I don't know enough about police training to comment on whether or not they include that kind of thing or not.


CAROLE THERIAULT. Yeah, no, me neither.


DAVE AHN. Fair.


MARK STOCKLEY. But I do feel sorry for, whatever training you have, you then have to map it to a real-world situation, and you can't train for every possible scenario. And if you're a police officer, then you're training for scenarios where you turn up and somebody might be trying to kill you, or somebody's having a mental health crisis, or somebody's had a terrible accident.

And there will never be enough training, so you will always have people in a situation where they are trying to extrapolate from the training they have to the situation that's in front of them. Now, maybe they turned up and they did a terrible job. Maybe they turned up and they did a decent job, but it wasn't to the satisfaction of the people around them.

If I was in that crowd, if my children were involved in an accident, nothing would be getting between me and my children. I imagine that any parent in that crowd would feel the same way. So to me, it just sounds like a flashpoint that you have all the ingredients for something to kick off.

You know, bad things can happen to good people, unfortunately.


CAROLE THERIAULT. 100%. And the two other main takeaways here are: from that, the kids were not wearing helmets on the bike according to reports and according to the visual I saw.

So please always wear a helmet. And two, I was thanking God that guns are illegal in the UK. Because after watching this, I don't know what would have happened in a place where guns were allowed.

No one died in the riot that ensued.


GRAHAM CLULEY. So Carole, I hope you haven't inflamed any of our listenership by bringing the gun debate into this.


CAROLE THERIAULT. Of course I haven't. They're just rolling their eyes and going, she knows nothing.

Smashing Security is brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity. The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every known cyber threat.

Now available as a cloud-based deployment, Centripetal's CleanINTERNET service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS CleanINTERNET Cloud protects your enterprise, whether on-premise, remote, or in the cloud, removing the need for a more costly cybersecurity infrastructure.

Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show.


GRAHAM CLULEY. Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant.

How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log in to your cloud apps until they fix the problem. It's that simple.

Kolide patches one of the major holes in Zero Trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.

Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.

The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked.

Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.


CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds.

And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access.

And it's easy to set up. Easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing.

And thanks to Bitwarden for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us? Our favourite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


MARK STOCKLEY. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is not security related. My pick of the week this week was recommended to me by an avid listener to the podcast who said, "Have you seen this show on Netflix? It's called Black Butterflies. You might like it."

I said, "What's it about?" And they told me, and I thought, "Oh, I wouldn't like that at all." They said, "It's sort of a bit serial killer-y."

It's a bit, "Oh goodness, no, I don't want to watch that." Anyway, somehow or other, I started to watch it, and by gum, it was good.

And it is called Black Butterflies, or in the original French, Les Papillons Noirs. And let me give you the central premise.

There is a novelist with writer's block. He is invited to visit a dying man who wants his memoirs ghostwritten, and he begins to tell this writer the story of his life.

And it starts off as a lovely sort of romance between this old man when he was young and the love of his life and their career around the French Riviera in the 1970s. And then it begins to turn rapidly into a tale of rather twisted serial killing.

And most of the show is taking place in different timelines, two different timelines, '70s and the present day. But you never feel lost.

It's very well done. It's a psychological thriller.

It's definitely not for kids, so there are some very graphic scenes, but I have to say, it was brilliant. Really well acted, lots of surprising twists, great music.


CAROLE THERIAULT. I'm sure I've seen this. Is this old?


GRAHAM CLULEY. This is old. I think it may have come out last year. I mean, you may be more up to date on the Netflix shows than me.

So, it's very imaginative cinematographically. And it kept me gripped until the end because there's lots of twists.

And I thought it was rather good. It's definitely— can I underline again?

It's not for kids. The person who recommended it to me told me that their son walked in while they were watching it and they had some difficult explaining to do as to what on earth they were watching.

So be careful. Don't watch it with kids.


MARK STOCKLEY. Even though it's about butterflies.


GRAHAM CLULEY. Black Butterflies.


CAROLE THERIAULT. I watched this with John. I'm sure we did watch it, but I can't remember.


GRAHAM CLULEY. It seems like the kind of thing you would have watched, Carole. Yeah, I can believe it. Anyway, I would really recommend it. So go and check it out. You can either watch it dubbed or with subtitles depending on your particular persuasion. I greatly enjoyed it. So that is my pick of the week. Mark, what's your pick of the week?


MARK STOCKLEY. So you know that I come on here, and normally my Pick of the Week has some sort of environmental theme. Ocean cleanup, I think I did trees once. Soil. Nature. Soil, yeah. Generally sort of climate apocalypse. Wouldn't it be great if we didn't all die and burn to death? Chickens.


GRAHAM CLULEY. Things about chickens.


MARK STOCKLEY. You're quite keen on chickens. My book today is not about that. Well, I have discovered an entirely different form of apocalypse to worry about. And so my pick of the week today is about that.

And it's a book, it's called The End of the World is Just the Beginning: Mapping the Collapse of Global Civilization. And it's by Peter Zeihan. Peter Zeihan does fantastic YouTube videos.

If you want a sort of intro, he releases one a day, they're about 5 minutes long, go look for him. Fascinating stuff. And he is a geopolitical strategist.

But his real thing is demographics. So his shtick is all about the demographics of the world and how the demographics, essentially global demographics, are going to change the way the world is made up over the course of the next 20 years.

So according to him, we're in a very interesting situation at the moment whereby birth rates across the world have collapsed. So broadly speaking, the earlier you industrialize, the slower your birth rate collapses.

And the quicker you industrialize, the quicker your birth rate collapses. Because when you industrialize, when you have an agrarian economy, you generally have as many children as you can because children are free labor.

And then when you move into an urban environment, you have many, many fewer children because children are incredibly expensive until they leave home in an urban setting. And also you get things like Social Security coming.

You don't need children to look after you in old age. So the net result is always a reduction in birth rates.

And what's happened is that the countries, the UK, which industrialized first, its birth rate has been declining very, very slowly. And countries that industrialized after, say, World War II, South Korea, their birth rate has been collapsing very, very quickly.

And what's happened is that everybody's birth rate has synchronized at a point where right now, the largest generation is about to tick over into retirement. And that has all sorts of effects on things like global capital and employment, because you think, well, suddenly you're going from a situation where you have a large, knowledgeable workforce with lots of capital to spend on things to a large group of retirees who want to hold on to their money being supported by a much, much smaller group of employees.

And that small group of employees is being followed by an even smaller group. Each generation has had fewer children.

So, you know, you get a small generation, it has a small generation of children. And so we are just now tipping over into this very interesting world.

And his conjecture is that that is going to have all kinds of very, very dramatic effects. And the TL;DR is, unless you live in the US, Argentina or France or one of a very small number of other countries, it's going to be a very rough couple of decades.


GRAHAM CLULEY. Oh great, sounds an interesting book, Mark. Are there any jokes in it at all? Any jokes?


MARK STOCKLEY. Yeah, there is no good news in this book at all. Oh no! Literally none.


GRAHAM CLULEY. I'm very sorry, but it's just a—


CAROLE THERIAULT. Thanks for bringing it to our attention. It's a shit show. Thanks!


GRAHAM CLULEY. Maybe next time we'll have the chicken in the soil and the cleaning up the oceans.


DAVE AHN. What's the name of the book again?


MARK STOCKLEY. It's called The End of the World Is Just the Beginning.


GRAHAM CLULEY. By Peter Zeihan. Thank you very much. Carole, what's your Pick of the Week?


CAROLE THERIAULT. Well, I'll bring us out of the doldrums. Do either of you know what a proven hangover cure is?


GRAHAM CLULEY. Yes. What? Not drinking.


CAROLE THERIAULT. Not drinking.


GRAHAM CLULEY. I've been doing it 50 years.


CAROLE THERIAULT. Yeah, yes, that's very good. Boom, boom. Okay, if you were to perhaps imbibe—


GRAHAM CLULEY. Is it a lobotomy? Is it death?


CAROLE THERIAULT. Okay, so the answer— When you don't know, Cluley, it's really easy. You just say no. Oh, okay. No, I don't know.


MARK STOCKLEY. I can tell you what it isn't. It isn't trying to watch the Wimbledon final on TV. I've tried that tip. Really doesn't help.


CAROLE THERIAULT. What about flossing and brushing? Is that good for your teeth?


GRAHAM CLULEY. Oh, it's meant to be good for everything, isn't it? Having a good floss.


CAROLE THERIAULT. Oh, interesting. And what about anti-aging creams? Do they really work?


GRAHAM CLULEY. Just look at us, Carole. I think that tells you everything.


CAROLE THERIAULT. See, these are interesting questions. You can discover all these answers and tidbits on a podcast called Science Versus. It's from Gimlet Media and a show hosted by Wendy Zuckerman, who has the most charming Australian accent to my mind. She's super bubbly, funny, and smart.


GRAHAM CLULEY. Hmm, how do they find out these answers? Do they go to ChatGPT by any chance and ask it these questions?


CAROLE THERIAULT. No, no, they take on fads and trends, opinions and stuff, and then they find out what's real and what's maybe somewhere in between. It's friendly fact-checkers is what they call themselves, and I think that's a fair statement. That's quite cute. So, for example, when they go for hangover cures, they talk to loads of experts, and the end result of that was basically eat a huge meal before you start drinking. And flossing and brushing, not necessarily good for your teeth. Fluoride is good for your teeth. Fluoride is the only thing that protects your teeth. Everything else is good for your gums, which are obviously important.


GRAHAM CLULEY. Trick question, right?


CAROLE THERIAULT. A bit of a trick question, I agree. And anti-aging creams is really interesting because a lot of it is because the molecules inside the creams are too big because they're not fat-based, they're water-based. So they don't go into your skin at all. The only one that can is retinol, and you need to get it by prescription to have any effect at all. So this is the kind of stuff I've learned. You may agree, disagree. I loved it.


MARK STOCKLEY. Are you saying that those graphics on the skincare adverts where they have pink blobs crossing the skin barrier and info, are you saying that that isn't strictly accurate?


CAROLE THERIAULT. They actually did a test because they said, well, how do they get these results on these makeup ads, you know, these kind of things. So they just made up some of their own concoction, sent it off for $1,000 to get tested, and it came back saying, "Amazing, 100%, works like a charm, amazing, amazing." So they just go in to maybe show how things may not be as you think.


GRAHAM CLULEY. So we could set up an aging cream testing organization. They could send it to us, give us $1,000, and we say, "Yes, brilliant, I look gorgeous." Yes, if you want to be a schmuck.


CAROLE THERIAULT. It's exactly what we would do.


MARK STOCKLEY. Would you like to know what ChatGPT thinks you can do about a hangover? Oh, come on, please. Because while we were talking, I asked what's a good hangover cure? And have you ever used ChatGPT? Because you'll know it does like to give wordy answers.

So anyway, several strategies can alleviate the symptoms. No magical cure. Anyway, there's a list of 8 things: hydration, rest, nutritious food—I think you mentioned that one—electrolytes, ginger and peppermint can alleviate nausea and soothe an upset stomach, apparently, according to ChatGPT. Pain relievers—genius, oh that is clever—light exercise, and here's the kicker: avoid caffeine. Well, so this is essentially basically what's happened here is ChatGPT has just watched me on a Sunday morning when I was at college and turn off Wimbledon.


CAROLE THERIAULT. You know, the podcast Science vs. has changed its name to Science vs. ChatGPT. They've got a whole new show there. It's a great show, check it out. It's fun and it has a bit of a light-hearted feel, but you know, you come away with a few little cute tidbits. So Science vs., find it wherever you get your podcasts—that's my pick.


GRAHAM CLULEY. Thank you very much, Carole. Now, you've had a very busy week this week—you've been chatting to our friends at Centripetal.


CAROLE THERIAULT. Yes, I chatted with Dave Ahn, and we talk about the cloud and how it revolutionized how we work, but it also has changed how the attackers come and find us. Take a listen.

Well, listeners, we have the pleasure of chatting with Centripetal's chief architect, David Ahn. Centripetal focuses on threat prevention using real-time intelligence with automated enforcement, and today we are talking to the guy who builds and ships this stuff. Thank you so much for coming on and taking the time to speak with us today, Dave.


DAVE AHN. Wow, Carole, what an intro. Thank you so much—it's a pleasure to be here.


CAROLE THERIAULT. Well, it gets worse because you, out of all the job titles that I know in the tech sector, my favorite one is Chief Architect because it's got gravitas, right? It's serious. And I'd love to know about some of your responsibilities, but maybe you could first tell us: how did you end up at Centripetal as their chief architect?


DAVE AHN. So the journey actually started quite a while ago. I actually started a number of startups, so I innovate a lot of technology around healthcare and cybersecurity and computer algorithms and things like that. And one of the companies that I helped to start was a cybersecurity company, and we developed this amazing filtering technology.

And that technology was great, but there wasn't a strong product synergy around it. And so when I met with Stephen Rogers, Centripetal CEO at the time, he really put forth his vision of putting intelligence as a driving force around cybersecurity. And Centripetal needed a capability to do that enforcement, and so it was a great marriage in terms of technology in two different companies. And so I came to Centripetal in the very beginning as part of an acquisition, and I stayed through to really commercialize that technology and bring it to the product that it is today. So it's been an amazing journey.


CAROLE THERIAULT. Yeah, it sounds like a marriage made in heaven. Tell me, so tell me, do you spend your day in meetings, or do you have other responsibilities other than guiding and helping everyone do their jobs?


DAVE AHN. Well, yes, there are lots of meetings. But I run one of the divisions here at Centripetal, Intelligence Services. And so my group is responsible for really identifying that intelligence, kind of figuring out what to do, and helping to ingest it and produce really actionable portions of it for the rest of our products.

So that's a big area around data, data science, analytics, and so forth, informatics. And then kind of mapping that into how do you design systems — there are many different systems, systems that make the solution possible. And so I help to lead with a lot of my colleagues who are leaders in this space to build an end-to-end solution. It's very challenging, very diverse, lots of exposure. And you're probably right, lots of meetings.


CAROLE THERIAULT. But it must have changed a lot over the years because most businesses today, from the tiny ones to midsize to the massive, massive internationals, they're all reliant on cloud to function. Can I say even function today? Is that fair? I think that's fair.


DAVE AHN. I mean, it's just so ingrained and kind of permeating through all of IT and technology today. So I think you're right.


CAROLE THERIAULT. I would say that the shift must also — it changes how organizations have to operate, obviously, but it must also change how the malicious hacker approaches a target.


DAVE AHN. Oh, absolutely. So cloud technologies and platforms and services have just been so transformative. I mean, it's well over a decade old now in terms of the beginnings. But it's just in the last maybe decade or so where it just has gotten so much adoption. I think it's gotten really mature.

So if you think about how even that coffee shop to a larger enterprise where they can really shift the burden of managing hardware, data centers, maybe infrastructure software, and focusing on how do they deliver solutions, how do they create product, or how do they solve internal challenges. And they're able to do this through the cloud because the cloud makes these computing resources so accessible and also scalable, right?

I mean, you don't have to worry about patching OSs or patching this or that and figuring out how to deploy and setting up data centers and things like that. It is transformative. And all it takes is an individual with a credit card to stand up a website or put up a video or anything like that.

And it's just amazing in terms of accessibility of technology to enterprises. And that in and of itself, of course, that power ends up being accessible to all the malicious actors and the complexity around that.

And there are cloud providers who may be a bit more accommodating or maybe tolerant of malicious activity in certain areas of the world. But having said that, most of these cloud services are meant to be accessible. I mean, as I mentioned, all you need is a credit card, and a lot of times for free accounts. And certainly, they're very cheap.

So when you think about these malicious actors, they're becoming more sophisticated. So they know how to write programs. They know how to modify malware. They know how to carry out campaigns and social engineering and so forth.

And so they're adapting to the fact that because so many organizations are adopting cloud infrastructure, then that's where the value is, that's where the opportunity is. Because if all the data is in the cloud, if all the services are in the cloud, then that's where they need to attack to get the most, let's say, return for their efforts.


CAROLE THERIAULT. Yeah, good old ROI. So, okay, how has this changed things for you from the security side, because of course, you as Centripetal's chief architect had to adapt in order to properly protect organizations. So, can you talk a little bit about how you guys approach security in this new world?


DAVE AHN. Yeah, absolutely. So, I think one of the biggest challenges for organizations around cloud security is just difficulty in visibility and difficulty in understanding. So, it's not that there isn't understanding, it's just that if you think about roles or access controls or things like that, it's very easy to say, well, you've got to put those controls in.

However, when you have hundreds to thousands of options and it just gets explosively combinatoric when it comes to the infrastructure, the virtualization, the containers, and the software, the gazillions of things that are running in the cloud, then it's so difficult for normal organizations or typical organizations to get a handle on what the repercussions are, right? So if they have a setting in terms of user access or application access, what does that really mean throughout the cloud infrastructure?

Because everything is being managed by these cloud providers, and therefore, there isn't as much visibility understanding. And so to attack this problem, I mean, in cybersecurity, it's a big challenge.

I mean, if you look at all the breaches, a lot of the breaches that have occurred in recent years, so many of them have some sort of cloud component to it. And it just lends itself to the gaps in knowledge and gaps in visibility and gaps in control that exist that are really hard to fill.

And so it's a challenge for us in cybersecurity.


CAROLE THERIAULT. Yeah, because, you know, I used to work at a technology firm and even back then, this is basically pre-cloud days, but the tech staff were overburdened with servers going down or machine equipment going down and now that's not the problem so much. There's just so many accounts and so many ways for people to access data.

How does someone responsible for allowing network access and information access not feel overburdened? I think that's a key problem.


DAVE AHN. It's just overburdening of that information overload or complexity overload. And so there are tools that have kind of started to fill this niche over the years where they give you observability, telemetry and these kind of things.

And one of the challenges I see with a lot of these products is that sometimes they actually end up producing even more work, right? So they give you unbelievable visibility into every activity that's happening across the entire cloud infrastructure for a customer, right?

And now we're talking about unbelievable amounts of log data, how do you interpret it, and how do you do audits, and how do you do an analysis of all this data? And so this is where a lot of— of course, in recent months, there's been this trend around leveraging AI and automation and these advanced techniques to kind of manage the interpretation of that volume.

But that doesn't take away the fact that there is that volume. So it is a significant challenge.

And I hope that even cloud providers and cybersecurity vendors are kind of stepping— are able to step up to the plate and make those cybersecurity controls a little bit more easier to understand and easier to manage. I mean, let's not place the burden on the enterprise, that poor person who's dealing with so much of the data.


CAROLE THERIAULT. So how do you guys do that at Centripetal?


DAVE AHN. How do you guys manage that? So we've taken the approach that sometimes information should just be interpreted by those with that knowledge, right? So instead of attacking this from the angle of let's give another tool, let's give more information, let's give more capacity, and then saying, well, you enterprise, you need to go figure out how to use this tool, have to figure out how to choose the data and how to interpret it and how to analyze it and then figure out the reporting aspects of it. And instead, we bring that as a service.

And I think you've seen this a lot in the industry with maybe the growth of the managed security service providers where they're bringing in that expertise to fill that gap. So at Centripetal, we're working towards that where we're bringing in the intelligence, we're bringing in the enforcement capability, and we're bringing in the analysts who can help to interpret and really shift that burden away from the customer.


CAROLE THERIAULT. And the whole plus side of it is you get some— you're using real-time intelligence to block unwanted traffic before it gets to the network? I mean, that's the endgame, right?


DAVE AHN. Oh, that is the endgame. So if you think about intelligence, it tells you what all those malicious actors— where they are, what infrastructure they're using, what methodologies that they are leveraging. And today, these malicious campaigns are becoming so much faster.

So as I mentioned before, we talked about before, they're leveraging cloud infrastructure and they're automating and they're able to carry out these attacks in a matter of minutes to an hour, you know, or so. And so when that happens, then, you know, if you have this information, but you don't have it at the moment that you need it, which is maybe right now when you're under attack or 15 minutes from now when you're getting scanned, then that intelligence doesn't do you any good.

So whether it's Centripetal or others, this concept of leveraging that intelligence as soon as you can, as real time as you can, that is really the differentiator in terms of elevating the security posture.


CAROLE THERIAULT. It makes perfect sense. Is there anything you'd like to add?


DAVE AHN. I really encourage everyone to take a proactive stance. And I understand that a lot of the time, there's just so much technology and so many products and solutions. And everybody is saying that they can solve the problem.

But I encourage everyone to look at it from the perspective of, what are my pain points? What can I do proactively to help reduce the work that I have to do? Because if you don't reduce that workload, then all the security in the world may be producing all those alerts and things like that, but it doesn't help you when you don't see it in front of you, and it's not helping you to actually protect your enterprise.


CAROLE THERIAULT. I think that's such a good point. And I think actually being able to identify your pain points is key because the security market now is a bit like walking into Walmart and there's only cola on sale, and you're walking down these aisles going, I don't know which one. So if you know exactly what you want, it helps narrow the field.


DAVE AHN. Yeah, I absolutely agree. I think you have to start with owning that cybersecurity a little bit and saying, all right, these are my pain points, and just be objective about how difficult it is because it is. It's difficult.

And what can you do? The maximum return for the steps that you take forward. I think that's the only practical way to really go about doing this.


CAROLE THERIAULT. Well, I think a very good step for our listeners is to check out Centripetal's webpage, which we have linked, because you can learn much more about their technology and services. And you can do that by visiting smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L.

That's smashingsecurity.com/centripetal. And huge thank you, David Ahn, Centripetal's chief architect, for coming on the show.


DAVE AHN. Thank you so much. It's been a pleasure.


CAROLE THERIAULT. Yeah, have a good day. Not too many meetings, I hope.


GRAHAM CLULEY. Fascinating stuff. Well, that just about wraps up the show for this week. Mark, I'm sure lots of our listeners would love to follow you online and find out what you're ranting about.

What is the best way for folks to do that?


MARK STOCKLEY. Well, you can find me @MarkStockley on Twitter. You can also find me @InternetOfHens on Twitter if you prefer the sort of trees and general apocalypse preparation type stuff.


GRAHAM CLULEY. Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't have a G.

We also have a Mastodon account. Find us at smashingsecurity.com/mastodon and make sure never to miss another episode.

Follow Smashing Security on your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And massive shout out to this episode's sponsors, Kolide, Centripetal, and Bitwarden. And of course, to our wonderful Patreon community.

It's thanks to them all this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 323 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.


MARK STOCKLEY. Bye-bye.


CAROLE THERIAULT. We dealt with some pretty serious issues this week.


GRAHAM CLULEY. Bloody hell, did we? Yeah, I know.


CAROLE THERIAULT. Goodness. But, you know, shit happens.


GRAHAM CLULEY. Well, yes. I know.


CAROLE THERIAULT. Sometimes we gotta talk about it. Thank God we have you to just bring a bit of lightness to our life.


GRAHAM CLULEY. That's what my purpose is really, isn't it? To bring a little bit of joy in this miserable world.


MARK STOCKLEY. On this miserable podcast.


GRAHAM CLULEY. Miserable world. Thank you very much, Mark.


CAROLE THERIAULT. Thank you, Mark. You're welcome.


GRAHAM CLULEY. It was lovely. Look after yourself.

I will.


MARK STOCKLEY. Thank you very much. And you.

-- TRANSCRIPT ENDS --