UPS delivers some smishing advice (but have they kept something under wraps?), we ask ChatGPT to take a long hard look at itself, and we debate what the penalty should be for taking national secrets home with you.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's sole founder Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- UPS discloses data breach after exposed customer info used in SMS phishing - Bleeping Computer.
- Example of UPS SMS phishing message related to Lego order - Twitter.
- Another example of a Lego-related UPS phishing message - Twitter.
- Former FBI Analyst Sentenced for Retaining Classified Documents - US Department of Justice.
- How The Intercept might have helped unmask Reality Winner to the NSA - Graham Cluley.
- Bad adverts leave people scratching their heads - MSN.
- How Cybercriminals Can Perform Virtual Kidnapping Scams Using AI Voice Cloning Tools and ChatGPT - Trend Micro.
- Which Jobs Will Be Most Impacted by ChatGPT? - Visual Capitalist.
- Unraveling an AI Scam with AI - Imperva.
- 100,000 Hacked ChatGPT Accounts Discovered on Dark Web - Hackread.
- 97+ ChatGPT Statistics & User Numbers In June 2023 (New Data) - Nerdy Nav.
- “Speed Cubers” - Netflix.
- Trailer for “Speed Cubers” - YouTube.
- KBDcraft.
- “How to Win Friends and Disappear People” - Qcode Podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Out of an abundance of caution. That's the best.
CAROLE THERIAULT. That's the best. I've not heard that one before, and I've heard them all.
THOM LANGFORD. Please tell me there's a, we take security seriously somewhere.
CAROLE THERIAULT. By an abundance of caution.
GRAHAM CLULEY. We are providing notice to individuals whose information may have been impacted.
CAROLE THERIAULT. May have been impacted. Sent to all. Make sure it's BCC.
UNKNOWN. Smashing Security, episode 328, UPS phishing, ChatGPT 101, and storing secret files with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 328. My name's Graham Cluley.
CAROLE THERIAULT. God, that's a big number. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hi, Graham.
GRAHAM CLULEY. Welcome back from your holidays.
CAROLE THERIAULT. Thank you very much. Thank you very much.
GRAHAM CLULEY. And what a delight it must have been to come back to find that Smashing Security—
CAROLE THERIAULT. The one and only.
GRAHAM CLULEY. —is an award winner. Again.
CAROLE THERIAULT. That's right, isn't it, Thom? Hi, Thom Langford.
GRAHAM CLULEY. Hi, Thom Langford from the Host Unknown podcast. Of the what's-his-name podcast.
THOM LANGFORD. Humiliating, it was. I had to go and pick up two awards, and they were both for you.
CAROLE THERIAULT. Do you know, they got in touch with me saying, please come, please come. And I was like, I wish I could, but I'm on holiday. I can't go, but I'm sure Thom Langford will pick them up for us.
THOM LANGFORD. Graham, I know can't be asked. Yeah, so Yvonne asked and said, can you be around to pick up just in case? And then I double-thought it and thought, ah, perhaps that's a double bluff. She wants to make sure that I'm there so I can pick up. Yeah. Because I had three things in the mix. I, you know, statistically I was— Oh dear. But no, couldn't believe it.
GRAHAM CLULEY. Thank you once again to all of our listeners who voted us. And allowed us to win, what was it? Most entertaining cybersecurity podcast and best all-rounder cybersecurity podcast or something like that.
THOM LANGFORD. Did you have to put your waist measurements in, Graham?
GRAHAM CLULEY. Well, the best all-rounder. Thank you for showing up to the awards because of course, Carole and I couldn't be arsed.
CAROLE THERIAULT. No, and thank you, Eskenzi PR, for facilitating the party. It was very well done. I'm going to kick the show off, so buckle up. But before we kick off, let's thank this week's wonderful sponsors, Bitdefender, Kolide, and Drata. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Well, it's not so much smashing security this week as smishing security.
CAROLE THERIAULT. I do not think you should screw up with her name like that. Okay. And Thom, what about you?
THOM LANGFORD. Oh, I am talking about the difference that a few million dollars in personal net worth makes in how the law treats you.
CAROLE THERIAULT. Okay. And I'm dumbing down ChatGPT, or am I? We'll find out. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, you know, we talk a lot about bad news. We talk a lot about companies goofing up. And I think we actually need to praise companies sometimes when they raise awareness as to the threats which are out there and give a little bit of it. So I thought I'd do something a little bit different.
CAROLE THERIAULT. What, cheery? Sorry, what show is this?
THOM LANGFORD. We're going to do an interesting story.
GRAHAM CLULEY. I thought— Cheeky. Wow. I thought— Ooh. Yeah.
CAROLE THERIAULT. He picks up an award and he's all spiky, spiky.
GRAHAM CLULEY. Come on, you two, earn your award. Anyway, listen, I thought, let's actually applaud a company doing something right, because UPS in Canada, the delivery firm, has gone out of its way to contact customers. They sent them a letter, and I thought it's worth reading out because there's some great advice in here, which I think would be suitable for everyone who listens to the show.
CAROLE THERIAULT. Are you being facetious? I'm worried you're being facetious.
GRAHAM CLULEY. No, no. As if I would. As if that ever showed up in my school report.
CAROLE THERIAULT. Because you mentioned Canada as well, and you know it's dear to my heart.
GRAHAM CLULEY. Oh, don't worry about that. It just happens it's UPS Canada who are forward-thinking enough to send this out. So you get this letter and it says at the top, 'Fighting phishing and smishing: an update from UPS.' Okay, that's all right, isn't it? 'At UPS, we are committed to fighting fraud. We want to let you know what phishing and smishing are, and what you can do to protect yourself.'
CAROLE THERIAULT. Very good. I'm happy.
THOM LANGFORD. That's good, yeah. Absolutely, I think education is what's needed in many cases.
GRAHAM CLULEY. By the way, I've never liked the word smishing. That's phishing via SMS, isn't it?
CAROLE THERIAULT. Yes, right.
THOM LANGFORD. It's always conjured up things of, you know, a bare foot squishing over a tomato or something.
GRAHAM CLULEY. I just think it's making up a word just for, you know, some PR person once thought, oh, how can we make this interesting? I think it's cute.
CAROLE THERIAULT. I like it much more than BEC.
GRAHAM CLULEY. So there you go. BEC is rubbish, isn't it?
THOM LANGFORD. It's rubbish. That's for spear phishing.
GRAHAM CLULEY. Oh, but spear— okay, we're going off on a tangent. See, spear phishing, I always thought, was a phishing email sent to someone specifically. And now it seems people are saying spear phishing when there's an attachment, whereas I always view phishing as something—
THOM LANGFORD. Oh, no, no, it's aimed. It's anti-doxing.
CAROLE THERIAULT. The language may have evolved since you joined the cyber community, though.
GRAHAM CLULEY. Maybe it has. I always think of phishing as someone clicking on a link. I don't think of it as having an attachment, so I don't know. It just feels all a little bit sort of—
THOM LANGFORD. Anyway, back to— Loosey-goosey.
GRAHAM CLULEY. Back to UPS's letter. What are phishing and smishing, they say in bold? Fraudulent emails referred to as phishing and text messages, referred to as Smashing Security, are becoming more common. That's true. Fraudsters attempt to convince package recipients that they owe money for delivery of a package and send text messages or emails to solicit credit card and other payment card data. I mean, we've all seen that, haven't we?
THOM LANGFORD. We've all received something like this.
CAROLE THERIAULT. I often fall for it, 'cause I never know what I order, right?
GRAHAM CLULEY. What do you mean you fall for it? So you—
CAROLE THERIAULT. You click on the link. No, no, I don't.
THOM LANGFORD. Drunk Amazon, right? No, I never do that.
CAROLE THERIAULT. But yeah, I order stuff and then sometimes you expect it in one package, but it dribbles in in lots of packages.
THOM LANGFORD. Right, that's normally if they've thrown the box away.
CAROLE THERIAULT. No, it's coming from a different depot, something, something. Anyway, whatever, so I never know if it's going to be 3 or 4 or 5. And then if I get a text and I know something's coming, I'm like, did I get everything? Am I waiting for something? Is this one? Just so my husband, he goes, no, fuck off.
GRAHAM CLULEY. Stupid. You never ask yourself how they got hold of your mobile phone number to send you an SMS? Well, I— no, because they have your address, but they don't have your mobile phone number normally, do they? I don't know, that's the sneaky thing.
CAROLE THERIAULT. Is that the sneaky thing? Okay, that's a really good tip, I think that's a good tip.
GRAHAM CLULEY. Okay, let's go back to the UPS letter, because this is sharing great information. These messages may appear legitimate by incorporating company brands, colours, or other legal disclaimers. 'These fraud attempts affect deliveries from many carriers.' Brackets, in other words, not just UPS.
You can learn more about common types of fraud and see examples of fraudulent messages at incredibly long URL, right? Okay, the letter goes on. 'Have you been smished? If you've received something that doesn't look or feel right, trust your instincts. Real UPS texts,' at least in Canada, 'will only come from SMS number 69877 in Canada.'
THOM LANGFORD. Hang on, hang on a minute. Now, I'm just a CISO, so not exactly technically minded here. But I have it on pretty good authority that numbers can be spoofed.
GRAHAM CLULEY. That is true, isn't it? Yeah, they can be. So you could send an SMS message, probably pretending to come from the real UPS Canada number.
THOM LANGFORD. From 69877, yeah, I guess you could. Good point.
GRAHAM CLULEY. Good point, Thom. Yeah, well, so far, though, most of this has been quite sensible. I think it's been quite good advice.
THOM LANGFORD. And informative and easy to read, at least if you didn't have two idiots interrupting the whole time.
CAROLE THERIAULT. I've said nothing for minutes. But anyway.
GRAHAM CLULEY. UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered. UPS has been working with partners in the delivery chain to try to understand how that fraud was being perpetrated.
As part of that effort, UPS conducted an internal review to assess whether information it received from shippers was contributing to this fraudulent conduct. In other words, is some information leaking out?
CAROLE THERIAULT. And it's not us, it's some third party that we partner with.
GRAHAM CLULEY. It's not us. Well, the next sentence, Carole: During that review, UPS discovered a method by which a person who searched for a particular package or misused a package lookup tool could obtain more information about the delivery, including a recipient's phone number.
In other words, they've snuck in, and we're in about paragraph 5 or 6 now. We might have had an issue.
THOM LANGFORD. Yeah, exactly. In other words, we messed up our website.
GRAHAM CLULEY. Out of an abundance of caution. That's the best.
CAROLE THERIAULT. That's the best. I've not heard that one before, and I've heard them all.
THOM LANGFORD. Please tell me there's a, 'we take security seriously' somewhere.
CAROLE THERIAULT. 'Out of an abundance of caution.'
GRAHAM CLULEY. 'We are providing notice to individuals whose information may have been impacted.'
CAROLE THERIAULT. 'May have been impacted.' Sent to all, make sure it's BCC.
GRAHAM CLULEY. So if I'd got this letter, I would have started reading, just thinking, 'Oh, blah blah. They're just telling me what phishing and smishing are.' Yeah, you wouldn't have got past the first paragraph.
THOM LANGFORD. This is not a breach notification notice, is it?
GRAHAM CLULEY. Hidden inside the longest paragraph of all is this little bit saying, "You fucked up. You may have been impacted by this." So they're saying their package lookup tool has been leaking recipients' names, shipment addresses, potentially phone numbers, order numbers. It says, "We can't tell you exactly when this has been happening, but it looks like it has been happening to some customers from February 2022 until the end of April 2023." Blimey!
So those texts, if you'd received one, it may have been a lot more convincing because—and this is thanks to the folks at Bleeping Computer—they've uncovered people who were expecting deliveries from UPS who got very, very convincing messages. Right. Now, Thom, you are a big fan of Apple tech, and you're also a huge fan of LEGO, aren't you?
Yeah. Well, we're going to link in the show notes to a couple of examples from people who were expecting deliveries via UPS of a LEGO order. And they got text messages saying, "Your LEGO order is waiting delivery to your shipping address, postal code blah blah blah. You need to pay a shipping fee in order to have the parcel on time. To avoid delays, click here."
THOM LANGFORD. As if criminals couldn't sink any lower, they mess with a man's LEGO. Good God. I just, I feel dirty now.
GRAHAM CLULEY. You would have fallen for this, I suspect, Thom, because the one thing you want is you want your LEGO arriving promptly.
THOM LANGFORD. Absolutely. And I have no idea what I ordered half the time.
CAROLE THERIAULT. Yeah, but don't you think—okay, there's a few typos in this, one. And two, there's this weird dollar sign at the back end of the money. The money thing looks really odd.
GRAHAM CLULEY. $1.55 in this example, yes. You see, you're looking at a screenshot. In this example, it's $1.55, but no one would write that.
THOM LANGFORD. Yeah, no, that's the—oh, yeah, yeah. And there's another one for $1.63. So that would be a dead giveaway.
CAROLE THERIAULT. But would it? Would it though, Carole?
GRAHAM CLULEY. Would that stop you? Who's fallen for this?
CAROLE THERIAULT. Who's fallen for this?
THOM LANGFORD. Well, it would have stopped many of us, but the point is that in many cases—and we know this from all the scammers, etc.—that they sometimes seed in these deliberate mistakes to weed out the people who are going to work it out at some point. What they want to get are the people who—the more gullible ones—maybe don't—yeah, who maybe don't quite have the same sort of, you know, cognitive abilities to see. It's not just cognitive, it's digital ability, right?
CAROLE THERIAULT. This could be your first purchase online, you know. Well, exactly.
GRAHAM CLULEY. Yes, yes, it's very true, because presumably the scammers aren't going to all this effort to just steal $1.63. When you go to the URL, it's going to grab other personal information or charge your card more than that.
THOM LANGFORD. Exactly. And also they've sent out probably a couple of million of these.
GRAHAM CLULEY. Because there's that much LEGO going via UPS.
THOM LANGFORD. So, well, there is. The chip in them. I'm just saying. Well, if anybody has a spare room I can use, that'd be great.
GRAHAM CLULEY. So it's not just LEGO. Apparently it's Apple as well and other firms, apparently. Oh, what? So there are all—I don't know what I've heard. I feel personally targeted. So there are all manner of potentially, you know, people who are falling for much more convincing delivery failure, or "you need to act upon this UPS message," smishing cam—I hate the word smishing—campaigns than ever before. What's the advice? The advice? Don't call us, we'll call you.
CAROLE THERIAULT. Never trust anyone ever. No, so I get a UPS, I'm waiting for one, do I—
GRAHAM CLULEY. You know, my first piece of advice is complain to UPS because they have disguised this piece of advice. They've hidden it as much as possible behind what looks like a generic piece of—
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Watch out for phishers and smishers. Yeah, does that get a shame, shame from you? It is, that's exactly what it is.
THOM LANGFORD. The piece of advice I'd say is, if in doubt, wait two days. Your package is going to arrive anyway, and then you know it's a scam.
CAROLE THERIAULT. Yeah, you don't have to get your knickers in a twist right away. Yeah, no need to rush.
GRAHAM CLULEY. Thom, are you really that patient when it comes to a hot piece of LEGO?
CAROLE THERIAULT. Well, I mean— You're on mute now. Am I?
THOM LANGFORD. No, I'm not. What are you talking about? God, you had me worried then.
CAROLE THERIAULT. I just didn't want him to talk about a hot piece of Lego in a dirty way. Oh, I see.
GRAHAM CLULEY. Thom, Thom, what have you got for us this week?
THOM LANGFORD. So, what have I got for you? I've got a little story, which is, it's a story almost as old as time, actually, about whistleblowers. In fact, I found a Wikipedia page that lists all of the famous whistleblowers going all the way back to the 1600s, which is a rabbit hole you don't want to go down. Did it involve a rabbit?
GRAHAM CLULEY. Is it the Garden of Eden? Of course, there was a whistleblower there, wasn't there? Someone told the boss guy that the apple's been pinched. And so, yeah, so it has been going back at least 3,000 years. Exactly.
THOM LANGFORD. I don't think Wikipedia's got any quotes or sources for that one, but there is a story. The link is in the show notes. It's from the Office of Public Affairs of the US Department of Justice, and it talks about a former FBI analyst who was sentenced for retaining classified documents. So there's this FBI analyst, her name is Kendra Kingsbury, 50, of Garden City, Kansas, and she was sentenced to 46 months federal prison followed by 3 years of supervised release.
And the reason for that is, she pled guilty to 2 counts of unlawfully retaining documents related to national defense. Bottom line was, she was an analyst for the FBI for 12 years, and she was caught taking a whole bunch of confidential documents away and taking them home, basically. Now, she held a top-secret security clearance, so she could see confidential, secret, and top-secret documents. All of the documents she took were classified as secret, so the middle level, but many of which include documents that describe intelligence sources and methods related to US governments, all to do with counterterrorism, counterintelligence. Also included in numerous documents classified as secret from other government agencies— Oh boy. —describing intelligence sources related to US government efforts to collect intelligence on terrorists.
GRAHAM CLULEY. Do we know why she was taking these home? Was it just for a little bit of light reading or something?
THOM LANGFORD. What was the point of that? Well, the investigation—and this isn't even the crux of it—the investigation actually turned out more questions than answers, because when they analyzed and reviewed her telephone records, revealed a number of suspicious calls, including numbers associated with subjects of counter-terrorism investigations. And those individuals also made calls back to Kingsbury.
So there's obviously something going on here, right? You know, so not only did she take these documents where she wasn't supposed to, all classified at secret level, not top secret level, but there was subsequently found to be some kind of sharing of said documents and other activity.
Now that took me down another rabbit hole because as I said, she was sentenced to, what was it, 46 months. That took me down the rabbit hole of a woman called Reality Winner, which is not the name of a TV show on Channel 5, but she was an analyst in the NSA.
She was a translator there. She released one document to the press, which was basically information about Russian interference in the 2016 election.
She was arrested, obviously. I mean, you found this stuff has been released, et cetera—not good, although you could say it's for the greater good.
She was charged with removing classified material from a government facility and made it to a news outlet. She was denied bail and then sentenced to 63 months in prison, which if you do the sums, 5 and a half years in prison.
So for releasing one document compared to this other person, Kingsbury, who stole a whole bunch of documents, made some dodgy phone calls, sentenced to 4 months.
GRAHAM CLULEY. Do you remember, Thom, how Reality Winner was caught and identified?
THOM LANGFORD. I don't off the top of my head, and there's an awful lot of text in this Wikipedia story, so I'm not going to read it.
GRAHAM CLULEY. Well, let me tell you, because it's quite interesting. In fact, we spoke about it in a past episode of Smashing Security a few years ago—we covered this.
But what happened was, she printed out some of this sensitive information at her workplace. And she gave those printouts to reporters at The Intercept, which was the news outlet who reported it.
THOM LANGFORD. That's right, yeah.
GRAHAM CLULEY. And The Intercept, unfortunately, just scanned it in or took a photograph or something and published it up on their site rather than retyping the information. And printers—
THOM LANGFORD. Ah, have unique signatures.
GRAHAM CLULEY. Well, they leave this little matrix of nearly invisible yellow dots on your documents. So you can identify which printer printed out a particular document.
This is useful information, by the way, if you're planning to write a ransom note or something like that. Your printer.
THOM LANGFORD. Now you know why people cut up newspapers.
GRAHAM CLULEY. So it was these yellow dots which actually led to the arrest ultimately of Reality Winner. But it's very interesting—I think not many people realize that printers do that.
THOM LANGFORD. Yeah, I think it's absolutely fascinating. And so here's two cases, just two cases where we see secret documents, even a top secret document, potentially being leaked by a servant or—
CAROLE THERIAULT. Yeah, well, yes, yeah, the only two stories you picked. Yeah, I'm sure.
GRAHAM CLULEY. I think that—I think there is a case of a man who may have taken documents, really highly sensitive information, and maybe taken them to his home in Florida.
THOM LANGFORD. So, and here's the thing, this is the difference. This is the difference a few million dollars in personal net worth makes. So bottom line is we've got Donald Trump has taken boxes of material, said he's returned all of it. He absolutely hadn't, despite very clearly stating that he had.
When his Mar-a-Lago residence was raided, there was stuff found everywhere, in public places, in a ballroom and a bathroom and all that sort of stuff, top secret documents allegedly relating to nuclear secrets and stuff like that. And not only was Donald Trump not requested to post bail, he's certainly not been arrested and is basically throwing money at the problem to try and make it go away.
GRAHAM CLULEY. Oh, you're so cynical. I think Donald Trump was playing three-dimensional chess here. I think he's much cleverer than everyone thought because he knew—
THOM LANGFORD. Donald Trump couldn't fling poo at a wall and make it stick.
GRAHAM CLULEY. He knew that this highly sensitive information definitely wasn't safe on government premises. And so he thought, I know what I'll do. I'll store it in the highly secure loos at Mar-a-Lago.
THOM LANGFORD. Yes. Put stacks of back papers in the ballroom.
GRAHAM CLULEY. So because that's the last place that people will look, because people won't expect me to have it. See, that's the genius. People won't expect the highly sensitive information to have been left accessible to anyone.
THOM LANGFORD. Except he's been caught talking, boasting about it, you know, talking to people about the types of data he's got in his, no doubt, not exactly the most secure compound in the world. And I just, I just find this utterly amazing how—
CAROLE THERIAULT. This is, this is quite a tangent. A tangent?
THOM LANGFORD. This is the point. A tangerine, I think. Basically, if you're famous and you've got money, it's effectively one rule for us and one rule for them.
We've got this charade going on. It's not a case of if you can't do the time, do the crime. It's just more a case of if you can afford to do the crime, then crack on because nobody's going to catch you.
CAROLE THERIAULT. Yeah, so all you ex-US presidents out there, listen up.
GRAHAM CLULEY. A few of them do listen to the podcast, actually, Carole.
THOM LANGFORD. I'm sure. I'm sure at least two. Anyway, rant's over.
GRAHAM CLULEY. Carole, what's your topic for us this week?
CAROLE THERIAULT. So, as you both know, and as regular listeners know, I've been on summer holiday. Ta-da-da-da-da-da. Lovely.
And, you know, when you're on summer holiday, I met a number of people. I talked to lots of people. I met a cool chick on a plane. I met a great chef. I met an Airbnb host who thought that people staying in a non-air-conned pad would rejoice at pure, 100% pure polyester sheets.
So that was really fun. You should have seen my Yeti of a husband.
GRAHAM CLULEY. I wondered if this was just your Airbnb review that you were about to give in your section of the podcast.
CAROLE THERIAULT. Close.
THOM LANGFORD. After you electrocuted each other every morning.
CAROLE THERIAULT. Oh my God, we ended up sleeping with towels. All I'm saying.
Anyway, loved it, loved it. Oh, and we went to this super chic hotel, okay? Like overlooking the rolling hills of Istria, right? Like, think super poshy posh, mismatched fabrics and pop art and terrazzo floors and big, big lights, okay?
Like the whole thing. And we just were going there for just a, you know, a Coke to look at the sunset. But I'm gonna send you the art that was outside the front. I'm gonna send it on our little text message thingy here. Okay? So take a look and maybe one of you—
GRAHAM CLULEY. Always good to have a visual on a podcast.
CAROLE THERIAULT. Yeah, excellent. Yeah, and you guys get to describe it because just zoom in and describe this.
THOM LANGFORD. Oh, it's my Skype password.
GRAHAM CLULEY. It looks like it's the little statues or gnomes of— is it Snow White and the six dwarfs? You got six dwarfs.
THOM LANGFORD. Holy crap.
GRAHAM CLULEY. The face is a bit scary.
THOM LANGFORD. Looks like Mike Tyson has had a go.
CAROLE THERIAULT. I had no idea until just before I went on this podcast. I had no idea why that was there.
'Cause it's super creepy. It's zombie Snow White and the Seven Dwarfs or something. But I think it's 'cause they don't want kids there. I think it's an adult hotel, that kind of thing. It's not a family hotel. So maybe these are just to scare off the kids.
GRAHAM CLULEY. If you don't want kids, just block YouTube. Then the kids won't want to go there. That's true.
THOM LANGFORD. That's what you have to do.
CAROLE THERIAULT. Anyway, so I was meeting all these interesting people, and they would say, oh, what do you do? You know, and I'd be like, art, yada yada, podcast, yada yada. And some would go and look at art and some would listen to the pods. And one of them called me up afterwards and said, look, I've just listened to 3 episodes of Smashing Security in a row. And you guys are amazing. You're great. You're wonderful.
GRAHAM CLULEY. But you're kidding me.
CAROLE THERIAULT. But she said, but you're talking about things I'm totally interested in that I want to learn about, but I can't figure out the language you're using. I don't understand it. It's all tech speak. You know, you talked about ChatGPT or whatever, and I couldn't follow, right? And this lady is a GP. Oh, you see GP, GPT. But you know, she's brainy, she's funny, but our stupid tech-only lingo kind of puts up this anti-learning fence. So I am sorry to her and all the other listeners, and I'm going to try and describe it here in a way, but there's a good piece of info for you guys that know this inside out at the end. So stay with us and you guys are going to help me. Okay. If I say something too techie, you just go, let me just describe what it is.
THOM LANGFORD. I was going to say that on the other award-winning podcast, Host Unknown, we talk tech a lot, but my mother listens and she says she doesn't understand a word of what's going on. But she has liked the recent trends of having Mr. Cluley on because she really likes Graham's voice. She finds it very, very— oh, how lovely. Very warming.
CAROLE THERIAULT. Have them meet in person.
GRAHAM CLULEY. Yeah, that'd just destroy everything, wouldn't it, if we met in person? But yes, I have to start calling you son. Yes, Daddy.
THOM LANGFORD. But it's not always about the content. Sometimes it's about the delivery.
CAROLE THERIAULT. Oh, okay. I'll do my best on that one as well. Okay. So ChatGPT, right? This is the thing that launched in November last year. So it's no wonder that lots of people don't know about it. And so what the heck is it? Well, I thought, why not ask ChatGPT? Right? It said ChatGPT is an advanced conversational AI model developed by a company called OpenAI. What? What? AI? AI? Sorry, what's AI? Artificial intelligence. Very good, Thom. Thank you. I didn't spot that one. I was listening. Very good. Number 2, ChatGPT is trained on a diverse range of internet text sources to learn patterns, grammar, and context in order to generate coherent and contextually appropriate responses. Now, apparently the dataset has at least 300 billion words in it. So diverse, I think, is a little misleading here. I think, you know, gluts and gluts and gluts of stuff that they could find is maybe perhaps more realistic. Would you guys agree?
GRAHAM CLULEY. 300 billion words. So it's just nonsense it's scooped up from the internet, isn't it? That's right.
THOM LANGFORD. That's right. And I think just to put that into context, isn't a million seconds is something like 21 days? Whereas a billion seconds is something like 30 years.
CAROLE THERIAULT. Okay, you work out while I continue my story, 300 billion words into seconds, and then let us know. So basically, but the thing is, it's a tool right now available to anyone that speaks the supported languages, I guess, right?
Anyone with internet access. What you can do is go to openai.com and you will find ChatGPT there, right? It's free to use. But you have to create an account and there's nothing to learn or set up.
Basically a search box like any search engine, and you can put in a question and allons-y, right? You see what crops up. So you could ask a question about medicine or real estate or mythical monsters or recipes or help me out, poetry.
GRAHAM CLULEY. What does allons-y mean in English? That kind of thing. Yeah, you can ask it anything.
CAROLE THERIAULT. Yes, it's true. And apparently ChatGPT currently has more than 100 million users, right? Which is why investors are tripping over themselves to get on the AI— sorry, artificial intelligence model train.
Choo choo all the way to the bank. Now, the thing is that there is a catch, right? You cannot trust the information spouted by ChatGPT to be 100% correct. Any of the time, I would say.
GRAHAM CLULEY. Yeah, because it lies. Yeah. But why does it lie?
CAROLE THERIAULT. Because the internet is made up of good stuff and bad stuff and gross stuff, Thom.
GRAHAM CLULEY. And so much charming. But sometimes it makes up stuff as well.
When Mark Stockley was on a few weeks ago, he was telling us about those, that law case where ChatGPT was coming up with fake past verdicts. Fake cases and, you know, and it was persisting in claiming that these things were real and they weren't and it was just making it up.
THOM LANGFORD. Oh, fake cases. That's right. Yes, yes.
CAROLE THERIAULT. So the way to think about it, it's just made up from everything it could find on the internet. So in short, ChatGPT's mama is the internet and it gorged, okay, I'm gonna say it, at the internet mama nipple until it was ready to be unveiled to the world.
THOM LANGFORD. I'm sorry.
CAROLE THERIAULT. What? Like, as Graham said, there's loads of stories about how ChatGPT, you know, got it wrong or spread crazy stuff.
And you can go look at our backlog of Smashing Security episodes because we've talked about it a lot. And the question is, is who decided to allow ChatGPT or any of these artificial intelligence models into the public world? So I thought, I'll ask ChatGPT.
And it said it was made by the organization or company responsible for the development and deployment. In this case, OpenAI and ChatGPT, the decision was made by OpenAI itself. And the point I'm making is there's no regulatory oversight here. It's just one company going, okay, we're ready. Are we ready? Let's go.
GRAHAM CLULEY. Do you think there should be then?
CAROLE THERIAULT. Yes, I think. Do you think that?
GRAHAM CLULEY. Do you not think so?
CAROLE THERIAULT. Well, I just think, I mean, You it all, yahoo-y?
GRAHAM CLULEY. The counter-argument is that you're going to prevent innovation, aren't you? And how would they define what you are allowed to do on the internet and what you're not allowed to do?
I mean, imagine how much it would constrict Thom, for starters, with what he gets up to on the internet.
THOM LANGFORD. Exactly, and also the internet is an open resource, right? You know, if it's behind a paywall, you can't get to it.
If it's supposed to be private, it's private, you can't get to it. Everything that you can find on the internet freely is there freely, right? It could have just gone to a library. If it had a body and fingers and eyes, it could have gone to libraries and read everything in a library, you know?
CAROLE THERIAULT. Maybe what I'm trying to say is instead of using ChatGPT thinking it's an omniscient god that knows everything, maybe we should treat it as a kind of teenager with mood swings and a bit of a know-it-all. I looked at what jobs are at high risk with ChatGPT on the horizon.
THOM LANGFORD. Podcast is number one.
GRAHAM CLULEY. No, podcast, absolutely not. Podcast is safe. Podcast is safe.
CAROLE THERIAULT. Okay, who do you think might be really affected? Journalists.
THOM LANGFORD. Oh, yes, I was gonna say writers.
CAROLE THERIAULT. Yeah, accountants, tax people, auditors, tree surgeons. Yes, blockchain engineers, apparently mathematicians.
THOM LANGFORD. Okay, we're all talking about roles actually I have no sympathy for whatsoever.
CAROLE THERIAULT. Sex workers, milkmen, they're done as well. The jobs that are— there's Morgan, Piers Morgan— jobs that are deemed most safe include athletes, car repair people, cooks, and get this, this is my favorite, stonemasons.
Stonemasons, you guys are fine. So high five to you for, you know, having not gotten on the digital bandwagon. Well done.
GRAHAM CLULEY. Okay, I'm gonna have to become an athlete.
THOM LANGFORD. There's not gonna be much call for a stonemason when the robot overlords have basically put us all in little pods to produce batteries and produce energy for them, is there? I mean, it's not the most, you know, common of requirements. They're not gonna be creating Gothic arches for these massive cathedrals of battery power.
CAROLE THERIAULT. Yeah, but it's kind of crazy because there's this huge race now for market domination. Currently, I think, correct me if I'm wrong, the winner in the front is OpenAI at the moment, right?
They have the lead. But yesterday, Google's DeepMind CEO, mic drop, that his new AI algorithm, soon to be on the digital shelves, will eclipse ChatGPT. Oh, for goodness sake.
GRAHAM CLULEY. How do they determine who has the better AI chat whatsit? Why don't they get the AI chat whatsits to evaluate each other and fight between themselves?
THOM LANGFORD. The chat whatsits.
CAROLE THERIAULT. Totally. Okay, two things, two things.
Okay, so if you're interested in trying out ChatGPT and you don't know what it is and you've heard people talk about it, do not go to Facebook or social media and click on a 'Try ChatGPT' ad. No, no, no. Okay, so Smashing Security company Imperva said that they saw some scams pretending to be access to these, you know, AI models, artificial intelligence models and the like. So just use your web browser and go to openai.com.
And second tip, if you decide to use ChatGPT, know that your questions are logged by default and some people keep sessions going tied to your account because you need to have a user login to get in to use it now. So to change this, once you've created an account, you can click on your username to the settings and clear all chats. And you can also go to the data controls and disable chat history and training.
GRAHAM CLULEY. That's a really good point. That's a great point, actually, Carole, because I mean, a company— some companies are blocking access to ChatGPT because it just produces garbage sometimes and low-quality content.
But the more serious point is that people are feeding in sensitive information into ChatGPT, which is then being collated and used, and maybe company sensitive, and maybe other people's personal details, all sorts of things. Exactly.
CAROLE THERIAULT. There was researchers at Group-IB said they've uncovered a concerning trend involving 100,000 devices on the dark web infected with stealers holding compromised ChatGPT credentials. And they think that's exactly the reason that people are using it and kind of feeding in sensitive information without realizing it.
And those logs are super delicious to someone who might want to try and attack the company. So there you go, and don't use an easy-to-guess password if you're going to create a login on ChatGPT, okay? Try something that's unique and impossible to remember.
THOM LANGFORD. Ask ChatGPT to create a password for you.
GRAHAM CLULEY. Yeah, ask it to create the password. So I bet it'll do really well. It'll probably search the internet to find out the list of the top passwords, and it'll think, oh, that's number one, let me use that one.
I thought it was password1. It probably is. With an exclamation mark afterwards.
THOM LANGFORD. Yes. Oh, well, of course, because you've got to add a special character, right? So, I did find out the answer to your question, Carole.
So, if we were to say one word a second and if we were then to say 300 billion words, how many years do you think that would take us to complete?
CAROLE THERIAULT. 150, I'm guessing, I have no idea.
THOM LANGFORD. 9,500. Well, you heard it here, folks.
CAROLE THERIAULT. It has a lot of crap in it.
THOM LANGFORD. That's a big dataset. It's going to take more than your average USB stick to store that.
CAROLE THERIAULT. It's a ChatGPT joke. No.
GRAHAM CLULEY. Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way.
With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies Notion, Lemonade, and Bamboo HR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com D-R-A-T-A.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do.
Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitdefender have been busy this month adding some fab new features to their open source password manager. Management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool.
And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden. Keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
THOM LANGFORD. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Better not be.
Well, my pick of the week this week is not security-related. My pick of the week this week is a documentary, which I have— I love a documentary, as you know.
Again? Yes.
CAROLE THERIAULT. Yeah, you're just going through a list, aren't you?
GRAHAM CLULEY. I'm going through Netflix's list of documentaries. Jesus.
You could just variate—
CAROLE THERIAULT. Get a little variety next week. Can we ask for a little variety?
GRAHAM CLULEY. Yeah, I've picked— What?
CAROLE THERIAULT. It's been 4 weeks in a row! No, it has not.
GRAHAM CLULEY. It has not. Yes, it has!
It has not. It has.
It hasn't, because last week it wasn't a documentary, was it? I don't remember.
I don't remember either. But I sounded like I knew.
So, my pick of the week this week is a documentary called Speedcubers. Ooh!
Which you can find on Netflix. And it's a documentary all about people who are incredibly good at solving the Rubik's Cube.
Didn't take long then, the movie. It's about 40 minutes, the documentary.
THOM LANGFORD. Great. You'd think they'd be quicker.
GRAHAM CLULEY. It focuses on two world champions, Max Park and Feliks Zemdegs, who can solve a cube in about 4 seconds. What?
CAROLE THERIAULT. Yeah. I did meet a guy who could do it in 10.
And I know that's probably nowhere near super duper, but it was pretty—
THOM LANGFORD. That's probably the top percentile though, right? That's still shockingly good.
Freaking fast.
CAROLE THERIAULT. Yeah. I was still stuck on the first row of the first side, right?
'Cause I was racing him. So—
GRAHAM CLULEY. If you go to the World Cube Championship, you will see people not only Max Park, who can complete a 3x3 cube. So the basic Rubik's Cube, he has done it.
His world record attempt is 3.13 seconds. That's his world record.
Wow. One-handed, he can do it in 6 seconds, just with one hand.
THOM LANGFORD. So literally with one arm tied behind his back.
GRAHAM CLULEY. They also have championships where people are blindfolded, or people have different-sized cubes as well. And somehow they can do that as well. It's absolutely astonishing. Anyway, it's a really touching story.
Max Park is severely autistic. And doing the cube has helped enormously with his life. And Feliks Zemdegs from Australia was the guy who Max Park looked up to, and they became great buddies, and then they began competing against each other. But they have a genuine and lovely friendship, and you kind of think, what a lovely couple of guys.
Must be nice. So I recommend Speedcubers, Netflix documentary, all about the Rubik's Cube and the masters of the cube. I really enjoyed it.
CAROLE THERIAULT. Cool. Sounds pretty cool. I might even check that one out.
GRAHAM CLULEY. Thom, what's your pick of the week?
THOM LANGFORD. So mine, as we've already ascertained, I do like a little bit of Lego. And I found this website called kbdcraft.store and the KBD stands for keyboard, would you believe?
Now, on kbdcraft.com, you can buy mechanical keyboards. Now, mechanical keyboards, for those who don't know, they're the old-style IBM clacky-clacky keyboards rather than the laptop-style keyboards that we often use now. And there is a whole subculture of building your own keyboards and customizing it, so the little microswitches underneath, have different pressures and noises and sensitivity and all that sort of stuff. Absolutely fascinating.
CAROLE THERIAULT. I thought you were talking musical keyboard. That was literally the first place— it was the first place I went, and I was like, wow, that's so cool. And then it's a fucking keyboard.
THOM LANGFORD. No, it's a keyboard. Keyboard. On your computer. Keyboard. Keyboard right in front of me right now. But the unique thing about— yes, the KBDcraft website is not only do you get to customize your keyboard, as it were, you actually get to build the entire frame.
So not only do you get the base of your, you know, which you push all the little switches into, they put the keys on top and all that. You get to build the frame out of Lego, or I should say compatible to Lego.
CAROLE THERIAULT. Okay. Sorry. I don't know what you mean by frame. Is this what goes around the keys?
THOM LANGFORD. Yeah. So if you look at your average keyboard, you've got the keys and then you've got everything else around it, metal or plastic or whatever, you build that from Lego.
GRAHAM CLULEY. Okay, so it's just the case of the keyboard which is made out of Lego, not the actual keys. The keys aren't made out of Lego bits and bobs?
THOM LANGFORD. No, no, the keys are standard kind of, well I say standard, but they're customizable. You could, you know, change them for different types of switches.
CAROLE THERIAULT. I'm looking right now on the website. So yeah, it's like a coaster, you know, for your keyboard somehow. That's what it looks like on the—
THOM LANGFORD. Is that like a coaster? I think you're looking at something different to that.
CAROLE THERIAULT. Well, it's like holding— like it holds the keyboard, right? You slot a keyboard in.
GRAHAM CLULEY. Is it a tea tray? A tea tray?
CAROLE THERIAULT. A tea tray. That's what it looks like, a tea tray.
THOM LANGFORD. Okay, yeah, but you build the keyboard PCB into the frame itself, so it's permanently in there. Now, the advantage of this is you can customize it, different colors. They offer white and gray. You can add things to it.
There are also instructions because their initial kit is called the ADAM, A-D-A-M, and then they've got a numeric keypad called the Kit Adams. Took me a while to work out ADD AMS, because that's what you used to add stuff with.
THOM LANGFORD. And you can either have them separate, or there are instructions on how you can build it, you know, snap them together, or even build a single tray for it. They're all currently wired at the moment, USB-C, but I'm sure that, you know, Bluetooth will be coming along soon at some point.
You can— the keyboard is backlit, and you can download, you know, an open-source app that allows you to customize the keys, and the colours.
GRAHAM CLULEY. I'm a bit disappointed, Thom. Really? I thought the keyboard itself would be made out of LEGO.
If it's just the case— Oh, come on. If it's just the case. Come on. And it's not even LEGO, is it? So the case isn't made out of LEGO. It's made out of some generic LEGO rip-off, isn't it?
CAROLE THERIAULT. It's LEGO, really. It's just a tiny bit of LEGO.
THOM LANGFORD. Yes, but which is compatible as I have found. So you can modify that case any way you see fit. It all works. It's all completely compatible.
So you're not loyal to the LEGO Corporation? Oh, I am. I don't buy any other kits. Okay. This is the first one I've bought that isn't actually LEGO, but then again, LEGO aren't going to make a keyboard and I thought this was quite cool.
THOM LANGFORD. So, okay. God, do you invite me on the show and poo poo my ideas? So are you using this sort of, this keyboard kit, these trays, anything? Yes, I do use it. It's taken me a little bit of getting used to because I'm not used to proper keyboards.
GRAHAM CLULEY. I'm used to the little chiclet style. See, I'm exactly the same, Thom. Right now, finally, we agree on something because I don't like mechanical keyboards. I like chiclet keyboards. Yeah.
THOM LANGFORD. Do you know what? I agree, actually. I think I prefer the chiclet keyboard.
CAROLE THERIAULT. But this was good fun. Why chiclet? I didn't— I've never heard that word.
THOM LANGFORD. Oh, the little— You know, chiclet is a sweet, right? A little square sweet. Yeah. It's the little Apple MacBook keyboard. Imagine that. Yeah, Apple style. There's not much travel on it.
I must admit, you know, it's not my favorite go-to type-on thing, but it was really good fun to build, good fun to learn about keyboard mapping and the software behind it and the science behind it. And it was a nice little construction project. Okay. Okay, okay.
CAROLE THERIAULT. Yeah, all right. That sells it. That sells it. Okay.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. You're going to hate it, and you're going to hate it. So, you guys can put your feet up. Sorry, but this is a podcast, an audio drama podcast.
GRAHAM CLULEY. Oh, again, again. See, I got criticism.
CAROLE THERIAULT. Listeners. Okay, I have listeners that write in going, "Carole, you give the best podcasts. You get audio dramas." Yes, you're right, I do. And you can check out past recommendations.
THOM LANGFORD. I heard both of them writing this week.
GRAHAM CLULEY. Graham, thank you for your documentaries. Carry on.
CAROLE THERIAULT. So this audio drama is a 10-part supernatural thriller. It's called How to Win Friends and Disappear People. And you follow a computer scientist, you know, a nerdy who becomes obsessed with a mysterious new neighbor. And you soon find out that the geeky narrator, Nancy, right, uncovers the neighbor's dark secret.
She's a centuries-old vampire. See, how fun is that? And Nancy becomes her familiar, and bringing the vampire into social media, you know, New York City.
And they're both pulled down this huge rabbit hole of deceit and murder and mayhem. So, it's basically, the whole story is vampire versus unhinged stalker neighbor. What could go wrong?
That is basically the premise of the series. It's funny, it's twisty, it's turny, it's a bit gross. They got great sound effects.
I don't know how they did 'em, but I'm sure a big bucket of jelly would help. Cabbages in jelly, probably. It stars Leslie Grace and Sonny Bringas.
It's How to Win Friends and Disappear People. Find it wherever you get your podcasts if you enjoy a good audio drama.
GRAHAM CLULEY. A lot of our listeners do. You're right, Carole. We do get a lot of feedback, people who love your podcast recommendations.
So yes, they do. If we can get more listeners commending my documentary suggestions, that'd be great as well. Well, that just about wraps up the show for this week.
Thom, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
THOM LANGFORD. So, I mean, Twitter, Mastodon, I'm Thom Langford. That's Thom with a T-H because Twitter would let me have the H. Or at hostunknown.tv or at the podcast, Host Unknown TV.
So yes, check it out.
GRAHAM CLULEY. Terrific. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G. And we also have a Mastodon presence as well.
And don't forget to ensure you never miss another episode. You can follow Smashing Security in your favorite podcast apps, such as Apple Podcasts and Spotify.
CAROLE THERIAULT. And huge thank you to this episode's sponsors, Kolide, Drata, and Bitwarden. And of course, to our wonderful Patreon community.
Thanks to them all, this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 327 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.
THOM LANGFORD. Ta-ta.
CAROLE THERIAULT. Graham, I went to see Florence and the Machine in the amphitheater. Oh, what?
THOM LANGFORD. Oh, wow.
CAROLE THERIAULT. Yeah, it was fucking unbelievable. It was just the most amazing setting during sunset as well, which I have a few pics. What was my point?
I can't remember my fucking point now. What did you say before? Seriously, I'm having a total mind fuck.
THOM LANGFORD. I think, I think you were just showing off. If I don't remember—
CAROLE THERIAULT. No, there was a point, so I can't remember. So whatever, who cares?
GRAHAM CLULEY. Anyway, Florence and the Machine at the amphitheater, and it was brilliant. Yes.
And the previous act—
CAROLE THERIAULT. The previous act, I do remember the previous act was called The Bad Daughter. And she was very— she might be up your alley, Thom, I'm just saying.
But she was wearing, she was wearing this top that just covers her nips, right? So her whole bottom boob is out.
GRAHAM CLULEY. Was that Thom moving the desk so he could get himself more comfortable?
THOM LANGFORD. Gone. Say it again, Carole.
I can't.
-- TRANSCRIPT ENDS --