How hunting for an aubergine could be all it takes for you to hand your credit card details over to a scammer, and just how good is a podcast entirely built by AI?
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Support Alie Hothersall’s fundraising for Mind - JustGiving.
- Fraudsters target Booking.com customers claiming hotel stay could be cancelled - Graham Cluley.
- Security.txt - A proposed standard which allows websites to define security policies.
- Develop AI launches a completely synthetic podcast - Develop AI.
- Develop AI podcast.
- Is It Legal To Pay - The err.. https version of a map of which countries allow you to pay ransom demands.
- Licorice Pizza - BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Devo – Register now to join Devo and other cybersecurity industry professionals on October 18 for sessions and panels focused on de-stressing, SOC career development, and more!
- Vanta – Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get 10% off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. God, your life, man. Our listeners are crying for you. Their tears are just spilling down their faces as their hearts break at how hard your life is.
UNKNOWN. Smashing Security, episode 344. What's cooking at booking.com?
CAROLE THERIAULT. And a podcast built by AI with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 344. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. That's very kind of you. Hi, Graham. How are you?
GRAHAM CLULEY. I didn't say anything kind. I just said hello. I'm all right. Thanks. Not too bad.
CAROLE THERIAULT. That's all it takes. That's all it takes, Graham.
GRAHAM CLULEY. I'm particularly pleased, by the way, to our listeners this week.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Last week on the pick of the week, I spoke about my friend Ali, one of our old colleagues, and she is raising money for Mind on her JustGiving page. And can you believe, when we recorded that, Carole, Ali had raised £500. And in the space of a week, thanks in no small part to the generosity of Smashing Security listeners, she's now raised over £800.
CAROLE THERIAULT. Wow. See, you guys.
GRAHAM CLULEY. Isn't that incredible? Isn't that fantastic?
CAROLE THERIAULT. You know, that's so nice that we have a good community. Like, if you're one of those people, high five.
GRAHAM CLULEY. I know it means a lot to her and it means a lot to us as well. So thank you to everyone for being so generous, supporting Ali's JustGiving.
CAROLE THERIAULT. You're amazing. Shall we get on with the show?
GRAHAM CLULEY. Let's do it.
CAROLE THERIAULT. But before we kick off, let's thank this week's wonderful sponsors, Kolide, Devo, and Vanta. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be looking at Booking.com.
CAROLE THERIAULT. What was that, a play on words?
GRAHAM CLULEY. Just a little rhyme.
CAROLE THERIAULT. Okay. All right. Okay. And I'm going to be asking them a very important question. Are we out of a job, Cluley? All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chum chum. Let me take you back in time. Take you back in time to last Friday night. I was at home with my partner and we had to, you know, we were going to do a bit of cooking, right? And she said, what do you fancy eating? I said, I don't know. What do you reckon?
CAROLE THERIAULT. Did you say hamburger-filled Pizza crust pizza?
GRAHAM CLULEY. No, I've never seen that.
CAROLE THERIAULT. It's fucking unbelievable. Jesus.
GRAHAM CLULEY. Hang on, what, you stuff hamburgers into the crust?
CAROLE THERIAULT. Yes. It's so gross.
GRAHAM CLULEY. Or pizzas.
CAROLE THERIAULT. I think it's from Domino's or Papa John's or one of these. But yeah, you have these burgers, there's like 12 burgers around in your crust.
GRAHAM CLULEY. What?
CAROLE THERIAULT. Yes. Like tiny burgers. What are those things called? Americans who are listening are yelling at me, right? You're yelling right now.
GRAHAM CLULEY. The burglette.
CAROLE THERIAULT. Yeah, the burglette, the little— You get them on a plate, you get 5 of them. Yep. I'm waiting for the emails and the tweets.
GRAHAM CLULEY. Anyway, we came up with an idea, which was ratatouille. I love a bit of ratatouille. It's not only a fantastic animated movie, it's also a wonderful dish as well. So, I was sent to go and hunt and gather the ingredients for ratatouille. And so, I went to my local supermarket. With my little shopping bag, and I was going up and down the vegetable aisle. And of course, one of the key ingredients for a ratatouille is an aubergine, right?
CAROLE THERIAULT. Eggplant, for our North American listeners.
GRAHAM CLULEY. Is it? Is an eggplant— I know the Americans call something an eggplant.
CAROLE THERIAULT. Eggplant and aubergine are the same. Yeah.
GRAHAM CLULEY. They're the same thing.
CAROLE THERIAULT. Courgette and zucchini are the same thing as well.
GRAHAM CLULEY. Okay, right. Stop right there. Stop right there.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Because that is my mental block. You have identified it. It's the aubergine, it's the courgette, it's the zucchini, it's the eggplant. In my head, they are all one vegetable. At least when I'm in a— I know they look different, but in my head, I can't picture them differently.
CAROLE THERIAULT. I can't picture how you're going to get this story onto technology. That's where I'm stumped by.
GRAHAM CLULEY. I'm trying to find an aubergine and I haven't, you know, oh my goodness, where am I going to find aubergines?
CAROLE THERIAULT. You don't know what you're looking for. You don't even know that they are actually aubergine colored.
GRAHAM CLULEY. Do I?
CAROLE THERIAULT. You know, it's kind of a big giveaway on that fruit, an orange, you know?
GRAHAM CLULEY. And well, it's not an orange at all, right? It is.
CAROLE THERIAULT. An orange is orange and an aubergine is aubergine.
GRAHAM CLULEY. Oh, I see. Okay. But not, it's not an orange in the other way. Anyway, the point is that normally when I am stuck with this sort of challenge, I might reach for my phone, because heaven help me, I'm not going to go and ask an assistant, right? That's far too embarrassing.
CAROLE THERIAULT. Yeah, or God, it seems, because—
GRAHAM CLULEY. I can't. So normally I would reach for my phone. I think I'll just do a quick Google image search to remind myself of what I'm looking for here. Oh, that's what I know, right? But I can't because I've got lousy cell phone coverage. In my supermarket, there's no cell phone coverage. So I can't use my phone. There's only one little bit where there's the tiniest sliver of a bar on my mobile phone.
CAROLE THERIAULT. You don't want to use their Wi-Fi or something?
GRAHAM CLULEY. What kind of supermarket are you going to where they have Wi-Fi for shoppers? They want people buying things, not playing Candy Crush. What do you— No, they don't have Wi-Fi. Where do you live? Anyway. So, if I'm by the tills, there's a slight sliver of cell phone coverage, just a tiny little bit, a bit like you're in the middle of Alaska. That's the kind, imagine that, imagine you're halfway up there.
CAROLE THERIAULT. Yeah, it's not that hard, I'm with you, yep.
GRAHAM CLULEY. Anyway, right, okay. So, I head over there thinking, oh, maybe I'll be able to just see, you know, if I get there. And at that point, my watch, right, I've got a smartwatch.
CAROLE THERIAULT. Of course you do.
GRAHAM CLULEY. It gives me a little notification.
CAROLE THERIAULT. Do you have smart earrings as well?
GRAHAM CLULEY. I don't have, no, I don't have it. Just have a watch, which normally reminds me of my calendar, where I'm supposed to be. Am I recording a podcast at 3 o'clock or 4 o'clock today? That kind of thing. And it pops up and I'll take a look at it. And it is a notification from the Booking.com app, right? Which is the online travel agency where you can book your hotel.
CAROLE THERIAULT. So you have the app installed on your phone and it pings you?
GRAHAM CLULEY. Well, it came up on my watch.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. Which I didn't even know. I'd never seen anything like that before, right? But I think it's because I had the app on my phone, it synced up with my watch.
And so, I got the notification on my watch that Booking.com says there's a message for you. And I'm thinking, oh, well, I do have an upcoming hotel trip, right?
Because I'm doing a talk in London in November, and I had to book a hotel, and it was a real pain. And for one reason or another, I had to use Booking.com, which I don't normally use.
And I installed the Booking.com app onto my phone, blah, blah, blah. And I booked it as normal, and I got a notification at the time of booking from the hotel saying, "Thank you very much, Mr. Cluley. You know, we have booked you in and all the rest of it."
And there was this little messaging facility, so I could chit-chat back and forth with the hotel if I wanted to, saying, "Oh, can you make sure that you know, my pyjamas are creased or whatever it is that I want done."
CAROLE THERIAULT. I never use that thing, ever, ever.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. It's like, how can I help you, sir? Not a bot.
GRAHAM CLULEY. That kind of thing. But it's actually communication from the hotel. So this is a way for the hotel to talk to me without sending me an email, which is kind of good because that's all happening inside the Booking.com app.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Rather than via email.
CAROLE THERIAULT. Right, right, right.
GRAHAM CLULEY. Because if it did come via email, you might think, aha, what is this? Is this some kind of phishing email? Right?
But if it's coming from inside the Booking.com app, you think, well, I have booked this via Booking.com, therefore I get a message from Booking.com. Anyway, so I'm by the tills and it's gone bloop, and I think, oh, what's this about?
So I take a look and it says to me, hello, dear Graham Cluley, it says, we regret to inform you that your booking may be cancelled as your card has not been automatically verified. And I think, oh my goodness.
They say, we're going to have to recheck the card and we're going to have to reserve some funds, but don't worry because they'll be automatically refunded if there's no problem. 'You have to do this within 12 hours,' it says, 'or the reservation will be automatically cancelled.'
And you're like, 'Oh, ffs. I just want my hotel room. I've already sorted it out, I thought.'
CAROLE THERIAULT. I just want an aubergine, right?
GRAHAM CLULEY. I just want an aubergine. And it includes a link.
And the link goes to booking.com-id334112.com/p/965664712.
CAROLE THERIAULT. Right. Very useful.
GRAHAM CLULEY. Yeah, yeah. And this has arrived via the Booking.com app.
CAROLE THERIAULT. Feels very legit, except, you know, you've got a booking in your mind that you tried to do. It's come through the app and they're saying no.
GRAHAM CLULEY. And this is a message and it says it's from the hotel where I have indeed booked this. And I can scroll back and see previous messages from the hotel that they have legitimately sent me.
And the link looks kind of legit, at least on my mobile phone. And so I think, oh crumbs, I've got to keep that hotel room because it's going to be a nightmare if I have to try and book another one again.
So I click on the link, but the link doesn't work because by now I've walked back into the vegetable department of the superstore.
CAROLE THERIAULT. And lost your half bar.
GRAHAM CLULEY. I've lost my— ah, it's just like, for goodness' sake. I still don't know what an aubergine looks like.
CAROLE THERIAULT. God, your life, man. Every week, our listeners are crying for you.
Their tears are just spilling down their faces as their hearts break at how hard your life is.
GRAHAM CLULEY. So exactly.
CAROLE THERIAULT. I know.
GRAHAM CLULEY. So I wait until I get home. I'm a bit suspicious, but you know, because of my lack of connectivity, I haven't been able to act on it on impulse. I've had a little bit more time to think about it. And I think, oh, I wonder what this is about.
So I managed to eventually find the aubergine, and I get back home, and we eat ratatouille, and it was delicious. Thank you very much for asking. But having done that, I then thought, well, I better look into this thing, because they said I only had 12 hours.
But now I'm suspicious, and I'm looking again at the link.
CAROLE THERIAULT. But why are you suspicious?
GRAHAM CLULEY. Well, because what I noticed was the URL said booking.com. This is how it looked anyway.
Booking.com-id334112.com. So, the actual domain name was not booking.com.
CAROLE THERIAULT. Slash 1255. Yeah, yeah, yeah.
GRAHAM CLULEY. Yeah, yeah, yeah. It was com-id334112.com.
But the way it appeared, on just casually looking at it. And in the context of inside the Booking.com app, it looks like it was a legitimate link. And it turned out, of course, that it wasn't.
So me with my cybersecurity hat on thought, "Oh, what is this? This seems all— actually, this seems kind of fishy." And when I went to the link, it looked like the real Booking.com site, which had prefilled in on it some of my details regarding the hotel I was staying at, regarding my name, yada, yada, yada. Hmm. So I thought, I wonder how the bad guys have done this.
CAROLE THERIAULT. So the thing, the only thing that gave it away to you was the crazy URL. So it was a, yeah, that's what it was.
GRAHAM CLULEY. I mean, it was a bit strange that they were asking me to re-verify my card, but because that hadn't arrived via email or an unsolicited text or something like that. Because it was inside the app, inside the actual booking app I had used, I was— I have to say, I was tricked.
Not tricked so much that I actually entered my data, because thankfully my spider senses kicked in.
CAROLE THERIAULT. Yeah, but you looked into it. You thought, let me just see if this is— Yeah.
GRAHAM CLULEY. But I could well understand how anybody else would fall for something like this.
CAROLE THERIAULT. So is this a screw-up from Booking.com?
GRAHAM CLULEY. Well, this is what I wondered. I thought, what's going on here?
CAROLE THERIAULT. Right. Yeah.
GRAHAM CLULEY. How's this happened? Right. And so I think I need to contact Booking.com.
CAROLE THERIAULT. That must have been easy.
GRAHAM CLULEY. So, first thing I do.
CAROLE THERIAULT. I bet that was a cinch. No problemo, they pick up right away.
GRAHAM CLULEY. So there is this thing called a security.txt file, right? Which websites are encouraged to create, put on their website. I've got one on my website.
So there's a standard place you can go to on a website to get the contact details to tell people about a vulnerability or a bug or something like that, how to make contact. So I look for one on Booking.com site. There is not one there. There's not one there.
So I post up on Mastodon and Twitter and some other sites as well.
CAROLE THERIAULT. X.
GRAHAM CLULEY. People who follow me, I'm not calling it X, people who follow me saying, has anyone got a security contact at booking.com? And then of course you got all these replies going, oh, I bet they've had a data breach. You know, people jumping to conclusions as to what's happened.
CAROLE THERIAULT. Oh, outrageous of them.
GRAHAM CLULEY. You know, the humans.
CAROLE THERIAULT. On a platform where there's 300 characters and you're supposed to have an opinion. How dare they?
GRAHAM CLULEY. Anyway, so people are making that assumption, which seems a reasonable assumption to me as to why would I be asking. And I tag Booking.com, by the way, in my tweet.
And I get a reply from Booking.com. Not the real Booking.com, of course. I get a reply from a fake Booking.com on Twitter. And trust me, I found out since that there are numerous ones because they've been tweeting me ever since, trying to help with my Booking.com issues.
CAROLE THERIAULT. So it's a phony. Fucking hell.
GRAHAM CLULEY. I'm reaching out on LinkedIn as well, trying to find security contacts in my network, and I find a couple. I do eventually get a reply from one of them who tells me basically to bog off.
CAROLE THERIAULT. Do you know, why not just call a hotel directly from now on? There's wonderful people, concierges that are there to help you and just go, hello, I would like to book a room.
GRAHAM CLULEY. Eventually I get an email address. Okay, so I emailed them, I give them the details, I give them screenshots, say, hey, hey, hey, this seems pretty serious. I imagine if this is happening to me, it's happening to other people as well.
I still haven't heard anything back from Booking.com. However, yesterday Booking.com sent an email to its customers saying that they have had reports of potentially fraudulent behavior in people pretending to be Booking.com or hotel owners, and they sent out this piece of advice. Now, I'm not going to go into all the details. You can read on my website exactly what they wrote because I've got some issues with what they wrote as well and how they perhaps haven't described this quite correctly.
CAROLE THERIAULT. Or apologized.
GRAHAM CLULEY. My suspicion. Yeah. And you know, how come only the fraudulent Booking.coms are actually the people getting back to me?
But I have since been approached by other people who've had the same experience. It appears this has been going on since at least September. So this has been going on for some weeks with other people seeing exactly the same thing. It's still going on. It may be that the hotels themselves have been phished and someone is logging in with their Booking.com account to answer their future guests and to trick them into thinking—
CAROLE THERIAULT. That's interesting. Yeah.
GRAHAM CLULEY. Yeah. So I think that's how it's happening. But basically, my message, I suppose, is these scams don't always come via email. They don't always come via SMS.
And don't be tricked, as I almost was, into believing something just because it comes within what you believe is the safe harbour of an actual app. Which you have used to make the booking in the first place, 'cause it could be that it's been compromised.
CAROLE THERIAULT. Yeah, it's not fair. I mean, how can people do that? I'm wondering whether we should say, hey, if you work in the hospitality industry and use Booking.com, I don't know, maybe it's a good time to change password, just see what happens.
GRAHAM CLULEY. Absolutely, and if, I don't know if two-factor authentication is available with those accounts, but if it is, turn it on.
CAROLE THERIAULT. Yeah, you know the problem I bet is though, is that there's gonna be multiple people having access to it to manage it. Somehow the technology industry has not figured out a way to have access.
GRAHAM CLULEY. So you are right. When you've got a team of people logging into the same account, then two-factor authentication can be a bit of a pain. What I've experienced is if you use a good password manager, you can now get the password manager to generate the time-sensitive one-time password.
And if you're sharing those details, inside your password manager in a secure way, they can also access the two-factor token as well.
CAROLE THERIAULT. That's a super good point.
GRAHAM CLULEY. In order to enter it.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So, maybe another reason to get a good password manager.
CAROLE THERIAULT. Definitely.
GRAHAM CLULEY. Maybe inside your organization.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Oh, loads of good advice. Interesting. Anyway, Ratatouille, great. Love it.
CAROLE THERIAULT. Great. Now you know what an aubergine is. Don't ever use the emoji though, unless, you know, in an iMessage.
GRAHAM CLULEY. I think I'm more of a chipolata man.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. If I'm lucky. With a good wind behind me. Carole, quickly, moving on. What have you got for us this week?
CAROLE THERIAULT. Graham, I don't even know how long it's been. 5 years, almost 350 episodes' worth. We've been creating this award-winning podcast.
GRAHAM CLULEY. It's actually longer than that. Do you know our first episode was in December 2016? Wow. We are coming up to our 7th birthday.
CAROLE THERIAULT. Jesus God. Oh God.
GRAHAM CLULEY. I think. Is that not right?
CAROLE THERIAULT. I have no idea.
GRAHAM CLULEY. I think that's correct.
CAROLE THERIAULT. That's a long time, Graham.
GRAHAM CLULEY. It's called the 7-year itch, Carole. Yeah.
CAROLE THERIAULT. Is it fair in saying that we can boast about 10 million downloads or listens? Is that about right?
GRAHAM CLULEY. Oh, I haven't been keeping count, but yeah, it's something that, yeah.
CAROLE THERIAULT. It's pretty impressive. You know? More than a million a year. Anyway, I thought we could work out roughly how many hours we have spent so far on Smashing Security, just for fun. Okay, so I've done a little breakdown. You just correct my numbers here and see what I think. So I'd say each show on average is about 45 minutes long, because sometimes we have featured interviews and all that, no longer.
GRAHAM CLULEY. Yeah, yeah.
CAROLE THERIAULT. And I would say it takes me on average about 2 hours to prep for the show, to get the story, write it up, et cetera.
GRAHAM CLULEY. Okay, so combined, yeah, combined, I guess we come up to about 2 hours 8 minutes, I suppose. Yeah.
CAROLE THERIAULT. Oh, you only do 8 minutes, right?
GRAHAM CLULEY. About, but I think it's obvious. Come, come.
CAROLE THERIAULT. And then in the editing side and all that stuff, reviewing, listening to your half, you listening to my half, all the stuff, I would say that's about 4 hours on average for me.
GRAHAM CLULEY. Yeah, I think it's probably a bit more for me.
CAROLE THERIAULT. Yeah, you probably have 5.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Okay, so we add all that up, what, we've got 9, 10, 11, basically 12 hours, right?
GRAHAM CLULEY. Yeah, we've wasted a large chunk of our lives doing this. Yeah.
CAROLE THERIAULT. 12 hours times 2, because 12 hours for me, 12 hours for you each week. Yes. 24 times 345. You could do the calculator because I'm doing the story.
GRAHAM CLULEY. Oh, okay. It's actually episode 344 today, I think.
CAROLE THERIAULT. There we go. Yeah, don't exaggerate our numbers.
GRAHAM CLULEY. So I've got 24 times 344. Yeah, okay. So that is 8,256 hours.
CAROLE THERIAULT. Jesus, okay.
GRAHAM CLULEY. Doesn't Malcolm Gladwell say you get good at something after 10,000 hours?
CAROLE THERIAULT. If we were a two-headed beast, Graham, we're almost there. Divide that by 24 just to get a number of days, 24-hour days that we've been doing this stuff.
GRAHAM CLULEY. Oh, okay, 10,000 divided by 24, 385.
CAROLE THERIAULT. 385 24-hour days. So for more than an entire year, no sleep.
GRAHAM CLULEY. No going to the loo.
CAROLE THERIAULT. No going to the loo. Well, unless you take your phone and do some editing.
GRAHAM CLULEY. No eating ratatouille.
CAROLE THERIAULT. It's a lot of time.
GRAHAM CLULEY. It is a lot of time.
CAROLE THERIAULT. That's a lot of time. I just, listeners, I'm not trying to say poor us, right? We have amazing, wonderful sponsors that help make this all worthwhile and they're great and thank you and our Patreon supporters and everybody. But imagine, Graham, imagine if we could just sit on our cute little tushes and get someone else to do all the work for us. Virtually for free, right? There'd be a lot more profit at the end of that. We'd be quids in.
GRAHAM CLULEY. That would be wonderful.
CAROLE THERIAULT. Eat our cake and— what's that expression? Get your cake and eat it too. I've never understood that. Why would you want a cake and not eat it? Anyway. Worry not, Graham, because get ready, because we found a podcast that has been entirely AI-generated, or so Develop AI claim.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. This is a company that reports on AI in Africa. Trains African journalists to code, to work with AI tools. And I'm guessing this was a bit of a PR stunt to get some eyeballs. And it worked because look at me today, right? I'm talking about it.
I looked into this, right? And I wanted to see what the plan was. And they wanted to get a working script that would spit out a complete 10-minute podcast episode recounting the daily news, in this case from Johannesburg, where he's based, in a discussion format between 3 trained imaginary voices.
GRAHAM CLULEY. Oh, so it's not just coming out with a script, it's actually then got AI bots reading it.
CAROLE THERIAULT. Yeah. Basically, I'm giving you the highlights of his article. The link is in the show notes if you want to read more about it. Guy's name is Paul McNally. Paul has a dream. He has a dream, he writes. He says he has a dream of building an application that could produce a podcast episode from scratch without even needing to record a human voice. That was the big plan.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So he said he spoke with ChatGPT a lot and he used Google Colab to pull a script together. And Paul says he got the idea that one of the presenters would be predicting what comes next in the news. So in other words, you've got two main hosts that are recounting the details of a story of the day.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And then at the end, they hand over to a third host for his, her, its predictions on where the story might go.
GRAHAM CLULEY. A bit like Mystic Meg, a bit like an astrologer would.
CAROLE THERIAULT. Well, look, we've all done that.
GRAHAM CLULEY. In the crystal ball.
CAROLE THERIAULT. In the crystal ball and tell us where it's going to be.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So Paul says this was because ChatGPT was actually stronger at creating imaginary narratives than pumping out facts.
GRAHAM CLULEY. Oh yeah, it's great at making up stuff. Yeah, exactly.
CAROLE THERIAULT. So I love that he's, instead of just creating a podcast full of shit. He's like, we're gonna do the news. We're gonna do the news with something that is really good at creating imaginary narratives. This is awesome.
GRAHAM CLULEY. Right. Oh my goodness.
CAROLE THERIAULT. So the program that he wrote spoke to Google News, found the top stories of the day, and then scraped prominent websites for the material.
GRAHAM CLULEY. Ripping them off.
CAROLE THERIAULT. Yeah, my thoughts exactly. No wonder content creators are up in arms about AI.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And interestingly, Paul says that ChatGPT couldn't produce a script straight from website text. So he first had to ask it to convert the news article into lists of facts and then build a script from these facts. And the difficulty was apparently getting each host to then be paired with a different synthetic voice.
So Paul needed to break up the script into different lines of dialogue and then send each line to its appropriate synthetic voice emulator. Then you'd have to put all the lines back in as dozens of small MP3s, stitch them back in, and then spit it out as a complete MP3.
GRAHAM CLULEY. Don't you feel that he slightly copied our idea? Because we have a synthetic robot voice.
CAROLE THERIAULT. You're welcome, Paul.
GRAHAM CLULEY. At the start of the Smashing Security podcast. There's no reason why we couldn't get the chap who goes, "Episode 300," you know what he does, all that stuff with Graham Cluley.
CAROLE THERIAULT. To tell a whole story.
GRAHAM CLULEY. To do the whole thing. I mean, we could take a holiday one week and just get him to do it. Would anyone even notice?
CAROLE THERIAULT. What's his name again? I always forget his name.
GRAHAM CLULEY. Let's call him Dave.
CAROLE THERIAULT. I don't know. Yeah, so maybe Dave will close the show today with something.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. Let's see what he can do.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And we've been doing that since when? 2017? So put that in your hat, Paul. Okay, so the snags in this project of his.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. The cost of synthetic voices, charged per character, he says was too high. Because he says in his mind, he envisioned this kind of dystopian factory of 100 podcast episodes a day being produced, right, with no one even listening to the content before it's published. And he says the costs make that impossible.
And I'm thinking, okay, they may be expensive now, but I imagine in a few years' time, it'll be a dime a dozen. Don't you think?
GRAHAM CLULEY. And is it really? I mean, maybe it's expensive if he's using some sort of cloud-based service to do this, but surely he's got some old Bitcoin mining rigs down there in Johannesburg, which he could adapt to get to work on this project instead.
CAROLE THERIAULT. The other thing was his issue was the speed of production for each episode wasn't as quick as he anticipated. Or hoped.
GRAHAM CLULEY. Oh, how long does it take?
CAROLE THERIAULT. So what he had budgeted for, what do you think was? So for a 10-minute, 3-character blah blah about the news.
GRAHAM CLULEY. Is he thinking he could do 20 minutes in an hour?
CAROLE THERIAULT. He's budgeted 2 minutes per episode. So—
GRAHAM CLULEY. What? 2 minutes to produce 10 minutes of audio?
CAROLE THERIAULT. 10 minutes. Yeah, that was his plan.
GRAHAM CLULEY. That sounds optimistic.
CAROLE THERIAULT. It turned out it was closer to 10. So 1 to 1. So our shows are what, 45 minutes? That'd be 45 minutes work, bish bash boosh. And compare that to us, we guesstimated 24 hours for the average episode.
GRAHAM CLULEY. I'm actually impressed by that. I thought it would take longer than that.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. To do it well. That's quite impressive.
CAROLE THERIAULT. Well, there's a third snag. And this is maybe the most important for us.
GRAHAM CLULEY. Is it libel lawyers?
CAROLE THERIAULT. Well, I think he put "AI produced, AI produced. Don't sue me. Don't sue me" everywhere.
GRAHAM CLULEY. Yeah, but he's publishing it, isn't he?
CAROLE THERIAULT. He is saying it's AI produced, though. He seems to be pretty clear on it.
GRAHAM CLULEY. Although, yes, he should probably review the content before he's published. Never mind.
CAROLE THERIAULT. Do you want another third snag?
GRAHAM CLULEY. Go on.
CAROLE THERIAULT. I'm going to quote him here. Quote, unforgivingly boring. Unforgivingly boring.
GRAHAM CLULEY. We all know about that.
CAROLE THERIAULT. And he says, because as someone who creates podcasts, for him it was a relief.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Right? So I don't know. That makes me feel better too. Because anyway, I've actually played with a bunch of AI trying to get them to tell jokes that are actually even minutely funny. And I've not succeeded at all.
So anyone who has an AI joke that actually made them have a little ha moment, please send it. I'd love to see it.
But the chatter amongst the three hosts, maybe we should play a little bit of it. Let's just play a tiny bit of it because it is deadly boring. I don't want anyone to fall asleep at the wheel if they're driving home. See what you make of it.
UNKNOWN. I'm glad we get to navigate all these developments together. Speaking of developments, here's our first fact of the day. Sweeping across from Zimbabwe, we learned that the Centre for Innovation and Technology, also known as CITE, has created an AI news reader named Alice. Isn't that captivating, Will?
UNKNOWN. Captivating indeed, but just to temper the excitement a bit, let's remember Alice operates on X. She uses a traditional newsreader's voice to deliver news bulletins. Sounds like a glorified radio to me.
UNKNOWN. You have a point, Will, but isn't the level of technical advancement astonishing? Alice was inspired by the world's first AI news anchor launched in 2018 by China's Xinhua News.
GRAHAM CLULEY. I think it's pretty impressive, and it's just going to get better and better, isn't it? Even if the jokes don't.
CAROLE THERIAULT. You have a point, Graham Cluley. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation.
Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta.
Just go to vanta.com/smashing. That's vanta.com/smashing.
And we thank Devo for sponsoring the show. SOC analysts are often overworked and underappreciated.
In fact, many consider leaving their jobs or changing careers altogether. Devo is hosting the 3rd annual SOC Analyst Appreciation Day.
This year's program includes presentations and discussions from some of the InfoSec community's most prolific thought leaders, including the likes of YouTube creator John Hammond, CISO Olivia Rose, and unpopular opinion guy Josh Copeland. This event will cover everything from real-life use cases to SOC automation, managed phishing, your mental well-being, and more.
You won't want to miss it. Join Devo and other cybersecurity industry professionals on October 18th, 2023, for sessions and panels focused on de-stressing, SOC career development, and more.
Visit smashingsecurity.com/devo to register. That's smashingsecurity.com/devo.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common.
It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials.
But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Whatever they like. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, the real rule, Carole, is it doesn't have to be security-related. Not that it better not be security-related.
CAROLE THERIAULT. Only if you think a man's rule is more important than a lady's rule.
GRAHAM CLULEY. I think whoever speaks first sets the rules in this particular case.
CAROLE THERIAULT. Oh, so you start the podcast.
GRAHAM CLULEY. Doesn't have to be. Look, my pick of the week this week is security-related.
Is that all right with you?
CAROLE THERIAULT. Thank you very much for asking. It is fine with me.
Thank you. Go ahead. Please proceed.
GRAHAM CLULEY. My pick of the week this week is something which has been made by Ryan Kovar. He is the distinguished strategist at Splunk, and he has put together an online map where he's coloured different countries according to whether it is legal to pay ransomware gangs, or more specifically, cyber extortion gangs, or not.
CAROLE THERIAULT. Oh my God. So this is used by corporations everywhere. So they, instead of asking their legal team, they can go, I can find out. Don't worry. Don't worry. I'll just check this. Yeah.
GRAHAM CLULEY. We'll work out where to make the payment from, which country. Have we got a division in Mongolia? Right. They're the ones who are going to pay it.
CAROLE THERIAULT. Oh my God. The world.
GRAHAM CLULEY. So if you go to isitlegaltopay.com.
CAROLE THERIAULT. Oh my God.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. I'm going right now.
GRAHAM CLULEY. The first thing you will notice is it isn't protected with HTTPS. So it's HTTP, which means your browser—
CAROLE THERIAULT. Well, you're not putting any information in, are you?
GRAHAM CLULEY. Yes, but come on. This is Ryan Kovar, distinguished strategist at Splunk. Surely he can get Let's Encrypt to produce an SSL certificate free for his little website. I felt embarrassed linking to it in the show notes.
CAROLE THERIAULT. Well, then don't. I'm not sure he'll care. Well, you don't have to give him a lecture.
GRAHAM CLULEY. Well, I just, I found anyway, that's the first thing.
CAROLE THERIAULT. You were surprised to see that it's not HTTPS. Although actually I'm seeing right now it's HTTPS. My site's HTTPS.
GRAHAM CLULEY. Is it?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Are you sure?
CAROLE THERIAULT. Well, I'm looking at it and it says HTTPS.
GRAHAM CLULEY. Oh bugger, so it is. All right, so.
CAROLE THERIAULT. Oh dear, and I get to edit this bit.
GRAHAM CLULEY. Apologies, please. Ryan, I take it back. It turns out that if you go to http://isitlegaltopay.com, it doesn't redirect you to HTTPS. But if you go to HTTPS, it does. So, okay.
CAROLE THERIAULT. So he's just got a tiny little niggle. No problem.
GRAHAM CLULEY. So I've made a big thing about this.
CAROLE THERIAULT. Yep. Like the aubergine.
GRAHAM CLULEY. Ryan now hates me. Just exactly the same thing. Now, what you see there on the map, Carole, is probably lots of countries which aren't filled in with a colour.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. Because he doesn't yet know what the situation is in Kazakhstan. He doesn't have information on that, for instance, or what the information is in the Sudan.
CAROLE THERIAULT. So he's building out the database. Yeah.
GRAHAM CLULEY. Exactly. And you can contribute to this via a GitHub page. It's linked to from the site. Because some countries do say it's a bad idea to pay ransomware gangs because you could be funding terrorism. Others simply say, no, you cannot, full stop, do it. The only place marked in red at the moment where you definitely cannot pay your ransomware is in North Carolina, where apparently state agencies and local government are prohibited by law from paying ransomware demands. In some other places you have to report it. But I think this is kind of interesting and I think it will grow over time. Canada, do what you like. UK, do what you like.
CAROLE THERIAULT. Yeah. France, do what you like. Australia, do what you like. South Africa, do what you like.
GRAHAM CLULEY. Although if you click on some of these countries, you will find a little bit more granularity. So they may say, although it's not illegal, it's strongly discouraged, or you have to, in some places, you know, there may be additional rules. There's certain criminal code. What the website says is, look, I'm not a lawyer.
I'm not Judge Judy. Do not take this website. If you are thinking of paying a ransom demand, go and consult proper legal advice regarding whether what you're doing is right or not, because otherwise you could end up in a bit of a pickle.
CAROLE THERIAULT. I'm just having fun while I have, you know, cereal. Yeah.
GRAHAM CLULEY. So one other thing, Carole, which ties in with your story just now is I went to the about page for isitlegaltopay.com and it says that the entire website was written with ChatGPT. So the data's been collected, outsourced from the, you know, people are contributing the data, but the actual website is written by AI, which might explain if you do go to the about page, it sort of glows in this menacing green.
It pulsates a bit like a giant maggot, which has been infected by some sort of mutation. But anyway, but that might be ChatGPT, which has chosen that. But anyway, isitlegaltopay.com is my pick of the week.
CAROLE THERIAULT. All right.
GRAHAM CLULEY. Nice work, Ryan. And remember to use HTTPS. Such a boo-boo. Carole, what is your pick of the week?
CAROLE THERIAULT. My pick of the week this week is a movie.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. It is called Licorice Pizza. It was created by the creator of Boogie Nights and Magnolia, Paul Thomas Anderson.
GRAHAM CLULEY. Oh yes.
CAROLE THERIAULT. And it came out last year, November '21, but I really think it's destined to be a cult classic of its genre, the coming-of-age movie. I saw it last night. So I got it on BBC iPlayer where it's available at the moment.
And it kind of underscores the sweet pleasures, but also the nasty heart-wrenching pains associated with infatuation at a tender age. So we're in 1973 and you have this 15-year-old kid and he reminded me a bit of you, Graham.
GRAHAM CLULEY. Is this the character of Gary I'm looking up right now? Yeah. Yeah. I can— there is a physical resemblance.
CAROLE THERIAULT. I don't know. Not about looks.
GRAHAM CLULEY. No, not about looks. Not about looks.
CAROLE THERIAULT. Not about looks. Listen, just listen first, right? So he's been killing it as a child acting star, child acting star. But he's getting old. He's 15.
GRAHAM CLULEY. Oh, right.
CAROLE THERIAULT. You know? And he doesn't fit into that world anymore. And he can see the writing on the wall. But this is where he meets Alana.
GRAHAM CLULEY. Oh, yes.
CAROLE THERIAULT. And Alana is the— a photographer's assistant or something, but is 10 years his senior, Graham. So she's 25.
GRAHAM CLULEY. I'd have quite liked that when I was 15.
CAROLE THERIAULT. Uh-huh. I know. And he's kind of got all completely swoony over Alana. And he's also a very determined kind of person, a bit like you are.
Like, you know, when you say, "I'm going to do this," you just go for it. So rather than wallow or fight back about his acting career, he changes tack completely and embarks on a little venture flogging waterbed mattresses.
And it's crazy. And he's got charisma and charm, which means his mates and siblings are all involved in his venture as he navigates the world of marketing and buying and selling for the first time with all these adults around. And then there's more ventures that happen when there's a bill that's reversed.
He seizes the opportunity to capitalize, right? To be the first person in town to offer a specific type of service. And so we have this, zany, determined, savvy kid.
And she's kind of curious about him, but kind of can't believe he's 15, but just is also kind of intoxicated by him. Because he's kind of fascinating.
GRAHAM CLULEY. That's a little bit awkward feeling though, if she's 25. If she's—
CAROLE THERIAULT. Well, you know, that's kind of my issue. They called it puppy love, but a mature one. And I'm like, I don't know, if the roles were reversed, and this was a 25-year-old guy and a 15-year-old girl who was completely obsessed with him. But they don't deal with that at all. And none of the reviews that I saw dealt with it.
So I found that interesting because it is, there's no sex scene or anything in it, but there is deep, tender love that happens. So make of it what you will. It's quite beautifully written. It's got a really nice cadence and it really gets that feeling of, you know, my age and thinking back to the days when you went through this, you can go, oh, I remember. But if you're in it, you're sick, you're just sick.
Your tummy's constantly going crazy. You're wondering when they're going to call, why they've— are they ghosting you and all that stuff. So that's my movie.
So it's Licorice Pizza. I'm sure you can stream it wherever you stream stuff. But I know currently it's available on BBC iPlayer. And that is my pick of the week.
GRAHAM CLULEY. I've just been looking at it. According to what I'm reading here, you can't stream it anywhere at the moment. So maybe BBC iPlayer is the place for now.
I guess you can pay for it on somewhere like Amazon Prime Video. So, you know, but yeah, you can't stream it for free at the moment. Anyway, he's made some other good movies, hasn't he? Paul Thomas Anderson.
CAROLE THERIAULT. Yeah. Boogie Nights, Magnolia.
GRAHAM CLULEY. Magnolia. Yeah, that was—
CAROLE THERIAULT. Magnolia was very long. God, that was long. Tom Cruise, wasn't it? It was 3 and a half hours or something.
GRAHAM CLULEY. That's right. Yeah.
CAROLE THERIAULT. Numb butt. That's how I ended that one.
GRAHAM CLULEY. That's what I call him too. Anyway, that just about wraps up the show for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter announced have G.
We also have a Mastodon account as well. Don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Overcast.
CAROLE THERIAULT. Massive thank yous to this episode's sponsors, Devo, Vanta and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
And as always, for episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 343 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT. Bye. All right.
GRAHAM CLULEY. Excellent. Very good. Very good. Fun story. Well done, Carole.
CAROLE THERIAULT. You should watch it with Miss Amanda as well.
GRAHAM CLULEY. Yeah, maybe we shall.
CAROLE THERIAULT. I think you're going to want to hide a bit.
GRAHAM CLULEY. A bit close to home.
CAROLE THERIAULT. It'll be a little close to home, but it's not embarrassing. He's very sweet. He's a really— he's actually kind of the star character.
He is a really good character. And you're going to be waiting for something awful, and there's nothing awful. He's just— but it's just— anyway, it's really great.
GRAHAM CLULEY. I really love it. Here's a cybersecurity joke that uses AI. Why did the AI cross the road? To get to the other side of the firewall. Hahaha, I hope that made you chuckle.
-- TRANSCRIPT ENDS --