Who gets to decide who should be CEO of OpenAI? ChatGPT or the board? Plus a ransomware gang goes a step further than most, reporting one of its own data breaches to the US Securities and Exchange Commission.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Hackers Use Online Casinos to Gamble Mountains of Cash They Steal from Victims - 404.
- AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC - DataBreaches.net.
- SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies - US Securities and Exchange Commission.
- OpenAI announces leadership transition - OpenAI.
- The Fear and Tension That Led to Sam Altman’s Ouster at OpenAI - The New York Times.
- Emergency Pod: Sam Altman is Out at OpenAI - The New York Times.
- What We Know About Sam Altman’s Ouster From OpenAI - The New York Times.
- Ousted OpenAI C.E.O. Makes Plans for New Artificial Intelligence Company - The New York Times.
- Microsoft Hires Sam Altman Hours After OpenAI Rejects His Return - The New York Times.
- In the battle to bring ousted founder Sam Altman back to OpenAI, Microsoft and Satya Nadella hold the trump cards - Fortune.
- Rate your resignation letter - Twitter account.
- Suella Braverman’s resignation letter - Twitter.
- Analysis of letter by Dame Andrea Jenkyns - Twitter.
- Thread about letter from Dame Andrea Jenkyns - Twitter.
- The Future by Naomi Alderman review - The Guardian.
- The Future by Naomi Alderman - Harper Collins.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. My Auntie Liz, she got burgled once before Christmas and the burglar apparently unwrapped all the presents around the tree and left them all thinking, these are shit.
CAROLE THERIAULT. I don't need some socks. Thanks though, Auntie Liz.
UNKNOWN. Smashing Security, episode 349. Ransomware gang reports its own crime and what happened at OpenAI, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 349. I'm Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Well, what was the pause for there, Carole? What was—
CAROLE THERIAULT. Do you always say that? Or do you say, my name is Graham Cluley?
GRAHAM CLULEY. I actually, you're, well—
CAROLE THERIAULT. It just, it was there's a weird audio cadence that changed.
GRAHAM CLULEY. I do normally say, my name is Graham Cluley. Yeah. That's right.
But this time I said, I'm Graham Cluley.
CAROLE THERIAULT. I was expecting the music.
GRAHAM CLULEY. Da da My name is Graham Cluley. La-di-di!
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Carole, it's great to be back in the country. I was on my overseas mission last week, of course.
I was at Black Hat MEA, where I bumped into friend of the show, Dan Raywood.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Journalist, of course. He's currently writing for Dark Reading.
CAROLE THERIAULT. He's everywhere. I saw him on a plane coming back from Canada.
Literally, we were getting on the plane.
GRAHAM CLULEY. You told me that, yes!
CAROLE THERIAULT. Yeah! I was on the plane, really hot and bothered, not happy, and then I just heard, "Carole Theriault!"
I was oh, hi, hi. Then we had a nice Snapchat.
GRAHAM CLULEY. It was very nice. So hi, Dan.
CAROLE THERIAULT. Well, he's stalking me as well. He's stalking me too.
So, but anyway, he's now the owner of a lovely Smashing Security sticker, as are some other delegates from the conference who came up to me and said that they enjoyed the podcast. And I did my usual trick of saying, which one of us do you prefer, me or Carole Theriault?
GRAHAM CLULEY. But regardless of their answer, I still gave them a sticker. So.
CAROLE THERIAULT. I love you guys.
GRAHAM CLULEY. High five. It was a crazy event, you know.
It was a crazy event. On the last day, last afternoon, I was the MC of the event, doing my shtick.
CAROLE THERIAULT. And suddenly, huge thunderstorm, right?
GRAHAM CLULEY. Oh, I thought there was someone coughed. All right.
CAROLE THERIAULT. No, no, no. Enormous thunderstorm, torrential rain.
And then the water started to come through the roof of this enormous conference centre.
GRAHAM CLULEY. Oh no.
CAROLE THERIAULT. And then the power went out.
GRAHAM CLULEY. Fuck.
CAROLE THERIAULT. And we were all evacuated. Thousands and thousands of people.
GRAHAM CLULEY. Oh my God. I would have died.
I would not that.
CAROLE THERIAULT. A journey which normally takes 10 minutes to get back to the hotel in a car took an hour and a half because the roads were completely flooded because they don't have drains because they're not expecting this kind of weather.
GRAHAM CLULEY. Oh my God.
CAROLE THERIAULT. So, we should have canoed back. Anyway, dramatic end to the conference.
GRAHAM CLULEY. I'm glad you made it back. I had no idea.
CAROLE THERIAULT. Well, there you go.
GRAHAM CLULEY. I would have been on my own this week going, "Well, what do you think, Graham?" "Oh yeah, that's right."
Glug, glug, glug, glug, glug, glug, glug. Should we kick the show off?
CAROLE THERIAULT. Let's do it.
GRAHAM CLULEY. Okay. But first, let's thank this week's wonderful sponsors, Kolide and Vanta.
It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
CAROLE THERIAULT. So you've hacked a company, now what? Ooh.
CAROLE THERIAULT. And I'm gonna talk about when company boards act like numpties. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. So imagine the scenario. Imagine that you have hacked a company. You've accessed their data. You've committed the security breach, okay? And what you probably want to do is you want to monetize the data in some fashion.
CAROLE THERIAULT. Right, so I've stolen all this glut of information. I wanna make some wonga off the stuff I've stolen. Yep, makes sense.
GRAHAM CLULEY. And there's different ways to monetize it. Maybe you could sell it to others. Maybe you could use the information which you've taken for fraudulent purposes.
CAROLE THERIAULT. Yep. Social engineering. Yeah.
GRAHAM CLULEY. And maybe if you've actually managed to convert it into money, you may think, well, what are we gonna do now? You might even launder it through online casinos to get rid of all their money and maybe make some more money on the side.
CAROLE THERIAULT. No, it's to make it legal. That's the whole point, right? It's just to legalize the cash.
GRAHAM CLULEY. Yes, exactly. It covers your tracks and gives it to criminal, probably casino operation.
CAROLE THERIAULT. You could also do ransomware, right? Where you kind of say, you can have it back for a fee.
GRAHAM CLULEY. Right, exactly. And if you were trying to extort some money from an organisation, how do you apply those thumbscrews? You could leak the data online, which you've stolen. Right. And say, if you don't pay up, we're going to put it on our dark website. You could contact journalists. I've been contacted by ransomware gangs before, say, "Hey, hey, hey, look, we've got all the emails from this company and we found some really juicy stuff. You could write about this." Sometimes I've had hacking groups do that with me.
CAROLE THERIAULT. Do you say okay? Do you say okay or no?
GRAHAM CLULEY. No, of course I don't say okay. Of course I don't say okay. No, no, no.
CAROLE THERIAULT. But loads of journalists do, 'cause they need the clicks. So well done though, Graham, seriously, for having an ethical backbone. I had no idea.
GRAHAM CLULEY. You had no idea that I had any backbone at all. Well, I could do with the clicks, to be fair. To be honest, it would be good. But maybe I'm an idiot. I'm not sure.
CAROLE THERIAULT. No, you're not an idiot. You're not an idiot.
GRAHAM CLULEY. But yeah, I just don't like the idea of being an accessory in the crime. Right.
CAROLE THERIAULT. I'm so proud of you, actually. I'm glad you're my friend.
GRAHAM CLULEY. There you go. You know, I do feel like that, actually, quite strongly. Sometimes when you've seen celebrities get hacked and photographs stolen, and then you see the mainstream media publishing them, and I think, well, hang on a minute. Is that acceptable? I sort of think it isn't, really.
CAROLE THERIAULT. I'm with you.
GRAHAM CLULEY. So other things you could do, you could contact the customers of the hacked company describing how awful their security was. Just one year ago, AirAsia, they got hacked by a ransomware gang called the Daixin team, and they lost personal data of 5 million passengers, all of their employees. And normally that would be bad enough for a company, right, to have their data stolen.
CAROLE THERIAULT. Totally.
GRAHAM CLULEY. But something possibly actually has saved AirAsia from further attacks. Something you probably wouldn't expect, because according to the hackers, the Daixin team who came in, they said they were so irritated by the chaotic organisation of AirAsia's network and the absence of any standards that they refused to look at the data for a long time. And they said the network protection was very, very weak.
And they basically announced, we're never going to hack them again because they're too much effort, because they're just so lousy, their security. So it's worse actually than the data being leaked — you also got the hackers saying, "You're a complete joke, how you're running your computer security on your network." That's, I don't understand that.
CAROLE THERIAULT. Okay, I don't get that at all. So you're stealing data and you're bitching publicly that the data was too easy to steal? What the fuck?
GRAHAM CLULEY. Too easy to steal, but also just disorganised. There have also been hacked plastic surgeries and mental health clinics, where the hackers have contacted patients threatening to release their details and their photographs, their pre-op photographs, or their mental health notes, unless they stump up the cash.
CAROLE THERIAULT. I thought you said hacked plastic surgery, and I was imagining someone's face being somehow destroyed. I don't know. Okay, yeah, there's loads of bad things out there, Graham. What's your point?
GRAHAM CLULEY. Or ways of applying pressure on an organisation to pay the ransom. But now, we are seeing something new.
CAROLE THERIAULT. Is it really new? Okay, I'm waiting. Okay, impress me.
GRAHAM CLULEY. Well, I think there's been threats of this before, but now it actually seems to be happening. The ALPHV ransomware gang, also known as BlackCat, earlier this month they hacked a company called MeridianLink. And MeridianLink provides services at some kind of platform for financial institutions. They've got some important customers who've got lots of wonga.
CAROLE THERIAULT. Okay, yeah, it's not a company I know of. I don't know any of this.
GRAHAM CLULEY. Yeah, yeah, because it's not a field we work in, right? But the ALPHV ransomware gang, they say that they didn't encrypt any files, which isn't that unusual these days.
Sometimes the hackers don't bother encrypting files, they just think, "We're just gonna steal your data 'cause we're gonna assume you've got backups. Why bother encrypting your files, maybe tipping you off earlier as to what's happening?" Can we just give ourselves a hat tip there and just take a pause?
CAROLE THERIAULT. Because for years, we banged on about having backups to everyone. We did it for at least 10 years. So well done, well done.
GRAHAM CLULEY. Well done, well done. Yes, exactly. So this gang, they exfiltrate data.
And according to the hackers, they said the next day MeridianLink found out what happened about the breach, but they didn't apparently do anything about it. According to the hackers, they say they didn't put any security upgrades in place, they didn't patch themselves, and it was only when ALPHV posted on their dark web website, their leak website, about the breach that they then saw MeridianLink protect themselves against further attacks.
CAROLE THERIAULT. So this is a bit like I get robbed, they're still staking my joint, right, to see how I'll react. I don't fix the door or the broken window or anything. Don't do anything. They get annoyed.
So then they go to the local paper and tell everybody that they broke into my house and how crap it was or whatever, you know, that they have this data. And then I go, okay, fine, I'll fix the door.
GRAHAM CLULEY. Yeah, I'll change the locks.
CAROLE THERIAULT. Maybe you're fed up with people coming in every night stealing your VHS recorder again, you know. In the old days, when we worked at the company we worked at, no free advertising for anybody, I would come home occasionally at night, right? I had a flat in Oxford Centre, and my front door would be wide open because I had forgotten to close it when I left.
Literally all day, that door was wide open, this huge door thing in a Victorian house, a little apartment. And no one walked in ever, no one stole anything.
But somehow—
GRAHAM CLULEY. How do you know no one walked in? Maybe people did walk in.
CAROLE THERIAULT. I don't know, actually. They didn't steal anything.
GRAHAM CLULEY. Yeah, exactly. Because I had an aunt, my Auntie Liz. She got burgled once before Christmas, and the burglar apparently unwrapped all the presents around the tree.
CAROLE THERIAULT. And left them.
GRAHAM CLULEY. And left them all, thinking, "These are shit." I don't need some socks.
CAROLE THERIAULT. Thanks though, Auntie Liz.
GRAHAM CLULEY. Aw. Anyway, so they exfiltrated data, right?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And the company's now protected. But ALPHV did not rest on its laurels there, because they still want the company to pay up.
And they're thinking, well, you know, MeridianLink haven't been in touch. They're not negotiating with us, there's no dialogue going on, you know, why aren't they doing anything?
CAROLE THERIAULT. Are they prodding MeridianLink and asking for a dialogue?
GRAHAM CLULEY. Well, yeah, they're attempting to start a decent dialogue, a decent negotiation.
CAROLE THERIAULT. Find us on this forum.
GRAHAM CLULEY. Right. And they're not getting very far.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So they decide to take it upon themselves to tell someone else about the hack. Not MeridianLink's customers, not MeridianLink's staff, but instead the US Securities and Exchange Commission.
CAROLE THERIAULT. Ooh.
GRAHAM CLULEY. So ALPHV submitted a form. There's a place you can go on the SEC website where you can report companies who you believe have failed to, for instance, disclose a security breach within 4 days as stipulated in SEC rules.
SEC updated its rules in July, saying that you had to report a breach within 4 days.
CAROLE THERIAULT. This is— oh my God, this is the kind of stuff that policymakers never consider. How could you?
So you've got some digital robbers reporting you for having—
GRAHAM CLULEY. Been robbed by them.
CAROLE THERIAULT. Yeah, for being robbed by them. Beautiful.
GRAHAM CLULEY. And not telling the authorities. And not reporting it, not reporting it within the time limit.
So they wrote, the hackers wrote on the SEC website, "We want to bring to your attention a concerning issue regarding MeridianLink's compliance with the recently adopted cybersecurity incident disclosure rules."
CAROLE THERIAULT. I love it.
GRAHAM CLULEY. "It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days."
CAROLE THERIAULT. Oh my God. Written by AI, I can hear it. It's written— I will test this later.
GRAHAM CLULEY. So according to the rules, according to the new SEC rules, you have to report a breach within 4 days unless you can delay the disclosure if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, which I suspect it doesn't in this case.
CAROLE THERIAULT. Okay, okay. I'm going to say this is my immediate reaction of what they should do.
So they have to amend the law, and you need to identify yourself as the reportee for them to take it seriously.
GRAHAM CLULEY. Oh wait, oh, I see. On the form, you have—
CAROLE THERIAULT. Yeah, you have to say, I'm Jo Smith.
GRAHAM CLULEY. Upload your passport. Upload your—
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Tell us your phone number. We'll verify it.
CAROLE THERIAULT. Otherwise we can't take it seriously, right? Because we need to go speak with you.
GRAHAM CLULEY. Ah.
CAROLE THERIAULT. We need to get more information first.
GRAHAM CLULEY. Maybe the hackers would fall for that.
CAROLE THERIAULT. Well, they wouldn't, but then they also wouldn't report you, 'cause now there's a sticky pickle, there's a catch-22, 'cause if they don't then take it seriously, you know, if they don't go after them, there could be a whole little mess, little squabble going online.
GRAHAM CLULEY. But hang on, isn't this a little bit like software as a service? Aren't the hackers actually doing a good duty for the company?
'Cause a company which has been hacked has got enough on its plate already. How wonderful if the hackers then begin the process of reporting the breach to the authorities, like ringing up the ICO.
CAROLE THERIAULT. You're right, you're right. The SEC.
GRAHAM CLULEY. Can we say this comes off your list of items to do?
CAROLE THERIAULT. The SEC could start offering bug bounties to hackers to report companies that fuck up. There you go, yes, there you go.
GRAHAM CLULEY. Very well. You could do that as well, no.
CAROLE THERIAULT. So, so poor MeridianLink though. Tell me what happens.
GRAHAM CLULEY. So MeridianLink, they've now confirmed that they suffered a cybersecurity incident, but they say their investigations to date have not identified any unauthorized access to its production platforms. Curious as to why they say production platforms.
CAROLE THERIAULT. Yeah, yeah, yeah, I know.
GRAHAM CLULEY. So has it been something else? And that it has suffered minimal business interruptions.
It says, we have no further details to offer currently as our investigation is ongoing.
CAROLE THERIAULT. Of course, that's what you have to do for liability. You have to say, we don't know that anything's been stolen, that's why we haven't reported it, so we haven't done anything bad.
And the hackers, it's also forcing the hand of the hackers who are gonna go, "Look, we can prove that we've stolen stuff." But maybe also, what if this is a bluff? What if the hackers have fuck all?
GRAHAM CLULEY. It could be. It's always possible, isn't it?
Because it's not like if you steal the Mona Lisa, there's a gap on the wall. But if you copy data, there's not always evidence that the data has been copied and exfiltrated, depending on how much network logging they have.
CAROLE THERIAULT. That's the problem though. There's no ethical place to post that data.
And I don't mean to the public, all of us, but somewhere where they can kind of go, yeah, yeah, no, they've got stuff. You know, in murder investigations, I listen to a lot of this crap podcasts about murders and stuff, right? You have to kind of prove, oh, I know stuff that the cops know.
GRAHAM CLULEY. Oh yes, because you know about the tattoo behind the ankle.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Only the murderer would know about that. So there's an extra little detail here.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Which is ALPHV have reported MeridianLink for a breach of these new SEC rules. I went and read the SEC press release about these rules.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Which was published in July. According to that, these new disclosure rules only come into effect from December 15th, 2023.
Oh.
CAROLE THERIAULT. So maybe that's a screw-up on the hacker's side.
GRAHAM CLULEY. The hackers have gone a little bit too early, but maybe a warning for other organizations as well that leave it a month.
CAROLE THERIAULT. They're listening.
GRAHAM CLULEY. They are. They're always listening.
CAROLE THERIAULT. They're listening right now and they're going, damn you, Graham Cluley. Damn you. Foiled our plans.
GRAHAM CLULEY. Maybe we'll see more of this in the future after December 15th.
CAROLE THERIAULT. Who knows?
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. Alrighty, we have a fast-moving story here. So apologies to those of you bored senseless by AI natter.
But today, this is less of a technology story and more of what's going to happen next. So buckle up. And we're recording this episode on Monday, 20th of November in the evening.
So this all started Friday last week. So a mere few days ago, Sam Altman, he's the front man for OpenAI.
He got some unexpected news. Now, you probably know that this company was co-founded by Mr. Sam Altman, and that was thanks to the financial help from Elon Musk himself, early days.
GRAHAM CLULEY. This is the ChatGPT company, is that right?
CAROLE THERIAULT. This is the ChatGPT company, exactly. And now, largely thanks to Microsoft's $10 billion investment back in January, they've been moving at a clip so dizzyingly fast.
Basically, ChatGPT is the belle of the AI ball. That's the best way to say it, or was until 48 hours ago when all hell broke loose in the upper boardrooms of OpenAI.
So here's what I've managed to piece together. So I've had to read a number of articles, I'd say about 20, right? To get the chronological order of all the little tidbits that I wanted to cover.
GRAHAM CLULEY. Okay, I know nothing about this. Tell me what's going on.
CAROLE THERIAULT. Okay, so I wake up Friday and according to the piece in New York Times, Sam Altman, 38, was invited to a video meeting with the board at noon on Friday. And the previous night he was at an event in Oakland, California, where he was talking with people about art and AI and how they're gonna respect artists and how that's all gonna be a tricky thing, but we'll manage.
GRAHAM CLULEY. And he was at Bletchley Park a couple of weeks ago, wasn't he? He was everywhere. He was with Kamala Harris and Rishi Sunak. You know, there was that big meeting about AI ethics.
CAROLE THERIAULT. He's like Princess Diana of the AI world. He is everywhere and everything, getting all the right messages.
Well, this is— No, he's not.
GRAHAM CLULEY. He's not at all. He's not at all.
CAROLE THERIAULT. Of course not. So, anyhow, okay, so this is the next morning, and he gets the invite to the meeting.
So, Sam's logging on to the video meeting, you know, and he's not sure what the agenda is. Well, he soon finds out because he's immediately fired.
And this is all according to the president of the board, Greg Brockman, who apparently, despite being the president and on the board, not invited to the meeting. And minutes later, minutes later, the board published the blog post.
GRAHAM CLULEY. A blog post saying what?
CAROLE THERIAULT. So the blog post is titled OpenAI Announces Leadership Transition. And I have just a few select quotes because there's lots of we're great, we care about everybody, lots of good stuff.
But basically, the board of directors of OpenAI that acts as the overall governing body for all AI activities today announced that Sam Altman will depart as CEO and leave the board of directors. Mira Murati, the company's chief technology officer, will serve as interim CEO effective immediately. Okay, that's in paragraph 1.
GRAHAM CLULEY. Okay, so why are they getting rid of him?
CAROLE THERIAULT. Ha, good question. So does this answer your question? Quote, "Mr. Altman's departure follows a deliberate review process by the board, which concluded that he was not consistently candid in his communications with the board, hindering its ability to exercise its responsibilities. The board no longer has confidence in his ability to continue leading OpenAI." So it doesn't really answer the question, because you want to know what happened.
GRAHAM CLULEY. Sounds juicy, doesn't it? You kind of want to know some details as to what's—
CAROLE THERIAULT. So I'm reading this like, oh my God, oh my God, oh my God, right? So hours later, the company's president, Greg Brockman, he's also quitting out of solidarity. He's like, "I'm done, I'm out of here."
GRAHAM CLULEY. He's the guy who didn't get invited to the meeting. He didn't get the Zoom invite.
CAROLE THERIAULT. That's why he's pissed off. That's why he's throwing away his company that's currently worth something like $80 billion or something, you know, after the next round.
So this is the darling of the tech world, and they just dumped their co-founder and CEO on his ass. And this was a surprise to all because many maintain this guy's done loads to generate enthusiasm for language models like ChatGPT.
He's been everywhere and done all the talks. And the question on everyone's lips after hearing the news was, "What happened?"
But Sam was tight-lipped. All the papers were probably calling him nonstop going, "Why? Why? What happened? What do you have to say?"
And he didn't respond to anyone that I saw. And so were the board. And so was the ex-president, Brockman. He said a few words, but nothing exciting.
GRAHAM CLULEY. Oh, for goodness' sake. Can't they not just tell it? This sounds really juicy.
CAROLE THERIAULT. It's coming, Graham. No matter who you are, right? If you're unceremoniously dumped like this, also very publicly with a blog afterwards.
GRAHAM CLULEY. I have been dumped in the past, but never with a blog afterwards. So I would be disappointed if there was a blog and it still didn't tell me why I'd been dumped.
I think everyone deserves to be told why they're done, right? I once dumped a girl because she didn't know who the Beatles were.
CAROLE THERIAULT. I met her. Yes, that's true. It is true. He's not lying.
The other thing is we're not even talking about the staff who are going, "Where's our boss? Where's the figurehead of everything?" There's 700 of them, right?
And they want to know the details. So when they ask, they're told that there was a breakdown in communications between Sam and the board.
Thanks, guys. Really? Thanks. I would say actually, no shit, thanks.
GRAHAM CLULEY. Carole, have you found out what the reason is or not? Are you just teasing me along here? Have you found out what the actual reason is?
CAROLE THERIAULT. You're going to follow my story. So sit back. I told you to buckle up. That means zip it.
So how come they were able to do this? How come the board were even able to just fire the CEO who is a member of the board?
And it's because it's a capped-profit subsidiary. So Sam Altman himself, the CEO or ex-CEO, did not directly own shares.
And this board does not have the typical incentive of maximizing returns for shareholders, but they have a fiduciary responsibility or duty to create safe artificial general intelligence that is broadly beneficial. Okay.
They were able to sack Sam without blinking and just saying, you know, he wasn't keeping us informed. It was maybe a bit dangerous, but they're now having to say it wasn't dangerous.
It's not dangerous, but it's kind of, we had to get rid of him. So this is why it's so exciting.
Let's pivot again because we have Microsoft who have sunk $10 billion, not $10 million, $10 billion.
GRAHAM CLULEY. I bet they're pleased.
CAROLE THERIAULT. Into OpenAI.
GRAHAM CLULEY. They've spent $10 billion on this company, and now the two people who were heading it up have left. Well, that was a good investment, wasn't it?
CAROLE THERIAULT. They must have had a proper heads up, right? They must have been called and told, "Look, guys, guys, guys, this guy's not good. We gotta, you know, do you agree?" Do you think?
Do you want to know when they found out?
GRAHAM CLULEY. Same time everybody else did.
CAROLE THERIAULT. One minute before the blog post went live. What a kick in the ass.
GRAHAM CLULEY. "Just so you know, we're about to publish a blog."
CAROLE THERIAULT. "Oh, we've just done it." "Oh, it's published." And the employees, right? Well, they're not getting answers that they want, so they start quitting.
Some of them quite senior, at least 3 senior researchers, including the director of research at OpenAI, says sayonara to OpenAI. This is all on Friday. Okay, this is one day.
GRAHAM CLULEY. It's a bit like when we left that company, Carole, when we both left and there was an avalanche of other people who came out with us, wasn't there? There was a cavalcade of people.
No, there wasn't. No, there was no—
CAROLE THERIAULT. We did put out a blog when we left.
GRAHAM CLULEY. Well, yeah, we published a blog article, but—
CAROLE THERIAULT. They didn't want us to publish a blog article.
GRAHAM CLULEY. No, they didn't. But no one came with us, did they? No one came with us.
CAROLE THERIAULT. Well, you came with me, actually. Oh, yeah.
GRAHAM CLULEY. Okay. That's true.
CAROLE THERIAULT. Uh-huh.
GRAHAM CLULEY. Yeah. Loyal.
CAROLE THERIAULT. So, next day, we wake up to see Sam Altman, saying he's in talks with OpenAI's board about returning to the company. Oh. Yeah.
And he even posted a photo of himself in the OpenAI offices wearing a guest visitor badge and has the line, "First and last time." Right.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Complicated.
GRAHAM CLULEY. So it's beginning to sound a bit like a publicity stunt now.
CAROLE THERIAULT. Well, you know, you have all these plans, you have these employees, and yet you have the board that spat you out in public in a humiliating way and you want to go and have chats? But then on the same day, there's also gossip that Altman, Sam Altman and Brockman were going to go launch their own initiative.
And he also pokes the board on X/Twitter saying, if I start going off, the OpenAI board should go after the full value of my shares. Snigger, snigger, because I don't have any.
GRAHAM CLULEY. Oh, I see.
CAROLE THERIAULT. Right? So this morning, this morning, this is now Sunday, what do we hear?
Sam Altman and Greg Brockman have decided to accept roles leading the brigade at Microsoft's Advanced Research Lab. Because Microsoft probably said, "Well, we have the right to do this as the board." Basically said, "Look, hey guys, you have an open job here."
GRAHAM CLULEY. "Just come on in." Presumably they're not going to give another $10 billion to these two guys again, are they?
CAROLE THERIAULT. Well, OpenAI are also shuffling things about because Mira Murati, who is the interim chief since Friday, is now being replaced by Emmett Shear. He's the former CEO of Twitch.
Lower ranks in OpenAI, the employees, are also scrambling. More than 550 of OpenAI's 700 employees signed a letter saying that the board have to quit because otherwise, if they don't resign, they may just get up and go and work for Microsoft because Microsoft has said to them, don't worry, there are jobs for all OpenAI staff if they want to join the company.
GRAHAM CLULEY. Carole.
CAROLE THERIAULT. What? I'm talking very loud. I can tell I'm shrill. I'm sorry, listeners. I'm sorry.
GRAHAM CLULEY. Carole, you haven't told me yet why they got rid of him.
CAROLE THERIAULT. Well, the staff say the process through which you terminated Sam Altman and removed Greg Brockman from the board has jeopardized all of this work and undermined our mission and company. Your conduct has made it clear you did not have the competence to oversee OpenAI. 550 employees wrote that, signed to that note.
GRAHAM CLULEY. Okay, well, look, I get that.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. But why did they fire the guy? What was the problem? What did he do? Do you know or not?
CAROLE THERIAULT. They tell the board in the letters—
GRAHAM CLULEY. Carole, do you—
CAROLE THERIAULT. Carole! Carole! No, no, I have one more thing to say before we have this conversation. Get this: one of the board members who is obviously being targeted by this employee onslaught of saying, "Resign, you fuckers," also signed the letter.
Oh, he's quoted as saying, "I deeply regret my participation in the board's actions. I never intended to harm OpenAI. I love everything we built together, and I will do everything I can to reunite the company." So I'm just saying, hand me the toffee popcorn. Am I right?
GRAHAM CLULEY. I'll hand you the toffee popcorn when you tell me why he was actually fired.
CAROLE THERIAULT. Every single journalist who are much more powerful than me have tried to get that answer, and so far we do not know.
GRAHAM CLULEY. Well, you know what?
CAROLE THERIAULT. What?
GRAHAM CLULEY. You've all made a big mistake, because it's easy to find out. Why he was fired.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. All you have to do is ask ChatGPT.
CAROLE THERIAULT. It's not up to date that way unless you pay.
GRAHAM CLULEY. We're not prepared to pay for this breaking news.
CAROLE THERIAULT. Maybe one of our listeners, one of our listeners is going to be a monthly subscriber to ChatGPT 4. Please let us know what they say.
GRAHAM CLULEY. I wonder if some of these crazy responses from the OpenAI board were not actually human responses, but people thought, oh God, I've got this boring board job. I don't know what to do today. I'll ask ChatGPT to tell me what I should do today and what decisions I should make. This is the AI taking control right here, Chris. This is the AI pushing out the man.
CAROLE THERIAULT. Maybe it's a PR stunt and they've actually got ChatGPT to do all these communications. What would you do if you were Greg Brockman at this stage? What would you do if you're Mira Murati and they're just building up their whole drama? Who knows? It's crazy. But this is the belle of the ball. Right? This is Pamela Anderson— What was that beach show she was on when she was running around? Baywatch. Baywatch. Tripping and breaking her ankle. Okay? That's how big this is. Pay attention. It's probably old news now that you're listening.
GRAHAM CLULEY. Interesting mixed metaphor that you're making here between a fairy tale about Cinderella and Pamela Anderson in Baywatch, a show which most of our listeners don't even remember.
CAROLE THERIAULT. She is Canadian. Bitcoin.
GRAHAM CLULEY. Oh, well, all right.
CAROLE THERIAULT. Dear to my heart. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
GRAHAM CLULEY. And welcome back. We're going to start our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.
Hmm, mine might be. Yours is security-related?
CAROLE THERIAULT. Maybe a little bit, a tiny bit, tiny bit.
GRAHAM CLULEY. Well, I say it doesn't have to be necessarily. I mean, it's you who say it shouldn't be. I don't know why you put it down my throat then.
Well, I'm just— I find it rather, you know. Anyway, my pick of the week this week, I don't know how many of our listeners are following British politics, but—
CAROLE THERIAULT. I'm not, so you can inform me.
GRAHAM CLULEY. If you think the goings-on at OpenAI are a complete shitshow, watch British politics.
CAROLE THERIAULT. Is this about Cotswolds Dave?
GRAHAM CLULEY. No, well, it was connected to David Cameron, our former Prime Minister, who was an MP in the Cotswolds long ago. He's now become — well, he's been ennobled to the Lords.
He's now Lord Dave of Chipping Norton, he is now. And he is going to be our Home Secretary, although not actually answerable to the House of Commons because he won't be showing up there because he's not an MP.
Anyway, that's all come about because Suella Braverman has been fired as Home Secretary. You can look into exactly what she did wrong.
Well, you can see the latest thing that she did wrong which upset Prime Minister Rishi Sunak. Now, I'm not going to get very political here, but my pick of the week this week is a Twitter account called Rate Your Resignation Letter.
And what they do is they analyse, and it's quite often been the resignation letters of politicians, to give them basically a score. Score for their grammar, a score for any insults, any sort of mistakes that they've made, just having a pop basically at the quality of the resignation letter.
Now, Suella Braverman's resignation letter was quite a hoot because — What is it? Oh yes, oh yes.
CAROLE THERIAULT. Is it in the show notes? Can I look at it?
GRAHAM CLULEY. Yes, yes, I've linked to it in the show notes. You can go and read her resignation letter.
And this has caused a cavalcade of other politicians to question the suitability of Rishi Sunak to be Prime Minister, including someone called Dame Andrea Jenkyns MP. And she has written a letter of no confidence.
And this was a work of art. Dame Andrea Jenkyns has written the most extraordinarily badly written letter that I think I've ever, ever seen.
She's a big fan of a previous Prime Minister, Boris Johnson. I'm looking at her letter now.
CAROLE THERIAULT. Okay, so the one signed the 13th of November. She says, "Dear Sir Graham." Is that why you chose this story?
GRAHAM CLULEY. No, no, it's written to Sir Graham Brady, the chairman of the 1922 Committee. This is what you do if you want the current leader of the Conservative Party to be ousted.
Enough MPs have to write complaining. So what I particularly enjoy is she's a big fan of Boris Johnson, and some of her sentences appear to have missed out verbs, or she's got a little bit distracted by the end of the sentence.
So for instance, she says, "Yes, Boris, the man who won the Conservative Party a massive majority, was unforgivable enough." And I think she meant to write, "the ousting of Boris was unforgivable enough."
So she appears to be saying that Boris Johnson was unforgivable enough.
CAROLE THERIAULT. I wonder if some third party may have gotten their hands on this before it was sent out. If she didn't press the return button on her own?
There could have been changes in — no?
GRAHAM CLULEY. It was posted on her Twitter account, as is the custom. But there are a huge number of errors and grammatical flaws, and you just think, oh my God, wouldn't you have spent a bit more time writing this letter?
Anyway, the ResignWell website, the Rate Your Resignation Twitter account, is an account which looks at people's resignation letters and then gives them a score. And points out grammatical errors.
And I quite enjoy it because, my goodness, there's not that much to enjoy in British politics at the moment.
CAROLE THERIAULT. But this is such a wanky thing that is so British, right? To go through and go, "Actually, they don't know how to use a past participle. Did you see?"
So yeah, that's what this is. But it is good fun.
I enjoy it too. I've lived here long enough. I know how to roll with this.
GRAHAM CLULEY. I love it. Okay. That's my pick of the week. Carole, what's your pick of the week?
CAROLE THERIAULT. My pick of the week is a book, which I experienced as an Apple audiobook, and it is called The Future by Naomi Alderman. Yeah, it's brand new. I think it's just hit the shelves. I've just finished it, and it is a teeny tiny bit security related because at the heart of the story there's some techie jiggery-pokery afoot. But the whole thing is more taking a stab at how the near future could pan out if we don't pay a bit more attention to what's going on. So basically you've got 3 tech trillionaires, right?
You've got this, a CEO of a hybrid of Facebook and ex-Twitter called Fantail. You've got the CEO of Anvil, that's Amazon. And you have the CEO of Medlar, which is kind of a Microsofty Apple World's most profitable personal computing company. And they have made in-case plans. And what I mean by that is if the world goes AWOL completely, these 3 VVVIPs can be safe, right? Because they have lavish bunkers dotted around the world.
GRAHAM CLULEY. Okay, so it's how they're going to survive when the world goes to shit. So they'll be cryogenically suspended or they'll be blasted into space to set up life on a new planet.
CAROLE THERIAULT. Yeah, the book is actually more about how do you get enough advanced warning that you're going to be able to get the hell out of Dodge if the hammer hits. So everything starts going crazy, everything starts melting down around you, how can you leave in your very posh, I don't know, whatever, Porsche or, you know, a posh car and not be hammered by people who are going crazy. But you need an advanced warning system.
So they say, why don't we create a program that triages all the world's data and risk points with a view of predicting the world's end ahead of time so we have enough time to jet off to our fully stocked for decades luxurious safe house while the rest of us fight for survival Mad Max style. So this is kind of the narrative of the book, and it's interwoven with backstories and childhood experiences of all our kind of protagonists.
GRAHAM CLULEY. Is this a funny book, Carole?
CAROLE THERIAULT. Is it a comedy? No, it's not.
GRAHAM CLULEY. No, no, it's not.
CAROLE THERIAULT. No, no, no, it's not funny, but it is thoughtful. I found it very thoughtful, and I found it smart, and I found it engaging. The Guardian did not. They kind of slated it. Her previous novel was called The Power, and that won the Women's Prize for Fiction. I haven't read that yet, but I will now. But I think it's a shame The Guardian didn't get it.
I think she brings a lot of interesting topics, topics that our listeners will like. But Graham, this is not a book for you because it's kind of complicated.
GRAHAM CLULEY. There's no pictures.
CAROLE THERIAULT. And you need to focus. Yeah. You just need a lot of focus. There's a lot of threads, and I think you would just get really frustrated and go, "Ah, this is not for me." But it was right up my street. So if you like my pick of the weeks, this sounds like it's up your wazoo. Check it out. It's called The Future by Naomi Alderman. And that's my pick of the week.
GRAHAM CLULEY. Well, that just about wraps up the show for this week. Next week, we're going to have a bumper show, aren't we, Carole?
CAROLE THERIAULT. Mm-hmm. We've got a lot of content.
GRAHAM CLULEY. And we've got a guest as well who's going to be joining us because we haven't had one for the last couple of weeks. And that's always fun.
CAROLE THERIAULT. A brand new guest we've never had on before. Fingers crossed they show up.
GRAHAM CLULEY. You can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And you can also look up Smashing Security on Reddit. And to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And high fives to our episode sponsors, Vanta and Kolide. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 348 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye.
GRAHAM CLULEY. What are you doing Thursday night, Krop? Thursday night, November the 23rd, BBC Four.
They're showing a colorized re-edit of the first ever Dalek story. Doctor Who, The Daleks, 1963. John's been watching these.
CAROLE THERIAULT. He's— because the BBC have put— I can't believe this hasn't been one of your pick of the weeks yet. Or was it?
GRAHAM CLULEY. I'm saving up for it.
CAROLE THERIAULT. I'm saving up for it. He started watching from season 7.
GRAHAM CLULEY. Oh, of the classic old series?
CAROLE THERIAULT. Yeah, yeah, he started because they're all up there now.
GRAHAM CLULEY. Season 7's brilliant. Jon Pertwee's first series.
CAROLE THERIAULT. Exactly, exactly. That's what he said.
Jon Pertwee, he's the best Doctor Who. That's what he said. But yeah, he started at 7:07. They're all up. They've put them all up on iPlayer.
GRAHAM CLULEY. Oh, it's a wonderful thing. No, it's good.
Yeah, it's good stuff. Good stuff. All right, see you next week.
-- TRANSCRIPT ENDS --