Holy mackerel! AI is jumping on the religion bandwagon, ransomware gangs target hospitals, and what's happened to your old mobile phone number?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by "Ransomware Sommelier" Allan Liska.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- I changed my number and now i can log into others accounts - Reddit.
- Post by Alexander Hanff - LinkedIn.
- Meta says risk of account theft after phone number recycling isn't its problem to solve - The Register.
- Things to bear in mind when you change your mobile number - T-Mobile.
- 20+ hospitals in Romania hit hard by ransomware attack on IT service provider - Graham Cluley.
- Ransomware gang claims responsibility for Christmas attack on Massachusetts hospital - The Record.
- Cyberattack Disrupts Operations at Chicago Children’s Hospital: An Examination of the Threat and Its Impact - Medriva.
- Gods in the machine? The rise of artificial intelligence may result in new religions - The Conversation.
- AI: a way to freely share technology and stop it being misused already exists - The Conversation.
- The Friar Who Became the Vatican’s Go-To Guy on AI - The New York Times.
- How AI could change our relationship with religion - The Conversation.
- Meet the Vatican’s AI mentor – POLITICO.
- Focus Areas - AI and Faith - Rome Call.
- Are chatbots changing the face of religion? Three faith leaders on grappling with AI - The Guardian.
- “One Day” - Netflix.
- "The Saint" - Amazon Prime.
- The Saint goes to Palm Springs - YouTube.
- God's Favorite Idiot - IMDb.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry - BlackBerry helps keep you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. You'd do the same thing.
GRAHAM CLULEY. No, I would not.
CAROLE THERIAULT. Yes, you would.
GRAHAM CLULEY. No, I would not. I absolutely would not.
CAROLE THERIAULT. You would. You would. You would. La, la, la, la, la.
GRAHAM CLULEY. No, no.
ALLAN LISKA. La, la, la.
GRAHAM CLULEY. No, no, no, no.
CAROLE THERIAULT. I just got you pegged.
GRAHAM CLULEY. No. One is enough. One is enough.
CAROLE THERIAULT. Allan, do you know Graham well enough to answer this question?
ALLAN LISKA. So I hate to say it, Graham, but I'm with Carole.
UNKNOWN. Smashing Security, Episode 359: Declaring War on Ransomware Gangs, Mobile Muddles, and AI Religion with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 359. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined by someone new this week, a guest who hasn't been on the show before, although we have spoken about his work. It is the ransomware sommelier, Allan Liska. Hello, Allan. Bonjour. Hello. You're not actually French, are you? I don't know why.
ALLAN LISKA. I am the opposite of French. Whenever I visit Bordeaux, which is my favorite city in the world, I try my best to speak French, but it sounds very much like a Southern American trying to speak French, and they just say, please speak English and stop. So not French.
CAROLE THERIAULT. I love Bordeaux as well.
GRAHAM CLULEY. Are you a big lover of wine, Allan?
ALLAN LISKA. I am. And I'm a big lover of wine and a big lover of the city. In fact, for a couple of years, we hosted BSidesBordeaux to bring security people into Bordeaux and have talks and drink wine. And it was a lot of fun.
Unfortunately, I haven't been able to keep up with it as much as I'd like to. But I'm hoping we'll be able to get it back at some point. But yes, I'm a huge, huge fan of wine. If you ever want to phish me, promise me a 1982 Château Margaux and I will click on whatever link you want.
GRAHAM CLULEY. You're called the ransomware sommelier. You are an expert in ransomware as well, aren't you?
ALLAN LISKA. I am, and I'm actually a certified sommelier. So both titles are true.
CAROLE THERIAULT. Let's thank this week's wonderful sponsors, Kolide, BlackBerry, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm stuck inside of mobile with the Meta blues again.
CAROLE THERIAULT. Oh, how long did it take you to come up with that one?
GRAHAM CLULEY. Not as long as it took Bob Dylan.
CAROLE THERIAULT. He used to write songs in 20 minutes, so you're competing there. What about you, Allan?
ALLAN LISKA. I'm going to talk about war crimes, so I'm going to bring it down a little bit. I'm sorry.
CAROLE THERIAULT. And then I'm going to get us all to pray AI-style. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Chums, chums, there is a chap on Reddit. His name is MalfeasanceE.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Sounds friendly enough, doesn't he, MalfeasanceE?
CAROLE THERIAULT. There's a lot of people on Reddit, just FYI.
GRAHAM CLULEY. There are, yeah, yes, there's certainly quite a few up there. And this chap, he posted last week about a strange experience that he had had.
You see, a few months ago, he changed his mobile phone number. I don't know what happened. Maybe he changed his cell phone provider, whatever. He changed his mobile phone number. And he tried to log into his Instagram account. And to do that, he entered his new phone number. And it logged him into some random woman's account.
CAROLE THERIAULT. Oh.
GRAHAM CLULEY. So he now had access to all of their pictures, could see who their friends and contacts were, their direct messages, and so forth. And—
CAROLE THERIAULT. Can I just ask though, is Instagram used for anything kind of—
GRAHAM CLULEY. Kinky?
CAROLE THERIAULT. Naughty? Yeah. Or is it just pictures of flowers and I mean, I look at it for paintings, so that's all I look at.
GRAHAM CLULEY. But I love the thought that you imagine there's some corner of the social media universe that isn't being used for bad stuff. Of course, there's loads of bad stuff going on there, everywhere else. Even if you went on Club Penguin, there's probably bad stuff going on there, right?
Everywhere there's bad stuff. And people are going to be exchanging messages which they certainly anticipate will be kept private. You wouldn't want someone reading, you know, your pro—
CAROLE THERIAULT. "Oh, I've just recorded a podcast with that screwball Cluley again." Yeah, that would be the worst if you got a hold of that one.
GRAHAM CLULEY. Right. That would be the worst.
So, pretty bad that he managed to access someone else's account just with his new mobile phone number. And then he noticed that his Amazon Alexa Echo thing, bing bong, kept on giving him reminder notifications after he connected it to his new mobile number. Reminders that he hadn't himself set.
CAROLE THERIAULT. Oh, things like 12 o'clock, go to the doctor's. And he's, oh, I don't have an appointment.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. We now have an Amazon Echo thing.
CAROLE THERIAULT. Do you?
GRAHAM CLULEY. You know, we do. It is primarily used to tell me when to take the eggs off the boil.
It's basically—
CAROLE THERIAULT. Have you heard of a timer, dude?
GRAHAM CLULEY. Yeah, I just say, you know, give me 7 minutes on the clock or something, you know, and it will do that. So, you know, that's the main thing it's used for.
Oh my God, I know that I am ashamed to admit it on this podcast, but it's true. So what does he do? He's got access to this woman's, this young woman's Instagram account. And so of course, first thing he does is he messages the owner, the proper owner of the account, from his own account, warning her to reset all of her accounts, remove her old phone number, add presumably her new mobile phone number rather than her previous one. No, actually, he doesn't do that at all.
Oh, he doesn't get in contact with them. Instead, he was curious. And so what he did was he found out, oh, I wonder what other apps and what other accounts I can log into with this phone number, which is new to me, but previously was owned by someone else.
CAROLE THERIAULT. And you'd do the same thing.
GRAHAM CLULEY. No, I would not.
CAROLE THERIAULT. Yes, you would.
GRAHAM CLULEY. No, I would not. I absolutely would not.
CAROLE THERIAULT. No, no, I wouldn't. You would. La, la, la, la. No, you would do it before you contacted the woman because you'd want to see how big of a problem it was to back up your argument before you tell her to change the passwords or whatever.
GRAHAM CLULEY. Can't do that.
CAROLE THERIAULT. I just got you pegged.
GRAHAM CLULEY. No, one is enough. You can access one account.
CAROLE THERIAULT. Allan, do you know Graham well enough to—
ALLAN LISKA. So I hate to say it, Graham, and I appreciate the invitation here, but I'm with Carole on this.
GRAHAM CLULEY. What? I invite you onto this podcast.
CAROLE THERIAULT. Love you, Allan.
ALLAN LISKA. And this is the—
GRAHAM CLULEY. Anyway, this chap, he claims he's able to access this person's TikTok, their Snapchat, their Facebook, their DoorDash, their Amazon, and others. That's what he reckons.
CAROLE THERIAULT. All through the phone number.
GRAHAM CLULEY. All through the phone number. Because many of these sites, if you can't remember your password, they'll say, "Oh, well, if you want to reset your password, then tell us some other information about yourself. Do you know what your mobile phone number is?" And then when you enter the mobile phone number, it sends you a text, a confirmation code. It's an authentication code really, isn't it? Which you then enter to say, "Yes, I am the owner of this mobile phone." It says, "All right, well, we'll let you reset the password then." Oh my God. So effectively, he's stalking people.
CAROLE THERIAULT. Yeah, and we have to keep our phone numbers forever.
GRAHAM CLULEY. Well, this is it, because of course, if you change your mobile phone number, your cell phone operator doesn't then throw that into the eternal fires of hell, never to be reused again. What they do is they wait. Well, it depends where you are in the world, but some places like America, it may be 45 days, other places it may be 6 months. It doesn't matter. Your phone number eventually gets recycled. This is one of the big problems with phone numbers is we just use numbers. If we had alphanumerics, if you had a phone number which was 9KBB!, if we had phone numbers that, we'd have much more variation. We wouldn't have so much trouble, but numbers run out, so they get recycled. So he at this point got worried, not because he might be found guilty of stalking this woman and accessing her accounts without permission, which I think is a bloody dodgy thing that he did, but because he was thinking, hang on, my old number might be recycled. Someone else might get access to my accounts.
CAROLE THERIAULT. That's what motivates him. Protect his own butt.
GRAHAM CLULEY. Yeah. So I find it quite hard to feel sympathetic towards him, because it does seem that he was worried more about himself when he posted this message on Reddit than this young woman.
CAROLE THERIAULT. Well, at least he's honest, right, Graham?
GRAHAM CLULEY. Well, yes, I'm being honest too. Why's my voice raised that?
CAROLE THERIAULT. 'Cause you're full of shit? Anyway.
GRAHAM CLULEY. So if you're able to accidentally log in someone else's account with a new phone number, it is never all right to see how many other accounts you can also log into, right?
ALLAN LISKA. 100%.
GRAHAM CLULEY. The first one you can consider an accident. But after that, it looks like you're kind of doing this deliberately. Now, there is potentially some blame on tech companies here, though, because I think no platform should ever have just your phone number as a login credential when these phone numbers are recycled so often.
CAROLE THERIAULT. Well, you know, it's weird. Just today, I had to call a medical provider, right? And they needed to verify who I was. And they asked me loads of questions, information, my address, my age, all this stuff. And I'm giving this information away to them.
GRAHAM CLULEY. And then I remember that they said, "This call may be recorded for monitoring purposes." And you're just, "Well, for God's sake!" I love it when they say, "This call may be recorded for training purposes." And I'm now thinking, is it AI training? Is it all going into ChatGPT? Can you give me details exactly what this training is?
CAROLE THERIAULT. Have you tried and asked ChatGPT what your address is? See if they get it right.
GRAHAM CLULEY. Oh no, I haven't, no. That's a scary thought. Anyway, so I don't think tech companies should be using this as a login credential, your phone number. And that is also the opinion of a privacy wonk called Alexander Hanff.
Who posted about this thing on LinkedIn. This is where I found out about this story. He tried to contact Meta, the owners of Facebook and Instagram, via its bug bounty program because he couldn't find any other way. He wasn't after any money. He wasn't after a bounty. He just thought, how the hell do I contact Facebook to tell them about this?
ALLAN LISKA. Of course.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And he got a response back saying, well, this is a concern, but it's not a bug. And we don't have any control over telecoms providers who reissue phone numbers. So not our problem. And, you know, but they do have control over allowing people to log in with just a phone number. It's part of that design.
ALLAN LISKA. Then you could make the argument, well, we don't have any control over people who reuse passwords. And yet, you know, there are companies that have built-in protections. When you try and reuse an old password, they'll let you know, hey, please don't use this password again. So I think that that is a ridiculous and short-sighted argument. You know, we have to be aware of the shortcomings everywhere else around us, including with the phone companies.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Oh, by the way, Alexander Hanff, when he got that reply, he reckons the response he received was actually AI-generated.
CAROLE THERIAULT. I'm sure it was.
GRAHAM CLULEY. He said they literally closed the ticket within seconds of him submitting it. He said it would have taken longer than that for a human to even have read what he wrote to them, let alone evaluate it. You know what?
CAROLE THERIAULT. This is gonna be this new world where we'll have to have keywords to ensure the AI then puts it in the appropriate bucket so that human eyeballs see it.
GRAHAM CLULEY. Yes, yes. Mention Mark Zuckerberg, echelon, just something like that, which is gonna trigger all the— Awoo! Yeah, ahooga, ahooga. So the truth is Facebook, Instagram, these other sites, they don't want the hassle of dealing with how many millions of people forget their passwords every day and say, oh, we can't prove who we are. And so that's why they're pushing this. You can reset your password by your phone number because it's so much easier for the tech company, but it's poorer for security. They could insist upon the use of authentication apps, one-time passwords instead of SMS-based authentication, but too much hassle. They don't want to do it.
CAROLE THERIAULT. Well, it's too many people wouldn't understand, I suspect.
GRAHAM CLULEY. I suspect not. But we need, we need, you know, for better protection, we need, we need to do that. And we need to educate people to turn on those features when they are available. Also, should telecoms companies be doing more to warn users when they change their phone number? T-Mobile, I noticed they do advise companies to change the numbers on any accounts they may have their old number saved on, such as bank accounts and social media, etc. But many others, I think, aren't doing this at all. So once again, SMS is a load of old rubbish.
CAROLE THERIAULT. Except we use it all the time.
GRAHAM CLULEY. Well, we use it for SMSing, but for anything secure, maybe you want to be a bit more careful because if it's just the phone number, we know from SIM swap attacks and other things, but also we've got these bloody mobile phone companies recycling our numbers.
CAROLE THERIAULT. Sucks.
GRAHAM CLULEY. It sucks, which we should actually spell, I think, S-U-C-K-3. See, that could be a phone number, couldn't it? We could do some of that, or the dollar sign. What about putting an emoji in there? Allan, what would your number be if you didn't have to have a number?
ALLAN LISKA. If I didn't have to have a straight number? Oh, I would just— well, so it's, you know, in the US the numbers are 10 digits, so I would just make it my password. And that way my password and my phone number are the same thing. So much easier to get through life. I mean, everybody's phone number would be their first pet and their date of birth. So yes, that will—
GRAHAM CLULEY. Their stripper name.
CAROLE THERIAULT. How do you know my password?
GRAHAM CLULEY. Allan, what story have you got for us this week?
ALLAN LISKA. So I know you like to keep it lighthearted, but what's been bothering me lately is the rash of ransomware attacks against hospitals. Right now, as we're recording, Romania has more than 100 hospitals that are under attack by a ransomware attack that seems to be attributed to a Phobos variant, which is ridiculous. But, you know, we've had the St. Louis Children's Hospital this year.
We've had the hospitals in Maine, hospitals in Chicago, a hospital in Germany. And that's just this year so far.
GRAHAM CLULEY. Yeah, it's just early February.
ALLAN LISKA. Yeah. Healthcare is just under nonstop onslaught from ransomware attackers who don't feel like there'll be any consequences for going after a hospital, for shutting down services and so on. And we need to figure out how to stop it.
GRAHAM CLULEY. So I remember, Allan, that a while ago, some of the ransomware gangs said they weren't going to target hospitals because they thought maybe that was a bad idea. Now, in the case of this Romania attack, I read that it was an IT service provider for these hospitals who maybe had been breached, and maybe that's where the attack came through. So is it possible the ransomware gangs don't know who their actual real victims are, or is it that they just don't care?
ALLAN LISKA. So since Carole already used the term bullshit, I'll go ahead and say my usual line that we have to remember that ransomware actors are lying pieces of shit. And yes, there was an attempt early on in the, you know, back in 2020, in the start of the pandemic, where a bunch of ransomware actors said, oh no, we won't go after hospitals. And then what they've done is they've changed the definition of hospital over time.
So basically only things they deem a qualified hospital count. So for example, St. Lawrence Children's Hospital in Chicago, which is a nonprofit hospital. But because they have operating revenues in the hundreds of millions of dollars, they're considered a fair attack, even though that's just what it costs to run a hospital in the US. That is not them making that money. That, you know, according to Lockbit, that doesn't matter. That means that they're rich enough that they can afford to pay the ransom.
CAROLE THERIAULT. But why hospitals? Why hospitals as an industry, do you think?
ALLAN LISKA. I think there are a couple of reasons. One, it gets a lot of attention, so it gets a lot of media press, which garners more, for lack of a better term, street cred or clout for the ransomware group. So if you're operating a RaaS service, you know, you can get more people to sign up for that.
But the thought is that because it causes so much disruption, that hospitals are going to be more likely to pay a ransom. Now, the evidence doesn't bear that out. Hospitals are actually one of the least likely targets to pay a ransom. But I think the ransomware actors think that way. There's also the possibility because patient records are so valuable on the underground market, on the identity theft market, because you have basically everything, you know, going back to your point earlier, Carole, you have the phone number, you have the address, you have in the US Social Security number. All of that is part of your patient record. And so even if you're not going to get paid, if you steal enough patient records, you can make that money selling that on underground forums. It's gross.
GRAHAM CLULEY. So have you got a solution for this, Allan? What's your advice? Other than chopping off their fingers with bolt cutters.
CAROLE THERIAULT. I love how it's Allan's responsibility now.
GRAHAM CLULEY. It is Allan's. Yeah, well, Allan's brought the problem to us today, so I'm hoping he's got a solution as well.
ALLAN LISKA. I have the most American solution that is out there. Oh dear. Drone strikes. I figure you take out one of these dudes with a drone while they're sitting in their house, and all of them will very quickly learn not to go after hospitals.
You know, and I mean, it's not like their OPSEC is that great. We saw this when Australia a couple of weeks ago, you know, hit the sanctions on the ransomware actor that went after Medibank.
They had everything except for what he had for lunch that day. You know, you may think you have good OPSEC as a cybercriminal, but you don't have GCHQ OPSEC, right?
Like, you can't hide from people that have satellites. And so we know where most of these— not me personally, but I am sure intelligence agencies could very quickly find out where they are.
And one drone strike and you take them out. Barring that, since we can't seem—
CAROLE THERIAULT. Yeah, I was gonna say otherwise, is there any options for how we could handle this?
ALLAN LISKA. I don't know what else we can do. You know, we sanction ransomware. Well, I mean, we—
GRAHAM CLULEY. Fair enough. Fair enough.
ALLAN LISKA. We sanction ransomware actors directly. So, you know, we've— that's not something we've normally done in the past, but now we sanction cybercrime groups.
We, you know, shut down cryptocurrency exchanges to try and get them to make it harder to launder their money. The ransomware groups that aren't in the US, we are arresting a lot— or not in, you know, the ones that aren't in Russia, I should say.
Those are the ones that we're doing a better job of arresting. We're taking down their infrastructure.
I think we could take down their infrastructure faster. We're doing a lot of things, but they're just more nimble than law enforcement is.
As much great work as law enforcement has been doing recently, it still takes a long time to build a case, share the intelligence across the different agencies around the world, and then take that action. In the meantime, the ransomware actors can operate, you know, basically with impunity.
I mean, we saw this with Scattered Spider, the arrest of Scattered Spider a couple of weeks ago, or one of the actors behind Scattered Spider who lived in Florida. That took 8 months, which is relatively fast by law enforcement standards.
Yeah, but it still allowed them to just, you know, have a path of destruction behind them for 8 months and, you know, thinking that there was gonna be no consequence.
CAROLE THERIAULT. What do you think of basically making it illegal for companies to pay off ransomware gangs?
ALLAN LISKA. So I'm torn on that. So in the '70s and '80s, there was a spate of kidnappings in Italy.
And so what Italy did to solve the problem in 1991 is they banned ransom payments. So you weren't allowed to pay a ransom to kidnappers.
In fact, if you reported a kidnapping, they didn't just make it illegal for you to pay the ransom. They also temporarily froze all of your assets so that you couldn't pay a ransom.
GRAHAM CLULEY. Wow.
ALLAN LISKA. And what happened was for the first couple of years, the number of kidnappings appears to have gone up. It's really hard to get solid kidnapping data, but contemporary reports say the kidnappings went up.
I just can't find real hard numbers, which as an analyst drives me nuts, in part because the kidnappers could double extort you, right? They could get the money if you had the resources.
They could get the money to pay the ransom. But then also, once you paid the ransom, they could blackmail you for paying the ransom.
CAROLE THERIAULT. And so it's like double jeopardy. Yeah.
ALLAN LISKA. And so there was this incentive that was seen here for the kidnappers. Now, what wound up happening because assets were frozen, people just couldn't pay the ransom anyway. And even though that period was very, very painful, eventually the number of kidnappings in Italy went down significantly. But there were a couple of years of pain.
And the question is, are we willing to put businesses through a couple of years of pain in the hopes that ransomware will go away and it won't? I mean, maybe it takes a different form. There'll be a new kind of cybercrime activity that's happening. So we're not really solving the problem. We're just morphing the problem into something else. On the other hand, I'm tired of cybercriminals driving Lamborghinis while I drive a Subaru.
CAROLE THERIAULT. Would you really want to drive a Lamborghini?
GRAHAM CLULEY. Oh, God, no.
ALLAN LISKA. No, I just don't want them to drive a Lamborghini either.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. So, AI, it's worming its way into every industry. It's every institution, every organization, and it's doing so at breakneck speed. And it's helped along by companies that don't want to be left behind, thinking that all their competitors are doing it. They want to automate processes so they can reduce the resource bills. And they want to make a quick buck or $10 million, right? But an area that I don't think we've ever explored on Smashing Security is how AI and religion intersect.
GRAHAM CLULEY. Oh, excellent. 'Cause we've upset enough of our listeners talking about sex and politics in the past. So let's now tackle religion.
CAROLE THERIAULT. Let's do the whole trifecta.
GRAHAM CLULEY. Yeah, exactly. Good.
CAROLE THERIAULT. Okay, so put your thinking caps on, gents. How do you see AI helping religions of the world? So not any specific religion, but any organization.
GRAHAM CLULEY. Yeah, so I'm imagining that I am the Pope, for instance, which is, you know, I might become the Pope one day. Who knows? It is possible. I'm imagining that if I have to roll out once a week or however often onto his little balcony and give a sermon or a speech or say something, albeit in Latin or Italian, I don't know what he does, but anyway, AI will help me construct that sermon, you know, because there's only so many stories you can roll out when you're 70. You've done them all in the past before. So that would help me. And it could do the translation as well, maybe, which would be good.
CAROLE THERIAULT. Exactly. So you could get your message across internationally, couldn't you?
GRAHAM CLULEY. Exactly. Yeah, I could relax as the Pope watching Homes Under the Hammer and not have to worry so long writing my sermons.
CAROLE THERIAULT. Exactly. What about you, Allan?
ALLAN LISKA. So as a lapsed Catholic, I could see going to confession to an AI. So instead of having to go all the way to church and confess my sins, I just type it into the AI. And the nice thing is when you go to confession as a Catholic, they're, "Oh yeah, say some Hail Marys or whatever."
CAROLE THERIAULT. That's right.
ALLAN LISKA. The AI could come up with a much more structured penance. Like, "Oh no, for what you did this week, you need 72 Hail Marys and 3 Our Fathers."
CAROLE THERIAULT. Our Fathers. Yeah, that's right.
ALLAN LISKA. Exactly. And you know what, maybe throw some rosaries in there too, because dude, you need to stop that. So I can see an AI confessional.
CAROLE THERIAULT. I love that. I could imagine an app for—there's going to be an app for that, right?
ALLAN LISKA. Exactly. You don't even have to get out of bed.
GRAHAM CLULEY. There is.
CAROLE THERIAULT. You should TM it right now, Allan. Seriously. And one cool thing, or for me, I thought was quite cool, is generative AI systems could be trained on massive troves of scriptures, right? And religious texts and images and make them more accessible to all. And this includes ancient texts as well.
GRAHAM CLULEY. Yeah, so I was just thinking, the Bible's a very popular book, isn't it?
CAROLE THERIAULT. I've heard so. They have them a lot in hotel rooms, I've seen.
GRAHAM CLULEY. Wouldn't it be good to have a sequel? You could get an AI to write a follow-up. And make some money that way. Has this podcast been banned yet, by the way?
CAROLE THERIAULT. There was a recent article on this very topic in phys.org. Computer scientists from the University of Kentucky used AI to reveal the contents of a carbonized papyrus that was burnt in the eruption of Mount Vesuvius in AD 79, or 79 AD.
Scientists looked through 3D X-ray images of the papyrus, and they trained AI to read letters in the scrolls based on subtle changes left in the structure of the papyrus by the ancient ink. And the AI was able to decipher and translate the ancient Greek word for purple on the scroll. That's pretty cool, don't you think?
GRAHAM CLULEY. Well, I'm sorry, Carole, I'm somewhat distracted by the fact that you say papyrus rather than papyrus.
CAROLE THERIAULT. Is that how you say papyrus?
GRAHAM CLULEY. Well, it's what I say, but the number of times I've been criticized for my pronunciation on this podcast, like with Caesia, and other words. I hate to bring it up, but I feel I should say something. Surely it's papyrus.
ALLAN LISKA. Since we're going to criticize pronunciation, something, again, as a longtime listener, I've always thought the way you say Carole reminds me of the way Rick would say Carl in The Walking Dead. So I'm just going to throw that out there for the world to have.
GRAHAM CLULEY. Anyway, back to the AI 3D, this thing.
CAROLE THERIAULT. So you're able to basically take things that human eyes can't see and basically reveal it. So think of ancient texts, in the Indian subcontinent, for example. They may be in a Sanskrit language or Gupta script, and these could be processed, translated for all. It's kind of amazing.
GRAHAM CLULEY. Yeah. Very cool.
CAROLE THERIAULT. What about AI worship? So some argue that it could lead to the production of works of art, the formation of new communities, and perhaps attempts to change society for the better.
There was a recent article in The Conversation, this is included in the show notes, listeners, that explains how we are about to witness the birth of a brand new kind of religion, and it predicts the emergence of sects devoted to worship of AI.
GRAHAM CLULEY. For God's sake.
CAROLE THERIAULT. Is that a little scary?
GRAHAM CLULEY. As if religion hasn't caused enough problems in the world, we're now going to have an AI religion as well. This is brilliant. So lovely.
ALLAN LISKA. To me though, to me though, I think what we're actually going to see, because each religion is going to train their AI in their own scriptures, and I think what we're going to have is a battle of the different religious AIs. So the Mormon AI taking on the Catholic AI, taking on the Protestant AI, persecuting each group, right?
Exactly. I think we're gonna have the different religious trained AIs just all battling each other out, man.
CAROLE THERIAULT. Yeah, I think you're right. And remember we had the Pope in the puffer jacket?
GRAHAM CLULEY. Oh yes, yes, yes.
CAROLE THERIAULT. That was a bit of a joke, but if you just expand it a bit, it's a bit scary. But do you know what the Pope's biggest worry about AI is?
GRAHAM CLULEY. I don't know. What is his biggest worry?
CAROLE THERIAULT. It's apparently the impact AI will have on the elderly and the vulnerable. They will be left behind and perhaps not be able to interact with our new AI-driven society.
GRAHAM CLULEY. That's funny because I'm more worried about when AI does interact with members of society. I think good for the older people that they won't have anything much to do with it.
CAROLE THERIAULT. But see, my question at this point was, who advises the Pope on these matters? I mean, really, what does he know about AI?
ALLAN LISKA. Oh, well, I mean, there are a lot of scholars in the Vatican, so I imagine they have religion and AI scholars. They would have to. They have scholars about everything else.
CAROLE THERIAULT. Correct. Correct, Allan. Enter Franciscan friar Paolo Benanti. He is the man who has both the ear of Pope Francis as well as the Italian prime minister.
And this guy is not just a friar. He's an ethics professor, an ordained priest, and a self-proclaimed geek. And he is very active in this AI debate.
Benanti writes papers like Rome's Call for AI Ethics, suggesting the moral ground rules for AI use. In it, the friar/professor highlights the essential principles of transparency, inclusion, accountability, impartiality, reliability, security, and privacy.
Papers like this led Benanti to be appointed last year as one of the 38 experts selected by the UN Secretary-General as the new advisory body on AI. And according to Politico, Benanti is most worried about two potential consequences when it comes to AI.
GRAHAM CLULEY. Oh, okay.
CAROLE THERIAULT. OK, so first is the impact that AI, especially when controlled by big tech monopolies, might have on jobs. So the impact on the job market. He says, quote, "What we are seeing right now is not a canary in the coal mine as much as a vulture trying to eat our carrion." So that's colorful.
GRAHAM CLULEY. I was actually contacted by someone who's lost his job because of AI.
CAROLE THERIAULT. Really? Can we know what his job maybe was?
GRAHAM CLULEY. He is a journalist. He, well, he's a sub-editor. So he used to check other people's copy, looking for mistakes, improving the text. And he says he's been completely replaced now by AI.
ALLAN LISKA. A lot of that's happening though. I mean, you know, we hear stories all the time about news sites going entirely AI to write articles, and you lose a lot with that. But I guess if you're the owner, you save a lot of money.
GRAHAM CLULEY. That's it.
CAROLE THERIAULT. That's a very interesting point, Allan. I'm going to be touching on that. So secondly, his second point that Benanti is unsettled by is the prospect that some people might be becoming overly reliant on AI systems for key choices. So he says, quote, "We need to give back to people the ability to decide by their conscience."
And in recent weeks, the 50-year-old Padre, who coined, interestingly, coined the term AlGorithms. And I can think of someone that might have wished he'd come up with that himself — someone from a while ago who ran for president of the USA.
Benanti joined the Microsoft papa Bill Gates at a meeting with Italian Prime Minister Giorgia Meloni. And there Benanti presided over a commission seeking to save Italian media from ChatGPT bylines and general AI oblivion.
So he seems to be the go-to guy for all things AI and ethics. He hangs out in the Pope's circle. He has the ear of political leaders. Global tech giants go to him for some advice.
And he seems to be trying very hard to put the ethical brakes on something that might have been allowed to bolt from the stables, maybe perhaps some might think a little early. What are your thoughts here, guys? Allan?
ALLAN LISKA. I'm stuck on friar. The only friar I know is Friar Tuck from Robin Hood fame, and I would not want that dude in charge of AI ethics. I wish it was a Jesuit that was actually doing this. And I know that I've just derailed your whole conversation, which is really important to have, but I can't help it. The friar thing really sticks in my craw.
CAROLE THERIAULT. What about you, Cluley? Do you think it's too late to try and apply ethics or an ethic code to the use of AI?
GRAHAM CLULEY. Yes, probably, but you should still try. I mean, obviously, barn door is open, everything's bolted, but no harm in trying to create some kind of standards and some kind of ethics, but inevitably, it will be broken and ignored.
CAROLE THERIAULT. So, I thought the same, right? But then I was thinking cars, right? When cars were first invented, they had no seatbelts, no airbags, little concern for security. You could drive sauced to the eyeballs without a worry in the world, and it was only the accidents and the needless deaths across the lands that led to rules and regulations, right, that we totally depend on now. So maybe that's how it works.
ALLAN LISKA. And that may be. I mean, government always plays catch-up with new technology, which is what we're seeing now. Governments around the world trying to regulate AI when AI has been around for more than a decade now. They're now trying to regulate it. And so I think we're going to have to go through much more pain before we get to good regulation of AI. And then just car companies, the AI companies are going to spend their hard-earned money lobbying the government to loosen whatever regulations they put in place.
CAROLE THERIAULT. I don't know. Do you have any worries that he represents a major religion or has affiliations with a major religion and is also advising on this?
GRAHAM CLULEY. Everyone's got a vested interest in something. Everyone's got, having their back pocket filled with someone's money or other, aren't they? Or they're affiliated with some business or—
CAROLE THERIAULT. Who's your patron, Graham?
ALLAN LISKA. Me?
GRAHAM CLULEY. The lovely patrons of Smashing Security. That's who it is. And our sponsors, of course.
ALLAN LISKA. Ah.
GRAHAM CLULEY. With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market. And that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses, supporting endpoints seamlessly. Now, many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI, you'll find out how long before ransomware, and it can be months or years, it has already protected its customers. Staying one step ahead is central to everything BlackBerry does. And in fact, it's your 24/7 AI-driven security partner. So visit smashingsecurity.com/blackberry to find out more. And thanks to them for supporting the show.
CAROLE THERIAULT. This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets.
It would effectively lock them out. Welcome to Kolide, a world where access is only given to approved secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning less resources are needed to effectively operate a more secure environment.
Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing. That's K-O-L-I-D-E.com/smashing.
And huge thank you to Kolide for sponsoring the show.
GRAHAM CLULEY. Shortcut compliance without shortchanging security. That's what Vanta can bring your company. Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money.
Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com/smashing to claim your discount. That's vanta.com/smashing.
And thanks to Vanta for supporting the show. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
ALLAN LISKA. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. In fact, it's not a Pick of the Week. It is a Nitpick of the Week.
Oh, no. Dun dun dun.
Because in readiness for this program, I thought, what am I going to choose as my Pick of the Week for the next episode? And my eye was drawn to a series streaming on Netflix called One Day, based upon a book, based upon an awful movie.
Apparently it was rubbish. I hadn't read the book, I hadn't seen the movie, but it sounded kind of romantic.
I thought, oh, this sounds like my cup of tea. It's about a couple and they— you see them, they meet when they're just graduating from university on a particular day of the year, and it comes back to them every year on that day, what's happened in their lives, follows them over 20 years.
And I thought, oh, this could be really cute. It got a great review in The Guardian.
That's why I was drawn to it. I thought, okay, I'll check this out.
And it was all right at first. It was all right.
And I have to be honest, by the end of it, I actually quite liked it a lot. But it took me longer than I expected to like it.
And that's why it's not my pick of the week. But what is my nitpick of the week are subtitles.
I love subtitles. I put subtitles.
I turn the subtitles on everything because I find I follow more of the plot. I hear what they're saying.
I'm reading the subtitles all the time. I'm reading the subtitles.
I'm watching this program and I think, oh, this is cute, this is cute. And then I noticed something in episode 1 of One Day, which carried on through the following 12, 13, 14 following episodes.
And it was every time— at first it was the boy's character, the man's character. Every time he went like that, it would write "clicks mouth" in square brackets.
CAROLE THERIAULT. AI-generated subtitles.
GRAHAM CLULEY. Well, I don't know what it was. But it was unnecessary to tell me he's just clicked his mouth.
It was not relevant to the plot. And it was getting— it was just sometimes—
CAROLE THERIAULT. You see, you should be drinking a bit. Then you could have a drinking game and you could have a, you know, a little slurp every time they did something quirky.
GRAHAM CLULEY. I think there was just a little bit of tackiness on his tongue sometimes. Maybe the way he spoke, he just— and it was doing it all the time.
And I was speaking to my partner. I said, did you notice how they keep on saying clicks mouth?
And then the female character, she was clicking her mouth. And by the end of about episode 4, every time it said, "Clicks mouth," I was like, "There's another one. There's another one."
And it was taking me out of the— "Clicks mouth." "Just done it again."
It wasn't necessary. I'm sure anybody who has some hearing impairment was not having their enjoyment of the drama improved by saying, "Clicks mouth."
And then it would say things like, "Keys jangle," when he put his keys into the bowl.
CAROLE THERIAULT. How's your blood pressure, dude?
GRAHAM CLULEY. I'm beginning to wonder.
CAROLE THERIAULT. Me too.
GRAHAM CLULEY. But I want the subtitlers of this world to realise I want to know what they're saying. I don't mind if there's a sound which would actually help people who are hearing impaired to tell them, oh, there's a police car outside, or there's a screech of, you know, something like that, or a gunshot.
That's fair enough. Clicks mouth?
Not necessary. That is why it is my nitpick of the week.
Thank you.
ALLAN LISKA. Very nice.
GRAHAM CLULEY. Allan, what's your pick of the week?
ALLAN LISKA. Actually, my pick of the week is The Saint.
GRAHAM CLULEY. Oh. Ah, not the movie with Val Kilmer.
Val Kilmer, I hope.
ALLAN LISKA. No, no, the original television series and the books.
GRAHAM CLULEY. Ah.
ALLAN LISKA. I've been just feeling nostalgic lately, and so I've been rewatching the Saint series on TV and then rereading some of the books. So I have a first edition copy of— first edition British copy, I should say.
CAROLE THERIAULT. Yeah.
ALLAN LISKA. And I've always been a big Saint fan. I think maybe that's one of the reasons why I'm in InfoSec, because it feels like, you know, he was a precursor to kind of what we do here.
GRAHAM CLULEY. Allan, before you go on, there will be some young people listening to the podcast who are not familiar with The Saint or indeed Return of the Saint with Ian Ogilvy with the flashy car. Maybe you can tell people what the premise of The Saint is.
ALLAN LISKA. So The Saint is an anti-hero, and in the books he's much more an anti-hero than he is in the television series and then the movies and then the god-awful Val Kilmer movie. Please don't watch that. Also, don't watch the— even though it's got Eliza Dushku in it, who I love, please don't watch the 2016 series from Paramount.
That was also bad. The Saint is just a rich guy because he's a thief, and he goes around and he helps people, but he also helps himself while he's helping people.
CAROLE THERIAULT. It's kind of Robin Hood, isn't it?
GRAHAM CLULEY. Right.
ALLAN LISKA. So he's often referred to as a modern-day Robin Hood. A lot of the British '30s, '40s, and '50s antiheroes— so if you look at the Green Archer and the Saint and all of these, they were the antihero.
They did a little bit of good and a little bit of bad. You can find it, at least in the US, on Amazon Prime, so if you have Amazon Prime, you can watch all 6 seasons of it.
And that's kind of what I've been doing. My specific pick of the week is Leslie Charteris said one of his favorite places to vacation was Palm Springs in California, and so he wanted to do a movie, The Saint Goes to Palm Springs, and he got the script optioned, and then the movie studio sat on it forever.
So in May of 1941, he did a piece with Life magazine where they went to Palm Springs and they did a pictorial detective story. So it was basically him telling his story through pictures and a little bit of writing, and it's all laid out in this magazine.
And I managed to get a copy of it, and it's just great to read through. It's also great to see what 1941 Life magazine is like with, you know, because obviously World War II was going on, and so there's another thing that's a pictorial of Army uniforms and Navy uniforms and so on.
And there's an ad for Boris Karloff's favorite shaving cream in there and all kinds of things. But I absolutely just love this pictorial story.
It was a great read. I want to bring back The Saint as a comic book if I could ever get the rights to that.
And I mean, I already have my first plot lined out here. It's going to be called The Saint Gets a Text, and it's one of those texts that comes in that is like, hey, I'll be there in 5 minutes, and you don't know who the person is.
And then they start a conversation pretending to be your friend and they steal all your cryptocurrency. You know, started with that.
But the Saint, of course, would turn the tables and shut down the entire operation. While the police are yelling at him for doing it wrong.
GRAHAM CLULEY. Yeah, he never used drones, Allan. Never used drones.
ALLAN LISKA. He didn't have to. If I were as cool and suave as the Saint is, I would not have to use drones either. But I'm just not that cool or suave.
CAROLE THERIAULT. I just need a silk scarf and a martini glass, it seems, no?
ALLAN LISKA. Right, exactly. He was more of a bourbon.
It was only when he was— when Roger Moore was James Bond that he went to martini, but he was more of a scotch or bourbon kind of guy.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. So last week, my pick of the week was a little bit dark. So I'm going to U-turn and give a feel-good series to check out.
It's called God's Favorite Idiot. And it's from our pals at Netflix.
And the premise is very simple. A tech support employee becomes the unwitting messenger of God.
It is actually quite funny. I actually laughed out loud, which doesn't happen very often.
Melissa McCarthy is the star of the show, and it was written by her husband and frequent collaborator Ben Falcone. Falcone plays Clark, the mid-level tech support worker, a normal average guy, until he's struck by lightning from a divine cloud and starts getting weird powers.
That are hard for people to ignore. And McCarthy plays Emily, a coworker and a romantic interest of our tech support guy who's been touched by God, and you're watching them kind of fumble along.
Plus, you've got Satan running amok, and God has chosen Clark to be the messenger, and his job's to spread the word and strengthen the hand against the diabolic forces coming for us all. So it's quite light.
Yeah, it's a bit like that show, what was that show with Ted Danson, The Good Place?
GRAHAM CLULEY. Oh yes, that's called—
CAROLE THERIAULT. Yeah, it has that kind of feel. So it has that kind of over— there's lots of color and it's kind of light and fun.
It's a very good thing to do while you're making dinner to watch, or if you've had a hard day. It's funny.
So if that sounds like your thing during your downtime, you can find it on Netflix. It's called God's Favorite Idiot, which is a very sweet title.
And that's my pick of the week.
GRAHAM CLULEY. God's favorite idiot. Fantastic.
Well, that just about wraps up the show for this week. Allan, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What's the best way to do that?
ALLAN LISKA. So if you're on Bluesky, it's just ransomwaresommelier.com. And if you're still on Twitter, it's @uuallan, U-U-A-L-L-A-N.
GRAHAM CLULEY. Terrific. And you can follow us on Twitter at @SmashinSecurity.
Security, no G, Twitter @LastPass with a G. We also have Mastodon accounts and look up the Smashing Security subreddit.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And huge, huge shout out to our episode sponsors, Kolide, BlackBerry, and Vanta, and to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list and the entire back catalog of more than 358 episodes. Oh my God.
Check out smashingsecurity.com.
GRAHAM CLULEY. Until next time. Cheerio.
Bye-bye.
CAROLE THERIAULT. Bye. How'd you do?
How'd you feel, Allan? All right.
ALLAN LISKA. I felt good. How did you all feel?
This is a real honor for me, so I hope I didn't ruin your fantastic show.
CAROLE THERIAULT. Oh no, you didn't ruin anything. You were a fabulous guest.
GRAHAM CLULEY. Pleasure to have you on. I think you may have done something for America's foreign policy against ransomware gangs, and that may cause some international incidents.
ALLAN LISKA. But other than that, I think I'm a walking international incident, so that's perfectly fine.