Listen early, and ad-free!

398: Fake CAPTCHAs, Harmageddon, and Krispy Kreme

With , ,
December 18, 2024
Read the transcript

This week, we delve into the dark world of fake CAPTCHAs designed to hijack your computer. Plus, the AI safety clock is ticking down – is doomsday closer than we think? And to top it off, we uncover the sticky situation of Krispy Kreme facing a ransomware attack.

All this and more is discussed in the latest jam-packed edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley of "The AI Fix" podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • BigID - Start protecting your sensitive data wherever it lives with BigID. Get a free demo to how your organization can reduce data risk and accelerate the adoption of generative AI.
  • ThreatLocker - the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript +

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. Have you heard of these fake CAPTCHAs before, Carole?

CAROLE THERIAULT. No, but I've heard of, you know, copying and pasting things into—

UNKNOWN. Yes, yes, well done, well done. Yes, we've got copy and paste. Are you telling me copy and paste isn't safe anymore, Graham? Smashing Security, episode 398. Pharmageddon and Krispy Kreme with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 398. My name's Graham Cluley.

CAROLE THERIAULT. And I'm Carole Theriault.

GRAHAM CLULEY. Now, Carole, Christmas is rapidly approaching, and what better can we do than deliver to everyone a little present in the form of a special guest return to the show? We have Mr. Mark Stockley from the AI Fix podcast.

MARK STOCKLEY. Thank you very much. I've never been described as a little present before.

CAROLE THERIAULT. No, me neither. I'm just picturing you with your legs coming out of a box.

MARK STOCKLEY. Maybe he meant not fully present rather than a small wrapped package.

CAROLE THERIAULT. Yes, this is our last episode for a few weeks. We'll be back obviously in the new year, 2025.

MARK STOCKLEY. Oh my God.

CAROLE THERIAULT. Oh my God.

GRAHAM CLULEY. Yeah. Now we've had some feedback from listeners. A couple of them have been in touch. First up, Nathan White. He's been in touch and he says, Graham, I don't think you should let Carole disparage you. That's not the end of his message. He says, being born in 1969 puts you in Gen X, not the boomer generation. Tsk, tsk, Carole. And similarly, listener Evans got in touch, said, hey guys, love the show. Want to make a slight correction. Graham was born in 1969. He's a Gen Xer rather than a boomer. Be proud, Graham. You are part of the best generation. Carole, it looks like we are in the same generation.

CAROLE THERIAULT. So embarrassing that you're in my generation.

GRAHAM CLULEY. Do you wish to make a formal apology to our listeners?

CAROLE THERIAULT. No, I do not. If you guys knew Graham, you would understand why I made that mistake. I just think it was innocent.

MARK STOCKLEY. You're saying spiritually he's a boomer?

CAROLE THERIAULT. Spiritually, he's definitely a boomer. Definitely. What, you're gonna let me hang on not apologizing? I'm okay with that.

GRAHAM CLULEY. Let's kick off the show, shall we?

CAROLE THERIAULT. Okay, that's what I'm gonna do. I'm gonna kick off the show instead. Let's thank this week's wonderful sponsors, 1Password, BigID, and ThreatLocker. Now coming up in today's show, Graham, what do you got?

GRAHAM CLULEY. I'm gonna be saying don't get caught out by CAPTCHAs.

CAROLE THERIAULT. Okay, and what about you, Mark?

MARK STOCKLEY. I thought we'd keep it light. I'm gonna talk about the end of the world.

CAROLE THERIAULT. The end of the world, wonderful. And I'll keep it light and talk about how hackers almost stole Ransomware Grinchmas. All this and much more coming up on this episode of Smashing Security.

GRAHAM CLULEY. Now, chums, my topic for today all revolves around completely automated public Turing tests to tell computers and humans apart.

MARK STOCKLEY. Sorry, Turing tests?

GRAHAM CLULEY. Yes.

MARK STOCKLEY. Is that a test to see if you're in Italy?

GRAHAM CLULEY. Turing tests, as in Alan Turing, as in Bletchley Park.

MARK STOCKLEY. Oh, there's a G on the end. Sorry.

GRAHAM CLULEY. There is. I quite often drop the G. It's a little bit like Twitter used to do with our Smashing Security account. So these are also known as CAPTCHAs.

CAROLE THERIAULT. Mm-hmm.

GRAHAM CLULEY. And as you know, CAPTCHAs are used by websites to stop bots getting in. They're supposed to be able to tell the difference between a human and a computer. They'll ask you to complete a test or a task designed to be easy for humans to complete, but tricky for a computer. It's funny that they say CAPTCHAs are supposed to be easy for humans to complete, aren't they? Because that's not always been my finding.

CAROLE THERIAULT. Yeah, they're weird. Some of them recently, like, you know, spot the bus, for example. And then there's these tiny little images. There's 9 of them. And you have to go through and go, is that a tiny bit of a bus mirror?

GRAHAM CLULEY. Are you wearing your glasses, Carole? Because I know you are of a generation which maybe requires glasses now. Is it that you need to increase the resolution on your screen, perhaps?

CAROLE THERIAULT. No, actually, I've been wearing glasses since I was 16, actually, Graham.

GRAHAM CLULEY. Time for a new prescription, perhaps.

CAROLE THERIAULT. No, but you know what I mean? I find it sometimes difficult. I'll get them, but they do slow me down.

GRAHAM CLULEY. Yeah.

MARK STOCKLEY. Have you ever used the dark web?

CAROLE THERIAULT. Me?

MARK STOCKLEY. No.

CAROLE THERIAULT. No.

GRAHAM CLULEY. Might have done. Who's asking?

MARK STOCKLEY. Have you ever been to a marketplace on the dark web? Like the kind of place where you can go and buy stolen driver's licences or drugs or anything like that?

GRAHAM CLULEY. No. None of us have done that, Mark. And none of our listeners should do it either.

MARK STOCKLEY. Well, for research purposes, I have done that. Oh, let me tell you, however hard you think the hardest CAPTCHA you have ever faced is, there is a whole other level of utterly terrifying CAPTCHAs that sit in front of these marketplaces. Not only are they utterly unfathomable, but they all come with timers.

GRAHAM CLULEY. Yes.

MARK STOCKLEY. And some of the timers are really fast, like they're ticking over in microseconds. Basically, you're building up a big sweat. It's just terror.

GRAHAM CLULEY. It's a little bit like a ticking bomb.

MARK STOCKLEY. It's a lot like a ticking bomb. Yeah.

GRAHAM CLULEY. Red wire, blue wire. And you always stop the bomb just two seconds before it's gonna go off. When CAPTCHAs were first invented, computers weren't particularly great at reading text. So there were a lot of CAPTCHAs which involved you deciphering text, especially if the text were distorted, if there are funny squiggles in the background, computers could have real trouble with that. But humans generally are pretty good at that kind of thing.

Unfortunately, computers got better at solving CAPTCHAs over time. And people think, well, how come they got so good at this? Is there some technology? Well, the reason why CAPTCHAs became easier for computers to solve was because CAPTCHAs actually had a dual purpose. So, Carole, you must have seen those CAPTCHAs which ask you to say which two squiggly words are in front of you, right? You get a word which has been scanned in from a document somewhere, and another word is—

MARK STOCKLEY. Yep.

GRAHAM CLULEY. And so you type in both words, don't you?

CAROLE THERIAULT. Right, right.

GRAHAM CLULEY. Yeah.

CAROLE THERIAULT. You type in the word that—

MARK STOCKLEY. Yeah.

CAROLE THERIAULT. Yeah. And then they go, yes, you're correct.

GRAHAM CLULEY. That's right.

CAROLE THERIAULT. Crazy human eyes were able to make that out, but a computer never would be able to.

GRAHAM CLULEY. So what might surprise you is a lot of those CAPTCHAs, they knew what the first word was. They didn't know what the second one was. And so they actually are testing you on the first word, and they're trying to work out what the second one is by asking thousands and thousands of people, what is this second word? We think it's a word. What is it?

CAROLE THERIAULT. What, 'cause the CAPTCHA system needs motivation?

GRAHAM CLULEY. No, because the CAPTCHA system needs training.

CAROLE THERIAULT. Right.

GRAHAM CLULEY. And so when enough thousands of people have said, "Oh, that second word is equinox," or whatever it might be, then it might start using it as the first word. Once it trusts that enough people have said the same thing, the same answer to that.

CAROLE THERIAULT. That's cute. Yeah, yeah, that's very cute. I like that.

GRAHAM CLULEY. Yeah. So over time, the CAPTCHA learned what— now that has another benefit.

So millions and millions of people around the world are telling these systems what scrawly squiggles actually say. And that has helped media companies digitize their ancient newspaper archives.

It's helped Google digitize their book collection. It's made OCR so much better.

So we have actually been training computers how to understand squiggly and deformed words much better, which of course has made them better at answering CAPTCHAs and defeating CAPTCHA systems.

CAROLE THERIAULT. So, are you a human?

GRAHAM CLULEY. Hee hee hee hee.

CAROLE THERIAULT. I will show them.

MARK STOCKLEY. I feel played.

GRAHAM CLULEY. So the next system— So obviously the problem was then that these word CAPTCHA systems weren't so good. And so they began to use image CAPTCHAs, the kind of thing you've just mentioned, Carole.

CAROLE THERIAULT. Right.

GRAHAM CLULEY. You might be asked, for instance, click on all the buses. Or click on every square that contains part of a staircase or part of a trellis.

Now, I know what a traffic light looks like. Okay? I'm not sure.

CAROLE THERIAULT. I've been in a car with you as the passenger. I'm just saying.

GRAHAM CLULEY. I know they've got a green light, they've got an amber light, they've got a red light, right? I know that. But when I'm faced with one of those things, I'm always thinking, do I have to select the pole as well?

How much of the traffic light do I have to get? Or if it's a staircase, do I have to do the handrail too? It's a nightmare.

MARK STOCKLEY. This is getting a bit metaphysical. What is the actual boundary of the traffic light?

Is there a boundary? What is a boundary? Aren't we all in some way part of a traffic light?

CAROLE THERIAULT. This is very interesting and very insightful into how your brain works that you would think these things.

GRAHAM CLULEY. Oh, come on. You must have done CAPTCHAs and thought, am I clicking on the real thing or not?

Is this really what they mean? Is this really what the correct answer is? But again, it's true.

Over time, you and thousands and thousands of other people around the world are training a computer somewhere how to recognise things, which is really handy if you want to let a future computer system loose on the roads in a vehicle.

CAROLE THERIAULT. And let me get more meta than that. We have been training ourselves at getting better at understanding what these CAPTCHAs want from us when they say, yes, pick out the traffic lights.

GRAHAM CLULEY. Yeah, we're beginning to understand.

CAROLE THERIAULT. We're being trained as well.

GRAHAM CLULEY. Yeah. And we are also training robot dogs one day to climb staircases. Well, because it's easier for a robot dog to climb a staircase. Well, I don't know, up the stairs rather than up the handrail. I'm not sure.

But ultimately, this is obviously going to lead to the demise of human civilization because we are training these computer systems so powerfully to understand the world around them. At the same time, the CAPTCHAs, of course, are struggling to keep out the non-humans.

They're trying to keep the robots out, but we're also helping computers view the world in a more human-like way. And that's why you sometimes see crazy CAPTCHAs.

I've seen CAPTCHAs which have asked you to choose piano chords. I saw one which says, 'Can you find the mate in 5 in a chess puzzle?'

What? Now admittedly, that was on a chess website.

CAROLE THERIAULT. Okay.

GRAHAM CLULEY. So it assumed a certain level of knowledge. But we all know now that computers are better at playing chess than humans.

So again, if you had a computer which knew that lots of chess puzzles were used in CAPTCHAs, then surely it would be a common attack method to have a CAPTCHA-beating system built into a computer system which knew how to solve chess puzzles.

CAROLE THERIAULT. Right. And breathe.

GRAHAM CLULEY. So these things are horrific. And there's even a subreddit called Captchas from Hell, which details just how impossible or almost impossible to complete different CAPTCHAs are.

Now, there have been attempts to do CAPTCHAs in a way which is easier for us humans to handle, but still keep out robots. There are systems by Google and Cloudflare, for instance, which can be just as simple as ticking a checkbox to confirm, which is lovely.

MARK STOCKLEY. Yeah, that's all it is. That's all it is. It's just ticking a checkbox.

GRAHAM CLULEY. Well, that's all it is. On the outside, in the user interface point of view.

MARK STOCKLEY. Yeah. It is in many ways far more worrying.

CAROLE THERIAULT. No, but it's like a bouncer at a club, right? You've got to go through the rigmarole, and they're like, okay, you're in.

MARK STOCKLEY. It's like a bouncer. It's like a bouncer at a club if the bouncer has been following you all day.

GRAHAM CLULEY. Yes. And does a biometric scan on you.

MARK STOCKLEY. So by the time you get to the club door, it's like, yeah, they're fine.

GRAHAM CLULEY. So these systems aren't perfect. And my overall point is we live in a world of CAPTCHAs.

We're not unused to seeing these things, and sometimes we get frustrated by them, and it's not as though they're unusual to us. And this is something that cybercriminals are now taking advantage of.

So imagine there's something you are really keen to get your hands on, maybe an article you're keen to read or something you want to download. Maybe you fancy grabbing a piece of software without paying through the nose for it, or grab a movie that your streaming service isn't offering you.

Illegal driving licenses, whatever it may be.

MARK STOCKLEY. Yeah.

GRAHAM CLULEY. So you go to a website, doesn't have to be on the dark web, Mark, and eventually you hit a wall, you hit a brick wall, and someone's asking you to log in or create an account to access what you want. And what happens is a seemingly legitimate CAPTCHA thing pops up, a little page with a big button which basically says, click here to say you're not a robot.

CAROLE THERIAULT. Right.

GRAHAM CLULEY. So that's what you do, right? It's a normal thing to see.

Yeah. So you click on that thing.

And it says, to confirm you're a human, you've just got to do a very simple process, it says. What we'd like you to do—

MARK STOCKLEY. Enter your credit card details. Yeah, I'm waiting.

CAROLE THERIAULT. I'm just waiting to see. Yeah.

GRAHAM CLULEY. What we'd like you to do is press this sequence of keys. Press the Windows button and R, then Ctrl+V, and then Enter. And that will fix your browser to allow you to come in. 'Cause at the moment, the CAPTCHA system isn't working.

CAROLE THERIAULT. Okay, so right away I would be like, Windows button? What are you talking about?

GRAHAM CLULEY. Okay, well that's 'cause you've got a Mac.

CAROLE THERIAULT. Right, so that would alert me that there'd be a problem. So I'm out.

GRAHAM CLULEY. In this particular example, I'm giving you the Windows version, but could it just as easily be a Mac version? So they're saying, sure, let's press Windows+R, so there's a little Windows button in the corner of your keyboard, and the R, then Ctrl+V, and then Enter. And boom, you have done something very wrong because that has triggered—

MARK STOCKLEY. They've put something into your clipboard.

GRAHAM CLULEY. That's exactly it. What they've done is a malicious script has been copied into your clipboard. And when you pasted with Ctrl+V into the Windows Run command, you have actually just executed a really sneakily crafted PowerShell command, and that is now downloading from the internet malware which is going to target your social media accounts, trying to steal your banking credentials, your passwords, your personal files.

As far as you as the user are concerned, you just went Windows+R, Ctrl+V, Enter, blink blink blink, and it's done. But you have actually installed malware.

So it's a very clever social engineering trick, taking advantage of the fact that people want to gain access to something, that they're used to seeing these CAPTCHA messages popping up on their screen. And it cleverly waltzes around the protection of traditional security tools because it's you manually entering a command on your computer.

It's as though you were at the command line or inside the Windows Run dialog because you have manually asked your computer to go and download a piece of software. It's not an external piece of software or malicious script on a website that's automatically doing it for you.

CAROLE THERIAULT. Yeah, I just want to say thank you to our listeners who have tuned in to our festive episode. It's pretty scary. Thank you.

GRAHAM CLULEY. More Christmasy stuff later. Mark's story apparently is going to be very jolly. So it's really clever. And security firms like—

CAROLE THERIAULT. It's also old school. It's a bit old school.

GRAHAM CLULEY. Is it? Have you heard of these fake CAPTCHAs before, Carole?

CAROLE THERIAULT. No, but I've heard of, you know, copying and pasting things into. Yes.

GRAHAM CLULEY. Yes. Well done. Well done. Yes, we've got copy and paste. Are you telling me copy and paste didn't save anymore, Grim? So security firms Guardio, Qualys, and others are warning about these fake captchas, which have been spread far and wide across the internet via malvertising campaigns.

CAROLE THERIAULT. What the fuck are we supposed to do? What are we supposed to do? They're warning us. Thank you very much. Okay. We're warned. What do we do?

MARK STOCKLEY. Run high-quality anti-malware software like Malwarebytes, for example.

GRAHAM CLULEY. Who are not sponsors of the show, Mark.

CAROLE THERIAULT. Yeah, you can pay for that.

GRAHAM CLULEY. Can I just point out, Mark sometimes works for Malwarebytes. He's in their employ.

MARK STOCKLEY. I'm just saying, you know, it can't stop you pasting, but actually the thing that then gets downloaded can be stopped.

GRAHAM CLULEY. Yes, ultimately the thing which gets downloaded, that could be recognised by your antivirus software. It may be also that your operating system would say, what's this program you're about to run?

MARK STOCKLEY. And say, do you really want to run it?

GRAHAM CLULEY. But of course, people want to access the counterfeit driving license or the video game that they're trying to download or the version of Microsoft Word or whatever it is that they're trying to grab.

CAROLE THERIAULT. I guess what I was trying to say is the technique may be new, but it's the same old thing of taking advantage of you being impatient from getting A to B and often self-blaming, thinking you've done something wrong or this is a brand new CAPTCHA or, you know, you haven't been paying attention.

GRAHAM CLULEY. Yep.

CAROLE THERIAULT. But you still haven't told us what we're supposed to do, right? You just— beware. Thanks very much, Graham. I just want to say thank you so much. We're feeling much better now. Looking forward to Christmas.

GRAHAM CLULEY. What I would say is be wary of CAPTCHAs which ask you to do unusual things. Unfortunately, CAPTCHAs keep on asking you to do unusual things to prove that you're human.

MARK STOCKLEY. So click all the ears on this antelope.

CAROLE THERIAULT. Yeah. I think this is my point. Just be careful about CAPTCHAs that are weird.

GRAHAM CLULEY. There will be CAPTCHAs in the future, which ask you to turn your webcam on, you know, and do a biometric scan of a part of your body, for instance.

MARK STOCKLEY. So you have been to the dark web.

GRAHAM CLULEY. Stand on one leg.

CAROLE THERIAULT. Show us your belly button immediately.

GRAHAM CLULEY. We are going to analyse your navel. Mark, what's your story for us this week?

MARK STOCKLEY. I've got a question. How close are we to catastrophe? I don't mean this episode specifically. I think it's going okay. I mean, generally.

GRAHAM CLULEY. Well, I think, hang on a minute. We're recording, this episode's coming out on the 19th of December. So in about a month's time, that'll be around about the 20th of January. I don't know if anything particular is happening there, maybe in the United States. So about a month.

MARK STOCKLEY. Let's make it more specific. This is a cybersecurity podcast. So let's talk about computer-driven catastrophe. A world-altering cybersecurity event. How close do you think we are?

CAROLE THERIAULT. Can you describe what that might be?

MARK STOCKLEY. I'm thinking post-apocalyptic, you know, people are eating rats and eating each other.

GRAHAM CLULEY. Ah, are you talking about the year 2038 problem?

MARK STOCKLEY. Is that the Unix epoch?

GRAHAM CLULEY. Yes, that's right. So it's the equivalent of Y2K, which is only 13 years away now, isn't it?

MARK STOCKLEY. So you're saying 13 years. Well, it turns out it's 26 minutes.

GRAHAM CLULEY. Oh.

CAROLE THERIAULT. Oh, good jeez. Okay, can you talk quickly?

MARK STOCKLEY. 'Cause I prepped my story.

CAROLE THERIAULT. We're not gonna get to Pick of the Week before that.

MARK STOCKLEY. I'll try not to take too long, but it's an important question, right? I'll explain why it's 26 minutes in a second, but it's an important question. You want to know when disaster is looming. Let's say you've got an even reasonably modern car. I'm talking to you now, Carole, not Graham.

GRAHAM CLULEY. Rude.

MARK STOCKLEY. You know, it beeps when you're too close to the curb to avoid a bump. It gives you an early warning, and your car is full of other warning lights that show you, you know, your brakes are worn or your oil needs a top-up or whatever. If you're a Mission: Impossible villain, you put a timer on your doomsday device so that everyone can see how close Thom Cruise is to getting blown up. And of course, he never does. But handily, the timer is always there to show you how close we came.

GRAHAM CLULEY. And helpfully, you also have a little speaker, don't you? Attach that to your bomb to go beep, beep, beep.

CAROLE THERIAULT. Yeah, you can convince me on this. I'm on the other side. I'm like, I don't want to know if we're all going to be blown out to smithereens. I'd rather just be sitting here.

MARK STOCKLEY. Maybe go and grab a cup of coffee for the next 5 minutes. But what if we want to think bigger than Ethan Hunt being blown up?

Like some things are even more serious than that. Although that's hard to believe. So we've got the DEFCON levels that nobody understands that tell us how prepared the military is for a potential nuclear attack.

I don't know if you know about the DEFCON levels, but they're the levels that are of no use. Any normal person would make a scale that starts at 1 and gets worse as it goes up.

But DEFCON gets worse as it goes down. But there's something even bigger than DEFCON.

It's called the Doomsday Clock. You've probably heard of it.

GRAHAM CLULEY. Mm-hmm. Oh, yes. How many minutes to midnight?

MARK STOCKLEY. That sort of thing. It was invented in 1947 by an organisation called the Bulletin of the Atomic Scientists, which I think was set up by Robert Oppenheimer and Einstein.

GRAHAM CLULEY. They must have been a fun bunch to have at a party, mustn't they?

CAROLE THERIAULT. Probably about as much fun as this party, I'll tell you.

MARK STOCKLEY. Do you think they were all sat around saying, "Now we've built the world's worst doomsday weapon. What can we do to make things better?" Anyway, every year the Doomsday Clock tells us in January how close we are to midnight.

Which is the moment of catastrophe. And as of January 2024, we're 90 seconds to midnight according to the Doomsday Clock, which is bad.

GRAHAM CLULEY. Right.

MARK STOCKLEY. So in 2012, it was 5 minutes to midnight, and this has been ticking down ever since.

GRAHAM CLULEY. Oh dear.

MARK STOCKLEY. And the Doomsday Clock—

CAROLE THERIAULT. The thing is, is the clock can't go the other way though.

MARK STOCKLEY. That's a good point.

GRAHAM CLULEY. Sometimes winding a clock backwards breaks it, doesn't it? You have to actually go forwards and go round again.

MARK STOCKLEY. I prefer the idea of breaking it, to be honest. I'm sure, I can't remember, I'm sure it went back.

After the Cold War ended.

GRAHAM CLULEY. Oh yeah, makes sense.

CAROLE THERIAULT. No, no, I think, I feel I know this, that it has gone back as well, but I do feel that's illogical. Anyway, crack on.

You're doing great.

MARK STOCKLEY. Anyway, the Doomsday Clock accounts for all kinds of possible disasters, nuclear war, environmental collapse, biological threats, disruptive technologies, and it mentions the rise of artificial intelligence under both of those last two. So under biological threats and disruptive technologies.

So it accounts for a computer catastrophe, but it's not only about a computer catastrophe. So it doesn't really help us with that question I asked at the beginning.

So the IMD Business School for Management and Leadership, which is an organization I'm guessing that nobody on this podcast has heard of, has created an AI safety clock, which is essentially the Doomsday Clock, but focused on AI. And it has a much, much less cool name.

And I imagine they're hoping it's gonna drum up some publicity for them. And according to the AI safety clock, we are currently 26 minutes away from AI catastrophe.

CAROLE THERIAULT. That's better than 14 seconds.

GRAHAM CLULEY. Yeah.

MARK STOCKLEY. You're definitely a glass half full kind of person, Michael Crawford. Well, it's better than 14 seconds.

You may be thinking, wow, 26 minutes, that probably isn't even long enough to get to the end of this podcast. But let me reassure you that these are, according to IMD, symbolic minutes.

It says 26 minutes is a symbolic representation of how close we are to a critical tipping point where uncontrolled artificial general intelligence could pose significant threats.

CAROLE THERIAULT. Okay, symbolic. So relative to what? Like, what does that mean?

MARK STOCKLEY. That is a great question. So anyway, as I was saying, it's a symbolic representation of how close we are to this critical tipping point. And it explains the threats of uncontrolled artificial general intelligence as rapid advancements in agentic AI, intensifying competition in AI hardware, the growing role of AI in military and geopolitical contexts, breakthroughs in AI reasoning, changes in US policy.

GRAHAM CLULEY. How easy it is to detect a traffic light.

MARK STOCKLEY. Now, I note that in that list, it doesn't mention robot dogs with flamethrowers on their back. And I personally think that's a serious omission.

CAROLE THERIAULT. Yes.

MARK STOCKLEY. I would probably take 12 minutes off the clock just for that.

GRAHAM CLULEY. Yes.

MARK STOCKLEY. So as I say, the AI safety clock says that we're 26 symbolic minutes from catastrophe. And frankly, as you alluded to, Carole, I don't know how to read that. Is that good? I mean, it's better than 14 seconds. Is there an algorithm or did an intern spend 26 symbolic seconds thinking about this in a marketing brainstorm? Like, what is this? I just don't know.

CAROLE THERIAULT. When I worked with you guys in the AV industry, right, decades ago, every month we would say, hey, guess what? We detect X number more viruses than we did the previous month. Aren't you safe, Mr. or Mrs. Customer? And that number was an algorithm, right? It was just made up. Literally, it was just made up.

GRAHAM CLULEY. You heard it here first.

CAROLE THERIAULT. Am I allowed to say that?

GRAHAM CLULEY. Breaking news.

CAROLE THERIAULT. I'm just saying they tried.

GRAHAM CLULEY. You were lying to me. You were.

CAROLE THERIAULT. No, I didn't do this. It wasn't me.

GRAHAM CLULEY. Mark, carry on. I'm not talking to Carole.

CAROLE THERIAULT. Anyway, I'm just thinking the number is manufactured and estimated.

GRAHAM CLULEY. It does sound manufactured because 26, why not 25? I'll tell you why not 25, because 25 just sounds, oh, that's a bit too normal. 26 sounds a bit more scientific. Oh, we've put thought into this.

CAROLE THERIAULT. They should have added a decimal point, right?

GRAHAM CLULEY. They would never have said 20 minutes to midnight or half an hour, would they? They wouldn't have said that.

MARK STOCKLEY. Yeah.

GRAHAM CLULEY. It had to be all 26 because we're scientists.

MARK STOCKLEY. So I guess that I don't know, you don't know. I, for one, would like to know how far we actually are from AI Armageddon.

CAROLE THERIAULT. What are you gonna do? What are you gonna do? What's your plan?

MARK STOCKLEY. I'm about to tell you.

CAROLE THERIAULT. Okay.

MARK STOCKLEY. I'm literally about to tell you.

CAROLE THERIAULT. I'm sorry. I'm sorry. This obviously gets to me, right?

MARK STOCKLEY. Anyway, it's all very well talking about captchas and the dark web and all that kind of stuff, but if we're gonna get turned into batteries, this seems like a more pressing security issue. So unfortunately, the AI safety clock doesn't offer an exchange rate for symbolic minutes to real minutes, and I think that would be really useful.

GRAHAM CLULEY. Yes.

MARK STOCKLEY. So I thought maybe we could figure it out for ourselves. So it's widely thought that the worst possible AI catastrophe is the singularity, which is the point where the AI learns to improve itself autonomously and enters this runaway improvement. And the gateway drug for that capability is so-called artificial general intelligence, or AGI.

And over the last year, the bigwigs in AI have been offering up estimates for when they think they'll create AGI. Which isn't the end, but if the end is coming, that's the beginning of the end.

So I thought that we could use their estimates to come up with an exchange rate for the AI safety clock. And my maths isn't great, so I thought the only way to answer this question would be to ask an AI.

So I went to ChatGPT and I gave it 4 estimates. So Google DeepMind CEO Demis Hassabis reckons it's AGI in 10 years.

Sam Altman from OpenAI, he thinks it's about 5 years. Mustafa Suleyman from Microsoft AI, he thinks 3 to 5 years.

And Dario Amodei from Anthropic thinks it's 1 to 2 years. So I went to ChatGPT and I gave it these estimates, right?

And it said that the exchange rate for Demis Hassabis is 202,154 Demis Hassabis Harmageddon minutes. And Harmageddon is a word starting with an H.

GRAHAM CLULEY. Oh my God.

MARK STOCKLEY. Also, I checked that with ChatGPT as well. I said, give me a word meaning Armageddon that starts with H, and it said Harmageddon.

And I'm sure it's not hallucinating. I'm sure that's real. Anyway, there are 202,154 Demis Hassabis minutes to one AI safety clock minute.

And that means there are two Demis Hassabis minutes to one Sam Altman minute and 101,077 Sam Altman minutes to one AI safety clock minute. And Mustafa Suleyman said 3 to 5 years.

So average that out to 4 years. So that's 80,862 Suleyman minutes to one AI safety clock minute.

And Dario Amodei said 1 to 2 years. So that's 1.5 on average.

So that's 30,323 Amodei Armageddon minutes to one AI safety clock minute. The average exchange rate from the estimate of 4 influential AI CEOs is 104,446 AI CEO catastrophe minutes to 1 AI safety clock minute.

So to wrap up, the next time the AI safety clock changes its estimate, because we'll all be watching to see.

GRAHAM CLULEY. Yes.

MARK STOCKLEY. Just listen to this podcast, find the average exchange rate, multiply the AI safety clock time by 104,446, and that will tell you how far away we are from catastrophe.

CAROLE THERIAULT. Sorry, what?

GRAHAM CLULEY. Carole, what have you got for us this week?

CAROLE THERIAULT. Oh, the holidays. Finally, a bit of joy.

For some of us, it's the time of unprecedented indulgence, isn't it? It's the season to ignore scales, loosen the belt a notch or three, or simply toss the belt and don your trusty elasticated slacks and a festive sweater, probably oversized.

GRAHAM CLULEY. Are you dressing as Father Christmas, Carole? That's what it sounds like.

CAROLE THERIAULT. No, but you eat a lot of stuff, right? It's what, you know, you sit there during Christmas, you're having the mince pies and the Stollen and the, "Oh yeah, no, one more biscuit and I'll get passed over the Pringles."

And we all know that we have to pay the pound piper. See what I did there?

Come January, when, you know, all the clothes are going to be a little more tightly encased around our bodies. But of course, January is a long time away when you're looking at the candy canes or shoving a fistful of Honey Nuts into your face.

MARK STOCKLEY. Yeah, it's 15,415 Hassabis minutes or something.

CAROLE THERIAULT. Mark, what is your— what's your guilty pleasure at Christmas? You must keep something for Christmas and—

MARK STOCKLEY. Oh, I'll tell you what it is. It's shortbread. So I love shortbread and people who know me know that I love shortbread. So Christmas comes around and then I get a lot of presents that are sort of suspiciously rattly, very large, heavy metal tin-shaped things in wrapping paper. And the shortbread does not last long.

CAROLE THERIAULT. You're like, just put the butter, sugar, and flour into my face.

GRAHAM CLULEY. Yum, yum, yum. Yeah.

CAROLE THERIAULT. Graham, what about you?

GRAHAM CLULEY. Well, shortbread's a great one, I have to say. But 2024 has been a revolutionary year for me. I've started doing something which I haven't done in all my previous years, which is eating nuts. Not peanuts, not peanuts. But I would eat a Ferrero Rocher these days. Never would have done that in the past. But if someone were to buy me some Ferrero Rocher, I may well snaffle those up.

CAROLE THERIAULT. Oh, really?

MARK STOCKLEY. I like the way you explained that in a way that was sort of, I can tell you think you're a little bit exciting. There was a tone.

CAROLE THERIAULT. Now, it's funny because none of you said donuts. Don't donuts feature in your festive fun?

GRAHAM CLULEY. No. No.

MARK STOCKLEY. No, no, that would be weird.

GRAHAM CLULEY. No, not at this time of year, no.

CAROLE THERIAULT. Krispy Kreme donuts?

GRAHAM CLULEY. Oh, they're American, Krow. That's not what I think of when I think of donuts. I think of traditional British donuts, which aren't glazed.

CAROLE THERIAULT. Yes, well, you're also, sorry, Gen X, boomer. Thing. Yeah. Thanks, guys. Thanks, Nathan. Mark, I know, for example, that your kids are a fan of donuts because I remember a wee trip to London.

MARK STOCKLEY. They were until a trip to London.

CAROLE THERIAULT. Yeah. They ate one donut from this Krispy Kreme place and your youngest went into a sugar coma. I thought I'd killed her. So Krispy Kreme is what I'm talking about. Krispy Kreme. And see, Graham, I think they seem to be everywhere in our neighborhood. At least where I live in the UK, they're in my supermarkets and my gas stations. They're in fast food outlets. They're even in the posh shopping centre where it has its very own boutique.

GRAHAM CLULEY. Hang on, are they sponsoring the podcast this week? They get a lot of— Krispy Kreme, and you're saying how available they are and how delicious and gorgeous they are this time of year.

CAROLE THERIAULT. I'm not saying they're delicious.

MARK STOCKLEY. They are though.

CAROLE THERIAULT. Well, yes. Well, let's see how you feel at the end, whether you think this is all good news. Over the years, Krispy Kreme, okay, have had some unusual and press-worthy marketing strategies. So in 2014, they released a $1,675 American dollar donut as part of a fundraising effort for the Children's Trust. It was covered in 24-karat gold and was decorated with edible diamonds.

GRAHAM CLULEY. Oh, for goodness' sake.

CAROLE THERIAULT. And the inside was made with Dom Pérignon champagne jelly.

GRAHAM CLULEY. It sounds disgusting.

CAROLE THERIAULT. But they don't always get it right. In March 2021, Krispy Kreme announced that they were providing a free original glazed doughnut every day for the rest of the year to customers in the US who could prove they'd received a COVID-19 vaccine. And what a surprise that multiple physicians poo-pooed this move. A former Baltimore health commissioner reportedly tweeted that if a person ate a doughnut every day without making other lifestyle changes, would gain £18 by the end of the year.

GRAHAM CLULEY. That's it. You survive COVID, but you end up having a heart attack.

MARK STOCKLEY. Isn't that weirdly coercive? I mean, I don't hold with any of these vaccine conspiracy theories. And then I hear things and I'm like, what wheels are turning?

GRAHAM CLULEY. Krispy Kreme were behind it all along.

CAROLE THERIAULT. But this year they're celebrating the Christmas season with the Merry Grinchmas collection. Five donut confections inspired by Dr. Seuss's The Grinch Who Stole Christmas, okay? So you can take a look at them if you want. They're in the show notes.

And I was gonna ask you, you can see one that has the Grinch's face on it. Basically it's their main flagship seasonal donut. Whatever that means. Do any of you want to take a guess at how many ingredients might be in that Grinch donut there?

GRAHAM CLULEY. So what we're looking at is something which has the Grinch's face. It's a lurid green colour.

CAROLE THERIAULT. And it's got gooey stuff inside.

GRAHAM CLULEY. I would imagine there's a lot of ingredients in that.

CAROLE THERIAULT. A lot? What? Ten? What's a lot?

GRAHAM CLULEY. Well, I would think 30.

CAROLE THERIAULT. 30. Mark, higher or lower?

MARK STOCKLEY. 714.

CAROLE THERIAULT. Okay, well, you're closer. Look, I've just put it in the show notes. That is the composite makeup of the doughnut, of the one doughnut. There is about— I couldn't even count them. So more than I cared to count ingredients.

GRAHAM CLULEY. There's a very, very long list. Count the commas. The commas will tell us.

CAROLE THERIAULT. Oh, that's smart. That's smart. So here we have these specially made seasonal donuts featuring the Grinch in a global campaign, though I suspect its target market is US of A.

GRAHAM CLULEY. Yes.

CAROLE THERIAULT. And of course, you've got the powers that be at the Krispy Kreme empire waiting to see their festive wanga enter the books. And they experience a nightmare. They experience a nightmare.

GRAHAM CLULEY. A nightmare before Christmas. Yes.

CAROLE THERIAULT. As hackers attempted to steal Krispy Kreme's Grinchmas from them. According to a mandatory K-8 filing on November 29th, Krispy Kreme suffered unauthorized access to its portion of its IT systems. And I'm going to quote the Register here because they got into the Christmas spirit with this article. Its security team waddled into action and sprinkled in support from leading cybersecurity experts, but said that delays in online orders were going to be hard to swallow for some.

MARK STOCKLEY. They wait the whole year for this.

CAROLE THERIAULT. It kind of crippled their online ordering system. And I'm like, what? So yeah, you can order donuts online, of course, to be delivered. Who knew?

GRAHAM CLULEY. It makes sense. It does make sense considering their typical customer demographic.

MARK STOCKLEY. I love that these hackers are doing absolutely nothing to disavow the stereotype of hackers as large basement-dwelling donut eaters.

CAROLE THERIAULT. Now, we don't know if this was a ransomware attack or whether Krispy Kreme paid up. Reports suggest that there's still disruption in some parts of the US in terms of online ordering.

However, a security researcher, Kevin Beaumont, suspects ransomware may be involved. Quote, he said, I've been tracking a ransomware group which I believe gained access to them, meaning Krispy Kreme, in that timeframe. So he said this on Mastodon. Of course, whatever action Krispy Kreme took to pay or not to pay, Krispy Kreme will likely take a hit operationally and financially. So the digital orders represent 15.5% of the company's sales in Q3.

GRAHAM CLULEY. And I know that some Krispy Kreme stores were actually down for a while. They couldn't take credit card payments. So you had to pay with cash while this was happening.

MARK STOCKLEY. How did you know that, Graham? Just because, you know, I'm not judging.

GRAHAM CLULEY. I'm just, you know, I saw posts by people who were upset online that their local stores were mysteriously closed. This was before the announcement happened that they'd suffered a security breach, but already suspicions were beginning to ripple around.

MARK STOCKLEY. Yeah.

CAROLE THERIAULT. So hackers did indeed try to steal Krispy Kreme's Grinchmas. And as Krispy Kreme tightens its financial belts, it hopes you might forego yours.

MARK STOCKLEY. So when you said, "Let's just count the commas," I thought, "That's an easy job for an AI." So I got the text and I cut and pasted it into ChatGPT, and it has been counting the commas until now. It's taken 3 minutes and 13 seconds to tell us that there are 120 commas in that text.

CAROLE THERIAULT. 120 ingredients in a single doughnut. Yum, yum, yum.

GRAHAM CLULEY. BigID helps you uncover dark data, identify and reduce risk, take action through remediation, and scale your data security strategy through seamless integration with your existing tech stack. Start protecting your sensitive data wherever your data lives by visiting bigid.com/smashingsecurity. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI.

Also, there's a free new report that provides valuable insights and key trends on AI adoption challenges and the overall impact of GenAI across organizations. So go visit bigid.com/smashing and thanks to the folks at BigID for sponsoring Smashing Security.

CAROLE THERIAULT. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker.

Imagine taking a proactive deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance.

Onboarding and operation is fully supported by their US-based support team. Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely.

Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/threatlocker.

That's smashingsecurity.com/threatlocker. And thank you to ThreatLocker for sponsoring the show.

GRAHAM CLULEY. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM, MDM can't touch. Go and check it out for yourself at 1password.com/smashing.

That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.

CAROLE THERIAULT. Pick of the Week.

MARK STOCKLEY. Pick of the Week.

GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.

CAROLE THERIAULT. Better not be.

GRAHAM CLULEY. So this week's Pick of the Week has been suggested to me by listener Vin Kennedy. He's been in touch. He is recommending a website called udm14.com. And you're thinking, that's a rather strange name, Graham. What on earth could UDM14 be all about?

Well, it turns out, I'm sure many of our listeners use Google as a search engine, and it turns out that if you add to the end of your Google search URL, the parameter ampersand UDM equals 14, that it will strip out all the ads and all the AI nonsense, like AI overviews and all the other kind of nonsense which has made Google unpleasant to use. And it's almost like being back in 1999 again. And UDM14.com gives you a very easy way to do this. So if you chaps want to try right now, go over to UDM14.com.

CAROLE THERIAULT. Mm-hmm.

MARK STOCKLEY. I'm looking at it right now.

GRAHAM CLULEY. So what you're seeing is you're looking at a webpage which has a Google-style search box in the middle of it. And you type in your search thing there. And it will just simply send that search word or search phrase to Google. With the extra little addition to your search query URL. And what you won't get, or you shouldn't get, are all the sponsored ads and all the stuff in the sidebar and all the other guff.

MARK STOCKLEY. Okay, I'm asking how many ingredients there are in a Krispy Kreme donut.

GRAHAM CLULEY. So you could either use this site or you could add the little bit, the ampersand UDM equals 14 to the end of your URL. Or if you go to udm14.com and we'll put links in our show notes, you can actually find out how to change the default way that your browser uses Google so that every time you do a search, rather than doing it the traditional way where you get all this guff, it automatically adds this parameter onto the end, which you may want to do.

Now that of course isn't the only way to avoid Google's AI guff. You could use DuckDuckGo, you could use Startpage, you could use Kagi, which is a paid-for search engine as well. So there are alternatives, but I know lots of people to use Google as a search engine. And that is why this is my pick of the week.

MARK STOCKLEY. I quite the AI in Google.

GRAHAM CLULEY. Did you it when it told you to put glue on your pizza to keep the pepperoni on?

MARK STOCKLEY. Much more entertaining than looking at tons and tons of ads. I actually think it's quite useful. I find myself using the results from the Gemini bit at the top of Google search results more and more often.

CAROLE THERIAULT. I have bookmarked this Pick of the Week, Graham.

GRAHAM CLULEY. Right. Oh, well, high praise indeed.

MARK STOCKLEY. First time in 398 episodes. When he shoots, he scores.

GRAHAM CLULEY. Mark, what's your Pick of the Week?

MARK STOCKLEY. Carole, do you ever find your podcast co-hosts troublesome? Unpredictable.

CAROLE THERIAULT. Pass.

MARK STOCKLEY. Do you ever wish that they were saying something different? Perhaps you wish that they were, I don't know, more interesting or funnier.

CAROLE THERIAULT. This is a bit personal, Mark.

MARK STOCKLEY. I don't know.

GRAHAM CLULEY. I don't find this on Smashing Security, but I certainly have encountered that on my other podcast.

MARK STOCKLEY. Anyway, I've got just the thing for you. So I don't know if you know, but I am on a podcast called The AI Fix. And one of the things that we do there is we use quite a lot of AI tools.

Generally what happens with these things is you go along and they say, go on, sign in with Google to make it super easy. And you go and look at it and you go, wow, this is garbage, and you never look at it again. And sometimes you need a very specific service, maybe you need to take a transcript of your podcast and you sign up, you give it your credit card, you use the service and then you immediately unsubscribe.

So maybe you pay for a month or whatever, but it's very rare that I actually sign up for a service and then I keep using it. And many, many episodes ago, I thought, wouldn't it be great if Graham was a bit better?

So I went to this website called ElevenLabs, which is a voice synthesiser website. So it uses AI to transform text into speech. So you type something and then the AI will read it and say it out loud.

And you can use it to clone people's voices. So I took about 10 minutes of Graham talking and I fed it into ElevenLabs and it made Graham 2.0. And Graham 2.0 is a pretty good facsimile of Graham's voice, and I can get it to say whatever I want.

GRAHAM CLULEY. Just my voice, is it? It's only copied my voice. It hasn't copied my physical presence or anything else yet.

CAROLE THERIAULT. I don't want you to mimic Graham's voice and make him say, oh, Carole, you're the best, you're the best.

MARK STOCKLEY. You don't want that? No. You don't want him to phone his—

CAROLE THERIAULT. It would be empty.

MARK STOCKLEY. You don't want him to phone his bank and say, "Hi, this is Graham. Please transfer all of your money to my podcast co-host." No! Well, good luck with that because I've already done that, obviously.

But anyway, this thing exists. So I signed up to do this. So I signed up, I made Graham 2.0. We did it on the show, it was funny, and I didn't cancel my subscription.

So I can't remember how much it is, something like £11 a month, something like that. And I keep finding uses for it. I keep wanting to go back and do things with it.

And so this is the one I'm going to recommend because this is one of the few AI tools that I have run into that I actually find I'm using over and over again.

GRAHAM CLULEY. Hang on. Are you finding that you're using it over and over again with my voice or with—

MARK STOCKLEY. No comment, Graham. No comment. No comment, Graham.

GRAHAM CLULEY. So your pick of the week is ElevenLabs. Carole, what's your pick of the week?

CAROLE THERIAULT. Well, mine is security related. I know. This is for all you listeners out there who fancy a little code breaking courtesy of GCHQ.

So you put your energy into GCHQ's Christmas challenge. I think I've put the link in the show notes if you guys want to take a look while I'm jabbering about it.

But basically, puzzles have always been at the heart of GCHQ, says the GCHQ director. And they need skills to solve them. So this year's challenge has 7 puzzles, plus several hidden elements for those who want an extra test.

They're aimed primarily at teens and younger people, but you know, you might want to give it a try, see if you've got the skills to do it. So you can find this at gchq.gov.uk, link in the show notes. And if you're bored over the festive season, you might have a crack at it.

GRAHAM CLULEY. Have you done this, Carole? Have you tried it out?

CAROLE THERIAULT. No. Are you crazy? After I saw the list of what was in a doughnut, I felt weak because I'd eaten one recently.

MARK STOCKLEY. There's a dollar note. There's a king. There's a leg of ham. There's a person on the left of a couple of people, and there is an ace of spades, which I guess could be a card.

Money, king, ham. Person card. I think I've cracked that.

CAROLE THERIAULT. You've got it. If you think you can do better than Mark, check out my pick of the week.

GRAHAM CLULEY. And this presumably is to recruit people into GCHQ, is it? Is this if you do really, really well?

CAROLE THERIAULT. It's just a bit of Christmas fun.

GRAHAM CLULEY. You don't have to read into it. They said that about completing CAPTCHAs, didn't they? And before we knew it, we had robot dogs coming up the stairs.

CAROLE THERIAULT. I'm really looking forward to those. Break.

GRAHAM CLULEY. 26 minutes, everybody. 26 minutes. Well, that just about wraps up the show for today and for this year. Mark, thank you so much for joining us today.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?

MARK STOCKLEY. Just find me at the AI Fix Talk Show.

GRAHAM CLULEY. Fantastic. And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

CAROLE THERIAULT. And massive shout out to our episode sponsors, 1Password, BigID, and ThreatLocker. And of course, to our wonderful Patreon community.

It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 397 episodes, check out smashingsecurity.com.

GRAHAM CLULEY. Until next time, cheerio, bye-bye.

CAROLE THERIAULT. Bye-bye! Nice quick show. Excellent, guys.

-- TRANSCRIPT ENDS --