426: Choo Choo Choose to ignore the vulnerability

In episode 426 of the "Smashing Security" podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation.

Meanwhile, Carole investigates how Grok went berserk, which didn't stop the Department of Defense signing a contract with Elon’s AI chatbot. So who is responsible when your chatbot becomes a bigot?

Plus: Email headaches, SPF rage, and a glowing review for... Taskmaster SuperMax Plus?

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

TRANSCRIPT:

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. I feel like you didn't do a ton of research on train engineering.


GRAHAM CLULEY. Oh, you'd be surprised. You would be surprised.


CAROLE THERIAULT. No, I don't know if I would.


UNKNOWN. Smashing Security, Episode 426: Choo-Choo Choose to Ignore the Vulnerability with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 426. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. What's coming up on the show this week, Carole?


CAROLE THERIAULT. Well, first, before we kick off, let's thank this week's wonderful sponsors, 1Password, Adaptive Security, and Vanta. It's their support that helped us give you this show for free.

Coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be taking hacking to the end of the line.


CAROLE THERIAULT. Mm. And I'm going to ask who's to blame when chat assistants go rogue.

All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, we all love a train, don't we?


CAROLE THERIAULT. A train?


GRAHAM CLULEY. Yeah, everyone loves trains. Did you love trains when you were a kid?


CAROLE THERIAULT. A choo-choo?


GRAHAM CLULEY. Yeah, choo-choo trains.


CAROLE THERIAULT. Do you mean getting on a train?


GRAHAM CLULEY. Well, getting on a train, watching trains, pushing trains around on the floor when you're a little kid, or watching trains.


CAROLE THERIAULT. We used to walk old train tracks actually as kids.


GRAHAM CLULEY. Did you? That's brave. Disused ones.


CAROLE THERIAULT. Disused ones, yeah.


GRAHAM CLULEY. That's good. Well, some people are very enthusiastic about them, aren't they?

And there can be cybersecurity consequences of having a love for trains. Way back in 2008, a 14-year-old boy in Poland got himself into a spot of bother because he hacked into— actually, it was a tram system rather than trains, but he began to use it as a giant train set. He hacked into the trams.


CAROLE THERIAULT. Why do you laugh? You laugh like you're a sociopath or something.


GRAHAM CLULEY. It's just an extraordinary story. There he was in the city of Łódź, I believe it's called.

He had trespassed onto tram sites, into the depots in the city. He was gathering information. And he took an old TV remote control and he adapted it so it can change the track points, which meant that he was able to cause chaos.

So there was one particular Tuesday afternoon when a city tram driver tried to steer his vehicle to the right, but found himself swerving to the left instead.


CAROLE THERIAULT. How funny!


GRAHAM CLULEY. Unexpectedly.


CAROLE THERIAULT. Ha ha ha ha ha!


GRAHAM CLULEY. No, not funny, Carole. Not funny.

You sound like a sociopath now. The rear wagon swung off the rails, crashed into another passing tram, hurtling screaming passengers to the floor. 12 people were injured.

And the spokesman for the police, they nabbed this boy. They said he took his TV control and made it capable to control the tram line. Trains.

And he'd written in the pages of his school exercise book where the best junctions were to move trams around. So he was really enthusiastic about this. And he treated it like a giant train set.


CAROLE THERIAULT. There is a game I play that is actually this. You're managing a ton of trains and making sure they don't—


GRAHAM CLULEY. Yeah, I told you it was fun.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Anyway, big problem. He was making emergency stops. Passengers were being hurt.


CAROLE THERIAULT. Probably entertaining his little buddies.


GRAHAM CLULEY. Anyway. That was back in 2008. And thank heavens, railways are much safer now, aren't they?


CAROLE THERIAULT. I wouldn't know. I'm not an expert in trains.


GRAHAM CLULEY. Well, are they safer? Are they? That's the big question. Because four years later, in 2012, a security researcher called Neil Smith, he was taking an interest in the locomotives crossing America.

Have you seen these enormous trains, these mega trains they have in America?


CAROLE THERIAULT. Yeah, well, we have them in Canada too.


GRAHAM CLULEY. Their trains can be three miles long. Wow. It's astonishing.

I mean, it's hard for me as a Brit to imagine that. How long would that take to go past you?


CAROLE THERIAULT. Well, they've got to move stuff from A to B somehow. I mean, Australia, they use the mega trucks, don't they?

They're these massive—


GRAHAM CLULEY. Do they?


CAROLE THERIAULT. Yeah, yeah. There's huge trailers.

They go on the roads. I can't remember, there's a name for them, but I don't remember what it is. But anyway.


GRAHAM CLULEY. Well, I know that in America, for instance, trains are responsible for moving more freight than any other form of transport. It's a big deal.

And when you've got a train that long, communicating from one end of the train, which can be three miles away from the other end, that becomes a challenge.


CAROLE THERIAULT. Why?


GRAHAM CLULEY. Well, you can't send a fax.


CAROLE THERIAULT. You've got a phone.


GRAHAM CLULEY. You may not have network coverage to send a text.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. So it's a problem.


CAROLE THERIAULT. I'm imagining there might be a little Wi-Fi on the train, maybe.


GRAHAM CLULEY. Have you ever been on a train and tried to use Wi-Fi, Carole?


CAROLE THERIAULT. Yes. Works fabulously in Canada.


GRAHAM CLULEY. Was it? Oh, okay.

I'm just used to being in the Stone Age rail lines of Britain, I suppose. Anyway, it's important that you can communicate from one end of a train to the other.

Because imagine there's this blooming long three-mile train. Imagine it's parked up somewhere and you are a train maintenance man at the back of the train.

You won't necessarily know if the front of the train has started moving again. Because the carriages, or whatever they're called, they might all be shunted up together.


CAROLE THERIAULT. I'm picturing this massive centipede.


GRAHAM CLULEY. Yes, it's a great big caterpillar doing a stretch. It's an accordion, stretching out.

And so it may take a while before, you know, clank, clank, clank. And if you're doing work at the back, that could be a real problem.

It could be a squish situation, couldn't it? Or you might want to know, as the driver at the front of the train, what the heck the brakes are doing at the back of the train, because maybe you're going up a slope, maybe going down a slope.

Maybe you need your brakes to engage or disengage. Maybe you want to know that the pressure is right, because this is an enormous train.


CAROLE THERIAULT. I feel you didn't do a ton of research on train engineering.


GRAHAM CLULEY. You would be surprised just how many videos.


CAROLE THERIAULT. Oh yeah, videos. Oh, of course. Yeah, videos.


GRAHAM CLULEY. You may be surprised how many videos I've watched at 2x normal speed in order to gain this amount of knowledge, Carole, in readiness for the podcast today.


CAROLE THERIAULT. Well, it's a good 10 minutes.


GRAHAM CLULEY. It's a huge amount. See, in the old days, in the old days, it was easy.

In the old days, American freight trains had a caboose. I love a caboose.

It's a great word, isn't it? Caboose. Are you familiar with the caboose?


CAROLE THERIAULT. Yeah. It's often used as a derogatory term towards women's asses.


GRAHAM CLULEY. Is it?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Okay. Well, according to Wikipedia, caboose is a little hut which is coupled onto the end of a freight train. It provides some shelter for crew. It's got sleeping and cooking facilities. I imagine a lady's bottom wouldn't have that.

It's used for observing problems at the back of a train or providing a supplementary braking system. I don't know how they — do they throw out an anchor? I don't know.

But there used to be people on the end of a train, right? And you'd see it in old movies. In your Charlie Chaplin style movies, you don't really see cabooses anymore.

You're more likely to find a caboose up for rental on Airbnb. So there may be someone's done up a caboose, put it in their back garden, and made it available for rent.

Anyway, the way in which this is done these days without a caboose on these flipping long trains is with what is known as an end of train device, an EOT, or a flashing rear end device, a FRED, F-R-E-D. And these collect data regarding a train's brake line pressure, and they send that information to the front of the train via a radio signal.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Alright? So they don't have Wi-Fi, but they can transmit a radio signal, and there'll be something at the other end, you know, waiting to receive it. And that essentially acts as though they were rear-end crew members communicating with the front-end crew via radio, allowing —


CAROLE THERIAULT. Because FaceTime's not working. Okay.


GRAHAM CLULEY. Well, no, it's not gonna — no, no. Obviously FaceTime has only been around for the last 10 years or whatever as well.


CAROLE THERIAULT. I know, but we're 2015.


GRAHAM CLULEY. Well, 2012 when Neil Smith was looking into this. But these end-of-train devices, they've been around since the demise of the caboose.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. So, and as we know, sometimes with critical infrastructure, you have a piece of technology and it doesn't get replaced for decades and decades. But Neil Smith, this researcher, in 2012, he was looking at train security and specifically these end-of-train devices, and he realised that the system was open to being hacked.

It was vulnerable. Now, when I first heard that you could hack a train, I was thinking sort of Mission: Impossible-style stunts, leaping from train to train, wanting to be within Bluetooth range. You need to be really close.

But that isn't the case. That isn't the case at all. You can be a ridiculously long distance away.

You could be, for instance, 150 miles away.


CAROLE THERIAULT. How could that be?


GRAHAM CLULEY. By sending a radio signal, Carole, at the right frequency. All you need is some radio equipment. It costs less than $500 to send a bogus message that could issue commands to the end-of-train device to, I don't know, something like suddenly slam on its brakes.

Which isn't a good thing. Derailment, danger, danger. These end-of-train devices, they use weak authentication.

All they really seem to have is a checksum to verify that any messages they send or receive haven't been corrupted or that no bits have been dropped during the radio transmission. That's all they have. They don't have any more security than that.


CAROLE THERIAULT. They don't have a, is this coming from an authorized location or device?


GRAHAM CLULEY. And obviously the location is constantly changing 'cause they're crossing across many states, potentially. But yes, they don't have anything else. They're just looking at a checksum.

And this has been the case for well over 10 years.


CAROLE THERIAULT. Well, you know, let's take a pause and think, all us train people, how lucky we are that we're not dead. Right? Is it happy days?


GRAHAM CLULEY. Well, yes, we're all happy. Yes, that's true. But researcher Neil Smith, he's not happy because I've been onto his Twitter account. His avatar, by the way, is of a Thomas the Tank Engine, which I think is very, very cute.

And he wrote, so how bad is this? He says, you could remotely take control over a train's brake controller from a very long distance away using hardware that costs less than $500. You can induce brake failure leading to derailments, or you could shut down the entire National Railway System.


CAROLE THERIAULT. Okay, so he's saying this on Twitter because he's already told them.


GRAHAM CLULEY. Oh, he told them about it in 2012.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And he's also pointed out these devices are also on some passenger trains as well, potentially causing even more problems. So he told the authorities about the weak security.

The American Association of Railways, they played it down. They said, oh, this is theoretical, they said. This hasn't happened in real life.

We're only going to take notice of this, they said, if you can demonstrate it in real life. And so Neil Smith said, okay, I'll demonstrate it.

And the American Association of Railway said, go on then. And he said, well, he said, I need to do it in a safe way.

Can I use your test track facility? And they said, no bloody way are you coming on our test track facility.

And so he reckons they blocked all security-related testing if they knew it would cause them problems. And there was a complete lack of progress.

He got annoyed about this. Took a few years.

He got annoyed about it. He wrote an article for the Boston Review revealing his findings.

They replied. They wrote an article in Fortune magazine debunking it.

Complete stalemate. However, I can reveal that last year the American Association of Railways had new management.

And Neil Smith thought, maybe I'll have a bit more luck now dealing with them.


CAROLE THERIAULT. Okay, yeah, yeah, yeah.


GRAHAM CLULEY. So he brought up the issue again, and this time, years after he first made his discovery, he was listened to. And CISA, the American cyber defense agency, has just published an advisory in the last few days all about what they call the weak authentication in the end-of-train and head-of-train remote linking protocol.

So that's all right then. It's all fixed. Happy days.


CAROLE THERIAULT. Is it?


GRAHAM CLULEY. Well, not quite. Because there are still some 75,000 end-of-train devices on trains across USA, Mexico, and most importantly, Canada.

I'm just saying that for you, Carole. Which have to be physically replaced.

And the anticipation is that it's going to take years to accomplish, and it's going to cost millions to do it. And put new technology in place.

Which may explain why they weren't so keen to listen to the vulnerability and hear about the problems in the first place.


CAROLE THERIAULT. Yeah, it's interesting because it kind of says they buried it under the carpet because they didn't have to declare it. Maybe at the time, I don't know, I can't remember what the laws were or what their responsibilities were having been told this information.


GRAHAM CLULEY. They seemed to think it didn't matter.


CAROLE THERIAULT. Yeah, they didn't help him. They should have got involved, I guess.


GRAHAM CLULEY. Yeah, and there was another researcher who also independently did some research and announced it at DEF CON. So I think over time, the noise has begun to get louder and now is being listened to a bit more.

But although at the moment we don't know that this has ever been done maliciously, now, of course, it's become better known, unfortunately, as a result of this disclosure. But it's not as though no one is interested in messing with trains.

A couple of years ago, some 20 trains in Poland were brought to a standstill, again by unauthorized radio signals. The hackers reportedly interspersed the stop commands which they sent in Poland with renditions of the Russian national anthem and parts of a speech by Vladimir Putin.

So, there are people out there who would love to mess around with trains and cause all kinds of mayhem. Carole, what have you got for us this week?


CAROLE THERIAULT. So, okay, AI assistants. The things we never thought of before 2020 and now can't seem to get enough of.

I mean, we have so many, right? There's the Gemini from Google, ChatGPT, Meta's AI, Alexa, Siri, Claude, Grok, just to name a few.

And these AI assistants are already pretty ubiquitous. I mean, they're basically the next search tool, wouldn't you agree?


GRAHAM CLULEY. Oh, yeah, absolutely.


CAROLE THERIAULT. You want a recipe? Go to AI.

You know, you want advice on a trip? Go to AI.


GRAHAM CLULEY. Oh yeah, absolutely. Search engines are becoming less relevant, and in fact, they're plugging in AI more than ever because they know they can't compete.

I mean, a search engine will give you maybe 100 results of dubious usefulness, whereas an AI, if it's programmed correctly, if it's working properly, will just give you one response, which hopefully with the information you need without having to click on a link.


CAROLE THERIAULT. I have people who are maybe less au fait with the whole internet thing, you know, some of maybe the boomer generation, for example, and I tell them to use an AI assistant for their basic requests because it's often easier for them. They ask a specific question and they get a specific response.

They don't have to trawl. They don't have to work around sponsored ads at the moment.

It's fairly simple and straightforward.


GRAHAM CLULEY. Yes. Although one of the problems with AI is it can sound excessively confident, can't it?

It can sound as though it really knows what it's talking about.


CAROLE THERIAULT. It depends which ones you use, I think. Okay.

There are some that are a little more hesitant, I think. Anyway, so currently countries around the world are kind of wrestling with how to apply regulations to this digital genie that was maybe perhaps let out of the bottle a little too early.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So countries Denmark— Denmark is proposing changes to its copyright laws to give citizens ownership of their own likeness, which I've talked about before on the show, including their face, voice, and body. Of course you should.

Have copyright of your own face, voice, and body, in my opinion. But meanwhile, while this is happening, the US, as part of the one big beautiful bill, just recently tried but failed to pass a 10-year moratorium to prevent individual states from regulating AI stuff.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So it's nuts out there. And while the powers that be bash it out, I thought we could consider this one wee AI-based conundrum.

And it involves a recent Grok snafu. Now, Grok is a free AI assistant designed by xAI.


GRAHAM CLULEY. You say it's free, Carole, but I think you do have to sell your soul to the devil, don't you, and have a Twitter account? That's the main way in which people will be interacting with it.


CAROLE THERIAULT. But it is said to maximize truth and objectivity. This is—


GRAHAM CLULEY. Oh, yes.


CAROLE THERIAULT. Very much not my opinion. But what it says on its homepage.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And in fact, way back in April 2023, Elon Musk said in an interview that he intended to develop an AI chatbot called TruthGPT. We remember that.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. Which he described as a maximum truth-seeking AI that tries to understand the nature of the universe. And he expressed concern that ChatGPT was being trained to be politically correct.


GRAHAM CLULEY. Yes, because he's got a big beef with Sam Altman at OpenAI, hasn't he?


CAROLE THERIAULT. Yeah, they do. They have a big beef. And TruthGPT later became what we know now as Grok. Now, it seems that Grok has had at least one big contract come its way. The US Department of Defense said this past Monday it would begin using Grok after awarding the tech company a multimillion-dollar contract.


GRAHAM CLULEY. For what? What are they going to use Grok for? For making jokes?


CAROLE THERIAULT. Apparently Grok has some government tools that'll be super useful.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. So the future's looking bright for xAI and Grok, as long as you don't cast your memory back to last Tuesday. Because last Tuesday, throughout the day, Grok seemed to go rogue, even for a maximum truth seeker. The chatbot ranted for hours about a second Holocaust and spread antisemitic tropes and conspiracy theories. According to The Washington Post, it even claimed that people with Jewish-sounding names were disproportionately linked, quote, "every damn time," unquote, to hate, radicalism, and deceitfulness.


GRAHAM CLULEY. It was quite rude as well about Polish Prime Minister Donald Tusk. Did you see that one?


CAROLE THERIAULT. Nope. Didn't enjoy researching all that stuff, I've got to say. Wasn't fun.


GRAHAM CLULEY. No, no, no. It said he was a pompous ginger whore, is what they said. It's what Grok's opinion was. And it had some unpleasant things to say about Turkish leadership as well. I think this has resulted in Turkey thinking of actually blocking Twitter entirely in their country.


CAROLE THERIAULT. Yes. So I would say a whole heap of hate vomit, right? A whole heap of hate vomit from Grok seemed to be the result of a code update, which The Washington Post said included instructions such as, "You tell it like it is," and, "You're not afraid to offend people who are politically correct." And it was also instructed to not blindly defer to mainstream authority or media. And it looks like Grok certainly took its instructions seriously, doesn't it?


GRAHAM CLULEY. Yeah, I'm a little bit worried that this is the AI that the Department of Defense is getting into bed with if it's all about hating people.


CAROLE THERIAULT. To be fair, the Department of Defense got into bed with three more.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. They have a multi— what's it called now? A polyamory going on with ChatGPT in there as well. And there's a few more. Yeah.


GRAHAM CLULEY. Lovely.


CAROLE THERIAULT. According to The Independent, xAI attributed the problem to the chatbot relying too heavily on input from X users.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So it's the user's fault.


GRAHAM CLULEY. Specifically, it's the users of Twitter, or X as it's now known. So what it's done is it's learned how to interact with the world. All of the knowledge which it's been scooping up has been on Twitter. So because it's seen bile and hatred there, it thinks, well, let's just go with this then. Amazing.


CAROLE THERIAULT. The Anti-Defamation League, a civil rights group that monitors antisemitism, said, what we are seeing from Grok LLM right now is irresponsible, dangerous, and antisemitic, plain and simple. xAI did eventually roll the code back and said it was actively working to remove the inappropriate posts.

And here's my problem, right? Here's my beef. If a company employee went on a similar antisemitic violent tirade like xAI's Grok chatbot did—


GRAHAM CLULEY. Give him a promotion.


CAROLE THERIAULT. Would they have a job the next day? Can you imagine you walk into the office one morning and you're Michael Douglas from Falling Down, that movie?


GRAHAM CLULEY. Well, isn't it the case that Twitter's CEO, Linda Yaccarino, actually resigned the following day? So maybe it wasn't Grok.

Maybe she was just there drunkenly at the keyboard, "And another thing." She's going to tap it out, "I don't know about this as well." Oh, it's all her fault.


CAROLE THERIAULT. Oh, that's unusual.


GRAHAM CLULEY. Actually, Grok was very rude about her as well. Which may have expedited her desire to leave the organization.


CAROLE THERIAULT. But if you were an employee, right, sharing your torrent of mouth excrement with all your colleagues, your boss, and worst of all, your paying customers, right? Because I'm sure some of these people were paying to have their whatever VIP X treatment or whatever it is.


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. And do you think that oopsie daisy is an appropriate response? Who is responsible? Who is accountable?


GRAHAM CLULEY. Here's the thing. There is a counterargument.

I'm not necessarily going to say that I subscribe to it, but there is a counterargument which goes this. That in the last couple of years, Twitter has become so overrun with bots, there are actually very few humans up there who are getting offended. So it's mostly bots who are getting offended or bots who are getting offended on other bots' behalf.

After all, if a tree falls over in the forest, and no one's there to see it, did it really fall? What was the phrase? Or is it a bear in the woods? Or is the Pope Catholic? I can't remember. Anyway, that's the counterargument.


CAROLE THERIAULT. I think your point is moot because we're not just talking about X here. We know that AI is embedded and implemented in almost all electronic things that we now use.

And I think the tech race to hurry to get it out the door means that we as customers have become beta users. We're beta testers.


GRAHAM CLULEY. Oh, yes.


CAROLE THERIAULT. That's what we are. And I mean, this is very different from, you know, a hacker taking over a channel and spewing crap. You know what happened on Sesame Street's Elmo?


GRAHAM CLULEY. Elmo. Yeah, Elmo got hacked. Yeah.


CAROLE THERIAULT. Quite a big popular channel where, you know, he says things like "Happy Monday, everybody." And a baddie took over and made all kinds of racist and antisemitic threats with expletives.


GRAHAM CLULEY. That could have been worse. Imagine if it'd been Oscar the Grouch. That would have been really bad.


CAROLE THERIAULT. He may not have as many followers. And my point is, a bad guy got in and messed about. But in Grok's case, who is accountable?


GRAHAM CLULEY. Well, I think they should be accountable. I think the people at the top need to take some responsibility for this.


CAROLE THERIAULT. Because they're advocating our use of this stuff. They're saying, come use this. This is so cool and great. It's going to make your life so wonderful.


GRAHAM CLULEY. And they're not just spreading insults. They're spreading misinformation as well. And it's dangerous.


CAROLE THERIAULT. They're making money. Right? Off people using it. And imagine if you're using AI for something super serious, an intricate medical procedure, you know, and it goes rogue. Oopsie.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. I don't know how this works. But don't worry, I'm actually covering last week's news because just today, day of recording Tuesday, Elon announced the Grok AI companion.


GRAHAM CLULEY. Oh my God.


CAROLE THERIAULT. For subscribers. And that's exactly what we need, an AI companion for saucy sexting, for fuck's sake. This is from the guy who's planning to own his own political party. So fun times.


GRAHAM CLULEY. You know what, I might catch one of those rockets to Mars. Maybe it'd be better over there. This episode of Smashing Security is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. That OpenAI.


CAROLE THERIAULT. In a world where deepfake voices, vishing, and AI-generated phishing emails are hitting inboxes and Zoom calls, Adaptive Security is leading the charge to stop AI-powered social engineering attacks. Their AI-native platform simulates cutting-edge deepfake threats, trains your team with expert-vetted modules, and even triages real-time phishing reports.


GRAHAM CLULEY. And now Adaptive's new AI content creator helps security teams instantly generate custom training by just pasting in a news article or compliance doc, whether it's a breaking threat or an internal policy update, Adaptive can spin it into interactive multilingual training in seconds.


CAROLE THERIAULT. Trusted by top security leaders, Adaptive is building the future of cyber defense. To learn more, head to adaptivesecurity.com. That's adaptivesecurity.com.


GRAHAM CLULEY. Now, Carole, according to Vanta's latest State of Trust report, Cybersecurity is the number one concern for UK businesses, and of course, Vanta can help you with that.


CAROLE THERIAULT. Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.


GRAHAM CLULEY. You see, Vanta allows your company to centralise security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk. To help your team not only get compliant, but stay compliant.


CAROLE THERIAULT. So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A, .com/smashing. And thanks to Vanta for sponsoring Smashing Security. If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications. It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mountain with 1Password Extended Access Management.


GRAHAM CLULEY. Over half of IT pros say securing SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why. Thankfully, Trelica by 1Password can discover and secure access to all of your apps.


CAROLE THERIAULT. Trelica by 1Password inventories every app in use at your company. Then, pre-populated app profiles assess SaaS risks, letting you manage access, optimise spend, and enforce Smashing Security best practice across every app your employees use.


GRAHAM CLULEY. So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/smashing. That's 1password.com/smashing. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is security-related.


CAROLE THERIAULT. Uh-oh.


GRAHAM CLULEY. Because, well, it's about something which happened to me last night. I was working behind the scenes on the Smashing Security website and email infrastructure.

I know how to have a good time in the wee small hours of the morning. Anyone who's ever tried to sort out their company's email knows what a pain in the neck it is to deal with SPF and DKIM and DMARC.

It's an absolute minefield. What you want to do, of course, is you want to prevent your emails being mistaken for phishing emails or spoofed messages.

And the way in which many companies protect against phishing emails, ransomware and spoof messages coming in is they put protections in place; they will be looking at the email headers to make sure that they're all right. Yeah.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And you know how it is, Carole. We send email from various places.

Our website, it can send us emails. It sends you and me emails when people fill in the form, our contact form on the website.

So that's from one server. And you and I, Carole, we receive emails from people that contact us at , and either of us can reply to them.

And just because we reply doesn't mean that people will necessarily see our responses. So if we've got our email headers wrong, there is the potential, it doesn't mean it necessarily will always happen, but it's the potential that our emails will bump into their defences, end up in their spam folder or treated as junk, or in the worst case, be completely rejected entirely if we haven't set up our DNS correctly, our entries which handle SPF and DKIM and DMARC.

I'm sorry, it's a very nerdy pick of the week. Anyway.


CAROLE THERIAULT. I'm sure there's about at least 10 people out there loving this. So carry on.


GRAHAM CLULEY. Last night I spotted we had a problem and I wanted to fix it because I thought, oh my gosh, you know, it's possible people aren't receiving our emails. And so I was up until about 1:30 in the morning fixing it.

And that is what led me to this website called learndmarc.com. So DMARC is D-M-A-R-C, learndmarc.com.

That gave me an email address that I could send a message to, and then I could see on their web page what its mail server thought about my email headers, the emails I just sent it. So it would tell me if my SPF and DKIM headers weren't in alignment.

It could tell me if emails I sent to Smashing Security had the right digital signature, which would reassure people they were from our podcast, etc. It's a bloody nightmare handling these things.

But with learndmarc.com, I could see what was going wrong. I could fix it.

And I felt that for those 8 people who are still listening to this part of the show, I thought they might hear about that as well. So I wanted to share the resource in case it helped someone else.

learndmarc.com is my pick of the week.


CAROLE THERIAULT. Couldn't this be used for bad as well?


GRAHAM CLULEY. I don't see how it would be used for bad.


CAROLE THERIAULT. No? If you were trying to do an email campaign and you wanted to see—


GRAHAM CLULEY. No, no, because the way in which these things work is they don't just look at the contents of your email with its headers, which obviously could be meddled with.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. It then compares them to the DNS entries on your domain, on your website.


CAROLE THERIAULT. Yes. Okay.


GRAHAM CLULEY. So, which is something you have control over. So it's a way of verifying okay, if they've got that signature, it links in with this and blah, blah, blah.


CAROLE THERIAULT. Plug that hole that I tried to gouge in your pickling.


GRAHAM CLULEY. No, no, that's very fun. That's fine. By the way, it's got a really cute kind of WarGames-style interface. It's like tickety tickety tickety tickety. It's like the computer's talking to you, saying, "Hello, I've just received this. I've just received that." To be honest, it made it even more fun to use. Well, learndmarc.com. Knock yourself out, Carole. You know how to have a good time.


CAROLE THERIAULT. Yes, I do.


GRAHAM CLULEY. What's your pick of the week then?


CAROLE THERIAULT. Well, rather controversially, I am going to give another shout out to something that I've had as a previous pick of the week.


GRAHAM CLULEY. Oh?


CAROLE THERIAULT. And I'm doing it because I made this recommendation way back in episode 255, which is more than 175 episodes ago. And it is still going to this day, and it's a fantabulous way to unwind after a stressful day, for example. And so my pick of the week is a show called Taskmaster.

Just to recap quickly, Taskmaster is a British comedy panel game show created by the wonderful Alex Horne. And it's presented by the ginormous Greg Davies.


GRAHAM CLULEY. He's very tall.


CAROLE THERIAULT. 6'7". Okay? Makes my Yeti look like a shrimp. And little Alex Horne, who actually comes in at 6'2", as the Taskmaster's assistant.

And in each series of the program, a group of 5 celebrities attempt a series of challenges or tasks, and the Taskmaster then reviews the contestants' attempts and awards points based on performance, interpretation, or other arbitrary comedic factors. It's very fun. I think it's the only show that I consistently laugh-cry at.


GRAHAM CLULEY. Really.


CAROLE THERIAULT. And I don't have any idea why. I never expect to, but then I do. It has that kind of magic. And it was released all the way back in 2015, which means there's 18 series now to watch.


GRAHAM CLULEY. I've only seen it a couple of times, but I think it's still going, isn't it?


CAROLE THERIAULT. Yes! And I've been watching it all along. Now you're probably thinking, "Oh, eff off, Carole. Once again, you're giving me a show that I can't watch because I live in a non-supported place." Because, you know, it's on Netflix at the moment, but that's not available everywhere. But wait!


GRAHAM CLULEY. Wait.


CAROLE THERIAULT. Little Alex Horne, the creator of the show, has created a website, which, Graham, you can go to. It's called taskmastersupermaxplus.com.


GRAHAM CLULEY. That's quite long. Super Max Plus.


CAROLE THERIAULT. Yes, Taskmaster Super Max Plus. And he says, "I've been told quite a few times that not everyone everywhere can watch Taskmaster. We want to create a channel where fans can watch all episodes ad-free. The complete global home for all things Taskmaster." Everything is up to the very latest season in the UK, and it's streaming now. And there's even special treats and special end-of-year championships. So—


GRAHAM CLULEY. Hang on, he says here £5.99 per month after a 7-day free trial.


CAROLE THERIAULT. Well—


GRAHAM CLULEY. So when he said free—


CAROLE THERIAULT. Okay, well I—


GRAHAM CLULEY. Not free.


CAROLE THERIAULT. Okay, not free, but free for 7 days. Binge it.


GRAHAM CLULEY. You can watch 168 episodes. How long's an episode?


CAROLE THERIAULT. Instead of spending your evenings trying to send spam to our listeners.


GRAHAM CLULEY. I wasn't trying to send them spam.


CAROLE THERIAULT. Why don't you mainline this stuff?


GRAHAM CLULEY. 7-day free trial, then £5.99 a month. That feels quite a lot if all you can watch is Taskmaster.


CAROLE THERIAULT. Well, what I would say to you is you don't have to have it for all months going forward. A lot of these things would love you to stay on forever, but you could just dive in for a month, watch as much as you wanted, and then, you know, wait till Christmas when you're at the in-laws. And get another season, you know?

Anyway, I think it's great. I think it's worth the $6 or whatever it is.


GRAHAM CLULEY. Brilliant. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge thank you to our episode sponsors, Vanta, Adaptive Security and 1Password. And of course to our wonderful Patreon community.

It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 425 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


CAROLE THERIAULT. Bye.


GRAHAM CLULEY. So the guy who I thought was quite small is actually 6'2" himself. So he calls himself Little Alex, but actually he's quite tall.

-- TRANSCRIPT ENDS --