373: iPhone undeleted photos, and stealing Scarlett Johansson’s voice

iPhone photos come back from the dead! Scarlett Johansson sounds upset about GPT-4o, and there's a cockup involving celebrity fakes.

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Anna Brading of Malwarebytes.

Plus! Don't miss our featured interview with Sandy Bird of Sonrai Security.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Sonrai’s Cloud Permissions Firewall – A one-click solution to least privilege without disrupting DevOps. Start a 14 day free trial now!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. You're not seeing their growlers or their, you know, carrot and two veg. Or what is it? Sausage and two veg?


UNKNOWN. Is that the vegetarian option? Carrot and two other vegetables? Smashing Security, episode 373. iPhone undeleted photos and stealing Scarlett Johansson's voice with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 373. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined by a very special guest this week, someone who's been on the show before. Please reveal who it is. Pull back the curtain.


CAROLE THERIAULT. Anna Brading of Malwarebytes. Hi, Anna. Hello.


ANNA BRADING. Do you know it's been over a year since I've been on.


CAROLE THERIAULT. Well, you have been doing— you have been doing renovations for a lot of that time. It wasn't that you weren't asked.


ANNA BRADING. That's true.


CAROLE THERIAULT. The ego's intact, baby.


GRAHAM CLULEY. Good to have you back, Anna.


ANNA BRADING. Good to be back.


CAROLE THERIAULT. Let's kick this show off and thank this week's wonderful sponsors: Kolide, Sonrai, and Vanta. It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what have you got?


GRAHAM CLULEY. I'm going to be saying thank God for screw-ups.


CAROLE THERIAULT. Okay, Anna, what about you?


ANNA BRADING. I'm gonna be talking about long-deleted photos coming back.


CAROLE THERIAULT. And my story is a genuine mistake or a cunning, perhaps unethical PR stunt. Plus, I chat with Sandy Bird, the co-founder and CTO at Sonrai Security. This company takes a pretty cool approach to securing the cloud, and Sandy tells us how it works. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I don't know about you, but I love a good cock-up.


CAROLE THERIAULT. Oh, I didn't know that about you.


GRAHAM CLULEY. Yeah, no, I love it. I love it when things go hilariously wrong. And I actually thought maybe during this little part of the show, as I cock-ups, I might give you a list of legendary cock-ups.


ANNA BRADING. Oh, yes, please.


GRAHAM CLULEY. And so I went searching online, but the results weren't quite what I had in mind. So probably not appropriate for this podcast. But what I'm thinking of is things do you remember the Mars Climate Orbiter, which NASA launched into space in 1998, planning to study the Martian climate and the surface?


CAROLE THERIAULT. Anna was 6 years old.


ANNA BRADING. Yeah, I was barely born, Graham.


GRAHAM CLULEY. Well, the only problem was that some of the software had been mistakenly told to use English Imperial measurement units rather than the metric units used by other systems connected with the probe. And so crunch! It crashed. It got confused. $125 million down the drain. It'd gone all the way to Mars and then just crashed because of a simple engineering error. Oh dear. Oh dear.


ANNA BRADING. Mm-hmm.


GRAHAM CLULEY. Or what about when Hoover, the vacuum cleaner people, they ran a promotion in the UK. They offered free flights to Europe and New York. All you had to do was spend more than £100 on Hoover products, they said, which was significantly less than the cost of the actual flights. Now Hoover, if you'll remember, they'd been relying on customers being unwilling to go through the complex application process.


CAROLE THERIAULT. I do remember this, you know.


GRAHAM CLULEY. Yes. Do you remember what happened?


ANNA BRADING. No.


CAROLE THERIAULT. So they didn't do it, but they didn't— they do a class action?


GRAHAM CLULEY. Well, there was a huge kerfuffle. That's what it was, Carole. Forget class action. It was a kerfuffle. Because they severely underestimated just how popular the offer would be.


ANNA BRADING. Oh my gosh.


GRAHAM CLULEY. And the company had to deny customers their flights. They had years of bad publicity. Eventually, they were forced to honour many of these deals at the cost of £48 million.


ANNA BRADING. Oh my gosh.


GRAHAM CLULEY. And all the senior staff involved in the promotion lost their jobs. I mean, it's quite brilliant, isn't it? I mean, obviously a bit sad for those people, but I love a cock-up like that.


CAROLE THERIAULT. You'd worry about the legal advice that you got in that instance, really.


ANNA BRADING. Do you think they got legal advice?


GRAHAM CLULEY. Legal shmeagle.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. I remember all three of us, when we used to work together at a certain security company, and we would start certain initiatives, we wouldn't go anywhere near the legal department. We wouldn't want them interfering with things. If we had a good idea, we just went for it, didn't we?


ANNA BRADING. Yeah, we don't want them to say no.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah, yeah. Well, we were young, reckless.


GRAHAM CLULEY. And sometimes, of course, you can have a monumental IT-related cock-up. So along those lines, I was delighted to read an article on 404 Media, a great outlet for all the gossip from those side of things, about how some folks are getting just what they deserved after a blunder.


ANNA BRADING. No.


GRAHAM CLULEY. So, let me set the scene. There are, and this will shock you, some grubby little scumbags out there who are using artificial intelligence to generate non-consensual sexual images of celebrities. Right? So, you pick someone famous that you fancy, like Scarlett Johansson or Demi Moore or Lassie, or, you know, someone famous.


ANNA BRADING. Michael Bublé.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And for a monthly subscription fee, you get access to AI-generated images of them without their pants on. So, if you had that option, which celebrities would you two choose? Anna? Instant reaction. Let's hear it.


ANNA BRADING. I don't want to see any celebrities naked.


CAROLE THERIAULT. Yeah, but you're not really. You're not seeing their growlers or their, you know, carrot and two veg.


SANDY BIRD. Or what is it?


CAROLE THERIAULT. Sausage and two veg.


ANNA BRADING. Maybe you should do it.


GRAHAM CLULEY. Is that the vegetarian option? Carrots and two other vegetables.


CAROLE THERIAULT. That's what happens when you go a bit veggie, right? But it's not their bits, is it?


ANNA BRADING. No, but who would you like to see, Carole? Tom Selleck?


GRAHAM CLULEY. Anna doesn't want to see anyone naked, so not even Paddington, presumably. He has to keep his duffle coat on.


ANNA BRADING. Absolutely not Paddington.


GRAHAM CLULEY. Carole?


ANNA BRADING. Maybe on the bears, but no.


GRAHAM CLULEY. Carole, who?


CAROLE THERIAULT. I don't want to see anyone naked unless they want to show me themselves naked. And even then, the chances of me saying, "Yeah, go on then," is pretty slim.


ANNA BRADING. Graham, who would you like to see naked? I feel like this is a question for you.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Well, unfortunately, we haven't got time. We've got to get on with the show. So, we'll have to move on. Now, there is a particular service. One of these services which offers this facility is called Aesthetic Illusions. Sounds harmless enough, doesn't it? And they have an account up on Patreon, just like Smashing Security does, folks. But unlike us, they charge $60 a month for their service. And according to its Patreon page, will create more than 5,000 images a month. And they've already made over 53,000 images.


CAROLE THERIAULT. Of what?


GRAHAM CLULEY. Of naked celebrities.


CAROLE THERIAULT. Right, so I can go to them and go, "Tom Cruise, show me him in the buff." And they'll go, "Presto, here's a penis on a body." Yep, you'll get images.


GRAHAM CLULEY. You may get some porn videos as well of the celebrities. Not real ones, but there's gigabytes and gigabytes and gigabytes of this. Now, a journalist at 404 Media, he signed up for this service, presumably just to see what was there.


CAROLE THERIAULT. Just for research, yeah.


GRAHAM CLULEY. Just for research. Just for research purposes.


CAROLE THERIAULT. And then said, I'll be working on this solid for the next month.


GRAHAM CLULEY. Imagine having the company credit card and being able to do that and be able to justify it. Fantastic, isn't it? So he found this and obviously he went to Patreon and said, this appears to be against your no naughty bits rule.

And Patreon shut it down, right? Very good. Very, very good. But then the problems really started because as he tells it in his report, he subsequently received an email.


CAROLE THERIAULT. This journalist does.


ANNA BRADING. Yes.


GRAHAM CLULEY. From a Gmail address owned by Aesthetic Illusions, assuring him that as a paying customer, the service was going to continue, but was migrating to a new platform, not one which had all these rigid rules like Patreon did. And so he could still create AI-generated images of celebrities, which subscribers requested, before Patreon sort of closed the door.

In fact, in the message he said, hi friends, it looks like the inevitable happened. My Patreon's been nuked. Obviously terrible timing since I literally just quit my day job. Yikes. But then, you know, he's got people paying $60 a month and creating 5,000 images a month.

It does sound like a full-time job, doesn't it? So he sent that email to subscribers after Patreon shut the account down.

Now there's just one little problem with the email. And that is that the email was CC'd. It didn't just go to individual subscribers. It went to something like, well, at least 35, 36 other users of the service.


CAROLE THERIAULT. What, 36 people?


GRAHAM CLULEY. Possibly these were all people who are on the highest $60 tier rather than on the cheapo tier. And some of those email addresses, of course, included people's full names and profile pictures because you use Patreon for all kinds of things.

I support a number of Doctor Who podcasts and things like that on Patreon, because why wouldn't you?


ANNA BRADING. Of course, me too.


GRAHAM CLULEY. Right? And so there I've got legitimate names. But if I was supporting something a little bit shady, it would be the same email address and my same name, which would be used up there.


CAROLE THERIAULT. What, like New Daleks or something?


GRAHAM CLULEY. Well, it's amazing what you can do with a sink plunger, Carole. And it's— so now those email addresses have been made public through this BCC blunder.


CAROLE THERIAULT. Well, when you say BCC, they basically CC'd instead of BCC'd. Exactly. Like rookie error.


GRAHAM CLULEY. They did a CC instead of a BCC, which as we know is something which happens all the time. In the past, we've seen the Ministry of Defence, they've put lives of Afghan citizens at risk by using CC rather than BCC. We've seen possible child abuse victims being exposed by the police.

We've seen people who have HIV being outed. We saw people who were bidding for bitcoin connected with the Silk Road.

Sonos, they did a blunder as well. There's been a whole series of these things time and time again.

And I actually say, huzzah, isn't this fantastic? Isn't it great that sometimes the cybercriminals screw up like this?

And thank goodness for screw-ups. Because this hopefully will remind people that you've got to be a little bit more careful if you want to access your non-consensual porn, or maybe just avoid it altogether, because you could be sharing your personal information with people who, by the very definition of what they are doing, don't give a damn for people's privacy because they're creating this stuff.

So why should they take proper care of your details as well? So buyer beware.

Beware is what I'm saying.


CAROLE THERIAULT. I think this journalist though has a pretty sweet job going on right now.


GRAHAM CLULEY. Well, only if you want to see a carrot and two vegetables grill.


ANNA BRADING. I mean, how much do you want to see that?


GRAHAM CLULEY. Not really.


ANNA BRADING. Yeah, sure, great. It's also fake.

Yeah. Is it illegal to consume that kind of thing?


GRAHAM CLULEY. A carrot?


ANNA BRADING. A carrot and two vegetables.


CAROLE THERIAULT. You guys.


GRAHAM CLULEY. Anna, what is your story this week?


ANNA BRADING. So my story, let's talk about old photos. How many photos do you two have on your camera roll?

Do you know, on your phone?


CAROLE THERIAULT. Too many. Tens of thousands, twenties of thousands, probably.


GRAHAM CLULEY. Yeah, I would think tens of thousands.


ANNA BRADING. Yeah, I looked today, I've got nearly 60,000.


GRAHAM CLULEY. Bloody hell. Well, you've got two little kids, haven't you?


ANNA BRADING. Yes.


GRAHAM CLULEY. You'd have taken lots of photographs of the first kid. Second kid, you kind of don't bother so much.


ANNA BRADING. Does she even exist?


CAROLE THERIAULT. She does.


ANNA BRADING. She does. Oh yes, and I also tend to take a few for each photo-taking opportunity.

Maybe you have taken sensitive photos. So maybe you're on a fitness journey, Graham, and want to document your body changes.

Maybe you've done a bit of sexting, Carole.


CAROLE THERIAULT. Yes, I do a lot of sexting.


SANDY BIRD. How did you know?


ANNA BRADING. Well, I've actually used an online skincare place where you upload photos of your completely naked face and they send you a formula to put on your face, and assessed by the state of your face without makeup. All that is to say, there are some photos on my camera roll that I don't want to keep on my camera roll.

So I'll take them, use them for whatever purpose I need to use them for— wink wink, no judge— and then I'll delete them. Because yeah, even though my phone is mine and no one has access to it, there are some things I don't want or need to be reminded of.


CAROLE THERIAULT. Yeah, sometimes you take a screen grab, right? You take a screen grab to send to a group of friends on a chat, but you don't want it in your roll.


ANNA BRADING. Exactly.


GRAHAM CLULEY. I don't know about you, but I— without naming any names or any individuals, and certainly not suggesting that it's me— if you have a particular painful part of your body which is not easily accessible, you might decide to take a photograph of it with your phone, just so you can see what's going on down there.


ANNA BRADING. Sure.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. You had a problem with your sack, and you took a picture.


GRAHAM CLULEY. I'm not going into any details.


ANNA BRADING. Too veg.


GRAHAM CLULEY. And then delete it afterwards, because obviously you don't want it uploaded to the iCloud or to Google Photos or anything like that, or accidentally share it. So, you know—


CAROLE THERIAULT. Well, do you put your face in it as well?


ANNA BRADING. Only accidentally if he's taking from below.


CAROLE THERIAULT. Hey! Thumbs up! Those are my potatoes. Oh god.


GRAHAM CLULEY. Anyway, yes, so the thing to do is, if you take those sort of photos, they're meant to be temporary, aren't they?


ANNA BRADING. Or for a very brief duration. They're a moment in time.


GRAHAM CLULEY. Yes, exactly. You zap them, you destroy them.


ANNA BRADING. Yes, get rid of them. Yes, exactly. So you don't want those photos to appear anywhere else, but you want— so you want to delete them straight away.

However, I'm doing a house renovation at the moment and people are often asking to see photos. So even though my phone is my own phone, people want to look at them.


ANNA BRADING. So say you're at the pub, people are asking, you know, what shade of cream did you get in your kitchen, or what level of turf did you go for? And I say, let me get my camera out and show you. And people scroll through my phone and do they see—


GRAHAM CLULEY. Have they ended up seeing photos of your turf? Oh my God, that is embarrassing, isn't it?


ANNA BRADING. Exactly. Tell me about it. I mean, it's brown at the moment.


GRAHAM CLULEY. Too much information.


CAROLE THERIAULT. I'm uncomfortable.


ANNA BRADING. I've got the giggles now.


GRAHAM CLULEY. Okay.


ANNA BRADING. And boy, do they scroll. They scroll through the renovation photos and they keep going.


GRAHAM CLULEY. Oh yes, yes, that's what happens. People keep on flicking away.


ANNA BRADING. So I find that really rude and you're like, whoa. Yeah, you're like, oh thanks, take that back. Anyway, that's why I delete the photos I don't want to share on my camera roll.


GRAHAM CLULEY. Yeah.


ANNA BRADING. Anyway, last week Apple issued an update for iPhones and iPads, iOS 17.5 if you're wondering, and it contains security fixes, updates to Apple News, very exciting. And what is exciting is cross-platform tracking detection.

So it will tell you now if a tracking device is moving with you, which is really good for anti-stalking measures. Anyway, great, all good so far.


ANNA BRADING. Lots of people updated as they should, as good digital citizens. However, there was a bit of a surprise for some users.


ANNA BRADING. So vacation photos that were taken in 2018 and deleted the same year ended up at the top of someone's photo album. Those medical photos, Graham, that someone took to keep an eye on a mole they had were back on the phone.


GRAHAM CLULEY. I don't think it was a mole that was living down there, but anyway, you go, okay, whatever it was, you shouldn't have sent them to me.


ANNA BRADING. So, oh my God, those sexy photos taken with someone's ex-partner were back right at the top of the camera roll, easily, just easily accessible for the person's new partner to see.


GRAHAM CLULEY. Back at the top. So it's like your latest photos are things which you thought you'd deleted 6-odd years ago.


ANNA BRADING. Exactly, yeah. And they were right at the top of the recent photos. So people are freaking out, and lots and lots and lots and lots of people were posting on Reddit saying, what is going on?


GRAHAM CLULEY. How's that even possible if you've deleted the photo?


ANNA BRADING. Exactly, because you— so you delete a photo and it goes into your recently deleted album for 30 days. And when you delete a photo, it tells you it will be in an album for 30 days.

After that, it says it will be permanently deleted. But lots of the reports were photos that were deleted years ago, so they weren't in the recently deleted album.


ANNA BRADING. So it's not like it just surfaced them again. But obviously when you delete a file, it doesn't zap into nonexistence.


CAROLE THERIAULT. Yeah, I think you have a problem with the word permanently, because you might think that means never to be seen again. And Anna, honestly, exactly.


ANNA BRADING. I'm so naive.


CAROLE THERIAULT. You're just a little naive. Yeah, yeah, exactly.


ANNA BRADING. Because the act of deletion, it just removes the pointer that tells you where the file is located. It doesn't actually erase the file. So yeah, it gives the impression that you're cutting ties with the data, but not that it's going to appear back in your photo albums.

But until Apple says what happened, we won't know. We probably won't know because they never say, but they have released a fix. They don't tell us. So they said iOS 17.5.1 addresses a rare issue where photos that experience database corruption could reappear in the Photos library even if they were deleted. So never trust that deleted items are actually gone forever.


CAROLE THERIAULT. No, sorry. No, oh, we fucked up.


ANNA BRADING. No, no statement at all. That's just in the release notes. Jesus.


GRAHAM CLULEY. So— This is really bad because Apple, of course, likes to differentiate itself by saying, we're the ones who take privacy seriously.


ANNA BRADING. The privacy company. I know.


CAROLE THERIAULT. Right? They've taken backup seriously. They've taken backup so seriously.


ANNA BRADING. They've created one for you that you didn't know.


GRAHAM CLULEY. They're using AI probably. You don't really want to delete that. That's really—


ANNA BRADING. Yeah, exactly. You thought you did, but actually we know better. And here it is again in your Recents folder.


GRAHAM CLULEY. Well, just before recording, my phone did tell me that this new update to Apple iOS was out. So I've just updated my iPhone.


CAROLE THERIAULT. Check your photos.


ANNA BRADING. Yeah, check your photos.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Thank God I've lived an angel my whole life, so.


ANNA BRADING. It's what I've heard.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. Okay, okay. So you two, you get a message via a trusted route, right? Whatever that may be for you, phone call, email, whatever, whatever you trust. And huzzah, there is a fab new lucrative opportunity for you.


ANNA BRADING. Oh, Graham, listen.


CAROLE THERIAULT. Yeah. And you guys like the sound of fab new lucrative opportunities. So you arrange a little chit-chat because you know what's going on and, you know, and they say to you, you know, Anna, or to you, Graham, that they want to license your voice to become the chat assistant voice for ChatGPT's AI bot.


GRAHAM CLULEY. Right.


ANNA BRADING. Understandable. Yeah.


GRAHAM CLULEY. Lovely.


CAROLE THERIAULT. So you're up for it? You're no problem.


ANNA BRADING. Yeah, yeah, yeah.


CAROLE THERIAULT. No problem. Because I'm thinking once you record, you might get royalties if you work your cards right.


ANNA BRADING. Yeah. I was going to say, how much are they paying?


CAROLE THERIAULT. Passive income. Hello.


ANNA BRADING. Yeah.


GRAHAM CLULEY. Paid by the word would be good, wouldn't it?


ANNA BRADING. Lovely.


CAROLE THERIAULT. And it would depend what the company was. But what if it was GB News or Vagisil, right? Or McDonald's?


GRAHAM CLULEY. I don't know that I'd care.


CAROLE THERIAULT. You wouldn't care?


GRAHAM CLULEY. Because then I could create my own videos with the voice of Vagisil or GB News saying things which they wouldn't. To differentiate myself. I could undermine them.


ANNA BRADING. Yeah, but you have been signed into non-existence by the legal team, and you wouldn't be able to do that, Graham.


GRAHAM CLULEY. Oh, I see. Oh, the bloody legal team.


ANNA BRADING. I know, they're always around.


CAROLE THERIAULT. Now, you guys all know about ChatGPT, and you remember their frontman, Sam Altman. We talked about it in episode 349. Yes, I did my research. And this is where we covered the whole fiasco of his being ousted by OpenAI board, the dudes behind ChatGPT. This is the company that is heavily, heavily backed by Microsoft.

And at the time, the fight was all whether Sam Altman was moving a bit too fast and furiously and maybe not considering the AI commoditization potential fallout. But weirdly, Altman was quickly brought back in, right? And OpenAI carried on as though nothing ever happened.

That's my memory of it. It was crazy times. So if Sam Altman calls you up, you guys are like, "Yeah, yeah, we're in."

Well, actually, you don't agree right away. You might kind of go, "Tell me more, please." And they say they want to use your voice because it sounds soothing, right? Sultry. Maybe, in Graham's case, like the Easter mouse.


ANNA BRADING. Graham's a well-established voice. He might not want his voice associated with—


CAROLE THERIAULT. Right! Right. And he knows that they can then use his voice to say anything they want, and he doesn't like that.


ANNA BRADING. So—


CAROLE THERIAULT. But then say people start going crazy saying, "Oh my God, did you work with this company? Did you work with them? Here's your voice." Because this is what happened to sultry voice Scarlett Johansson.

And she just issued a statement last week saying that she, 9 months ago, was approached by Sam Altman, right? This was back in November, saying he wanted her voice to represent his new ChatGPT assistant voice. And he said her voice would be comforting to people. But she declined the offer.


GRAHAM CLULEY. Right?


ANNA BRADING. Right. Yeah, yeah.


CAROLE THERIAULT. But then Sam demos the new chatbot on May 13th last week and, you know, saying, oh, it works faster than previous versions and can reason across text, audio, and video in real time. And in the demo, the AI bot chatted in real time, adding emotion specifically more drama to its voice as requested.

But weirdly, all this, all this going on, it sounded an awful lot like Scarlett Johansson, the person who was approached but declined the offer of having her voice used in this way.


GRAHAM CLULEY. And she was famously in a Hollywood movie, wasn't she? About an AI or something where she voiced it, I think.


CAROLE THERIAULT. Yeah, her. She did voice it. Exactly.

The other thing is CBC reported that many people commented during the demo on the strangely flirtatious moments that arose, which would not be expected in this instance. So maybe you guys can try this out because this is what happened. Let's see if you can do this in a sultry way. Okay.


SANDY BIRD. Okay.


CAROLE THERIAULT. So in one video posted by OpenAI, a female voice ChatGPT compliments a company employee on "Rocking an OpenAI hoodie." Is that sexy, wearing an OpenAI hoodie? Is that a cock-up, Graham?


GRAHAM CLULEY. Not for me, no.


CAROLE THERIAULT. It's just— and another, the chatbot says, "Oh, stop it. You're making me blush," after being told it's amazing, right?


ANNA BRADING. All right, yeah.


CAROLE THERIAULT. So Scarlett, later in her statement, she says, quote, "When I heard the released demo, I was shocked, angered, and in disbelief that Mr. Altman would pursue a voice that sounded so eerily similar to mine that my closest friends and news outlets could not tell the difference." Oh dear.


GRAHAM CLULEY. Do you think Sam Altman's got a thing for ScarJo, as I believe she's called?


ANNA BRADING. Sounds like it, doesn't it?


CAROLE THERIAULT. Who doesn't? Come on. Anyone with a pulse.


GRAHAM CLULEY. And he probably thought, because he's a multimillionaire or whatever he is, that, you know, she'll just do it. If I want, and if she doesn't want it, I'll just do it anyway, because what's the— Yeah. What's going to happen?


CAROLE THERIAULT. Well, that's what I think, because then maybe she'll make a big hoo-ha publicly. Doesn't hurt me none.


GRAHAM CLULEY. I don't think she's ever made a hoo-ha public.


ANNA BRADING. Unless she's on—


GRAHAM CLULEY. Unless she's been using the wrong version of iOS.


ANNA BRADING. Or on your AI generator. Animated photos.


CAROLE THERIAULT. I think he mentioned her actually by name, actually.


ANNA BRADING. Oh, did you? Oh yeah, you did.


CAROLE THERIAULT. Yes, you did.


GRAHAM CLULEY. Oh yeah, yeah.


CAROLE THERIAULT. But see, Mr. Altman even insinuated that the similarity was intentional in a tweet, 'cause he did a single word tweet, "Her." Yeah. Reference to the film in which she, you know, she voices the AI chat system.

A week has passed. What I'm finding amazing about this is one week has passed since the chatbot was demoed. Johansson said that as a result of OpenAI's action, she was forced to hire legal counsel who wrote two letters to Altman and OpenAI setting out what they had done and asked them to detail the exact process by which they created the Sky voice.

That's what they call this AI voice, Sky. And guess what? Altman and OpenAI, rather than explain, decide to suspend the voice. Of Sky. That sounds a lot like Scarlett Johansson.


GRAHAM CLULEY. But she's gonna want money because do you remember, I think it was Scarlett Johansson, there was some movie where she was going to get a percentage of the box office takings and because Disney or whoever it was decided to put it on streaming instead, or after one week of theatrical release, her earnings went down considerably.


ANNA BRADING. Yeah.


GRAHAM CLULEY. She kicked off a fuss and ended up getting a big wodge of cash.


CAROLE THERIAULT. Good for her.


GRAHAM CLULEY. Well, I don't say no either. I agree with you. Now, I would expect she'll go after OpenAI and say, well, you may have taken it down, but you've still used my name.

You still used my voice. Yeah. Without permission, you asked and I told you no, but you went ahead and thought you could do this anyway. So I would think good for her.


CAROLE THERIAULT. 100% agree. Okay, but yesterday, so this is on the 19th of May. So yesterday, day of recording, May 19th, a blog post comes up on OpenAI.

And one of the paragraphs says, okay, "We believe that AI voices should not deliberately mimic a celebrity's distinctive voice. Sky's voice is not an imitation of Scarlett Johansson's, but belongs to a different person, different professional actress using her own natural speaking voice. To protect her privacy, we cannot share the name of our voice talent." Of course.


GRAHAM CLULEY. But she is also a professional sound-alike of Scarlett Johansson.


CAROLE THERIAULT. But I'm with you, I think this whole thing is a huge PR stunt. He asked her, she said no, he said screw it, we're just gonna go ahead because it's going to get us loads of press coverage, and if she kicks up a fuss then that gives us more press coverage.

And look at here, they might even get on Smashing Security.


ANNA BRADING. That's why. Yeah, it's kind of invasive though, isn't it? Yes, it's horrible.


GRAHAM CLULEY. He's a total cockwomble, that's what he is.


ANNA BRADING. What's more than that?


CAROLE THERIAULT. I think it's kind of digital abuse. There's this weird new thing. It's like, yeah, yeah, it's she said no, he did it anyway, and he's going, fuck you. It's a power play. It's gross.


ANNA BRADING. Exactly. Yeah.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Mind you, if they wanted to use my voice, that'd be quite cool.


ANNA BRADING. Would you have said yes?


GRAHAM CLULEY. I might have asked for about £100, so I'd have a little bit of money, but yeah, that would— that, that— but yeah, I'd probably— I'd probably—


ANNA BRADING. Yeah. And imagine the ego, Graham, if it was using your voice the whole time. It'd be great.


CAROLE THERIAULT. You could just listen to yourself. You could be like, live in your own echo chamber and never listen to anyone but yourself. And you'd be like, oh wow, this is so great. Transcendental, man.


GRAHAM CLULEY. I wouldn't have to turn up to this podcast each week.


SANDY BIRD. No.


GRAHAM CLULEY. Just get ChatGPT 4.0 to do it.


ANNA BRADING. Program it quickly, done.


CAROLE THERIAULT. I'm not sure anyone would notice, Graham. If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with the click of a button, what would you say? Sonrai Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions. Even better, the solution maintains this level of risk reduction by automatically enforcing least privilege policies as new identities are added to the environment. What's better? The fact that you can test drive the Sonrai Cloud Permissions Firewall for free for 14 days. Go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I. And thanks to Sonrai Security for sponsoring the show.


GRAHAM CLULEY. Long-term sponsors Kolide were acquired by 1Password earlier this year, and both companies are leading the industry in creating security solutions that put users first. Kolide Device Trust helps companies with Okta ensure that only known and secure devices can access their data, and that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today. That's K-O-L-I-D-E dot com/smashing. And thanks to Kolide for supporting the show.


CAROLE THERIAULT. If you are building a SaaS business, achieving compliance with ISO 27001, SOC 2, or other in-demand frameworks can unlock major growth for your company and establish customer trust. However, this process is often time-intensive and costly. Vanta automates up to 90% of compliance work, getting you audit ready quickly and saving you up to 85% of associated costs. And Vanta scales with your business with a market-leading trust management platform to help you continuously monitor compliance, unify risk management, and streamline security reviews. Join 7,000 global companies like Atlassian, Flow Health, and Quora that use Vanta to build trust and prove security in real time. Watch Vanta's on-demand demo at vanta.com/smashing. That's vanta.com/smashing. And thanks to Vanta for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


ANNA BRADING. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. My Pick of the Week this week is a TV show. I have been watching it on BBC iPlayer, but it is not a BBC program.


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. It is a program which actually came from RTE, which is the Irish TV network, and it is a drama series called Kin. Have either of you seen Kin?


CAROLE THERIAULT. K-I-N. Oh, I think I have. I'm looking it up right now.


ANNA BRADING. I've seen parts of it, but I had to stop.


GRAHAM CLULEY. Why did you stop? Because it wasn't very good?


ANNA BRADING. No, no, I thought it was very good. But as a mother of a son, I couldn't watch it. I'll say no more.


GRAHAM CLULEY. I understand.


ANNA BRADING. But it was too much.


GRAHAM CLULEY. So, Kin is a drama about warring gangsters. And it stars Aidan Gillen, who you may remember from Queer as Folk back in the day, and Charlie Cox, who some people may know as Daredevil, and Claire Dunne. And it is utterly binge-worthy, unless you have kids.

Because you are watching the machinations amongst a family of criminals as they jockey for position and power. In a struggle with another gang of criminals. And apparently, it is actually inspired by a real-life and ongoing feud happening in Ireland between two criminal gangs, which I won't name in this podcast, because I don't want them showing up on my doorstep.

That has resulted in multiple deaths. I think it's very well written and directed. Brilliantly acted. Wonderfully violent.


ANNA BRADING. It's very violent.


GRAHAM CLULEY. It's very violent.


CAROLE THERIAULT. Yeah, I'm not into that.


GRAHAM CLULEY. Yeah, probably not for kids. I don't watch many things like this, but I thought this was really good. And I've really enjoyed it. So if you fancy something a little bit adult— You may want to plot out on a piece of graph paper the family tree, though.

I found it very difficult working out who was a brother of who, and who was a son, and who's the uncle, and hang on, how are they related? So, get your pen and paper out. But really, really good. Really enjoyed it. Kin, which is on BBC iPlayer if you can't find it elsewhere. Anna, what's your pick of the week?


ANNA BRADING. My pick of the week is a bit different, but I wanted to talk about it because it's— Well, I like it anyway. So, have you heard about The Portal that everyone's been talking about?


CAROLE THERIAULT. The Portal? No.


ANNA BRADING. So, it's a visual arts exhibition in Dublin and New York, and it's created by a guy called Benediktas Gylys. And so in Dublin and in New York, there's a giant circular screen. It looks like a massive porthole and a video camera which broadcasts a live stream from one side to the other.

So people in Dublin can see people in New York, and people in New York see people in Dublin. They can interact, they can make faces.


CAROLE THERIAULT. Kind of like a FaceTime.


ANNA BRADING. Yeah, like a giant FaceTime. So I think that's nice, friendly fun, right? And I've got friends in New York, and if the portal was nearer to me than Dublin, I'd definitely give it a go. I'm not going to go to Dublin for it. However, we can't have nice things, so a man mooned the camera.

Someone took drugs on camera, an OnlyFans model flashed the portal, and it was closed down.


CAROLE THERIAULT. Was it a nice butt that was being mooned?


ANNA BRADING. Oh, I didn't see it. I've seen the OnlyFans one. Yeah, so they had to close it down for a bit. It's up again now. They've implemented more safety features, so if you hold a phone up, or if you step onto the exhibit, it will blur the screen.

But anyway, I think it's a nice thing, and I think people shouldn't ruin nice things. So I'm glad it's back.


CAROLE THERIAULT. It's just because everyone wants their 10 seconds of fame now, right? And they'll do anything.


ANNA BRADING. I know. Yeah, I know.


GRAHAM CLULEY. And everyone's an exhibitionist. Now we've been denied the pleasure of seeing our deleted photos popping up on our iPhones anymore after the update.


ANNA BRADING. Gotta get the kicks where you can.


GRAHAM CLULEY. Exactly. Exactly. That's what you gotta do. How funny. Carole, what's your pick of the week?


CAROLE THERIAULT. So I was arting it up this past weekend. Thank you both of you came to the show. Fantastic.


GRAHAM CLULEY. Aw. My pleasure.


CAROLE THERIAULT. And because I was doing that, my Yeti, my other half, said he would make us a fancy yummy dinner for Sunday evening. Had finished everything. Lovely, I say, right? So I come home after, I don't know, it's probably about 7 o'clock on Sunday, happy but so exhausted from the day.

But the smells from the kitchen were out of this world. He made me chicken rendang. It's slow-cooked chicken and braised in coconut milk and full of spices and herbs.

And you've gotta make it the day before and let it sit and all this stuff. So good. It was so good. Mind-blowing.

So I was, you know, where'd you get this? And he was, Felicity Cloake. Right now she does a food column called How to Cook the Perfect from The Guardian.


ANNA BRADING. Oh, yeah.


CAROLE THERIAULT. Yeah. You used her before.


ANNA BRADING. Yeah. Yeah.


CAROLE THERIAULT. She's great. I'm sure I've mentioned her on this in Pick of the Weeks in previous years, but she's a fantastic resource for those of you to kind of go, I want to try and make this, but it's kind of your first time doing a dish. Because she'll kind of go through about 5 different approaches to how people make it, and then she'll take the best bits for her and why she's taking it, and then put it into a whole new recipe.


ANNA BRADING. Yeah. It's very cool.


CAROLE THERIAULT. So my pick of the week is 2 things. One, Felicity Cloake's How to Cook the Perfect Chicken Rendang, and any of her recipes. But also, my Yeti for looking after me.


ANNA BRADING. Aw.


CAROLE THERIAULT. You know?


ANNA BRADING. He's so good.


CAROLE THERIAULT. He is good.


ANNA BRADING. And he is a great chef.


CAROLE THERIAULT. Yeah, I know he's taken over now. He's better than me, which really sucks because that was my little thing. But, uh—


ANNA BRADING. You are both excellent.


GRAHAM CLULEY. But give him a paintbrush, Carole. He'd probably be better at you than me.


CAROLE THERIAULT. He probably fucking would be. Honestly.


GRAHAM CLULEY. Now, Carole, you've been busy this week, haven't you? You've been chatting to the chaps at Sonrai.


CAROLE THERIAULT. Yes, had a really illuminating chat with Sandy Bird, co-founder and CTO at Sonrai Security. Listen up. So, a treat for you listeners out there. We have a cloud security expert in the hot seat, and this guy knows his security onions.

Sandy Bird. Sandy is the co-founder and the CTO at Smashing Security. This is the company that helps you protect your data by securing all the stuff in the cloud.

But these guys take a different approach and we are gonna find out just how it works. But first, welcome to Smashing Security, Sandy.


SANDY BIRD. Hey, thanks for having me, Carole.


CAROLE THERIAULT. Our pleasure completely. Now maybe, Sandy, you could tell us a little bit about yourself and what led you to co-found Sonrai Security.


SANDY BIRD. Yeah, look, I think for 20 years now I've been doing some form of security work. I spent the early parts of my career doing analytics on log data to find, you know, odd patterns and threats and things of that nature.

But as I moved along my career path, I spent a lot of time, especially when I was at IBM after they acquired Q1 Labs, looking at all of the aspects of security, identity security, application security, all of these things. And one of the things that I thought was so intriguing about cloud and our transition to cloud was that most of the controls were identity-based in terms of keeping the good guys in and keeping the bad guys out from that perspective.


CAROLE THERIAULT. Right, authentication, you mean, so the right person has access.


SANDY BIRD. Authentication, access, permissions. Sometimes in cloud, it gets a little gray as to where the authentication is happening and exactly how it's happening, especially when you have things like resource policies. Absolutely, it's the key thing that controls that whole world.

And so I just found it really intriguing. I thought we could do a better job for the first time in cloud than we maybe did in enterprise, and that's what started Smashing Security on a better model for access.


CAROLE THERIAULT. Okay, so you've hinted a bit at this, but you're trying to solve this specific problem and you guys seem to have taken a different route as to how to handle it. So can you tell us a little bit about that?


SANDY BIRD. No path is a straight line, Carole. I wish it was.


CAROLE THERIAULT. You don't really—it would be boring. Come on.


SANDY BIRD. It would be so boring. I had this hypothesis probably 4 years ago when we started Sonrai that because we had all of the audit data for every identity and what it was doing in the cloud, and we had a representation of all of the access policies and role assignments and things depending on which cloud you're in—they're called different things, but basically the mapping of the permissions to the identities—we could correlate the two together and get a perfect picture of what it should look like, and then we could basically correct it all and make it perfect.

And after spending 4 years of my life trying to get people to do that, I realized there's a couple fundamental flaws in it. One is that at the scale of cloud, you have many different teams building apps for different purposes, and the centralized—they call them different things—cloud infrastructure team, cloud ops, cloud, they have different names, but the central team that governs that whole cloud infrastructure didn't have control of the development teams and what they were doing.

So they were basically, you know, they could build the perfect policy, they could put it in a Jira ticket and say, you have to go fix this. But if the team didn't do it, it just never got corrected. And we would see customers that after a year had just not corrected very many of these kind of least privileged problems that they had.

And we had this—this is a good story, Carole. I had this one very successful customer: they had 2,000 of them that they fixed in a 10-month period. But I think we measured it—I think they had more than 2,000 new identities at the end of the 10 months. So you know what I mean? They're just falling further behind.


CAROLE THERIAULT. It's playing catch-up, though. I think a lot of companies must be in that position because I suspect not all IT people are extremely au fait with actually tackling these things on their own, right? They may be tasked with the job, given no resources to actually do it, and that can lead to you chasing your tail a little bit, do you think?


SANDY BIRD. I think it's exactly true. You know, we always blame—security comes last. It doesn't really come last, but the reality is there's a lot of different priorities for these teams and their goal to get stuff out the door and be innovative, and they should be gold that way.

And so we started to do some measurements of this, and I think one of the key things—you kind of say different teams—the longer people were in cloud, the worse it got. And we kind of did this interesting data report where we saw that.


CAROLE THERIAULT. How do you mean longer in cloud? They were early adopters or that kind of thing?


SANDY BIRD. Early adopter in cloud now is many years. But even if you were in cloud for 5 years, say, if you were there for 5 years, the amount of, we'll call it cyber litter in your cloud, you know, identities that are there that have permissions that haven't been used in 2 years, that number just grows and grows and grows. And then the same thing with these excessive permissions, right?

People give them, they didn't know how to get the workload to work, so they gave it star permissions, but then they don't use it anymore. And 2 years later, it's still sitting there. And these numbers just kept getting bigger and bigger and bigger the longer people were in cloud. So yeah, big problem.


CAROLE THERIAULT. And it gets complicated because the environments get more complex. Some people have permissions. They've left the company. Those doors haven't been closed. New people come in. You give them too many permissions. They have access to stuff they shouldn't have access to. And then to kind of clean that up is a bit like trying to clean out my email at the moment. You know, I just look the other way.


SANDY BIRD. I think that was the biggest epiphany I had. We were trying to get people to do the most simple task, which is, look, just delete the stuff that hasn't been used in a long time. Here's a perfect list of the 10,000 identities that haven't been used because it's a mix of people and workload identities, right? So you have both sides.

And so it was this very large list and no one would do it. And the reason it was perfectly automated, could be done in a minute, you know, but no one would do it. And you say, well, why won't you do this? Well, I'm afraid you've got it. The fear, the fear comes in.

There's so many examples they give us, Carole. Sometimes it's, as you say, those people have left the company. I don't know how that thing's configured. And if we take it away and someone asks me to put it back, I can never put it back. I don't know how to do that, right?

Or, you know, that's a break glass account. We don't want to delete that one. Okay, well, do you have a list of all your break glass accounts? I don't think we do. You know, and so there's lots of excuses.

And so we really had to invent a different way, which is really what we're into now, which is let's not try to make everything perfect. Let's get people to a great state automate it, do it super quick, and then have a way to get the permissions back if you need them.


CAROLE THERIAULT. I love it. Now, you guys have, at Sonrai, have just put out your findings on basically cloud research and how, you know, we use or misuse it. So first question would be, what question were you really hoping to answer in putting out this research?


SANDY BIRD. One of the problems that we had was we were going to build this new method that said, we're going to cut off the most sensitive permissions from everything that doesn't use it. And grant it back to the things that did. And so we needed to measure that to understand what that gap was.

The second part of that though was step 2, which was, okay, well, if a new workload gets built tomorrow or something that's old needs it back, you want to wake up one of those old identities. How many times would that happen to an average team? And so we needed to measure that.

So we, because we did that, we took a large set of our public cloud customers and we kind of did these overall statistics across them so that we could get a bunch of these numbers so we could give people confidence that, you can do this, it solves a massive gap, but the burden on the team on the next day will be low. And so that's why we built the report.

Some of the numbers that came out of it are kind of surprising. They're higher than I would have thought of. I think you can divide them between things that I assumed that were correct and things that I assumed that are wrong.


CAROLE THERIAULT. Okay.


SANDY BIRD. I knew the number of workload identities was higher than the number of people identities when you look at public cloud. The whole point of these things is to build workloads that do amazing things and build products on top of. So they should have a lot of workload identities. And on average, you would see that split, you know, 20/80, 20% people, 80% workload identities. And I think that's a good mix.


CAROLE THERIAULT. Yeah.


SANDY BIRD. What really surprised me though, when we looked at the, we'll call it two main use cases. One is these sensitive permissions that are granted to an identity that are not used, and then identities which are not used at all.


CAROLE THERIAULT. So they're never touched by anybody. No one.


SANDY BIRD. They're never touched at all. Right? If we look at these sensitive permissions, the workload ones are really interesting. You end up with this. So across all identities, 92% of the identities sitting in the cloud have at least one of these very sensitive permissions, which it's not using.


CAROLE THERIAULT. Oh.


SANDY BIRD. However, 87% that contribute to that are the workload identities. So the workload identities are actually, the people identities are actually not as bad. You know, we always joke that we give humans too many credentials. Well, apparently we give the workload identities way too many credentials. They're way worse than the humans are in this particular case.


CAROLE THERIAULT. Can you give us a tangible example? So maybe some of our listeners are not the IT person. So what does that mean?


SANDY BIRD. So say as an example, you know, you have a— we use a simple example. You have some big website that, you know, I don't know, books taxi drives for people or something. You know, these apps exist and they run on these public cloud infrastructures.


GRAHAM CLULEY. Okay.


SANDY BIRD. And when it goes to do that, you know, it needs to maybe update a record in a database. That makes sense. You know, somebody's gonna book a ride, we gotta put a record in a database so we can schedule their driver.


ANNA BRADING. Mm-hmm.


SANDY BIRD. Well, when it goes to update that record, it needs a permission to probably write a record into a table or something. But the developer probably couldn't get it to work the way that they wanted to. And if they were using a cloud service for that database, BigQuery and GCP or DynamoDB and Amazon, maybe they just gave it the star permission for the entire database. And then they try it and it worked and they're like, great, it works. I'm gonna move on to my next thing. Right. But they didn't need all of the, they didn't need to delete the database, they didn't need to create a new database, they didn't need to do all those things, but they gave it too many permissions. And so when an attacker gets ahold of that, well, they can destroy your world, they can ransomware the data, they can do all these types of things. And it's these workload identities that are so over-permissioned that way.


CAROLE THERIAULT. Yeah. I can totally imagine that. You know, if it's hard to get my key, you know, one key out for my neighbor to keep an eye on what's in the garage, I can give 'em the whole set. And if he's— yeah, and I just go, don't worry about it.


ANNA BRADING. He's a good guy.


CAROLE THERIAULT. Not going to worry about it. Nothing's happening badly right now. But then years go by and years go by and time goes on and that's still just sitting there, right?


SANDY BIRD. Exactly. Exactly.


CAROLE THERIAULT. So was there anything in there that you thought, God, why haven't we learned how to fix this yet? Anything like that in the report where you thought, look, you know, what's frustrating you in terms of what IT people aren't able to do or aren't doing yet that would help them immensely?


SANDY BIRD. I think in the data report, there's a thing that we're doing with human identities that we're not doing with the machine identity. So I go back to this unused example, and when you split that report between machine and humans, we find out that 12% of the human identities that are in the cloud are unused.

Well, that means, you know, there's almost 90% that are used. And so that's not perfect, but it's pretty good. And what that probably means is our, we always call it the leaver or mover or joiner problem in humans.

When they leave the company, when they join the company, when they move groups, we're probably doing an okay job of their permissions and getting them at least in the cloud. And when they're not supposed to be there anymore, we're removing them.

And so that's the reason you don't have that many unused human identities. But the non-people identity, this is one of the highest statistics in the report, like 88% of the 61% of completely unused identities were these machine identities. And what it probably means is there's no process in companies to clean this stuff up.

You know, it's not—


CAROLE THERIAULT. Exactly. Yeah, I understand. Yeah.


SANDY BIRD. The auditor comes in, the auditor doesn't say, well, did you remove the serverless function's identity when it was no longer used? You know, they don't ask those questions. And so I think that's why there's so much of that kind of litter that gets left over.


CAROLE THERIAULT. Yeah. Any advice? Okay, so just before we close, is there any advice? So someone's listening right now and going, yeah, oh, this feels like this could be good for me. You know, how do I go about it? What would be their first steps to take?


SANDY BIRD. Yeah, I think, you know, we have several, you know, if you're, and I'll use AWS as the example, you know, Azure and GCP have similar functions here. There are centralized controls in all three clouds where you can actually cut off the craziest permissions that don't need to be there.

You know, I joke Azure has this really interesting permission that allows you to take a disk volume on a running virtual machine and make it a public URL on the internet. I don't know why you would ever want to do that, but the permission exists.


CAROLE THERIAULT. And so, yeah, you sneeze and you have your finger on the mouse.


SANDY BIRD. Yeah, exactly. And it happens. And so in those scenarios, maybe you want to put some centralized controls in to block the things you really don't want to have happen, right? If you don't want pre-signed URLs of your analytics workloads and machine learning workloads, let's block those centrally.

And the clouds all have ways to do that. The other thing is that all of the clouds have inventories where you can see how long it's been since identities have been used.

You should be looking through that once in a while and cleaning that up and having a process for that. Have a hack day for 4 hours one morning where you just get the team in a room and say, we're going to look at our one account here and we're going to look at 50 identities and remove those if they're not used.

And that's a good way to start if you don't have tooling to help with this stuff. If you're the type of company that can afford tooling, then you look at something like Smashing Security and we can automate huge amounts of this.

We can divvy the work out to the teams. We can cut these things off with this cloud permissions firewall really quickly.

There's ways to do it at scale and easier. But even if you don't, you're a small company, you're a startup, there's still something you can do just by actually taking a look at those identities that are unused and centrally blocking the things that you really don't want to happen in your cloud.


CAROLE THERIAULT. Brilliant. Is there anything else that you'd like to add, Sandy?


SANDY BIRD. Hey look, I think Carole, everyone should take a look at this data report. It's really interesting, the statistics in it. And if it's something you're interested in trying to clean up, we've got some links to our website and ways people can do free trials of some of the tools that help manage this.


CAROLE THERIAULT. You've heard Sandy, listeners. You can read Sonrai's latest research and try its cloud permission firewall for free, 'cause you never know, you might be leaving a bit too much on show.

So go to smashingsecurity.com/sonrai. That's S-O-N-R-A-I. And Sandy Bird, what a pleasure. CTO and co-founder of Sonrai Security. For coming on the show.


SANDY BIRD. Thanks, Carole.


GRAHAM CLULEY. Fascinating stuff. And that just about wraps up the show for this week. Anna, I'm sure lots of our listeners would love to follow you online and find out what you're up to.

What's the best way for folks to do that?


ANNA BRADING. I'm @AnnaBrading on X, or Twitter.


CAROLE THERIAULT. Ugh.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity. Smashin Security, no G, on Twitter, and don't forget to ensure you never miss another episode.

Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge shout out to our episode sponsors, Vanta, Sonrai, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 372 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


ANNA BRADING. Bye-bye. Bye-bye.


GRAHAM CLULEY. Ah, well done. It was all a bit grubby.

All a bit grubby this week. With the portal, with the OnlyFans flashing, with the photos.


ANNA BRADING. With the non-consensual.


SANDY BIRD. Oh.


CAROLE THERIAULT. I wasn't grubby.


GRAHAM CLULEY. I know you weren't that grubby, although I think Sam Altman might be a bit of a—


CAROLE THERIAULT. No, I just think we already knew that he was a bit doolally.


ANNA BRADING. It's weird. That is weird.


SANDY BIRD. Yeah, creepy.

-- TRANSCRIPT ENDS --