
389: WordPress vs WP Engine, and the Internet Archive is down


WordPress's emperor, Matt Mullenweg, demands a hefty tribute from WP Engine, and a battle erupts, leaving millions of websites hanging in the balance. Meanwhile, the Internet Archive, a digital library preserving our online history, is under siege from hackers.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Flashpoint – Access the industry’s best threat data and intelligence.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. Tim Cook is not going to park outside your little lemonade stall and be happy about what you've done because you're trading.


CAROLE THERIAULT. I don't think he could give a shit. You don't think he'd care at all? Really?


UNKNOWN. Smashing Security, episode 389: WordPress versus WP Engine and the Internet Archive Ransomware Shavers Down with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 389. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hi, Carole. How are you doing?


CAROLE THERIAULT. I have COVID.


GRAHAM CLULEY. COVID? That's so 3 years ago, Carole.


CAROLE THERIAULT. Yeah, well.


GRAHAM CLULEY. You're off trend.


CAROLE THERIAULT. I'm off trend. It's the first time in my life. No, so I may be a little bit less enthusiastic this week, but I'm here, right? I'm here. So huzzah to that. And how are you, Graham?


GRAHAM CLULEY. I'm all right. I went on a lightning dash to America last week for the Rochester Security Summit, where I was given a keynote. Fortunately, I didn't come back with any unpleasant disease, as far as I know. That's all good news. First time to America since the big pandemic for me, though. That felt like a milestone. And also great to meet some listeners to the old podcast.


CAROLE THERIAULT. It's not old.


GRAHAM CLULEY. Well, we've been going for about 8 years now, Carole.


CAROLE THERIAULT. Jesus.


GRAHAM CLULEY. Quite old for a podcast.


CAROLE THERIAULT. Okay, don't. I'm gonna fall off my chair. How about we kick this show off and thank this week's wonderful sponsors, 1Password, Vanta, and Flashpoint. Now coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be asking what the fork is going on at WordPress and WP Engine.


CAROLE THERIAULT. And we are going to see what's hitting the digital banks of the Internet Archive and the Wayback Machine. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, the internet, ah, it's a wonderful thing, isn't it? Not just wonderful in technological ways, but also it's a place of peace, calm reflection.


CAROLE THERIAULT. The internet?


GRAHAM CLULEY. Yes. A safe sanctuary from craziness and drama. That's what I love about it.


CAROLE THERIAULT. Well, I think it depends how you use it, don't you think?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. If I listen to some deep sleep music, right, on YouTube.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. It's pretty chill.


GRAHAM CLULEY. That is pretty chill. I'll tell you something else that's pretty chill, at least normally, is the very calm waters which are WordPress. It's hard to imagine anything dramatic happening with WordPress. It's been there for years and years.


CAROLE THERIAULT. Maybe explain what WordPress is just for some people, because not everyone's, you know.


GRAHAM CLULEY. So WordPress is a free open-source web content management system, also known as a CMS. A lot of people think of it as a blogging platform, but it's much more than that. It allows people to create and host their own websites. And lots of businesses use it for that as well, even if they don't have a blog. And there's an almighty ding-dong going on between the founder of WordPress and a company called WP Engine that helps users host their WordPress websites.


CAROLE THERIAULT. Okay, so one allows you to create a website and the other one allows you to host. So these guys should be basically friends.


GRAHAM CLULEY. They should be friends. And there are lots of companies which help you host your website because when you create a website with WordPress, with that software, you have to put it on a server and you can either put it on your own server, which means that you end up spending all your time maintaining the server yourself. You're probably going to have to grow a beard and wear sandals. Or you have to find a company to run the server for you, a company like WP Engine, and then they will run the free open source WordPress software on the server for you.

And because it's still WordPress, it can automatically update itself. You can augment it with plugins and add-ons to make the website do whatever you want to do with it. My website runs on WordPress. Your website runs on WordPress, Carole. The New York Times runs on WordPress. Government websites run on WordPress. Little mom and pop stores, they run on WordPress. 11 billion websites around the world. That's my number, by the way.


CAROLE THERIAULT. They're the McDonald's of websites. Okay.


GRAHAM CLULEY. They are, but the Mickey D's arguably, arguably better quality. I would suggest that they're a success because it's a great platform. It's the most popular content management system, CMS, in the world. It's used by businesses of all sizes and individuals. 43% of the web is reckoned to be using WordPress.


CAROLE THERIAULT. See, that's surprising. I would never have thought that. If you had asked me that, I would probably have gone 5 or 10. Isn't that interesting?


GRAHAM CLULEY. It's astonishing. WordPress is huge.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And the big cheese, the head honcho, the benevolent dictator, some would say the supreme emperor of the WordPress galaxy, is a guy called Matt Mullenweg. And he's a genius. He's brilliant. He's passionate. He's deeply committed to open source and the philosophy behind it. But Matt has gone nuclear.


CAROLE THERIAULT. About something specific, I'm guessing.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Rather than actually exploding.


GRAHAM CLULEY. He hasn't combusted. No, he hasn't.


CAROLE THERIAULT. Good.


GRAHAM CLULEY. There's not a mushroom cloud over his—


CAROLE THERIAULT. It was going to be a weird segue for the show, I thought. Yeah.


GRAHAM CLULEY. That would have been interesting. No, there's some reality TV-style drama right now involving WordPress. And what it comes down to is there's this humongous ding-dong going on between Matt Mullenweg, the millionaire founder of WordPress, the CEO of Automattic, which runs WordPress.com, which is a hosting platform. Don't confuse it with WordPress.org. And a company which offers WordPress hosting to businesses called WP Engine.

Right now, I'll put my hands up, full disclosure and everything. I've been a customer of WP Engine before. I've hosted my website on WP Engine in the past, as well as other places. I'm not currently a customer of WP Engine. WP Engine is not a cheap WordPress host. You know, it's not like these WordPress hosts which offer to keep your site up for $2 a month, and there are plenty of those.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. If you use them, it's gonna cost you at least $20 a month for its most basic, simple offering.


CAROLE THERIAULT. Why are they allowed to charge so much more, do you think?


GRAHAM CLULEY. Well, they can charge what they. You know, it's market forces.


CAROLE THERIAULT. No, no, but why would you use it?


GRAHAM CLULEY. Because depending on how much traffic you get and how essential it is for your website to remain online, you may be prepared to spend hundreds of dollars per month. If you were a business and your website was an important part of your revenue or a way of communicating with the outside world, you would want to make sure that those servers stayed up and that they had the support teams, they had the infrastructure to keep them up, keep them working all the time. And if there is a problem, have a support team to go to.


CAROLE THERIAULT. And you thought your website was so vital to humanity that you need to pay an extra $18 a month to keep your site up and running?


GRAHAM CLULEY. More than that. More than that. More than that. I was, yeah. And to this day, I'm paying more than $20 a month with another host to keep my website up and running. So yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Maybe I have an overinflated sense of my website's importance.


CAROLE THERIAULT. No, no, shh, shh, shh, shh. I'm not sure.


GRAHAM CLULEY. Oh, hush. So organizations think it's important to keep their sites up and running, and you feel more confident if you're spending the money. And WP Engine has done really, really well. It's making $400 million per year in revenue at the moment.


CAROLE THERIAULT. Well, I don't know what their outgoings are, but yeah.


GRAHAM CLULEY. Well, they are doing very, very well. And frankly, Matt Mullenweg of WordPress is pretty pissed off about it.


CAROLE THERIAULT. Well, he's pissed off that they're doing well.


GRAHAM CLULEY. Well, yes.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And I'll explain why, because he has a company which is of a similar size called Automattic, which runs WordPress.com and some other services as well. And they say that WP Engine isn't contributing enough to make the open source WordPress project, that free bit of software at the heart of their companies, any better. And that WP Engine is enriching itself at the expense of the entire community. Amongst other things, he's claiming that WP Engine has violated WordPress's trademark guidelines. So imagine, for instance, you set up a lemonade stall outside Apple HQ in California, right? In Cupertino. And you started selling iLemonade.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Tim Cook, he's not gonna park outside your little lemonade stall and be happy about what you've done because you're trading.


CAROLE THERIAULT. I don't think he could give a shit. You don't care at all. Really? Really?


GRAHAM CLULEY. You know, there have been lots of little companies in the past which have got into trouble because they've had similar kind of names. Right? So it could happen. Now, WP Engine, it has those letters, WP. And Matt Mullenweg says that his mum got confused. He says his mum thought WP Engine was somehow a WordPress company connected with her son. And Matt Mullenweg says that WP Engine is in fact a cancer to WordPress. Those are his words. He says they're making half a billion dollars in revenue on top of WordPress, but they're only contributing back every week 40 man-hours of effort to improve WordPress. He says his own company, which is of a similar size, Automattic, contributes almost 4,000 people hours every week.


CAROLE THERIAULT. So it's basically the argument is I'm a better guy than you. Yeah.


GRAHAM CLULEY. So he's saying, if you're going to make that much money, you should either be giving us some money so that we can pay for developers to improve WordPress, which you are benefiting from that software. Or you should be putting in the effort yourselves because it's not proportionate to the amount of money they're getting.


CAROLE THERIAULT. Okay. So here, can I have my tinfoil hat? My theory, theory, theory.


GRAHAM CLULEY. Yes, yes, yes.


CAROLE THERIAULT. Conspiracy theory, Carole Theriault. I suspect that Matt did not specify this in the T's and C's when they made a deal with WP Engine. So there must be paperwork somewhere that says, you know, in exchange for X, you give us Y.


GRAHAM CLULEY. Well, it's open source, you see. So there's a GPL. The kind of license which you have is anyone can take the software and do what the heck they like with it. It's free. Go away.


CAROLE THERIAULT. Well, no, not if you want to. Not if they're demanding a certain number of hours, right?


GRAHAM CLULEY. He believes it would be under the ethos of WordPress. Sure. You should be contributing back. So there's no hard and fast rule. You are encouraged, but you don't have to.


CAROLE THERIAULT. Well, you do if someone's going to shame you publicly.


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. So how do you feel about this as a WordPress user? Are you feeling happy?


GRAHAM CLULEY. And I'm going to tell you more first.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Because the argument doesn't finish there, because legal letters are flying between these two companies and they're being very, very public about it. There are letters being written. People are telling each other to cease and desist. So right now, WP Engine says that Mullenweg is holding their company to ransom. They say that he's embarking on what he called himself a scorched-earth nuclear approach. WP Engine claim that Mullenweg is demanding tens of millions of dollars for a trademark licensing deal.


CAROLE THERIAULT. Yeah, so saying, give us some kickback because you guys got too rich on us and didn't put in the hours. Mm-hmm.


GRAHAM CLULEY. And there's no resolution in sight. And now things are turning really nasty because what has happened is WP Engine customers are no longer able to update their WordPress plugins. WordPress has blocked them from accessing the plugin repository, which exists on WordPress.


CAROLE THERIAULT. Oh dear.


GRAHAM CLULEY. So if your plugins on your website get out of date, they could have serious security problems, which hackers could exploit.


CAROLE THERIAULT. Geez, who peed in Matt's Cheerios, eh?


GRAHAM CLULEY. Right, now you're getting the story, right? So this is really bad and WordPress is publicly saying, well, if you've got a problem with it, speak to WP Engine.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Because WP Engine needs to play fair with us. So why should we continue giving them the access to our repository of all these plugins when they're not doing anything to benefit us? Nasty.


CAROLE THERIAULT. Well, okay, is it possible that behind the scenes for the last X number of years, WordPress has been saying, hey, WP Engine, you know, it'd be really nice if you guys would give us a bit more hours.


GRAHAM CLULEY. They have.


CAROLE THERIAULT. And they're like, yeah, thanks, no thanks.


GRAHAM CLULEY. Those kind of conversations have been happening. WP Engine hasn't stepped up maybe to meet Matt's demands as to what they should do. And so this, that's why this has now reached this level. And so you think, well, this is really bad for WP Engine's customers. So it's not just bad for WP Engine, it's bad for their customers. And they are a big player in the WordPress hosting market, right? They've got lots and lots of very big websites being hosted with them. But you may think, oh, well, it doesn't matter for us because we don't use WP Engine. Uh-uh. Because one of the other things that WP Engine do is they make a plugin, a very popular plugin called Advanced Custom Fields. It's probably in the top 30 of all WordPress plugins. I use it on my own site.


CAROLE THERIAULT. Really?


GRAHAM CLULEY. Yep. And under Matt Mullenweg's direction, WordPress has blocked WP Engine's coders from updating the ACF, or Advanced Custom Fields, plugin in the WordPress repository. They've been locked out until all these arguments are resolved.


CAROLE THERIAULT. So he's effectively setting up a perfect storm for any badasses who want to go in there and take advantage of any vulnerabilities that can't be patched because of this stupid—


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Spat they're having.


GRAHAM CLULEY. Which means not only WP Engine customers are now affected. So if a security hole were found in that plugin, it can't be fixed.

Yeah. And what do you know? Someone's found a security hole in that plugin. Can you guess who's found the security hole in the plugin?


CAROLE THERIAULT. No, I'm guessing not someone. I'm hoping it's someone good.


GRAHAM CLULEY. Matt Mullenweg. And his developers at WordPress have found a security hole in the Advanced Custom Fields, the ACF plugin.


CAROLE THERIAULT. The one that they're not allowing WP Engine to update.


GRAHAM CLULEY. That's absolutely right.


CAROLE THERIAULT. And tell me this, did they publish what they found?


GRAHAM CLULEY. Yes, they have.


CAROLE THERIAULT. You're kidding me.


GRAHAM CLULEY. So they've published, they've told WP Engine about it. They've told the world that this vulnerability has been found and they say, if you've got a problem with this, you need to take it up with WP Engine.


CAROLE THERIAULT. It's—


GRAHAM CLULEY. So there are now millions and millions of websites using a popular plugin. That's not great, right?

And you must be thinking, why is WordPress shooting itself in the foot like this? Because surely this is gonna rebound on them.


GRAHAM CLULEY. So what happens now if I or millions of other people using that particular plugin on our websites, regardless of whether we host with WP Engine or not, go to our setup and just check to see if it's out of date. Well, what we find right now is that plugin has gone from our computers because WordPress has unilaterally taken it over.

They've replaced it with another plugin called Secure Content Fields. They took WP Engine's code, they fixed the bug, they've renamed it, they've hijacked control of that plugin so anyone who was using that plugin is now using WordPress's version without the consent or prior knowledge of any users or indeed the owners of that plugin, which was WP Engine.


CAROLE THERIAULT. Geez Louise.


GRAHAM CLULEY. Now that feels to me like a supply chain attack because it is the kind of thing you don't want your plugin being taken over by someone unknown and changing the code. You want continuity.

Now, WP Engine have reacted to this saying, you know, basically, what the fuck? They are saying to people, if you want the original version of our plugin, which has now been patched, go to our website, download it from there instead of from WordPress.


GRAHAM CLULEY. But millions of people have been updated without their permission, without realizing what's happening. And when you see the social media posts being made by Matt Mullenweg and by the official WordPress account on sites like Twitter, you begin to wonder if they've lost their marbles, because they are acting like spoilt brats.


CAROLE THERIAULT. Is it just him? Like, is there a board?


GRAHAM CLULEY. There clearly are thousands of workers there, and there are tales that some people are really, really disturbed about what is happening to the community, 'cause people love the open-source community. They feel very strongly about it, as you can imagine.

Typical developer types, you know, they feel very, very passionate about this. And what they see is whatever beef Matt Mullenweg may have with WP Engine, it is innocent businesses and individuals who are being put at risk as a result of this.


GRAHAM CLULEY. And companies who are currently using WordPress as a platform, whether using WP Engine or not, are going to be thinking, did we make a good choice here? Because this one guy who's done this this time and is acting erratically could he do this again?

It's a really weird way to win friends and influence people.


CAROLE THERIAULT. Sounds to me like they're using him as an example. Unless it's just a complete war of vitriol that we don't know what's going on behind, because it's very weird. But could this be a warning to other people saying, you know, under this new WordPress regime, everyone must put in the hours as dictated by me?


GRAHAM CLULEY. Maybe that is partly it, but I think it was always really a sort of, it would be awfully nice if you did rather than a requirement that you had to. And so WP Engine, you know, I don't want to completely say they're blameless. Maybe WP Engine should be contributing more, right? Maybe they should be supporting the community more. I think that is a reasonable argument to have, but to—


CAROLE THERIAULT. Yeah, the strong-arming is a bit disgusting.


GRAHAM CLULEY. It feels like blackmail.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And I'm pissed off that my website's embroiled in it because I use that plugin. I have to choose, do I use the WordPress version or do I use the WP Engine version of this plugin? Who do I feel more comfortable with? And because WordPress powers, as I said, around about 43% of all the websites on the internet, this is a squabble which really matters. And right now the future of WordPress hangs in the balance. It's fascinating to watch.


CAROLE THERIAULT. I don't think the future of WordPress hangs in the balance.


GRAHAM CLULEY. I think it does. I think there will be—


CAROLE THERIAULT. You think there's going to be a huge, huge outcry and it's going to— it's not on the— it's not in the stock market, right? Because they're not floated, so they're private.


GRAHAM CLULEY. I wonder what's going to happen with Matt Mullenweg, because I wonder whether his staff are going to revolt about this and whether people are going to say, we can understand why you did this, but we can't understand why you did it like that, because you've taken things too far.


CAROLE THERIAULT. Yeah, well, it's going to be interesting to see what comes out next. Crazy drama.


GRAHAM CLULEY. Who needs Married at First Sight when you have WordPress versus WP Engine? Grab your popcorn. Carole, what's your story for us this week?


CAROLE THERIAULT. So I am talking about the Internet Archive and the Wayback Machine, and they have been seeing some trouble. You know what I mean when I'm talking about the Wayback Machine, because it's a cool endeavor, right?


GRAHAM CLULEY. Yeah. And the Internet Archive, it's unbelievable, isn't it? It's a great resource.


CAROLE THERIAULT. Yeah. I think I would kind of describe it as the internet's history book. Do you think that's fair? It's a digital library. I've seen someone describe it as that, of the internet sites across time.


GRAHAM CLULEY. It kind of makes a backup of the internet. That's the great thing I think about it is, if there's an article you really like, it may well have been preserved, or you can ask it for it to be preserved at the Internet Archive. And you can always access a copy of it, even if the original site gets taken down. And you can go back in time and see old versions of websites, which is really fun as well.


CAROLE THERIAULT. First began archiving cached web pages in '96, right? So you can kind of go see the first or the very early Apple pages or Microsoft pages.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. As of January this year, the Wayback Machine apparently archived more than 860 billion web pages. That was over 99 petabytes of data, which is ginormous, listeners. And, you know, it's a really useful tool, not just because it's fun to go look at these web pages, but many investigative journalists, historians, and activists use it all the time.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. A Berlin-based researcher who trains people to use the tool says, you know, we face the challenge of websites and web pages being modified, altered, or intentionally taken down. Sometimes it's to hide something that was previously published, or it now has a different connotation than was intended. So she calls it a precious tool.


GRAHAM CLULEY. Right. Yeah, I would agree with that.


CAROLE THERIAULT. And so many were dismayed to hear that the Wayback Machine was successfully breached last week. It seems the website was compromised with the attacker stealing a user authentication database. And you think, oh, okay. But the problem was it wasn't a tiny itty-bitty one. It contained 31 million unique records.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So how it started leaking out is visitors were going to archive.org, right? And they were seeing this JavaScript alert created by the attacker stating that the Internet Archive was breached. And it read, have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. It just happened.


GRAHAM CLULEY. Oh dear.


CAROLE THERIAULT. See 31 million of you on HIBP.


GRAHAM CLULEY. Oh, HIBP.


CAROLE THERIAULT. What's that, Graham?


GRAHAM CLULEY. That's Have I Been Pwned, Troy Hunt's little initiative. Yeah. So yes, you get an alert from them whenever your details come out in a data breach.


CAROLE THERIAULT. Exactly. Now, Troy told Bleeping Computer that he'd in fact received a data dump from the threat actors that included authentication information for registered members, including their email addresses, screen names, password change timestamps, bcrypt hashed passwords, and other internal data.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Now, I'm wondering, and I'm sure listeners are wondering too, why would a threat actor want to send their data to Have I Been Pwned?


GRAHAM CLULEY. Well, to look like the big dog, to show off to your mates, say, look what I did. Because maybe there's not that much that can be done with that data. I don't know. I mean, obviously you've got the email addresses. You could forge an email claiming to come from the Internet Archive and email people, maybe phish them or send them somewhere malicious. But it's not as though they're going to be raiding your bank accounts or something like that, is it?


CAROLE THERIAULT. No.


GRAHAM CLULEY. So I think it's more to show off, probably. It's for kudos. Yeah, yeah.


CAROLE THERIAULT. Because otherwise people would be like, well, we don't believe you. And I suppose maybe it's better to send it to Have I Been Pwned than to leak it.


GRAHAM CLULEY. And it gets the attention of the site that's been breached. So hopefully they will improve their security and fix the problem. Whereas a hacker just sending their own email to a service may get ignored. But if Troy Hunt contacts you, then you think, "Uh-oh, you know, I'm gonna have to take this seriously because millions of people are gonna find out about it."

Actually, as an aside, Troy started doing research, right?


CAROLE THERIAULT. Looking into this dump. And he said that 54% of the accounts were already in the Have I Been Pwned database from previous breaches.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So listeners, maybe go check out your email address at these places just to see if it's been included. And maybe if you're reusing passwords, naughty, naughty, but you know, this could be a very good time to go and change those that have been compromised. Would you not agree?


GRAHAM CLULEY. Oh yeah, you should always use different passwords for different services. And yeah, I'd recommend everyone sign up for Have I Been Pwned? It's a good reminder, you know, it's a good alert when a service gets breached and if you have to take any action.


CAROLE THERIAULT. Now, at the time of recording, we're a little earlier than normal, but the Internet Archive, or sorry, the Wayback Machine is still offline, but it looks like the archived data is safe? 'Cause that was a big concern for a lot of people.

Like, if you've screwed up that data somehow and it's no longer trustworthy, you wouldn't be able to use that. Like, it's been used in criminal court cases before, right? The Wayback Machine.


GRAHAM CLULEY. Oh, well, you've gotta wonder, right? If they've got petabytes and petabytes of data, how do you back up a backup of the internet? Right? You know, where do we—


CAROLE THERIAULT. Where do you keep that?


GRAHAM CLULEY. And how many copies of the backup do you have? So, hang on, I'm just backing up the internet to my USB stick.


CAROLE THERIAULT. It'll be done by tomorrow at 2.


GRAHAM CLULEY. Yeah. It's— has anyone got a bigger USB stick?

You know, it's— yeah, it's— so yeah, obviously the worst thing in the world would be if the backup of the internet were deleted and erased and there wasn't some way to recreate it. That would be an enormous cultural and historical loss.


CAROLE THERIAULT. It would be. It would be.

The latest tweet, the latest message on X from the founders of Wayback Archive says the data is safe, services are offline as we examine and strengthen them. Sorry, but needed. Internet Archive staff is working hard. Estimated timeline: days, not weeks.

So that's interesting. So they think they're going to be online soon.

And it also says, thank you for the offers of pizza. We are set. You know that you're a loved entity when you're offered carbs and molten cheese in a crisis.


GRAHAM CLULEY. And you know what? It is a loved entity.

There will be plenty of people who would love to give their support and assistance to getting that service online again and secure. Of course, it's, you know, the Internet Archive has to be careful that they're accepting help from trustworthy people. But yeah, you would imagine there's a lot of people who would like to help them out.


CAROLE THERIAULT. Yeah, no, totally. Like, I'll finish with Kate Gibbs at Wired.

She wrote in an article on the Internet Archive, you know, it's no exaggeration to say that digital archiving as we know it would not exist without the Internet Archive. Its most famous project, the Wayback Machine, is a repository of web pages that functions as an unparalleled record of the internet. Without it, the world would lose its best public resource on internet history.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So what the hell are people, you know, attacking it for? But then why do people attack hospitals? You know, why do people—


GRAHAM CLULEY. You could argue that, but as far as I know, this wasn't done with any financial motivation. It wasn't done with any ransom demands as far as I know.


CAROLE THERIAULT. We don't know as yet. Things have been pretty tight-lipped because we know that there's been some DDoS, distributed denial of service attacks as well as this data breach.

Looks like they were getting hammered for a period of time.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. But we don't know if those are related. If you're interested, watch the space.

If you're a member, maybe change your password as soon as you can.


GRAHAM CLULEY. And that's me. This episode of Smashing Security is brought to you by Flashpoint. 2024 has been a year like no other for security. Cyber threats, physical security concerns have continued to increase. Now, geopolitical instability is adding a new layer of risk and uncertainty.

Last year, there was a staggering 84% rise in ransomware attacks and a 34% jump in data breaches. The result? Well, millions and millions of dollars in financial losses and threats to safety worldwide.

That's where Flashpoint comes in. Flashpoint empowers organizations to make mission-critical decisions that will keep their people and assets safe. How does it do that?

By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts, and analytics all in one place. It's no wonder Flashpoint is trusted by mission-critical businesses and governments worldwide. To access the industry's best threat data and intelligence, visit flashpoint.io today.

That's flashpoint.io. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.

That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I don't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. My Pick of the Week, in a way, is kind of associated with what you've just been talking about, Carole, the internet archive. My Pick of the Week is a website called Dimmsdale, dimmsdale.co.uk.


CAROLE THERIAULT. Dimsdale.


GRAHAM CLULEY. And I am a big fan of radio shows. Love radio shows. I mean, it's probably been brought up on Radio 4 from the BBC.


CAROLE THERIAULT. See, that's probably where we get on, actually, because I loved radio as a kid. Still love radio. Love podcasts. Love audio.


GRAHAM CLULEY. Yeah, right. Dimsdale has a collection of over 2,000 radio shows on it, thousands of episodes of them. And if you go to that website and you create an account, which is free by the way, this is all free, you can access an RSS feed of archived episodes of your favorite radio comedy shows, sketch shows, panel games, audio dramas, documentaries.

It's also a forum where you can discuss your favorite shows with other fans. And I'm using it in my regular podcast app because I've got those RSS feeds and I've plugged them into my podcast app to listen to old episodes of I'm Sorry, I Haven't a Clue, Knowing Me, Knowing You with Alan Partridge, Lord Peter Wimsey dramas, all kinds of things.


CAROLE THERIAULT. So these are mostly UK-based dramas, right?


GRAHAM CLULEY. It does seem to be a strong UK bias in it, I think, whoever's collating it.


CAROLE THERIAULT. I'm on the website, the Dimsdale Co UK website right now, and it says, links are down. Due to the issues at archive.org, they have suffered a DDoS attack and are currently down whilst they fix the problems.

We link to archive.org, hence the disrupted service. Sorry, nothing we can do but wait. Oh, it says, it is expected to be back up in days, not weeks. We'll let you know once we have more news. So there you are.


GRAHAM CLULEY. So it is true the Internet Archive has a huge archive of MP3 files. That's where, for instance, I found old episodes of Hitchhiker's Guide to the Galaxy, which my son was listening to the other night.

Yeah, and so they will link to also places like BBC Sounds, and they will link to approved copyright owners' archives of some of these old things. So if you're looking for some great old radio shows, it is a terrific place to create yourself an account, grab the RSS feed, and join in.


CAROLE THERIAULT. Yeah, get your email address out.


GRAHAM CLULEY. Yeah, use a strong, unique password just in case. It's not the same organisation, Carole. They're just linking.


CAROLE THERIAULT. I'm just having a giggle.


GRAHAM CLULEY. All right, okay. Anyway, I love it, it's brilliant. And you know what, Crow, I think you would love this too, because I know how you love audio dramas.

You know, there'll be Sherlock Holmes and all kinds of things, things which haven't been repeated for years and years on the radio.


CAROLE THERIAULT. I was just listening to an old, I think 1993, Iris Murdoch, The Sea, The Sea. Yeah, I was listening to an audio production from the BBC with all of— full star cast. It was brilliant.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So yeah, I'm all into that stuff.


GRAHAM CLULEY. Fantastic. Anyway, so Dimsdale, dimsdale.co.uk, is my pick of the week.


CAROLE THERIAULT. Very cool.


GRAHAM CLULEY. Crow, what's your pick of the week?


CAROLE THERIAULT. Well, my pick of the week stars my little heartthrob, Jeff Goldblum, or Gold Bum, as I like to call him.


GRAHAM CLULEY. Oh yes.


CAROLE THERIAULT. This is Netflix's series called Kaos. Have you seen this, Graham?


GRAHAM CLULEY. No, no.


CAROLE THERIAULT. Oh, well, shout out to Dave Bittner and listeners who told me to check it out. So, you have this alternative modern world in which the old gods, including Zeus, played by Goldblum—


GRAHAM CLULEY. Appropriately enough, he is a god.


CAROLE THERIAULT. Yeah. But you've got Zeus here, Goldblum dressed in white, crisp suits as he swaggers around happily amongst the palace and gardens of Mount Olympus. Until there's a day, a new monument is unveiled in Crete for him, and it's a monument of him, but it's been desecrated by a gang of Trojans.

And so Zeus isn't happy and is worried that humans are getting a bit too big for their boots. And so you have our biased narrator, Prometheus.

Okay, this is played by Stephen Dillane. He's a former friend of Zeus, but currently a prisoner. So, if you know your mythology, he's chained to a rock, and his liver is being internally pecked by an eagle.


GRAHAM CLULEY. We've all been there.


CAROLE THERIAULT. But he's our narrator, right? And he's so great. He is just so good in it.

So there are 8 episodes. I watched them all in 2 sessions. There's a huge cast of characters, and the plot whizzes along at a really good clip.

It's fun, it's dark, it's thoughtful, it's action-packed. So it's rare that something can get all those things, but this one seems to.

You know, it answers the underlying big questions like, "What's it to be human?" "What's it like to have power, to be desperate, or have free will?" And they explore these with pizzazz and heart.

So my pick of the week, Kaos, K-A-O-S. Graham, don't complain.


GRAHAM CLULEY. Oh, you know what? When you first said it's called Kaos, I thought to myself, I really hope it's not spelled with a K. Yeah, but why did they have to spell it with a K?


CAROLE THERIAULT. Because maybe originally it was.


GRAHAM CLULEY. It's all Greek.


CAROLE THERIAULT. So that's my pick of the week, Kaos on Netflix. Boom.


GRAHAM CLULEY. Well, that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G. Twitter won't allow us to have a G.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And huge, huge shout out to our episode sponsors, Vanta, Flashpoint, and 1Password. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 388 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye!


CAROLE THERIAULT. God, I'm gonna go to bed.


GRAHAM CLULEY. Get well, Crow.


CAROLE THERIAULT. Yeah, well, I'll try. I haven't left the house in 3 days. I'm already starting to go stir crazy.

I have no idea how we did this during lockdown. Honestly, I was just like, it's much different when it's only you and everyone else is out having fun.

-- TRANSCRIPT ENDS --