ZOE ROSE
We need an LLM that says, here’s how to do it. And don’t forget to consider these things.
Unknown
Smashing Security, episode 475. JadePuffer, the AI that ran a ransomware attack all by itself. With Graham Cluley and special guest Zoe Rose.
Hello, hello, and welcome to Smashing Security episode 475. My name’s Graham Cluley.
ZOE ROSE
And I’m Zoe Rose.
GRAHAM CLULEY
Hello, Zoe. Welcome back to the show. It’s been a while since you’ve been on. How are you doing?
ZOE ROSE
Well, usually when I join, something massive has happened.
ZOE ROSE
At the moment, I have not acquired another child or a pet.
GRAHAM CLULEY
So, well done.
GRAHAM CLULEY
So for those who don’t know Zoe, what are you? I mean, people who haven’t heard of you before, what do you do exactly?
ZOE ROSE
That’s a good question. What do I do? I work in security and pretend I know what I’m talking about half the time.
GRAHAM CLULEY
Oh, okay. It seems fair enough. And you work for a big company?
ZOE ROSE
I have a bloody long title now, actually. That’s the change. That’s what’s new. My title has massively increased.
GRAHAM CLULEY
Okay, give us your title. Let’s hear it.
ZOE ROSE
All right. It is C-Cert, which if you know what that stands for, it has more words, but we’ll just stick to some letters. Security Operations Development Manager.
GRAHAM CLULEY
Security Operations Development Manager, like SODOM, is basically what you’re saying.
GRAHAM CLULEY
This week on Smashing Security, we’re not going to be talking about how a Greek politician investigating spyware had his own mobile phone hacked.
You’ll hear no discussion of how a US Department of Homeland Security information sharing database has been accessed by hackers.
And we won’t even mention how hackers are using a fake World Cup t-shirt offer to spread malware. So Zoe, what are you going to be talking about this week?
ZOE ROSE
I’m going to talk about Apple’s Hide My Email isn’t actually as hidden as it sounds like.
GRAHAM CLULEY
All this and much more coming up on this episode of Smashing Security.
JOE
Graham, am I right in thinking that Arctic Wolf are sponsoring the show this week?
GRAHAM CLULEY
They’ve just published a new report, 2026 State of the Cybersecurity Attack Surface, and they analysed over 800,000 real IT assets to find out how exposed organisations actually are.
JOE
And I’m guessing everything is hunky-dory.
GRAHAM CLULEY
No, not so much. The reality is they found 1 in 3 IT assets is missing at least one critical security control.
JOE
One in three? That’s terrible.
GRAHAM CLULEY
Isn’t it just? 10% of assets have no endpoint security at all. 17% are completely invisible to the tools that are supposed to be monitoring them.
JOE
So the tools don’t even know those assets exist?
GRAHAM CLULEY
Right. Ghost assets wandering around your network, unprotected, unmonitored.
JOE
Nobody added him, nobody removed him, and he’s been quietly in there for 11 years downloading maps of Paraguay.
GRAHAM CLULEY
That’s the path of least resistance.
JOE
So what does the report tell us to actually do about it?
GRAHAM CLULEY
And the report is free to download.
JOE
Free! I like that. Where do I get it?
GRAHAM CLULEY
SmashingSecurity.com/ArcticWolf.
JOE
That’s SmashingSecurity.com/ArcticWolf. And thanks to Arctic Wolf for supporting the show. And please keep an eye on your IT assets and retired geography teachers.
GRAHAM CLULEY
One of them involves a fully automated, sophisticated, AI-driven ransomware attack against a company. Nasty stuff.
The other involves a 15-year-old lad in Japan who just wanted to cause some chaos on an animation streaming website.
These stories appear different, but they’re actually telling the same story. And that story is something we’ve been warning about for a while.
That the skills needed to commit a cyberattack are in the hands now of practically everybody on the internet. So let’s start in Japan. Have you ever been to Japan, Zoe?
GRAHAM CLULEY
One of the things which is really big in Japan is anime. Are you into anime at all?
ZOE ROSE
I think I’ve seen some, but I’d probably be the worst guest to try and talk about it in any educated way.
GRAHAM CLULEY
And there is a popular anime streaming service called Bandai Channel. And you can think of it as being a bit like Japanese Netflix, but specifically for anime.
And last November, something really odd happened on this particular streaming service. People found that they were being unsubscribed.
Not just a few people, but thousands and thousands of them. By the time Bandai Channel noticed and shut down all of its services — what the hell’s going on here?
We’re going to turn everything off — a total of 46,812 accounts had been cancelled in under 4 hours.
GRAHAM CLULEY
And this week, Japanese police have arrested the person that they believe to be the culprit of this particular attack, a 15-year-old schoolboy.
ZOE ROSE
Eh, as you would, yeah.
GRAHAM CLULEY
And according to media reports, he’d been teaching himself about computers since primary school, and he had built the attack tool that targeted Bandai Channel using ChatGPT.
ZOE ROSE
So it stands to reason that this would also be used, honestly.
GRAHAM CLULEY
But the only thing is, of course, that the AIs are meant to have guardrails to prevent you from writing malicious code.
ZOE ROSE
Guardrails, oh yeah, okay.
GRAHAM CLULEY
They have got better, but what you’re saying, I guess, in Zoe Rose’s hacking house, maybe you are capable of subverting the security and getting around it with your elite skills.
Is that what you’re saying?
ZOE ROSE
We make mistakes and it just amplifies our mistakes.
GRAHAM CLULEY
According to reports, the teenager told police he didn’t have a particular grudge against the company. He just could do it, and so he did do it.
ZOE ROSE
I relate to this child. I would have to say, if I was a 15-year-old child doing this, I’d be like, “Mate, it works!” I’d be so excited.
GRAHAM CLULEY
I would like to think, Zoe, that you wouldn’t do it now. A little bit of adult common sense or decorum.
ZOE ROSE
Sure, yeah, of course.
GRAHAM CLULEY
In December last year, a 17-year-old from Osaka was arrested for using ChatGPT to build a tool that hoovered up 7.25 million records from a chain of internet cafes.
And apparently his goal was to steal credit card information from members in order to then go and buy Pokémon cards, which, I mean, it sounds like a complete cliché, doesn’t it?
In Japan to do something like this.
Before that, in February, three teenagers — a 14-year-old, a 15-year-old, a 16-year-old — were arrested for using ChatGPT to fraudulently generate mobile phone contracts in other people’s names.
And they sold these stolen Rakuten mobile subscriptions for cryptocurrency and then used the proceeds to gamble online and buy video game consoles.
So there’s been a fair amount of this.
Three separate cases in Japan, multiple teenagers, all using AI chatbots as their primary development tool, just like teenagers are probably using AI to write their homework these days as well.
Now, I don’t want to suggest that these kids are going to a chatbot and just typing in something like “hack the Bandai channel” into ChatGPT.
The 15-year-old arrested this week clearly had some existing tech expertise.
But what is happening is the gap between being an interested teenager who’s got some computer knowledge and a person capable of attacking a platform with 46,000 users and stealing their information — that has noticeably reduced.
That’s one of the big changes AI has caused.
ZOE ROSE
I would say yes, but they got caught. Operational security, I think, is quite difficult to do.
GRAHAM CLULEY
Yes. They still didn’t cover their tracks properly, but AI impresses me with the speed with which it can code. Your boss isn’t listening — have you ever done any vibe coding, Zoe?
ZOE ROSE
It is interesting and I will admit it is helpful, but, and that’s the big but, if I know what I need done and I understand the foundations, I can make it effective for me.
So, if I’m not a skilled person and I’m using it for a skilled resource, it’s noticeably lacking a lot of things.
GRAHAM CLULEY
You don’t think it’s getting better? Can you foresee a time when it becomes more professional, maybe?
ZOE ROSE
But I think the way that our brains seem to function is if we think that this feature can work for us, we start to lose that functionality in ourselves.
ZOE ROSE
And so we’re not—
GRAHAM CLULEY
Our brain turns to porridge is what you’re saying if we use AI too much.
ZOE ROSE
I used to be able to figure out how to walk to different places alone. Now it’s like, where is my map?
ZOE ROSE
I don’t ever, well, maybe, maybe I’m wrong, but I don’t foresee it in the near future to fully replace people because it doesn’t have that capability.
But the problem is before it gets to the place where it can replace people, do we still have the skills on our side?
ZOE ROSE
To do the critical thinking.
GRAHAM CLULEY
Well, what it feels like to me is that something which would have taken years of study for a human and weeks of hard work can now be accomplished in an afternoon with the aid of an AI.
ZOE ROSE
Well, wouldn’t we just call those script kiddies? Wouldn’t they still classify as that?
GRAHAM CLULEY
Well, maybe they would, but if a script kiddie can hack into an organisation and cancel accounts.
ZOE ROSE
But they used to be able to do these things as well with other tools.
GRAHAM CLULEY
Yes, but they needed some sort of assistance, didn’t they? Whereas now you can know nothing at all. You don’t have to have spent any time on the script kiddy forums.
ZOE ROSE
I suppose, I suppose. Maybe it’s just faster.
GRAHAM CLULEY
It feels to me like that’s where things are heading, which brings us to my second story.
ZOE ROSE
I’m going to flag, I’m going to flag the point that I made earlier is that operational security isn’t always there.
GRAHAM CLULEY
Yes, we can hopefully catch them later.
ZOE ROSE
We need an LLM that says, here’s how to do it. And don’t forget to consider these things.
GRAHAM CLULEY
This thought that AI can be harnessed by people with little technical knowledge to cause some harm brings me to my second story, which shows, I believe, where things are heading.
So security researchers at Sysdig have just published what they’re calling the first documented case of fully autonomous AI-driven ransomware.
This is not AI-assisted, it’s not AI-accelerated or any of those sort of marketing terms. There’s no human steering the attack at all.
This is just an AI agent doing the entire job from start to finish entirely by itself. And they’re calling this thing Jade Puffer. Because, well, why wouldn’t you?
GRAHAM CLULEY
I don’t know why they’ve called it Jade Puffer, to be honest.
ZOE ROSE
Because it’s an excellent name.
GRAHAM CLULEY
Well, yes, I know, but why didn’t they call it lumpy trousers? Or why didn’t they call it—
ZOE ROSE
Because Jade Puffer is more exciting.
GRAHAM CLULEY
Maybe, maybe the name is actually made up by an AI. Maybe.
GRAHAM CLULEY
There you go. Putting someone out of work again, Zoe.
ZOE ROSE
So all my codenames are in a theme. So if you figure out certain projects and certain things that needed codenames anywhere I’ve worked, you probably can guess which ones I created.
GRAHAM CLULEY
It finds a way in, it steals passwords, it breaks into secondary servers, it encrypts the data, it leaves a ransom note demanding bitcoin, all without a single human having to put a hoodie on in their darkened bedroom.
GRAHAM CLULEY
There’d been a patch out for at least a year. They hadn’t patched it. And it was internet-facing.
ZOE ROSE
And so most organisations.
GRAHAM CLULEY
‘Cause you know, that’s often what they’re after now. They don’t want to use their own AI tokens. They’d rather use someone else’s.
And they’re stealing cloud infrastructure credentials for AWS, and cryptocurrency seed keys to break into wallets.
And then it moved on to its real target, which was the company’s production database.
And it tried to create a hidden admin account for itself to access that database, but it failed. It made a technical error.
And what was eye-opening was that the AI diagnosed the problem as it was trying.
GRAHAM CLULEY
Now, Sysdig’s researchers, they said if a human had read that same error message—
ZOE ROSE
Lots more searching online.
GRAHAM CLULEY
It would have not taken 31 seconds to recode in order to do it properly.
ZOE ROSE
You know what this makes me think though? I should rethink my stance on automated pen tests. Oh, maybe there is an AI out there that could be a decent red teamer.
GRAHAM CLULEY
Yeah, well, there are more and more companies who are beginning to do that, aren’t there? Anyway, Jade Puffer sorted itself out.
GRAHAM CLULEY
Encrypted all the items in the database, deleted the originals, so the data is now gone. So it’s been held hostage.
ZOE ROSE
Do they know? Question. Do they know? If the ransomware actually is done properly and it can actually revert backwards, or is it all gone?
GRAHAM CLULEY
And the kind of question which would only be asked by a cynical cybersecurity expert such as yourself, because actually you have put your finger on the whole flaw in this plan.
GRAHAM CLULEY
So it effectively disappeared. Even if someone had paid, there was no chance you were ever going to get the decryption key back to get your data back.
So there was a flaw in the code.
ZOE ROSE
Well, we’ve seen this before though, in legitimate people. Yes. Actual cybercriminals. So maybe the AI is at the functional level of sass in people already.
GRAHAM CLULEY
But more than that, in the actual ransom note where it listed the bitcoin address, what it used was a generic bitcoin address, which is used in all the bitcoin documentation.
It’s like using .
ZOE ROSE
I know how to do this because it’s done it for me, but I don’t actually know how to apply it logically.
ZOE ROSE
And it’s a limited capacity of this highly functional, very fast, efficient tooling that’s still not there. I don’t know, it’s just really interesting to me.
GRAHAM CLULEY
Because the AI couldn’t stop itself from offering a running commentary on what it was doing.
So when they looked at its attack scripts, they were stuffed with comments and explanations of what it was doing.
And as we know, no humans are ever gonna document— It’s commenting!
ZOE ROSE
Oh my goodness, it’s like a programmer that can’t comment their own code. It’s bloody commenting. It’s like—
GRAHAM CLULEY
Less than ideal for the criminals, really.
ZOE ROSE
Well, I mean, to be fair though, if they got the money, they got the money. They didn’t have to do that much. So, their return on investment ain’t that bad, is it?
GRAHAM CLULEY
Well, but they haven’t got the money ’cause they didn’t list the right bitcoin address.
ZOE ROSE
Oh, okay, never mind.
GRAHAM CLULEY
They listed the example one. So, they bungled, basically. They’ve got an AI accomplice, and it has bungled. Achieved precisely nothing other than damage.
ZOE ROSE
But maybe it was a test, and maybe they’ve had it successful since then, innit? ‘Cause how many companies actually say when they’ve been hit by ransomware?
GRAHAM CLULEY
So what connects this 15-year-old in Japan who zapped these 46,000 anime accounts and this rogue AI that wiped a company’s database and then forgot how to actually extort the money afterwards?
I think the connection is that AI is making it easier to be a cybercriminal. It is opening up this career opportunity, if you like, to more people.
So as people are struggling with the cost of living, as people are finding, oh, crumbs, you know, I can’t get a job or whatever, more people might be tempted into cybercrime because AI could well help them.
JadePuffer, this new ransomware, it’s not perfect. It fell over. It failed to handle the encryption properly and extort any money.
But sooner rather than later, as you’ve already suggested, I think problems like that are going to be fixed.
JOE
This week’s episode is supported by NordLayer.
GRAHAM CLULEY
NordLayer. And before anyone says anything, no, it’s not NordVPN.
JOE
I wasn’t going to say that.
GRAHAM CLULEY
NordLayer is a network security platform built for businesses.
JOE
Right, so what does NordLayer actually do?
GRAHAM CLULEY
Well, think about how your team works today. People logging in from home, from hotel Wi-Fi, from coffee shops, from wherever.
JOE
From a sun lounger, hopefully.
GRAHAM CLULEY
It’s a scary world out there for travelling workers.
JOE
So NordLayer fixes that.
GRAHAM CLULEY
But it goes well beyond just encrypting the connection.
You get centralised control over who can access what based on their identity, their device, whether their device is actually compliant, and if someone leaves the company, you revoke their access immediately.
JOE
No more ex-employees still wandering around your systems 6 months later.
GRAHAM CLULEY
So if someone on your team has started using some AI tool that your security team hasn’t approved—
GRAHAM CLULEY
Yeah, well, whatever. NordLayer can spot that too. And there’s no complex infrastructure to set up. Apparently you can be up and running in just about 10 minutes.
GRAHAM CLULEY
Use the code NLsummer26 at checkout.
JOE
Whoa, all I have to do is type in that code at nordlayer.com/smashing and I can get a great deal? Let me write that down.
GRAHAM CLULEY
Yep, go ahead, write it down.
JOE
What’s the code again? I forgot.
GRAHAM CLULEY
Oh, Joe. NLsummer26.
JOE
Got it. Off to nordlayer.com/smashingigo.
GRAHAM CLULEY
And thanks to NordLayer for supporting the show. Zoe, what’s your story for us this week?
ZOE ROSE
It generates a random email address that you can enter instead of your main email.
Theoretically, the point is privacy, to keep from the association with this, whatever you’re signing up for, with your true identity.
GRAHAM CLULEY
Yeah. And presumably it means that you will know where someone got your email address from. So if you create—
ZOE ROSE
It’s like watermarking it. Yeah.
GRAHAM CLULEY
Yeah. And you could obviously shut it down if it’s then abused by spammers or scammers in some way.
ZOE ROSE
I don’t use it for a highly sensitive sort of, maybe I don’t want somebody to associate this action with my identity. I don’t use it in that use case.
But being as what it was marketed as, I could imagine a lot of people do.
ZOE ROSE
Right. So that’s more the concern for me.
GRAHAM CLULEY
So what’s happened with it? What’s happened with this Hide My Email feature?
ZOE ROSE
There is a vulnerability, quote unquote, that you can associate your generated email address with the original legitimate mailbox.
ZOE ROSE
So theoretically, if I go to a naughty site and I want to sign up for an account and I don’t want you to see it’s me, I could use this generated account and then this site will email this generated account, which would then come to my main legitimate email.
ZOE ROSE
Theoretically, it’s going to be very helpful for a lot of people. From my perspective, I would still make the assumption that that’s traceable without knowing that it was. Yeah.
I didn’t know it was. I always assumed it would be because, you know, it’s technology and technology is—
ZOE ROSE
Yeah, that’s a nice way of saying it.
GRAHAM CLULEY
A dumpster fire. Yes.
ZOE ROSE
You know that picture where it’s like the guy and he’s got the pictures and all the red strings together?
GRAHAM CLULEY
Oh, the red string, yes, like a conspiracy board, yes.
ZOE ROSE
And I still look it, but LLMs, further to what you were talking about, they just make that easier as well because you can aggregate data quite quickly with a lot of tooling.
I imagine they’re using LLMs as well to aggregate more data, because it’s not that difficult to tag and connect the dots.
ZOE ROSE
So, I would always assume that they’re connectable. But as a non-technical person, I could 100% see how they would not think that this is connectable.
And if you’re doing it because you’re hiding some kink, okay, embarrassing, not the end of the world. But for some users, they’re trying to get help for dangerous situations.
Maybe they’re a survivor of domestic abuse and violence.
ZOE ROSE
And so I agree with the Smashing Security researchers’ publication of the fact that it is vulnerable and it is not protecting you in the way that it’s supposed to be, or it claims to be.
The disappointing thing is apparently it was June last year that the vulnerability was disclosed to them.
GRAHAM CLULEY
Oh, to Apple. So Apple’s known about this for a year.
ZOE ROSE
According to the article, it was a year, and in May the update was it was going to be resolved shortly, and we’re in July and there’s no resolution yet.
ZOE ROSE
So that’s why, from what I’ve read, that’s why they wanted to publish it, because they’re concerned for the safety of people that are making use of this.
GRAHAM CLULEY
So that feels quite noble to me that the researchers withhold technical details of exactly how to exploit this to prevent that sort of exploitation event, people obviously finding themselves in a pickle, but Apple should have done something by now, surely.
ZOE ROSE
Well, and it’s disappointing because Apple always likes to market themselves as privacy-focused, right? And if you’re going to market yourself that way, bloody do it.
GRAHAM CLULEY
Yeah, walk the walk. Yeah.
ZOE ROSE
So the one thing I always get frustrated with, they’re marketing their autonomous cars, is they’re not actually autonomous, or they can’t achieve what they want, or they don’t even have the capability that they’re marketing.
And that’s dangerous for people’s safety. This is also dangerous.
Maybe it’s not as physically visible how dangerous it can be, but I work and volunteer with organisations that support survivors of domestic abuse and violence.
I’ve also been through a very similar situation myself. It’s scary being in that environment.
And when the technology you’re relying on to protect you, and in some people’s case it is protecting their life, and you’re not doing it to the best of your ability, that’s, that’s really, really disappointing.
So I’m hoping it resolves it, but I think the main takeaway here is you cannot rely 100% on technology. You just can’t.
GRAHAM CLULEY
Because of the false confidence it creates, because people would have used this thinking they were being private, thinking they were doing the right thing.
ZOE ROSE
It’s the cases that it’s not fine and assuming that it is, that you’re protected, where it can go drastically wrong.
I think knowing that it is broken allows you to consciously choose what use cases is it going to fit for, right?
Not knowing means that you’re unconsciously putting yourself at risk, and that’s what I’m not okay with. I still make use of the functionality for the case that I’ve already said.
If I want to have a temporary mailbox, it’s a great resource. It’s still connectable, yes, but it’s a great resource. I can just remove it.
GRAHAM CLULEY
And I also know there are some other third-party services which offer sort of masked emails and things like Fastmail. I think ProtonMail offers this as well.
ZOE ROSE
At the end of the day, you have to be separate, but as our lovely 15-year-old found out, OPSEC is very difficult. Right?
And so, if you want to keep them separate for your own safety or for specific reasons, maybe you have a much, much more intense threat map than I do, and you’ve got nation state after you, then there’s a lot more to consider.
GRAHAM CLULEY
But I guess for now, all eyes are on Apple and how they’re going to respond to this, albeit 13 months later.
ZOE ROSE
So, who’s accountable there if something happens? How do we force organisations to care? And I think at the end of the day, we’re European, right?
Well, European, not EU for you, but—
GRAHAM CLULEY
Thanks for reminding me.
ZOE ROSE
But at the end of the day, we have more protections than somebody in North America because of the regulations and putting the accountability back on the vendor.
So, as these things happen and as technology changes, as much as I hate regulation and compliance for the sake of compliance, I do hope it makes a difference and puts more accountability back on the organisations to respond in an appropriate timeframe and not market falsely.
GRAHAM CLULEY
Well, we’ve got time now to talk about one of today’s sponsors, Vanta. Joe, what keeps you up at 2 o’clock in the morning?
JOE
The dog next door, mostly.
GRAHAM CLULEY
Oh, right, well, yeah, but I’m talking professionally, what keeps you up?
JOE
Oh, whether we’ve got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.
GRAHAM CLULEY
Exactly, which is where today’s sponsor comes in. It’s Vanta.
JOE
Fanta, the fizzy orange drink. How can this possibly be true?
GRAHAM CLULEY
It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.
JOE
Lush, I hate questionnaires.
GRAHAM CLULEY
It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.
JOE
So basically it handles the boring stuff so we can focus on the interesting stuff.
GRAHAM CLULEY
Head to vanta.com/smashing, that’s V-A-N-T-A dot com slash smashing, and get started today.
JOE
And maybe get a decent night’s sleep for once. Oh, and unlike fizzy drinks, Fanta isn’t bad for you. That was a fruit twist.
GRAHAM CLULEY
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
ZOE ROSE
Pick of the Week.
GRAHAM CLULEY
Could be a funny story, a book that they’ve read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn’t have to be security related necessarily.
Now, my pick of the week this week is related to a news story which I saw on July 1st.
TV stations in America, they broke their 24-hour rolling news to report on what was going on at the Empire State Building in New York.
ZOE ROSE
They’re on the antenna with a flag.
GRAHAM CLULEY
They appear to be protesters and have unfurled a banner that says, “When the power of love beats the love of power, the world knows peace.” NBC New York is covering all of it.
ZOE ROSE
We’re going to take a listen right now.
GRAHAM CLULEY
Did you see this at all, Zoe?
GRAHAM CLULEY
They unfurled a banner saying, “When the power of love beats the love of power, the world knows peace,” which is, you know, a very groovy thing to say.
They got down from the very top onto a platform and the man got down on one knee and nervously proposed to the woman who had climbed up there with him.
And, you know, it was all in some ways charming, in other ways just like, what the bloody hell are they doing?
Is this what everyone’s going to be doing now to propose to each other? This is insanity. And they were arrested, of course. Their names are Angela Nikolau and Ivan Birkus.
They are two Russian, what are called, rooftoppers, who climb buildings. You know, they don’t have all the safety gear. They just go up in their trainers, it seems.
ZOE ROSE
What is it called, like free climbing or something?
GRAHAM CLULEY
It’s that kind of thing. They break into buildings. They’re not doing this with permission. They evade security teams.
ZOE ROSE
May I guess that? Yeah.
GRAHAM CLULEY
And it is that documentary which is my pick of the week. And I’ll tell you something about myself, Zoe. I am terrified of heights, right?
I can’t stand on a stool, let alone climb up a ladder.
ZOE ROSE
Mate, I am 155 centimetres, and that is as tall as I need to be.
GRAHAM CLULEY
I have in the past got up into the loft in my house and I’ve then been stuck there for 45 minutes thinking, how am I going to get— and that’s when there’s a ladder attached to the loft.
You know, it’s like, how am I going to get down? But aside from being terrified of heights, I am weirdly drawn to them. I am always thinking, oh, I want to test my fear of heights.
See, is this quite as scary. Will I want to throw myself off the— that’s my worry, is my brain will sort of short circuit and throw myself off just impulsively.
Anyway, I cannot tell you how stomach-churning this documentary was to me because I’m watching these two people climb buildings without permission.
And they sort of fell in love doing it, which is charming, but sometimes they’re having a bit of a row on the way, which has all been recorded on their GoPros.
And the woman at one point was having a real panic attack, which is understandable. I would be having a panic attack. I would feel paralysed as well.
And the guy is saying, “Come on, you can do it,” and all the rest of it. And she’s like, “No, no, really, I can’t.” And then she wants to, she wants to prove that she can.
I’m not saying that what these guys do is advisable or admirable. I think there’s—
ZOE ROSE
We should flag that there have been people that have died from doing that sort of thing.
GRAHAM CLULEY
I also think it’s questionable why Netflix, you know, why is this documentary being made? Is there then a compulsion for people to carry on doing these things?
GRAHAM CLULEY
Rather than working in a sandwich bar or something like that. It’s, it’s—
ZOE ROSE
I feel like that’s not the two alternatives, climbing a ginormous building or making sandwiches.
GRAHAM CLULEY
This woman, by the way, this woman.
GRAHAM CLULEY
So what she does is she takes an outfit with her, she’s got her heels, and she’s doing all these sort of glamorous shots of herself doing acrobatics on the top of buildings, you know, which, I mean, they are amazing photographs, but surely if there was one reason why AI was invented was to stop people climbing up buildings and putting their lives at risk to pose on top of a skyscraper.
Anyway, is this my pick of the week, or is this my nitpick of the week?
ZOE ROSE
I have to say, you’re criticising Netflix for— Yes! Providing this resource, and also recommending it.
GRAHAM CLULEY
Well, I’m bringing it to light. So this could be a nitpick of the week, rather than a pick of the week. I’m not sure which it is, but anyway, I found it compelling, and—
ZOE ROSE
I would like you to watch it again with the goggles. What do they call that? Like virtual reality?
ZOE ROSE
What? So that you’re single point of view of her?
GRAHAM CLULEY
I’m not wearing virtual reality goggles.
ZOE ROSE
I would love that.
GRAHAM CLULEY
I’m not sure, but that is what I’m talking about on Smashing Security today.
GRAHAM CLULEY
Okay, Zoe, what’s your pick of the week?
ZOE ROSE
My pick of the week is, I am a single mother of two children and a cat. I’m pretty sure my cat is Satan, but, so I’m very busy.
GRAHAM CLULEY
So you’re the mother of Satan?
GRAHAM CLULEY
Right, lovely.
ZOE ROSE
Anyway, pick of the week is, I have no time, and so I’ve discovered, and by discovered I mean heavily forced to stop not considering by multiple people throughout many years, to purchase a Thermomix.
GRAHAM CLULEY
Oh, now I know what one of those is. Why don’t you describe it for our listeners, what a Thermomix is?
ZOE ROSE
And donate it because I’ve got this Thermomix replaced. But basically it weighs, it measures, it mixes and cooks and all of those fancy things.
I’ve made ice cream and lemonade and every dinner, and it does my shopping.
GRAHAM CLULEY
It’s not just cold food, it can do hot food. I have lived in a house with a Thermomix before.
GRAHAM CLULEY
So I do know— the embarrassing truth is that I only ever made boiled rice in it. But I know that you can do extraordinary things.
ZOE ROSE
So I’ve got all the recipes.
GRAHAM CLULEY
They’re very expensive. I mean, as a boiled rice machine, I thought this was overpriced, I have to say. Oh no, I did pasta as well. I did pasta as well. But you know, it is—
ZOE ROSE
You are so bland right now. I did pasta.
GRAHAM CLULEY
They are expensive devices.
ZOE ROSE
Okay. They are expensive. And you have to have a subscription to the app for recipes. You don’t have to, but I do.
GRAHAM CLULEY
No, come on.
ZOE ROSE
It makes shopping super bloody easy because then I just put it in the thing that delivers. Because I’m not going to the shop with two children and a bloody cat.
So it’s really useful and it allows me to cook things that are actually really good, to the point where, because I’m not a very good cook, let’s be honest.
You want me to investigate an incident? Right on. You want me to cook pizza from scratch? Questionable. But in this case, it works.
GRAHAM CLULEY
And it can boil rice very reliably in my experience.
ZOE ROSE
It even makes cake. I made cheesecake the other day. That’s so clever. And muffins, because it has a thingy that goes on top and you can steam them.
GRAHAM CLULEY
I’m sure lots of listeners would love to find out what you’re up to and follow you online. What’s the best way to do that?
ZOE ROSE
But I think I’d also like to flag that if they’re somebody that related to the story I said earlier about high threat profiles, I would suggest they go and look at organisations like Operation Safe Escape or any organisations that specifically tailor their support to domestic abuse and violence survivors, because they will understand those threat maps a lot better than I can summarise.
GRAHAM CLULEY
And listeners, you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky and Reddit and Mastodon. And don’t forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of 475 episodes.
Check out smashingsecurity.com. Until next time. Cheerio, bye-bye. Cheers. You’ve been listening to Smashing Security with me, Graham Cluley.
Thanks ever so much to Zoe Rose for joining us this week and to this episode’s sponsors, Arctic Wolf, NordLayer, and Vanta.
Make sure to check out their special offers because they’re supporting the show.
And talking of people supporting the show, thanks to the following fine fellows, all signed up members of Smashing Security Plus. Let’s pick out some of them from the hat right now.
We’ve got first up, Darryl Green and Dave Barker. Both of them sound very dependable. I’d trust them to look after my plants while I’m on holiday.
Big yay to Richard Anand, Christoph Goossens and Travis West. Travis West.
Sounds like a Wild West character riding into town, sorting out your endpoint security, then riding off again without a word. And not also to Heisenberg.
We know who you are, but we can’t be certain where you are. And that’s fine.
Big thanks to Darren Kenny and to the magnificent Trogdork, a name that sounds like the final boss you’d have to beat in a game of Zelda, but probably turns out to be really good at patching vulnerabilities.
Oh, and finally, Daniel Kromeck and Billy, just Billy, one name Billy, no further questions. He’s happy with that.
Those are just a few members of Smashing Security Plus, which means that they get their episodes completely ad-free, earlier than the general public as well, they get them.
And they can have their names pulled out at random to be mercilessly mocked at the end of the show. Who could want for more?
If you fancy a little bit of that, join Smashing Security Plus. Just head over to our little club at smashingsecurity.com/plus for all of the details.
But you don’t have to become a member of that. You could support the show in ways which don’t cost a penny by liking, subscribing, leaving a 5-star review wherever you listen.
That will warm my cockles. And of course, tell your friends about the show. Spreading the word really does help. And, well, until next time, cheerio, bye-bye.
