Smashing Security podcast #475: JadePuffer

ZOE ROSE

We need an LLM that says, here’s how to do it. And don’t forget to consider these things.

Unknown

No, no, we don’t need that actually, Zoe. We don’t need any help for the criminals in covering up the tracks. Interesting. Interesting that you should suggest that.

Smashing Security, episode 475. JadePuffer, the AI that ran a ransomware attack all by itself. With Graham Cluley and special guest Zoe Rose.

Hello, hello, and welcome to Smashing Security episode 475. My name’s Graham Cluley.

ZOE ROSE

And I’m Zoe Rose.

GRAHAM CLULEY

Hello, Zoe. Welcome back to the show. It’s been a while since you’ve been on. How are you doing?

ZOE ROSE

Well, usually when I join, something massive has happened.

ZOE ROSE

At the moment, I have not acquired another child or a pet.

GRAHAM CLULEY

So, well done.

GRAHAM CLULEY

So for those who don’t know Zoe, what are you? I mean, people who haven’t heard of you before, what do you do exactly?

ZOE ROSE

That’s a good question. What do I do? I work in security and pretend I know what I’m talking about half the time.

GRAHAM CLULEY

Oh, okay. It seems fair enough. And you work for a big company?

ZOE ROSE

I have a bloody long title now, actually. That’s the change. That’s what’s new. My title has massively increased.

GRAHAM CLULEY

Okay, give us your title. Let’s hear it.

ZOE ROSE

All right. It is C-Cert, which if you know what that stands for, it has more words, but we’ll just stick to some letters. Security Operations Development Manager.

GRAHAM CLULEY

Security Operations Development Manager, like SODOM, is basically what you’re saying.

GRAHAM CLULEY

Interesting. Well, before we kick off, let’s thank this week’s wonderful sponsors, Arctic Wolf, NordLayer, and Vanta. We’ll be hearing more about them later on in the podcast.

This week on Smashing Security, we’re not going to be talking about how a Greek politician investigating spyware had his own mobile phone hacked.

You’ll hear no discussion of how a US Department of Homeland Security information sharing database has been accessed by hackers.

And we won’t even mention how hackers are using a fake World Cup t-shirt offer to spread malware. So Zoe, what are you going to be talking about this week?

ZOE ROSE

I’m going to talk about Apple’s Hide My Email isn’t actually as hidden as it sounds like.

GRAHAM CLULEY

And I’m going to be telling the tale of how a 15-year-old with a chatbot became a cybercriminal and what happens when the AI just does the whole job itself.

All this and much more coming up on this episode of Smashing Security.

JOE

Graham, am I right in thinking that Arctic Wolf are sponsoring the show this week?

GRAHAM CLULEY

You are right, Joe.

They’ve just published a new report, 2026 State of the Cybersecurity Attack Surface, and they analysed over 800,000 real IT assets to find out how exposed organisations actually are.

JOE

And I’m guessing everything is hunky-dory.

GRAHAM CLULEY

No, not so much. The reality is they found 1 in 3 IT assets is missing at least one critical security control.

JOE

One in three? That’s terrible.

GRAHAM CLULEY

Isn’t it just? 10% of assets have no endpoint security at all. 17% are completely invisible to the tools that are supposed to be monitoring them.

JOE

So the tools don’t even know those assets exist?

GRAHAM CLULEY

Right. Ghost assets wandering around your network, unprotected, unmonitored.

JOE

Like a retired geography teacher who’s somehow still on the school network.

Nobody added him, nobody removed him, and he’s been quietly in there for 11 years downloading maps of Paraguay.

GRAHAM CLULEY

Yeah, yeah, I guess so, Joe. The point is, your attackers will find him before you do because they are specifically looking for the forgotten, the unpatched, the invisible.

That’s the path of least resistance.

JOE

So what does the report tell us to actually do about it?

GRAHAM CLULEY

Arctic Wolf’s report covers how to prioritize the exposures that actually matter. Cut through all that noise and verify that when you fix something, it actually stays fixed.

And the report is free to download.

JOE

Free! I like that. Where do I get it?

GRAHAM CLULEY

SmashingSecurity.com/ArcticWolf.

JOE

That’s SmashingSecurity.com/ArcticWolf. And thanks to Arctic Wolf for supporting the show. And please keep an eye on your IT assets and retired geography teachers.

GRAHAM CLULEY

So, chums, I want to tell you about two stories really this week. On the surface, they don’t seem connected.

One of them involves a fully automated, sophisticated, AI-driven ransomware attack against a company. Nasty stuff.

The other involves a 15-year-old lad in Japan who just wanted to cause some chaos on an animation streaming website.

These stories appear different, but they’re actually telling the same story. And that story is something we’ve been warning about for a while.

That the skills needed to commit a cyberattack are in the hands now of practically everybody on the internet. So let’s start in Japan. Have you ever been to Japan, Zoe?

GRAHAM CLULEY

Well, it’s a fabulous place, I have to say. If you ever get the chance, it’s a great place to go and visit. So anyway, I love Japan. I love Japanese culture.

One of the things which is really big in Japan is anime. Are you into anime at all?

ZOE ROSE

I think I’ve seen some, but I’d probably be the worst guest to try and talk about it in any educated way.

GRAHAM CLULEY

Oh, don’t worry. I’m not going to talk about it in an educated way. It’s that animation where everyone’s got really big eyes. It’s a big deal, particularly in Japanese culture.

And there is a popular anime streaming service called Bandai Channel. And you can think of it as being a bit like Japanese Netflix, but specifically for anime.

And last November, something really odd happened on this particular streaming service. People found that they were being unsubscribed.

Not just a few people, but thousands and thousands of them. By the time Bandai Channel noticed and shut down all of its services — what the hell’s going on here?

We’re going to turn everything off — a total of 46,812 accounts had been cancelled in under 4 hours.

GRAHAM CLULEY

Bandai Channel investigated what it thought might be a leak of its membership database.

And this week, Japanese police have arrested the person that they believe to be the culprit of this particular attack, a 15-year-old schoolboy.

ZOE ROSE

Eh, as you would, yeah.

GRAHAM CLULEY

And according to media reports, he’d been teaching himself about computers since primary school, and he had built the attack tool that targeted Bandai Channel using ChatGPT.

ZOE ROSE

All right, I could see that. I mean, I can’t say that open source tooling or any tooling out there hasn’t already been used maliciously, just like it is used for research.

So it stands to reason that this would also be used, honestly.

GRAHAM CLULEY

But the only thing is, of course, that the AIs are meant to have guardrails to prevent you from writing malicious code.

ZOE ROSE

Guardrails, oh yeah, okay.

GRAHAM CLULEY

Oh, I think they’ve got better, haven’t they, over time?

They have got better, but what you’re saying, I guess, in Zoe Rose’s hacking house, maybe you are capable of subverting the security and getting around it with your elite skills.

Is that what you’re saying?

ZOE ROSE

Mate, you don’t have to be that complex. Just keep trying. I think that we have to remember that this stuff is built by us, humans, and we are not the most effective people.

We make mistakes and it just amplifies our mistakes.

GRAHAM CLULEY

So, this 15-year-old schoolboy, he just described what he wanted to a chatbot, and the chatbot helped him build a programme that could break into accounts and cancel the subscriptions.

According to reports, the teenager told police he didn’t have a particular grudge against the company. He just could do it, and so he did do it.

ZOE ROSE

I relate to this child. I would have to say, if I was a 15-year-old child doing this, I’d be like, “Mate, it works!” I’d be so excited.

GRAHAM CLULEY

I think there’s probably a lot of listeners as well who can identify that maybe aged 15, they would’ve done something like that as well.

I would like to think, Zoe, that you wouldn’t do it now. A little bit of adult common sense or decorum.

ZOE ROSE

Sure, yeah, of course.

GRAHAM CLULEY

You don’t sound convinced. Now, he is not the only teenager in Japan to have harnessed the power of AI to hack in this way.

In December last year, a 17-year-old from Osaka was arrested for using ChatGPT to build a tool that hoovered up 7.25 million records from a chain of internet cafes.

And apparently his goal was to steal credit card information from members in order to then go and buy Pokémon cards, which, I mean, it sounds like a complete cliché, doesn’t it?

In Japan to do something like this.

Before that, in February, three teenagers — a 14-year-old, a 15-year-old, a 16-year-old — were arrested for using ChatGPT to fraudulently generate mobile phone contracts in other people’s names.

And they sold these stolen Rakuten mobile subscriptions for cryptocurrency and then used the proceeds to gamble online and buy video game consoles.

So there’s been a fair amount of this.

Three separate cases in Japan, multiple teenagers, all using AI chatbots as their primary development tool, just like teenagers are probably using AI to write their homework these days as well.

Now, I don’t want to suggest that these kids are going to a chatbot and just typing in something like “hack the Bandai channel” into ChatGPT.

The 15-year-old arrested this week clearly had some existing tech expertise.

But what is happening is the gap between being an interested teenager who’s got some computer knowledge and a person capable of attacking a platform with 46,000 users and stealing their information — that has noticeably reduced.

That’s one of the big changes AI has caused.

ZOE ROSE

I would say yes, but they got caught. Operational security, I think, is quite difficult to do.

GRAHAM CLULEY

Yes. They still didn’t cover their tracks properly, but AI impresses me with the speed with which it can code. Your boss isn’t listening — have you ever done any vibe coding, Zoe?

ZOE ROSE

You know, I have made use of certain functionality of AI to figure out what it could do.

It is interesting and I will admit it is helpful, but, and that’s the big but, if I know what I need done and I understand the foundations, I can make it effective for me.

So, if I’m not a skilled person and I’m using it for a skilled resource, it’s noticeably lacking a lot of things.

GRAHAM CLULEY

You don’t think it’s getting better? Can you foresee a time when it becomes more professional, maybe?

ZOE ROSE

I do see it getting better, yes.

But I think the way that our brains seem to function is if we think that this feature can work for us, we start to lose that functionality in ourselves.

ZOE ROSE

And so we’re not—

GRAHAM CLULEY

Our brain turns to porridge is what you’re saying if we use AI too much.

ZOE ROSE

I used to be able to figure out how to walk to different places alone. Now it’s like, where is my map?

ZOE ROSE

So, I think yes, AI is getting better.

I don’t ever, well, maybe, maybe I’m wrong, but I don’t foresee it in the near future to fully replace people because it doesn’t have that capability.

But the problem is before it gets to the place where it can replace people, do we still have the skills on our side?

ZOE ROSE

To do the critical thinking.

GRAHAM CLULEY

Good point.

Well, what it feels like to me is that something which would have taken years of study for a human and weeks of hard work can now be accomplished in an afternoon with the aid of an AI.

ZOE ROSE

Well, wouldn’t we just call those script kiddies? Wouldn’t they still classify as that?

GRAHAM CLULEY

Well, maybe they would, but if a script kiddie can hack into an organisation and cancel accounts.

ZOE ROSE

But they used to be able to do these things as well with other tools.

GRAHAM CLULEY

Yes, but they needed some sort of assistance, didn’t they? Whereas now you can know nothing at all. You don’t have to have spent any time on the script kiddy forums.

ZOE ROSE

I suppose, I suppose. Maybe it’s just faster.

GRAHAM CLULEY

It feels to me like that’s where things are heading, which brings us to my second story.

ZOE ROSE

I’m going to flag, I’m going to flag the point that I made earlier is that operational security isn’t always there.

GRAHAM CLULEY

Yes, we can hopefully catch them later.

ZOE ROSE

We need an LLM that says, here’s how to do it. And don’t forget to consider these things.

GRAHAM CLULEY

No, no, we don’t need that actually, Zoe. We don’t need any help for the criminals in covering up the tracks. Interesting, interesting that you should suggest that.

This thought that AI can be harnessed by people with little technical knowledge to cause some harm brings me to my second story, which shows, I believe, where things are heading.

So security researchers at Sysdig have just published what they’re calling the first documented case of fully autonomous AI-driven ransomware.

This is not AI-assisted, it’s not AI-accelerated or any of those sort of marketing terms. There’s no human steering the attack at all.

This is just an AI agent doing the entire job from start to finish entirely by itself. And they’re calling this thing Jade Puffer. Because, well, why wouldn’t you?

GRAHAM CLULEY

I don’t know why they’ve called it Jade Puffer, to be honest.

ZOE ROSE

Because it’s an excellent name.

GRAHAM CLULEY

Well, yes, I know, but why didn’t they call it lumpy trousers? Or why didn’t they call it—

ZOE ROSE

Because Jade Puffer is more exciting.

GRAHAM CLULEY

Oh, okay. Alright. Well, I was thinking maybe someone at Sysdig in their lab was a fan of tropical fish ornaments. Maybe it’s just a very dull job.

Maybe, maybe the name is actually made up by an AI. Maybe.

GRAHAM CLULEY

There you go. Putting someone out of work again, Zoe.

ZOE ROSE

Oh, when I have to think of codenames for things, I usually stick to a theme. I’m not going to say what theme because I might embarrass myself, but I stick to a theme.

So all my codenames are in a theme. So if you figure out certain projects and certain things that needed codenames anywhere I’ve worked, you probably can guess which ones I created.

GRAHAM CLULEY

That’s one of Zoe’s. So Jade Puffer is doing the entire job.

It finds a way in, it steals passwords, it breaks into secondary servers, it encrypts the data, it leaves a ransom note demanding bitcoin, all without a single human having to put a hoodie on in their darkened bedroom.

GRAHAM CLULEY

Now, the unnamed victim organisation, they weren’t exactly running a tight ship, to be honest. Apparently they had some software with a known security flaw.

There’d been a patch out for at least a year. They hadn’t patched it. And it was internet-facing.

ZOE ROSE

And so most organisations.

GRAHAM CLULEY

Yeah. So Jade Puffer was able to get in and it helped itself to passwords, account details, API keys for OpenAI and Anthropic and Google Gemini.

‘Cause you know, that’s often what they’re after now. They don’t want to use their own AI tokens. They’d rather use someone else’s.

And they’re stealing cloud infrastructure credentials for AWS, and cryptocurrency seed keys to break into wallets.

And then it moved on to its real target, which was the company’s production database.

And it tried to create a hidden admin account for itself to access that database, but it failed. It made a technical error.

And what was eye-opening was that the AI diagnosed the problem as it was trying.

GRAHAM CLULEY

And fixed— no, not cool, Zoe Rose, not cool at all. You really got to remember what side you’re on. And it fixed the problem. And it took round about 31 seconds to fix the problem.

Now, Sysdig’s researchers, they said if a human had read that same error message—

ZOE ROSE

Lots more searching online.

GRAHAM CLULEY

Yeah, they would then have had to have Googled it. They’d then have to go and make a cup of tea or something, or whatever it is, you know, scratch their head for a bit.

It would have not taken 31 seconds to recode in order to do it properly.

ZOE ROSE

You know what this makes me think though? I should rethink my stance on automated pen tests. Oh, maybe there is an AI out there that could be a decent red teamer.

GRAHAM CLULEY

Yeah, well, there are more and more companies who are beginning to do that, aren’t there? Anyway, Jade Puffer sorted itself out.

GRAHAM CLULEY

Encrypted all the items in the database, deleted the originals, so the data is now gone. So it’s been held hostage.

ZOE ROSE

Do they know? Question. Do they know? If the ransomware actually is done properly and it can actually revert backwards, or is it all gone?

GRAHAM CLULEY

A very good question.

And the kind of question which would only be asked by a cynical cybersecurity expert such as yourself, because actually you have put your finger on the whole flaw in this plan.

GRAHAM CLULEY

So although it did encrypt the files and it did generate a unique decryption key, which was going to be the only thing which would ever unlock those files for the victim, it failed to send that key back to the criminals.

So it effectively disappeared. Even if someone had paid, there was no chance you were ever going to get the decryption key back to get your data back.

So there was a flaw in the code.

ZOE ROSE

Well, we’ve seen this before though, in legitimate people. Yes. Actual cybercriminals. So maybe the AI is at the functional level of sass in people already.

GRAHAM CLULEY

Maybe it is.

But more than that, in the actual ransom note where it listed the bitcoin address, what it used was a generic bitcoin address, which is used in all the bitcoin documentation.

It’s like using .

ZOE ROSE

That’s excellent. I love these little failures. It’s just yeah, lovely. It’s like these script kiddies.

I know how to do this because it’s done it for me, but I don’t actually know how to apply it logically.

ZOE ROSE

And it’s a limited capacity of this highly functional, very fast, efficient tooling that’s still not there. I don’t know, it’s just really interesting to me.

GRAHAM CLULEY

And there were other things which were interesting about this ransomware as well, because the security researchers, they knew they were looking at an AI rather than a human attacker.

Because the AI couldn’t stop itself from offering a running commentary on what it was doing.

So when they looked at its attack scripts, they were stuffed with comments and explanations of what it was doing.

And as we know, no humans are ever gonna document— It’s commenting!

ZOE ROSE

Oh my goodness, it’s like a programmer that can’t comment their own code. It’s bloody commenting. It’s like—

GRAHAM CLULEY

So the AI had left comments in its own code discussing which parts of the database were the best return on investment. I love this. So, yeah.

Less than ideal for the criminals, really.

ZOE ROSE

Well, I mean, to be fair though, if they got the money, they got the money. They didn’t have to do that much. So, their return on investment ain’t that bad, is it?

GRAHAM CLULEY

Well, but they haven’t got the money ’cause they didn’t list the right bitcoin address.

ZOE ROSE

Oh, okay, never mind.

GRAHAM CLULEY

They listed the example one. So, they bungled, basically. They’ve got an AI accomplice, and it has bungled. Achieved precisely nothing other than damage.

ZOE ROSE

But maybe it was a test, and maybe they’ve had it successful since then, innit? ‘Cause how many companies actually say when they’ve been hit by ransomware?

GRAHAM CLULEY

That’s true. It may well have since been developed further, and maybe it is succeeding.

So what connects this 15-year-old in Japan who zapped these 46,000 anime accounts and this rogue AI that wiped a company’s database and then forgot how to actually extort the money afterwards?

I think the connection is that AI is making it easier to be a cybercriminal. It is opening up this career opportunity, if you like, to more people.

So as people are struggling with the cost of living, as people are finding, oh, crumbs, you know, I can’t get a job or whatever, more people might be tempted into cybercrime because AI could well help them.

JadePuffer, this new ransomware, it’s not perfect. It fell over. It failed to handle the encryption properly and extort any money.

But sooner rather than later, as you’ve already suggested, I think problems like that are going to be fixed.

JOE

This week’s episode is supported by NordLayer.

GRAHAM CLULEY

NordLayer. And before anyone says anything, no, it’s not NordVPN.

JOE

I wasn’t going to say that.

GRAHAM CLULEY

You were absolutely going to say that, Joe. They are both from Nord Security, but NordLayer is a completely different product. NordVPN is for individuals.

NordLayer is a network security platform built for businesses.

JOE

Right, so what does NordLayer actually do?

GRAHAM CLULEY

Well, think about how your team works today. People logging in from home, from hotel Wi-Fi, from coffee shops, from wherever.

JOE

From a sun lounger, hopefully.

GRAHAM CLULEY

You’d be lucky. And the moment someone logs into a company network over an unsecured connection, you’ve got a problem. Credentials intercepted, phishing attacks, unauthorised access.

It’s a scary world out there for travelling workers.

JOE

So NordLayer fixes that.

GRAHAM CLULEY

It gives you encrypted connectivity for your whole team from anywhere, up to 1 gigabyte per second with zero additional hardware required.

But it goes well beyond just encrypting the connection.

You get centralised control over who can access what based on their identity, their device, whether their device is actually compliant, and if someone leaves the company, you revoke their access immediately.

JOE

No more ex-employees still wandering around your systems 6 months later.

GRAHAM CLULEY

No more of that. And it will block malicious sites, risky downloads, dangerous domains, and it can even detect shadow apps.

So if someone on your team has started using some AI tool that your security team hasn’t approved—

GRAHAM CLULEY

Yeah, well, whatever. NordLayer can spot that too. And there’s no complex infrastructure to set up. Apparently you can be up and running in just about 10 minutes.

GRAHAM CLULEY

10 minutes. Plans start from just $8 per user per month. And right now there is a summer sale. New customers get up to 20% off annual plans until the end of August 2026.

Use the code NLsummer26 at checkout.

JOE

Whoa, all I have to do is type in that code at nordlayer.com/smashing and I can get a great deal? Let me write that down.

GRAHAM CLULEY

Yep, go ahead, write it down.

JOE

What’s the code again? I forgot.

GRAHAM CLULEY

Oh, Joe. NLsummer26.

JOE

Got it. Off to nordlayer.com/smashingigo.

GRAHAM CLULEY

And thanks to NordLayer for supporting the show. Zoe, what’s your story for us this week?

ZOE ROSE

I was talking about Apple’s Hide My Email. So if you don’t know what that is, it’s if you have an iCloud account, you can select the feature that says Hide My Email.

It generates a random email address that you can enter instead of your main email.

Theoretically, the point is privacy, to keep from the association with this, whatever you’re signing up for, with your true identity.

GRAHAM CLULEY

Yeah. And presumably it means that you will know where someone got your email address from. So if you create—

ZOE ROSE

It’s like watermarking it. Yeah.

GRAHAM CLULEY

Yeah. And you could obviously shut it down if it’s then abused by spammers or scammers in some way.

ZOE ROSE

Yeah. I use it for the use case that you just said, so I can have it for a temporary amount of time. Remove it, and then I’m good. It’s very useful for that.

I don’t use it for a highly sensitive sort of, maybe I don’t want somebody to associate this action with my identity. I don’t use it in that use case.

But being as what it was marketed as, I could imagine a lot of people do.

ZOE ROSE

Right. So that’s more the concern for me.

GRAHAM CLULEY

So what’s happened with it? What’s happened with this Hide My Email feature?

ZOE ROSE

There is a vulnerability, quote unquote, that you can associate your generated email address with the original legitimate mailbox.

ZOE ROSE

Yeah.

So theoretically, if I go to a naughty site and I want to sign up for an account and I don’t want you to see it’s me, I could use this generated account and then this site will email this generated account, which would then come to my main legitimate email.

ZOE ROSE

And then if I don’t want it anymore, I can delete the account on the website or disable it within my settings. Very useful.

Theoretically, it’s going to be very helpful for a lot of people. From my perspective, I would still make the assumption that that’s traceable without knowing that it was. Yeah.

I didn’t know it was. I always assumed it would be because, you know, it’s technology and technology is—

ZOE ROSE

Yeah, that’s a nice way of saying it.

GRAHAM CLULEY

A dumpster fire. Yes.

ZOE ROSE

Yeah, perfect. And I used to work in OSINT, so open source intelligence. My job used to be aggregating data and connecting the dots and making very overly-sized webs of details.

You know that picture where it’s like the guy and he’s got the pictures and all the red strings together?

GRAHAM CLULEY

Oh, the red string, yes, like a conspiracy board, yes.

ZOE ROSE

Mate, that was me, and that’s exactly what I did.

And I still look it, but LLMs, further to what you were talking about, they just make that easier as well because you can aggregate data quite quickly with a lot of tooling.

I imagine they’re using LLMs as well to aggregate more data, because it’s not that difficult to tag and connect the dots.

ZOE ROSE

Right? These vulnerabilities probably make it much easier. I mean, I imagine it is. And so, I would always take the assumed compromise approach.

So, I would always assume that they’re connectable. But as a non-technical person, I could 100% see how they would not think that this is connectable.

And if you’re doing it because you’re hiding some kink, okay, embarrassing, not the end of the world. But for some users, they’re trying to get help for dangerous situations.

Maybe they’re a survivor of domestic abuse and violence.

ZOE ROSE

So this could be quite risky for them if their abuser is able to connect the dots, if their stalker is able to identify them.

And so I agree with the Smashing Security researchers’ publication of the fact that it is vulnerable and it is not protecting you in the way that it’s supposed to be, or it claims to be.

The disappointing thing is apparently it was June last year that the vulnerability was disclosed to them.

GRAHAM CLULEY

Oh, to Apple. So Apple’s known about this for a year.

ZOE ROSE

According to the article, it was a year, and in May the update was it was going to be resolved shortly, and we’re in July and there’s no resolution yet.

ZOE ROSE

So that’s why, from what I’ve read, that’s why they wanted to publish it, because they’re concerned for the safety of people that are making use of this.

GRAHAM CLULEY

So that feels quite noble to me that the researchers withhold technical details of exactly how to exploit this to prevent that sort of exploitation event, people obviously finding themselves in a pickle, but Apple should have done something by now, surely.

ZOE ROSE

Well, and it’s disappointing because Apple always likes to market themselves as privacy-focused, right? And if you’re going to market yourself that way, bloody do it.

GRAHAM CLULEY

Yeah, walk the walk. Yeah.

ZOE ROSE

And there are priorities.

So the one thing I always get frustrated with, they’re marketing their autonomous cars, is they’re not actually autonomous, or they can’t achieve what they want, or they don’t even have the capability that they’re marketing.

And that’s dangerous for people’s safety. This is also dangerous.

Maybe it’s not as physically visible how dangerous it can be, but I work and volunteer with organisations that support survivors of domestic abuse and violence.

I’ve also been through a very similar situation myself. It’s scary being in that environment.

And when the technology you’re relying on to protect you, and in some people’s case it is protecting their life, and you’re not doing it to the best of your ability, that’s, that’s really, really disappointing.

So I’m hoping it resolves it, but I think the main takeaway here is you cannot rely 100% on technology. You just can’t.

GRAHAM CLULEY

So I’ve got a question, Zoe. Is a broken privacy feature worse than no privacy feature?

Because of the false confidence it creates, because people would have used this thinking they were being private, thinking they were doing the right thing.

ZOE ROSE

And in many cases they probably were fine. Right. In many cases it’s probably fine.

It’s the cases that it’s not fine and assuming that it is, that you’re protected, where it can go drastically wrong.

I think knowing that it is broken allows you to consciously choose what use cases is it going to fit for, right?

Not knowing means that you’re unconsciously putting yourself at risk, and that’s what I’m not okay with. I still make use of the functionality for the case that I’ve already said.

If I want to have a temporary mailbox, it’s a great resource. It’s still connectable, yes, but it’s a great resource. I can just remove it.

GRAHAM CLULEY

And I also know there are some other third-party services which offer sort of masked emails and things like Fastmail. I think ProtonMail offers this as well.

ZOE ROSE

They do, yep, and they’re useful if you 100% want to keep them separate.

At the end of the day, you have to be separate, but as our lovely 15-year-old found out, OPSEC is very difficult. Right?

And so, if you want to keep them separate for your own safety or for specific reasons, maybe you have a much, much more intense threat map than I do, and you’ve got nation state after you, then there’s a lot more to consider.

GRAHAM CLULEY

But I guess for now, all eyes are on Apple and how they’re going to respond to this, albeit 13 months later.

ZOE ROSE

Well, and it goes back to responsibility because they’re marketing it as hide my email address and they know there’s a vulnerability.

So, who’s accountable there if something happens? How do we force organisations to care? And I think at the end of the day, we’re European, right?

Well, European, not EU for you, but—

GRAHAM CLULEY

Thanks for reminding me.

ZOE ROSE

Just in case you forgot. To be fair, I’m not either.

But at the end of the day, we have more protections than somebody in North America because of the regulations and putting the accountability back on the vendor.

So, as these things happen and as technology changes, as much as I hate regulation and compliance for the sake of compliance, I do hope it makes a difference and puts more accountability back on the organisations to respond in an appropriate timeframe and not market falsely.

GRAHAM CLULEY

Well, we’ve got time now to talk about one of today’s sponsors, Vanta. Joe, what keeps you up at 2 o’clock in the morning?

JOE

The dog next door, mostly.

GRAHAM CLULEY

Oh, right, well, yeah, but I’m talking professionally, what keeps you up?

JOE

Oh, whether we’ve got the right security controls in place, whether our vendors are secure, how to escape the nightmare of outdated tools and endless manual processes.

GRAHAM CLULEY

Exactly, which is where today’s sponsor comes in. It’s Vanta.

JOE

Fanta, the fizzy orange drink. How can this possibly be true?

GRAHAM CLULEY

No, no, Joe, it’s Vanta with a V. It’s a trust management platform. It’s not a drink full of sugar.

It automates all of that tedious manual compliance work so you can stop drowning in spreadsheets, chasing audit evidence, and filling out questionnaire after questionnaire.

JOE

Lush, I hate questionnaires.

GRAHAM CLULEY

Well, who doesn’t? Vanta continuously monitors your systems. It centralises your security data. It keeps your program audit ready all of the time.

It also uses AI to streamline evidence collection and flag risks. It automates compliance for SOC 2, ISO 27001, HIPAA, GDPR, and more.

JOE

So basically it handles the boring stuff so we can focus on the interesting stuff.

GRAHAM CLULEY

Exactly. Precisely that. And for a limited time, new customers can get $1,000 off. $1,000? Yep, $1,000.

Head to vanta.com/smashing, that’s V-A-N-T-A dot com slash smashing, and get started today.

JOE

And maybe get a decent night’s sleep for once. Oh, and unlike fizzy drinks, Fanta isn’t bad for you. That was a fruit twist.

GRAHAM CLULEY

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.

ZOE ROSE

Pick of the Week.

GRAHAM CLULEY

Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they’ve read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn’t have to be security related necessarily.

Now, my pick of the week this week is related to a news story which I saw on July 1st.

TV stations in America, they broke their 24-hour rolling news to report on what was going on at the Empire State Building in New York.

ZOE ROSE

We are following breaking news out of New York City where at least two people have climbed to the very top of the Empire State Building. You can see them there.

They’re on the antenna with a flag.

GRAHAM CLULEY

That is 1,554 feet above the ground.

They appear to be protesters and have unfurled a banner that says, “When the power of love beats the love of power, the world knows peace.” NBC New York is covering all of it.

ZOE ROSE

We’re going to take a listen right now.

GRAHAM CLULEY

Did you see this at all, Zoe?

GRAHAM CLULEY

Well, they had helicopter crews circling around one of the world’s most famous buildings because a man and a woman had climbed right to the very, very top.

They unfurled a banner saying, “When the power of love beats the love of power, the world knows peace,” which is, you know, a very groovy thing to say.

They got down from the very top onto a platform and the man got down on one knee and nervously proposed to the woman who had climbed up there with him.

And, you know, it was all in some ways charming, in other ways just like, what the bloody hell are they doing?

Is this what everyone’s going to be doing now to propose to each other? This is insanity. And they were arrested, of course. Their names are Angela Nikolau and Ivan Birkus.

They are two Russian, what are called, rooftoppers, who climb buildings. You know, they don’t have all the safety gear. They just go up in their trainers, it seems.

ZOE ROSE

What is it called, like free climbing or something?

GRAHAM CLULEY

It’s that kind of thing. They break into buildings. They’re not doing this with permission. They evade security teams.

ZOE ROSE

May I guess that? Yeah.

GRAHAM CLULEY

Anyway, this interested me in this case, and I found out that they were the subject of a Netflix documentary a couple of years ago called Skywalkers: A Love Story.

And it is that documentary which is my pick of the week. And I’ll tell you something about myself, Zoe. I am terrified of heights, right?

I can’t stand on a stool, let alone climb up a ladder.

ZOE ROSE

Mate, I am 155 centimetres, and that is as tall as I need to be.

GRAHAM CLULEY

Right, right. So you and me both, right? Yeah.

I have in the past got up into the loft in my house and I’ve then been stuck there for 45 minutes thinking, how am I going to get— and that’s when there’s a ladder attached to the loft.

You know, it’s like, how am I going to get down? But aside from being terrified of heights, I am weirdly drawn to them. I am always thinking, oh, I want to test my fear of heights.

See, is this quite as scary. Will I want to throw myself off the— that’s my worry, is my brain will sort of short circuit and throw myself off just impulsively.

Anyway, I cannot tell you how stomach-churning this documentary was to me because I’m watching these two people climb buildings without permission.

And they sort of fell in love doing it, which is charming, but sometimes they’re having a bit of a row on the way, which has all been recorded on their GoPros.

And the woman at one point was having a real panic attack, which is understandable. I would be having a panic attack. I would feel paralysed as well.

And the guy is saying, “Come on, you can do it,” and all the rest of it. And she’s like, “No, no, really, I can’t.” And then she wants to, she wants to prove that she can.

I’m not saying that what these guys do is advisable or admirable. I think there’s—

ZOE ROSE

We should flag that there have been people that have died from doing that sort of thing.

GRAHAM CLULEY

Oh, and some of their friends had died as a result of this. So that is covered in the documentary. So, I mean, it is absolutely appalling.

I also think it’s questionable why Netflix, you know, why is this documentary being made? Is there then a compulsion for people to carry on doing these things?

GRAHAM CLULEY

Rather than working in a sandwich bar or something like that. It’s, it’s—

ZOE ROSE

I feel like that’s not the two alternatives, climbing a ginormous building or making sandwiches.

GRAHAM CLULEY

This woman, by the way, this woman.

GRAHAM CLULEY

She climbs these buildings, she’s on Instagram, right? And so she’s got hundreds of thousands of followers.

So what she does is she takes an outfit with her, she’s got her heels, and she’s doing all these sort of glamorous shots of herself doing acrobatics on the top of buildings, you know, which, I mean, they are amazing photographs, but surely if there was one reason why AI was invented was to stop people climbing up buildings and putting their lives at risk to pose on top of a skyscraper.

Anyway, is this my pick of the week, or is this my nitpick of the week?

ZOE ROSE

I have to say, you’re criticising Netflix for— Yes! Providing this resource, and also recommending it.

GRAHAM CLULEY

Well, I’m bringing it to light. So this could be a nitpick of the week, rather than a pick of the week. I’m not sure which it is, but anyway, I found it compelling, and—

ZOE ROSE

I would like you to watch it again with the goggles. What do they call that? Like virtual reality?

ZOE ROSE

What? So that you’re single point of view of her?

GRAHAM CLULEY

I’m not wearing virtual reality goggles.

ZOE ROSE

I would love that.

GRAHAM CLULEY

Are you insane? I would never do such a thing. Anyway, Skywalker’s A Love Story. Is it my pick of the week? Is it a nitpick of the week?

I’m not sure, but that is what I’m talking about on Smashing Security today.

GRAHAM CLULEY

Okay, Zoe, what’s your pick of the week?

ZOE ROSE

My pick of the week is, I am a single mother of two children and a cat. I’m pretty sure my cat is Satan, but, so I’m very busy.

GRAHAM CLULEY

So you’re the mother of Satan?

GRAHAM CLULEY

Right, lovely.

ZOE ROSE

Anyway, pick of the week is, I have no time, and so I’ve discovered, and by discovered I mean heavily forced to stop not considering by multiple people throughout many years, to purchase a Thermomix.

GRAHAM CLULEY

Oh, now I know what one of those is. Why don’t you describe it for our listeners, what a Thermomix is?

ZOE ROSE

A very, very expensive kitchen tool. But I will say, if you don’t like clutter, I was able to remove an insane amount of kitchen tooling.

And donate it because I’ve got this Thermomix replaced. But basically it weighs, it measures, it mixes and cooks and all of those fancy things.

I’ve made ice cream and lemonade and every dinner, and it does my shopping.

GRAHAM CLULEY

It’s not just cold food, it can do hot food. I have lived in a house with a Thermomix before.

GRAHAM CLULEY

So I do know— the embarrassing truth is that I only ever made boiled rice in it. But I know that you can do extraordinary things.

ZOE ROSE

So I’ve got all the recipes.

GRAHAM CLULEY

They’re very expensive. I mean, as a boiled rice machine, I thought this was overpriced, I have to say. Oh no, I did pasta as well. I did pasta as well. But you know, it is—

ZOE ROSE

You are so bland right now. I did pasta.

GRAHAM CLULEY

They are expensive devices.

ZOE ROSE

Okay. They are expensive. And you have to have a subscription to the app for recipes. You don’t have to, but I do.

GRAHAM CLULEY

No, come on.

ZOE ROSE

Super beneficial though, because I go through the app, I choose the recipes, put in a shopping list.

It makes shopping super bloody easy because then I just put it in the thing that delivers. Because I’m not going to the shop with two children and a bloody cat.

So it’s really useful and it allows me to cook things that are actually really good, to the point where, because I’m not a very good cook, let’s be honest.

You want me to investigate an incident? Right on. You want me to cook pizza from scratch? Questionable. But in this case, it works.

GRAHAM CLULEY

And it can boil rice very reliably in my experience.

ZOE ROSE

It even makes cake. I made cheesecake the other day. That’s so clever. And muffins, because it has a thingy that goes on top and you can steam them.

GRAHAM CLULEY

Very clever. Very cool pick of the week. Take out a mortgage though to buy one. Well, that just about wraps up the show for this week. Zoe, thank you so much for joining us as a guest.

I’m sure lots of listeners would love to find out what you’re up to and follow you online. What’s the best way to do that?

ZOE ROSE

Well, I am not massively active online because I’m getting old. And also going back to the mum comment, they could go to my website, rosesec.com, if they really want.

But I think I’d also like to flag that if they’re somebody that related to the story I said earlier about high threat profiles, I would suggest they go and look at organisations like Operation Safe Escape or any organisations that specifically tailor their support to domestic abuse and violence survivors, because they will understand those threat maps a lot better than I can summarise.

GRAHAM CLULEY

Fantastic stuff. Well, we really appreciate you being on the show.

And listeners, you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky and Reddit and Mastodon. And don’t forget to ensure you never miss another episode.

Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of 475 episodes.

Check out smashingsecurity.com. Until next time. Cheerio, bye-bye. Cheers. You’ve been listening to Smashing Security with me, Graham Cluley.

Thanks ever so much to Zoe Rose for joining us this week and to this episode’s sponsors, Arctic Wolf, NordLayer, and Vanta.

Make sure to check out their special offers because they’re supporting the show.

And talking of people supporting the show, thanks to the following fine fellows, all signed up members of Smashing Security Plus. Let’s pick out some of them from the hat right now.

We’ve got first up, Darryl Green and Dave Barker. Both of them sound very dependable. I’d trust them to look after my plants while I’m on holiday.

Big yay to Richard Anand, Christoph Goossens and Travis West. Travis West.

Sounds like a Wild West character riding into town, sorting out your endpoint security, then riding off again without a word. And not also to Heisenberg.

We know who you are, but we can’t be certain where you are. And that’s fine.

Big thanks to Darren Kenny and to the magnificent Trogdork, a name that sounds like the final boss you’d have to beat in a game of Zelda, but probably turns out to be really good at patching vulnerabilities.

Oh, and finally, Daniel Kromeck and Billy, just Billy, one name Billy, no further questions. He’s happy with that.

Those are just a few members of Smashing Security Plus, which means that they get their episodes completely ad-free, earlier than the general public as well, they get them.

And they can have their names pulled out at random to be mercilessly mocked at the end of the show. Who could want for more?

If you fancy a little bit of that, join Smashing Security Plus. Just head over to our little club at smashingsecurity.com/plus for all of the details.

But you don’t have to become a member of that. You could support the show in ways which don’t cost a penny by liking, subscribing, leaving a 5-star review wherever you listen.

That will warm my cockles. And of course, tell your friends about the show. Spreading the word really does help. And, well, until next time, cheerio, bye-bye.

Scroll to Top