WEBVTT

00:04.191 --> 00:18.322
[SPEAKER_02]: It's been given a CVSS score of 9.4. Basically, the industry's number on how badly you've cocked things up. 9.4 is sort of one step shy of everything's on fire and the sprinklers are broken.

00:18.962 --> 00:26.008
[SPEAKER_02]: It's not unplug everything and hide under your desk, it's more sort of unplug everything and start drafting your resignation.

00:36.719 --> 00:44.994
[SPEAKER_00]: Smashing Security, episode 437: Salesforce's trusted domain of doom, with Graham Cluley.

00:46.117 --> 00:50.401
[SPEAKER_02]: Hello, hello and welcome to Smashing Security, episode 437. My name is Graham Cluley.

00:51.142 --> 00:52.844
[SPEAKER_02]: And I am Paul Ducklin.

00:53.504 --> 00:53.905
[SPEAKER_02]: Duck?

00:54.045 --> 00:58.169
[SPEAKER_02]: Welcome back. Do you know, I had a look through the archives?

00:58.189 --> 01:01.452
[SPEAKER_02]: You were our very first guest on the show.

01:01.472 --> 01:02.033
[SPEAKER_02]: How's that?

01:02.133 --> 01:03.314
[SPEAKER_02]: Back in episode 11 in 2017.

01:03.514 --> 01:04.655
[SPEAKER_02]: I think Vanja had just quit.

01:08.619 --> 01:10.000
[SPEAKER_02]: and we parachuted you in.

01:10.160 --> 01:12.521
[SPEAKER_02]: And here you are again, the other one's left.

01:12.721 --> 01:13.481
[SPEAKER_01]: Here I am again.

01:13.981 --> 01:24.766
[SPEAKER_01]: Well 2017, I thought you were going to say 1974 for a moment, because everything before the pandemic now seems to feel like a long time ago.

01:24.786 --> 01:26.746
[SPEAKER_01]: It does, doesn't it, it's like the Ice Age?

01:27.267 --> 01:28.307
[SPEAKER_02]: It's probably a good thing.

01:28.927 --> 01:32.569
[SPEAKER_02]: So, Duck, for those people who don't know you, what do you do?

01:33.189 --> 01:34.910
[SPEAKER_02]: And why might they have heard of you?

01:35.620 --> 01:49.187
[SPEAKER_01]: Well, one reason old-timers might have heard of me, or anyone who runs an antivirus, or, I think I mean, EDR software, has probably downloaded the EICAR test file at some time.

01:49.367 --> 01:55.330
[SPEAKER_01]: And on that page, there is a thing that goes blah, blah, blah, blah, blah, blah, Ducklin.html.

01:56.030 --> 02:03.814
[SPEAKER_01]: And that ducklin.html is me. So I didn't write the EICAR file, but I wrote the justification.

02:03.834 --> 02:11.837
[SPEAKER_01]: The community needed to come together so that everybody could agree on a standard way of checking that their products were working.

02:11.977 --> 02:15.759
[SPEAKER_02]: That's a small and important footnote in cybersecurity history.

02:15.939 --> 02:18.280
[SPEAKER_02]: It's quite a significant thing, the EICAR test file.

02:18.618 --> 02:25.165
[SPEAKER_01]: Yes, it seems trivial, what, 58 bytes of ASCII code, which is quite funky if you decompile it.

02:25.585 --> 02:39.580
[SPEAKER_02]: There's a temptation at this point for us to sort of travel down a dangerous alleyway talking about things like Doren Rosenthal's Virus Simulator, and, yes, which maybe about 2% of our audience remember.

02:42.439 --> 02:47.681
[SPEAKER_02]: Before we kick off, let's thank this week's wonderful sponsors, Vanta, Second Alerts, and a non.

02:48.081 --> 02:50.822
[SPEAKER_02]: We'll be hearing more about them later on in the podcast.

02:55.183 --> 03:04.046
[SPEAKER_02]: This week on Smashing Security, we're not going to be talking about how Harrods has confirmed a data breach that has exposed the personal details of nearly half a million customers.

03:05.828 --> 03:31.411
[SPEAKER_02]: You'll hear no discussion of how French department store Samaritaine has been fined 100,000 euros for installing hidden cameras inside smoke alarms without warning employees they were under surveillance, and we won't even mention how Afghanistan's Taliban government has cracked down on what it calls immoral activities by turning off more than 43 million people's internet access.

03:33.303 --> 03:36.024
[SPEAKER_02]: So, Duck, what are you going to talk about this week?

03:36.764 --> 03:46.769
[SPEAKER_01]: Well, I would like to talk about what happens after a breach, and I don't mean the technological response, but our cultural response.

03:47.369 --> 03:51.971
[SPEAKER_02]: And I'm going to be talking about how just $5 can steal your Salesforce data.

03:52.811 --> 03:56.693
[SPEAKER_02]: All this and much more coming up on this episode of Smashing Security.

04:00.796 --> 04:04.498
[SPEAKER_02]: Now, Duck, I think we've already hinted at this, but how long have we actually known each other?

04:04.518 --> 04:05.138
[SPEAKER_02]: Do you reckon?

04:06.059 --> 04:12.462
[SPEAKER_01]: Well, it was probably around the time of the EICAR test file.

04:13.942 --> 04:15.543
[SPEAKER_02]: I think sort of mid-90s?

04:16.043 --> 04:17.444
[SPEAKER_02]: Yeah, something like that.

04:17.804 --> 04:24.427
[SPEAKER_02]: We started off working for rival companies and then we started working for the same company for many years.

04:24.647 --> 04:24.907
[SPEAKER_02]: Yes.

04:25.028 --> 04:27.249
[SPEAKER_02]: Almost 30 years, I'd say, that we've known each other.

04:27.269 --> 04:29.530
[SPEAKER_02]: We've gone to the same exhibition, same conferences,

04:30.350 --> 04:34.533
[SPEAKER_02]: We've worked the exhibition halls, we've got leads from attendees.

04:34.553 --> 04:37.695
[SPEAKER_02]: Do you remember we used to have to get them to write down their details?

04:38.035 --> 04:39.516
[SPEAKER_02]: And then someone would transcribe them.

04:39.916 --> 04:41.977
[SPEAKER_02]: Then you scanned people with a pen.

04:42.578 --> 04:47.261
[SPEAKER_02]: And eventually, you got to the stage where you're asking people to fill in their details on an iPad.

04:47.321 --> 04:48.782
[SPEAKER_02]: And it went into some system.

04:49.422 --> 04:57.623
[SPEAKER_01]: And then in the end it was just, you basically bleep them and then you bought the data back from the company that's organising the conference at the end of the day.

04:58.204 --> 05:07.565
[SPEAKER_01]: In some ways I wish we could go back to those early days when you would hand someone a clipboard and they would fill in the form because they actually wanted to be talked to.

05:08.025 --> 05:09.986
[SPEAKER_01]: They just go no thanks and you go fine.

05:10.206 --> 05:16.547
[SPEAKER_02]: Yes, these days many vendors will have a CRM, a customer relationship management system.

05:17.447 --> 05:30.157
[SPEAKER_02]: Some of those CRMs will be sort of homegrown, brewed by the founder of the company over a long weekend, surviving on coffee, others will be professional packages bought for thousands and thousands of dollars.

05:30.637 --> 05:33.619
[SPEAKER_02]: Essentially, they also serve the same requirement.

05:33.699 --> 05:41.825
[SPEAKER_02]: They're a very sophisticated database for remembering which customers you've annoyed and when you annoyed them and how much you annoyed them.

05:42.206 --> 05:43.146
[SPEAKER_02]: That's basically what a CRM is.

05:44.107 --> 05:49.299
[SPEAKER_01]: and how much would cost a day and owe them enough to get more money back in the coming year for them.

05:50.169 --> 06:04.412
[SPEAKER_02]: I'm a one-man business and I don't have many customers, but even I have got a CRM these days, because I can't remember all the people I've annoyed, or, you know, people who have contacted me about doing work for them, and I'll forget to get back to people if I don't have it in the system.

06:04.752 --> 06:07.393
[SPEAKER_02]: But sales people, they love these things.

06:07.613 --> 06:12.794
[SPEAKER_02]: It's like a glorified digital filing cabinet so they can remember their clients better.

06:12.814 --> 06:15.435
[SPEAKER_02]: I remember when my accountant used to ring me up and they say,

06:21.177 --> 06:23.959
[SPEAKER_02]: You've got a note that I do a podcast.

06:24.239 --> 06:29.043
[SPEAKER_02]: You clearly haven't ever experienced it because you'd realize it's not a video podcast.

06:29.063 --> 06:35.188
[SPEAKER_01]: So presumably you don't tell them so they don't update the database so that you can catch them out every time.

06:36.329 --> 06:39.671
[SPEAKER_02]: But these CRM, they contain a lot of important data.

06:39.711 --> 06:42.532
[SPEAKER_02]: Data you don't want falling into the wrong hands.

06:42.612 --> 06:47.594
[SPEAKER_02]: And the biggest CRM in the world is undoubtedly Salesforce.

06:48.074 --> 06:48.734
[SPEAKER_02]: It's massive.

06:48.814 --> 06:55.377
[SPEAKER_02]: It dominates the CRM market, to the point where it has more customers than the next four competitors combined.

06:55.497 --> 06:55.897
[SPEAKER_02]: Wow.

06:56.638 --> 06:59.699
[SPEAKER_01]: And it runs on somebody else's computer, doesn't it?

07:00.039 --> 07:02.820
[SPEAKER_01]: That's the whole idea behind it.

07:02.860 --> 07:03.921
[SPEAKER_02]: Yes, up in the cloud.

07:04.021 --> 07:04.241
[SPEAKER_02]: Yeah.

07:04.861 --> 07:18.624
[SPEAKER_02]: That means if a problem is found in Salesforce, it's a bit more significant than if one's found in Big Yann's Customer Tracker Pro or, you know, whatever other alternative CRM it might be that you're using.

07:18.944 --> 07:29.706
[SPEAKER_02]: Well, cybersecurity outfit Noma Security, they recently announced that they had found a vulnerability in Salesforce's Agentforce platform.

07:30.026 --> 07:31.506
[SPEAKER_01]: Untemptive sale is this

07:34.747 --> 07:37.409
[SPEAKER_02]: Well, yeah, I need to make clear, because yes, you're absolutely right.

07:37.589 --> 07:44.012
[SPEAKER_02]: There have been lots of vulnerabilities found in Salesforce, particularly recently, which, of course, cause all kinds of problems.

07:44.032 --> 07:47.614
[SPEAKER_02]: You'd think one would be enough for two, three, four, five years.

07:47.714 --> 07:52.017
[SPEAKER_02]: Yeah, so faithful listener, you may have heard about Salesforce problems.

07:52.117 --> 07:55.259
[SPEAKER_02]: This particular one has just been found recently.

07:55.619 --> 07:59.160
[SPEAKER_02]: It's been given a CVSS score of 9.4.

08:00.421 --> 08:07.523
[SPEAKER_02]: That's the Common Vulnerability Scoring System, basically the industry's number on how badly you've cocked things up.

08:07.543 --> 08:13.404
[SPEAKER_02]: 9.4 is sort of one step shy of everything's on fire and the sprinklers are broken.

08:14.025 --> 08:16.665
[SPEAKER_02]: It's not unplug everything and hide under your desk.

08:16.765 --> 08:21.987
[SPEAKER_02]: It's more sort of unplug everything and start drafting your resignation or apology.

08:23.185 --> 08:25.930
[SPEAKER_02]: Yes, a 10 is WannaCry, right?

08:26.291 --> 08:26.551
[SPEAKER_02]: Yes.

08:26.712 --> 08:28.395
[SPEAKER_02]: And Log4Shell.

08:28.435 --> 08:28.655
[SPEAKER_02]: Yes.

08:29.156 --> 08:30.339
[SPEAKER_02]: But 9.4.

08:30.739 --> 08:31.361
[SPEAKER_02]: Pretty bad.

08:31.381 --> 08:32.322
[SPEAKER_02]: I'd say pretty bad.

08:33.257 --> 08:37.419
[SPEAKER_02]: Now, as you already said, Duck, Salesforce has been in the news a lot in recent months due to security issues.

08:37.439 --> 08:44.621
[SPEAKER_02]: There's been data theft, where hackers have gained access via connected third-party apps, there have been cloud vulnerabilities, all sorts of bad stuff going on.

08:44.961 --> 08:48.643
[SPEAKER_02]: But this vulnerability that Noma Security found is different.

08:49.083 --> 08:53.505
[SPEAKER_02]: They've called it ForcedLeak, because every vulnerability has to have a name.

08:53.545 --> 08:54.645
[SPEAKER_02]: I'm a bit disappointed, it doesn't

08:54.665 --> 08:55.586
[SPEAKER_02]: Does it have a logo?

08:55.606 --> 08:57.107
[SPEAKER_02]: It doesn't have a logo.

08:57.328 --> 09:10.321
[SPEAKER_02]: I mean, it feels like the marketing department at Noma Security have let the side down, because clearly, if it doesn't have a logo, if it doesn't have a theme song, if it doesn't have its own domain name we can go check out.

09:10.341 --> 09:10.561
[SPEAKER_02]: Yes.

09:10.881 --> 09:17.027
[SPEAKER_02]: That's right, there has been a vulnerability or fierce desire, if you remember, which had its own theme song.

09:18.368 --> 09:23.809
[SPEAKER_02]: If it doesn't have a merchandise store, then I think it shouldn't really count.

09:23.909 --> 09:30.990
[SPEAKER_02]: Anyway, this thing is called ForcedLeak, and it exploits a feature of Salesforce Agentforce.

09:31.611 --> 09:33.591
[SPEAKER_02]: It's to do with the Web-to-Lead form.

09:33.631 --> 09:44.713
[SPEAKER_02]: This is the form that companies use to funnel in leads, whether people are using it on a web form or an iPad at a trade show, where people are filling in their names, their email, their company, and what their interest is.

09:45.213 --> 09:53.482
[SPEAKER_02]: All of that goes through this form, straight into the Salesforce CRM as a potential customer lead.

09:54.163 --> 09:58.087
[SPEAKER_02]: Now, this web to lead form doesn't just ask you for your contact details.

09:58.568 --> 10:00.670
[SPEAKER_02]: You know, just having someone's contact details is not really enough.

10:00.690 --> 10:02.052
[SPEAKER_02]: You want to know what they're interested in.

10:02.754 --> 10:06.377
[SPEAKER_02]: and it has a huge description field.

10:07.098 --> 10:14.925
[SPEAKER_02]: It accepts up to 42,000 characters, which is, I reckon about 7,000 or 8,000 words.

10:17.827 --> 10:25.013
[SPEAKER_01]: Crikey, Graham, when you wrote games software, you didn't have 42,000 bytes of RAM to play with in the whole computer.

10:25.473 --> 10:27.695
[SPEAKER_01]: Haha, it's absolutely astonishing.

10:27.975 --> 10:37.203
[SPEAKER_01]: But it's such a weird number as well, if you're going to stop at 42,000, why not have 100,000, or, yes, I suppose it's someone thought what's the biggest you'll ever need.

10:37.743 --> 10:41.106
[SPEAKER_01]: And that's kind of the biggest they've ever had plus a bit to spare.

10:41.546 --> 10:41.887
[SPEAKER_01]: It's odd.

10:42.367 --> 10:42.907
[SPEAKER_01]: No, it's even.

10:45.566 --> 10:49.249
[SPEAKER_01]: Anyway, it's round about 7,000 or 8,000 typical words.

10:49.349 --> 10:54.734
[SPEAKER_01]: Is that something that you'd imagine somebody might just type in on an iPad quickly at a trade show?

10:54.754 --> 10:55.815
[SPEAKER_01]: 7,000 words.

10:55.875 --> 11:00.418
[SPEAKER_01]: T-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t-t

11:11.127 --> 11:13.088
[SPEAKER_02]: So, it is a big field.

11:13.248 --> 11:17.091
[SPEAKER_02]: It's an awful lot of text, which they are allowing to be entered.

11:17.731 --> 11:29.439
[SPEAKER_02]: And the researchers, they took a look at this and they thought, I wonder what would happen if we put some malicious instructions into that whopping huge field on these lead forms?

11:30.059 --> 11:33.200
[SPEAKER_02]: But this wasn't like a SQL injection attack.

11:33.300 --> 11:40.023
[SPEAKER_02]: It wasn't a case of them typing something in and the form just spitting out information from the CRM database.

11:40.743 --> 11:42.564
[SPEAKER_02]: This wasn't direct prompt injection.

11:42.584 --> 11:45.725
[SPEAKER_02]: This was indirect prompt injection.

11:45.745 --> 11:47.746
[SPEAKER_02]: So I wanted to describe to people how it works.

11:47.806 --> 11:50.507
[SPEAKER_02]: It might get it nerdy, but hopefully this will be interesting.

11:51.267 --> 12:00.551
[SPEAKER_02]: So the attacker would include malicious instructions in their lead form entry, and that's what gets stored in the Salesforce database.

12:00.611 --> 12:07.434
[SPEAKER_02]: Now, Salesforce has this spanking new autonomous AI agent thing called Agentforce.

12:07.554 --> 12:09.935
[SPEAKER_02]: It's not just a chatbot that answers questions.

12:10.575 --> 12:16.797
[SPEAKER_02]: It supposedly helps you make sense of the data in your CRM and helps you plan, execute,

12:18.470 --> 12:20.191
[SPEAKER_02]: What could possibly go wrong, Graham?

12:20.591 --> 12:23.672
[SPEAKER_02]: Well, yes, there's an AI involved, so everything could go wrong.

12:23.992 --> 12:32.554
[SPEAKER_02]: So the malicious instructions that Noma Security's researchers put into the form were directed at Salesforce Agentforce.

12:33.295 --> 12:43.798
[SPEAKER_02]: And because they knew that at some point, an innocent employee at the receiving company, the company which was receiving the lead, they were going to ask the AI something.

12:44.338 --> 12:48.061
[SPEAKER_02]: You know, they were going to give it some sort of instruction, which would look at the entries.

12:48.661 --> 12:53.405
[SPEAKER_02]: Something like, please check the lead with the name Bobby Tables in it and respond to their questions.

12:53.465 --> 12:54.145
[SPEAKER_02]: Something like that.

12:54.626 --> 12:55.066
[SPEAKER_01]: Oh, no.

12:55.086 --> 12:57.908
[SPEAKER_01]: I can guess where this is going.

12:58.188 --> 13:02.252
[SPEAKER_02]: Well, the AI would of course obediently obey their request.

13:02.592 --> 13:10.578
[SPEAKER_02]: Retrieve the poisoned data entered via the form and execute the hidden instructions as though they were legitimate.

13:11.110 --> 13:18.732
[SPEAKER_02]: Now, what the malicious instruction said was, first of all, it asked the AI to count how many leads existed in the entire database.

13:19.409 --> 13:24.030
[SPEAKER_01]: And then, it's the right sort of flavor of thing that you might ask.

13:24.150 --> 13:27.011
[SPEAKER_01]: It's not like, design me a craft to go to the moon.

13:27.051 --> 13:29.171
[SPEAKER_01]: Yes, kind of pseudo relevant.

13:30.012 --> 13:33.232
[SPEAKER_02]: It's not complete gibberish, but it's clever this.

13:33.753 --> 13:40.514
[SPEAKER_02]: It would then, just to see if it could execute general knowledge queries outside its normally intended scope, it

13:40.574 --> 13:43.195
[SPEAKER_02]: Then said, what colour do you get if you mix red and yellow?

13:43.755 --> 13:57.495
[SPEAKER_02]: And then, and this was the crucial bit, it said, extract all of the email addresses from the CRM and encode them into a string, changing things like spaces to %20.

13:58.677 --> 14:01.038
[SPEAKER_02]: Now, here's the problem for an external hacker.

14:01.338 --> 14:13.023
[SPEAKER_02]: So an employee inside the company has run this command, they've instructed their AI to do this, but how is the hacker going to get that string containing everybody's details?

14:13.603 --> 14:18.945
[SPEAKER_02]: Well, the CRM has created this string containing loads of information from its database.

14:19.605 --> 14:25.731
[SPEAKER_02]: But it's not going to send it via email or Slack or Signal or ICQ or anything like that.

14:26.071 --> 14:29.094
[SPEAKER_02]: It isn't going to be FTPed to a third-party server.

14:29.775 --> 14:41.245
[SPEAKER_02]: What the next instruction was, via this Web-to-Lead form, was they told it to embed an image at the end of its response to the innocent employee at the company.

14:42.106 --> 14:55.432
[SPEAKER_02]: And it said, this image is hosted on a third-party website, and it gave a URL, part of which, as a parameter, was the string containing the encoded email addresses.

14:56.031 --> 15:06.317
[SPEAKER_02]: And so, of course, that web server would receive the request for the image, but it would also receive the parameter which would contain all the email addresses.

15:06.917 --> 15:08.999
[SPEAKER_02]: So that's how the data gets exfiltrated.

15:09.079 --> 15:12.441
[SPEAKER_02]: However, the guys at Salesforce themselves, they're no bozos.

15:12.981 --> 15:20.449
[SPEAKER_02]: They knew it shouldn't be possible to display any old file from any old third-party server within the response; that would be dangerous.

15:20.509 --> 15:25.514
[SPEAKER_02]: And so they had what's known as a CSP, a content security policy.

15:25.554 --> 15:31.900
[SPEAKER_02]: This is a feature which tells a browser which external sources it's allowed to load content from.

15:32.501 --> 15:35.844
[SPEAKER_02]: And it's basically a whitelist of domains that your app

15:37.160 --> 15:39.501
[SPEAKER_01]: So what's in their CSP list that's allowed?

15:40.221 --> 15:54.108
[SPEAKER_02]: Well, they had a list of domains which they owned, including the domain cdn.my-salesforce-cms.com.

15:54.788 --> 15:56.169
[SPEAKER_02]: Had they not registered it?

15:56.909 --> 16:00.831
[SPEAKER_02]: It belonged to Salesforce, with the emphasis on belonged.

16:05.915 --> 16:22.198
[SPEAKER_02]: And so the researchers at Noma noticed this, purchased the domain for just $5, and were able to trick Salesforce into coughing up the sensitive information stored inside its CRM, all at a cost of just $5.

16:22.498 --> 16:29.679
[SPEAKER_01]: And all in compliance with Salesforce's content security policy, which

16:33.680 --> 16:44.366
[SPEAKER_02]: Yeah, it's meant to give you that reassurance: we're protected, and we've got all these defences in place, but there was just one domain in there that they hadn't kept registered, and so someone else had grabbed it.

16:45.027 --> 16:50.049
[SPEAKER_01]: This reminds me of SPF, if you remember that, which is still a big thing.

16:50.350 --> 16:57.254
[SPEAKER_01]: And when it came out 10, 15 years ago, it was touted as an instant solution to all your spam

17:03.437 --> 17:16.265
[SPEAKER_01]: And then, most large companies ended up with a list so long that there was no possibility that they could truly vouch for all of them, and there was an ever changing list of third parties as well in there.

17:16.585 --> 17:21.648
[SPEAKER_01]: And this sounds like exactly the same thing: oh well, we might need 7,000 different domains.

17:22.168 --> 17:28.212
[SPEAKER_01]: Whereas if they just had one, and had filtered everything through that, then they could have been much more proactive, couldn't they?

17:28.572 --> 17:29.654
[SPEAKER_02]: Yeah, they'd have been all right.

17:30.154 --> 17:31.456
[SPEAKER_02]: So what's the takeaway from all this?

17:31.696 --> 17:39.006
[SPEAKER_02]: Well, if you're using AI agents in your business, and let's face it, everyone and their dog seems to be rushing to bolt AI into everything.

17:39.447 --> 17:45.014
[SPEAKER_02]: You need to remember, these are autonomous systems with quite often more power than sense.

17:45.895 --> 17:52.478
[SPEAKER_02]: So, they will look at those 42,000 characters and they may well act upon it, whereas a human would go, what on earth is all this?

17:53.038 --> 18:01.923
[SPEAKER_02]: And for goodness' sake, keep track of which domains are in your whitelists and make sure they haven't expired and haven't been snapped up by some

18:13.554 --> 18:24.443
[SPEAKER_01]: Well, I have a story loosely entitled, once, twice, thrice more unto the breach, dear friends, when is this all going to stop?

18:25.043 --> 18:29.207
[SPEAKER_01]: If you don't mind me channelling the Bard of Avon very, very badly indeed.

18:29.887 --> 18:40.836
[SPEAKER_01]: As I mentioned earlier, I just want to talk about, why is it that we seem to have fallen into bad habits when it comes to breach disclosures?

18:41.797 --> 19:00.342
[SPEAKER_01]: Even though we have new regulations, even though we have supposedly stronger controls, and even though we supposedly have more mature chief information security officers and more mature attitudes in companies towards conveying information to customers.

19:00.737 --> 19:02.938
[SPEAKER_02]: Why do you say we've fallen into bad habits?

19:03.058 --> 19:05.219
[SPEAKER_02]: Which bad habits do you think we've fallen into?

19:05.559 --> 19:12.642
[SPEAKER_01]: Well, we still seem to be dining out on the... Oh, we've had a breach, and suddenly an email arrives: dear customer.

19:12.982 --> 19:15.303
[SPEAKER_01]: We take your cybersecurity seriously.

19:16.003 --> 19:28.866
[SPEAKER_01]: So seriously, we have utterly neglected to look after your data at all, and we have allowed whatever it is, an AI to scoop up all this data and embed it in a web link and call the web link and leak the information to a third party.

19:29.306 --> 19:38.428
[SPEAKER_01]: I'm making that bit up, but it seems that that's where we started, maybe 10 or 15 years ago, when we started getting emails about data breaches coming out.

19:39.252 --> 19:52.117
[SPEAKER_01]: And although companies are learning not to use those words these days, some still do, it still seems that we are willing, if not to tell untruths,

19:52.898 --> 19:57.000
[SPEAKER_01]: to be very economical with the way we parse and interpret the truth.

19:57.340 --> 19:59.361
[SPEAKER_01]: So let me give you a recent example.

19:59.381 --> 20:04.683
[SPEAKER_01]: Okay, this comes out of the notorious Marks and Spencer, M&S, breach

20:05.343 --> 20:06.244
[SPEAKER_01]: in the UK.

20:06.564 --> 20:14.068
[SPEAKER_01]: I'm just picking them because that was in the news for many, many weeks in a row, but there are other companies that have done similar things.

20:14.768 --> 20:20.252
[SPEAKER_01]: Where the initial response was, perhaps within a day or two, I think it was.

20:20.992 --> 20:29.137
[SPEAKER_01]: Don't worry, all the evidence we have so far suggests that no customer data has been stolen so our customers don't need to take any action.

20:29.957 --> 20:38.679
[SPEAKER_01]: And you're kind of thinking, should you be making that statement when you actually don't have the information?

20:38.959 --> 20:44.840
[SPEAKER_01]: Because it sort of raises the question, well, let's say you don't go looking at all.

20:44.860 --> 20:45.160
[SPEAKER_01]: Yes.

20:45.481 --> 20:55.743
[SPEAKER_01]: You'll never find any evidence that customer data was stolen, and you'll always be able to say, as far as we know; you won't be lying, but you won't be telling the truth.

20:56.343 --> 21:03.589
[SPEAKER_01]: And it's as though we're suggesting that absence of evidence is evidence of absence.

21:04.249 --> 21:05.650
[SPEAKER_01]: But that's absolutely not the case.

21:05.690 --> 21:13.896
[SPEAKER_01]: And of course, Marks and Spencer had to reverse that and make another statement saying, now, actually, now we've had a look.

21:13.956 --> 21:16.418
[SPEAKER_01]: Now we actually do know what's going on.

21:16.818 --> 21:20.461
[SPEAKER_01]: As required by the regulators, we've tried to find out what's going on.

21:20.901 --> 21:22.803
[SPEAKER_01]: Customer data was stolen.

21:23.123 --> 21:27.968
[SPEAKER_02]: I have some sympathy. It's difficult for companies necessarily to know if customer data has been taken.

21:28.208 --> 21:28.828
[SPEAKER_02]: Absolutely.

21:28.848 --> 21:33.192
[SPEAKER_02]: It's not like if your bicycle gets stolen, it's very obvious your bicycle is no longer there.

21:33.373 --> 21:38.938
[SPEAKER_02]: My best bicycle did get stolen recently, Graham, and I am still bitter about it.

21:39.158 --> 21:41.800
[SPEAKER_01]: Did you leave it outside Marks and Spencer unlocked?

21:42.121 --> 21:46.345
[SPEAKER_01]: No, I left it right outside my flat, and someone made off with it.

21:47.104 --> 21:47.684
[SPEAKER_01]: but you're right.

21:47.704 --> 21:49.285
[SPEAKER_01]: I was in no doubt.

21:49.945 --> 21:53.867
[SPEAKER_01]: I came out and there was a bicycle shaped space where it used to be.

21:53.928 --> 21:55.168
[SPEAKER_01]: Yes, it wasn't a question of:

21:55.368 --> 22:04.133
[SPEAKER_01]: My bicycle was still there, but now every time I ride it, somebody else is finding out where I'm going and when, which is a very different kind of proposition.

22:05.192 --> 22:09.715
[SPEAKER_02]: So when a company loses data, it's not as obvious.

22:09.735 --> 22:11.416
[SPEAKER_02]: So I have some sympathy there.

22:11.536 --> 22:28.127
[SPEAKER_01]: I do too, but what I don't have sympathy with is this idea of saying, well, on the basis of that we do not yet know, we can honestly say that and invite people very strongly to infer that they're going to be okay.

22:28.767 --> 22:42.568
[SPEAKER_01]: Now, Marks and Spencer, maybe I'm being a little bit harsh there, because the data that was stolen was comparatively modest, by my understanding, I think: boils down to name, phone number, email address and perhaps physical address.

22:43.031 --> 22:47.814
[SPEAKER_01]: Which is still a little bit worrying if you've ever been stalked; someone now knows what your physical address is.

22:47.834 --> 22:52.316
[SPEAKER_02]: Well, someone could contact them claiming to be Marks and Spencer and say, we want to compensate you.

22:52.516 --> 22:53.537
[SPEAKER_02]: Click here or else.

22:53.557 --> 22:53.657
[SPEAKER_00]: Yes.

22:53.697 --> 22:54.618
[SPEAKER_02]: Into your bank account.

22:54.638 --> 22:57.659
[SPEAKER_02]: I mean, there are subsequent follow-up scams, which could occur.

22:58.240 --> 22:58.860
[SPEAKER_01]: Absolutely.

22:59.220 --> 23:03.242
[SPEAKER_01]: I'm not suggesting that they should try and make a definitive statement.

23:03.743 --> 23:05.684
[SPEAKER_01]: Therefore, they have a definitive answer.

23:05.964 --> 23:14.169
[SPEAKER_01]: But I do wonder why it seems okay to make implicit suggestions for everything's all right.

23:14.909 --> 23:20.272
[SPEAKER_01]: Because it kind of sounds bad if you admit you don't know.

23:20.652 --> 23:21.833
[SPEAKER_01]: We know you don't know.

23:22.333 --> 23:24.715
[SPEAKER_01]: Maybe that's the way we should lead off.

23:25.015 --> 23:28.337
[SPEAKER_02]: And oh so often they have to come back a few days later.

23:28.617 --> 23:36.523
[SPEAKER_02]: and get even more press attention by saying, ah, we've found 10,000 customers had their data breached, and then a week later, did we say 10,000?

23:36.583 --> 23:38.084
[SPEAKER_02]: We meant 150,000.

23:38.845 --> 23:49.673
[SPEAKER_01]: In some previous cases, many years ago, these have gone up from thousands to hundreds of thousands to millions, every day when you realize, actually, well, it's everybody, not just somebody.

23:50.353 --> 24:05.023
[SPEAKER_01]: And another example is that, you know, there's a massive breach and the one thing the company can tell immediately is that it almost certainly does not involve things like payment card data, because that's outsourced to a different third party who didn't get breached.

24:05.563 --> 24:11.467
[SPEAKER_01]: And I appreciate that it's useful to know that payment card data was not stolen.

24:11.948 --> 24:13.589
[SPEAKER_01]: But I often get the impression

24:17.111 --> 24:22.276
[SPEAKER_01]: that people are being invited to infer from that that, yeah, this is all under control.

24:22.616 --> 24:34.867
[SPEAKER_01]: Don't worry, they haven't got your payment card data, but what they're not telling you is what they might have got because, ironically, the one thing that these days is surprisingly easy to change.

24:35.407 --> 24:36.548
[SPEAKER_01]: is a credit card number.

24:36.868 --> 24:47.636
[SPEAKER_01]: You can just call the bank, go into the bank or use it on your phone to say, bend that card, stop it working, send me a new one and I'll take the inconvenience.

24:48.136 --> 24:53.800
[SPEAKER_01]: But the one thing you can't do is get a new passport number, get a new driving license number.

24:54.200 --> 24:59.084
[SPEAKER_01]: You can move house, but should you have to do that every single time there's a breach?

24:59.424 --> 25:00.745
[SPEAKER_01]: Every other week I'd be moving.

25:01.185 --> 25:03.706
[SPEAKER_01]: Well, the real estate agents would love that, wouldn't they?

25:04.186 --> 25:05.607
[SPEAKER_02]: What do you think the regulators should do?

25:05.667 --> 25:08.908
[SPEAKER_02]: Would it be a good idea, for instance, if there was a standard form?

25:08.928 --> 25:14.610
[SPEAKER_02]: So, they can write their press release, but they also have to issue a certificate, which has a number of checkboxes.

25:14.770 --> 25:16.350
[SPEAKER_02]: Was customer data taken?

25:16.730 --> 25:19.231
[SPEAKER_02]: Yes, no, or don't know.

25:19.491 --> 25:21.452
[SPEAKER_02]: Just simple binary options there.

25:21.932 --> 25:26.554
[SPEAKER_02]: So, they can write their press release saying, some data, or we don't believe, but they would have to say,

25:27.194 --> 25:32.835
[SPEAKER_02]: don't know, in many cases, rather than implying no, which seems to be the way they often do it.

25:33.716 --> 25:41.397
[SPEAKER_01]: I've been thinking a lot on the same lines as you, that if there were some boilerplate that simply did not allow weasel words.

25:41.617 --> 25:52.300
[SPEAKER_01]: Now, the counter argument that I've heard to that is that why shouldn't companies be able to say things that are at least partly encouraging if the truth is not desperate?

25:53.240 --> 26:09.133
[SPEAKER_01]: and isn't it unfair to these companies because after all they have been the victim of a serious criminal offense themselves that suddenly they have to act as though they've somehow done something naughty or bad themselves?

26:09.673 --> 26:11.374
[SPEAKER_01]: Well, the truth is they have.

26:12.195 --> 26:29.597
[SPEAKER_01]: If they've collected your personal data for their own commercial benefit, all the while assuring you that they will take good care of it, and then they haven't, well, I think we need to make it absolutely clear in our minds that it is possible to feel sorry for a company.

26:30.217 --> 26:38.042
[SPEAKER_01]: and at the same time to think that their response to that issue has not been good and maybe they can be held liable.

26:38.603 --> 26:47.749
[SPEAKER_01]: I mean, the classic example in the UK is probably TalkTalk, when they did lose a lot of data, they didn't give a good account of themselves.

26:48.049 --> 26:55.254
[SPEAKER_01]: The criminals were the people who were held to blame for this, in other words obviously you could feel sorry for the fact that the company

26:58.916 --> 27:09.886
[SPEAKER_01]: But at the same time, the Information Commissioner's Office says, you know what, you could and should have protected things much better, given that we expect you to know what the rest of us know.

27:09.986 --> 27:10.086
[SPEAKER_01]: Yes.

27:10.807 --> 27:14.130
[SPEAKER_02]: And they didn't do a great job of looking after the victims afterwards either.

27:14.350 --> 27:16.172
[SPEAKER_02]: They were pretty shoddy in their handling of that.

27:16.723 --> 27:30.328
[SPEAKER_01]: So I think one thing that got me thinking about this is that for many years now, we have heard CISOs talking about a principle which is, I'm making quite an air quote here, "assume breach".

27:31.108 --> 27:36.210
[SPEAKER_01]: In fact, if you search for those two words, you will hear that as a cyber security mantra.

27:36.830 --> 27:41.711
[SPEAKER_01]: But it seems that in a world where we work on "assume breach", it's almost

27:46.213 --> 27:49.275
[SPEAKER_01]: I don't really want to hear that from a CSO, I don't think.

27:49.295 --> 27:51.037
[SPEAKER_01]: It feels a little defeatist.

27:51.637 --> 28:04.247
[SPEAKER_01]: Now I sort of understand that what I don't understand is that sometimes as soon as there is an actual breach, then they send out an email or a message to their customers saying, ah, assume no breach.

28:04.707 --> 28:09.671
[SPEAKER_01]: There actually has been a breach, we're admitting to that, but assume that your data hasn't been stolen.

28:10.652 --> 28:18.079
[SPEAKER_01]: And I just think sometimes we are the victim of trying to polish things that don't need polishing.

28:18.519 --> 28:26.747
[SPEAKER_01]: So perhaps your approach can work that there are some things you are required to state and it almost has to be a checkbox approach.

28:27.287 --> 28:41.892
[SPEAKER_01]: So that you can't try and temper it with emotional manipulative words, sometimes telling the plain truth in plain English is actually much much more useful for everybody.

28:47.585 --> 28:51.468
[SPEAKER_02]: Let me tell you about SecAlerts, who are sponsoring today's show.

28:51.788 --> 29:02.415
[SPEAKER_02]: But if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem.

29:02.816 --> 29:10.201
[SPEAKER_02]: They monitor over 100 sources and automatically match vulnerabilities to your specific software versions.

29:16.085 --> 29:22.668
[SPEAKER_02]: want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?

29:23.268 --> 29:23.508
[SPEAKER_02]: Done.

29:24.048 --> 29:26.690
[SPEAKER_02]: No more wading through irrelevant alerts.

29:27.090 --> 29:34.153
[SPEAKER_02]: You can push those alerts directly to the people who need them, via email, Slack, Teams, whatever works for you, and set the frequency yourself.

29:34.533 --> 29:35.714
[SPEAKER_02]: One of their clients said it best.

29:36.094 --> 29:38.835
[SPEAKER_02]: They said, SecAlerts has been an absolute game changer.

29:39.015 --> 29:40.776
[SPEAKER_02]: We've strengthened our security posture,

29:43.917 --> 29:49.760
[SPEAKER_02]: They've got plans for businesses of all sizes, and right now you can try SecAlerts for free for 30 days.

29:50.320 --> 29:55.382
[SPEAKER_02]: Use the code Smashing, and you'll get 50% off a yearly subscription.

29:55.682 --> 29:58.204
[SPEAKER_02]: Check them out at secalerts.co.

29:58.644 --> 30:05.527
[SPEAKER_02]: That's S-E-C alerts.co, and thanks to SecAlerts for supporting the show.

30:12.402 --> 30:15.106
[SPEAKER_02]: Hey Chums, we need to talk about digital footprints.

30:15.826 --> 30:29.383
[SPEAKER_02]: Know that feeling when you google yourself and find, well, more than you'd like, old forum posts, data broker listings, photos you've forgotten about, maybe even some dodgy things you now regret, well, that's your life on the internet.

30:29.924 --> 30:32.606
[SPEAKER_02]: And that's where today's sponsor Anon comes in.

30:33.066 --> 30:39.270
[SPEAKER_02]: Think of it as your personal privacy cleanup crew powered by AI that actually does something useful for once.

30:39.851 --> 30:42.432
[SPEAKER_02]: Here's how it works: Anon scans the web.

30:42.492 --> 30:47.916
[SPEAKER_02]: Yes, including the dark corners you don't want to think about, and it finds all the data tied to you.

30:48.276 --> 30:49.197
[SPEAKER_02]: But here's the clever bit.

30:49.477 --> 30:53.640
[SPEAKER_02]: It doesn't just show you a complete horror show of your digital past and wish you luck.

30:53.660 --> 30:53.700
[SPEAKER_02]: It

30:54.500 --> 31:05.110
[SPEAKER_02]: actually identifies which links might contain sensitive information and, with one button press, fires off removal requests to get them delisted from search results.

31:05.510 --> 31:11.556
[SPEAKER_02]: Plus it keeps monitoring for new data breaches and alerts you if your information turns up somewhere it shouldn't.

31:11.836 --> 31:17.762
[SPEAKER_02]: It's like having a security researcher working for you 24-7, and you don't need to keep it fed with pizza and coffee.

31:18.182 --> 31:30.376
[SPEAKER_02]: Want to take back some control? Head to becomeanon.com, and use promo code smashing for 25% off. That's becomeanon.com.

31:31.057 --> 31:35.022
[SPEAKER_02]: Find, monitor and remove your data online with ease because you're

31:44.786 --> 31:48.269
[SPEAKER_02]: You know what keeps security professionals up at 3 o'clock in the morning?

31:48.609 --> 31:54.954
[SPEAKER_02]: It's not just worrying about whether you've got the right controls in place, or if your vendors are actually as secure as they claim to be.

31:55.075 --> 32:03.722
[SPEAKER_02]: No, the really fun one is, how do I escape this nightmare of ancient tools and manual processes slowly consuming my soul?

32:04.462 --> 32:06.064
[SPEAKER_02]: Well, here's some good news.

32:06.604 --> 32:07.044
[SPEAKER_02]: Vanta.

32:07.605 --> 32:20.054
[SPEAKER_02]: Vanta automates all that tedious manual work, so you can finally stop sweating over spreadsheets, hunting down all the evidence like it's a scavenger hunt, and filling out those never-ending security questionnaires.

32:20.874 --> 32:30.361
[SPEAKER_02]: Vanta's trust management platform continuously monitors your systems, centralizes all your data, and actually simplifies security as you scale.

32:32.803 --> 32:46.286
[SPEAKER_02]: Vanta integrates directly into your existing workflows and uses AI to streamline evidence collection, flag risks before they become problems, and keep your security program audit ready, all the time.

32:46.726 --> 32:53.708
[SPEAKER_02]: With Vanta, you get everything you need to move faster, scale with confidence, and perhaps most importantly, get some actual sleep.

32:54.388 --> 33:04.091
[SPEAKER_02]: So get started at vanta.com/smashing, that's vanta.com/smashing, and as a Smashing Security listener you'll get $1,000 off.

33:04.451 --> 33:05.792
[SPEAKER_02]: I can't say fairer than that.

33:08.433 --> 33:12.574
[SPEAKER_02]: And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.

33:15.935 --> 33:17.636
[SPEAKER_02]: Pick it away.

33:17.676 --> 33:18.136
[SPEAKER_02]: Pick it away.

33:19.303 --> 33:25.513
[SPEAKER_02]: Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie or record, a podcast or website or an app.

33:25.633 --> 33:28.698
[SPEAKER_02]: Whatever they wish, it doesn't have to be security-related necessarily.

33:30.150 --> 33:36.952
[SPEAKER_02]: Well, my pick of the week this week is kind of hacking related because it's to do with phone hacking.

33:36.992 --> 33:52.558
[SPEAKER_02]: If you remember, the News of the World and other newspapers hacking into the phones of celebrities and royalty and all kinds of other people as well, and that scandal which brought about the end of some journalists' careers, although others seem to have survived.

33:53.318 --> 34:04.967
[SPEAKER_02]: There is a new true crime drama on ITV here in the UK, and I saw that it's also actually being published up on YouTube, so it's probably accessible for anybody to watch around the world.

34:05.628 --> 34:14.995
[SPEAKER_02]: It features the real-life story of Guardian journalist Nick Davies, played by David Tennant, and David "Doctor Who" Tennant, David "Doctor Who" Tennant, one of them at least.

34:15.636 --> 34:16.376
[SPEAKER_02]: And also,

34:17.197 --> 34:31.137
[SPEAKER_02]: Dave Cook, played by Robert Carlyle, who was investigating the 1987 murder of private detective Daniel Morgan, and Daniel Morgan was working for a detective agency which had links to the News of the World.

34:32.098 --> 34:33.619
[SPEAKER_02]: Anyway, it's really interesting.

34:33.639 --> 34:37.881
[SPEAKER_02]: There are about seven episodes and I have to admit, I haven't actually had a chance to watch all of them.

34:38.001 --> 34:38.962
[SPEAKER_02]: You had some about.

34:38.982 --> 34:41.563
[SPEAKER_02]: I think I've now watched three episodes.

34:41.583 --> 34:42.604
[SPEAKER_02]: I mean, join it.

34:43.264 --> 34:53.810
[SPEAKER_02]: It's interesting to see how this scandal unfolds through the lens of these two entwined real cases, the investigation into phone hacking and the murder of this private detective as well.

34:54.390 --> 34:57.231
[SPEAKER_02]: Sometimes, I guess this is to keep people interested.

34:57.912 --> 34:59.773
[SPEAKER_02]: It takes rather a surreal step.

35:00.373 --> 35:13.638
[SPEAKER_02]: There's a lot of breaking the fourth wall, with David Tennant's character speaking straight to the camera, and there's a lot of celebrity cameos as well, I even saw Alastair Campbell pop up at one point, as well as Jonathan Ross and others.

35:14.339 --> 35:16.379
[SPEAKER_02]: Now, some might find that a little bit distracting.

35:16.860 --> 35:23.762
[SPEAKER_01]: You were complaining about me mentioning the EICAR string earlier, you may have to explain who Alastair Campbell was.

35:24.183 --> 35:24.783
[SPEAKER_01]: Slash is.

35:25.223 --> 35:39.820
[SPEAKER_02]: Alastair Campbell used to be a journalist and he then became the right hand man and main sort of spokesman or advisor to Tony Blair during the Blair government, and now he's a bit of a podcasting legend as well at The Rest Is Politics.

35:40.060 --> 35:41.882
[SPEAKER_02]: Dominic Cummings of his day.

35:41.942 --> 35:45.346
[SPEAKER_02]: Yes, so a controversial figure certainly.

35:46.067 --> 35:51.650
[SPEAKER_02]: So anyway, like I said, it's a strange telling of the tale because surreal things do happen.

35:51.710 --> 35:55.893
[SPEAKER_02]: I found it a little bit distracting sometimes, but overall, I think it's quite good.

35:56.918 --> 36:04.881
[SPEAKER_02]: How true-to-life is the hacking depiction? So far, what I've seen has been very realistic.

36:05.561 --> 36:16.444
[SPEAKER_02]: And the attention to detail for setting this in the early 2000s, and well, some of it goes back to the 1980s as well, is very authentic, so you've got old-fashioned telephones.

36:16.824 --> 36:21.306
[SPEAKER_02]: Everyone's reading their messages on BlackBerrys, it's a real nostalgia fest from that point of view.

36:21.586 --> 36:24.787
[SPEAKER_02]: The picking up of voicemails, you have to enter a four-digit number.

36:25.187 --> 36:29.311
[SPEAKER_02]: Do you ever see the BlackBerry from over the person's shoulder with the screen actually?

36:29.331 --> 36:29.572
[SPEAKER_01]: Okay.

36:29.812 --> 36:31.894
[SPEAKER_01]: Oh, so they found some BlackBerrys that still work.

36:32.074 --> 36:34.176
[SPEAKER_02]: I am absolutely loving that aspect of it.

36:34.216 --> 36:35.237
[SPEAKER_02]: Just, where on earth?

36:35.277 --> 36:36.218
[SPEAKER_02]: Where did they get that from?

36:36.258 --> 36:41.043
[SPEAKER_02]: And they've managed to get a BlackBerry Enterprise Server set up or something to send it a message?

36:41.424 --> 36:41.984
[SPEAKER_02]: Anyway, yes.

36:42.224 --> 36:44.146
[SPEAKER_02]: The nerd in me is really enjoying that.

36:44.847 --> 36:59.716
[SPEAKER_02]: This is based upon a book which Nick Davies wrote about phone hacking, and he also wrote another great book before that called Flat Earth News, which I'd strongly recommend, all about the newspaper industry. But so far I've really enjoyed it and I think many listeners to the podcast would probably enjoy it as well.

36:59.756 --> 37:06.540
[SPEAKER_02]: So it's called The Hack, which isn't great search engine optimisation to be honest, but there will be links in the show notes.

37:07.001 --> 37:08.722
[SPEAKER_02]: And that's my pick of the week.

37:09.342 --> 37:10.483
[SPEAKER_02]: Duck, what's your pick of the week?

37:11.345 --> 37:26.105
[SPEAKER_01]: Well, I've also gone back in time, but I've gone back a bit further than you and it turns out that there is a kind of cyber security angle to this in terms of how difficult it can be to uncover things that seem obvious.

37:26.686 --> 37:34.411
[SPEAKER_01]: The book I'm reading was written in 1999 but about something that happened at the turn of the 19th century.

37:34.831 --> 37:41.115
[SPEAKER_01]: And the book is called La Pierre de Rosette, which in English is published as the Rosetta Stone.

37:41.715 --> 37:48.398
[SPEAKER_01]: the story of the decoding of hieroglyphics, by Robert Solé and Dominique Valbelle.

37:48.818 --> 37:56.301
[SPEAKER_02]: And it's a slim volume. When you say it's a slim volume, would you say it's less than 8,000 words or 42,000 characters?

37:56.381 --> 37:59.322
[SPEAKER_01]: Could we know, no, no, no, no, it's longer than 7,000 words.

37:59.622 --> 38:00.042
[SPEAKER_01]: longer than that.

38:01.543 --> 38:04.704
[SPEAKER_01]: I'm sure everyone knows what the Rosetta Stone is.

38:05.484 --> 38:10.486
[SPEAKER_01]: It's one of those things that the British didn't actually directly take from the Egyptians.

38:11.046 --> 38:13.527
[SPEAKER_01]: But the French took it and then the British took it from the French.

38:15.287 --> 38:26.511
[SPEAKER_01]: It's a fascinating thing because it's from the Egyptian era when people could still read and understand the Egyptian language in the form of hieroglyphs.

38:27.591 --> 38:35.636
[SPEAKER_01]: The problems that they had then that you don't have today are, firstly, how do you make a really high quality image of something like this, which is a granite stone?

38:35.936 --> 38:44.122
[SPEAKER_01]: It's been carved by the time it's captured, the current rulers of Egypt consider the older religion something that needs to be forgotten about.

38:44.362 --> 38:45.202
[SPEAKER_01]: It's unimportant.

38:45.222 --> 38:49.765
[SPEAKER_01]: Then how do you copy it so that experts all around the world can get to look at it?

38:50.246 --> 38:55.249
[SPEAKER_01]: And how do you overcome your initial assumptions in order to decode stuff?

38:55.749 --> 39:05.513
[SPEAKER_01]: The fact that they're immensely complicated to carve is just part of their sort of regality, if you like; that was the special language that was not used every day.

39:06.013 --> 39:19.618
[SPEAKER_01]: So the story of how it was decoded and of course the intrigues between all the personalities and who's going to be the first and the sort of victory remarks that went between this person, who's deciphering that person and so on.

39:19.879 --> 39:21.279
[SPEAKER_01]: It is a fascinating story.

39:21.959 --> 39:22.980
[SPEAKER_01]: In the computer age,

39:23.680 --> 39:31.847
[SPEAKER_01]: it will be much easier because we could make high quality digital copies of it very quickly and we could disseminate them and we could work together.

39:32.247 --> 39:39.593
[SPEAKER_01]: So that bit would be easy but overcoming those initial prejudices or assumptions turned out to be quite difficult.

39:39.933 --> 39:47.139
[SPEAKER_01]: So it took a couple of decades rather than a couple of years to decode it as everyone initially expected.

39:47.399 --> 39:48.160
[SPEAKER_01]: So it's a fascinating

39:50.842 --> 39:57.231
[SPEAKER_01]: It is, in English, it is the Rosetta Stone, the story of the decoding of hieroglyphics.

39:57.451 --> 40:00.795
[SPEAKER_01]: And if you want the French original, it's called La Pierre de Rosette.

40:01.416 --> 40:05.522
[SPEAKER_01]: It is written by Robert Solé and Dominique Valbelle.

40:07.253 --> 40:22.850
[SPEAKER_02]: Fantastic, sounds interesting. Well, that just about wraps up the show for this week. Thank you so much, Duck, for coming onto the show, really appreciate it. I'm sure lots of listeners would love to find out what you are up to and maybe hear you elsewhere online. What's the best way for folks to do that?

40:23.715 --> 40:27.598
[SPEAKER_01]: If you're on LinkedIn, find me, I am at P Ducklin.

40:28.399 --> 40:30.341
[SPEAKER_01]: I am duck blog on Facebook.

40:30.561 --> 40:36.326
[SPEAKER_01]: I'm still on the Twitter thing because I think someone needs to be telling the truth out there.

40:37.246 --> 40:40.789
[SPEAKER_01]: But generally, there aren't that many Paul Ducklins.

40:41.630 --> 40:47.395
[SPEAKER_01]: So if you search for me, and put cybersecurity in there, you will quickly find your way towards me.

40:48.515 --> 41:01.577
[SPEAKER_02]: Terrific, and you can find me, Graham Cluley, on LinkedIn, or follow Smashing Security on Bluesky, and don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

41:02.118 --> 41:11.759
[SPEAKER_02]: For the episode show notes, the guest list and the entire back catalogue of 437 episodes, check out smashingsecurity.com.

41:12.199 --> 41:13.940
[SPEAKER_02]: Until next time, Cheerio, bye bye!

41:14.620 --> 41:15.040
[SPEAKER_02]: Bye!

41:23.818 --> 41:27.204
[SPEAKER_02]: You've been listening to Smashing Security with me, Graham Cluley.

41:27.885 --> 41:33.494
[SPEAKER_02]: Thanks to Duck for coming on the show this week, and to our episode sponsors Vanta, SecAlerts and Anon.

41:34.566 --> 41:38.827
[SPEAKER_02]: and to all of those chums who've signed up for Smashing Security Plus over on Patreon.

41:39.407 --> 41:58.552
[SPEAKER_02]: They include David Smith, Dimitri, Frankie Guzikowski, Jakone Verth, Marwani, and Del Paul Roe, Nikos, Duncan N. Mark Hooper, David, Thomas Kulti, Mike Reeve, Andrew Green, Chris Webb, PK, Jeremy Wagner, Tim Wilson, Steve Oster, Eshenstuff,

41:58.812 --> 42:08.518
[SPEAKER_02]: Alex Tascar, Bree Bussle, Risto V, Mattweir, MJ Lee, Dan H, Catherine McCorley, David Sanchez, Will Green, and James Clark.

42:09.098 --> 42:11.940
[SPEAKER_02]: Would you like to have your name read out at the end of the show every now and then?

42:12.561 --> 42:20.345
[SPEAKER_02]: If so, you should sign up for Smashing Security Plus and gain early access to episodes with none of the pesky adverts.

42:20.946 --> 42:25.689
[SPEAKER_02]: Just go to smashingsecurity.com/plus for more details.

42:26.429 --> 42:30.430
[SPEAKER_02]: Of course, you may not be able to afford such luxuries, and I realise that, I understand.

42:30.870 --> 42:32.650
[SPEAKER_02]: So don't feel any pressure to become a patron.

42:33.530 --> 42:41.432
[SPEAKER_02]: And don't feel any pressure to check out the smashing security merchandise store, which I've recently dusted down and refreshed with some new t-shirt designs.

42:41.792 --> 42:42.532
[SPEAKER_02]: All that kind of thing.

42:42.852 --> 42:47.313
[SPEAKER_02]: But truth is, you can support the podcast in other ways, which don't involve splashing the cash.

42:47.413 --> 42:51.333
[SPEAKER_02]: You can help by liking, subscribing, giving five star reviews.

42:51.693 --> 42:53.734
[SPEAKER_02]: I haven't had one of those for a while on Apple Podcasts,

42:54.934 --> 42:56.295
[SPEAKER_02]: If you like the podcast, let me know.

42:57.636 --> 43:00.318
[SPEAKER_02]: Just tell people to give it a listen, spread the word.

43:00.698 --> 43:03.180
[SPEAKER_02]: Thanks to each and every one of you.

43:03.660 --> 43:05.921
[SPEAKER_02]: I really do appreciate you tuning in every week.

43:06.442 --> 43:09.584
[SPEAKER_02]: Well, until next week, I think it's time for me to say cheerio.

43:09.924 --> 43:11.445
[SPEAKER_02]: So, cheerio, bye bye.

