
E434
Whopper Hackers, and AI Whoppers
Episode Transcript
[SPEAKER_03]: And also, this one seemed really bizarre to me.
[SPEAKER_03]: How many times employees say "you rule".
[SPEAKER_03]: Because apparently, that is an important business metric.
[SPEAKER_02]: Smashing Security, episode 434, Whopper Hackers and AI Whoppers, with Graham Cluley.
[SPEAKER_01]: Yes indeed, very nice to be back.
[SPEAKER_01]: I am very excited about this.
[SPEAKER_03]: Now, of course, regular listeners will know you from your past appearances.
[SPEAKER_03]: You are the sidebat and anthropologist and the host of that tremendous podcast comprising positions, which isn't about awkward yoga positions.
[SPEAKER_03]: It's about something a bit different.
[SPEAKER_01]: Yes, it's a cybersecurity podcast where we look at all the potential compromising positions in an organisation and how to prevent them, thinking about it from an anthropological perspective.
[SPEAKER_01]: So a little bit of a different take on cyber, I think, and obviously, absolutely innuendo throughout, because with a name like Compromising Positions, which I do suggest you don't put into your corporate laptop when you Google it.
[SPEAKER_01]: Yeah, we have to kind of live up to our namesake.
[SPEAKER_03]: Fantastic.
[SPEAKER_03]: Well, before we kick off, let's thank this week's wonderful sponsors, 1Password, Drata and Vanta.
[SPEAKER_03]: We'll be hearing more about them later on in the podcast.
[SPEAKER_03]: This week on Smashing Security, we won't be talking about how the U.S. Department of Defense routinely left its social media accounts wide open for hijacking through exposed live stream keys, allowing attackers to push out anything they liked.
[SPEAKER_03]: How video streaming platform Plex has suffered its third data breach in a decade, meaning users have to reset their passwords again.
[SPEAKER_02]: Then we won't even mention.
[SPEAKER_03]: How WhatsApp's former security boss claims he was given the boot because they ignored his warnings.
[SPEAKER_03]: They were violating their legal requirements when it came to privacy and security.
[SPEAKER_03]: So Lianne, what are you going to talk about this week?
[SPEAKER_01]: Well, I'm going to talk about how the big brains in AI might not be that smart when it comes to covering their tracks when they're stealing intellectual property.
[SPEAKER_03]: Hmm, and I'm going to be asking if you want fries with that.
[SPEAKER_03]: All that and much more coming up on this episode of Smashing Security.
[SPEAKER_03]: Now, Chums, Chums, I want to tell you a story about a couple of ethical hackers.
[SPEAKER_03]: One is called BobDaHacker, and the other one is called BobTheShoplifter.
[SPEAKER_03]: I don't think those are the names they were born with, necessarily.
[SPEAKER_01]: Don't know, these days with naming conventions, it might be.
[SPEAKER_03]: It's possible, isn't it?
[SPEAKER_03]: Anyway, they have detailed what they describe as catastrophic vulnerabilities in the computer systems of RBI.
[SPEAKER_03]: Now, you might be wondering, who the heck are RBI?
[SPEAKER_01]: Um, Royal Bird Institute?
[SPEAKER_03]: No, not the Royal Bird Institute, nothing like that.
[SPEAKER_03]: You might be thinking, well, how big a deal can this mystery organisation called RBI be?
[SPEAKER_03]: You've never heard of them. Well, RBI is Restaurant Brands International,
[SPEAKER_03]: and it is the parent company behind some mega brands like Tim Hortons and Popeyes and Burger King.
[SPEAKER_03]: They've got over 30,000 locations worldwide, so they're a pretty hefty deal.
[SPEAKER_03]: And according to a detailed exposé of RBI's technical failings put together and posted on the BobDaHacker blog,
[SPEAKER_03]: they say that the security of this company, which, as I've said, is behind Burger King, Tim Hortons and Popeyes,
[SPEAKER_03]: they say their security was about as solid as a paper Whopper wrapper in the rain.
[SPEAKER_01]: Are we talking about modern paper wrappers then in the rain?
[SPEAKER_01]: Oh, because back in the 90s, I remember those things, they would last forever.
[SPEAKER_03]: Hang on, you're not just a cyber anthropologist.
[SPEAKER_03]: You're also some kind of expert on the wrapping of fast food.
[SPEAKER_01]: Absolutely.
[SPEAKER_01]: You've got to be well versed in all of culture and that includes the different types of wrapping of takeaways.
[SPEAKER_03]: Well, they're saying it's really not that solid at all, that's my takeaway of what they're saying.
[SPEAKER_03]: And they also say they are impressed by something, they say they're actually impressed by the commitment to terrible security practices.
[SPEAKER_01]: If you're going to excel at something, why not excel wholeheartedly?
[SPEAKER_01]: That's what I say.
[SPEAKER_03]: That is some serious shade that they are throwing at the security team at RBI and Burger King isn't it?
[SPEAKER_03]: Now, fortunately, these guys are ethical hackers, and their stated mission is to crack systems to uncover security vulnerabilities and report them
[SPEAKER_03]: in an effort to make the world a better place, to improve security, rather than using this access to exploit it for their own enrichment.
[SPEAKER_03]: And thank goodness there are people out there who find vulnerabilities, for the greater good rather than to fill their pockets.
[SPEAKER_01]: Indeed, filling their pockets and filling their bellies as well, is that what's coming up?
[SPEAKER_03]: Exactly.
[SPEAKER_03]: What are they going to do with all this power?
[SPEAKER_03]: Well, in this particular case, they found it remarkably easy to access these systems.
[SPEAKER_03]: But of course, they'd need a password.
[SPEAKER_03]: And the problem was that they didn't have a password.
[SPEAKER_03]: It's a massive big problem, isn't it, when you need to get into a system and it's demanding a password, what are you going to do if you haven't got one?
[SPEAKER_01]: Well, I guess if you're an ethical hacker, there's plenty you can try and do.
[SPEAKER_03]: Yeah, I suppose you could use a list of past passwords.
[SPEAKER_03]: You could maybe try and fish someone.
[SPEAKER_03]: You could try and trick someone into giving you their password, or you could take advantage of the fact that RBI doesn't actually require you to have an account, because they haven't disabled new signups on this particular web-based system.
[SPEAKER_03]: Anyone could go there, register a brand new account.
[SPEAKER_03]: And they were promptly sent a password to access the system.
[SPEAKER_03]: Right.
[SPEAKER_03]: And they were sent that password via email in plain text.
[SPEAKER_01]: Oh no.
[SPEAKER_03]: So yes, yes, it is 2025.
[SPEAKER_03]: And people are still sending passwords in plain text.
[SPEAKER_03]: So it wasn't a link where you could set your own password.
[SPEAKER_03]: They were generating a password and then sending it to you in your email.
[SPEAKER_03]: This is a big no, no, isn't it?
[SPEAKER_01]: It's a massive no, no.
[SPEAKER_01]: Very generous.
[SPEAKER_01]: Of RBI to do so for this purpose.
[SPEAKER_01]: Very kind.
[SPEAKER_01]: Very kind.
[SPEAKER_01]: It saves a lot of time.
[SPEAKER_01]: A lot of effort.
[SPEAKER_01]: You know, we're all busy people, including the hackers.
[SPEAKER_01]: You know, just to get to where we need to, in and out.
[SPEAKER_03]: Well, according to BobDaHacker and BobTheShoplifter, this was all they required.
[SPEAKER_03]: And they were able to get through the door and once they were through the door, all kinds of other security problems revealed themselves.
[SPEAKER_03]: Because these guys managed to very easily give themselves a master key to the entire world of Burger King.
[SPEAKER_03]: No password required.
[SPEAKER_03]: They found they were able to access the company's global store directory.
[SPEAKER_03]: Not just the store names, but they could see the names of the employees.
[SPEAKER_03]: They could see their personal information, their phone numbers, their addresses, their email account details, their internal IDs, configuration details, they found they were able to access even RBI's equipment ordering website.
[SPEAKER_01]: So literally the keys to the Burger King Kingdom.
[SPEAKER_03]: Exactly, you were now the king of Burger King, absolutely.
[SPEAKER_03]: And they found they were now able to access RBI's equipment ordering website.
[SPEAKER_03]: Now that was protected by a password.
[SPEAKER_03]: So that's good news, isn't it?
[SPEAKER_03]: But it turned out the password was hard-coded into the HTML.
[SPEAKER_03]: So all you have to do is view the source of the web page to see what the password was.
[SPEAKER_01]: Which, with my fat fingers, I'm always accidentally doing anyway.
[SPEAKER_01]: And constantly, people must look over at my screen sometimes and say, oh, she's an elite hacker.
[SPEAKER_01]: She's always looking at the source.
[SPEAKER_01]: I've just got sausage hands and I'm constantly, accidentally doing the shortcut for it.
[SPEAKER_01]: So what was the password then?
[SPEAKER_03]: Oh, yes.
[SPEAKER_03]: So that's the other embarrassment.
[SPEAKER_03]: The password was Burger King POS.
[SPEAKER_03]: Now, I don't know if the POS means point of sale, or maybe it means piece of, um, never mind.
[SPEAKER_03]: But yeah, basically, not the best password in the world, Burger King POS.
[SPEAKER_03]: So there they were.
[SPEAKER_03]: They were into that system, which meant they could order every piece of equipment a burger king outlet could want.
[SPEAKER_03]: So, Lianne, I'm imagining that you would love to be the burger queen in your local area.
[SPEAKER_03]: Yes.
[SPEAKER_03]: You don't want some rubbish old burger king.
[SPEAKER_03]: You want more of a drive through, don't you?
[SPEAKER_01]: I do want to feel like I've been treated in the position I deserve, which, you know, I'd say is served hand and foot.
[SPEAKER_01]: Well, my thought is on the pedal.
[SPEAKER_03]: That's what you deserve.
[SPEAKER_03]: Well, and so you're going to need to equip your little drive-through, where people are going to chug along in their little cars. You're going to need an audio box that communicates between the driver and the salesperson.
[SPEAKER_03]: You've got it, just tick a box, you'll get one sent to you.
[SPEAKER_03]: Maybe you wanted a tablet which displays what people can order, you know, whether they want a zinger burger or whether they want a double cheeseburger or whatever it may be.
[SPEAKER_03]: You can have one of those as well.
[SPEAKER_03]: You can order all of those things.
[SPEAKER_03]: The store locations which they have, so if there isn't a Burger King in your particular town, you could add it to the database, which means you could then have equipment sent to you to outfit a Burger King which doesn't actually exist, but which their website believes exists.
[SPEAKER_01]: I'm going to have a lot of disappointed people when they come around to my house.
[SPEAKER_01]: What in their world for me?
[SPEAKER_03]: Now, these ethical hackers, they found that they could access all manner of data now they were into Burger King's systems.
[SPEAKER_03]: They could also collect drive-through conversations, when they took place, what tone was used, did the guest smile? That apparently is a requirement if you're working in sales.
[SPEAKER_01]: I was just about to say, ah, no, they're really recording stuff like that as in the tone.
[SPEAKER_01]: And whether or not we smile? Don't.
[SPEAKER_01]: Oh, yeah.
[SPEAKER_01]: That's creepy.
[SPEAKER_01]: That's creepy.
[SPEAKER_01]: No, I don't like it.
[SPEAKER_01]: That's worse than just having my conversation stolen.
[SPEAKER_03]: So they've got these raw audio files of real people ordering food.
[SPEAKER_03]: They've got transcripts.
[SPEAKER_03]: Sometimes, of course, not just saying, I'll have a double cheeseburger, please.
[SPEAKER_03]: But actually having private conversations in their car as well, because while you're waiting, all of that is being recorded, is being transmitted, is going into the system.
[SPEAKER_03]: And this apparently was just hidden behind another password.
[SPEAKER_03]: Now, that password, oh dear, again, hard-coded in.
[SPEAKER_03]: That password, do you want to guess?
[SPEAKER_03]: Do you want to guess what that password was?
[SPEAKER_03]: Whopper?
[SPEAKER_03]: That would be so much better than the password, which was "admin".
[SPEAKER_00]: No.
[SPEAKER_03]: Which of course, yeah, I'm afraid so.
[SPEAKER_03]: So you can now access the drive-through audio system.
[SPEAKER_03]: You can set the volume to blast the eardrums of anyone who visits one of these drive-throughs, anywhere at 30,000 locations around the world, or reduce it to a whisper as well if you wish.
[SPEAKER_03]: So a huge amount of information.
[SPEAKER_03]: I was telling my wife about this and she said, well, why are they recording all these conversations?
[SPEAKER_03]: Why are they doing this?
[SPEAKER_03]: There's a very good reason why they're doing this.
[SPEAKER_01]: Go on, man.
[SPEAKER_01]: I want to know this good reason because this is not nice.
[SPEAKER_03]: Well, it may not be an acceptable reason, but they've got a reason.
[SPEAKER_03]: They're doing this because they are analyzing the audio.
[SPEAKER_03]: They are using AI systems to rate the employee friendliness level.
[SPEAKER_03]: So is the member of staff being friendly enough with the customer?
[SPEAKER_03]: Have they managed to upsell?
[SPEAKER_03]: So, you know, someone's asked for a quarter pounder and you say, well, wouldn't you rather have a full pound of meat between your buns instead?
[SPEAKER_03]: It's how long it takes them to actually process the order, and also, and this one seemed really bizarre to me,
[SPEAKER_03]: how many times employees say "you rule", because apparently that is an important business metric.
[SPEAKER_04]: (jingle) ...I can have it all my way...
[SPEAKER_03]: You know, I looked at some of the transcripts which came out of this research.
[SPEAKER_03]: Apparently, you should get very disappointed if a Burger King member of staff doesn't do this.
[SPEAKER_03]: Supposedly, they're meant to greet you with the phrase, "Welcome to Burger King, where you rule."
[SPEAKER_01]: Can I figure out how you'd fit it into conversations?
[SPEAKER_01]: Like, now, a Whopper meal, please.
[SPEAKER_01]: You rule.
[SPEAKER_01]: Thanks, and with a Coke, you rule.
[SPEAKER_01]: Okay.
[SPEAKER_03]: Absolutely, you rule.
[SPEAKER_01]: I mean, I'm not like Putin or anything like that.
[SPEAKER_01]: You don't need to keep telling me this.
[SPEAKER_03]: So there are also some diktats which have come down from head office.
[SPEAKER_01]: Yeah.
[SPEAKER_03]: Absolutely bonkers.
[SPEAKER_03]: So people are being judged by these kinds of metrics, and I'm afraid these ethical hackers also found a way to access the bathroom ratings screen as well.
[SPEAKER_01]: Right, okay.
[SPEAKER_03]: So I don't know if you've been to a burger king.
[SPEAKER_01]: I've been to a Burger King.
[SPEAKER_03]: I don't know if you've been to the lavatory or not, Lianne, you don't have to answer these questions, by the way.
[SPEAKER_01]: Well, I try to avoid it, I tend to go the hand sanitiser kind of route instead.
[SPEAKER_03]: Well, quite often you're asked what your experience was while you were in the lavatory, you could report how happy you were.
[SPEAKER_01]: I mean, after a Burger King, you know, that can be a sad face.
[SPEAKER_01]: Is that what they want to know?
[SPEAKER_01]: I can tell them all about that if they want.
[SPEAKER_03]: Well.
[SPEAKER_03]: It turns out these researchers found that anyone in the world could spam bathroom reviews for every Burger King location in the world.
[SPEAKER_03]: Saying it was out of toilet paper, or saying that the bog was blocked. You wouldn't even have to go within a mile of their restrooms to give it a bad review.
[SPEAKER_03]: And with their admin power, these researchers could add and remove existing Burger King stores. You could even open a Burger King on the moon.
[SPEAKER_03]: If you wanted to, you could edit employees' accounts. If someone wanted a promotion?
[SPEAKER_03]: Sure, why not?
[SPEAKER_03]: Go and have one.
[SPEAKER_03]: You could access store analytics and sales data, huge amount of information.
[SPEAKER_03]: Now, you're probably thinking, okay, these researchers, they've done this, but are they acting ethically?
[SPEAKER_03]: I should hope so.
[SPEAKER_03]: You'd like to think so, wouldn't you?
[SPEAKER_01]: Yes, because, oh, maybe a little bit of fun involved though, actually.
[SPEAKER_01]: I'd like to play around with this a little bit myself, but then that's because the power would go to my head, and there's no way I could be an ethical hacker because I don't think I could hack ethically in that way.
[SPEAKER_03]: You have to show restraint.
[SPEAKER_03]: Well, these researchers thankfully did show restraint, and so they told RBI, the parent company, on the day they found the problem.
[SPEAKER_03]: On the first day. They were just gobsmacked within hours of gaining access and thought, it's so bad, we have to tell them about it.
[SPEAKER_03]: And to RBI's credit, they fixed the vulnerability on the same day.
[SPEAKER_01]: That's a well-resolved security team.
[SPEAKER_01]: Well, yeah, good in some ways.
[SPEAKER_03]: Because RBI never got back to the researchers.
[SPEAKER_03]: They never acknowledged what they had done.
[SPEAKER_03]: They never commented on the vulnerabilities, they never said so much as a thank you, they didn't send a gift voucher to go and have a milkshake or something at their nearest branch.
[SPEAKER_03]: They never got back to them.
[SPEAKER_01]: I would like a big box of little paper crowns if I've done something like that.
[SPEAKER_03]: Oh, you understand. That would motivate me.
[SPEAKER_03]: If I had a little crown and a sash, and I could pretend to be King Graham for a day, I'd be happy with that.
[SPEAKER_03]: I don't need money if I find a vulnerability, just a medal.
[SPEAKER_03]: Something like that would be fantastic, wouldn't it?
[SPEAKER_01]: A royal warrant.
[SPEAKER_03]: So, RBI never got back to them, but someone else did, because BobDaHacker received a DMCA takedown notice from a security firm that RBI employed in the wake of discovering their security problem.
[SPEAKER_03]: So that was basically a legal request asking BobDaHacker to remove their blog post.
[SPEAKER_03]: It specifically said that you have used the Burger King trademark in an unauthorised way on your website and you've created a high degree of confusion amongst the public.
[SPEAKER_01]: I mean, the burger-eating public are absolutely paying attention to the website on a constant daily basis.
[SPEAKER_01]: I know now that I know about it, it's going to be bookmarked, favourited, the routine in the morning is no longer going to be Instagram on the toilet, it's going to be straight onto that website, see if anything's changed.
[SPEAKER_03]: Well, it was more than that, they were actually claiming that the public would in some way be confused that BobDaHacker's website was somehow endorsed by or linked with RBI and Burger King.
[SPEAKER_03]: As though that was ever going to happen, as though anyone was ever going to go to BobDaHacker's website and try and order themselves a cheeseburger and fries.
[SPEAKER_01]: I don't know, it kind of sounds like a hipster joint, and I'm going to admit that, like a full
[SPEAKER_03]: So, the blog post wasn't fake. It was because it contained Burger King's code snippets and some screenshots of their HTML code which contained the hard-coded password, so by claiming copyright infringement they got the post taken down, even though the real issue was just embarrassment to their security team, I suppose.
[SPEAKER_03]: They also said that the content promoted illegal activity and spread false information and was detrimental to the goodwill and reputation of Burger King and the other brands involved.
[SPEAKER_03]: And so the researchers, BobDaHacker and BobTheShoplifter, decided the sensible thing to do was, we're just going to take down our blog post.
[SPEAKER_03]: It's still on the Wayback Machine, though.
[SPEAKER_03]: Wonderful thing, the Internet Archive, isn't it? So you can still read it, and we've linked to it from our
[SPEAKER_03]: The researchers have said no customer data was retained during our research, no drive-through orders were harmed, we were responsible, we followed protocols for responsible disclosure. They even said, we still think the Whopper is pretty good, but Wendy's is better, so long and thanks for all the fish, and a Filet-O-Fish.
[SPEAKER_01]: That's McDonald's there, then?
[SPEAKER_03]: Oh, am I getting my fast food chains mixed up?
[SPEAKER_03]: Oh dear.
[SPEAKER_01]: Bo, can you be after you?
[SPEAKER_03]: What do you think of this, Lianne?
[SPEAKER_03]: You've been high up in security at different brands in the past.
[SPEAKER_01]: So, have they been hired?
[SPEAKER_03]: They haven't been hired.
[SPEAKER_01]: Did they do the normal thing where you're supposed to say, if we don't hear back from you, we will disclose it?
[SPEAKER_03]: Yeah, I think they didn't post their blog post until, um, after it had been fixed and stuff.
[SPEAKER_03]: After the vulnerabilities were fixed.
[SPEAKER_03]: Yeah.
[SPEAKER_01]: Oh, I think you're not going to get it mixed up.
[SPEAKER_01]: I, you know, I'm not going to go to BobDaHacker's website and start ordering burgers.
[SPEAKER_01]: At all.
[SPEAKER_01]: Because it might take forever to get to me.
[SPEAKER_01]: I don't like cold food.
[SPEAKER_03]: Very sensible.
[SPEAKER_01]: No, I feel like there is something about responsible disclosure and actually learning from mistakes.
[SPEAKER_01]: There's one thing that I think we don't do very well in the cyber security community, which is share when we've screwed up so that other people can learn from it.
[SPEAKER_03]: Yes.
[SPEAKER_01]: And we do that really, really badly, and yeah, things like this, like silencing genuine researchers, is a really bad practice, because yes, we all know that we shouldn't have hard-coded passwords and things in plain text, but sometimes we need reminding about that, and these kinds of very public cases of big brands making these mistakes.
[SPEAKER_01]: It's important for people to know, and I think as well, as a burger-eating person in this world, it's kind of good for us to know that even the big boys make mistakes, and even royalty can sometimes screw up.
[UNKNOWN]: Yeah.
[SPEAKER_03]: Yes, I mean, I think obviously it's embarrassing, but it's a lot more embarrassing, I think, to try and get a blog post taken down claiming copyright infringement.
[SPEAKER_03]: Can you imagine that? Because that's just focused more attention on this breach.
[SPEAKER_03]: If they just simply come out and said, you know what, this is really bad.
[SPEAKER_03]: Thank you so much for telling us about this problem.
[SPEAKER_03]: We fixed it now, and what's more, I mean, they could even have said to these two guys.
[SPEAKER_03]: Look, maybe you could come on board, maybe we can set up a contract for you, and you could check our systems every six months.
[SPEAKER_03]: You know, let's turn this into a good story, because you've actually helped us thank goodness.
[SPEAKER_03]: It wasn't someone more malicious who was exploiting this.
[SPEAKER_01]: But no, they've gone the other way, and it's a bit like the Streisand effect.
[SPEAKER_01]: Now everyone will know that they've, uh, yes.
[SPEAKER_01]: Very touchy, very thin-skinned.
[SPEAKER_03]: I don't know that Barbra Streisand would eat a Burger King.
[SPEAKER_03]: I'm not sure.
[SPEAKER_03]: I think she's a bit too classy for that.
[SPEAKER_03]: Lianne, what's your story for us this week?
[SPEAKER_01]: Well, I've been reading a lot about people working for AI companies getting 7 figure salaries lately.
[SPEAKER_00]: Yes.
[SPEAKER_01]: Absolutely, throwing loads of money around, which is, you know, one of the impetuses for why I'm going back to university myself, to upskill in AI, because I would quite like some of that delicious, delicious money and a seven-figure salary.
[SPEAKER_01]: However, you think, oh, I've seen the likes of Meta and OpenAI throwing these big salaries around, these people at work must have massive brains, right?
[SPEAKER_01]: Must be so intelligent, like the best of the best, the cream of the crop.
[SPEAKER_03]: Huge eggheads, I'm imagining.
[SPEAKER_01]: That's not the case.
[SPEAKER_01]: It turns out that they may be technically very smart, but they are pretty stupid when it comes to the world of work.
[SPEAKER_01]: And the story I'd like to bring to your attention today, and to your lovely listeners, is the fact that xAI, which is Elon Musk's AI company, is currently suing a former engineer because apparently he stole trade secrets.
[SPEAKER_01]: Not only did he steal trade secrets, he first took $7 million in stock out of the business before deciding to go for another job at OpenAI.
[SPEAKER_01]: Now if you are familiar with OpenAI and Elon Musk, there were buddies for a while.
[SPEAKER_01]: Yes.
[SPEAKER_01]: Bros for a while.
[SPEAKER_03]: Not so much these days.
[SPEAKER_01]: He was very much a part of the start of OpenAI, a big driving force and a financial contributor to that.
[SPEAKER_01]: However, Elon wanted to do his own thing, and ever since there has been a bit of a feud between xAI and OpenAI.
[SPEAKER_01]: And, as you can imagine, everyone's competing for the very best talent. It turns out there was a person, a Stanford-trained researcher, and his name is Xuechen Li,
[SPEAKER_01]: so he joined xAI.
[SPEAKER_01]: He's been at the company for about a year and a bit, and he's doing some work for them.
[SPEAKER_01]: He received shares of up to 7 million.
[SPEAKER_01]: After one year of work. And bear in mind as well that for this young lad, this is his very first job as well.
[SPEAKER_03]: Cracky.
[SPEAKER_01]: So I had a look at his LinkedIn, because I LinkedIn-stalk everyone, and he's done some other roles, but it's just like apprenticeship schemes and internships.
[SPEAKER_01]: At big companies, mind, but not actual paid work. So his first paid job was at xAI, and within a year,
[SPEAKER_01]: a single year, 7 million cash becoming available to him.
[SPEAKER_01]: So what did this chap do?
[SPEAKER_01]: Well, he's working for xAI and then he decided, actually, I want a job at OpenAI, and he actually succeeded in getting a job.
[SPEAKER_01]: He handed in his notice just after he sold his 7 million in shares, because there was an opportunity, you know, a buyer opportunity there.
[SPEAKER_00]: Right.
[SPEAKER_01]: And then, and literally this is documented in the case file, which I've included a link for if anyone's interested, it is a very interesting read.
[SPEAKER_01]: The moment he handed in his notice, he then began to transfer intellectual property from xAI, all the things he'd been working on, onto his personal device.
[SPEAKER_01]: Yes.
[SPEAKER_03]: which isn't the thing you're supposed to do.
[SPEAKER_03]: There is a certain irony here, of course, of an employee of an AI company scooping up a lot of information which didn't properly belong to them for his own betterment, which, of course, is exactly what the AI companies have been doing with every piece of information on the internet.
[SPEAKER_03]: Regardless, whether they have the right to access it or not.
[SPEAKER_03]: But yes, you're not supposed to do this, are you?
[SPEAKER_01]: Well, no, and there is a suggestion as well that while he did try and conceal it, the measures he was taking were like, yeah, oh, I'll just delete my browser history, I'll delete the system logs, I'll rename files and things like that.
[SPEAKER_01]: The security team kind of became wise to it, but there's also a suggestion that he actually uploaded this information to OpenAI's GPT models as well.
[SPEAKER_01]: Oh, this is what Lee did.
[SPEAKER_03]: And he didn't trust Grok to do it, obviously.
[SPEAKER_01]: Well, he wants to move away from Grok, and I wonder why.
[SPEAKER_01]: But what makes me laugh about...
[SPEAKER_01]: It's a terrible thing, it is a very serious thing, particularly a malicious insider, which, you know, we can class this as.
[SPEAKER_01]: This person's an idiot.
[SPEAKER_03]: But, uh...
[SPEAKER_03]: Very well paid idiot.
[SPEAKER_03]: Yeah, let's not slag him off too much.
[SPEAKER_01]: Yeah, yeah.
[SPEAKER_01]: What I liked about the legal documentation was, well, you know what, he signed a piece of paper saying that he'd done the
[SPEAKER_01]: Um, he signed a document saying that he wasn't going to steal proprietary information.
[SPEAKER_03]: Well, that's all right, then.
[SPEAKER_01]: And it just goes on and on about all these so-called security awareness-y safeguards, these tick boxes that we all do in all of our organisations, where we say, well, you know, if we just tell them you're not allowed to do it, and they tick a box saying I'm not going to do it,
[SPEAKER_01]: then we will be safe.
[SPEAKER_01]: It doesn't work like that in the real world, because
[SPEAKER_01]: people have so much more that they want to do, in terms of the impetus for why they would do bad things.
[SPEAKER_01]: And this is just like one of the kind of key cases.
[SPEAKER_01]: Now, the story continues.
[SPEAKER_01]: So, you know, they found out that he was doing this.
[SPEAKER_01]: On being offered a job at a competitor, I'm thinking, like, where is the immediate revocation of access to systems?
[SPEAKER_01]: Because, you know, it's a proper direct competitor.
[SPEAKER_01]: Where is the gardening leave on this?
[SPEAKER_01]: Because he was going to literally start at OpenAI, yes, now.
[SPEAKER_03]: So, did they know he was going to open AI?
[SPEAKER_01]: They knew after he started cashing his shares out.
[SPEAKER_01]: So they knew then.
[SPEAKER_01]: And then, yeah, they started looking into it and going, oh, it looks like he's got a job with a competitor.
[SPEAKER_01]: And he's going to start in a couple of weeks.
[SPEAKER_01]: So he resigned on the 28th of July, and his start date was the 19th of August, which is why I'm saying, where is the gardening leave in this?
[SPEAKER_01]: Because surely you would not be able to just start a job with a direct competitor.
[SPEAKER_01]: I've not known jobs to do that normally, but that's not the case here.
[SPEAKER_01]: And not only that, he had full access.
[SPEAKER_01]: But they confronted him about it, and he admitted it. He didn't say the reason why.
[SPEAKER_01]: But he actually wrote down and admitted, yes, I did steal this.
[SPEAKER_01]: Yeah, I did cash in my shares, I am going to OpenAI.
[SPEAKER_01]: Well, I don't know if he still is. All the news articles I read did approach OpenAI for comment and asked them, are you still going to hire this guy?
[SPEAKER_01]: I don't know if I would.
[SPEAKER_03]: I'd be very surprised if they did.
[SPEAKER_01]: But surely, does he really think, after being caught, that he will keep those shares? That his legal costs alone, going up against, like, the richest man in the world, that his legal team is going to leave him any money after this?
[SPEAKER_01]: What a stupid thing to do for your very first job when you're looking at a gravy train.
[SPEAKER_01]: It just blows my mind that people would be so stupid when they're so smart.
[SPEAKER_03]: It feels like.
[SPEAKER_03]: He absolutely landed on his feet.
[SPEAKER_03]: He had to do this incredible job.
[SPEAKER_03]: He was being compensated numbers, and maybe he isn't some ways a very clever chap, but it appears in terms of common sense maybe not quite so mature perhaps, but yeah, what a way to shoot yourself in the foot.
[SPEAKER_01]: just like as soon as you're approached.
[SPEAKER_01]: Like, no, no, yeah, did it, did it?
[SPEAKER_01]: Oh, don't be doing.
[SPEAKER_01]: I can't get legal counsel, find out.
[SPEAKER_01]: Oh, terrible.
[SPEAKER_01]: But I just think it just goes to show that one way of hiring people.
[SPEAKER_01]: You know, you want to hire the very best people.
[SPEAKER_01]: But there's so many other factors at play.
[SPEAKER_01]: And one of the things I've been kind of reading about recently is
[SPEAKER_01]: the psychology about being malicious and, you know, the impetus behind it, and there's something called the dark triad of personality, and one of the kind of key components is narcissistic entitlement.
[SPEAKER_01]: So one of the papers I read recently suggested that if you're on the narcissism scale, are you feeling entitled to take and take and take and you don't really care about the consequences.
[SPEAKER_00]: Right.
[SPEAKER_01]: Now the concern there is, when you think about, there's another piece of research that suggests
[SPEAKER_01]: quite a lot of CEOs and organizations have narcissistic traits.
[SPEAKER_03]: Surely not.
[SPEAKER_03]: Absolutely not.
[SPEAKER_03]: I cannot believe that for a secondly hand.
[SPEAKER_01]: And we all know that people like to hire people who are very much like themselves.
[SPEAKER_01]: So you look at Elon Musk.
[SPEAKER_01]: Did you look at the type of people he's around himself with?
[SPEAKER_01]: And can you really say that this is not a product of culture?
[SPEAKER_01]: And so when you think about insider threats, particularly the malicious ones, you kind of report you so there.
[SPEAKER_01]: There's definitely things you could do, so I've checked some bounces.
[SPEAKER_01]: If you build a good culture, people won't be incentivized to.
[SPEAKER_01]: to carry you over, I think.
[SPEAKER_01]: You know, you will have a small minority who just lives for the dark side, I don't want to see the world burn.
[SPEAKER_01]: But I think there's just something to be said there about actually, you hire people who like yourself and if you're a wrong one yourself, then maybe you're going to attract more wrong ones.
[SPEAKER_01]: What would you do to kind of prevent people from stealing all their intellectual property when they go to a competitor, Graham?
[SPEAKER_03]: Oh, I'd have a really good canteen in the company.
[SPEAKER_01]: Oh, Graham, you're making me come back to the office again.
[SPEAKER_03]: There you go, you see, because they can't feed themselves, can they?
[SPEAKER_03]: So I'd have a lovely restaurant, and I'd say look, of course, they're going to offer you $28 million more than we offer you.
[SPEAKER_03]: We understand that, but the food here is so much nicer.
[SPEAKER_01]: Here's where we get, we Burger King, we get it from Burger King.
[SPEAKER_03]: Oh, well, well, actually they could probably set up a Burger King drive through, couldn't they?
[SPEAKER_03]: They'd be easy to do.
[SPEAKER_01]: It's more jealousy than anything that I wanted to kind of bring this story up.
[SPEAKER_01]: What is that about?
[SPEAKER_01]: It just goes to show that me just cannot buy loyalty in this world.
[SPEAKER_03]: I mean, if Elon Musk wants to offer us a job working for xAI, we would split five million between...
How would you think?
[SPEAKER_03]: And we'd bring our own lunch boxes.
[SPEAKER_01]: Absolutely.
[SPEAKER_03]: And we'd never call him a- Not to his face.
[SPEAKER_03]: You know that feeling when you're juggling 10 different hats at once, you got your risk management hat, you're compliance hat, you're budget hat, you got the hat that says, please don't be the person everyone blames for slowing the business down and causing a roadblock.
[SPEAKER_03]: If that's you, then you'll be relieved to know that there is a better way because GRC, governance, risk and compliance,
[SPEAKER_03]: it's not just about ticking boxes. Done right, it can be a revenue driver, it builds trust, it speeds up deals, it makes your security program stronger, and that's where Drata comes in.
[SPEAKER_03]: Drata is a trust management platform that takes the boring, soul-sapping stuff off your plate so you can focus on actually reducing risk and proving compliance instead of endlessly chasing evidence or filling in yet another spreadsheet.
[SPEAKER_03]: With Drata, you can automate security questionnaires, evidence collection, compliance tracking.
[SPEAKER_03]: You can stay audit ready thanks to real-time monitoring.
[SPEAKER_03]: You can simplify reviews with Drata's Trust Centre and even AI-powered questionnaire assistance.
[SPEAKER_03]: In short, instead of wasting hours proving trust, you can actually start building it faster.
[SPEAKER_03]: So, if you're ready to modernize your GRC program and stop drowning in checklists, head over to drata.com slash smashing to learn more.
[SPEAKER_03]: That's drata.com slash smashing, because with Drata, trust isn't just a box to tick.
[SPEAKER_03]: It's a business advantage, and thanks to Drata for supporting the show.
[SPEAKER_03]: How many SaaS applications are your colleagues using right now?
[SPEAKER_03]: If you can't keep count, don't worry, you're not alone.
[SPEAKER_03]: SaaS sprawl and shadow IT are everywhere.
[SPEAKER_03]: And that's where Trelica by 1Password comes in.
[SPEAKER_03]: Trelica discovers every app you use across your company, whether it's officially managed, or someone quietly signed up for it with the company credit card.
[SPEAKER_03]: Trelica by 1Password gives you the tools to assess risk.
[SPEAKER_03]: Manage access and enforce security best practices across the board.
[SPEAKER_03]: No more abandoned accounts just waiting to be hacked.
[SPEAKER_03]: No more paying for licenses that nobody uses.
[SPEAKER_03]: No more scrambling when an employee leaves and you're not sure what they still have access to.
[SPEAKER_03]: With Trelica, you can securely onboard and offboard staff, reduce unnecessary costs, and stay on top of compliance.
[SPEAKER_03]: Now, I've used 1Password for years, I love how it takes the headache out of security, and now, with Trelica, they are tackling one of the messiest problems in modern IT, SaaS sprawl.
[SPEAKER_03]: Trelica by 1Password is trusted by businesses of every size, and it's backed by 1Password's rock-solid security.
[SPEAKER_03]: So what are you waiting for?
[SPEAKER_03]: Take the first step to cleaning up your SaaS landscape, secure credentials, and protect every application, even unmanaged shadow IT.
[SPEAKER_03]: Learn more at 1password.com slash smashing.
[SPEAKER_03]: That's 1password.com slash smashing.
[SPEAKER_03]: Right, cyber security, bit of a faff, isn't it?
[SPEAKER_03]: Everyone nods along in the board meeting, and quietly hopes someone else is dealing with it while they go and put the kettle on. Well, that is where Vanta comes in.
[SPEAKER_03]: Think of them as your mate at school who actually did their homework, and then let's you copy it.
[SPEAKER_03]: They'll help you get things like ISO 27001 sorted without the headaches, and they don't stop there.
[SPEAKER_03]: SOC 2, GDPR, HIPAA, even the shiny new ISO 42001.
[SPEAKER_03]: Vanta's got you covered.
[SPEAKER_03]: Instead of drowning in spreadsheets and tick-box questionnaires, Vanta automates the boring bit, centralizes your security workflows, even helps you manage vendor risk, meaning you can spend less time panicking about audits and more time worrying about what really matters, like whether you run out of biscuits in the canteen.
[SPEAKER_03]: And here's the clincher, because you're a Smashing Security listener, Vanta will offer you $1,000 off if you book a demo.
[SPEAKER_03]: You can't say fairer than that.
[SPEAKER_03]: So go on, give yourself a break, head over to vanta.com slash smashing, take the demo, claim your discount, let Vanta deal with all the dull compliance grind.
[SPEAKER_03]: Vanta, the first ever enterprise-ready trust management platform, one place to automate compliance workflows, centralize and scale your security program.
[SPEAKER_03]: Learn more at vanta.com slash smashing, and thanks to Vanta for supporting the show.
[SPEAKER_03]: Pick of the week is the part of the show where everyone chooses something they like, a funny story, a book, a TV show, a movie, a record, a website or an app.
[SPEAKER_03]: Whatever they wish, it doesn't have to be security-related, certainly.
[SPEAKER_01]: Better not be.
[SPEAKER_03]: Uh-huh.
[SPEAKER_03]: Well, my pick of the week this week is a website now way back in the day.
[SPEAKER_03]: I used to like computer games back when they were 2D, and it just meant going left and right rather than doing 3D and shooting people.
[SPEAKER_03]: I just liked casual video games.
[SPEAKER_03]: You know, on my ZX81, or my Memotech MTX512, or my home computer where I learnt how to program, it's to level those things.
[SPEAKER_03]: I'm not so much of a fan of modern computer games, I must admit.
[SPEAKER_03]: But,
[SPEAKER_03]: I like the classics, and I found this website called classicreload.com, which is devoted to the preservation of retro games and abandoned software which is no longer sold, and it has over 6,000 old games which you can play in the browser. They are sort of emulated inside your browser software,
[SPEAKER_03]: Commodore 64, Windows 3.1, ZX Spectrum, and I have to say it's quite good fun.
[SPEAKER_03]: Are you a fan of old computer games?
[SPEAKER_01]: I am, and as soon as you said it I was like, that's going to be a time suck, but a better
[SPEAKER_03]: I've found some old games that I used to love playing.
[SPEAKER_03]: There's a game called Digo or Dick Dundre, which I used to play, great fun, CGA graphics on MS-DOS, Kingdom of Kroz, which was written by Scott Miller, who set up Apogee games, and I think eventually, didn't he end up doing Doom or one of those sort of things, I think he did?
[SPEAKER_03]: And I found a couple of games which I wrote, making them nothing tease as well, which have ended up archived up there.
[SPEAKER_01]: You'll have to share those links specifically, Graham.
[SPEAKER_03]: Well, I'm a little bit embarrassed by some of them, but anyway, yeah, I suppose I could.
[SPEAKER_03]: So some of those games are up there.
[SPEAKER_03]: And I think it's rather fun.
[SPEAKER_03]: And that is why classicreload.com is my pick of the week.
[SPEAKER_01]: But it's really good pick.
[SPEAKER_01]: So we gotta say, I'll have to just avoid it for the time being, because I know what I'm like.
[SPEAKER_03]: Lianne, what's your pick of the week?
[SPEAKER_01]: My pick of the week is a YouTube channel.
[SPEAKER_01]: Yes.
[SPEAKER_01]: It's one of the YouTube channels where you get so excited when it comes up in your feed.
[SPEAKER_01]: Okay.
[SPEAKER_01]: If you're lucky enough to have a feed that's decent enough, that will actually show you things you've subscribed to.
[SPEAKER_01]: It's called, and this is so up my street, the Bad Movie Bible YouTube channel.
[SPEAKER_03]: Okay, the Bad Movie Bible.
[SPEAKER_01]: Do you like bad movies?
[SPEAKER_03]: Um, I'm probably a bit more of a fan of good movies, but I do seem to watch my fair share of bad movies, and some movies are so bad they're brilliant.
[SPEAKER_01]: Exactly.
[SPEAKER_01]: Exactly.
[SPEAKER_01]: Now, this YouTuber, he's doing God's work.
[SPEAKER_00]: Yes.
[SPEAKER_01]: And basically the format is, they're usually about 45 minutes to an hour, so they're really in depth, they're video essays, and a lot of them are based on knock-offs and fakes of movie genres, movie titles that we all love and are familiar with.
[SPEAKER_01]: So, his recent offerings are the best and worst and weirdest RoboCop knock-offs.
[SPEAKER_01]: All right.
[SPEAKER_03]: would they be things like robo-cold about a robo-tock fish?
[SPEAKER_01]: Well, there's also like, like, there's one called, um, fenn bock-cock, and side bock-cock, hobo-cock, and all sorts of things like that.
[SPEAKER_01]: So he basically watches bad movies, so we don't have to.
[SPEAKER_01]: Um, so that's why I think he's just doing some amazing, saintly work there.
[SPEAKER_01]: But there's been so many films where he's described, and like, actually, that sounds amazing, and I've rushed out and got absolutely lucky this channel.
[SPEAKER_03]: Have you ever seen Shark Attack
[SPEAKER_03]: 3 with John Barrowman?
[SPEAKER_01]: Not Shark Attack 3, because I'm worried about what Shark Attack 3 is about.
[SPEAKER_01]: I haven't seen Shark Attack 1 or 2.
[SPEAKER_01]: I'm missing out on the story.
[SPEAKER_03]: I haven't seen Shark Attack 1 or 2, and I was able to follow the plot of Shark Attack 3, but it is quite impressive, I have to say.
[SPEAKER_01]: So the Bad Movie Bible YouTube channel.
[SPEAKER_01]: So really nice guide, if you want to start exploring, the most bad-f***ed films you'll ever come across.
[SPEAKER_01]: Boy or boy, they have very, very good videos.
[SPEAKER_01]: And I absolutely adore just sitting there and planning my next step, bad movie marathon.
[SPEAKER_03]: Alright, I'm gonna look forward to exploring that.
[SPEAKER_03]: Thank you very much, Lianne.
[SPEAKER_03]: And that just about wraps up the show for this week.
[SPEAKER_03]: Thanks so much, Lianne, for joining us.
[SPEAKER_03]: I'm sure lots of listeners would love to find out what you're up to and follow you online.
[SPEAKER_03]: What is the best way to do that?
[SPEAKER_01]: Yep, come on.
[SPEAKER_01]: Say hi to me on LinkedIn.
[SPEAKER_01]: I love spending my time there, because maybe I'm a narcissist as well.
[SPEAKER_01]: Type in Compromising Positions podcast, don't just type in compromising positions.
[SPEAKER_01]: You won't find us.
[SPEAKER_01]: You'll find lots of other things that I can't be held responsible for.
[SPEAKER_03]: And of course, Smashing Security is on social media as well, and you can find me, Graham Cluley, on LinkedIn, or follow me on Bluesky, where Smashing Security also has an account, and don't forget to ensure you never miss another episode, follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Spotify and Pocket Casts.
[SPEAKER_03]: The episode show notes, sponsorship info, guest lists, and the entire back catalogue of 434 episodes.
[SPEAKER_03]: Check out smashingsecurity.com.
[SPEAKER_03]: So until next time, cheerio, bye bye!
[SPEAKER_03]: Bye!
[SPEAKER_03]: You've been listening to Smashing Security with me, Graham Cluley.
[SPEAKER_03]: I'm grateful to Lianne, the cyber anthropologist, for joining us.
[SPEAKER_03]: And I'm grateful to this episode's sponsors, 1Password, Drata and Vanta, and of course, to all of those chums who've signed up for Smashing Security Plus and support the podcast via Patreon.
[SPEAKER_03]: They're the folks who make these podcasts really possible and get me out of bed in the mornings, and they include Scotia, Michael Cram, Darren Kenny, William Reddig, Ryan Who, Sean Jan, B Daniel, Arsk Leo, Ruben, Steven Castle, Alan Lysker, Matt Cotton, The Green Girl, Mike Hallett, Monkey Duck, Alex, Tarsca, Daniel Cromek, Jamie Forster, and Elbow.
[SPEAKER_03]: If you'd like your name to be one of those read out on the credits now and then, this is one of the joys of joining Smashing Security Plus.
[SPEAKER_03]: You sign up for as little as about $5 a month.
[SPEAKER_03]: And you get your name read out every now and then, as well as early access to Smashing Security episodes, occasional bonus content and, of course,
[SPEAKER_03]: the episodes of Smashing Security that you get early don't have any ads in them.
[SPEAKER_03]: What you've got to do is go to smashingsecurity.com slash plus for more details now.
[SPEAKER_03]: Obviously I realize not everyone is able to support the show that way, that doesn't matter.
[SPEAKER_03]: You can support us in other ways as well.
[SPEAKER_03]: You can like, you can subscribe, you can maybe even give me a five star review, that'd be lovely.
[SPEAKER_03]: Anything you can do to entice people to give this humble little podcast a listen is really gratefully received. Spreading the word, via word of mouth, is a fantastic way to do it.
[SPEAKER_03]: So thanks to everybody for supporting the show, for listening to this episode, and I hope you're tuning in again next week for more of the same. Until then.
[SPEAKER_03]: Cheerio, bye-bye.