Quick note before we begin this week, I wanted to thank everybody because we keep getting emails from people who love the show and are proactively asking how they can help us, which is just a very unusual gesture to get from an audience of listeners out there. Two things.
If you can, please sign up for our ad-free version in Cognito mode. You can find it at searchengine.show. Or, if you're not in a financial position to do that, It's funny, but writing a review of the show on Apple Podcasts helps us put the show in front of many more people because of the strange logic of the algorithm.
is that a question for a different question answering show i don't make these rules but if you've got a minute leave us a review on apple podcasts ideally a positive one thank you after these ads we've got a great show for you A friend recently pointed out to me this small, interesting fact he'd observed. A podcaster he listened to had a habit of signaling to his listeners which episodes of his show were the really good ones, so you could skip the others if you wanted.
I admire the hell out of this gesture. It's like when a waiter nudges you away from the so-so dish towards the excellent one. They're actually on your side, not just selling you something. And in that spirit, I want to say that this week's question, for us, it's been one of our favorites. I'm always looking for question of the year. It's my Oscars. And in February, when I heard this one, I thought,
might be it. Hi, Eric. How are you? I'm good. Big fan of your work. Oh, thank you. I appreciate your Costco hoodie, Kirkland Signature. Well, thank you. The question came from this listener, Eric, a man with impeccable taste. And his question had to do with one particular feature on the iPhone. The audio message. Some people call these voice messages or voice notes. I switch in between all three. But it's where you can send someone a recording of your voice
rather than a text message. Well, normally you can. But Eric had learned of an anomaly. One specific phrase, which if you set it into your iPhone, the message would refuse to go through. And the phrase in question was a surprising one. So I'm going to group chat per usual with just some buddies of mine we've been friends since college and so thursday my friend alex said you gotta try this record a voice memo message and mention dave and busters and it will not be delivered
Dave and Buster's. As in the American restaurant that's Chuck E. Cheese for adults. Skee-ball and rum and coke. Dave and Buster's. So of course he sent us a bunch and everyone says negative. Did not get that. Nope. Didn't get that. So everyone's like what the fuck that's wild can i try it with you right now yes do you mind we'll bleep it out but can you give me your phone number sure Sorry, all the fours. That's okay. Adio.
Wait, is it audio? I never leave voice memos. I'm like, I record my voice and monologue for a living. Oh, I know. Me neither. I think famous people do it because my wife has like a famous friend. That's the only way she messages. Really? I don't know. Yeah. Wait, why do you think famous people are more likely to send voice memos. I don't think they want to spend time actually typing out their thoughts. It's like a phone call without actually having the commitment of a phone call. Interesting.
Okay, alright, I'm sending you on. I found the audio message feature on my phone and decided first as a test, I'd send a message without the trigger phrase. Hey, have you heard about the animatronic? Banned at Chuck E. Cheese. There's something to check out. We should go. All right. Send. I've got the three bubbles. Yep. Says deliver. band at Chuck E. Cheese. There's something to check out. We should go. Alright. That one worked. Okay, now let me try Disney Dave and Buster's. Yeah.
You know, the place I really want to spend time is Dave and Buster's. I want to be intoxicated and gambling. That sounds cool. Let's go to Dave and Buster's. Alright, send. Okay, it transcribes, it says you know more, but it doesn't say delivered on my end. Do you get it? Nope, I just got three dots. And it just stays on the three dots? It just stays on the three dots. It looks like we're breaking up with each other and I'm really sending you a novella. That's right.
We waited, but the message never went through. Just three dots floating forever in the air like stray balloons for weeks after this call. The search engine team became enchanted by the anomaly. We kept trying to send each other voice notes, convinced there had to be some other combination of words that would also refuse to transmit. It couldn't just be the phrase Dave and Busters, right? Except it was.
This testing itself was addictive. In fact, I want to give you permission to pause this podcast right now and just try it yourself. Go ahead. Make a voice note. And in it, tell your crush you love them. Tell your boss you hate them. Tell a secret that you have kept close to your chest. As long as it's iPhone to iPhone. And you include the phrase Dave and Busters. The message. It will not end. Eric's group chat had found out about this anomaly basically through internet word of mouth.
Eric's friend's girlfriend's friend had discovered it herself then posted about it on her personal Facebook page. Can you read me the original Facebook post that you made? Okay, friends, help me solve a mystery. Audio messages sent between iPhones will not send if you say Dave and Buster's in the audio. Don't believe me? Try it.
I sent an audio text to an Android user and it went through. Is there beef between Apple and Dave and Buster's? Does that name sound like something inappropriate and is being blocked? I don't know, but y'all try and comment below your results. And please share this so maybe it will find the right person to answer me. Hopefully that's you, right?
This is Nicole Williams, patient zero for the Dave and Buster's anomaly. So when you post that, I'm curious, like, how had you discovered this anomaly? So my best friend, she and I audio text all day, every day. when they were running a Winter Pass special, and it was... Dave & Buster's was? Yes, Dave & Buster's. And she and I love arcades and all that stuff, so she continued to send me these audio messages about this Dave & Buster's Winter Pass.
and I wouldn't respond. And so she just would continue to ask me, and it went on for probably a month or so, and then I was at Dave & Buster's, and I sent her a message, and somehow through that exchange, We discovered that. None of those messages were coming through. And it kept me from the winter pass. So I think there's monetary damages done, too, because I paid way more than I needed to. But then we started testing it.
Nicole and her friend were doing what everybody does when they learn about this anomaly, experimenting. sending each other and other people different versions of these Dave investors' messages. My husband is an Android user, unfortunately, and the audio would go through to him. So it was... just between iPhones and not between an iPhone and an Android. So maybe this was an Apple issue. Could there be something about the phrase Dave and Busters that Apple specifically would want to censor?
What is like the word busters is something derogatory. I don't know if they flagged that word, like I'm going to bust you in the face or, you know, something. And so they were like. Maybe there's violence happening. So then we would just try sending busters. But no, busters can go through. Nicole ran a few more tests herself, but she couldn't figure it out. So, she posted on Facebook. The post reached Eric. who just one day later has sent it to search engine. And when we received the call,
We accepted the mission. I asked Eric, what did you think when you first encountered this? Uh, what's the conspiracy about Dave and Buster's and Apple? does tim not like dave and busters is buster a weird word like is buster like i'm obscure slur that you've never heard of right yeah is it something in a different country england do they think dave and busters is weird i don't know
And then what's your second order of theories? Uh, this is just a weird bug that Apple doesn't know about. Yeah, it's... Weird. I know. I'm hoping you guys can figure this out. Okay. I'm going to look into it. But I also want to say the other thing that's kind of cool about this. Right now, you and I are in this glorious window in which
If you've forgotten to write someone back and you've offended them, all you have to say is, I'm so sorry. I left you a voice memo. I happen to mention Dave and Buster's, and you're never going to believe this. There's this little-known error. Hey, I was just letting you know you were fired, but I wanted us to meet at Dave and Buster's to kind of talk through the severance plan, and that didn't go through. I'm sorry. we're going to take a short break and then
An investigation that will take us to some strange places, some dark places, and of course, through the gates of Dave and Busters itself. All that, after these ads. Welcome back to the show. Before I tell you anything else, I want you to know that this week, we found an explanation. We've solved the Dave & Buster's anomaly. I'm going to tell you the path we followed.
clues along the way, although I didn't always recognize them when I encountered them. Maybe you will. Our journey began online, where there was surprisingly, a little thrillingly, almost nothing. There's that original Facebook post, which Nicole had written January 29th. That had garnered 13 comments. And right there in those comments, I saw theory number one. Theory number one. is that this was a corporate feud. Here's the Facebook comment, quote,
I'm cracking up thinking about this beef between D&B and Apple. I need answers. The theory that this was a feud seemed like it imagined a pretty petty world, but we are living in a pretty petty world. Tech CEOs do all sorts of strange things. Still, why would a multi-trillion dollar company be feuding with Dave and Busters? I shelved this idea for a moment. Even in our timeline, it seemed too absurd.
I moved on to theory number two, which both Nicole and Eric had considered. Tech company censorship. The idea that there was something in the phrase Dave and Busters that the iPhone software was blocking. To me, this also seemed unlikely. You can say whatever you ducking want in a text message. Any vial thing. Why would an audio message be any different? I needed more probable theories, so I went looking for them.
First stop, the forums on Apple's website. There, I found one person posting about this issue, a man named Wesley, writing on December 30th, 2024, says, quote, craziest thing. Try to send a voice text. Not dictated text with the phrase Dave and Buster's in it. And the recipient will not receive it. It's the craziest thing I've seen. Let me know what you get. Apple moderators closed down the thread. No replies. Wesley's call to follow him, silenced, into the void.
So I looked to the 22,000 member Dave and Buster's community on Reddit. Something you need to understand about this community is that Davenbusters offers its customers a sort of soft gambling experience. You compete there for tickets that you can exchange for valuable prizes, like a Nintendo Switch. And in the subreddit, people mainly obsess over ticket maximizing strategies and brag about the valuable prizes they've won.
One typical thread I saw, quote, cashed in five emoji barcode balls for 20,000 tickets and got the foot massager. Another, first time hitting the super bonus. A third, my favorite, plaintiff, how long does it take to get the birthday reward? No mention here, not one, of the anomaly. None of these people had noticed they weren't allowed to whisper into their iPhones the name of the place they most loved.
I was not yet making progress, but at least I now carried the question with me because socially it was the most powerful search engine query I've discovered. At dinner, at drinks, if conversation lulled, if I wanted to steer things in another direction, I'd pull my phone out. It was a superpower. Wanted to see a secret almost nobody else on earth knows.
The anomaly would provoke a flurry of voice noting, and then feelings of wonder, which would melt into feelings of paranoia, a one-two you often encounter in America. so many conspiracy theories about Apple, Tim Cook, Dave, Buster, phones listening in on you, which again, I just was not ready to buy any of these. But I had no counter story to offer in return.
The first clue, which I would not understand until much later, was hidden inside a story. Okay, we now welcome on a very, very special guest. Which I heard on a Barstool Sports podcast called... Pardon my take. It is James Buster Corley, one of the co-founders of Dave and Buster's, the most famous place In the world. In the world. It's video, so you see the hosts dressed like pretty standard Intelligros. Casually, comfortably, one is wearing indoor Ray-Bans.
And then there's the titular Buster, Buster Corley. First, let me say I'm jazzed to be on this program. I'm not. Buster connecting on video from his home, a man in his late 60s, looking a bit like a fitter offseason Santa Claus. Charmingly, there's a large pinball machine in his home, just behind him in the frame. The man likes the game. I'm happy to be here, and I'm happy to always happy.
to talk about David Busters, whatever you want to talk about. Okay, all right, so let's start from the beginning. Can you just give us the beginning, like how it all started and how it all evolved into being the coolest place for games and fun and eat? Of all time. Yeah, well, Dave and I started out as business partners and along the way became best friends. And I'm godfather to his children. He's godfather to mine. Buster tells the origin story of his and Dave's powerful partnership.
Back in the early 80s, these two men, Dave and Buster, were running establishments in Little Rock, Arkansas. Their businesses were separate but side by side. One called Buster's, the other confusingly called Slick Willie's. Slick Willy's was a big ass really fine pool hall early on like Customers loved Slick Willy's games and they loved drinking next door at Buster's. But the rules in Arkansas said that the two places could not be combined.
Back then, you could not have pool tables and a liquor license under one roof. but there was a walkway between the two and in our infinite wisdom we sat at the bar and watched our guests go from one place to the other. They go over to... slick willies for intense games and then come to busters to eat and drink and back and forth etc so we thought hey you know what we need to do is we need to put these two places together
So they did. They moved to Dallas, where the rules were different, where their forbidden desire to mate restaurants would be allowed by local regulators. The new spot, this one carried both their names, conjoined now by a fancy ampersand, Dave and Buster's. From there, the rest was restaurant history. That was Buster's story. And if its obvious pertinence to the solution to this mystery is not clear to you,
It wasn't clear to me at the time either. I didn't know what I'd just learned. I couldn't talk to either Dave or Buster directly. Both founders in 2025 have sadly died, and Dave and Buster's corporate was not responding to my email. but I had another idea, something I wanted to test out at the local franchise. Okay, so we're walking in to Dave & Buster's at 11am on Tuesday.
It has more arcades than I've ever seen in any single place in my life. This is actually kind of awesome, I have to say. I visited my local Dave & Buster's with my colleague Hazel just as the doors opened. It's huge. There's so many cars. It's like a cop. They've got Minecraft, Aliens Armageddon, Pac-Man Battle Royale. They've got axe throwing. Dave and Buster is at casino-esque entertainment prison. No clocks, no windows. Engineered to make time disappear while you chase your tickets.
Our reason for being here was that we thought that at least one group of people who must have noticed this anomaly would be the employees of the place itself. Imagine their voice notes. Honey, I'm going to my job at Dave & Buster's. What a long day I've had at Dave & Buster's. I ate some chicken wings on my break at my job, which is Dave & Buster's. I hoped these employees might have some insider information they could share.
But as I walked in, I realized there's another question that I didn't even know I had, which is, what kind of customer goes to Dave and Buster's at 11 a.m. Which of this Bacchanal's many dopamine highs were these people chasing? Okay, first of all, can I just ask you your name and what you're doing at Dave & Buster's this morning? Hi, my name is Alex. I'm here to play DDR.
right by the door a couple a man and a woman not drinking not gambling just wholesomely playing dance dance revolution and you were like ripping it up i've never seen anybody do that how often do you guys come here so I've been coming here pretty frequently over the last year probably a couple times a week it's it's a workout for me so like I'm doing it to burn calories
Alex and his wife, two very athletic people, used Dave and Buster's as their gym. I wanted to just make a podcast about that. Instead, I asked about the anomaly. Okay, so the actual question that we're trying to figure out This is going to seem like a left turn, but do you use an iPhone or an Android? iPhone. Do you ever send voice notes on iPhone? Very rarely. I receive them sometimes. Have you ever noticed that if someone...
So we discovered that if you try to send or receive a voice message on an iPhone, and it includes the phrase Dave and Busters, and as far as we can tell, only Dave and Busters, the message will not send. I had no idea do you want me to show you that how this works um i'll take your word for it it's okay the person's like no i'm good Alex was keen to get back to his workout. So I moved on. What's your name? It's Al Ray. And what do you do at Dave & Buster? I'm a janitor.
Here we go. An actual employee. Do you have an iPhone or Android? I have an iPhone. Do you ever send voice notes to message people? Yes, I do. Have you ever mentioned Dave and Buster's when you send a voice note? Like if you're like, I'm at Dave and Buster's right now. Well, honestly, I'm at work.
Ah. And it wasn't just Tyree. Another employee I spoke to said pretty much the same thing. It was work. It was the envies. Of course. I do not tell people on my way out in the morning. I'm on my way to search engine. The anomaly then had gone unnoticed by the folks at this Brooklyn branch of Dave & Buster's. I, whoever was noticed, I was soon asked with polite directness by the manager to hit the road. So we hit the road. We first talked to our listener Eric in February. And now...
In that time, the American economy shuttered. The president picked a fight with Nauru, a country of 12,000 people. Citizens everywhere planned for their uncertain futures. And meanwhile, I kept showing people the Dave and Buster's anomaly, and despite everything, they kept being arrested in wonder by it. And then finally, I showed it to the right person. Two of them, actually. people who would help us solve this riddle. Our big break after this short break. Welcome back to the show.
Our big break came from someone at the office. Shruti had mentioned the anomaly to a film editor here, Andy Grieve. And like everybody, Andy found himself repeating Dave & Buster's into his phone, trying to find out if there was some trick that would force Apple to try.
a Dave and Buster's voice note. But unlike everybody else, Andy was successful. Late that night, Andy wrote to Shruti that he'd made a discovery. If you said Dave and Buster's into a voice note very slowly, like slowly, spreading out the words. and
Busters, the voice note would sail through. Andy wrote, quote, I've been doing some tests over here, and my theory is that it's not Dave and Busters. It's Dave and Busters. I know that sounds the same to you as a listener, because you're not reading my script right now. But the first time Andy wrote Dave & Busters, he wrote it A-N-D. The second time he wrote it with an ampersand. And he's right. The official way to spell Dave and Busters is with an ampersand.
All those years ago, when Dave and his business partner Buster had conjoined their restaurants into one concept, they'd put an ampersand in between their names. Not knowing that this one fancy flourish, made years before the invention of the iPhone, would cause an anomaly in space and time decades later. Stunning. Andy continued, quote, I tried saying and, and, and, and ampersand, and the message didn't send. So Andy had deduced that ampersand was the likely culprit.
Maybe Andy should be hosting a podcast. Computers, particularly in the past, have had all sorts of problems with special characters like ampersands. Andy, as a film editor, knew that his film editing software, for instance, would sometimes reject a special character in the file name. If it was a problem there, maybe it was a problem here.
But what didn't make sense to any of us was why. You could easily send Dave & Busters over text. What was it about saying Dave & Busters over audio message that would cause the anomaly? It was confusing. I knew that we needed to talk to an expert. Ampersand, a fellow tech reporter, connected me to the right one.
Hi, my name's Alex Dumas. I'm the Chief Information Security Officer of Sentinel-1 and a lecturer in computer science at Stanford University. And what does it mean to be the Chief Information Security Officer? It means I used to be a hacker and now I'm a corporate sellout. That's what it means. Alex grew up in the 90s doing all sorts of youthful computer crimes. But as an adult, his life flipped.
Now, companies hire him to legitimately test or protect their security. He ran security for Yahoo. After that, he ran security at Facebook, actually during the height of Russian hacker paranoia. Very big jobs. He may have been overqualified for the case of the Dave & Buster's anomaly. In fact, when I told a journalist friend I'd reached out to the Alex Stamos,
his face made this wobbly expression before he said, you asked Alex Stamos about the Dave and Buster's thing. So I reached out to you because I'm trying to answer this question. And I just want to say like, before I explain the question, I understand there's a lot going on in the world right now if you were to rank every single problem afflicting the world in order of importance there's a good chance this one would go last
fine with me man podcast about the top 100 problems so many podcasts about the top so if you're looking for that podcast turn this one off now yeah get out get out this is about a small and interesting and delightful quark So the issue is this. A listener of ours heard about this issue because a friend posted on Facebook, and then the chat group tested it out. What they realized is that if they send one another... voice memo and the voice memo contains the phrase Dave and Buster's
The voice memo will not send. What? Yes! What? That's the backdoor? It's not like Xi Jinping looks like Winnie the Pooh or a sequel query or something. It's David Buster. Let's do this. Yeah, yeah, let me do it. I'm gonna try to send you a memo. For the last time, I spoke the magic words into my phone, and I hit send. Yeah, I get three dots, and it's still three dots. Yes. This is giving me anxiety just watching. And it doesn't show up. That's crazy.
So I told Alex about the film editor Andy's discovery around the ampersand. It's funny, I should tell you, one of the people that I've said this, he found that if he said Dave and Buster slowly enough, he's like, Dave... and busters, in that circumstance the message seemed to send. Oh, well then it's almost only the ampersand.
Alex started to dissect what might be happening behind the scenes with the audio message and the troublesome ampersand. And his explanation pointed to an additional culprit that never would have crossed my mind. That culprit? AI. It turns out AI is part of the process involved in sending an audio message.
When you receive an audio message, you see the actual waveform of the audio, where you can click play and listen. But below it, you also get the transcript of what's in the audio. And Alex noted that this transcript is a relatively new trick from Apple, enabled by artificial intelligence. They now have this feature, which is they do AI where they listen to the message and do real-time transcription of it.
So when I do a message, and I want to be very careful with the words they listen, because I feel like it is a big part of people's theories in this. Yes. But when you say they listen, you mean I talk on the phone. An AI that's either, I don't know, on my phone or in the cloud. I think it's supposed to be on the phone. I mean, this is one of the things that Apple advertised.
is that their AI is supposed to be more private because it's running on your phone. So the AI that's on the phone is like, quote unquote, listening to my message, turning it into text so that when I send people long voice memos, they can actually skip them and just read it. And that's sort of new. That's new. Apple started offering these auto transcriptions in their fall 2023 update. iOS 17.
And the fact that these transcriptions are AI-generated is important because, as Alex pointed out, there have been issues with some of Apple's newly released AI features. particularly since their most recent update, which shipped one month before the first report of this Dave & Buster's anomaly, iOS 18. A lot of people thought this new iOS is kind of like their worst release ever.
Here I am getting uninvited from any Apple event ever again. But like, they demoed all this stuff. Like the summaries, have you seen all the summaries people have shown? Like, you know, you get broken up over text and it gives you the Siri summary of like, Sorry, they can't. Don't hate them. Or it'll say, like, oftentimes I just get inaccurate ones where it will try to do an italicized summary of a text message or a headline, and it'll say something that sounds incredibly alarming.
And then when I click through, I'm like, oh, no, the AI is just confused. Right. So it just makes me think like they kind of rushed a bunch of this AI stuff. So my first thought is. Is the AI model, for whatever reason, choking on the Dave and Buster's ampersand? So this is where the ampersand comes in. The iPhone's AI model takes the audio of me saying Dave and Busters and tries to turn it into a transcript that writes Dave and Busters with an ampersand. But that breaks something.
The iPhone, perhaps, thinks this ampersand represents here not human language, but a random misplaced bit of computer code. Because ampersands mean one thing in human English and another thing in code, engineers usually indicate to the computer when an ampersand should be ignored. We do this thing called escaping, where you basically say, hey, treat this as something that's displayed as an ampersand to a human. Don't
interpret it as an ampersand. And so maybe it's just forgetting to escape this ampersand in this one particular circumstance for whatever reason, if it's Dave and Buster. This ampersand may have been unescaped, one of the most jaw-dropping scandals of 2025. But to understand why that unescaped ampersand could have fully crashed the audio message, that required further testing. Alex offered to try to get inside the iPhone's mind. I've got an iPhone here that's hooked up to my computer.
And I can try it here. We can see whether or not we can get to throw an error. Yeah. We can see. So you see, I've got just this test phone that's got nothing on it. And when you say a test phone, it's just like an iPhone that you're purely using for this test. Yeah, it's a development phone. It's a totally clean...
iPhone 14 with a brand new install of 18.3.1. It's set to developer mode and so it's hooked up to a tool called Apple Instruments which allows me now... We were screen sharing so I could see the software. On the top of the window was a spiky graph representing activity on the iPhone, almost like a heart rate. Beneath, eligible to meet, the corresponding log entries for each action the phone had taken, the computer's notes on its own internal working.
Normally these log entries are quickly deleted, but Alex's setup would capture them. So we're going to make the problem happen and then we're going to like x-ray into the mind of the iPhone to understand what is going on behind the scenes. Yeah and so we're going to see maybe if something crashes we might get lucky. And as it dies, it might say, oh, I'm dying. Yeah. Hey, PJ, let's go to Dave and Buster. Okay, so you've recorded the message you're gonna try to send it
I'm receiving nothing. At the moment that Alex had recorded his voice note, I could see the log entries cascading down the screen. Any action the iPhone took required marshalling so many of these little tasks. The voice note, of course, did not make it to my phone. But now Alex could check these tasks to see which one had failed. And so, I am transcoder agent. This is probably a pretty... Good one for us to look at, right? Mobile SMS. Looks like a good one. There's info, debug. So let's see.
It's funny, you're like fluent in iPhone. I'm not a professional in this. I just want to point that out. You speak enough iPhone to go on vacation in iPhone and order some cocktails. Exactly. Yeah. That's it. There are people who do this all day, every day. Alex's larger theory about what was going on here was that the unescaped ampersand had perhaps triggered one of the security systems built into the iPhone's internal code.
I did not know about these security systems and Alex started to explain to me how they worked and why Apple's developers created them in the first place. One of the things they've done is they've created security protections where if something bad happens, they can try to protect that if you hack one of those subsystems, that hopefully they can contain that hack.
and keep them from taking over the entire film. And have there been issues in the past where because there's so many programs that are now sort of entering into iMessage, someone might find a vulnerability in like Memoji and then be able to get it and grab somebody's text messages or something? Oh yeah, no, take over the internet. Oh wow. Yeah, so there's a company in Israel called NSO Group that sells these. hacks and is very good at it.
you know the russians do this the chinese do this so the chinese government's actually quite good at this and if somebody nobody would ever do this to me I'm not that type of reporter but if it happened to me what would happen like one day I would get a text message from an unknown number with a funny emoji and that would be them breaking in so there's
what are called interaction and non-interaction hacks. So there have been ones that are so bad that the message is delivered and in the background. your phone parses the message, they take over your phone, and then they delete the message you don't even know.
And then they plant the malware on your phone. And now they can read all your messages, read your email, and even in some cases, turn on the microphone, turn on the camera, track your GPS locations. And that's been used against democracy activists. It's been used against journalists. It's really bad.
Let me tell you a story about what Alex means when he says it's really bad. So one of these iPhone exploits was discovered by NSO, that Israeli hacker group Alex mentioned. And NSO sold it to the Saudi government. Here's how they used it. One day in 2018, a flight attendant gets taken into custody at the Dubai airport. While she's being interrogated, someone opens her phone and covertly installs the exploit on it.
Not because they're interested in her, but because they're interested in her partner. A man named Jamal Khashoggi, a Saudi journalist, a columnist at the Washington Post. He'd been critical of the royal family. Five months later Khashoggi is murdered, quite brutally, by agents of the Saudi government. presumably Apple built these security systems to prevent events like this one
But Alex thought that here, perhaps one of those security systems built for a very important reason was behaving in an overselless way. The rogue ampersand. The fact that it had just confused the iPhone for a moment. Maybe the system saw that as a vulnerability and stopped the message from transmitting it all. That's the theory anyway. I have one more question. If I were a different kind of person ethically, is there a path by which...
you know, this listener is like, Hey, I saw a Facebook post. This funny thing happens on an iPhone. Check it out. They send it to me and I'm like, send a message to someone in China or Israel or Russia. And I'm like, Hey, Hey, there's this little part of the security wall that looks a little funny.
like you can use this and like they do a little bit more work and then the next thing you know, someone is calling a journalist and saying like Dave and Busters, Dave and Busters, Dave and Busters and getting into their email. I mean, it's possible. It is possible. that this is- if you pull this thread you find a big hole in the sweat. This kind of bug, it's not super likely, but it is possible. I have seen more minor things than this turn out to be a highly exploitable.
Alex recommended that we email Apple with the details of the anomaly, which we did. Apple looked into it and actually got back to us. They told us what we'd found is a rare bug. I mean, we knew that. And said it poses no security risk to its They said a fix will be available and a software update soon. cherished so much.
feels like around seven seconds here. But back to Alex's tests. There's a bunch of errors getting thrown around the IM transcoder agent. He wasn't able to definitively find the exact process that the unescaped ampersand was breaking. None of the errors here. It gives us a perfect, but this is pretty
But he saw enough to feel good about his theory. And he was able to connect us with some iOS experts, people more fluent in iPhone, who were able to confirm that the ampersand was causing the issue here, on the sender's side. The anomaly was essentially explained. I asked Alex Stamos what, in the end, he made of all this. When you learn about a glitch like this, what's the feeling it gives you? You know, there's a saying that you hear software people say, it's turtles all the way down, right?
Something I tell my Stanford students is that security is an incredible field to get into because it's the only part of computer science that gets worse every year. Every part of CS just magically gets better. graphics and compute and storage, but systems get more complex. less understandable and more important every year. And so as a result systems get less safe and there's more need for people to break them and make them safer. And I think AI has just massively multiplied.
I mean, this is one of the weird things about AI. Theoretically, AI systems are supposed to be what's called deterministic, right? So a deterministic system is a piece of software where if you know the inputs, you can predict what the outputs are. In practice to human beings, modern AI systems are non-deterministic. We have no freaking idea why they work. We just build these things and we train them on these huge training sets.
And then they just kind of happen. They just kind of do things. We are building software systems that are beyond human comprehension. And we're throwing them in our pockets and then building our lives. And this is another thing I tell my students. It is the most exciting time to be in security since the late 90s because once again, New kinds of vulnerabilities and bugs are being discovered every day of new entire classes of issues.
This is what it was like when I was young. You'd go to a security conference, you'd go to Defcon or Black Hat, and you'd go to a talk, and somebody would get on stage, and they would talk about some new research. You would leave, and you'd be like, wow, I think every single product on the planet is vulnerable to that bug because nobody's ever heard of it. And that's what AI is like right now.
you know somebody might say we built in a secure ai system and you're like you can't make that promise because nobody knows what the vulnerabilities are in these systems yet like Just the fundamental research hasn't been done yet. And so it is like both a terrifying and really fun time to be alive if you're in this field.
Of all the anxieties I have about artificial intelligence and their legion, this was an underrated one. That AI might be helping us build things we ourselves don't entirely understand. Today, that had prompted a silly question about a phone that for its own reasons, would not send a Dave & Buster's message. I wondered what questions it would prompt tomorrow. Alex, thank you. Thank you for being so generous with your time as well. Yeah, thanks, PJ.
Alex Stamos is the Chief Information Security Officer of Sentinel-1 and a lecturer in computer science at Stanford University. And thanks this week to Kashmir Hill, Nadeem Hamoud, and very special thanks to Jay Little and everybody trail of bits. They lent us their iPhone fluency. Jay spent his valuable time running tests to better understand this ampersand bug. Thanks so much.
Search Engine is presented by Odyssey. It was created by me, PJ Vogt, and Shruti Pimanini. Our senior producer is Garrett Graham. This episode was fact-checked by Mary Mack. Theme, original composition, and mixing by Armin Bazarian. Additional production support on this episode by Noah John, Hazel May Bryan, and Sean Merchant.
If you would like to support this show and get ad-free episodes, zero reruns, and the occasional bonus audio, please consider signing up for Incognito Mode. You can learn more at searchengine.show. Our executive producer is Leah Reese Dennis. And thanks to the rest of the team at Odyssey. Rob Miranda, Craig Cox, Eric Donnelly, Colin Gaynor, Maura Curran, Josephina Francis, Kurt Courtney, and Hilary Schaaf. Our agent is Oren Rosen.
follow and listen to for free on the odyssey app or wherever you get