049: Hacking funeral homes, crypto mining websites, and careful with that hairspray

October 25, 2017
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Hello everyone, and before we begin, a quick apology. I don't want to point any fingers or name any names, but unfortunately on this particular episode, one of us has quite poor sound quality, and basically without dropping anybody in it or anything, we've all agreed that next time any of us go to Canada, we will take the proper microphone with us to avoid this happening again. Anyway, I think the episode still sounds great, lots of good content here, so enjoy the show.

Carole Theriault

This episode of Smashing Security is supported in part by NetSparker. NetSparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.

Unknown

This episode of Smashing Security is also supported by Entersekt. They have a webinar which promises to tell you everything you need to know about the secret key to PSD2 compliance. Sign up right now at smashingsecurity.com/entersekt. That's E-N-T-E-R-S-E-K-T.

Carole Theriault

If you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities, as well as coding errors that can leave you and your business exposed to malicious hacker attacks, you need NetSparker. Try it now by downloading a demo at netsparker.com/smashing. That's netsparker.com/smashing.

Unknown

Smashing Security, Episode 49: Hacking Funeral Homes, Cryptomining Websites, and Careful with That Hairspray, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 49 of Smashing Security for the 26th of October, 2017. My name is Graham Cluley, and I'm joined as always by my good chum and co-host, Carole Theriault. Hello, Carole!

Carole Theriault

Hello, Graham. Hello from Canada.

Graham Cluley

Oh, you're over in Canada at the moment, are you?

Carole Theriault

Yes, you know that.

Graham Cluley

Well, okay, I'm trying. I'm just trying to be friendly. The listeners don't know that. What are you doing in Canada, Carole?

Carole Theriault

I am visiting the family and doing a few little work things as well. So it's— and doing a podcast. There you go.

Graham Cluley

Doing a podcast. Sounds terrific. And we are joined as well by another international guest, a special guest, Mr. John Leyden. Hello, John.

John Leyden

Hello, listeners. My name is John Leyden and I work for The Register where I write about security. And I'm calling in today from Spain.

Graham Cluley

And there can't be many people who listen to this podcast who aren't aware of what The Register is. I mean, it's a—

Carole Theriault

Oh, they all must know John Leyden.

Graham Cluley

You would think so.

Carole Theriault

How long have you been doing The Reg?

John Leyden

Well, I've just counted it for the purposes of doing my bio, and it's 17 years coming up in December.

Graham Cluley

Oh, wow.

John Leyden

Which is so long.

Graham Cluley

Yeah.

Carole Theriault

So he knows his stuff, listeners. He knows his stuff.

Graham Cluley

You would hope so after 17 years.

Carole Theriault

Well, we'll find out. Let's find out.

John Leyden

I know people who know their stuff is more accurate to say.

Graham Cluley

And I think John may be one of our first northern guests. Is that right?

Carole Theriault

Okay, so northern means north of England, you mean?

Graham Cluley

Yeah, the north.

Carole Theriault

As opposed to North Pole?

Graham Cluley

We—

John Leyden

No, I don't— But it's called Smashing Security without a G. So is that kind of tribute to—

Carole Theriault

Oh, go on Twitter.

John Leyden

No, I take that as a tribute to northern pronunciation.

Carole Theriault

We wanted you to feel very comfortable.

Graham Cluley

All right, well, what we're going to do is the same as we do most weeks, which is we're going to look back over the last week's news and talk about the security stories which have caught our eye. And I'm gonna start this week with a story which comes from West Monroe, Louisiana, where the Griffin Funeral Home has suffered at the hands of hackers, because a bunch of hackers broke into the funeral home's email account and began, what?

Carole Theriault

I thought you were, for some reason, I thought you were gonna say they broke into the funeral parlor, which I thought, oh no.

Graham Cluley

What kind of sick mind do you have, imagining hackers crowbarring their way into coffins and besmirching them? No, it's not quite like that. No, what's happening is that the hackers have been taking over the email system of the Griffin Funeral Home and sending out scams from the organization. What was happening was an email was being sent from the owner of the funeral home, Ms. Glenda Griffin, asking for a favor, and it would say, "Good day. How are you today? Hope my email finds you well. Please, I would like to ask you a favor, so would appreciate if you would confirm that you received this. Await your response." Not very normal kind of English, is it? Particularly one that would be sent to people who use the services of a funeral home. And of course, the second message claiming to come from Glenda—

Carole Theriault

So they both came at the same time, or—

Graham Cluley

I think what they did was they waited for people to respond saying, "Oh, hi Glenda, what can we do for you? What do you need? What can we do for you? Yeah, you know, we've run out of bodies to offer you, you know, we've done that. But anyway, what favor can we offer you?" Anyway, the second message was one claiming that Glenda was in Ukraine with one of her cousins who needed $2,450 to pay for his prostate surgery.

Carole Theriault

I don't think I've ever seen this in any spam message before.

Graham Cluley

The prostate surgery is such a specific—I think what the scammers like to do is they like to pull on the heartstrings, don't they? Because that's more—if they pull on the heartstrings, maybe it will lead to the purse strings. And then they'll begin to get some money out of you. So they tell you a bit of a sob story. Oh, my cousin is sick. He's got prostate cancer. He's been undergoing treatment. But, you know, maybe you could send us some money and we'll pay you back as soon as we get back home. And of course, this is a scam, right? There's no one with prostate cancer, you know, in Ukraine waiting for this money. You know, the only people who are prostrate are the people in the coffins, probably. But what I'm actually most disappointed by is the scammers who I think are failing to take proper advantage of the situation. I mean, why aren't scammers being a bit smarter about their scams? If they break into a funeral parlor, for instance, why don't they send you a scam related to the funeral parlor? Wouldn't that be more smart to do that? They could see whose body they were currently processing on the production line, and send a message related to that. They could say that they found a gold watch or some money in the pocket, or halfway through embalming the body and they found the deeds to a Nigerian diamond mine worth $154 million.

Carole Theriault

Because, Graham, that would take a lot more work, right? Because they'd have to research Glenda Griffin and find out what her interests are and make it seem like it's from her. So this is just a blanket spam message. Presumably they've infected her computer to do this.

Graham Cluley

Well, what they've done is they've broken into the email account of the funeral home. So their funeral home business apparently was using a Yahoo email account. Oh dear.

John Leyden

Exactly. Well, that's the hack there straight away, isn't it?

Graham Cluley

Well, they are one of the 3 billion Yahoo user accounts which were compromised in that hack, which happened a few years ago. So, you know, that's the first mistake which happened. But, you know, I just think the scammers are sort of letting the side down a bit. They're just sending regular scams, right? And people are instantly going to think, well, why is a funeral parlor sending me this? Why are they saying, sorry for not burying your granny, but I'm stuck in Azerbaijan? It's not really going to fly, is it? Well, you know what?

Carole Theriault

We're really sorry you're disappointed with the spammers' behavior, Graham. Poor you. Maybe you should give them lessons on how to improve it to make our lives much, much more difficult.

Graham Cluley

Well, hey, if they're listening to Smashing Security, then they're getting some tips right now, aren't they? I'm just saying, put a little bit more effort in, guys. And then maybe you won't be— maybe you won't be simply exploiting the vulnerable and the elderly. Maybe there are other people who you can scam instead. I just think it's a bit pathetic just sending out the same old scam regardless of what email address you've actually broken into.

Carole Theriault

The problem is, it probably works.

Graham Cluley

Well, yeah, it probably does for a small percentage, doesn't it?

Carole Theriault

Right. And how much, you know, how much effort do they have to do? How many words are in this email? About 100, you know, and you can use this as a blanket one for any email account you compromise.

Graham Cluley

But, you know, they are going to some effort because what happened was Griffin Funeral Home, they tried to change their password to regain control of the account, and they did that on 4 occasions, and each time they found themselves locked out again because the hackers had been changing the security questions and answers tied to the account. And so they kept on being kicked out. Oh, that's a little bit clever.

Carole Theriault

Right.

Graham Cluley

So they were sort of actively trying to keep control over the account. And I watched a news report about the case, and initially I was baffled because they showed, you know, the staff members crouched around a Gmail inbox. But then an employee said, "Oh, we've been in touch with Yahoo, but Yahoo haven't really helped." And I was just like, "Well, maybe you rang the wrong guys, people." But it turns out that they've now created an alternative email account for the company on Gmail because they can't use their Yahoo anymore, and they're hoping people will believe their Gmail account is trustworthy rather than the Yahoo one, which they've been talking to people from in the past. I imagine that Yahoo account is probably going to become something of a dead letterbox.

John Leyden

Oh dear, that's such a terrible joke. This is what he does. Can I ask a couple of questions about this one?

Graham Cluley

Yes, please do.

John Leyden

Actually, an observation. I've read studies where people say that the scenario presented in these scam messages is deliberately made implausible in order to suck in the more credulous.

Graham Cluley

Yes, and the more vulnerable.

John Leyden

So criticizing it for being implausible, it's like, you know, it's designed to be implausible. It kind of goes against common sense, but that's— if you understand the scam, what they're trying to do is get people on the line who want to believe very improbable things, and scammers will be wasting their time if they end up dealing with people who double-check things.

Graham Cluley

I see. So the idea is you target people who believe incredulous things because they're more likely to go through the entire process, ultimately giving you $100,000 or something like that.

John Leyden

Ultimately giving you some money. I mean, once people have paid some money in, then they're much more likely to pay more money in because they're worried about losing the small amount that they've lost. They get sucked in.

Carole Theriault

You think it would be smarter for the scammers to rather than have the first or second message ask for £2,450, to ask for maybe £25? Because people might be more likely— I mean, I don't know how many people have that kind of money lying around willy-nilly.

Graham Cluley

I don't know how much prostate surgery costs in Ukraine, but I suspect it's— I wasn't suggesting it's only £25.

John Leyden

I think it'd be more— I think it'd be— I agree with Carole that it seems to be more likely if they ask for a small amount first.

Carole Theriault

Yeah, and rise up to the prostate cancer, you know, get there. That was a bad choice of words.

John Leyden

We're not operating as a school for scoundrels here, are we? Giving them tips.

Carole Theriault

Yeah, yeah, Graham, we're not a school for scoundrels. I'm with John on this.

Graham Cluley

You're right, you're right. What we need to do is give people some good, sensible advice to avoid being hacked like this, right? Yeah, it's Yahoo. So here's— well, yeah, maybe you shouldn't be on Yahoo, but protect your email accounts with a strong, unique password. Enable multifactor authentication. Be careful when choosing your answers to security questions. Don't make them things which are easy to Google and find the answers out that way. Make sure your emails aren't secretly being forwarded elsewhere or other suspicious apps haven't been granted access to your account, because sometimes even after you change the password, you may find a third party can still access them if they've previously doxxed it in that fashion. And maybe listen to our previous podcast. Number 14, all about protecting webmail, where we talk about this in depth. Really good strong advice in there about how to defend your webmail accounts. Look out for people who are maybe more vulnerable in your family who might be at risk of falling for scams like this, and hopefully they won't end up out of pocket. What we don't know is whether anyone actually fell for this. All we know is that the funeral home hasn't been able to regain control of its email account, so it doesn't know who actually is getting back in touch with these scammers and who potentially might be at risk of giving them money as well. I think they've been slightly creative.

John Leyden

Imagine if you were a café full of fraudsters in Lagos, for example, and they're going through a list of accounts that they've compromised and thinking, oh yes, we've got this account, we've got this account. Oh, let's do a CEO fraud scheme. Let's pretend to be a supplier who needs urgent payment. And let's pretend to be the CEO who wants someone in accounts to transfer that payment. So that's the typical scenario. And then someone says, oh, here, I've got a funeral home. I mean, chief executive of a funeral home probably doesn't have an accountant who we could send an email to and try and con them to send money to. Let's do something else entirely. So in actual fact, this might be quite creative. This might be a kind of coffee break project that someone jumped up in over the water cooler in Lagos somewhere.

Graham Cluley

It might be. Anyway, check out our previous podcast. You can find out more about how to protect your webmail account there.

Carole Theriault

Yeah, it's a good podcast, that one. It's really good. It's worth listening to.

Graham Cluley

And John, what have you got for us?

John Leyden

Okay, I want to talk about a story we've been covering for the last couple of weeks, which is quite an interesting one. I'll start by asking this question. Which is the odd one out of these four? Okay. The Pirate Bay, Pulitzer-winning political fact-checking site PolitiFact, UpToBox, which is a Dropbox clone, and the official website of Real Madrid footballer Cristiano Ronaldo.

Graham Cluley

Which is the odd one out?

Carole Theriault

I would think they're all unconnected.

John Leyden

You're not going to get there. It's one of those ones where you have to know the answer and it's not fair. What they all have in common was they were all running crypto mining code on their sites.

Graham Cluley

Hang on. You said which one's the odd one out.

John Leyden

I have to explain what they've all got in common before explaining what the odd one out is. Okay. All right. The odd one out was PolitiFact, because PolitiFact was not deliberately running crypto mining software. Okay, and the other ones were deliberately running this. Pirate Bay and Uptobox admitted running code on their websites as an experiment, an experiment that since has been abandoned.

Graham Cluley

Hang on a minute, hang on a moment. I think we need to explain to people— I mean, I'm sure many people listening to the podcast are aware of what crypto mining web pages are, but can you just explain what that actually is and why people may not want that?

John Leyden

Right, each of these sites is running code on them that generated their crypto coins, involved generating cryptocurrency. Now people are more familiar with bitcoin. What it involves is running software that works through a complicated mathematical process to derive code which then has a value.

Graham Cluley

So what's happening is there are websites out there now which just the act of you visiting them will initiate a process which will use up some of your CPU time to try and mine cryptocurrency for the benefit of the people who put that particular piece of mining code on the website. And you may be entirely unaware that this is happening. Apart from— that was like PolitiFact.

Carole Theriault

So they didn't know it was right.

Graham Cluley

Well, they didn't know it was running, but also people who are going to these websites may not be aware that these websites are doing this in the background as well, using up the resources of their computer. And this is happening.

Carole Theriault

So basically, if I went to this site on my computer, so I went to one of these sites, my CPU usage would be used?

John Leyden

That's right, Carole. Your CPU usage and your electricity will be used to mine this currency. What you would find is that the site would be running very slow. In the case of PolitiFact, it was spawning at least 8 instances of JavaScript running this program to generate a cryptocurrency, not bitcoin, one called Monero, which is the same idea but a different currency.

Graham Cluley

And in some ways, this is quite cool because it's another way for websites to generate some income and maybe it's a way for them to drop having adverts, but are they asking my permission? Exactly. There's this impact on the visitors to the website. Have they asked your permission? Are you happy with them using up your resources in order to put a few pennies into their pocket?

John Leyden

This is at the heart of the issue. Now, the main program that's being used in this respect is something called CoinHive, and the technology is there as a means for websites, as Graham said, to earn an income without running ads. Now, that's why Pirate Bay and Uptobox ran the code as an experiment.

Carole Theriault

So why don't they have a forum saying, hey, do you mind if we do this instead of giving us the, you know, instead of us providing you ads, we'd like to use some of your CPU usage to do some.

Graham Cluley

The reason why they don't do that is because they know people will say no, we don't want you doing that. That's why they, you know.

Carole Theriault

Well, then turn on ads.

John Leyden

It's actually slightly, you're on the right lines, but it's actually slightly more complicated than both of you are suggesting.

Carole Theriault

Okay. In the last 10 days, they've made $40K.

John Leyden

It was about a month prior to October the 10th. But I think it's an interesting topic for us to discuss because people don't like ads anyway, but because ads can be intrusive, annoying, malicious. Malicious sometimes. That's not a lot. So could sites come up with a different alternative involving micropayments or something like this, short of having a paywall to pay for their work and the cost of running the site? Now, cryptocurrency really does offer some kind of potential there, but I agree with you, they only should be used with consent.

Carole Theriault

This is it. The other tests that they've done used goods like nail polish remover, hand sanitizer, rubbing alcohol, and all these resulted in large fires, although no explosions. So my question is probably the same as yours: why aren't we banning aerosols and all these dangerous products, so that we can actually have something useful like a laptop?

John Leyden

And the problem here is that it isn't used with consent. This sort of thing will become more commonplace, at least in terms of people who don't care about the performance of the website or aren't bothered that people are having a bad time visiting websites.

Carole Theriault

Now, I am not someone who ever likes to put these devices into cargo. This is something that, you know, because I like to work on the plane, and I also, I've lost so many bags in my life or had them rerouted. I want to keep my devices with me. But there are some people that like to have it, you know, maybe they're carrying more than one laptop and they don't want to have to carry that on their shoulders. Maybe they have a bad back, whatever. But it's pretty, you know, it's pretty scary that we are getting very contrary advice. The resulting threat of this is an explosion, right? So there's either an explosion in the cabin or there's an explosion down in the cargo hold if there's too many lithium-ion batteries down there.

Graham Cluley

I don't know.

John Leyden

Because Coinhive have previously encouraged developers to play fair with people and to throttle the calculations, because in the case of PolitiFact, it was running like billy-o, it was just maxing out everything going. Now it's saying that it's released a version of its software called AuthedMine, which has a user consent page. Now, but I don't think that's going to solve the problem, and I can explain why briefly. As well as Coinhive, there have been 3 or 4 different variants of this software that have come up. And this is a way for unscrupulous people or anyone to make money. How prevalent is this technology? It's actually becoming more prevalent. AdGuard found 220 websites, mostly smut websites, torrent trackers, the kind of slightly shady, illicit end of the internet, were silently launching this technology and mining cryptocurrency. The technology to mine it is out there. And now Coinhive are saying, we're going to put in consent, but I don't think it stops the problem. I think different versions will come about that allow people to run JavaScript code that generates cryptocurrency. Someone who can put that code on a website can direct that code to raise funds, essentially, to a wallet of their choice. So that's the technology, and it can be used for good or ill. How much money are these guys making from doing this? Because we have some kind of answer to that as well. From the AdGuard study, Sophos found that 220 websites were mining this, and it looked at all the instances of Coinhive on the internet, and it tried to work out how much money was being made based on the value of Monero, which is the main currency generated through this. And it found that these guys were making $43,000 as of October 10th based on the average time people spent on websites. The last 10 days.

Graham Cluley

No, but it would get me about 20 prostate operations in Ukraine. I mean, it's, you know, if—

Carole Theriault

I wouldn't mind making that money.

Graham Cluley

And it's not terribly much effort, right? Either for the websites themselves to add the bit of code or for a hacker to find a vulnerability on the website and plant the code. It feels to me a bit like these things are, they're akin to potentially unwanted applications.

John Leyden

Sure, if you're happy with that. They are akin to potentially unwanted applications, and that's why the ad blocking people and security software vendors such as Malwarebytes are giving people the choice to block this technology.

Carole Theriault

They're alerting it as a PUA, and they'll say, "Hey, it's a ransomware." They're alerting it as a potentially unwanted application.

Graham Cluley

You know what could be an interesting way of moving with this? Because there is a problem. Websites need to make money. Adverts are unpopular or they're malicious. Paywalls aren't working. Paywalls don't really work. This sort of thing is abusing people. People's trust and it is just stealing too many resources. I wonder if someone, and maybe it would be a browser developer, could say, okay, we're going to help monetize the web for those sites which want monetizing. We'll build some sort of crypto mining into our browser where it would work with an API with particular websites. It would do it in a sort of responsible way where you could determine how much percentage of your CPU or resources you were prepared to give and make that a small number so there's not a significant impact on your resources. And that would then give a little bit of money back to the websites. I wonder if it needs someone to sort of be there as the sort of the person on the totem pole to say, this is how we're going to do it. And then everyone could jump onto that model rather than everyone building their own code to do this and then abusing people's permission. I don't know. It's just an idea.

Carole Theriault

Yeah, well done.

Graham Cluley

TM it. TM Graham Cluley. There you are. And I'll have 10% of everything that's mine.

John Leyden

Oh my goodness. You see, you greedy little— The avaricious nature of the Cluleys. So greedy.

Carole Theriault

Now you know why it drives me crazy.

Graham Cluley

Have I mentioned the Smashing Security store lately? Go and buy a t-shirt or a mug. Why don't you? We're making a fortune there, aren't we, Carole?

Carole Theriault

Well, you might be. I haven't seen a penny. Well, we'll talk about this after the show.

Graham Cluley

Carole, what have you got for us?

Carole Theriault

Well, I wanted to unpack the airline device ban saga. So you may remember earlier this year the Trump administration were forcing passengers that were flying from certain countries, such as Cairo, Kuwait City, and Dubai, to put large devices like laptops, cameras, and tablets into checked luggage. To quote the Department of Homeland Security, "we have reason to be concerned about attempts by terrorist groups to circumvent aviation security, and terrorist groups continue to target aviation interests." So 56 routes were affected by this. Now, this rule was imposed to counter the potential threat that larger devices could be harboring explosives. So this was all back in March, right? So a few months later, in May, American security officials met with European counterparts to discuss the expansion of this ban to European airports. And around 400 nonstop flights leave Europe for the United States daily. So this would affect about 100,000 travelers every single day.

Graham Cluley

And just imagine the impact that would have on people. I mean, not just that you wouldn't be able to work during your transatlantic flight, but all those kids who wouldn't be able to have iPads. Oh no. And they'd go feral. Horrifying. This would be a real nightmare for any road warrior or parent for exactly your reasons. I would like to use that time to work efficiently, right? And if I don't want to work, I want to watch a movie or something of my choice, and that normally means I need to have my device there. I have been on airplanes where there have been explosive gases emanating. I think this is a concern for all of us.

Carole Theriault

So two years ago— That was quite funny. No, it wasn't. This is talking about people being bombed, okay? Not ass farts. So two years ago, the Federal Aviation Administration convinced the Civil Aviation Organization to ban cargo shipments of lithium-ion batteries on passenger planes and to require that the batteries shipped on cargo planes be charged to no more than 30%. Now, I didn't know this at all. Apparently the risk of a battery overheating is much lower if the battery isn't fully charged, which is interesting.

Graham Cluley

Oh, I didn't know that. And the other thing is that sometimes when you go through airport security, they want you to turn on the device and it's like, well, tough luck if the battery's run out, isn't it? Yeah, exactly. So you're sort of gambling even more now, aren't you?

John Leyden

So what you're saying here is it's like a sweet spot where you get through the control if you've got between I don't know, 20 and 60% and higher than that, then it's watch a video or play an online game for a few minutes and then come through.

Carole Theriault

And also, it'd be, you know, it'd be almost impossible for them to be able to check every single laptop to see whether or not it's fully charged. That would take a lot of time, wouldn't it? Yeah. So, so basically, let's— so to recap here, we've got the Trump administration that was basically trying to— were talking to Europe about saying, hey, maybe all big devices should go in cargo. And then we've got the FAA on the other side saying, whoa, if we do that, there's a big problem with explosions and intense fires. So just this week, the FAA have been recommending that the UN agency— this is the agency responsible for setting global aviation standards— actually prohibit passengers from putting laptops and other large personal devices into their checked baggage. Oh, so we've got contrary advice here. What's interesting is the FAA have kind of been saying this for years now. They've finally come up with some tests to actually show what they mean about this. And this is where it got all very interesting and I decided to cover the story. So they've done 10 tests of fully charged laptops packed in suitcases. In one of the tests, they used an 8-ounce aerosol can of dry shampoo. Okay, now this is a product that— I don't know, if people don't want to wash their hair, they spray it on and it looks clean, I guess. And this is permitted. This is an aerosol can, which is permitted in checked baggage. And it was strapped to the laptop. A heater was placed against the laptop's battery to force it into a thermal runaway, a condition in which the battery's temperature continually rises. There was a fire almost immediately and an explosion within 40 seconds with enough force to potentially disable the fire suppression system. Oh crikey, that's scary stuff, right? And here we had the Trump administration saying, hey, no, we want all laptops down there.

Graham Cluley

And yet you're allowed to take hair conditioner or whatever it is in an aerosol. So we have to keep laptops and hairspray away from each other on planes.

Carole Theriault

If you really need dry shampoo and hairspray that bad— unless you're Trump, I don't see anyone who needs that.

Graham Cluley

So maybe rather than giving us all these controls over laptops and whether we should check them into luggage or take them as hand luggage onto planes, maybe we should just simply have a rule of you don't need hairspray. Well, for goodness' sake, and go and buy it when you arrive in America.

Carole Theriault

It's interesting because I was thinking, how is the US Homeland Security dealing with this kind of— it's almost a fight between the FAA and the Homeland Security, isn't it? So it seems that in June this year, they started kind of backtracking on the whole cargo hold enforcement and instead decided to go down the route of requiring nearly 200 airlines to meet new heightened security and screening protocols. Now apparently these are not going to add to the waiting times, but there's going to be more sophisticated protocols to screen people and devices to try and combat this threat.

Graham Cluley

How can it not increase waiting times and security?

Carole Theriault

And already we have to take laptops out of bags, you know, we have to put them through the scanners. All devices that are bigger than your mobile have to go through that way anyway. So I'm not sure what— and I haven't found anywhere where they're kind of explaining what all these screening procedures are, and I guess they can't because obviously then there could be a countermeasure around it.

John Leyden

So it could be said perhaps that in protecting against one threat, protecting against that threat comes with trade-offs. Oh, everything does, yeah. Right, and some of those trade-offs might mean that a different threat makes you more vulnerable to that threat. So it's a complicated mix. It's coming up with these rules must be quite difficult because it's not, oh, to be secure you need to do A, B, C, D, E, F, G, right? It's if you do that, then you have that risk to think about, if you put, you know, laptops and so forth with lithium batteries in the hold, what happens if something happens to them and they expand and release a gas?

Graham Cluley

That could be dangerous. I wonder who's importing all this hairspray into America, and do they realize the impact they're having on the ozone layer? If they believe in climate change, of course.

John Leyden

Maybe they don't. Start off with the people who've got big heads of hair, big bouffants. Yeah, rule out the baldies first, I think. Yeah. Okay, John, you're clear. I'm clear. All right. Well, let's find out who our sponsors are this week. This episode of Smashing Security is supported in part by Entersekt.

Carole Theriault

This episode of Smashing Security is also supported in part by Netsparker. Netsparker is a web application security scanner that automatically finds security flaws in your website and fixes them before hackers can exploit them. Try it now by downloading a demo at netsparker.com/smashing.

Graham Cluley

On with the show. And welcome back to the show. And we're at the part of the show which we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

John Leyden

Fine. My pick first, is it?

Carole Theriault

No, you just have to—

Graham Cluley

No, no, no. Oh, goodness gracious. No, John, you just have to say Pick of the Week.

John Leyden

Oh, I have to say Pick of the Week too. I didn't know I had to say Pick of the Week.

Carole Theriault

He just said it. Boom. He said it. He said it. It's a tradition.

Graham Cluley

Pick of the Week. Okay. Pick of the Week is the part of the show where we choose something that we like. It could be a funny story, a book that we've read, a TV show, a movie, record, app, website, podcast, whatever you like. That's not security related. Well, it doesn't have to be security related necessarily. No, it's definitely not.

Carole Theriault

I was trying to get in first. I was trying to get in first.

Graham Cluley

And that's mine. And my pick of the week is, do you guys remember the first time you ever got an iPod?

John Leyden

Yep, I do. I do.

Graham Cluley

Do you remember the experience of opening up the packaging? Yes. How beautiful it was. Yes. It was like getting a beautiful diamond from Tiffany's or something like that. It's just, oh, the packaging and the way the cellophane opened, it's just like, oh, they've thought of everything. And it was wonderful, wasn't it? It was really fantastic. Well, there's a company now which is trying to bring back those kind of memories. A company called Twelve South, who normally make Apple gizmos like cases for your iPad or stands. Okay. Well, they have made a candle which makes your home smell like a brand new Apple Mac. Oh, for God's sake.

Carole Theriault

Oh, I don't think I could do this podcast anymore.

John Leyden

What does a brand new Apple Mac smell like?

Graham Cluley

Ah, well, well, let me refer to their blurb. Okay. They say, "With every whiff of our Inspire candle, you'll find strong notes of bergamot, lemon, and tarragon, scent profiles that clear your mind of clutter and stimulate creativity."

John Leyden

This is ridiculous. They've got the scent of potpourri and they've figured out a way of selling that to hipsters at 10 times the normal price. It's terrible.

Carole Theriault

The stench of desperation, what it sounds like to me.

Graham Cluley

$29.99. You are— here we are for your candle.

Carole Theriault

Any listener who's bought one of these, please get in touch at .

Graham Cluley

I must admit, I haven't bought one, but it tickled me so much that I thought I have to mention it on the show. $29.99. So clearly they're going for the Apple Mac typical marketplace. We aren't afraid to pay over the odds.

Carole Theriault

Well, what if they think we're idiots?

Graham Cluley

Anyway, they say that some of the proceeds are going to charity. So I guess that excuses everything else, doesn't it?

Carole Theriault

Yeah, I can tell the marketeers were like, look, no one's going to buy this unless we have a charitable link. What?

Graham Cluley

They had the first version of this candle a year ago, and they say they sold out. It's now been improved.

Carole Theriault

Yeah, well, how many did they make? 5?

Graham Cluley

It's your birthday coming up in a month or two, isn't it?

Carole Theriault

Yeah, let's put our friendship to the test. So there you are.

Graham Cluley

If anyone does try it out, let us know on Twitter or on our Facebook group, or drop us an email.

Carole Theriault

Tell me why you're not an idiot.

John Leyden

I'm going to do a very disparaging story if I find out you bought Carole candles that smell of pineapple milk.

Carole Theriault

Johnny, John, Mr. Leyden, I will call you if that happens. This is bad.

John Leyden

You just have to call things out. This is the end of the world.

Graham Cluley

That's what they're saying. $29.99 for a candle. John, what's your pick of the week?

John Leyden

Okay. Everybody, or almost everybody, loves a murder mystery. A new series has been screened by the BBC. It comes from a team of documentary makers who were embedded for a whole year with a team of murder detectives from my very home city, Manchester. Now, one of my formative experiences as a journalist was 15 months as a crime reporter. I didn't see what this program shows. It was a very formative experience, and I learned a lot about human nature as well as the craft of writing during that time. This program is called The Detectives: Murder on the Streets. It's a 4-part series. It's available through the iPlayer. Now, I must say that we've already missed one of them, but it's still worth catching this series. What we're seeing here is we're following the detectives from the point where they investigate crimes from the very first call to the point where they are canvassing the local area around the crime, finding witnesses, talking to charities and others who might be able to help them, local businesses who might be able to help them with the crime, surrounding CCTV footage, which is an important part of many investigations. But most fascinatingly, it goes into the point where they're identifying suspects and the interviews of those suspects, and then the subsequent forensic examination. And that's where it gets really good. Because they're interviewing the suspects and they're showing the police who are in a different station watching the live video of the suspects being interviewed. It's absolutely fascinating.

Graham Cluley

I will watch it. It sounds terrific.

John Leyden

But I must add, there is a technology angle here, and a very strong one, if I might say so. No, there is. Issues around how law enforcement use metadata of mobile phones are being kicked around in the technical press for years now. Now, metadata, for those who don't know, that involves not the content of calls, but it involves the number that's been called, the duration of a call, the location from which a call has been made, and the date and the timing of the call, of course, or an SMS message. Now, in this program, they show how an investigation of a case of a local man gone missing hinged on tracking his mobile phone, and I won't give away anything more than that, but it's absolutely central to the case because this guy had gone missing. He hadn't contacted anybody, he hadn't used his cash card or anything, and it was his mobile phone that was crucial to the case. The program is called The Detectives: Murder on the Streets, and it's available through BBC iPlayer.

Graham Cluley

Okay, cool. That sounds quite fascinating. I think I might have seen one of those episodes.

John Leyden

It is very— I mean, it is Manchester noir. I have to warn people that it may feature scenes of raining and people waiting around and people being in interviews saying no comment and so on and so forth. So it shows the whole thing and is really interesting.

Graham Cluley

Sounds superb. Well, if I had to choose between a candle which smelled like a brand new opened Apple Mac and watching that I think I'd probably go and watch your documentary.

Carole Theriault

Sounds quite good to me. Really? Really? Wow, you surprised me.

Graham Cluley

Carole, what's your pick of the week this week?

Carole Theriault

I want to talk about the scourge of autoplay. Don't you hate when media autoplays when you go to a website? I frickin' hate it. I hate it. I hate it. I hate it. And I get— I understand why some people do it. They want to up their hits and la da da da da. But sometimes you go to a webpage and it's a story, suddenly your media player starts blaring and it's a completely unrelated story to what you actually are trying to look for. Yeah. And it's so counterproductive, isn't it? I can't imagine that anyone actually likes it. And you're not actually wrong. So I didn't know this, but it turned out that in June this year, Safari actually blocks now automated playing of media by default. Default. You go to the Preferences tab, you can actually add sites that you want to allow to play media automatically. And so I am giving Apple a very huge dramatic hat tip for that, because that is something that I hope everyone is going to copy. When I read about this, I started looking around, and it turns out that Google has plans to do this, but it's not there yet. So there was this extension, this Google extension. I think it was an article in the Next Web. This is about last year sometime. It basically was an extension that allowed you to block media. But it turns out that it's not being maintained and it hasn't been updated in a while, so that's just something I can't recommend anyone install, so I don't want to install it either. But I found a new article that says Google is planning to follow in Apple's footsteps, although they didn't word it that way, and introduce the new autoplay policies and controls in January 2018. So that's only a few months away for the rest of the— for Chrome users. So keep your eyes open for that. For any of you out there who hate the autoplay of media, either jump over to Safari or keep your fingers crossed that Google get it right in January and they turn it off by default and allow you to turn it on when you want it on.

John Leyden

It's a great idea and well done Apple for debuting it first.

Graham Cluley

Yeah, yeah, absolutely. And good to end on a positive note. That just about wraps it up for this week, I think. We have to thank John Leyden for joining us. John, if people want to follow you online, what's the best place to do that?

John Leyden

Well, the best place is our website, theregister.co.uk. Nice plug. You can find plenty of stories there from myself, from my colleagues, including my San Francisco Bay Area colleague Iain Thomson on many aspects of security. Or if you wanted to chat, then I can be reached through Twitter as @JLeyden. Excellent.

Graham Cluley

And you can also follow the podcast on Twitter @SmashinSecurity. There's no G, not because we're northerners, but simply because Twitter wouldn't allow us to have that many characters. And we're also on Facebook now. You can go to Smashing Security. Smashingsecurity.com/facebook, and that will take you automatically to our group. And if you did want to buy a t-shirt or a mug or a sticker, we have a store which you can visit via our website.

John Leyden

Stop bickering, you two. Okay. You've started again, haven't you?

Graham Cluley

Oh dear. Thanks for tuning in. If you know someone who might like the podcast despite the bickering, please tell them about it. And don't be afraid to get in touch as well. Until next time, from all of us, cheerio, bye-bye, goodbye, adios. I've got a plane going overhead. I don't know if you can hear that.

John Leyden

I can. Yeah, just stops for a few minutes.

Carole Theriault

It's a pretty slow plane if it's gonna take a few minutes. It will be. Maybe we have to go through Smashing Security checks.

EPISODE DESCRIPTION:

Scammers show a lack of imagination after hacking a funeral home, more websites are secretly stealing visitors' resources to mine for cryptocurrency, and everyone is very confused about the USA's airline laptop ban.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's John Leyden.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: John Leyden.
