This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
I'm a bit of a fan of figure skating, I'll be honest with you, I quite like it.
Carole Theriault
Oh really? I'm taking you figure skating.
Graham Cluley
I'm not a fan of doing it, Carole.
Carole Theriault
Yeah, no shit, I've never seen anyone cling to the edge of the rink looking like they're fearing for their lives.
Unknown
Smashing Security, episode 104: The World's Most Evil Phishing Test and Cyborg Ransomware Phishing Attacks and Ransomware Attacks in the Workplace with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 104. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Carole Theriault
Hello. How are you?
Graham Cluley
Thank you very much for asking. I'm absolutely gorgeous. I think that's without question. You all right?
Carole Theriault
Oh yeah, fine.
Graham Cluley
Kind of normal, I guess. And we're joined by a special guest returning to the show, Scott Helme. Hello, Scott.
Scott Helmee
Hello, hello everyone.
Carole Theriault
Welcome back.
Scott Helmee
Thank you.
Graham Cluley
It's good to have you back. Of course, Scott, you have caused something of a furore in some of your past appearances that, you know, I have. Well, you know, you are all embracing of the— well, I can't name her, can I? The Alexa.
Scott Helmee
Yes. Oh, good job you're on my headset because she didn't turn on. It's okay.
Carole Theriault
Hi, Scott. What can I do for you, Scott?
Graham Cluley
And all manner of other IoT devices.
Scott Helmee
Yes.
Graham Cluley
It's great to have you on. What have you been up to lately? Are you doing anything exciting at the moment?
Scott Helmee
Right now I'm spending most of my time working on my new startup and I do a lot of traveling for training. So I get to kind of jet set around a lot, which is really nice, but super tiring as well. I actually just got back this weekend from being in Holland for a week, which was beautiful.
Carole Theriault
Oh, I'm so glad you've allowed a pit stop for us because I've chosen my topic, my main story just for you.
Graham Cluley
Well, and my story today, Carole, has something of a Dutch connection as well.
Carole Theriault
Well, this is serendipitous, boys.
Graham Cluley
Very impressed, Carole, four syllables. The examples you've used there, very good indeed.
Scott Helmee
I'm just Googling that, hang on.
Graham Cluley
Smashing Security is this week sponsored by the marvelous folks at LastPass. LastPass allows you to protect all of your passwords across all of your devices, whether they be laptops, desktops, or smartphones. And if you're an enterprise, you should really run a password manager as well, because you can defend your employees and put in place password best practices. Make sure to give them a try. Visit lastpass.com/smashing. And thanks to LastPass for supporting the show. And welcome back. Now, have either of you two ever made an itsy bitsy bit of a mistake at work?
Carole Theriault
Never.
Graham Cluley
Ever made a little blunder?
Carole Theriault
Never in my life have I made a mistake.
Scott Helmee
No. Yeah, I agree.
Graham Cluley
You're both perfect employees.
Carole Theriault
Perfect.
Graham Cluley
Well, the truth is that we all goof up from time to time, apart from—
Carole Theriault
This is what people who goof up tell themselves.
Scott Helmee
Ouch.
Graham Cluley
I would argue it's only human. And it's these goofs, of course, that cybercriminals often depend upon for their evil plans to succeed, whether it be an IT administrator not applying a patch or a careless click on a phishing link.
Carole Theriault
Dun dun dun. Are you trying to make this mysterious?
Graham Cluley
Well, not mysterious so much. I'm going to take you somewhere beautiful right now. I'm going to take you to the somewhat flat city of Amsterdam. Have you ever been to Amsterdam, you two?
Carole Theriault
Yes.
Scott Helmee
I flew through that, yes.
Graham Cluley
Yeah, fantastic, isn't it?
Carole Theriault
Fantastic city.
Graham Cluley
Famous for its bicycles. You big fan of bicycles? Giggles, Carole?
Carole Theriault
Sure.
Graham Cluley
Dutch tulips. Do you like a Dutch tulip? Scott?
Carole Theriault
What's going on here?
Scott Helmee
I'm not sure.
Carole Theriault
He's buying time.
Scott Helmee
They are beautiful.
Graham Cluley
Canals. Fan of canals. Yes. Coffee shops, Carole? It doesn't even need asking, does it? Anyway, Amsterdam is also home to the Dutch branch of the Pathé cinema chain.
Carole Theriault
They put out a lot of good movies, Pathé.
Graham Cluley
They do. They've actually been around since 1896. Can you believe?
Carole Theriault
The very early days of filmmaking.
Graham Cluley
Founded in France by the Pathé brothers. The Pathé Frères. Over 100 years later, they're still going strong, producing movies, distributing them around cinemas across Europe. And good for them.
Scott Helmee
Huzzah!
Graham Cluley
Now, I'd like you to imagine, Scott, that you have been appointed chief financial officer of the Dutch branch of Pathé. All right?
Scott Helmee
Okay.
Graham Cluley
In real life, your name is Edwin Slutter. Now, that's not something to be amused by. OK, it's just a normal Dutch kind of name. And you, Carole, you're Scott's boss. You're the CEO of the Dutch branch of Pathé, and your name is Dutchy Major. OK? OK. And for you two, it's your job to keep a close eye on each other and make sure the other is doing their job properly.
Carole Theriault
OK. Well— Edwin, you following the rules?
Scott Helmee
How can I keep track of all this?
Carole Theriault
I have no idea. This is insane.
Graham Cluley
Just keep an eye on her. Just keep an eye on her, OK? Well, Carole, you are the CEO, okay? And one day in March, you receive an email from your uber boss. Not literally the boss from Uber, but the head honcho of Pathé in Paris.
Carole Theriault
Okay, like the top dog. Top dog.
Graham Cluley
Top dog. Or as they say, top chien.
Carole Theriault
Le grand chien.
Scott Helmee
Well, I've just been transported to Paris.
Graham Cluley
What happened? Yes, it's uncanny, isn't it? And so they say, aye, have you been contacted by Monsieur from KPMG this morning? And the CEO of the Dutch branch says, 'No, I haven't heard from him. Can you explain why he would contact me?' And the French CEO says, 'It is concerning an important confidential matter. I want you to take care of it. Here are his contact details.' And this is the grand chien saying this, right?
Carole Theriault
This is le
Graham Cluley
This is le chien grand who is saying this to the Dutch CEO, who's considered a lowly CEO compared to the French one. Yes.
Carole Theriault
chien grand who Okay.
Graham Cluley
And so he gets in touch with the contact details he's been given of his contact at KPMG and explains that there's a complex financial transaction taking place to acquire a foreign corporation based in Dubai, and it has to remain completely and utterly confidential. No one else must be made aware of it, including the CFO.
Carole Theriault
is saying this, right?
Graham Cluley
Scott, that's the job you're doing. Edwin Slutter.
Carole Theriault
Yeah, you just carry on with your head in the sand there, Mr. CFO. Don't know nothing to look at here.
Graham Cluley
The CFO mustn't be told, but there's money which has to be moved. Now, the Dutch CEO was suspicious. Carole, you would be suspicious, wouldn't you?
Carole Theriault
Well, I would be like, hmm, this is unusual that I should send money.
Graham Cluley
Well, in fact, she was so suspicious of this email from the French CEO who told you not to tell anyone, including Scott, that you forwarded the email to the CFO.
Carole Theriault
To Scott?
Graham Cluley
Yeah, to Scott. Saying?
Carole Theriault
Going, dude, look at this.
Graham Cluley
Saying, isn't this a bit strange? And so you go back to the French CFO and you say, we're struggling to understand how exactly we're meant to do this, because under Dutch governance regulations, we need confirmation from another senior director.
Carole Theriault
Okay, fair. Okay, good.
Graham Cluley
So they've questioned it, and sure enough, another email shows up signed by another senior director of Pathé in France, attaching what appears to be an invoice from a Dubai company called Towering Stars General Trading. And it's asking for €826,521 or $945,000.
Carole Theriault
Okay, so a big money transaction needs to be kept on the quiet. And the big head honcho, Le Grand Chien, has told me, the Dutch CEO, hey, just do this and keep it under your hat. I involved Scott, however, saying, look, this is weird. And my CFO Scott said, yeah, let's ask him again and tell him what to do. They've gone through all the hoops. Everything's above board.
Graham Cluley
Gone through all the hoops. At least they've done all this via email, haven't they?
Carole Theriault
Right.
Graham Cluley
And a few days pass. Scott, you've gone on holiday, right? You've left Carole in complete charge of all the money.
Carole Theriault
As you should.
Scott Helmee
And herein lies my mistake.
Graham Cluley
Huge, huge mistake.
Carole Theriault
Hey, I'm great with money.
Graham Cluley
Carole, you as the MD, as the managing director of the Dutch branch, email the French CEO using the personal email address that he's given you because he—
Carole Theriault
Oh, whoa, whoa, you didn't mention the personal address.
Graham Cluley
Oh, well, this has now come up. He said, look, we need to make sure no one intercepts this, including the IT team. And so please use my personal email address instead.
Carole Theriault
Okay, okay.
Scott Helmee
I have so many alarm bells in my head.
Carole Theriault
Yeah, right now I've got a lot of alarm bells.
Graham Cluley
Unfortunately, Scott, you're on holiday.
Scott Helmee
You might be having a good time. I'll turn all the alarms off.
Carole Theriault
You in your little swim trunks, sipping the margarita.
Scott Helmee
Little budgie smugglers.
Graham Cluley
Anyway, Carole, you're now beginning to get a little bit concerned. So you email the CEO and you say, look, we've passed on the €800,000. The French CEO.
Carole Theriault
Yes, the big gros chien.
Graham Cluley
The €826,000. When exactly are we going to get that money repaid?
Carole Theriault
Oh yeah, because my budget's down now.
Graham Cluley
Right, exactly. And the French CEO says, he says, 'Do not worry about that. It'll be returned to you in a fortnight.' So don't have to worry, it's going to come to you.
Carole Theriault
Okay.
Graham Cluley
Now, what happened next is that the French CEO came back again saying, 'Well, we now need to make a further instalment.' This time—
Carole Theriault
Excusez-moi.
Graham Cluley
This time, €2.4 million or €2.75 million.
Carole Theriault
Whoa, that's three times the amount of the original loan.
Graham Cluley
Yes, that's right. There was an initial instalment, but they've realised they've got a hot one here. And unfortunately for you, Carole, running the Dutch branch, there are insufficient funds. And so you spent all the money.
Carole Theriault
I'm not very good with money.
Graham Cluley
And so you're saying, well, can we get on the phone to discuss this?
Carole Theriault
About time, right?
Graham Cluley
And do you know what the big French boss says? Oh, sacré bleu, he says, don't be ridiculous. This is confidential according to KPMG's transaction rules. You are not allowed to discuss this on the phone with anybody. You can only communicate via email to the addresses you've already been given. And astonishingly, the Dutch CEO at that point emailed the CFO saying, what a wonderful process. I've never experienced anything like this before. Just bitching behind the back of the big French boss. Despite that, more money was transferred and more money was still requested over and over and over again. And in grand total, €19.2 million, or $22 million, was moved into a Dubai bank account over the course of a few weeks.
Carole Theriault
So what you're saying is I ended up paying $22 million to the quote-unquote French CEO. Are we going to find out this is not the French CEO? Is that what's happening here?
Graham Cluley
Well done, Carole, for making that deduction. That's sadly a little bit too late because €19.2 million has already disappeared. And it was at this point that the real French officer Pathé popped up out of the undergrowth and said, bonjour, malheureusement, your bank balance is nul, zero. Seems surprisingly low. What is going on? And the Dutch went, oh, wasn't it you asking us to move the money?
Carole Theriault
Oh my.
Scott Helmee
Imagine how that person felt upon reading that email of just, oh, shit.
Graham Cluley
Mad.
Carole Theriault
I think that's the expression, blood draining from someone's face. I think that would be the time.
Graham Cluley
The end of March this year, the MD of Pathé Netherlands and the Dutch CFO as well, both of you effectively were suspended. And following an interview—
Carole Theriault
I was suspended for giving away $22 million to some unauthorised dude?
Graham Cluley
At a general meeting of shareholders, you were fired. And in a letter, the CFO was told that he had ignored a large number of red flags. Now, chances are none of this would have made the news if those two people hadn't been fired. They'd probably have just hidden it under the carpet, right? And it would never have been spoken about officially. But what happened was the CFO actually went to court claiming unfair dismissal. He said, look, it's all very well, I made a mistake, but I shouldn't have lost my job for this. Without pay.
Carole Theriault
Holy moly. I'm surprised that they're not suing them for personal liability for some of the funding.
Graham Cluley
Apparently the emails have been designed to look that they really were coming from Pathé. So they probably used a similar looking domain name or some sort of homographic attack. So there was a character which looked like an E maybe, but actually was some weird kind of E instead. The CFO, as I said, felt that he'd been fired unfairly, took his case to court. And this week, a judge in Amsterdam has agreed with the CFO that he was fired unfairly. And the company— are you kidding me? I'm not. The company has been told they have to— they're not going to give him his job back.
Scott Helmee
You were fired unfairly, but you And that's not very much though, is it?
Graham Cluley
Well, it's not much compared to the €19.2 million. Yeah, you can have one more month of salary, here you go.
Scott Helmee
can't have your job back.
Graham Cluley
Oh great, thanks. Well, he was suspended, he was fired back in March or April, so he'll get 6 months plus salary as a result of this, which will presumably cover him for a while.
Scott Helmee
He's also not been paid anything for the last 6 months. He's probably poor now.
Graham Cluley
And who would want to hire a CFO who's made a mistake like this, or indeed a CEO who may have fallen for something like this? I suspect many people wouldn't be terribly sympathetic. By the way, this news of this latest development in the case comes just after Pathé's Twitter account got hijacked by cryptocurrency scammers pretending to be, you guessed it, Elon Musk. So they're not having the best time of it, are they?
Carole Theriault
Mon Dieu, mon Dieu.
Graham Cluley
So everyone, big or small, inside an organisation, you have to be really, really careful. Make sure you have procedures in place for when financial transactions are being made.
Carole Theriault
You know what? I think most people would check up on this. I agree they did do some checking, but it just seems a bit weird. There were a number of alarm bells that no one— I just can't believe it just kept going on and on.
Scott Helmee
I think that's the thing, right? If this was a single mistake, then that's easy for a person to do that. But I think what kind of surprised me as that story was unraveling was that it was multiple.
Graham Cluley
It kept happening. Yeah.
Scott Helmee
Times over a period of time. Yeah.
Graham Cluley
And I wonder if that actually reinforces it. I wonder if that in your mind makes you think, oh, this is okay because I did send 800,000 a couple of days ago. Nothing bad has happened. Therefore, any concerns I might've had about that, you're sort of reassured into thinking, oh, well, it won't be, it'd be all right to send another 1.5 million or 3 million.
Carole Theriault
Yeah.
Graham Cluley
It's bizarre.
Scott Helmee
It surprises me the company had no process to check or validate this. Right.
Carole Theriault
But the CFO had the numbers and he was— What, was he told to hide it? And he did. And then he still complained that he lost his job?
Scott Helmee
See, that's a little bit weird though, right? A big financial transaction and you've gotta keep the financial person out of that.
Graham Cluley
Alright, you are going a bit Columbo on us now, Scott. And I like the way you are thinking because there is an alternative potential explanation.
Carole Theriault
Trop vide, empty. Okay.
Graham Cluley
Which is, what if the CEO and the CFO were in on it? What if they knew they were being scammed or they actually—
Scott Helmee
Dun dun dun!
Carole Theriault
You know what? You would not sue for your job if that was true.
Scott Helmee
But wouldn't that just solidify your cover?
Carole Theriault
The triple bluff! No one will see it coming.
Graham Cluley
Apparently Pathé's own investigation says they're pretty convinced that these two people—
Carole Theriault
were just chumps.
Graham Cluley
Yeah, you said it right.
Scott Helmee
Phishing and things like this, especially spear phishing, are such nasty threats to try and face and tackle. And I mean, they're obviously so hard because it keeps happening, right? We keep hearing these big stories of these huge amounts of money and it's just like, how have we not come up with a solution for this yet as a wider industry? We really need to tackle this problem because that is a huge amount of money. And the other thing is you have no idea what anyone's going to fund with that money or use it for.
Graham Cluley
Maybe the people defrauding you are actually planning to spend it all on a cryptocurrency giveaway. Maybe they're going to give all of that money to Elon Musk in the hope that they're going to get 10 times back from Elon.
Carole Theriault
You know, you tune out for 10 seconds and you have no idea where you guys have gone.
Graham Cluley
Already?
Scott Helmee
It's my fault.
Carole Theriault
It's my fault.
Graham Cluley
I tuned out 17 minutes ago. Scott, what's your story for us this week? But what they have to do now is they have to
Scott Helmee
So mine's kind of phishing related again.
Graham Cluley
pay his salary up until next month.
Scott Helmee
There was a tweet that went out. Do you know how companies do these things where they phish test their staff? Yeah. Or even something super simple, just sending out an email and seeing who clicks on the links and stuff.
Graham Cluley
And then, of course, he will be quietly pushed out of the door.
Scott Helmee
So they'll send someone in the security team or the IT team or wherever will send out a test phishing email to see who falls for it. And I have really mixed feelings about these anyway, but I saw a particularly harsh one go out.
Carole Theriault
Okay.
Scott Helmee
And I'll just kind of paraphrase a tweet here. It says, I've just heard about a diabolical phishing simulation. The company faked an email from their own HR department. So they sent an email to all their staff and they faked it from HR, asking users if they were tired of phishing simulations and provided an unsubscribe link to future simulations. And those who clicked and unsubscribed failed the simulation.
Carole Theriault
Oh.
Scott Helmee
Because they got them to click. They got them to click the link.
Carole Theriault
Hiding in plain sight.
Graham Cluley
That's—
Carole Theriault
Hmm.
Scott Helmee
This is just— I think this is bad.
Carole Theriault
Okay, I want to understand that because my immediate view is that's pretty clever and cool, and that's going to teach people to be way more wary, but you don't seem to like it, so talk to me about that.
Scott Helmee
Let me explain the purpose of a link, right? So we have links in HTML, anchor tags as we may officially call them. What is the purpose of a link? What's its sole job in life?
Carole Theriault
To get you somewhere.
Scott Helmee
Right, and how do you get somewhere? What do you do to it?
Graham Cluley
You click on it.
Carole Theriault
Click it.
Scott Helmee
So does a link have any other function or purpose in life?
Carole Theriault
No.
Scott Helmee
So what we're saying is we have this thing that only has one sole purpose in life, but when you do that sole purpose, it's the wrong thing. I just feel links are built to be clicked. So should we really get mad at people for clicking on a link?
Carole Theriault
I don't see simulations and training like this as a way of reprimanding employees, but more as a kind of perhaps slap-in-the-face training.
Graham Cluley
Well, I think there's a bit of that, Carole, but I think it's also assessing how vulnerable your workers are, because if you've done some training and
Scott Helmee
Well, I think there's two parts of both of your points that can come together there in that number one, I do from Graham's perspective, I do see people need education and awareness and companies should try and educate their staff, right?
Graham Cluley
awareness, you want to know if that training and awareness actually worked. And doing a phish test might be a good way of saying, oh, look, actually
Scott Helmee
Because as members of staff, as people, as me on my computer at home, I kind of have a very small amount of responsibility in order to know if I'm conducting myself safely and I want to know how to protect myself.
Graham Cluley
our staff are beginning to be a bit smarter about these and less of them are clicking on the link.
Scott Helmee
So I think we can all agree that users, be they at work or home, want to have the information to protect themselves and to act in a way that will not cause them harm.
Carole Theriault
Right.
Scott Helmee
But then to wrap that into your point, Carole, I think a lot of the time in companies, from my experience, is they're a very negative experience. It's usually like, oh my gosh, you failed the phishing email. Here is my big stick that I'm going to hit you with. So I think that there is a way that we can go about this. But more often than not, it's a very negative thing and we blame the user.
Carole Theriault
Yeah. Okay. No, and I think that's fair. But do you think in this instance, this example could have been done responsibly?
Scott Helmee
In its core, if we strip away everything that's happened here, this is just a highly effective phishing campaign, right? Like it's, yeah. I mean, I think most people probably as well will look at this and think, wow, that is like a super dirty tactic, right?
Graham Cluley
It's really evil. I mean, whoever came up with this was an evil genius, right?
Scott Helmee
They are like Dr. Evil in their lab.
Carole Theriault
That's what I admire about it. There's something quite amazing about the brain that came up with that idea. I know, let's double post it!
Scott Helmee
We have the ultimate tool. It's like the Emperor in Star Wars. He's like unlimited power with these electric hands.
Carole Theriault
Oh, a social
Scott Helmee
That's what I envisage when I see this. But I guess the ultimate thing for me is what happened afterwards? What happened to the people that clicked on that link?
Carole Theriault
engineering phishing simulation
Scott Helmee
And if this was like a really positive thing and it was like, oh hey, by the way, this is a test and you failed and it wasn't like we yelled at them and beat them with a stick, then I kind of feel more comfortable with that.
Carole Theriault
sort of thing.
Graham Cluley
And also we don't know, but were there any clues in the email which would have signaled to people that this was an email which originated from the outside world, for instance?
Carole Theriault
Because, because that's what phishers do all the time. They put a lot of clues there.
Graham Cluley
Well, no, but they will have come—
Scott Helmee
They're very nice people.
Carole Theriault
Yeah, they're so nice.
Graham Cluley
If you were to have, for instance, looked at the headers, or if they have some system in place inside the organization which warns you this email, although it appears to come from our domain, actually has come from outside—if there was something like that which would have properly represented how this would actually have happened if an external attacker had actually initiated this kind of attack, then that seems to me somewhat fairer.
Scott Helmee
The tweet says that they faked an email from their own HR department. So I imagine there was probably something. I really hope they didn't send it from their genuine HR internal email because that would just be totally unfair.
Graham Cluley
That's what I think.
Scott Helmee
And yes, but then maybe the company doesn't have a thing in place. You mentioned checking the headers. There's only about 8 people in the world that I know that could even do that. And you could never expect—a lot of the times in IT and security and technology, we come up with these beautiful solutions. It's like, oh, people should open and inspect the headers. And I'm like, right, that would work. But the grand total of like me and 6 other people on planet Earth will even do that.
Graham Cluley
Well, that's what I do, Scott, is whenever I get a suspicious email, I just forward it to you and say, could you just check the headers of this before I click on anything?
Scott Helmee
Which is, you know, if you have someone in your organization to help you with stuff like that, that's great. And that's a good thing to do, right? It's like, I have this thing I'm not sure about its legitimacy. I'm going to seek an external opinion.
Carole Theriault
Okay, but what about the idea that people remember negative experiences more than they do positive experiences? It's true. You tend to remember fights more than you remember all the wonderful things that happened, you know, say last week, if that happened.
Graham Cluley
So if I had a whole bunch of negative experience at the company that I worked for, I think, you know what, I don't want to work for these tossers anymore, right?
Carole Theriault
I'm getting a new job. You know what? Good point.
Graham Cluley
Maybe it's—
Scott Helmee
I think you're probably right in that they do stick more. But I think the value of breaking down the barriers between users and IT and especially security is probably more valuable in the long run.
Graham Cluley
Maybe what you could do is you could reward the people who did well, so they get some candy floss or a balloon or whatever it is. Well done, you didn't click on the link.
Carole Theriault
Some unicorn sprinkles.
Graham Cluley
And those people who did click on the link, it's not as though they're treated negatively. They just miss out.
Scott Helmee
They just don't get cookies.
Graham Cluley
They just miss out on the cookies.
Carole Theriault
Oh, that's good. Yeah.
Scott Helmee
Positive reinforcement. I think that would be a much better approach.
Carole Theriault
Yeah. And you know what? No, you dumb idiot, you don't get a cookie. No, you don't. Because you're just stupid.
Scott Helmee
No, you can't write that on the cookies, Carole. Come on.
Graham Cluley
But what's important is people shouldn't be disciplined or terminated because of failing something like this. They should be encouraged and educated, right?
Scott Helmee
Let me just flip this around though to the one other side that I kind of come across all the time with this is if as a user you can click on a link and it causes some kind of catastrophic failure in your company's systems, you click a link, you get malware and it spreads on the whole network and encrypts the whole thing and you've effectively got ransomware. Is it really that user's failing for clicking on the link, or is the IT infrastructure of that company not dreadful?
Carole Theriault
No, no, no. I don't think it's the employee's fault for clicking on the link, but it would be great if you had an extra additional layer of, "Should I click on this?" And that comes with training and experience.
Scott Helmee
Oh, totally. I think I do genuinely think as users, we have a very small amount of responsibility in this wider process, but if that system had proper anti-malware on it and it was fully up to date and for some reason this employee's computer couldn't communicate with the entire rest of the world to ransomware them, I think that we're going to get a lot further, a lot faster with technical controls rather than user controls for the user to do themselves.
Carole Theriault
What if that employee was the head of IT security?
Scott Helmee
Well, then this person should be subjected to hopefully a little bit more training and experience with their privacy.
Carole Theriault
But not fired.
Scott Helmee
No, I mean, you've got to look at it for me, whether there was any malice or negligence. You know, if someone's intentionally acting in a negligent way and doing things that they shouldn't, but—
Carole Theriault
Do you need jobs going? Because I imagine there's a lot of people who'd like to work for you.
Graham Cluley
The message I'm getting from this is, you know, if this happened to me, I'm just thinking I'd probably think I can't trust anyone. I mean, I didn't trust the HR department before, but now I'm definitely not going to trust them. They're the least trustworthy part of the entire company. The evil geniuses who came up with this.
Carole Theriault
Graham, who do you trust? Who do you trust really though?
Graham Cluley
My dog.
Carole Theriault
Enough said. You're going to work for him?
Graham Cluley
I do pretty much work for him. You wouldn't believe what I have to pick up after he's done his business. The jobs he leaves for me. Carole, what's your story for us?
Carole Theriault
Gentlemen, you have been offered the job of your dreams. And you've been invited to head office for your onboarding process. That sounds so undreamy as something. It's not. But off you trot.
Scott Helmee
Indoctrination.
Carole Theriault
That's right. Yeah. But off you trot happy as Larry because HR is going to walk you through everything just after you sort out the ID stuff. And you follow HR into a small room and inside the room, rather than a camera, there's a masked woman in a white coat and she has white gloves and a syringe.
Graham Cluley
Rather than a wooden spoon. What's she planning to do with those gloves and syringe?
Carole Theriault
Once you ask that, she laughs and says, "No, don't worry, Graham. This is just completely voluntary subcutaneous microchipping." What? And this is so you can access all the building without a badge or a key. And all the cool cats get it because we'll give you discount lunches and gym access, and you're gonna get great health service, and isn't it great?
Graham Cluley
No, it's not great. It's horrendous.
Scott Helmee
I knew that was going to go down like a lead balloon.
Graham Cluley
I don't want anybody fiddling with my body. Thank you very much.
Carole Theriault
Okay, now hold on, Graham. Okay, I'm going to switch it up. Okay, I'm switching up. Now say, let's say you live with your Uncle Dwayne. Okay, now Dwayne lives with you because he has dementia and he keeps leaving the house. And getting lost, and you're worried about him, right? And the doctors offer to inject him with a subcutaneous microchip with GPS tracking so you can monitor his location in real time.
Graham Cluley
Could I not just tie a piece of elastic to his ankle?
Carole Theriault
No, he likes to get nude.
Graham Cluley
He likes to get nude.
Carole Theriault
In men's estate, he likes to get nude and run around.
Graham Cluley
Oh, so he's walking around naked around the town?
Carole Theriault
Yes, yes.
Graham Cluley
Is he still carrying anything else?
Carole Theriault
In fact, I have to— yep, well, I've had a family member in that same situation, so it does happen. And in that situation, maybe you're less, you know, less against it.
Graham Cluley
I suppose my dog is chipped and he's naked.
Carole Theriault
Well, exactly. These are 3mm long microchips that are implanted in the flesh between your thumb and forefinger via syringe. Isn't that right, Scott?
Scott Helmee
Maybe. Yes, this is correct. Although mine's slightly bigger than 3 or 4 millimeters.
Graham Cluley
Is it? He's just boasting. He doesn't have a micro one.
Carole Theriault
It's a mega chip at 5 mils.
Scott Helmee
Yeah, I would say it's probably more like 6 or 7 mil maybe.
Carole Theriault
Well done, Scott.
Scott Helmee
What have I done?
Graham Cluley
I'd want a grower, not a shower, I have to say.
Carole Theriault
Now, these are exactly the same as we kind of use for pets. Okay. And they apparently feel, I guess yours would've felt differently, but normally when it goes in via the syringe, it feels like a slight sting in your hand. Or did you cry and pass out from the pain?
Scott Helmee
No, I was on TV on mine. So you can actually go watch my implantation.
Carole Theriault
Okay. We'll put a link in the show notes. I forgot that. That's brilliant. Okay. So this is all near field communication or NFC technology, right? This is the same stuff we use in credit cards. And these are passive chips that hold data. And what's kind of cool about them is they can be read by other devices, but the NFC chip cannot read information itself. So it basically emits a kind of a unique identifier that's triggered when the device comes into range of a reader unit. Now, I want to know what your chip does, Scott, but I was reading about, they can open doors or you can buy train tickets, you could bypass passcodes, open your car, access vending machines, printers, all that kind of stuff.
Scott Helmee
Yeah. So I've had mine a little over a year now and they were even more in their infancy then. They're still kind of in their infancy now. And I guess there's no limit to what you can do with them. If you could do something with an NFC card, so maybe you have your badge for work and you tap it on a reader to get in the building, then you could program the badge onto the chip embedded in your hand instead of carrying around the credit card sized badge or doohickey with it. So then there are cars that can recognize the chip and open. There are all different kinds of things that you can use it for. Any situation where you'd use an NFC chip or an NFC card, you could use the one in your hand as a replacement for that.
Carole Theriault
I agree with you that right now it's pretty early days. There's a smattering of people in tech firms around the world, I think US, UK, Sweden, that are playing around with microchipping humans. But there is concern that there's going to be a bit of a growth in the near future. And there's a number of reasons I think this is true. So number one, from a business standpoint, it makes total sense. We've shown ourselves to be great at handling big data. But at least we understand the power it harnesses, although we're not very good at handling it yet. But we understand the potential of big data. And we can see it would save us money. You don't need ID cards or key fobs and organize all that kind of stuff. And you'd also get a host of reliable real-time data on your staff, right? So you'd know maybe who to fire, who to reward, who to monitor. And your data, presumably, that's how it's being touted to companies at the moment. It's this, your data will be more secure because you'll be able to control access to that data better.
Graham Cluley
What?
Scott Helmee
Well, I don't know what it would. So maybe you mentioned the chip with GPS in where you could do tracking, but mine, and many of the ones that I've seen don't have that kind of capability.
Carole Theriault
So yes, that's right.
Scott Helmee
For me, it was if I rock up at work in the morning and swipe my access pass on the door, they can see I arrived at 9:49 and I was late and I left at 3:20. But then if I use the chip in my hand to do that, for a lot of these scenarios, it wouldn't change necessarily what the company could see.
Graham Cluley
That's why I didn't quite understand how you'd be able to monitor employees to any greater extent. I agree if there was some—
Scott Helmee
If it had something like GPS in.
Graham Cluley
But a GPS thing would need some additional power capability, wouldn't it?
Carole Theriault
They're already looking at doing that in order to help people in the exact situation I gave you.
Graham Cluley
Oh, are they also sewing solar panels into people's craniums?
Carole Theriault
Yeah, yeah. Into your back, into your backside. Oh, that's awful.
Graham Cluley
Charming.
Scott Helmee
If you get the ones with the company logo on, they're cheaper, Graham.
Carole Theriault
Now, there's another reason I think it's going to be on a growth path, and that's because people today are getting pretty cool with cyborgness. Like, Scott, I'm talking to you even though you're a cyborg, right?
Scott Helmee
You say they say.
Carole Theriault
And people have all kinds of implants and people have pacemakers for Parkinson's and heart problems and depression. And some even get these RFID tags into prosthetics, you know, in hips and in knees to help with future rehabilitation. And one study even suggested embedding an active RFID responder into cancerous tumors could be an effective means of treatment. And so this got me thinking that it's these medical advancements, right, that make us more comfortable with this microchip technology. It softens our resistance to the concept of being chipped. Because 20 years ago, I think people would be "fuck no, thanks very much, but no."
Scott Helmee
I think it's the age-old thing, right? It's new technology. So people are kind of resistant and hesitant to it, but then as it offers more benefits, those benefits and those conveniences erode that initial kind of hostility towards change. So as they're evolving, the things that you're talking about now are more and more rewards, and then people are "okay, this new thing doesn't sound so bad. It'll do X, Y, and Z for me now."
Carole Theriault
Exactly. The tipping point for implantable chips will come when they become more useful and then they're hard to refuse, right? The more useful they become, the harder they are to refuse. And maybe, okay, so if we see that, maybe it's only a matter of time, Graham, before if you go to your dream job and you actually even question the fact that you might be chipped.
Graham Cluley
No, sorry, I quite disagree. I don't think there's any need to have this kind of thing implanted on me. All of this can be achieved by me just carrying a card, right? And I just put it in my pocket.
Carole Theriault
Okay, Graham, I've been your friend for a very long time. We've had to travel together. I don't recall a single trip where you haven't forgotten something. From toothbrush to pants to suitcases to glasses to keys to microphones. We've been traipsed around foreign cities looking for cables.
Scott Helmee
To pile onto this here as well, and just really back up, there's no need for me to have contactless payment on my phone or even my credit card. I could just shove it into the reader and type in that 4-digit PIN and press the green button.
Graham Cluley
I don't have contactless payment on my phone. What a bloody pointless idea is that? I'm quite happy carrying a card.
Carole Theriault
You know what? It was very useful for a friend of mine, a friend of mine named Eddie. He lost his wallet and he was able basically to survive for the next week until he found it again because he had contactless on his phone.
Scott Helmee
It's called advancement, Graham. Things advance. Do you have contactless on your credit cards or your debit cards? Do you use the touch to pay?
Graham Cluley
Yes.
Scott Helmee
And is that not more convenient than having to put the card in, wait, do the 4-digit PIN and press enter?
Graham Cluley
Well, I always quite enjoyed that little tango I'd do on the keypad, to be honest. I am pleased when sometimes I still have to do it because it just keeps the old memory cells going. Trying to remember.
Carole Theriault
What, the 4-digit number?
Scott Helmee
Yes. Wow.
Carole Theriault
That's how far you're pushing yourself these days.
Scott Helmee
I think we've just explained ourselves, Carole.
Graham Cluley
Well, I have a number of different cards which have different numbers on them.
Carole Theriault
I suppose you're almost half a century old.
Graham Cluley
Ooh. I think that's a valid question, but I come back to the same point which Scott had earlier,
Carole Theriault
Let's assume that maybe we're right. There's going to be a lot more microchipping coming, thanks to people like Scott who have basically offered up their arms and got the ball rolling. Thanks so much, Scott.
Graham Cluley
which is that same data is being collected right now if you have it on a card as well.
Carole Theriault
So I think then we need to think about the hard questions, right? Like who has access to this data that is being collected? Who can they share that data with? So why put it in your body?
Scott Helmee
Convenience.
Graham Cluley
The only reason would be that it always is on you. And that I see has actually been something of a disadvantage because sometimes you don't want some method of identification.
Carole Theriault
And how do you, the owner of that data initially, control that flow of the information? Are you left out of the loop completely? Let's just use your arm and then feed us all the information we need. Oh, really?
Graham Cluley
When's that?
Carole Theriault
When's that, Graham?
Scott Helmee
Uh-oh. Here we go.
Carole Theriault
When's that? Late at night? Late at night when you're wandering around the red-lit city? What are you talking about?
Scott Helmee
So there's going to be people walking through a crowd with NFC readers just gently rubbing up against your hand to try and identify you.
Carole Theriault
The thing is, we don't trust data collectors right now. We don't think Google, Amazon, or Facebook have our best interests at heart right now. Would you all agree with that? So we are gaining more trust, it seems, in this microchip because of the medical advancements and the benefits that we can see. But we don't like how the data is being handled or treated. And thankfully, there are a few influential people who are getting concerned. There was a recent article in The Guardian called Alarm Over Talks to Implant UK Employees with Microchips. Okay, bit of a huge title. But basically, the whole idea is that we need to think about this. And one of the biggest main trade union bodies of the UK have sounded the alarm. And there's legislators in states as well who are looking to try and control how information is both collected and managed from microchips. So I think we have a chance to kind of fix this before the train leaves the station, if indeed the train hasn't already left the station.
Graham Cluley
Trains? I wouldn't get one of those newfangled train things. I'm quite happy with my cart horse.
Scott Helmee
Get me a hay bale and I'll get you to London.
Graham Cluley
They don't travel quicker than 15 miles per hour anyway. This is ridiculous, this technology. Technological advancement.
Carole Theriault
Okay, Grandpa, settle down, settle down.
Scott Helmee
Graham Cluley.
Graham Cluley
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare. That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass. And welcome back, and you join us on our favorite time of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
Carole Theriault
Week. Pick of the Week. Shouldn't be.
Graham Cluley
And my pick of the week this week is not security related.
Carole Theriault
Excellent.
Graham Cluley
I would like to take you back how many years? 24 years. January 6th, 1994.
Scott Helmee
What a surprise, Grandpa.
Graham Cluley
Actually, almost 25 years.
Scott Helmee
Back in my forties.
Graham Cluley
In January 1994, one day before the US figure skating championship, do you remember, Scott, you're probably too young, Nancy Kerrigan was attacked.
Carole Theriault
Why me?
Graham Cluley
She said.
Scott Helmee
Why me?
Graham Cluley
Why?
Carole Theriault
I was glued to the television during all that.
Graham Cluley
She was attacked after a practice session at the ice rink, and the assailant—
Carole Theriault
What was her name? Tonya?
Graham Cluley
Well, this—
Carole Theriault
Tanya?
Graham Cluley
Well, she wasn't the one who actually did the attack, but the assailant had been hired by— Who's her boyfriend? Let me explain.
Carole Theriault
Oh, I'm sorry. I'm trying to remember.
Graham Cluley
I'm sorry.
Scott Helmee
I'm sorry.
Graham Cluley
Well, I'm about to tell everyone. Okay, I'll shut up.
Carole Theriault
I know we have young listeners who may not know the story.
Graham Cluley
The assailant had been hired by two men: the ex-husband of Tonya Harding and the one-time bodyguard of Tonya Harding. Who is Tonya Harding? She was one of Nancy Kerrigan's rivals for the figure skating championship. And both Nancy and Tonya Harding ended up being selected for the U.S. Olympic figure skating team. And there were huge audiences around the world who watched the 1994 Winter Olympics to see this soap opera.
Carole Theriault
Not only that, it was huge news. It was the— I was in America then. And I mean, every channel, this was the biggest drama to ever hit the ice.
Graham Cluley
It was not just the ice rink. This was front page news for weeks and weeks and weeks.
Carole Theriault
I wasn't just talking about Ice Weekly magazine.
Scott Helmee
Skater Tonya Harding makes a stunning admission about the Nancy Kerrigan assault.
Carole Theriault
She says she knew after the attack but did not tell police.
Graham Cluley
Now, I've kept this pretty quiet, I must admit, but I'm quite a fan of getting inside the sort of latex and the sequins and, you know, just—
Carole Theriault
Well, cross-dressing?
Graham Cluley
I'm a bit of a fan of figure skating. I'll be honest with you, I quite like it.
Carole Theriault
Oh, really? I've taken you figure skating.
Graham Cluley
I'm not a fan of doing it, Carole.
Carole Theriault
Yeah, no shit. I've never seen anyone cling to the edge of the rink looking like for fear of their lives.
Scott Helmee
Did he do Bambi justice?
Carole Theriault
He didn't even get around the rink once, but you know, by holding on the edge.
Scott Helmee
It's a long way.
Graham Cluley
Anyway, I found this movie which was on Amazon Prime, I think, or Netflix, or one of those. Anyway, it is called I, Tonya. Yes. And I was flicking through and I thought, oh, I wonder if that's a documentary. I thought that'd be a really interesting documentary. And I thought, oh no, it's actually a film. I thought, well, it's just gonna be a dramatization of the Tonya Harding ice rink attack and all the rest of it. Turns out it is brilliant. It's wonderfully written. It's very, very funny, dark humor, beautifully acted. It's got a great music soundtrack. Margot Robbie stars as Tonya Harding. Allison Janney, if you remember her from The West Wing, do you remember that? She plays her mum, and it's a fantastic— it's a show-stopping performance from Allison playing the mom. It's hilarious. You've got to go and see I, Tonya. Brilliant, funny, clever, thoughtful movie. And just wonderfully written. Go and see it.
Carole Theriault
Well, it's not in cinemas anymore.
Carole Theriault
No, it's on Amazon Prime or Netflix or one of those or other streaming services. Came out earlier this year, isn't at the cinema anymore.
Scott Helmee
My pick of the week is a notebook. It's an actual, just paper, you know, you write things in it notebook. Oh, hang on, Matt. Hang on. So Mr. Techno Whiz, Mr. Cyborg, isn't using some digital notebook. We're bringing the notebook into the 21st century now, Graham, which means that you'll probably be using it at this point.
Carole Theriault
Oh, sit down and buckle up, Graham.
Scott Helmee
It's going to be a big deal. So first of all, it's a special notebook. It uses a set of pens that came with it. You can buy these anywhere. They're by Pilot and they're called FriXion pens, which is spelled F-R-I-X-I-O-N or something crazy.
Carole Theriault
We're not talking pens again, are we? Scott, we talked about these very pens in last week's episode. So we know about these magical pens.
Scott Helmee
Okay.
Graham Cluley
You can write stuff with them and then flip the pen over and rub it out with the back.
Carole Theriault
You guys pre-planned this.
Scott Helmee
That's it. That's the gist, right? Yeah. So the cool thing that I learned is you can write this stuff down, you can flip the pen over, you can rub it back out. And actually, they're called friction pens because it's the heat of the friction of the rubber. I feel I've opened a can of worms here.
Carole Theriault
No, no, keep going. Keep going.
Graham Cluley
They should be sponsors. Two weeks, they've got plugs. Two weeks.
Scott Helmee
You flip them over and when you use the eraser on the back, it doesn't actually consume the eraser. It's just the heat of the friction that actually rubs the ink out as such. So the ink basically goes invisible when it gets hot.
Graham Cluley
Carole loves this.
Scott Helmee
This pad that I have is a special pad, and when you're using these Pilot FriXion pens, you can consume the whole notebook, you know, front and back, and you run out of pages. Normally you'd toss it in the bin, burn it, whatever, and buy another one. But this particular one, you actually just put it in the microwave for 15 seconds.
Graham Cluley
Cramps?
Carole Theriault
Yes, last week was talking about putting them in the fridge.
Scott Helmee
Well, no, because the fridge is cold and it's because the pen, the ink from the pen goes invisible on heat, which is when you rub them out. But if you just throw the notepad in the microwave and microwave it, the whole thing goes blank again.
Carole Theriault
Forever. Forever. Or for like until it—
Scott Helmee
Yeah, no, that's it. Like it's gone. You've like erased it as such. And so you just throw it in the microwave, give it a little quick ping. And take it back out and it's like brand new notebook again.
Carole Theriault
You know what, Scott? I think this is an excellent pick of the week and I'm going to buy one. If only Graham had brought this up last week, I would have been much more impressed.
Graham Cluley
I want to hear about the app. I've just been to the website and I'm reading that there's an app because at the moment it sounds like an ordinary notebook, but with the FriXion pens.
Scott Helmee
I mean, yeah, so it kind of is. So the pages are, they're not paper. Obviously, if they were paper and you just kept using and using using them, they'd wear out super fast. So the pages feel like a kind of plasticky almost. Like they have a really nice feel and they write really nicely. But in the bottom of every single page is embedded like a menu bar and it has a tiny little QR code in the corner and then a little section across the bottom where you can tick what kind of document it is. So you can actually assign each of these symbols to a type of document. And if you take a photo with the app, it reads a QR code so it knows which page of the notebook you're on, and it looks at the checkboxes on the bottom to see which one you've crossed and how you've identified the document. So I can take a quick photo and it will email me the PDF.
Carole Theriault
That's quite cool.
Scott Helmee
So it converts everything into this PDF and then I get the nice document, and then I can just erase the page and reuse the notebook but not have lost my notes. And it sounds super odd.
Graham Cluley
These notebooks, they're called Rocketbooks, right?
Scott Helmee
Yeah, so the one that I have is the Rocketbook Everlast. I mean, you know, you can tell by the name, the idea of it is that it's a notebook that lasts an exceptionally long time, and I don't just keep throwing them in the bin when I fill them.
Graham Cluley
So are you saving money by always using this notebook, or does the notebook cost about £300?
Scott Helmee
No, I think from memory it was like £15 or something. It's not extraordinarily large amounts of money. I probably would have to use it a lot of times to see a financial return. But I like doing things, there's just some things in my life that I can't make digital. Like my task list for the day, I love to get up in the morning and write down the series of things that I want to get done. And then throughout the day I can just cross one out.
Carole Theriault
Tick it off. I love that too.
Scott Helmee
And that gives me a real, that's my motivational thing for the day. And I've never found a digital equivalent that gives me that same kind of feeling of physically striking off the list. Yes, success.
Carole Theriault
So for the wonderful experience, you need to buy a Rocketbook notebook of any sort, a black FriXion pen.
Scott Helmee
Yeah.
Carole Theriault
And a microwave. Oh yeah, microwave. I don't have one of those either. Ah, so that's a good— can I put it in the oven?
Scott Helmee
You'll have to take the microwave one. That's the other one called the Wave. So the Wave is the microwave erasable one. So I have a couple of these. I think I actually got my first one back when they were a Kickstarter, however long ago that was.
Graham Cluley
So how do you wipe yours then? How do you wipe the words from yours? Keep it clean. Keep it clean, please.
Scott Helmee
Carole's— it was Carole's giggle that set me off. It was her fault. Carole, sorry. So because the pages are also slightly plasticky, you can just wipe them as well. So it's not like— like I said, it feels kind of like a polymer or something. So you can also just give them a wipe down.
Graham Cluley
You know what, Scott? What I like about you is that you are geeky and you are embracing all this gadgetry, you know, which—
Carole Theriault
Oh, be careful, Sky's flirting.
Graham Cluley
No, it just means that, you know, I'm much happier that you're doing all this. I mean, I love the idea of this, but yeah, all right.
Scott Helmee
You'd lose it.
Graham Cluley
Yeah, I would lose it. That's true. And then someone would just grab it, wouldn't they, and put it in the freezer and they'd be able to read all my notes. I suppose.
Scott Helmee
So, you know, I've never heard of this thing because it— I guess in a way it kind of makes sense. If it uses heat to make the ink invisible, then would cold make it re-visible?
Carole Theriault
Are you gonna try it?
Scott Helmee
You have to try it. Yeah, so hang on, let me just—
Graham Cluley
Certainly normally with friction pens, because I've done this with my son, if you write a message and rub it out, which creates friction to make it hide, and put it in the freezer for a while, the message will come back.
Scott Helmee
I'm going to do this. I am now. I've never heard of this and I'm going to go try it.
Graham Cluley
The heat, the friction of rubbing it out creates heat, which makes it disappear. Putting it in the freezer below -10 degrees brings it back.
Carole Theriault
So it's basically a pen that works in a very narrow margin of temperature.
Graham Cluley
And an app. There's an app as well.
Scott Helmee
Everything has an app. Yeah, the Rocketbooks have an app. Everything needs an app these days.
Graham Cluley
Anyway, don't worry about her, Scott. I think it's marvellous that you're doing this rather than us. And yeah, terrific. Carole, what's your pick of the week?
Carole Theriault
Okay, fun one this week. So this is from YouTuber Anthony Vincent. Now he's a creator of the 10 Second Song. So basically he's a pretty amazing rock and pop star mimic. So he's been online and asking his fans what they want him to cover, and they kept inundating him with Bohemian Rhapsody, and he's done so. But he's managed to mimic 42 famous singers in the one song, including Johnny Cash, "just killed a man, put a gun against his head, pulled my trigger, now he's dead," Frank Sinatra, Ozzy Osbourne, Michael Jackson, Ray Charles, loads of them. So I've included a link in the show notes. It's a great song.
Graham Cluley
It's great, it's great.
Carole Theriault
I found this little gem on my pick of the week, which is openculture.com. And if you don't think this and think it's a bit of a waste of time and that's not for you, you will, I promise, find something on openculture.com that is for you. It's kind of a curated site with a huge wealth of free stuff from reputed courses or books like the Guggenheim Projects and teacher resources and great lectures, and it's great. So if you need to have intellectual relaxation, I say check out OpenCulture.com. It's a fabulous site.
Graham Cluley
Oh, okay. I've never heard of it before.
Scott Helmee
It's cool. No, I mean, they're fine.
Carole Theriault
Well, don't start stealing your Pick of the Weeks from that, Graham, because it's my stuff.
Graham Cluley
You're going to be plundered.
Carole Theriault
That's my— I know I have been plundering.
Graham Cluley
Have you?
Carole Theriault
Anyone who goes and enjoys it might see a few of my previous Pick of the Weeks. I've now just shown my magic.
Graham Cluley
You're going to wear the crown jewels there. Well, I think that just about wraps it up on this bumper edition of Smashing Security. Thank you, Scott, for joining us. If people want to connect with you online and find out more about the Rocketbook or whatever you're up to, how should they do that?
Scott Helmee
Best spot is probably on my blog at scotthelme.co.uk and on the Twitterverse.
Carole Theriault
And feel free to email Scott with any of your phishing queries because he can look at headers.
Graham Cluley
Forward any spam email to him.
Scott Helmee
I will get back to you as soon as I can.
Graham Cluley
And also you can follow us on Twitter, we're @SmashingSecurity, no G. Twitter won't allow us to have a G. And we have an online store, we can grab t-shirts and stickers and mugs and things like that at smashingsecurity.com/store.
Carole Theriault
And please subscribe to our show if you like what you've heard, and of course leave a review if you liked what you heard. We got a number of amazing reviews last week, we got about 4 or 5 of them.
Graham Cluley
And in the meantime, if you want to check out some of those past episodes, you can go to www.smashingsecurity.com where you can find all of them and ways in which to get in touch with us. Until next time, cheerio, bye-bye, bye everyone, see you laters.
Scott Helmee
I wanted to ask about the G, so I know that it's because Twitter wouldn't let it. You have it? Is that because someone else had it or because you just weren't allowed a G?
Graham Cluley
Well, this is—
Scott Helmee
Can I ask that? Is this a secret?
Graham Cluley
It is sort of secret, but—
Scott Helmee
Are we going to pull the lid on this wide open?
Carole Theriault
Okay.
Graham Cluley
Will you try and create it? You try and grab it if you want.
Scott Helmee
Oh, okay. And they'll tell me. I can't— Is it because it's a rude word?
Graham Cluley
No, it's not a rude word. I can't believe you can't work this out.
Carole Theriault
Why? Why wouldn't you work it out?
Graham Cluley
Because he's a programmer.
Carole Theriault
Okay, we have to hurry up because my ears are so hot from being in the headphones the whole time.
Graham Cluley
Scott, it's very simple. I'll tell you, I'll tell you, I'll tell you. Too many characters.
Scott Helmee
Is it really just string length?
Graham Cluley
It's string length.
Scott Helmee
Oh, that sucks. That's lame as.
EPISODE DESCRIPTION:
Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again...?
Oh, and the subject of erasable pens comes up again.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme.