This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Jack Rhysider
Let's see, this is what I've been saying, right? In 5th grade, they asked me if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour? I know this, but why doesn't a civil engineer know the answer to this, right? When I arrive at that intersection, it knows I've been doing the speed limit since the last 6 streets.
Carole Theriault
Why isn't it just turning them green? It should know when I'm arriving. Yeah, turn them green for Jack.
Unknown
Smashing Security, Episode 142: Mercedes Secret Sensors, Smart Cities, and Ransomware Runs Riot with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 142. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Carole Theriault
Hello.
Graham Cluley
We are joined by podcast royalty in the form this week of Jack Rhysider of Darknet Diaries.
Jack Rhysider
Not quite royalty, but I'm very happy to be here. This is the second time coming and it's really exciting to be again.
Graham Cluley
You've made a return visit. I think that really means that you're part of the family now.
Carole Theriault
Yeah, it feels like it. And you've been doing a little bit of work with the lovely Maria.
Jack Rhysider
Yes.
Carole Theriault
So basically you are part of the family. So welcome.
Jack Rhysider
Yeah, it's great. Great being here again.
Graham Cluley
It's great to have you. And if anyone hasn't yet checked out Jack's podcast, really recommend it. Darknet Diaries. Really good listen if you want to hear stories from the dark side of the internet.
Carole Theriault
And you come here to cheer up. It's perfect. Yeah.
Graham Cluley
So Carole, what stories have we got this week?
Carole Theriault
Well, first, a huge thank you to this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Now on today's show, Graham delves into the lavish world of mercs. Yeah, I mean cars. Jack will be visiting Texas, and I'll be looking into the ins and outs of smart cities. All this and much more coming up on this huge episode of Smashing Security.
Graham Cluley
What makes it huge, Carole? What makes—
Carole Theriault
Why don't you watch and find out? You haven't seen my story yet. Settle in, guys.
Graham Cluley
Now, chaps, I wonder, Jack, are you a driver? Do you have an automobile?
Jack Rhysider
Yes, I do. I only have one car, though. It's an older car, so it's not one of these special smart ones or internet-connected.
Graham Cluley
Very sensible, I would argue. Now, some people, Carole, I don't know if you have, but I used to own a Mercedes.
Carole Theriault
What, your hairdresser's car?
Graham Cluley
Look, I don't know why you always called it a hairdresser's car. I mean, it was in my days of not being a parent. And so it did only allow me to—
Carole Theriault
There was a cartoon. I can't even remember what cartoon it was, but there was this huge chested guy with this big blonde foppish hair. And he would drive around a red little convertible thing that was much smaller than his body. Basically, that's what you looked like.
Graham Cluley
Well, thank you for saying I had a big chest, Carole. That's very kind of you. I think it slipped somewhat. Rather like obelisks. But I don't know if either of you have been reading The Sun newspaper. The Sun newspaper.
Carole Theriault
Oh dear, I get it delivered, of course.
Graham Cluley
I put the word newspaper in quotes. Are you familiar with The Sun, Jack, at all?
Jack Rhysider
Well, isn't it— is there for a specific city or is just The Sun?
Carole Theriault
No, it's the same.
Graham Cluley
It's a national newspaper here in the UK run by Rupert Murdoch, and it's not really a newspaper. It was famous for its—
Carole Theriault
Page 3.
Graham Cluley
Yes, it's Page 3 beauties back in the day. I don't know if they still do that. It is a very high-selling newspaper, not renowned for its high quality, however. Quite tabloid.
Carole Theriault
Do you remember when they tried to address the Page 3 problem, which was basically scantily clad women, by introducing— I don't know if this was just in Canada, but in Canada on page 7, you'd have this tiny black and white Page 7 guy.
Graham Cluley
Yeah, it's called the Page 7 fella. That's what they had, yes.
Carole Theriault
So it was international. There you go.
Graham Cluley
Yes, yeah, we had the Page 7— well, I didn't, but yes, it was. Brilliant. Anyway, the reason why I'm talking about The Sun— normally I wouldn't source my stories about the crazy world of online security and privacy from The Sun, but they ran a story which has been picked up by a number of other media outlets about Mercedes-Benz cars. And specifically, they said that Mercedes dealers in the UK, and who knows where else in the world, were fitting tracking devices to all new and used cars sold by Mercedes. And these could, if activated, pinpoint a car's precise location. That kind of device. So I guess it was communicating in a GPS-style way. So Jack, for instance, I mean, you're obviously someone who wants to preserve your privacy. I understand that. Most of us, we don't want our information out there. But this would be a way for the guy who sold you your car potentially to find out where you live or where you go.
Jack Rhysider
That's the way you have to balance it, right? Is there more of an upside? Is there more of a benefit to having somebody know where you are versus having your private information in the hands of somebody you don't know? And that's the hard balance.
Graham Cluley
And if you're someone a bit hot, right? You, Carole. I mean, obviously not at the moment.
Carole Theriault
You don't mean temperature having a fever. You mean more good looking.
Graham Cluley
You're a pretty hot tamale, right, Carole?
Carole Theriault
Definitely, absolutely, yeah, the hottest. What, so a tracking device, basically, if you get into trouble, we'll be able to find you without a phone call, kind of tracking device? Love that. Yeah, yeah.
Graham Cluley
If the Mercedes dealer took a shine to you, they might be interested in where you go, what clubs you go to. You know, imagine if every time you went to the discotheque, there was the Mercedes dealer doing the Lambada or a John Travolta or something.
Carole Theriault
What a stalker. Yeah, no, that sounds fun. That sounds great fun.
Graham Cluley
Not fun at all, Carole.
Graham Cluley
No, obviously. Anyway, so Mercedes said that these sensors are put into every car. And this is different from your optional extra, right? Sometimes you buy an expensive car and you say, well, for security reasons, I want it to have the ability to track it if it gets stolen, for instance. This is something which is put in all of the cars. And Mercedes say it's only activated in extreme circumstances. So I was thinking, well, what are the extreme circumstances, right? Would it be a life or death situation, for instance, or a missing person?
Carole Theriault
Mm.
Graham Cluley
And I was reminded of this. You may remember there's a past Pick of the Week, which we talked about called What3Words. And there was a story earlier this year about a mother and daughter, who were rescued after they had a car crash in a remote rural part of Somerset in the UK, avoiding all the combine harvesters and things. Must have crashed into a hay bale.
Carole Theriault
Hey!
Graham Cluley
Well, no, that's very flattering for people from Somerset. And all they had to do was use the What3Words app, and it gave them 3 coordinates, which allowed the police to exactly pinpoint their location.
Unknown
Calling through to the police. What's the location of your emergency? We're on a road. I'm not entirely sure of the road. We've just been involved in a road traffic accident. There's at least 4 cars in it. I'm just going to try and find out the actual road. Okay. What I'm going to do is I'm going to send you a very quick link to your phone. Are you able to use your phone while you're on it, or is it not? Yeah, yeah, yeah, I think so, yeah. So it's called What3Words. So if you click on the link, it will give you 3 separate words for your location, and when I put them in, it will tell me where you are. Are you happy to do that if I send it to you? Yeah, yeah, yeah. Brilliant.
Carole Theriault
Very cool.
Graham Cluley
So that's one way in which it can happen. So is it life or death situations? Is it missing persons? And apparently, no, that's not the extreme circumstance in which Mercedes turn this on. And I thought, well, is it law enforcement? Is it if your car is stolen or if your car is used in some sort of criminal activity? And again, no, those aren't the extreme circumstances.
Carole Theriault
So it has to be more extreme than what you're saying.
Graham Cluley
Exactly.
Jack Rhysider
Oh, I know, I know. You didn't pay your bill.
Graham Cluley
Right.
Carole Theriault
No way.
Graham Cluley
That was a guess.
Carole Theriault
Jack, it's a good guess.
Graham Cluley
Oh my God. That's what Mercedes-Benz care about is have you kept up to date? Have you defaulted on your finance payments? They can track down your car and they can seize it off you.
Jack Rhysider
Okay, so I don't this idea. And the thing is, because you're not treating the customers as adults here, you know, you're treating them like kids who are immature and irresponsible. And if you're going to pull your little trick on them to get your car back, it's just not going to play well.
Graham Cluley
I mean, and sometimes people can be immature and irresponsible, right? I mean, I remember— I'll tell you a story, actually, Carole, about that car you were talking about.
Carole Theriault
Your hairdresser's car?
Graham Cluley
No, I don't know technically. There's nothing wrong with hairdressers, by the way, or their vehicles. But I used to live next to a petrol station, or gas station, as I believe they call them over stateside. And I used to pop round there because it had a little store attached, right? So it was my local where I could go and get a pint of milk or whatever. One day I drove home, I was running low on fuel, I parked in the petrol station, filled up with petrol, went into the store to pay, and then I walked back to my apartment.
Carole Theriault
Leaving your car at the gas station.
Graham Cluley
Leaving my car because I was so used to doing the walk. I wasn't used to driving from there to my apartment, which was next door. Well, I left my car there for two days.
Carole Theriault
Oh my God.
Graham Cluley
By the gas pump. Preventing other people from using, getting any petrol.
Carole Theriault
And so you.
Graham Cluley
So I woke up the next morning, I opened my curtains and thought, where's my car gone? It's been stolen. Oh no. Looking outside my house.
Carole Theriault
Are you lying? I've never heard this story.
Graham Cluley
Oh no, it's a true story. And then I ran through my memory. I thought, well, what was I doing? What was I doing? What happened? I thought, "Ah, it's still at the petrol station." So I popped round there and sort of quickly scarpered.
Carole Theriault
Did you have a driveway or were you parked somewhere communal?
Graham Cluley
No, it was like a communal car parking thing. You know, it's back in the day, Carole, back in the day. Anyway, so I would've felt this would've been really helpful back in those days. You know, use it as a lost car sort of device. Would be fantastic. But no, they're using this to try and get money. They're passing on the information to bailiffs so they can track down any Mercedes and repossess it. And are they telling you that they're doing this? They're telling you that they have a tracker in your car? Well, Mercedes say around 80% of new cars from Mercedes are sold on finance plans. And apparently, if you do read all the small print when you sign off your—sign off your soul—
Carole Theriault
To buy a Merc.
Graham Cluley
To buy a Mercedes. It is included in there that we reserve the right to use, you know, in extreme circumstances, we can find out where you are and then get your car back.
Carole Theriault
So you can pay us your final bill.
Graham Cluley
Right. Right. Now, human rights groups and privacy campaigners are a bit concerned about this. Liberty, for instance, have said that they're disturbed by this revelation and say it's all part of the creeping growth of surveillance. It is easy to see, isn't it, how this kind of feature could be abused by governments. For instance, they could put pressure on car manufacturers to share details of a vehicle's location. Or for intelligence agencies to hack a car manufacturer? Am I getting carried away with this or not?
Jack Rhysider
I think we need to bring it closer to home, right?
Graham Cluley
Okay.
Jack Rhysider
I'm seeing a rash of incidents lately where domestic cyber spying is happening, where this is a husband spying on their wife or a boss spying on their employee, and they're using different tools to do that through their phones and turning on cameras and this kind of thing. And that is what could very well happen. A jealous boyfriend or something could figure out a way into this and start seeing the exact location of their girlfriend's Mercedes.
Graham Cluley
Or maybe if they actually worked at the car company, maybe they would have access to these tools, just like we've seen in the past, people who work for the police abusing databases, which they have access to, or looking up people's criminal records. Similarly, you might have someone at the car company who's able to determine where a particular car is.
Jack Rhysider
Yeah, but all that still just assumes that this whole thing is secure. And we haven't even got to the point of, are they good? Is Mercedes good at holding onto my data? And I don't know.
Graham Cluley
Right, yeah. And we've certainly seen big car companies in the past goof up both in the firmware of their vehicles and also sometimes their own websites and systems have been breached.
Carole Theriault
I wonder whether they're collecting this information. So presumably if these trackers were put on any car, right? Just in the off chance, someone doesn't pay their bill, that data must be being snarfed all the time and collected into a database. I don't know if you just turn it on if someone doesn't pay the bill or if it's just always on, you just go look at the database when you need to.
Graham Cluley
From my reading of it, and who knows if this is accurate because it is the Sun newspaper this week. It is the Sun. And Shirley from Basildon, you know, 34 23 36. They say that the sensor has to be activated. So Mercedes are trying to reassure people this isn't turned on all the time, but only in really, really serious situations, i.e., if they're about to lose money, do they enable it?
Carole Theriault
That's weird as well, right? That you have something on your car that can be remotely activated by a third party without your knowledge.
Graham Cluley
Well, cars these days, I mean, they are the mobile internet device.
Carole Theriault
Your car is crazy.
Graham Cluley
No, my car doesn't do anything like that. My car beeps if I drive badly. That's what upsets you, is all the beeps it gives me.
Carole Theriault
Yeah, fair enough. That's probably right. It's not the car. You're right.
Jack Rhysider
Here's my call to action here.
Graham Cluley
Yes.
Jack Rhysider
This is just a matter of time before somebody figures out where that tracking device is and just yanks it off the car and then puts that on the internet and says, here's how to disable the tracking device. Because there's really literally no upside for the customer here. So everyone would just say, well, I need to disable this. There's nothing I get out of this and just pull it right off.
Graham Cluley
Yeah, I think you're right, yeah. So my advice for anyone who doesn't want to be tracked by the likes of Mercedes and their cars would be to drive some old beat-up car instead. Maybe like Jack has got. Do you remember the Robin, the Reliant Robin? Do you remember that?
Carole Theriault
I don't think Jack would have ever seen one of these. I didn't know they existed till I moved here. And you do see them on the road now.
Graham Cluley
You still see them.
Carole Theriault
It's a three-wheeled car, Jack.
Graham Cluley
Yes. They had to be very careful going round roundabouts because they would sometimes topple over.
Carole Theriault
Right.
Graham Cluley
Oh, yes. Anyway, Jack, what have you got for us this week?
Jack Rhysider
Well, so last year Atlanta got hit with ransomware. This is becoming an epidemic or pandemic, whatever the word is. Ransomware is hitting US government cities. And Atlanta didn't pay the $52,000 in ransom last year, but instead they spent $2.4 million cleaning it up.
Carole Theriault
That's right. Yeah, it's shocking. And it's depressing.
Graham Cluley
Well, is it depressing? Should we—
Carole Theriault
Well, yes. It encourages people just to pay the ransomware. No, no, they didn't pay.
Graham Cluley
That's the thing.
Carole Theriault
I know, but when other cities see the bill.
Graham Cluley
Oh, I see.
Carole Theriault
Right? They'll go, fuck, let's just pay. Dear God, let's get this headache over with. Why do the right thing? It's too expensive.
Jack Rhysider
So there's more here. So Baltimore this year got hit with a $70,000 ransomware demand and they didn't pay. Instead, they spent $18 million cleaning it up.
Carole Theriault
You see? You see? Or are they just padding? Are they padding the numbers?
Graham Cluley
Well, just to get a bit—
Carole Theriault
It's a real beauty.
Jack Rhysider
I'll put the links in the show notes so you can double-check for yourself. But the FBI discouraged them from paying because they said, hey, even if you pay the $70,000 in ransomware, you've got a lot of problems you need to clean up, which is going to cost you a million anyway. So you might as well just do a full top-down inspection of everything and spend the money. So this year has been just a phenomenal year. We've had 60 ransomware attacks on state and local government in the US alone. Lake City in Florida paid $460,000 in bitcoin just, I think, last month.
Carole Theriault
To get rid of the headache.
Jack Rhysider
To just get rid of it. That's it. So that city completely paid. Another city in Florida, Riviera Beach, paid $600,000 in ransomware fees. But that one was interesting because they had insurance to cover it.
Carole Theriault
That's interesting. So is that what cybersecurity insurance is for, to pay the ransoms? Possibly.
Jack Rhysider
I've never thought about that.
Carole Theriault
I never even thought about that. Oh, yeah. It's one of the costs.
Graham Cluley
I mean, it's not the only cost. That's the thing. It's not just—
Carole Theriault
It's immoral. If you have life insurance, right, and you get kidnapped, can you use the life insurance money to get you out?
Graham Cluley
Carole, you can get insurance for anything, surely, can't you? If you're prepared to pay enough of a premium, I could get insurance for alien abduction, I'm sure, if I was able to prove it was alien abduction.
Carole Theriault
Report in to us next week, tell us how it goes.
Graham Cluley
Anyway, Jack, sorry, Carole was completely distracted. Phishing infected us, so it wasn't me.
Jack Rhysider
So yeah, so on Friday I saw this story that 23 towns in Texas were hit with a coordinated ransomware attack and the Texas governor has actually issued a level 2 escalated response, where level 1 is the highest threat level, which is emergency. So they're getting close to having a statewide emergency there in Texas.
Graham Cluley
It's like a DEFCON alert basically, isn't it?
Jack Rhysider
Yes.
Graham Cluley
This is pretty serious.
Carole Theriault
23 in a coordinated attack. That's the first time I've ever heard of that.
Graham Cluley
Yes.
Jack Rhysider
And the investigators are thinking this is from a single threat actor. Most towns are not admitting to this right now, so we don't really know what towns, but there's one town called Borger in the Panhandle. And they said this is affecting city business and financial operations. Birth and death certificates are not available online, and no payments are being accepted for utility payments from their 13,000 residents right now. Nobody can pay the bill because the systems are down.
Graham Cluley
Because there have been problems sometimes in the past of people who've actually had their power cut off because they haven't been able to pay their bills due to ransomware hitting a particular city. So I imagine if some sort of payment system is down, you have to be careful that any sort of background process isn't also going to be affected and take matters into its own hands.
Jack Rhysider
Yes. And another city in Texas, which was not hit, called Denison, Texas, just said, you know, forget it. We're unplugging. And they took down their own internet today as a precaution.
Carole Theriault
Yeah. Try and get us. We're not even online, dudes.
Graham Cluley
Well, good luck to their residents being able to pay their bills online, of course. That's right. It could be a challenge. So they believe that this is the same hacker or group of hackers who are organizing all of these attacks. I mean, potentially they could be making an awful lot of cash if some of these towns do agree to pay up, like some of the places you've already mentioned, which did pay up.
Jack Rhysider
Yeah, they could sweep up here. I mean, that's one of the things about this ransomware is that it is pretty profitable. It's easy to spread and get in there and pretty profitable.
Carole Theriault
You're making me wonder whether Texas has a reputation for paying these bills, in the way that you talked about Florida earlier, that they've paid the ransom. Maybe Texas has— these systems have been hit before individually at times and Texas has paid the ransom. So it suddenly became quids in, dudes, hit, you know, hit 23 at once and they've already got the precedent set in place. Hmm.
Jack Rhysider
That's an interesting theory. I was thinking more along the lines that it might be targeted because of a similar department might be overseeing some of these systems. And so you have the similar vulnerability that you can use in each place.
Graham Cluley
It's curious though, it seems to be all these cities recently which have been hit rather than maybe more regular organizations. Is that suggesting to us that councils and towns aren't protecting themselves as well as commercial organizations?
Carole Theriault
I just think of how many people are available, right, in a city. You have a city of 100,000 that might be using a specific—
Graham Cluley
Oh, you think the stakes are higher because of the number of people? The stakes are higher because there's more people available. In a company, you might have 1,000 or 500 or, you know, and you might go for the big spearfish, right? Right.
Carole Theriault
And maybe then it's quids in.
Jack Rhysider
Yeah, it's— I mean, you put ransomware on one person's computer, you can get, what, $300 out of them?
Graham Cluley
Yeah.
Jack Rhysider
But you put it on a company, a hospital, a state, a city government, you're going to get a lot more out of that. So it's definitely a lot more profitable. And especially when you're impacting the way the bills are getting paid, they're not getting paid until this is fixed. So, you know, it puts a real big spanner in the works.
Carole Theriault
And, you know, in my experience, things like councils and education and health tend to have systems that are a little bit more ropey than state-of-the-art firms. It's just a lot more Scotch tape and spit holding things together because funds are shorter. You don't have as much money, you don't have as much resources. So maybe they're an easier mark.
Graham Cluley
I suppose you have to justify every buck, don't you, in the city council?
Carole Theriault
Absolutely.
Graham Cluley
Whereas in a commercial organization, you may have seen past victims of this kind of thing and think, we have to invest in security, we've got to protect our staff, we have to prevent these kind of things from coming in.
Jack Rhysider
Yes, and that sort of transitions me into the next part of this story, which is who's there to help them? When it comes to pay rates and stuff, commercial and retail, they'll pay higher, and then you got state and government kind of paying a little lower, and maybe schools paying a little less than that, and charities and nonprofits paying even less. So you don't get the cream of the crop security people working in these state and local governments. And often I hear that these people, it's really hard to get fired out of here, which means that people are just going to kind of do their minimum job, what they need to do not to get really fired. And even then they probably don't even get fired. So they just don't have a good cleanup crew. So some of the people who are coming to help in Texas: FEMA is actually going down there to help. The Department of Homeland Security is assisting. Texas A&M's Information Technology and Electronic Crime Unit is getting involved, which is their college down there. And even the Texas military department is throwing in their hat.
Jack Rhysider
Going in with tanks. I mean, where's this gonna stop?
Carole Theriault
Oh, do you want to get your tights out, Graham?
Graham Cluley
Well, I don't think me. I'm just wondering what city. Could it be Gotham City next? Could it be Batman who has to come? Commissioner O'Hara ringing the Batphone, getting Batman and Robin in. Carole, what have you got for us this week?
Carole Theriault
In my story, we're visiting the land of smart cities. And the thing is, people use this term a lot, right? Smart city. And I didn't actually know how to define it or what the advantages and disadvantages really were. So I thought I'd do a little spot of digging and we could sift through some of the highlights and see whether we're thumbs up or thumbs down. Now, a smart city is one that uses digital info and communication tech to enhance the city, right? To enhance the quality of the services it delivers. So things like transport or health or climate or connectivity or crime or everything.
Graham Cluley
The kind of things which could be messed up with a ransomware attack. That's the sort of thing you're thinking about.
Carole Theriault
Exactly. So, you know, when there's a city with enough IoT services, we've got what boffins are calling a smart city. And I don't think that's the right term. It should be smarter city, because it's not all or nothing really, is it? It's a gradient of smartishnesses, whatever. Anyway, so I'm digging around and I get my hands on a list of smart city tenders. And this is what appears to be published by city councils around the world looking for an expert to make their city pop with some smartness. And there is a lot of them. There's a link in the show notes, but we're talking things like intelligent traffic and public transport systems, bike share schemes, air quality monitoring, smart solar storage, automatic weather stations, disaster alert systems, citywide Wi-Fi services, electric vehicle charging points. It goes on and on and on. Storm pollution control plans. All these things could make life so much better for all of us, right? But it does depend on real-time local data in order to work in a lot of cases.
Graham Cluley
Yeah.
Carole Theriault
And that means you need a whole host of data collection, right? So you have things like city sensors around the city. And you also have data from residents and visitors. This would be gathered probably through apps and cellular use and city-hosted Wi-Fi. All of this information that they're able to collect from devices can feed into various systems.
Graham Cluley
So far, this all sounds very secure and nothing for anybody to worry about.
Carole Theriault
And all this data is used to create a system of smart behavior and alerts which are supposed to help us. So imagine, for example, if traffic lights could automatically change pattern when traffic was increasing from one direction versus another.
Jack Rhysider
Well, see, this is what I've been saying, right? In 5th grade, they asked me, if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour? I know this, but why doesn't a civil engineer know the answer to this, right?
Carole Theriault
Why isn't it just turning them green?
Jack Rhysider
It should know when I'm arriving.
Carole Theriault
Yeah, turn them green for Jack.
Jack Rhysider
When I arrive at that intersection, it knows I've been doing the speed limit since the last signal. This is basic algebra.
Carole Theriault
Six streets. We should just record that and then just play it every episode, don't you think? It's a real standard. And maybe bins, right, would have sensors so that when they're full, a little sensor alerts the team that needs to come, you know, that they're ready to be picked up. The bonus, sweet smelling streets, I guess.
Graham Cluley
I'd just be happy with loos, public loos, which did something like that, Carole, which were able to tell when last time they'd been used. And so you could determine which one was used least recently.
Carole Theriault
There's life-saving possibilities here, up-to-the-minute information about accidents on the roads. So you could actually navigate help to the scene automatically without needing a passerby. And this would be huge in the UK, because if you stop alongside a car in distress and say the guy's eyeballs are hanging out of his face in the UK and you say, "Are you okay?" They'll be like, "Oh gosh, yes, I'm perfectly fine. Sorry to trouble you." It's insane over here.
Graham Cluley
What, on the outside?
Carole Theriault
So this would help lives, it would save lives. So this is all great. And I do hate to ruin the whole Shangri-La-esque utopia that I've painted here, but there is a flip side, which we've already investigated earlier in the show. With everything connected and automated, it can make things much more disastrous if the system is disrupted in some way. There'd be like— it would turn brown or something? Yeah.
Graham Cluley
Well, no, not brown. It would give you a green light.
Carole Theriault
So vulnerability exploit, a data breach, DDoS. And as we saw in the tenders, cities are actively looking for third-party experts to come in and make their cities smarter. They want their smart city dreams to come true. And from my reading today, this is hot market and cities are competing for services and techies are promising a shiny world.
Graham Cluley
The other ones would be brown. So you'd know which one is most likely to be safe to use.
Carole Theriault
And the question is—
Graham Cluley
That's what I want to see, that kind of technology.
Graham Cluley
They must at the same time when they're asking for people to pitch for this kind of stuff, they must also say, but you have to do it securely. They must be saying we want all these really cool features. Let's play the game, right? So I'm the third party. Yes.
Carole Theriault
Well, what questions are you going to ask me? What questions are you going to ask me to kind of gauge how secure it's going to be? You want to hear some crazy research that's kind of tangentially aligned to my story?
Graham Cluley
I haven't thought about this sort of thing, Carole, but clearly, I mean, you sound like someone who works at a council office. Go for it.
Carole Theriault
So the question is, are cities perhaps so hungry to get ahead of the competition, they're not thinking deeply enough about security?
Graham Cluley
Right.
Carole Theriault
So there's this guy, Dimitrios Pavlakis, okay? He's an industry analyst at ABI Research.
Graham Cluley
10%, frankly, is probably better than normal, isn't it? It's probably better than a normal day.
Carole Theriault
And today, just today when I was doing this research, this press release comes out and I'm gonna paraphrase his quote 'cause it was the longest sentence on the planet. Effectively, smart cities are increasingly under attack by a variety of threats, ransomware, sophisticated cyber attacks on critical infrastructure. No, but it's on top of all that,
Graham Cluley
Okay.
Carole Theriault
of course, right?
Graham Cluley
Oh, I see, right. Yes. So Jack, is it possible that the ransomware attacks which you've been talking about against cities could actually in the long term be a good thing, because it will wake up other cities to these threats and get them thinking more about security?
Jack Rhysider
Yeah, I think city analysts, city people, what are they? They're these people who work in the cities. They are definitely paying attention to all these ransomware threats, and they're glued to this news when they see another city doing it, because how did they pay, did they not, how did they hire, who helped them. You know, it's like, well, hey FEMA, you helped that city, why don't you help us too when we get hit?
Graham Cluley
I think it's a little bit like the shift which we saw maybe 20 years ago, because prior to Amazon, for instance, a lot of people's experience of e-commerce was not entirely satisfactory. And a lot of people just laughed at the thought of ever entering their credit card information on the web. And then Amazon came along, and it turned out not only could you order things, but things would arrive.
Carole Theriault
There was research published by the Georgia Institute of Technology this month. And they found that if a hack randomly stalled 20% of cars during rush hour in Manhattan, it would cause complete road chaos. They said if even just 10% of the cars at rush hour were affected, it would create enough blockages to stop emergency vehicles from getting through traffic.
Graham Cluley
You know what? You guys are right. Why do we have this show? We shouldn't even bother. I think we should just build a big, beautiful wall around all of these cities, rather like the one which disconnected itself from the internet. A huge wall or a moat or something like that filled with boiling oil. And that could stop all of these attacks from happening.
Carole Theriault
And also there's this— have you heard of Google's Sidewalk Labs?
Graham Cluley
No, what's that?
Carole Theriault
So this is a Google Alphabet sister company, and they've been trying to create a smart city in Toronto. And they were, this is affordable housing. We can build it faster, cheaper, smarter than anybody else.
Graham Cluley
So hang on, this is something which Google have initiated?
Carole Theriault
Yes, yeah, Google Sidewalk Labs.
Graham Cluley
So they're going to have data-driven adverts or something? They'll determine who's walking down the street and—
Carole Theriault
Can you imagine? In a way you kind of want to see what they would do, but I kind of wish they weren't doing it in a city that is—
Graham Cluley
You just don't want it to be a Canadian city, right?
Carole Theriault
Yeah, no, I just don't. I think they should do it somewhere where, you know, where there's a military base and people are paid to live there, so they can actually study it and do it properly.
Graham Cluley
Oh yes, that's fine, isn't it? Yeah, just experimental soldiers, Carole. Great, yeah, that's never caused any problems in the past. What do you think? Seriously.
Jack Rhysider
I would just be happy if my town had gigabit internet.
Carole Theriault
Oh really?
Graham Cluley
Oh yeah, that's true. If you had gigabit internet, I'm prepared to put up with anything, frankly. You know, it's steal my firstborn child.
Jack Rhysider
Yeah, I would say to my cities, start there, and then we can talk about the next thing.
Graham Cluley
Fantastic. So you've got an IT security team, but you want to turn them into security superstars. How can you best provide each employee with the opportunity to upskill themselves?
Carole Theriault
Fact: if you don't have a password policy in your place of work, you can bet your bottom dollar that someone somewhere has selected one of the following passwords: 1111, 1234, or maybe the very complicated to hack 123abc. Don't let them do it, guys. Look into LastPass Enterprise. It will help you sort out all your poor passwords and put you back in charge. Learn more about LastPass Enterprise at lastpass.com/smashing. That is lastpass.com/smashing with a G. And that you heard about
Graham Cluley
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
Carole Theriault
Pick of the Week.
Jack Rhysider
Pick of the Week.
Carole Theriault
The left button does that, right?
Graham Cluley
Good man. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Jack Rhysider
No. No.
Carole Theriault
Better not be.
Graham Cluley
Oh, because this week—
Carole Theriault
Graham Cluley!
Graham Cluley
Well, I— it's kind of security, kind of privacy. I thought it was kind of important. I thought listeners would be interested in it because Facebook has just announced this week a new feature which they're rolling out into their app. Called "Off-Facebook Activity," and I'll include some links in the show notes where you can read more, including a fact sheet about this.
Carole Theriault
These are two issues I don't want to talk about in Pick of the Week— Facebook and private messaging.
Graham Cluley
Well, you might like this, because maybe this is a good thing. You can decide at the end of the Pick of the Week. Facebook's new feature will let you see what apps and websites are sending them information about your activities, and optionally let you clear that information from your account if you wish.
Carole Theriault
The cool Rory. Yeah, cool Rory.
Graham Cluley
Basically what you'll be able to do is you'll be able to clear your history and prevent your future off-app behavior being tapped by Facebook, although there are some caveats.
Carole Theriault
What do you mean future?
Graham Cluley
So you'll be able to say to Facebook, I don't want you collecting any of this stuff in future, at least not associating it with my account.
Jack Rhysider
Oh yeah. Yeah. Maybe.
Carole Theriault
It's like a review. Yeah. So if App A is associated with my Facebook account, which I do not have, I'm proud to say, but let's say, right. Yeah. And so I turn this feature on, and what it will announce to me is, hey, you know that A is grabbing all this information or giving us all this information.
Jack Rhysider
I'll go, whoa, stop that.
Graham Cluley
If you go into the setting right now, you will be able to see what apps and what websites have been serving up information to Facebook and associating it with your account. So you'll be able to tell it, stop doing that in future.
Carole Theriault
What? It's quite clever. It's for a security nut like me, I might want to go in just to see what Facebook activity they've been gathering to date.
Graham Cluley
Well, exactly. And it may give you a bit of a shock.
Carole Theriault
I'm not doing it.
Carole Theriault
Not falling for it.
Graham Cluley
Oh, I see. You're thinking of— Yeah, yeah, no, you're thinking of—
Carole Theriault
I'm on to you, Facebook.
Graham Cluley
You're thinking of bringing back your account from the dead just to see what it's been doing. Now, disappointingly, and this is Facebook, of course, so don't be surprised, hitting Clear History doesn't actually delete your data.
Carole Theriault
Of course it doesn't.
Graham Cluley
Of course it doesn't.
Carole Theriault
Such assholes.
Graham Cluley
It just unlinks it from your profile and apparently maintains it in a pseudonym— can I say pseudonymous? Can you say that, Carole?
Carole Theriault
Well, no, you can't actually. Jack, would you like to tackle that word?
Jack Rhysider
Pseudonymous.
Graham Cluley
Anyway, and they're even saying that they won't do that in some circumstances. If they think that you're a bit suspicious with your Facebook activity or engaged in fraud or naughty things, they will still retain a certain amount of the information they save for a longer time.
Carole Theriault
Get off Facebook, my advice.
Graham Cluley
Well, exactly.
Carole Theriault
What do you think, Jack? Are you a Facebook user?
Jack Rhysider
I know, but when you get on Facebook, it's a million options on clicking. There's just so many different settings that finding this one is gonna be really hard. And it's shifting sands all the time, because their settings have all— it just always feels like it's changing. And of course, you have to decide to turn off this Off-Facebook Activity.
Jack Rhysider
I've bought the same mouse 15 times in the last 10 years. And so this is not a new mouse, but I love this mouse so much that I thought I might share it with you.
Carole Theriault
What is it? Which one is it?
Jack Rhysider
This I'll tell you at the end, but look, okay, so I hear, I hear someone on this call scrolling, and I hear this. Me.
Graham Cluley
It's Carole.
Jack Rhysider
Listen to this noise, right? Okay, that's what a normal mouse scroll sounds like. Listen to my— how my mouse scrolls. It's hard to hear, but it's a smooth scroll, right?
Graham Cluley
It sounds a bit like a hamster wheel.
Jack Rhysider
It's spinning freely. It spins freely like a hamster wheel. And so I do a lot of scrolling, and so I can just scroll forever with this.
Carole Theriault
But the other thing is that it breaks often, though, if you've had 15 of them.
Jack Rhysider
Well, it doesn't. It's that I want one for my work computer and my other computer, and, you know, my dad's house, and everywhere I go. I just— I'm, you need this mouse.
Graham Cluley
Oh, for goodness' sake, why do you need 12 buttons?
Carole Theriault
He's young and smart. His brain's still intact, Graham.
Graham Cluley
How many fingers do you have?
Jack Rhysider
There's— but you can map it to whatever, right? And I'll tell you the one that just makes it— changes my life. Yeah, and that is the scroll wheel itself has a button you can click to the left or the right, right? So it's not just a middle click for the scroll wheel, but you can click left or right on the scroll wheel. And this I've mapped to copy and paste. So without putting my hand on the keyboard to say, what, two keystrokes on there, I can just keep my hand on the mouse and select something, copy and paste right from the mouse, because that's what I've selected.
Carole Theriault
Doesn't it? If you press the left button, you get a little— you get a little— you're faster. You're faster. I get it. I get it.
Jack Rhysider
Well, you can— so you can— I mean, running with the mouse—
Graham Cluley
You can—
Carole Theriault
Yeah, it's like— yeah, you're right. It's like 5 clicks compared to 2.
Jack Rhysider
Yeah. So I've remapped these buttons. Another one I did was search and find and all these other things, so that I can copy something and then hit find and then find it, right? You know, I hit that button to search for it. It's great. So I have so many fewer keystrokes I'm using on my computer, because I can just use them all on my mouse.
Graham Cluley
Jack, can you customize the different buttons depending on which application you're in?
Carole Theriault
Oh, that'd be good, wouldn't it?
Jack Rhysider
Maybe. I don't know.
Graham Cluley
There must be a tool out there which does it. But I'm just thinking if you were editing a podcast, for instance, how fantastic that would be for some of those functions which you regularly do. If you could do all of that from the—
Unknown
Ah, dreams.
Jack Rhysider
So, and the last cool feature is that the battery life is 3 years. So I'm rarely having to swap it out.
Graham Cluley
Is that because your hamster wheel is actually a generator, which is powering the battery?
Jack Rhysider
The model of this is the Logitech M705, and I've bought a dozen of them at this point. And yes, it's my pick of the week.
Graham Cluley
Okay. I'm Googling it right now to see if it looks like a weirdo mouse. Oh, it looks like a fairly ordinary mouse. Yeah.
Jack Rhysider
It's just a typical mouse.
Graham Cluley
The Logitech Marathon M705. Well, where are all these buttons on this?
Jack Rhysider
Yeah, they're just all around.
Graham Cluley
Hidden.
Jack Rhysider
They're embedded, yeah. So, I mean, the mouse wheel can click right and left, and then where the thumb usually rests on the side of the mouse, that's got 3 or 4 buttons.
Graham Cluley
How about that? Carole, what's your pick of the week?
Jack Rhysider
And, you know, got right and left button, and you've got the mouse down button.
Carole Theriault
Okay, before I get into the pick of the week, right, do you guys have any favourite sayings or idioms? "Bob's your uncle"?
Graham Cluley
Oh, I do.
Carole Theriault
"Fine words don't butter parsnips."
Carole Theriault
I thought it was "kind words don't butter parsnips." Maybe they're both right.
Jack Rhysider
Yeah, yeah.
Graham Cluley
Oh, maybe you're right.
Carole Theriault
I knew that would be your favourite. I had written that one down.
Graham Cluley
Oh, really?
Carole Theriault
Yeah, yeah.
Graham Cluley
I knew that was your favourite. Used in a salary negotiation. So when you— when you have a meeting with a boss and they say, "You've done really, really well," you say, "Yeah, thank you very much, but kind words don't butter parsnips." In other words, give me some money so I can put butter on them. That'd be nice.
Carole Theriault
Do you have one, Jack?
Jack Rhysider
"Think smarter, not harder."
Carole Theriault
Oh, I like it.
Carole Theriault
I like it. But I've got some seriously delicious ones for you. If you guys go to the link that I've provided, this is a list of 40 idioms that cannot be translated literally. And there are some glorious ones.
Graham Cluley
Oh, actually, maybe you shouldn't look.
Carole Theriault
Maybe you shouldn't look. You should tell me which country it comes from.
Graham Cluley
Okay, okay.
Carole Theriault
And you decide what country it comes from, right?
Graham Cluley
Okay, okay, okay, okay.
Carole Theriault
To wear a cat on one's head is the literal translation, and what it means is you're hiding your claws and pretending to be a nice, harmless person, Graham, but you're wearing a cat on your head.
Jack Rhysider
Turkey.
Graham Cluley
The only person I can think of about wearing a cat on the head is America, of course, with the current president. But I mean, it's obviously not America, so—
Carole Theriault
Japan!
Graham Cluley
Japan? Oh, okay.
Carole Theriault
Okay. Okay, you want another one?
Graham Cluley
Yes, please.
Carole Theriault
To blow little ducks.
Graham Cluley
Bulgaria.
Carole Theriault
It means to talk nonsense or lie.
Graham Cluley
Oh, thank heavens. I thought it might be rude. Anything else?
Carole Theriault
To slide in on a shrimp sandwich.
Graham Cluley
Okay, that one is definitely rude. That must be Swedish.
Carole Theriault
It is. It refers to someone who didn't have to work to get to where they are. So someone like— to slide— Paris Hilton slid in on a shrimp sandwich. How delicious is that? It's amazing. And there's also this one: balls of a swan.
Graham Cluley
Oh, that sounds— Estonia.
Carole Theriault
No, it means something that's impossible. And it's from Croatia. Oh, that's— Muda labudova.
Graham Cluley
Balls of a swan. Okay.
Carole Theriault
Balls of a swan. There you go. Anyway, there's 40 of them. Enjoy yourself. They're wonderful.
Graham Cluley
Are you suggesting people begin to incorporate these idioms into their own discussion? I mean, that'd be quite fun to do, wouldn't it?
Carole Theriault
Did you fall from a Christmas tree, Graham? I'm just saying you're not well informed, Polish style.
Graham Cluley
There's gonna be a lot of this going forward, isn't there? Well, I think that just about wraps it up for this week. Jack, I'm sure lots of our listeners would love to follow you online and find out more about your podcast. What is the best way for folks to do that?
Carole Theriault
Twitter.
Jack Rhysider
I'm pretty responsive there, Jack Rhysider, or just find me on darknetdiaries.com.
Graham Cluley
Cool. And you can follow us on Twitter at Smashing Security. SmashinSecurity, no G, Twitter won't allow us to have a G. And we've also got an active community now on Reddit as well. Go and find our Smashing Security subreddit and join in the chat.
Carole Theriault
With a G.
Graham Cluley
Yes, with a G on Reddit, yes.
Carole Theriault
A huge thank you to this week's Smashing Security sponsors, Immersive Labs and LastPass. And thanks to you wonderful listeners. Thanks to our new Patreon supporters and our new reviewers. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Graham Cluley
Until next time, cheerio. Bye-bye.
Carole Theriault
Bye.
Jack Rhysider
Bye.
Carole Theriault
A bit sexy there, Jack. Little bye.
Graham Cluley
So here's a little song, supporters on Patreon, made up of your names because, you know, we're in the privacy game. Here goes.
EPISODE DESCRIPTION:
Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.