JACK RHYSIDER
Let's see, this is what I've been saying, right?
In 5th grade, they asked me if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour?
I know this, but why doesn't a civil engineer know the answer to this, right? When I arrive at that intersection, it knows I've been doing the speed limit since the last 6 streets.
CAROLE THERIAULT
Why isn't it just turning them green? It should know when I'm arriving. Yeah, turn them green for Jack.
Unknown
Smashing Security, Episode 142: Mercedes Secret Sensors, Smart Cities, and Ransomware Runs Riot with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 142. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
GRAHAM CLULEY
We are joined by podcast royalty in the form this week of Jack Rhysider of Darknet Diaries.
JACK RHYSIDER
Not quite royalty, but I'm very happy to be here. This is the second time coming and it's really exciting to be here again.
GRAHAM CLULEY
You've made a return visit. I think that really means that you're part of the family now.
CAROLE THERIAULT
Yeah, it feels like it. And you've been doing a little bit of work with the lovely Maria.
CAROLE THERIAULT
So basically you are part of the family. So welcome.
JACK RHYSIDER
Yeah, it's great. Great being here again.
GRAHAM CLULEY
It's great to have you. And if anyone hasn't yet checked out Jack's podcast, really recommend it. Darknet Diaries.
Really good listen if you want to hear stories from the dark side of the internet.
CAROLE THERIAULT
And you come here to cheer up. It's perfect. Yeah.
GRAHAM CLULEY
So Carole, what stories have we got this week?
CAROLE THERIAULT
Well, first, a huge thank you to this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free.
Now on today's show, Graham delves into the lavish world of Mercs. Yeah, I mean cars. Jack will be visiting Texas, and I'll be looking into the ins and outs of smart cities.
All this and much more coming up on this huge episode of Smashing Security.
GRAHAM CLULEY
What makes it huge, Carole? What makes—
CAROLE THERIAULT
Why don't you watch and find out? You haven't seen my story yet. Settle in, guys.
GRAHAM CLULEY
Now, chaps, I wonder, Jack, are you a driver? Do you have an automobile?
JACK RHYSIDER
Yes, I do. I only have one car, though. It's an older car, so it's not one of these special smart ones or internet-connected.
GRAHAM CLULEY
Very sensible, I would argue. Now, some people, Carole, I don't know if you have, but I used to own a Mercedes.
CAROLE THERIAULT
What, your hairdresser's car?
GRAHAM CLULEY
Look, I don't know why you always called it a hairdresser's car. I mean, it was in my days of not being a parent. And so it did only allow me to—
CAROLE THERIAULT
There was a cartoon. I can't even remember what cartoon it was, but there was this huge chested guy with this big blonde foppish hair.
And he would drive around a red little convertible thing that was much smaller than his body. Basically, that's what you looked like.
GRAHAM CLULEY
Well, thank you for saying I had a big chest, Carole. That's very kind of you. I think it slipped somewhat. Rather like obelisks.
But I don't know if either of you have been reading The Sun newspaper. The Sun newspaper.
CAROLE THERIAULT
Oh dear, I get it delivered, of course.
GRAHAM CLULEY
I put the word newspaper in quotes. Are you familiar with The Sun, Jack, at all?
JACK RHYSIDER
Well, isn't it— is it for a specific city, or is it just The Sun?
CAROLE THERIAULT
No, it's the same.
GRAHAM CLULEY
It's a national newspaper here in the UK run by Rupert Murdoch, and it's not really a newspaper. It was famous for its—
GRAHAM CLULEY
Yes, it's Page 3 beauties back in the day. I don't know if they still do that. It is a very high-selling newspaper, not renowned for its high quality, however. Quite tabloid.
CAROLE THERIAULT
Do you remember when they tried to address the Page 3 problem, which was basically scantily clad women, by introducing— I don't know if this was just in Canada, but in Canada on page 7, you'd have this tiny black and white Page 7 guy.
GRAHAM CLULEY
Yeah, it's called the Page 7 fella. That's what they had, yes.
CAROLE THERIAULT
So it was international. There you go.
GRAHAM CLULEY
Yes, yeah, we had the Page 7— well, I didn't, but yes, it was. Brilliant.
Anyway, the reason why I'm talking about The Sun— normally I wouldn't source my stories about the crazy world of online security and privacy from The Sun, but they ran a story which has been picked up by a number of other media outlets about Mercedes-Benz cars.
And specifically, they said that Mercedes dealers in the UK, and who knows where else in the world, were fitting tracking devices to all new and used cars sold by Mercedes.
And these could, if activated, pinpoint a car's precise location.
CAROLE THERIAULT
What, so a tracking device, basically, if you get into trouble, we'll be able to find you without a phone call, kind of tracking device?
GRAHAM CLULEY
That kind of device. So I guess it was communicating in a GPS-style way. So Jack, for instance, I mean, you're obviously someone who wants to preserve your privacy. I understand that.
Most of us, we don't want our information out there. But this would be a way for the guy who sold you your car potentially to find out where you live or where you go.
JACK RHYSIDER
That's the way you have to balance it, right? Is there more of an upside?
Is there more of a benefit to having somebody know where you are versus having your private information in the hands of somebody you don't know? And that's the hard balance.
GRAHAM CLULEY
And if you're someone a bit hot, right? You, Carole. I mean, obviously not at the moment.
CAROLE THERIAULT
You don't mean temperature having a fever. You mean more good looking.
GRAHAM CLULEY
You're a pretty hot tamale, right, Carole?
CAROLE THERIAULT
Definitely, absolutely, yeah, the hottest.
GRAHAM CLULEY
If the Mercedes dealer took a shine to you, they might be interested in where you go, what clubs you go to.
You know, imagine if every time you went to the discotheque, there was the Mercedes dealer doing the Lambada or a John Travolta or something.
CAROLE THERIAULT
What a stalker. Yeah, no, that sounds fun. That sounds great fun.
GRAHAM CLULEY
Not fun at all, Carole.
CAROLE THERIAULT
Love that. Yeah, yeah.
GRAHAM CLULEY
No, obviously. Anyway, so Mercedes said that these sensors are put into every car. And this is different from your optional extra, right?
Sometimes you buy an expensive car and you say, well, for security reasons, I want it to have the ability to track it if it gets stolen, for instance.
This is something which is put in all of the cars. And Mercedes say it's only activated in extreme circumstances. So I was thinking, well, what are the extreme circumstances, right?
Would it be a life or death situation, for instance, or a missing person?
GRAHAM CLULEY
And I was reminded of this. You may remember there's a past Pick of the Week, which we talked about called What3Words.
And there was a story earlier this year about a mother and daughter, who were rescued after they had a car crash in a remote rural part of Somerset in the UK, avoiding all the combine harvesters and things.
Must have crashed into a hay bale.
GRAHAM CLULEY
Well, no, that's very flattering for people from Somerset.
And all they had to do was use the What3Words app, and it gave them 3 coordinates, which allowed the police to exactly pinpoint their location.
Unknown
Calling through to the police. What's the location of your emergency?
Unknown
We're on a road. I'm not entirely sure of the road. We've just been involved in a road traffic accident. There's at least 4 cars in it.
I'm just going to try and find out the actual road.
Unknown
Okay. What I'm going to do is I'm going to send you a very quick link to your phone. Are you able to use your phone while you're on it, or is it not?
Unknown
Yeah, yeah, yeah, I think so, yeah.
Unknown
So it's called What3Words. So if you click on the link, it will give you 3 separate words for your location, and when I put them in, it will tell me where you are.
Are you happy to do that if I send it to you?
Unknown
Yeah, yeah, yeah. Brilliant.
CAROLE THERIAULT
Very cool.
GRAHAM CLULEY
So that's one way in which it can happen. So is it life or death situations? Is it missing persons?
And apparently, no, that's not the extreme circumstance in which Mercedes turn this on. And I thought, well, is it law enforcement?
Is it if your car is stolen or if your car is used in some sort of criminal activity? And again, no, those aren't the extreme circumstances.
CAROLE THERIAULT
So it has to be more extreme than what you're saying.
JACK RHYSIDER
Oh, I know, I know. You didn't pay your bill.
GRAHAM CLULEY
That was a guess.
CAROLE THERIAULT
Jack, it's a good guess.
GRAHAM CLULEY
Oh my God. What Mercedes-Benz care about is: have you kept up to date? Have you defaulted on your finance payments? They can track down your car and they can seize it off you.
JACK RHYSIDER
Okay, so I don't like this idea. And the thing is, because you're not treating the customers as adults here, you know, you're treating them as kids who are immature and irresponsible.
And if you're going to pull your little trick on them to get your car back, it's just not going to play well.
GRAHAM CLULEY
I mean, and sometimes people can be immature and irresponsible, right? I mean, I remember— I'll tell you a story, actually, Carole, about that car you were talking about.
CAROLE THERIAULT
Your hairdresser's car?
GRAHAM CLULEY
No, I don't know technically. There's nothing wrong with hairdressers, by the way, or their vehicles.
But I used to live next to a petrol station, or gas station, as I believe they call them over stateside. And I used to pop round there because it had a little store attached, right?
So it was my local where I could go and get a pint of milk or whatever.
One day I drove home, I was running low on fuel, I parked in the petrol station, filled up with petrol, went into the store to pay, and then I walked back to my apartment.
CAROLE THERIAULT
Leaving your car at the gas station.
GRAHAM CLULEY
Leaving my car because I was so used to doing the walk. I wasn't used to driving from there to my apartment, which was next door. Well, I left my car there for two days.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
By the gas pump. Preventing other people from using, getting any petrol.
CAROLE THERIAULT
And so you.
GRAHAM CLULEY
So I woke up the next morning, I opened my curtains and thought, where's my car gone? It's been stolen. Oh no. Looking outside my house.
CAROLE THERIAULT
Are you lying? I've never heard this story.
GRAHAM CLULEY
Oh no, it's a true story. And then I ran through my memory. I thought, well, what was I doing? What was I doing? What happened?
I thought, "Ah, it's still at the petrol station." So I popped round there and sort of quickly scarpered.
CAROLE THERIAULT
Did you have a driveway or were you parked somewhere communal?
GRAHAM CLULEY
No, it was like a communal car parking thing. You know, it's back in the day, Carole, back in the day.
Anyway, so I would've felt this would've been really helpful back in those days. You know, use it as a lost car sort of device. Would be fantastic.
But no, they're using this to try and get money. They're passing on the information to bailiffs so they can track down any Mercedes and repossess it.
CAROLE THERIAULT
And are they telling you that they're doing this? They're telling you that they have a tracker in your car? It must be in the T&Cs somewhere.
GRAHAM CLULEY
Well, Mercedes say around 80% of new cars from Mercedes are sold on finance plans. And apparently, if you do read all the small print when you sign off your—sign off your soul—
CAROLE THERIAULT
To buy a Merc.
GRAHAM CLULEY
To buy a Mercedes. It is included in there that we reserve the right to use, you know, in extreme circumstances, we can find out where you are and then get your car back.
CAROLE THERIAULT
So you can pay us your final bill.
GRAHAM CLULEY
Right. Right. Now, human rights groups and privacy campaigners are a bit concerned about this.
Liberty, for instance, have said that they're disturbed by this revelation and say it's all part of the creeping growth of surveillance.
It is easy to see, isn't it, how this kind of feature could be abused by governments.
For instance, they could put pressure on car manufacturers to share details of a vehicle's location. Or for intelligence agencies to hack a car manufacturer?
Am I getting carried away with this or not?
JACK RHYSIDER
I think we need to bring it closer to home, right?
JACK RHYSIDER
I'm seeing a rash of incidents lately where domestic cyber spying is happening, where this is a husband spying on their wife or a boss spying on their employee, and they're using different tools to do that through their phones and turning on cameras and this kind of thing.
And that is what could very well happen. A jealous boyfriend or something could figure out a way into this and start seeing the exact location of their girlfriend's Mercedes.
GRAHAM CLULEY
Or maybe if they actually worked at the car company, maybe they would have access to these tools, just like we've seen in the past, people who work for the police abusing databases, which they have access to, or looking up people's criminal records.
Similarly, you might have someone at the car company who's able to determine where a particular car is.
JACK RHYSIDER
Yeah, but all that still just assumes that this whole thing is secure. And we haven't even got to the point of, are they good? Is Mercedes good at holding onto my data?
And I don't know.
GRAHAM CLULEY
Right, yeah.
And we've certainly seen big car companies in the past goof up both in the firmware of their vehicles and also sometimes their own websites and systems have been breached.
CAROLE THERIAULT
I wonder whether they're collecting this information. So presumably if these trackers were put on any car, right?
Just in the off chance, someone doesn't pay their bill, that data must be being snarfed all the time and collected into a database.
I don't know if you just turn it on if someone doesn't pay the bill or if it's just always on, you just go look at the database when you need to.
GRAHAM CLULEY
From my reading of it, and who knows if this is accurate because it is the Sun newspaper this week. It is the Sun. And Shirley from Basildon, you know, 34 23 36.
They say that the sensor has to be activated.
So Mercedes are trying to reassure people this isn't turned on all the time, but only in really, really serious situations, i.e., if they're about to lose money, do they enable it?
CAROLE THERIAULT
That's weird as well, right? That you have something on your car that can be remotely activated by a third party without your knowledge.
GRAHAM CLULEY
Well, cars these days, I mean, they are the mobile internet device.
CAROLE THERIAULT
Your car is crazy.
GRAHAM CLULEY
No, my car doesn't do anything like that. My car beeps if I drive badly. That's what upsets you, is all the beeps it gives me.
CAROLE THERIAULT
Yeah, fair enough. That's probably right. It's not the car. You're right.
JACK RHYSIDER
Here's my call to action here.
JACK RHYSIDER
This is just a matter of time before somebody figures out where that tracking device is and just yanks it off the car and then puts that on the internet and says, here's how to disable the tracking device.
Because there's really literally no upside for the customer here. So everyone would just say, well, I need to disable this.
There's nothing I get out of this and just pull it right off.
GRAHAM CLULEY
Yeah, I think you're right, yeah. So my advice for anyone who doesn't want to be tracked by the likes of Mercedes and their cars would be to drive some old beat-up car instead.
Maybe like Jack has got. Do you remember the Robin, the Reliant Robin? Do you remember that?
CAROLE THERIAULT
I don't think Jack would have ever seen one of these. I didn't know they existed till I moved here. And you do see them on the road now.
GRAHAM CLULEY
You still see them.
CAROLE THERIAULT
It's a three-wheeled car, Jack.
CAROLE THERIAULT
It's a real beauty.
GRAHAM CLULEY
They had to be very careful going round roundabouts because they would sometimes topple over. Oh, yes. Anyway, Jack, what have you got for us this week?
JACK RHYSIDER
Well, so last year Atlanta got hit with ransomware. This is becoming an epidemic or pandemic, whatever the word is. Ransomware is hitting US government cities.
And Atlanta didn't pay the $52,000 in ransom last year, but instead they spent $2.4 million cleaning it up.
CAROLE THERIAULT
That's right. Yeah, it's shocking. And it's depressing.
GRAHAM CLULEY
Well, is it depressing? Should we—
CAROLE THERIAULT
Well, yes. It encourages people just to pay the ransomware. No, no, they didn't pay.
GRAHAM CLULEY
That's the thing.
CAROLE THERIAULT
I know, but when other cities see the bill.
CAROLE THERIAULT
Right? They'll go, fuck, let's just pay. Dear God, let's get this headache over with. Why do the right thing? It's too expensive.
JACK RHYSIDER
So there's more here. So Baltimore this year got hit with a $70,000 ransomware and they didn't pay. Instead, they spent $18 million cleaning it up.
CAROLE THERIAULT
You see? You see? Or are they just padding? Are they padding the numbers?
GRAHAM CLULEY
Well, just to get a bit—
JACK RHYSIDER
I'll put the links in the show notes so you can double-check for yourself.
But the FBI discouraged them from paying because they said, hey, even if you pay the $70,000 in ransomware, you've got a lot of problems you need to clean up, which is going to cost you a million anyway.
So you might as well just do a full top-down inspection of everything and spend the money.
JACK RHYSIDER
So this year has been just a phenomenal year. We've had 60 ransomware attacks on state and local government in the US alone.
Lake City in Florida paid $460,000 in bitcoin just, I think, last month.
CAROLE THERIAULT
To get rid of the headache.
JACK RHYSIDER
To just get rid of it. That's it. So that city completely paid. Another city in Florida, Riviera Beach, paid $600,000 in ransomware fees.
But that one was interesting because they had insurance to cover it.
CAROLE THERIAULT
That's interesting. So is that what cybersecurity insurance is for, to pay the ransoms? Possibly.
JACK RHYSIDER
I've never thought about that.
CAROLE THERIAULT
I never even thought about that. Oh, yeah. It's one of the costs.
GRAHAM CLULEY
I mean, it's not the only cost. That's the thing. It's not just—
CAROLE THERIAULT
It's immoral. If you have life insurance, right, and you get kidnapped, can you use the life insurance money to get you out?
GRAHAM CLULEY
Carole, you can get insurance for anything, surely, can't you?
If you're prepared to pay enough of a premium, I could get insurance for alien abduction, I'm sure, if I was able to prove it was alien abduction.
CAROLE THERIAULT
Report in to us next week, tell us how it goes.
GRAHAM CLULEY
Anyway, Jack, sorry, Carole was completely distracted. Phishing infected us, so it wasn't me.
JACK RHYSIDER
So yeah, so on Friday I saw this story that 23 towns in Texas were hit with a coordinated ransomware attack, and the Texas governor has actually issued a level 2 escalated response, where level 1 is the highest threat level, which is emergency.
So they're getting close to having a statewide emergency there in Texas.
GRAHAM CLULEY
It's like a DEFCON alert basically, isn't it?
GRAHAM CLULEY
This is pretty serious.
CAROLE THERIAULT
23 in a coordinated attack. That's the first time I've ever heard of that.
JACK RHYSIDER
And the investigators are thinking this is from a single threat actor.
Most towns are not admitting to this right now, so we don't really know what towns, but there's one town called Borger in the Panhandle.
And they said this is affecting city business and financial operations.
Birth and death certificates are not available online, and no payments are being accepted for utility payments from their 13,000 residents right now.
Nobody can pay the bill because the systems are down.
GRAHAM CLULEY
Because there have been problems sometimes in the past of people who've actually had their power cut off because they haven't been able to pay their bills due to ransomware hitting a particular city.
So I imagine if some sort of payment system is down, you have to be careful that any sort of background process isn't also going to be affected and take matters into its own hands.
JACK RHYSIDER
Yes. And another city in Texas, which was not hit, called Denison, Texas, just said, you know, forget it. We're unplugging. And they took down their own internet today as a precaution.
CAROLE THERIAULT
Yeah. Try and get us. We're not even online, dudes.
GRAHAM CLULEY
Well, good luck to their residents being able to pay their bills online, of course. That's right. It could be a challenge.
So they believe that this is the same hacker or group of hackers who are organizing all of these attacks.
I mean, potentially they could be making an awful lot of cash if some of these towns do agree to pay up, like some of the places you've already mentioned, which did pay up.
JACK RHYSIDER
Yeah, they could sweep up here. I mean, that's one of the things about this ransomware is that it is pretty profitable. It's easy to spread and get in there and pretty profitable.
CAROLE THERIAULT
You're making me wonder whether Texas has a reputation for paying these bills, in the way that you talked about Florida earlier, that they've paid the ransom.
Maybe Texas has— these systems have been hit before individually at times and Texas has paid the ransom.
So it suddenly became quids in, dudes, hit, you know, hit 23 at once and they've already got the precedent set in place. Hmm.
JACK RHYSIDER
That's an interesting theory. I was thinking more along the lines that it might be targeted because a similar department might be overseeing some of these systems.
And so you have the similar vulnerability that you can use in each place.
GRAHAM CLULEY
It's curious though, it seems to be all these cities recently which have been hit rather than maybe more regular organizations.
Is that suggesting to us that councils and towns aren't protecting themselves as well as commercial organizations?
CAROLE THERIAULT
I just think of how many people are available, right, in a city. You have a city of 100,000 that might be using a specific—
GRAHAM CLULEY
Oh, you think the stakes are higher because of the number of people?
CAROLE THERIAULT
The stakes are higher because there's more people available. In a company, you might have 1,000 or 500 or, you know, and you might go for the big spearfish, right?
Go for the CEO, CTO, CIO.
CAROLE THERIAULT
And maybe then it's quids in.
JACK RHYSIDER
Yeah, it's— I mean, you put ransomware on one person's computer, you can get, what, $300 out of them?
JACK RHYSIDER
But you put it on a company, a hospital, a state, a city government, you're going to get a lot more out of that. So it's definitely a lot more profitable.
And especially when you're impacting the way the bills are getting paid, they're not getting paid until this is fixed. So, you know, it puts a real big spanner in the works.
CAROLE THERIAULT
And, you know, in my experience, things like councils and education and health tend to have systems that are a little bit more ropey than state-of-the-art firms.
It's just a lot more Scotch tape and spit holding things together because funds are shorter. You don't have as much money, you don't have as much resources.
So maybe they're an easier mark.
GRAHAM CLULEY
I suppose you have to justify every buck, don't you, in the city council?
CAROLE THERIAULT
Absolutely.
GRAHAM CLULEY
Whereas in a commercial organization, you may have seen past victims of this kind of thing and think, we have to invest in security, we've got to protect our staff, we have to prevent these kind of things from coming in.
JACK RHYSIDER
Yes, and that sort of transitions me into the next part of this story, which is who's there to help them?
When it comes to pay rates and stuff, commercial and retail, they'll pay higher, and then you got state and government kind of paying a little lower, and maybe schools paying a little less than that, and charities and nonprofits paying even less.
So you don't get the cream of the crop security people working in these state and local governments.
And often I hear that these people, it's really hard to get fired out of here, which means that people are just going to kind of do their minimum job, what they need to do not to get really fired.
And even then they probably don't even get fired. So they just don't have a good cleanup crew.
So some of the people who are coming to help in Texas: FEMA is actually going down there to help. The Department of Homeland Security is assisting.
Texas A&M's Information Technology and Electronic Crime Unit is getting involved, which is their college down there. And even the Texas military department is throwing in their hat.
GRAHAM CLULEY
Going in with tanks. I mean, where's this gonna stop? They need some kind of superhero, don't they? We started— We saw it in Florida.
CAROLE THERIAULT
Oh, do you want to get your tights out, Graham?
GRAHAM CLULEY
Well, I don't think me. I'm just wondering what city. Could it be Gotham City next? Could it be Batman who has to come?
Commissioner O'Hara ringing the Batphone, getting Batman and Robin in. Carole, what have you got for us this week?
CAROLE THERIAULT
In my story, we're visiting the land of smart cities. And the thing is, people use this term a lot, right? Smart city.
And I didn't actually know how to define it or what the advantages and disadvantages really were.
So I thought I'd do a little spot of digging and we could sift through some of the highlights and see whether we're thumbs up or thumbs down.
Now, a smart city is one that uses digital info and communication tech to enhance the city, right? To enhance the quality of the services it delivers.
So things like transport or health or climate or connectivity or crime or everything.
GRAHAM CLULEY
The kind of things which could be messed up with a ransomware attack. That's the sort of thing you're thinking about.
CAROLE THERIAULT
Exactly. So, you know, when there's a city with enough IoT services, we've got what boffins are calling a smart city. And I don't think that's the right term.
It should be smarter city, because it's not all or nothing really, is it? It's a gradient of smartishnesses, whatever.
Anyway, so I'm digging around and I get my hands on a list of smart city tenders.
And this is what appears to be published by city councils around the world looking for an expert to make their city pop with some smartness. And there are a lot of them.
There's a link in the show notes, but we're talking things like intelligent traffic and public transport systems, bike share schemes, air quality monitoring, smart solar storage, automatic weather stations, disaster alert systems, citywide Wi-Fi services, electric vehicle charging points.
It goes on and on and on. Storm pollution control plans. All these things could make life so much better for all of us, right?
But it does depend on real-time local data in order to work in a lot of cases.
CAROLE THERIAULT
And that means you need a whole host of data collection, right? So you have things like city sensors around the city. And you also have data from residents and visitors.
This would be gathered probably through apps and cellular use and city-hosted Wi-Fi. All of this information that they're able to collect from devices can feed into various systems.
GRAHAM CLULEY
So far, this all sounds very secure and nothing for anybody to worry about.
CAROLE THERIAULT
We should just record that and then just play it every episode, don't you think? It's a real standard.
And all this data is used to create a system of smart behavior and alerts which are supposed to help us.
So imagine, for example, if traffic lights could automatically change pattern when traffic was increasing from one direction versus another.
JACK RHYSIDER
Well, see, this is what I've been saying, right?
In 5th grade, they asked me, if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour?
I know this, but why doesn't a civil engineer know the answer to this, right? When I arrive at that intersection, it knows I've been doing the speed limit since the last signal.
CAROLE THERIAULT
Six streets. Why isn't it just turning them green?
JACK RHYSIDER
It should know when I'm arriving.
CAROLE THERIAULT
Yeah, turn them green for Jack.
JACK RHYSIDER
This is basic algebra.
CAROLE THERIAULT
And maybe bins, right, would have sensors so that when they're full, a little sensor alerts the team that needs to come, you know, that they're ready to be picked up.
The bonus, sweet smelling streets, I guess.
GRAHAM CLULEY
I'd just be happy with loos, public loos, which did something like that, Carole, which were able to tell when last time they'd been used.
And so you could determine which one was used least recently. What, on the outside?
CAROLE THERIAULT
There'd be like— it would turn brown or something? Yeah.
GRAHAM CLULEY
Well, no, not brown. It would give you a green light. The other ones would be brown. So you'd know which one is most likely to be safe to use.
That's what I want to see, that kind of technology.
CAROLE THERIAULT
There's life-saving possibilities here, up-to-the-minute information about accidents on the roads.
So you could actually navigate help to the scene automatically without needing a passerby.
And this would be huge in the UK, because if you stop alongside a car in distress and say the guy's eyeballs are hanging out of his face in the UK and you say, "Are you okay?" They'll be like, "Oh gosh, yes, I'm perfectly fine. Sorry to trouble you." It's insane over here. So this would help lives, it would save lives. So this is all great.
And I do hate to ruin the whole Shangri-La-esque utopia that I've painted here, but there is a flip side, which we've already investigated earlier in the show.
With everything connected and automated, it can make things much more disastrous if the system is disrupted in some way. So a vulnerability exploit, a data breach, a DDoS.
And as we saw in the tenders, cities are actively looking for third-party experts to come in and make their cities smarter. They want their smart city dreams to come true.
And from my reading today, this is a hot market and cities are competing for services and techies are promising a shiny world. And the question is—
GRAHAM CLULEY
They must at the same time when they're asking for people to pitch for this kind of stuff, they must also say, but you have to do it securely.
They must be saying we want all these really cool features.
CAROLE THERIAULT
Let's play the game, right? So I'm the third party. So you're going to say to me, you really have to do this securely. And I'm like, of course, sir.
CAROLE THERIAULT
Well, what questions are you going to ask me? What questions are you going to ask me to kind of gauge how secure it's going to be?
GRAHAM CLULEY
I haven't thought about this sort of thing, Carole, but clearly, I mean, you sound like someone who works at a council office.
CAROLE THERIAULT
So the question is, are cities perhaps so hungry to get ahead of the competition, they're not thinking deeply enough about security?
CAROLE THERIAULT
So there's this guy, Dimitrios Pavlakis, okay? He's an industry analyst at ABI Research.
And today, just today when I was doing this research, this press release comes out and I'm gonna paraphrase his quote 'cause it was the longest sentence on the planet.
Effectively, smart cities are increasingly under attack by a variety of threats: ransomware, sophisticated cyber attacks on critical infrastructure.
GRAHAM CLULEY
Okay.
So Jack, is it possible that the ransomware attacks which you've been talking about against cities could actually in the long term be a good thing because it will wake up other cities to these threats and get them thinking more about security?
JACK RHYSIDER
Yeah, I think city analysts, city people, what are they? They're these people who work in the cities.
They are definitely paying attention to all these ransomware threats and they're glued to this news when they see another city doing it because how did they pay, did they not, how did they hire, who helped them.
You know, it's like, well, hey FEMA, you helped that city, why don't you help us too when we get hit? So yeah, they are definitely paying attention to all this stuff.
And you know, here's what I think. Let's go back.
Let's get out of our modern heads for a second and think about our cities when they started going online and allowing you to pay your bills online.
We were saying, you know, this isn't safe, this is insecure, and all these things. And it was really ugly at the time, you know, it just didn't look good.
And there was even an extra fee or something, oh, there's a convenience fee to pay online.
And so that shift of saying, okay, well, we're going to do what we used to do all the time, which was nice and secure, and we're going to shift it to this newfangled internet thing.
That was quite a mind shift in our head.
And it feels like that's a new phase of this now is not only are we shifting to the future here, which is very internet-connected stuff, but it's giving up all this extra data and telemetry and all this stuff.
And again, it comes down to, is the upside bigger than the downside?
GRAHAM CLULEY
I think it's a little bit like the shift which we saw maybe 20 years ago because prior to Amazon, for instance, a lot of people's experience of e-commerce was not entirely satisfactory.
And a lot of people just laughed at the thought of ever entering their credit card information on the web.
And then Amazon came along and it turned out not only could you order things, but things would arrive.
CAROLE THERIAULT
You know what? You guys are right. Why do we have this show? We shouldn't even bother. We should just be, let's get with the times. Let's not worry about anything.
GRAHAM CLULEY
I think we should just build a big, beautiful wall around all of these cities, rather like the one which disconnected itself from the internet.
A huge wall or a moat or something like that filled with boiling oil. And that could stop all of these attacks from happening.
CAROLE THERIAULT
You want to hear some crazy research that's kind of tangentially aligned to my story?
There was research published by the Georgia Institute of Tech this month.
And they found that if a hack randomly stalled 20% of cars during rush hour in Manhattan, it would cause complete road chaos.
They said if even just 10% of the cars at rush hour were affected, it would create enough blockages to stop emergency vehicles from getting through traffic.
GRAHAM CLULEY
10%, frankly, is probably better than normal, isn't it? It's probably better than a normal day.
CAROLE THERIAULT
No, but it's on top of all that, of course, right?
GRAHAM CLULEY
Oh, I see, right. Yes.
CAROLE THERIAULT
And also there's this— have you heard of Google's Sidewalk Labs?
GRAHAM CLULEY
No, what's that?
CAROLE THERIAULT
So this is a Google Alphabet sister company, and they've been trying to create a smart city in Toronto. And they were, this is affordable housing.
We can build it faster, cheaper, smarter than anybody else.
And this US venture capitalist, Roger McNamee, in June warned this is the most highly evolved version of surveillance capitalism to date. So it's basically on ice at the moment.
GRAHAM CLULEY
So hang on, this is something which Google have initiated?
CAROLE THERIAULT
Yes, yeah, Google Sidewalk Labs.
GRAHAM CLULEY
So they're going to have data-driven adverts or something? They'll determine who's walking down the street and—
CAROLE THERIAULT
Can you imagine? In a way you kind of want to see what they would do, but I kind of wish they weren't doing it in a city that is—
GRAHAM CLULEY
You just don't want it to be a Canadian city, right?
CAROLE THERIAULT
Yeah, no, I just don't.
I think they should do it somewhere where, you know, where there's a military base and people are paid to live there so they can actually study it and do it properly.
GRAHAM CLULEY
Oh yes, that's fine, isn't it? Yeah, just experimental soldiers, Carole. Great, yeah, that's never caused any problems in the past. What do you think? Seriously.
JACK RHYSIDER
I would just be happy if my town had gigabit internet.
CAROLE THERIAULT
Oh really?
GRAHAM CLULEY
Oh yeah, that's true. If you had gigabit internet, I'm prepared to put up with anything, frankly. You know, it's steal my firstborn child.
JACK RHYSIDER
Yeah, I would say to my cities, start there and then we can talk about the next thing.
GRAHAM CLULEY
Fantastic. So you've got an IT security team, but you want to turn them into security superstars. How can you best provide each employee with the opportunity to upskill themselves?
Immersive Labs provides a cloud-based system, meaning it's available 24 hours a day, whenever is convenient for them to learn.
It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations.
It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there.
Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs.
Check them out at immersive labs dot com slash lite. Immersive labs dot com slash L-I-T-E.
CAROLE THERIAULT
Fact: if you don't have a password policy in your place of work, you can bet your bottom dollar that someone somewhere has selected one of the following passwords: 1111, 1234, or maybe the very complicated to hack 123abc.
Don't let them do it, guys. Look into LastPass Enterprise. It will help you sort out all your poor passwords and put you back in charge.
Learn more about LastPass Enterprise at lastpass.com/smashing. That is lastpass.com/smashing with a G.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT
Pick of the Week.
JACK RHYSIDER
Pick of the Week.
GRAHAM CLULEY
Good man. Pick of the Week is the part of the show where everyone chooses something they.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Oh, because this week—
CAROLE THERIAULT
Graham Cluley!
GRAHAM CLULEY
Well, I— it's kind of security, kind of privacy. I thought it was kind of important.
I thought listeners would be interested in it because Facebook has just announced this week a new feature which they're rolling out into their app called "Off-Facebook Activity," and I'll include some links in the show notes where you can read more, including a fact sheet about this.
CAROLE THERIAULT
These are two issues I don't want to talk about in Pick of the Week— Facebook and private messaging.
GRAHAM CLULEY
Well, you might like this because maybe this is a good thing. You can decide at the end of the Pick of the Week.
Facebook's new feature will let you see what apps and websites are sending them information about your activities.
And optionally let you clear that information from your account if you wish.
Now, this has come about because there's been a number of privacy groups, and I think it's the chaps in Germany have been kicking up a stink about Facebook's activity.
And, you know, generally the world has taken a long, hard look, I think, as to how Facebook collects data and what it does with it over the last year or so.
Now, according to Facebook, there are studies which show the average person with a smartphone has more than 60 apps installed on that device, and they use around about 40 of them every month.
And many of those may actually be sharing information with your Facebook account.
And Facebook says it's really difficult for people to keep track of who has information about them and what it's used for.
Well, like, duh, Facebook, I mean, you're the number one culprit for that, aren't you? This new feature called Off-Facebook Activity has been written about.
You can read about it on BBC News, for instance. I'll include a link to a story written by Rory Cellan-Jones up there, who's their main Technology correspondent.
CAROLE THERIAULT
The cool Rory.
GRAHAM CLULEY
Yeah, cool Rory.
Basically what you'll be able to do is you'll be able to clear your history and prevent your future off-app behavior being tapped by Facebook, although there are some caveats.
Now at the moment this feature is being rolled out very, very slowly. Only Ireland, South Korea— that wasn't one of the whales from Finding Nemo, by the way.
Only Ireland, South Korea, and Spain are getting a look at it, but they say they're planning to roll it out wide around the world as well.
So with this feature, you will be able to disconnect future off-Facebook activity. So the stuff which you do outside of Facebook—
CAROLE THERIAULT
What do you mean future?
GRAHAM CLULEY
So you'll be able to say to Facebook, I don't want you collecting any of this stuff in future, at least not associating it with my account.
CAROLE THERIAULT
Yeah. So if App A is associated to my Facebook account, of which I do not have, I'm proud to say, but let's say, right.
And so I turn this feature on and what it will announce to me, hey, you know that A is grabbing all this information or giving us all this information.
JACK RHYSIDER
I'll go, whoa, stop that.
GRAHAM CLULEY
If you go into the setting right now, you will be able to see what apps and what websites have been serving up information to Facebook and associating it with your account.
So you'll be able to tell it, stop doing that in future.
CAROLE THERIAULT
What? It's quite clever. It's for a security nut like me, I might want to go in just to see what Facebook activity they've been gathering to date.
GRAHAM CLULEY
Well, exactly. And it may give you a bit of a shock. I'm not doing it.
CAROLE THERIAULT
Not falling for it.
GRAHAM CLULEY
Oh, I see. You're thinking of— Yeah, yeah, no, you're thinking of—
CAROLE THERIAULT
I'm on to you, Facebook.
GRAHAM CLULEY
You're thinking of bringing back your account from the dead just to see what it's been doing.
Now, disappointingly, and this is Facebook, of course, so don't be surprised, hitting Clear History Security doesn't actually delete your data.
CAROLE THERIAULT
Of course it doesn't.
GRAHAM CLULEY
Of course it doesn't.
CAROLE THERIAULT
Such assholes.
GRAHAM CLULEY
It just unlinks it from your profile and apparently maintains it in a pseudonym— can I say pseudonymous? Can you say that, Carole?
CAROLE THERIAULT
Well, no, you can't actually.
GRAHAM CLULEY
Jack, would you like to tackle that word? Pseudonymous. Anyway, and they're even saying that they won't do that in some circumstances.
They think that you're a bit suspicious with your Facebook activity or engaged in fraud or naughty things, they will still retain a certain amount of the information they save for a longer time.
You have to read— and I think maybe that's acceptable from the sort of— well, when you consider some of the dodgy things which happen on social networks.
In the last week, for instance, we've seen a number of reports from Facebook and Twitter alerting people to activity being done by the Chinese authorities against the protesters in Hong Kong.
You might want to keep collecting some information if someone's already been tagged as a bit dodgy by the Facebook police, maybe, I don't know.
CAROLE THERIAULT
Get off Facebook, my advice.
GRAHAM CLULEY
Well, exactly.
CAROLE THERIAULT
What do you think, Jack? What are you, a Facebook user?
JACK RHYSIDER
I know, but when you get on Facebook, it's a million options on clicking. There's just so many different settings that finding this one is gonna be really hard.
And to know if it cancels out something else or override gets written, but you know, it's just really difficult to know how to navigate the settings. It's horrendous.
GRAHAM CLULEY
And it's shifting sands all the time because their settings have all— it just always feels like it's changing.
And of course, you have to decide to turn off this Off-Facebook Activity. Default for it is obviously on, you know, naturally that's the way Facebook works.
And as Carole says, I think quit Facebook altogether. We did an episode. Check out episode 75. I think it's our most popular episode ever, Carole.
All about quitting Facebook, where we discussed with Maria how to get off and stay— please. And anyway, listen to episode 75 and then, then you hear about it.
Jack, what's your pick of the week?
JACK RHYSIDER
I've bought the same mouse 15 times in the last 10 years. And so this is not a new mouse, but I love this mouse so much that I thought I might share it with you.
CAROLE THERIAULT
What is it? Which one is it?
JACK RHYSIDER
This I'll tell you at the end, but look, okay, so I hear, I hear someone on this call scrolling, and I hear this. Me.
GRAHAM CLULEY
It's Carole.
JACK RHYSIDER
Listen to this noise, right? Okay, that's what a normal mouse scroll sounds like. Listen to my— how my mouse scrolls. It's hard to hear, but it's a smooth scroll, right?
GRAHAM CLULEY
It sounds a bit like a hamster wheel. It's spinning freely.
JACK RHYSIDER
It spins freely like a hamster wheel. And so I do a lot of scrolling, and, and so I can just scroll forever with this. It's so nice.
It, it just— I love the scrolling aspect, that—
CAROLE THERIAULT
But the, the other thing is that it breaks often though if you've had 15 of them.
JACK RHYSIDER
Well, it doesn't.
It's, it's that I want one for my work computer and my other computer, and, and, you know, my, my dad's house, and everywhere I go, I just— I'm, you need this mouse.
And so I just keep buying them wherever I go so I don't have to use any other mouse. And so the other thing is that it has something like 12 buttons on this thing.
GRAHAM CLULEY
Oh, for goodness' sake, why do you need 12 buttons?
CAROLE THERIAULT
He's young and smart. His brain's still intact, Graham.
GRAHAM CLULEY
How many fingers do you have?
JACK RHYSIDER
There's— but you can map it to whatever, right? And I'll tell you the one that just makes it— changes my life.
Yeah, and that is the scroll wheel itself has a button you can click to the left or the right, right?
So it's not just a middle click for the scroll wheel, but you can click left or right on the scroll wheel. And this I've mapped to copy and paste.
So without putting my hand on the keyboard to say, what, two keystrokes on there, I can just keep my hand on the mouse and select something, copy and paste right from the mouse, because that's what I've selected.
CAROLE THERIAULT
And that you heard about The left button does that, right?
Doesn't it? If you press the left button, you get a little— you get a little— you're faster. You're faster. I get it. I get it.
JACK RHYSIDER
Well, you can— so you can— I mean, running with the mouse—
CAROLE THERIAULT
Yeah, it's like— yeah, you're right. It's like 5 clicks compared to 2.
JACK RHYSIDER
Yeah. So I've remapped these buttons. Another one I did was search and find and all these other things so that I can copy something and then hit find and then find it, right?
You know, I hit that button to search for it. It's great. So I have so many less keystrokes I'm using on my computer because I can just use them all on my mouse.
GRAHAM CLULEY
Jack, can you customize the different buttons depending on which application you're in?
Oh, that'd be good, wouldn't it?
JACK RHYSIDER
Maybe. I don't know.
GRAHAM CLULEY
There must be a tool out there which does it.
But I'm just thinking if you were editing a podcast, for instance, how fantastic that would be for some of those functions which you regularly do.
If you could do all of that from the—
JACK RHYSIDER
Oh yeah. Yeah. Maybe.
GRAHAM CLULEY
Ah, dreams.
JACK RHYSIDER
So, and the last cool feature is that the battery life is 3 years. So I'm rarely having to swap it out.
GRAHAM CLULEY
Is that because your hamster wheel is actually a generator, which is powering the battery?
JACK RHYSIDER
The model of this is the Logitech M705, and I've bought a dozen of them at this point. And yes, it's my pick of the week.
GRAHAM CLULEY
Okay. I'm Googling it right now to see if it looks like a weirdo mouse. Oh, it looks like a fairly ordinary mouse. Yeah.
JACK RHYSIDER
It's just a typical mouse.
GRAHAM CLULEY
The Logitech Marathon M705. Well, where are all these buttons on this?
JACK RHYSIDER
Yeah, they're just all around.
They're embedded, yeah. So, I mean, the mouse wheel can click right and left, and then where the thumb usually rests on the side of the mouse, that's got 3 or 4 buttons.
And, you know, got right and left button, and you've got the mouse down button.
CAROLE THERIAULT
It's like a review.
GRAHAM CLULEY
How about that? Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, before I get into the pick of the week, right, do you guys have any favourite sayings or idioms? "Bob's your uncle"?
"Fine words don't butter parsnips." I thought it was "kind words don't butter parsnips." Maybe they're both right.
JACK RHYSIDER
Yeah, yeah.
GRAHAM CLULEY
Oh, maybe you're right.
CAROLE THERIAULT
I knew that would be your favourite. I had written that one down.
GRAHAM CLULEY
Oh, really?
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
I knew that was your favourite. Used in a salary negotiation.
So when you— when you have a meeting with a boss and they say, "You've done really, really well," you say, "Yeah, thank you very much, but kind words don't butter parsnips." In other words, give me some money so I can put butter on them.
That'd be nice.
CAROLE THERIAULT
Do you have one, Jack?
JACK RHYSIDER
"Think smarter, not harder." Oh, I like it.
CAROLE THERIAULT
I like it. But I've got some seriously delicious ones for you. If you guys go to the link that I've provided, this is a list of 40 idioms that cannot be translated literally.
And there are some glorious ones.
GRAHAM CLULEY
Oh, actually, maybe you shouldn't look.
CAROLE THERIAULT
Maybe you shouldn't look. You should tell me which country it comes from.
GRAHAM CLULEY
Okay, okay.
CAROLE THERIAULT
And you decide what country it comes from, right?
GRAHAM CLULEY
Okay, okay, okay, okay.
CAROLE THERIAULT
To wear a cat on one's head is the literal translation, and what it means is you're hiding your claws and pretending to be a nice, harmless person, Graham, but you're wearing a cat on your head.
GRAHAM CLULEY
The only person I can think of about wearing a cat on the head is America, of course, with the current president. But I mean, it's obviously not America, so—
CAROLE THERIAULT
Okay. Okay, you want another one?
GRAHAM CLULEY
Yes, please.
CAROLE THERIAULT
To blow little ducks.
It means to talk nonsense or lie.
GRAHAM CLULEY
Oh, thank heavens. I thought it might be rude. Anything else?
CAROLE THERIAULT
To slide in on a shrimp sandwich.
GRAHAM CLULEY
Okay, that one is definitely rude. That must be Swedish.
CAROLE THERIAULT
It is. It refers to someone who didn't have to work to get to where they are. So someone like— to slide— Paris Hilton slid in on a shrimp sandwich. How delicious is that?
It's amazing. And there's also this one: balls of a swan.
GRAHAM CLULEY
Oh, that sounds— Estonia.
CAROLE THERIAULT
No, it means something that's impossible. And it's from Croatia. Oh, that's— Muda labudova.
GRAHAM CLULEY
Balls of a swan. Okay.
CAROLE THERIAULT
Balls of a swan. There you go. Anyway, there's 40 of them. Enjoy yourself. They're wonderful.
GRAHAM CLULEY
Are you suggesting people begin to incorporate these idioms into their own discussion? I mean, that'd be quite fun to do, wouldn't it?
CAROLE THERIAULT
Did you fall from a Christmas tree, Graham? I'm just saying you're not well informed, Polish style.
GRAHAM CLULEY
There's gonna be a lot of this going forward, isn't it? Well, I think that just about wraps it up for this week.
Jack, I'm sure lots of our listeners would love to follow you online and find out more about your podcast. What is the best way for folks to do that?
CAROLE THERIAULT
Twitter.
JACK RHYSIDER
I'm pretty responsive there, Jack Rhysider, or just find me on darknetdiaries.com.
GRAHAM CLULEY
Cool. And you can follow us on Twitter at Smashing Security. Smashingsecurity, no G, Twitter won't allow us to have a G. And we've also got an active community now on Reddit as well.
Go and find our Smashing Security subreddit and join in the chat. With a G. Yes, with a G on Reddit, yes.
CAROLE THERIAULT
A huge thank you to this week's Smashing Security sponsors, Immersive Labs and LastPass. And thanks to you wonderful listeners.
Thanks to our new Patreon supporters and our new reviewers. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
A bit sexy there, Jack. Little bye. So here's a little song, supporters on Patreon, made up of your names because, you know, we're in the privacy game. Here goes.
Shout out to 636B, Alex, Amanda, Andrew, Andy, Ben, Chris, CMDR Divorced Pop, Dave, Dave, Dave, and Dave. Thank you all.
Emil, Eric, Fantastic Wolf, George, Habmala, Hades, Heisenberg, Jack. You guys all rock.
Job, Matt, Mike, Nathan, Rangar, Richard, Robert, Sean, Susie, Tapacol L, Tennis J, Thom Thom, Twilight, and Sylar. You guys are making our show possible. Thank you for your support.