Hacked sex robots could kill you, warn British tabloids

Insert floppy di*k joke here.

Graham Cluley

Sex robots

Dr Nick Patterson, of Deakin University in Australia, has been widely quoted in the British tabloid press warning about – as the Daily Star puts it – the risk of “ultra-realistic sex robots being used by warped hackers to attack humans”:

“Hackers can hack into a robot or a robotic device and have full control of the connections, arms, legs and other attached tools like in some cases knives or welding devices. Often these robots can be upwards of 200 pounds, and very strong. Once a robot is hacked, the hacker has full control and can issue instructions to the robot. The last thing you want is for a hacker to have control over one of these robots! Once hacked they could absolutely be used to perform physical actions for an advantageous scenario or to cause damage.”

The quote from Dr Patterson doesn’t actually mention “sex robots”, but that hasn’t stopped the press from leading with headlines like these:

  • “Sex robot armies: Fears hackers could create killer cyborgs and turn technology on punters”
  • “Fears sex robots could be turned into ‘killer cyborgs’ with ‘knives or wielding devices’ if twisted hackers take control”
  • “Experts warn that this sex robot could kill you if it’s hacked”, and “Caught with your pants down – Cyber security expert issues bizarre warning that sex robots could be easily hacked and made to kill their owners.”

The truth is, all you need is any robot that interacts with a human in the workplace or in the home. It doesn’t need to be a sex robot.

Of course, the image of armies of murderous sex robots makes for a much more exciting headline. But that shouldn’t stop us from recognising that robotic devices pose a real threat if they are vulnerable to hackers, and that – in some cases – a compromised robot could endanger humans.


Take, for instance, the domestic UBTECH Alpha 2 robot, which researchers recently demonstrated contained vulnerabilities that could allow a malicious hacker to wield a sharp screwdriver around in a rather reckless fashion:

If you’re interested in hearing more about that, be sure to listen to this recent episode of the “Smashing Security” podcast where researcher Scott Helme discussed the threat:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Today's episode of Smashing Security is brought to you by Rapid7.

Identifying, prioritizing, and managing vulnerabilities all the way through to remediation is not only possible, it can be simple right now.

Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial at www.rapid7.com.

That's www.rapid7.com, and thanks very much to Rapid7 for supporting the show. Smashing Security, Episode 39: Whoa, are we talking to a cyborg?

With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 39 of Smashing Security for the 24th of August 2017.

My name is Graham Cluley, and I am joined as always by my good friend and co-host Carole Theriault. Hello, Carole.
SCOTT HELME
How are you?
CAROLE THERIAULT
I'm great. Thank you. I can't believe we're going to have our 40th episode next week.
GRAHAM CLULEY
I know, 40th episode next week.
CAROLE THERIAULT
We haven't missed one week. Can I just say, in 40 weeks, we haven't missed a week.
GRAHAM CLULEY
We have been flipping awesome, haven't we? And I'm sure someone who's been listening to every episode every week is our special guest this week. Isn't that right, Scott Helme?

Hello, Scott. How are you?
SCOTT HELME
That's right.
GRAHAM CLULEY
I'm good.
SCOTT HELME
Thank you.
GRAHAM CLULEY
Was that definitely him saying he had listened to every episode? I'm not sure.
SCOTT HELME
Yes, yes, definitely. It's definitely 100%.
CAROLE THERIAULT
100%. He's heard every single word.
GRAHAM CLULEY
Scott, for folks who don't know who you are and what you do, tell us about yourself.
SCOTT HELME
So the title I go by is security researcher, which is kind of the posh way of saying hacker.

So I spend most of my time trying to break into systems and find security flaws with them so that we can learn about them, fix them, and make everything better as a result.
CAROLE THERIAULT
Ooh, you're gonna like my topic this week then.
GRAHAM CLULEY
But just to make clear, you are one of the good guys, right?
SCOTT HELME
Yes, absolutely.
GRAHAM CLULEY
So you are hacking into things with permission. You're not—
CAROLE THERIAULT
He always wears white t-shirts, I'm sure.
SCOTT HELME
Yes, I do. And my face doesn't pixelate when you point a camera at me, so I'm definitely one of the good guys.
GRAHAM CLULEY
So what we do every week is we look at what's been going on in the computer security news, things which have tickled our nostrils and made us interested, and things which we thought you might want to hear our opinions about.

And this week I thought, hey guys, I thought, let's start off with a little game. All right?
CAROLE THERIAULT
Oh, your games are always so boring.
GRAHAM CLULEY
No, games aren't boring.
CAROLE THERIAULT
No, yours are.
GRAHAM CLULEY
Okay, that's true. I'm going to— okay, here is Graham's little quiz and it's called Acronym Time. So guys, I'm going to put a little clock on, right?

I've got a bing and a buzz, right? So I've got a bing which means success. And I have a buzz if you get it wrong, right?

I'm going to give you some acronyms and I want you to tell me what they stand for. Okay. Are you up for it?
SCOTT HELME
Okay.
GRAHAM CLULEY
All right. Number 1, TEOTWAWKI. TEOTWAWKI.
SCOTT HELME
Is that an acronym or are you saying something in another language? I'm confused.
CAROLE THERIAULT
This is the really marvellous industry of computer security that thinks this is really fun.

I think I've probably said this word talking to the press before, and I can't for the life of me remember what it stands for.
GRAHAM CLULEY
You can't remember what?
CAROLE THERIAULT
No.
GRAHAM CLULEY
So it's T-E-O-T-W-A-W-K-I. TEOTWAWKI.

Are you perhaps a fan of R.E.M.? It's the—
CAROLE THERIAULT
End of the world as we know it.
GRAHAM CLULEY
The end of the world as we know it. That's right. Which of course is coming round.
SCOTT HELME
Oh, what?
CAROLE THERIAULT
Yes. Isn't it snappy?
GRAHAM CLULEY
Yeah.
SCOTT HELME
Isn't it easier to say the end of the world as we know it?
CAROLE THERIAULT
Yeah, right.
GRAHAM CLULEY
Every time there's a new zero-day vulnerability or a Heartbleed, we have to say, oh, TEOTWAWKI.
CAROLE THERIAULT
Yeah, we all do.
GRAHAM CLULEY
So if you didn't get that one, you probably won't get this one, which was mentioned by Paul Ducklin in one of our past podcasts. Vorriwoggum. Vorriwoggum.
SCOTT HELME
Mm-hmm. Worry Wogum.
GRAHAM CLULEY
You're not enjoying this, are you?
SCOTT HELME
This is—
GRAHAM CLULEY
It's the voice of reason in a world gone mad.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Okay, here's another one. Windows. Did you know Windows was an acronym? Oh God. Wish I'd never dis— I've ruined the joke. I'll try it again.
SCOTT HELME
Can we just cut that later?
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
Here we go. Drum roll. Drum roll. Wish I'd never deployed on work systems.
CAROLE THERIAULT
Clunky, clunky.
SCOTT HELME
That's so bad.
GRAHAM CLULEY
Are you not enjoying this? Yahoo! You always have other options. Yahoo!
CAROLE THERIAULT
Okay, we're done now, right? We've done enough.
GRAHAM CLULEY
No, here's the final one. Final one. Ropemaker. Because this is what I'm going to talk about today. Ropemaker. Have you heard about Ropemaker?

This is the new exploit which Mimecast are talking about.

And Mimecast's marketing team came up with this acronym and it stands for Remotely Originated Post-Delivery Email Manipulation Attacks: Keeping Email Risky.
CAROLE THERIAULT
Oh my God.
SCOTT HELME
Just rolls off the tongue.
GRAHAM CLULEY
Risky.
CAROLE THERIAULT
This is the longest intro for the most worst acronym I've ever heard. I'm embarrassed and I'm sorry, listeners.
GRAHAM CLULEY
And you're ashamed.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
For being part of this podcast.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
So here's the problem, right? This is what Ropemaker is all about. Here's the problem. You're a bad guy and you want to get a malicious email to your intended target.

But of course, there are email filters and gateway scans going on between you and your victim.

So at the corporation which you're targeting, they've got all these defenses in place at the email gateway. What can you do?

Well, wouldn't it be fantastic if you could send an email but after it's been sent, after it's actually arrived in someone's inbox, you can actually change its content.

So it's gone past all the filters and— I know it sounds fantastic.
CAROLE THERIAULT
So it's already arrived at the destination?
GRAHAM CLULEY
Yes, it has. And it's sitting there in the inbox. And could there be a way to change the content of that email afterwards? Ooh, now you're thinking. That's kind of interesting.

Because if that were possible, an attacker could change a harmless link into a malicious one in an email already delivered to your inbox, remember.

Or they could change the display text in an email to whenever they want to something else. And they don't have to log into your email account to do it, right?

Well, that's what Ropemaker, and I'm not going to read out again what it stands for.
CAROLE THERIAULT
Please.
GRAHAM CLULEY
This Ropemaker thing, which Mimecast have uncovered, does.

And it does it using some really sneaky CSS tricks, Cascading Style Sheets, which are commonly used in HTML websites, but also in HTML emails to make your inbox all pretty and beautiful.
CAROLE THERIAULT
I've never been a fan of the HTML email, so I'm too old school to—
SCOTT HELME
Oh, but they make things so pretty though.
CAROLE THERIAULT
I know, but you know.
GRAHAM CLULEY
Yeah, but frankly, I suspect a huge amount of email out there is HTML and is using CSS.
CAROLE THERIAULT
Oh yeah, 95 plus. I'm sure it's huge.
GRAHAM CLULEY
So what happens is this: an attacker can modify the remote CSS file. So you can send an email which references an external CSS file held on a third-party site.

And the attacker modifies that CSS file and it could, for instance, enable a bad link using the CSS display command, the HTML command, while hiding a good one.

So they can, at a later point, change the email so the good link doesn't appear, but the bad one does.
CAROLE THERIAULT
I'm surprised this has never been done before. I can't believe this. This doesn't— this sounds so old school.
GRAHAM CLULEY
Well, certainly CSS tricks have been tried before by spammers as a way to disguise their content to try and get it past filters and so forth.

And this is why many email clients will strip out offending HTML code to prevent the external CSS from being loaded. Yeah, many email clients do that.

Not all of them do it, but many of them will do it.
SCOTT HELME
So yeah, because your email will ask you now, right?

So certainly on my mail account, if somebody sends me an email, it will say, I'm going to load this external thing and I have to allow that before it will load.
GRAHAM CLULEY
Yeah, you're absolutely right. And some email—
SCOTT HELME
wouldn't stop this, would it?

Because if the thing that it's loading has changed, then it would never know that it's different because you've already given permission for that particular message.
GRAHAM CLULEY
And your email client no doubt remembers that and says, oh, this is one that Scott said it is comfortable with me rendering. And so you've gone ahead and done it.
CAROLE THERIAULT
Hmm.
GRAHAM CLULEY
So the thing is that this trick works on some email clients, but not others.

And I was reading the Mimecast blog post and what I found quite irritating, actually, a bit annoying, was that Mimecast said, if you want to find out what email clients this works for, you're going to have to download our security advisory, the PDF.

And I thought, oh, fair enough, blah, blah, blah. And of course, they've hidden that behind a lead generation form for their marketing department.

The same marketing department who was so busy coming up with that terrible acronym.
CAROLE THERIAULT
You're kidding me.
GRAHAM CLULEY
No.
SCOTT HELME
They've gated it?
GRAHAM CLULEY
Yeah, they gated it. So they sort of say, oh, it works on some clients, but to find out, I mean, they're quite, it says to find out you have to go and download this PDF. So I did it.

And of course I entered my details, Arnold Aardvark. What company do you work at? Mimecast, I said.

So I gave a Mimecast email and it went ahead and gave me the link, which is fantastic. But anyway, let me save you the bother if you're worried about this.

It is kind of interesting still, the report, if you want to go and download it, but what they found out was affected clients include Microsoft Outlook, both desktop and mobile, Apple Mail, both on your desktop and on your mobile devices, and Mozilla Thunderbird as well.

In their own tests, web-based email systems like Gmail and Outlook.com, iCloud, they weren't susceptible.

They weren't getting impacted by this, which is probably a good indication that they are used to these kind of attacks or the abuse of CSS and naughty tricks like that going on.

So they put a little bit more effort into doing it.

Now Mimecast are trying to kick up a big fuss about this and get everyone really excited because of course their product has been updated to defend against this particular attack.

And they've been speaking privately to different mail firms for a few months, I think, about this, but they haven't had much success getting them to take it very seriously.

Microsoft got back and said, well, we don't really think this fits into our definition of a vulnerability.
CAROLE THERIAULT
Really?
GRAHAM CLULEY
Yeah. Well, it's not really a vulnerability.
SCOTT HELME
I can kind of see how they, you know, how they think that because like if the email says, go get this thing, then it goes and gets that thing.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Yeah.
SCOTT HELME
And if the thing is different, then I don't know. Like, I'm curious, how does it say how they fix it?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Apple have said, well, you can navigate into your settings, mail preferences and viewing, and uncheck the thing you were just talking about, Scott, the loading remote content in messages.

Mimecast even went— they tried to get a CVE number for this.

So a sort of official bug number for it, but they were told, well, actually, none of the vendors are considering this to be a vulnerability, so you can't have one.

And so I think Mimecast are a little bit peeved by this, and that's why they've now gone public and rolled out their lead generation form to try and get people excited and interested.

But I think you don't really need to panic about this that much.
CAROLE THERIAULT
Well, thanks for bringing it to our attention.
GRAHAM CLULEY
Well, no, 'cause I think it's still interesting. I think the geekiness of it is interesting. The idea of changing an email after it's been sent. I think that is kind of cool.

This CSS trick, it's a little bit cheeky, but Mimecast say they haven't seen it being used in the wild.

Some defenses are clearly in place, like the preventing remote content from loading.

Now, what a bad guy could do is they could chuck all of that cheeky CSS code inline into the actual email, which makes the email much, much bigger.

But then of course, it could be picked up by a gateway filter.

The same sort of technology which is looking for spammy tricks could say, "Wait, what's going on here with this?" I think regardless of all of this, my message to people is be careful of unsolicited, unusual email messages.

Always remember when you're hovering your mouse over a link, check out where that link is going to take you, just in case it might be taking you somewhere unexpected.

It is a kind of crafty trick, but I'm not sure it's a case of terror.
CAROLE THERIAULT
Well, what happens if actually someone takes this information and does it? Now, is Mimecast then responsible for having told them how to do it? I mean, it's a difficult catch-22.
SCOTT HELME
No, I think that's a super slippery slope, right?
GRAHAM CLULEY
Yeah.
SCOTT HELME
That's, yeah.
GRAHAM CLULEY
I mean, they haven't produced sort of proof of concept code of this, which people can take as far as I know.

I mean, okay, in a way it's a bit like saying, oh, you know, phishing can happen.
SCOTT HELME
Yeah. We kind of are in that territory there.
GRAHAM CLULEY
And you could use a Bitly link or something like that. You wouldn't then criticize someone for saying, oh, they've told people you can do phishing tricks and things like that.
SCOTT HELME
That's like, it's like standard functionality of the internet, right? It's like, go fetch this stylesheet. And then the server gives you back whatever it wants.

The idea is that most of the time it's the same, but just like we update web pages, you can update other things as well.

So I think what surprises me is what we mentioned earlier, that we haven't seen this more often, you know, or we haven't come across this before now, because actually, you know, loading remote content into an email client is quite a cool trick.
GRAHAM CLULEY
And of course, there are still other ways in which you can be protected.

So when you click on that link, your web gateway product or your endpoint Smashing Security product could pick up on the fact that that link is phishing or dangerous.

And so there's so many other ways in which you can be defended as well.

Maybe it's just simply too much effort, and maybe so many email clients are blocking remote content by default. I'm not sure.

Maybe people don't automatically click that button every time. I don't know. But yeah, be careful about unsolicited unusual emails.

I don't think Mimecast are going to get too many people excited about this, but maybe we'll see other gateway vendors who think, well, we actually have to look out for these kinds of tricks as well.

It may be a good idea to add that to our heuristics. But what I can say is, feel free to go and download the report and enter a Mimecast email address if you wish.

Scott, what have you got for us as your topic this week?
SCOTT HELME
I'm going to talk about some new research that came out literally just last week.

The two main people that presented this, Adrienne Porter Felt from Google and April King from Mozilla, they are both kind of security gurus in their respective organizations.

And it's about how we are progressing towards a fully encrypted web. So obviously when the web first came out, everything was HTTP.

We didn't even have HTTPS or the green padlock or anything like that to look for.

And we're now kind of in this transition period where everything was HTTP and that's kind of the default still and still the thing that everybody expects.

But we're pushing towards an encrypted web. We're pushing towards having HTTPS on absolutely everything.

And they kind of, they did some research in how we're doing, how we're making progress. And from Google and Mozilla, they have access to the telemetry from the browsers.

Now Chrome and Firefox, the two browsers, they both look at how often you are on an HTTPS website and how often you're on an HTTP website.

So they can actually look at it and see over time more and more usage is shifting towards HTTPS. And they actually published the numbers for this.
GRAHAM CLULEY
All right.
SCOTT HELME
And it's really nice for me to see this because I also do my own research. Every 6 months I produce a report on the top 1 million sites on the web.
GRAHAM CLULEY
Okay.
SCOTT HELME
And when somebody else publishes their research, especially from such esteemed members of the security community, and it lines up with my own findings, this is really nice to see.

And we're now actually seeing on Chrome— I have the numbers right here.

On Chrome now, it depends on your operating system, but between 60 and 70% of page loads now take place on HTTPS instead of—
GRAHAM CLULEY
That's pretty cool.
SCOTT HELME
HTTP. And we're making massive progress in this. HTTPS has been around for a while, but the drive towards HTTPS all the time by default has really only kind of been the last few years.
GRAHAM CLULEY
Yes.
SCOTT HELME
And we've made staggering progress in that short period of time. And it's very similar on Firefox as well. We're seeing kind of around 65% 64, 65% of the time.

Again, depending on your platform, for some reason we have the most HTTPS usage on ChromeOS. So if you're using something like a Chromebook, yeah.

Next is Mac, next is Windows, and then Android is kind of trailing behind and is reliably the lowest. But they're all well over half.

So we can now say definitively that more than half the time people are browsing on a secure page as opposed to an insecure page.
CAROLE THERIAULT
And why do you think that's a really good thing? I mean, for people that never even thought about this before, why would you say HTTPS is what you want to look for?
SCOTT HELME
Because there's so many different things that we can go wrong and there's so many different things that HTTPS protects against. We need to have a default encrypted web.

We need to come away from this standpoint that kind of like right now, HTTP is fine.

If you go to an HTTP website, you don't get any warnings in the browser even though it's completely insecure. The browser doesn't say, hey, whoa, stop.

You know, like, this is terrible. Don't put usernames and passwords and credit card information into this page.
GRAHAM CLULEY
But they are beginning to step in that direction, aren't they, browsers? They are beginning to move towards that.

I mean, it's— we're not far away from those alerts really beginning to appear, are we?
SCOTT HELME
And this is one of the really amazing things. This is kind of one of the multiple different prongs of the attack in driving the web to HTTPS. And it's exactly what you say.

It's that right now, if a site goes HTTPS, you have the potential to screw it up. You can get yellow warnings, red warnings, things can break.

If you just stay on HTTP, nothing bad happens. So what they're introducing is, it's essentially what they're saying is the obvious.

If you go to an HTTP page and it asks you for a password or a credit card, the browser will pop up an error and say, whoa, this is not secure.
CAROLE THERIAULT
Yeah.
SCOTT HELME
Now we've always known that. That's always been the case. We've just never given that negative warning. And they will be here much more prominently by the end of this year.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So I guess actually the main advice here is if you are on the web and you see an HTTP site without the S, don't enter sensitive information in. Is that what you'd say?
SCOTT HELME
Yeah. And one of the things I really like about the direction this is going is that every time we have to say something like that to a user, I kind of feel like we failed.

Because any technical measure or any security measure where we have to convey a message to the billions of people in the world and say, all of you billions of people need to do this thing.

Straight away, you're going to miss like half of them. So we've already missed like half of the planet in population terms.
GRAHAM CLULEY
Scott, sorry, maybe you haven't heard what our listener figures are. It's pretty impressive.

We've had a report this week that we are the third most popular technology podcast in Zimbabwe.
SCOTT HELME
Wow. So here we go.
GRAHAM CLULEY
Not kidding you.
SCOTT HELME
So our numbers, our HTTPS numbers are going to go through the roof after this week.
GRAHAM CLULEY
After this one.
CAROLE THERIAULT
Hello, Zimbabwe.
GRAHAM CLULEY
Yeah.
SCOTT HELME
Actually, that's quite a global audience.
GRAHAM CLULEY
You're quite right. I mean, certainly we are seeing an uptake of HTTPS.

There've been things like the initiative from Let's Encrypt, which has made certificates freely available for anyone. So you can't use the financial excuse anymore.

It can sometimes be a bit of a pain setting it up.

And I can speak from personal experience here actually, 'cause last weekend the Smashing Security website, so my personal website is HTTPS, Smashing Security website isn't HTTPS, but I thought, yes, I know, but I thought we'd better fix that, right?

And I'm using a podcast hosting service who are very cool.

And so there's some complications there in terms of certificates, but I thought, well, I'll use Cloudflare and I'll chuck that up in front of it.

And I did that and I could go there and all of my browsers and everything was smashing and wonderful. And you know, it was all HTTPS.

And I thought, yeah, we the man, we sorted this out, right? But then I got a tweet from somebody saying, is there a problem with your podcast feed?

And it turned out that Apple Podcasts was popping up a warning about the certificate because I guess the Cloudflare one wasn't matching the one on my website host or whatever it is.

And it was freaking out about it. And of course, you know, I thought, crikey, we might lose those 11 listeners in Zimbabwe. So we, I better turn off HTTPS.

So obviously I'm going to have to go and fix that. Help me, I might speak to you about this offline.
SCOTT HELME
We can get that sorted.
GRAHAM CLULEY
To get it sorted. But, you know, it's not always easy to do.

But I think the great thing is, as the browsers begin to alert more and more and warn people that sites may not be secure, there will be pressure from the sales and the marketing people inside companies to say, we've got to get this sorted on our website.

These are people who never cared before about HTTPS.
SCOTT HELME
That's so important. That's so crucial is, you know, all of these different prongs I talk about, now using HTTPS gives you a positive boost.

Your SEO is only small, but it is an SEO boost. Yeah, you can get better performance. And Amazon have proved that the faster your pages load, the more sales you will convert.

You know, there's so many different ways now that you can go to your organization and, you know, if SEO helps you sell it internally and get the budget for the project, there you go.

If it's performance, off we go.

You know, there's so many different things, not just security, because I often find myself not even talking about the security and privacy aspects of HTTPS now, because to be honest, most of the time that's not going to sell it.

It's kind of like the analogy I use a lot is, is Tesla with sustainable transport, right? They're selling sustainable transport, they're selling green cars.

You don't ever hear them talk about that. They just made them look really pretty and go really fast and people buy them. And that's kind of what we're doing with HTTPS now.

No one cares about the security and privacy part. That's the boring bit. I want stuff to go fast and be better.

That's where we're getting to now, which is why we're seeing this surge in adoption because, you know, we're now selling it on all the benefits as well, not just the obvious security and privacy.
CAROLE THERIAULT
That's really interesting.
GRAHAM CLULEY
It sounds awesome. So you're going to be producing a— you say you do this report every 6 months or so, is that right?
SCOTT HELME
It's literally done and dusted. It's being proofread and it will be published probably in line with this podcast, actually. So that will be coming out right as, right.
CAROLE THERIAULT
Give us the link and we'll slam it into the show notes.
SCOTT HELME
Awesome.
GRAHAM CLULEY
Carole, what's your topic this week?
CAROLE THERIAULT
Well, I would like to talk about Alpha Two, this adorable little robot designed for kids. It's part of the latest generation of humanoid robots.

Now, instead of me introducing you to Alpha Two, let us watch the promo ad that they used on their Indiegogo campaign, which actually helped them raise $1.5 million to help build this Alpha Two.

$1.5 million? Yeah, dollars, yeah. So here, watch the video. Take a look so you can see what's going on.
SCOTT HELME
Introducing Alpha 2, the newest member of your family. Okay, Joyce, let's move to the next pose.
CAROLE THERIAULT
Okay.
SCOTT HELME
With 20 joints replicating human motion.
GRAHAM CLULEY
Oh my goodness, how freaky is this?
SCOTT HELME
It's a bit cheesy as well.
CAROLE THERIAULT
Yeah, I'm not sure that would make my yoga be more fun.
SCOTT HELME
Rise and shine.
GRAHAM CLULEY
This isn't cheesy, Scott. This is terrifying.
SCOTT HELME
Yeah. Look at it walk.
CAROLE THERIAULT
Look at it walk.
GRAHAM CLULEY
What's the word for orange juice?
CAROLE THERIAULT
How long would that take to get across the table? You'd be like, come here, Alpha.
GRAHAM CLULEY
I wish that robot would drink the orange juice.
SCOTT HELME
Why would you want it to sit and watch you eat? You're cute.
CAROLE THERIAULT
No. Oh, it's helping her with her Spanish.
SCOTT HELME
Alpha 2 is an in-home nurse or a veterinarian.
GRAHAM CLULEY
That is weird. I don't think they should be calling each other cute. Thanks, Alpha.
CAROLE THERIAULT
Alpha 2 is the perfect nurse.
SCOTT HELME
That makes it a vet.
CAROLE THERIAULT
I'm annoyed by it in this ad, which is promoting it.
SCOTT HELME
Goodbye, Kate. If you're going out, there's a 75% chance of rain.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oh, I can't watch this.
SCOTT HELME
I'm stopping.
CAROLE THERIAULT
Cute, right? Now, do you see how he hands over the screwdriver like a perfect little helper?
SCOTT HELME
Yes.
CAROLE THERIAULT
I mean, this Alpha, you know, can learn movements. It can see through cameras. It can hear, can speak through microphones. So it's basically, right?

It's basically an Amazon Echo with limbs. That's what I'm seeing. Of course, that's what we need, isn't it?
SCOTT HELME
We need a portable spy device, not just the spy device on my desk.
GRAHAM CLULEY
Yes, thank you. You've given Jeff Bezos some new ideas. Yes. Let's have it moving around. Let's have it as a drone now. Fantastic.
CAROLE THERIAULT
And it turns out that someone, of course, has figured out a way to make these cute little limbs do things that they were not intended to do.

Ethical hackers from IOActive found a way to hijack the controls of a number of different Alpha behaviours, one of which is to move its little arm around at random in a stabbing motion.

Okay, take a look. Yeah, yeah.
GRAHAM CLULEY
Stabbing.
CAROLE THERIAULT
So, so when he's armed with something like a screwdriver, just say hello to Chucky. And anyone who was around in the 1990s knows who I'm talking about.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
These white hat hackers made a video demoing the results of their findings, and it's quite crazy to see the cute little Alpha 2 programmed just sitting there going, "Hi, I'm Chucky, and I'm your friend to the end." So researchers said the reason this has all happened is that they did not verify any cryptographic signatures when downloading and installing the APK apps into the mobile device.

So this basically allowed an app-to-server missing encryption.

This app-to-server missing encryption made it possible for a man-in-the-middle attack, which allowed it to change the APK URL and install a customized malware on the device or the robot.

So the whole point of this exercise is basically to say that critical vulnerabilities could have been prevented by implementing well-known cybersecurity practices.

And UBTECH are just one of many companies, right? We've dealt with this before, even on the podcast. Graham, you covered a teddy bear thing, didn't you?
GRAHAM CLULEY
Oh yes, yes. Those dreadful connected toys. Yes.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
They were awful.
CAROLE THERIAULT
Yeah. And there was that Barbie, do you remember that Barbie in 2015?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
It could record your kids' conversations, the little next-gen Barbie.
GRAHAM CLULEY
Time and time again, this is happening, isn't it? These ghastly devices are coming out and—
SCOTT HELME
And this is just the basics.
CAROLE THERIAULT
Yeah.
SCOTT HELME
You know, encrypt the stuff that goes over the internet. You know what bugged me though?
CAROLE THERIAULT
What bugged me a bit was UBTECH, this is the company that makes the Alpha 2, their general manager for North America, John Rhee, had this to say, and this was for IT Pro.

He said, "UBTECH has been made aware of the sensationalistic video produced by IOActive featuring the Alpha 2.

The video is an exaggerated depiction of Alpha 2's open-source platform." And he goes on to say, "Alpha 2 robot was designed to be an open-source platform where developers are encouraged to program the robots with code.

UBTECH has fully addressed any concerns raised by IOActive that do not limit our developers from programming their Alpha 2." IOActive told them about this six months ago in January.

So they've had this whole time and they've waited till now to come public with this information. So they've had six months to work on this.

And I don't know why I don't see any, hey, thanks for alerting us to the flaws in our coding, you know, our product is now better than ever, we're really appreciative of that.
SCOTT HELME
You never get that as a white hat. Let me just set that record straight.
GRAHAM CLULEY
Is it possible that they've actually got these little robots doing the coding?

And that's why it's taken them so long, they've been programming the robots to tap on their keyboards in order to fix themselves.
CAROLE THERIAULT
Well, I don't know. Watching the video will make you realize how scary these little things can be if they're improperly secured.

And a message to all IoT device manufacturers out there, don't be douches. Bake security in from the get-go, you know, all us consumers will be so grateful for it.
SCOTT HELME
But you know, and it's so much cheaper to do that, honestly, just secure it from the start, then ship it and then try and patch it and brick it.
CAROLE THERIAULT
Duct tape a bit of security on the outside. Yeah, anyway, so there you go, be wary of IoT robots not being properly secure.
GRAHAM CLULEY
Well, that's the latest in our series of horrors connected with the Internet of Things. It seems every week we have something.

This video though, people have really got to watch it because a worse advert for a robot butler in your house I've never seen. It's the creepiest, most spooky thing imaginable.

I wouldn't want this in my house.
SCOTT HELME
And they could do this while you sleep, right? Wake you up in the middle of the night and make something go bump.
CAROLE THERIAULT
Well, I never thought that people would have Amazon Alexas and Echos everywhere, but most of the houses I've visited in the last six months seems to have one.
GRAHAM CLULEY
Oh, really?
CAROLE THERIAULT
Yeah.
SCOTT HELME
They're so handy though.
GRAHAM CLULEY
Yeah.
SCOTT HELME
Do you have one?
CAROLE THERIAULT
You have one?
SCOTT HELME
Yeah. I have four.
CAROLE THERIAULT
Oh my.
GRAHAM CLULEY
Why do you? Oh, right. Stop everything.
CAROLE THERIAULT
These are state of the art.
GRAHAM CLULEY
Right. Okay. So what's going on here, Scott? Why have you got four?
SCOTT HELME
Because I have Philips Hue lights throughout my house. I have Samsung SmartThings integration. I've got the Logitech Harmony to control all my media system and stuff.
GRAHAM CLULEY
You've got too much money on your hands, mate.
SCOTT HELME
No, I just like tinkery gadgets and this is so cool to be able to control stuff. I have the Nest thermostat as well.

So when I leave my house, it detects my phone leave and then turns off the heating and all of the lights for me.
CAROLE THERIAULT
That would take five seconds.
SCOTT HELME
Well, not if they're upstairs. You've got to go up the stairs and then back down the stairs. And it's just all automatic. There is a lot to be said for convenience.

Yeah, it is a good selling point.
CAROLE THERIAULT
Jeff's beady eye is on you at all times.
GRAHAM CLULEY
I think what's happened here, Carole, is that we have just witnessed what's known as the generation gap.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
You and me on one side of the river, and then there's Scott.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Whooping it up.
CAROLE THERIAULT
Yep. They're having a great time. We'll see who has the last laugh.
GRAHAM CLULEY
Happy millennials.
CAROLE THERIAULT
Actually, probably him. He's younger.
SCOTT HELME
The thing is though, the Echos are all in places where there were already microphones. So I have my desktop PC. I'm obviously talking to you through an internet-connected microphone.

I have a smartphone and a tablet and a laptop which are all kind of internet-connected microphones.

So it's one more internet-connected microphone in the mix rather than, you know, look at this brand new spy device.
CAROLE THERIAULT
Says security advisor Scott Helme.
SCOTT HELME
Just one more.
CAROLE THERIAULT
Who cares?
SCOTT HELME
You've got it. You've got to balance these things, right? I already have an internet-connected microphone or five. So, you know, what's six? I mean, come on.
CAROLE THERIAULT
I don't have to run upstairs. Duh.
SCOTT HELME
Exactly. And you know, I open my under stairs cupboard and it turns the light on automatically. It's like you can't, you literally can't appreciate convenience like that.
GRAHAM CLULEY
I've got a downstairs cupboard and the light goes on automatically.
SCOTT HELME
I know, but I bet you have an old school little switch on the door, right?
CAROLE THERIAULT
Clap on, clap off. That's all you need.
GRAHAM CLULEY
No, I've got one with a sensor and it knows when the door's opened. I don't need to connect to the internet.
SCOTT HELME
So none of you guys have Echos? I cannot shout activation commands down the mic at you?
CAROLE THERIAULT
No. Oh no.
SCOTT HELME
Please don't ask her to do anything. She's listening. I've just said her name.

I did do this to somebody who was streaming on Twitch the other day, and I asked it to buy something for her. Because you can get it to put things in your Amazon basket.
GRAHAM CLULEY
Ooh, we will fill in the gaps. All right, I think it is time to find out who is our sponsor this week.
CAROLE THERIAULT
We love our sponsors. They're so great.
GRAHAM CLULEY
And thanks again to our sponsors this week, Rapid7, the company which decided that Rapid4, Rapid5, Rapid6, Rapid6— well, who likes 6 that's rapid?

They weren't good enough for them. No, they called themselves Rapid7.

Identifying, prioritizing, and managing vulnerabilities all the way through to remediation isn't only possible, it can be simple right now.

Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial at www.rapid7.com.

And thanks again to Rapid7 for supporting the show. Welcome back, and it's time for our favorite part of the show, Pick of the Week. Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week.
CAROLE THERIAULT
Scott, you've got to say it.
SCOTT HELME
Oh, okay. Pick of the Week. Sorry.
CAROLE THERIAULT
That's perfect.
SCOTT HELME
If you'd have told me about that up front, I would have totally nailed that.
CAROLE THERIAULT
Well, we try to do it just by luring you in.
GRAHAM CLULEY
And my pick of the week this week is a game. I have a Nintendo Switch. I say I have it, it appears to have been inherited rather rapidly by my 6-year-old son.
SCOTT HELME
It's good that you didn't pretend it was his upfront though, and you know, it was just open to the fact that it was definitely yours.
GRAHAM CLULEY
It was bought on my birthday, although it doesn't seem to be something that I use. I don't know quite how that works. Anyway, so actually we have been playing a game together.

We are playing a game called Overcooked, and it's not just on the Switch. You can get it for your PC and your Mac and via Steam and probably on all consoles as well.

And it is fabulous. It is a cooperative cooking game.
CAROLE THERIAULT
Oh, show us, show us.
GRAHAM CLULEY
There's a little video. I'm going to show you a little video now, and there's some other crazy ones online as well, so you can get an idea of it. So here it is.

So you see, you've got these little guys. And they're racing around in the kitchen.

These particular ones, you're on a pirate ship and you have to get the ingredients and chop them up and clean the dishes.
SCOTT HELME
Why does the tomato have a health bar?
GRAHAM CLULEY
Well, I think that's quite a good thing. If only real tomatoes came with a health bar, that'd be excellent, wouldn't it?
CAROLE THERIAULT
So really you're working in the game, but you actually don't have any real food to eat at the end.
GRAHAM CLULEY
You don't. There's no real food to eat at the end of the game, but you are playing with other people on the sofa — look, look! The boat is tipping some things.

Now you're playing with your mates, so you're kind of saying to them, hey, go and get the pans, go and get the tomatoes, quick, quick! Where is it? Where's the plate? Plate it up now!

Because you've got to serve it on time. Oh, it looks like a really good family game too. It's a great family game, and it gets more and more bonkers.

At one point you are playing in kitchens which are on the back of trucks going down the motorway, and you're on different trucks, and so they've got to wait for them to time up and then jump from one to the other.

And it is crazy bonkers, let me tell you. And I'm guessing a lot of fun. Hilarious. Quite hilarious. Good pick. You've seen it in a nutshell there. It is enormous fun.

And if you've ever wondered how Gordon Ramsay gets quite so fucking angry, with people in the kitchen, play Overcooked, because in no time at all you'll be saying, "Where's the salad?

Bring this, heat that. You've let it flambé for too long. Get the fire extinguisher." Because you need a fire extinguisher at some point if you leave things on the hot plate.

It is hilarious fun.
CAROLE THERIAULT
You sound like an Amazon Echo owner. They're always barking orders when I'm at their house.
SCOTT HELME
You kind of become accustomed to not saying please, which is not great, actually. I really want to do the stupid sandwich thing that Gordon Ramsay does. Have you seen that?
GRAHAM CLULEY
No, what stupid sandwich?
SCOTT HELME
He just like, when somebody does something dumb, he gets two slices of bread and slaps them on each side of the head and says, what are you? What are you?
CAROLE THERIAULT
An idiot sandwich. Idiot sandwich what? An idiot sandwich, Chef Ramsay. You definitely have to show your son that, Graham.
GRAHAM CLULEY
He'll love that. Oh yeah, that's the kind of thing I want to teach him. Great. Yeah, use Gordon Ramsay as a role model. Fantastic. Anyway, Overcooked. That is my pick of the week.

Scott, do you have a pick of the week for us?
SCOTT HELME
I do.

So my pick of the week, I'm a tad concerned about this after our Amazon Echo discussion just now, but my pick of the week is cyborg implants and probably more specifically my cyborg implant.

What?
GRAHAM CLULEY
Are we talking to a cyborg at the moment?
SCOTT HELME
No way. Yes way. Yes, you are actually talking to a cyborg.
CAROLE THERIAULT
Oh my God, we've been fooled. What happened?
SCOTT HELME
I did it at DEF CON a couple of weeks ago. You may have seen me. I did a couple of shows with the BBC from the largest hacking conference in the world.

And one of the things that you can do there, apart from hack everything, is hack your own body and you can get an implant.
CAROLE THERIAULT
Okay, whoa, whoa, whoa. Did BBC say you had to do this in order to pay for your ticket over?
SCOTT HELME
No, actually. Was it part of the deal? It was me that was kind of pushing to have this done anyway because it looked really cool. Hang on, you've—
GRAHAM CLULEY
So you've got a video of this. Can we check this out right now?
SCOTT HELME
There's a good segment on Twitter that we can go have a look at.
CAROLE THERIAULT
Oh, that felt weird. I love how people are like, that felt weird. Yeah, did it feel weird?
SCOTT HELME
Yeah, because you can actually kind of feel it poking around inside your hand. Oh, so it is kind of—
GRAHAM CLULEY
You're gonna let that guy implant— What's wrong with him?
CAROLE THERIAULT
He looks like he's, you know, done tattoos.
GRAHAM CLULEY
Scott, I can see blood.
SCOTT HELME
Yeah, so they were really strict with what we could put on the BBC, so I'll send you a little shot of the actual needle.
GRAHAM CLULEY
No, please don't.
SCOTT HELME
Which could have probably been used as a javelin in the Olympics, to be honest.
CAROLE THERIAULT
Wow, you're crazy for doing that. You're crazy, I think you're crazy, I think you're crazy.
SCOTT HELME
It kind of ties into the whole convenience thing again. So basically it's an NFC chip. So you know how you have contactless payments on your card or you have NFC on your phone?

It's essentially like all the gubbins from that inside what they call a little bioglass capsule, and they implant it into your hand.
GRAHAM CLULEY
Why would you want to do that?
SCOTT HELME
So you can do all of the things that you can do with NFC by just waving your hand like magic rather than using your hand as God designed it to open stuff.

And then, you know, the worst thing for me, so we have keycard access for the building where I hot desk, and forgetting your keycard is a real pain.

And I did it a lot, but now I can literally just wave my hand past the door on the way in and it will open for me.
GRAHAM CLULEY
Such a pain, isn't it? I know.
CAROLE THERIAULT
Are you not worried of anyone chopping your hand off to get into your building?
SCOTT HELME
Honestly, if someone was going to chop my hand off to get into the building, they could have probably just mugged me for my wallet instead anyway.

So if anything, I've made it more difficult for them.
GRAHAM CLULEY
Did you find it very inconvenient in the past when you were buying things at shops that you had to sort of smash your forehead down on the till where you had your barcode tattooed across your face?

Was that a difficulty? And that's why you thought, oh no, what I need is an actual implant.
SCOTT HELME
It's really funny because it gets really mixed kind of reactions like that.
GRAHAM CLULEY
Oh, I don't think you're getting a mixed reaction here, Scott, I think we're pretty much in unison here. We all think you're crazy.
CAROLE THERIAULT
Do you have a motorised scooter at home? Do you have one of those chairlifts to get you upstairs as well?
SCOTT HELME
Just in case, just to wait. But then do you carry cards with NFC capabilities on them? Do you carry—
CAROLE THERIAULT
In a special NFC-proof wallet?
SCOTT HELME
Yes, I do. Check you guys out.
CAROLE THERIAULT
Well, I'm very glad that someone has decided to be a guinea pig for this.
SCOTT HELME
So well done, Scott. Yes, you should try it. Yeah, we're getting closer to Star Trek uniforms with no pockets, right? This is it, this is where we're going.
CAROLE THERIAULT
Exactly. Scott can just wear a bodysuit, a onesie. He doesn't need pockets. Snake hips Scott, cannot wait to see the larger population wearing little— yeah.
GRAHAM CLULEY
Oh, Carole, save us. Have you got any kind of sanity that you can—
CAROLE THERIAULT
Okay, I've got something fantastic to share. It is a video of 250,000 dominoes being toppled over at Zeal Credit Union's Incredible Science Machine: Game On.

Now, I have to admit, I do have a bit of a penchant for the satisfying video. Do you know what I mean when I say that? The videos that kind of—
GRAHAM CLULEY
What video satisfies you, Carole?
SCOTT HELME
It's not porn. I don't want to click the link now.
CAROLE THERIAULT
It's not porn. It's things like processes, you know, lots of chocolate bars being made at once, or— is that you? You don't know what I'm talking about?

Okay, just go look for satisfying videos. Okay, at some point when you have time.
SCOTT HELME
Should I just punch that into Google? Yes, satisfying videos.
GRAHAM CLULEY
Public service announcement, please do not do what Carole just asked you to do.
CAROLE THERIAULT
This dominoes demo is just so beautiful. The only thing I wish is the video was better quality.

I mean, these guys really deserve a proper camera crew to take this because it's just so incredible.

So it's basically the beautiful destruction of 250,000 carefully placed dominoes. Across this humongous track, right?

And it's kind of celebrating games that we've all played in our childhoods. So like Mousetrap and Meccano and Mario Kart. All right, let's—
GRAHAM CLULEY
Shall we check it out? Check it out.
CAROLE THERIAULT
Let's have a look.
GRAHAM CLULEY
Oh, this is wonderful. They've got a Scrabble board. Oh, it's lovely, but it's just— you can only do this once, can't you? You can't redo it. Oh, there's Mousetrap. Yes.

It's a nightmare setting up Mousetrap, let me tell you.
SCOTT HELME
Yeah, there's Meccano in there. Oh, that was Monopoly.
CAROLE THERIAULT
Graham, there is even chess. And they have sports. I mean, trying to keep my interest. All I can say is you've seen nothing yet.
GRAHAM CLULEY
If you, you know, check out the full video.
CAROLE THERIAULT
Yeah, check out the full video. You'll see.
GRAHAM CLULEY
It goes on for like 14 minutes.
CAROLE THERIAULT
That is how long it takes to get all 250,000 dominoes down.
GRAHAM CLULEY
Okay, that's awesome.
CAROLE THERIAULT
It took 19 builders from 5 countries over 7 days, so 1,200 hours combined, to build the track, and it took about 14 minutes to destroy.

And a lot of people would say that's a waste of time, but you know, they're so joyous about this destruction, and I just think there's something really gloriously human about it all.

So watch it.
GRAHAM CLULEY
You say a waste of time, Carole, but Scott has an enormous amount of time on his hands now because he's made his life so convenient. I was just waiting for that.
SCOTT HELME
It was right there, right for the taking. I wouldn't say destruction either though. It's like building a rocket and watching it launch into space.

You know, it's going to crash to the Earth and break, but that was the pinnacle moment of it.
GRAHAM CLULEY
It is an incredible video. I mean, I've seen some— obviously we've all seen dominoes being toppled before, an enormous domino. This one is incredible, isn't it?
CAROLE THERIAULT
Yes, it's a very satisfying video. Yeah.
GRAHAM CLULEY
Good for them. Brilliant. Well, excellent. Thank you very much, Carole, for your Pick of the Week. And that just about wraps it up for this week.

Thank you very much, Scott, for coming on the show. And where can people— where's the best place for people to go and find out more about you or follow you online?
CAROLE THERIAULT
Oh, you just connect to him. Connect to him by his hand.
SCOTT HELME
You can just scan my hand.

I actually have my business card in my hand, but on scotthelme.co.uk is where you will find all of my socials and emails and all of the things I talk about all get published onto my blog.

So it's probably the best place to go.
GRAHAM CLULEY
Awesome. And for those people who are on Facebook, you can join us on our Facebook Smashing Security podcast group. And we've had a few people buying t-shirts now. It's very exciting.

Go to smashingsecurity.com/store and you can help support the show. Another way you can support the show of course, is by leaving a review on somewhere like iTunes.

We really appreciate it, especially those people in Zimbabwe where we're very popular at the moment.

If you like the show, tell your friends and go to smashingsecurity.com, drop us a line, or follow us on Twitter as well. Until next time, from all of us, cheerio, bye-bye, bye-bye.

Thanks for listening.
CAROLE THERIAULT
I have something very funny to say right now and I can't remember.
GRAHAM CLULEY
Do you? Nobody close the tab, Carole might be about to be funny.
CAROLE THERIAULT
It's alright, I can't remember. I can't remember. I can't remember.

Pencil sharpener

Regardless of the tabloid hype, I’m not sure a sex robot really has to be that sophisticated to kill its intended target. For instance, a “female” sex robot would only have to be fitted with a jumbo pencil sharpener to do some pretty serious damage to a male target with kinky intentions, or just give you a particularly aggressive bear-hug.

Other “news” stories that have recently appeared in the Daily Star include “STUNNING Russian TV star who splashed £30,000 on boob job reveals she wants to be a NUN”, “Crocodile turns into a ‘SPEEDBOAT’ to annihilate impala casually hopping across a river”, and “Knickerless star exposes booty in flesh-flash exposé.”

If that’s your kind of thing, hunt for them yourself on the Daily Star’s website. I don’t think I’ll link to them. Who knows what other unpleasantness lurks inside that seething hell-hole.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Hacked sex robots could kill you, warn British tabloids”

  1. Pekinight

    What about autonomous cars?
