Hawaii’s ballistic missile false alarm and a user interface failure

“Somebody clicked the wrong thing on a computer.”

Graham Cluley


On Saturday morning the residents of the US state of Hawaii received a terrifying message on their mobile phones:

“BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.”

A similar message was broadcast on television and radio stations.

“If you are indoors, stay indoors. If you are outdoors, seek immediate shelter in a building. Remain indoors well away from windows. If you are driving, pull safely to the side of the road and seek shelter in a building or lay on the floor.”

The people of Hawaii must have been petrified. After all, just last month, Hawaii started testing its nuclear warning sirens for the first time since the Cold War. And since then United States and North Korean leaders have been trading insults with each other about the “bigness” of their nuclear buttons.

Thankfully, the alert was a false alarm. An employee of the Hawaii Emergency Management Agency had pressed the wrong button, as a spokesperson explained:

“Somebody clicked the wrong thing on a computer… We needed a cancellation procedure. So basically we’re going back and checking all of our processes. We’re aware that our credibility is vital. We’re doing everything we can to reassure the public that this was a one-time error, that it will not happen again.”

The Washington Post sheds some more light on what went wrong:

Shortly after 8 a.m. local time Saturday morning, an employee at the Hawaii Emergency Management Agency settled in at the start of his shift. Among his duties that day was to initiate an internal test of the emergency missile warning system: essentially, to practice sending an emergency alert to the public without actually sending it to the public.

Around 8:05 a.m., the Hawaii emergency employee initiated the internal test, according to a timeline released by the state. From a drop-down menu on a computer program, he saw two options: “Test missile alert” and “Missile alert.”

This sounds like terrible user interface design to me. Why have the genuine “Jeez Louise! Freak out everybody!” option slap-bang next to the harmless one labelled “Test the brown alert”?

Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn’t enough, on this occasion, to prevent the worker from robotically clicking onwards.

The sending of the false alert wasn’t the only problem. The scare was compounded by how long it took for the equivalent of a “Whoops, sorry. We shouldn’t have sent that alert. Don’t panic” message to be sent to the Hawaiian population: 38 minutes.

You see, the Hawaii Emergency Management Agency is allowed to send out missile alerts via the civil warning system, but it didn’t have permission to send out a correction. D’oh!

That meant it took until 8:45am local time for the wording of the correction to be approved by FEMA, the Federal Emergency Management Agency.

Meanwhile, as Alia Wong of The Atlantic vividly describes, the people of Hawaii went through a horrendous experience:

Matthew LoPresti, a state representative whose district is very close to Pearl Harbor (the likely target of a hypothetical bomb), recalled putting his young daughters, who are 4 and 8, in the bathtub, attempting to explain what was happening, and telling them to pray. “I couldn’t even get through a Hail Mary without my phone going off,” LoPresti, who is the vice chair of the House public-safety committee, told me. “As I sat there with my kids… I was going between this doesn’t really feel real and this is actually what it would feel like. It’s unbelievable that weapons would bring this kind of destruction.”

What can we learn from this horrific false alarm?

We should remember that it’s only human to make mistakes. Each and every one of us goofs up every day – the only difference is that for most of us it doesn’t make international headlines. We shouldn’t beat up on whatever poor soul made this error, but instead look at what could have been done to make their human error less likely.

Poor user interface appears to have played its part in the erroneous alert.

There was an “are you sure?” message, but the user clicked it anyway. Clearly the “are you sure?” last-chance-saloon wasn’t worded carefully enough, or didn’t stand out sufficiently from the regular working of the interface, to make the worker think twice.

The authorities have already said that they are putting systems in place to reduce the likelihood of such a monumental goof occurring again. For instance, in the future genuine alerts will need to be authorised by a second employee to reduce the chances of a single user sleep-walking through the process.

In addition, a system has been put in place to incorporate a “Whoops!” button, which will mean that if an alert is sent out in error in future, it can quickly be followed by an “It’s a false alarm. Please disregard” message before too much harm is done.
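
The safeguards discussed above (a drill path that cannot reach the public, a confirmation that has to be typed rather than clicked, approval by a second employee, and a pre-approved retraction) can be sketched in a few lines. This is an added example, not code from the article or from the agency's real system; every name and message wording in it is hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical wording. The live phrase must be typed in full, so a habitual
# click or Enter keypress cannot confirm a public alert.
LIVE_PHRASE = "SEND LIVE ALERT TO PUBLIC"
RETRACTION = "FALSE ALARM. There is no threat. Please disregard the previous alert."


class Refused(Exception):
    """Raised when a request fails one of the safeguards."""


@dataclass
class Pending:
    requester: str
    text: str


@dataclass
class AlertConsole:
    public: list = field(default_factory=list)    # stands in for phones/TV/radio
    internal: list = field(default_factory=list)  # drill sink, never public
    audit: list = field(default_factory=list)     # (action, operator) records
    pending: dict = field(default_factory=dict)
    sent: dict = field(default_factory=dict)
    _next_id: int = 1

    def run_test(self, operator: str, text: str) -> None:
        """Drills have their own entry point and can only reach the internal sink."""
        self.internal.append(f"[TEST] {text}")
        self.audit.append(("test", operator))

    def request_live(self, operator: str, text: str, typed: str) -> int:
        """Stage a live alert. Nothing is broadcast until a second person approves."""
        if typed != LIVE_PHRASE:
            raise Refused("confirmation phrase does not match")
        req_id = self._next_id
        self._next_id += 1
        self.pending[req_id] = Pending(operator, text)
        self.audit.append(("request", operator))
        return req_id

    def approve_live(self, req_id: int, approver: str) -> None:
        """Second-person rule: the approver must not be the requester."""
        req = self.pending.get(req_id)
        if req is None:
            raise Refused("no such pending request")
        if approver == req.requester:
            raise Refused("approver must differ from requester")
        del self.pending[req_id]
        self.public.append(req.text)
        self.sent[req_id] = req.text
        self.audit.append(("approve", approver))

    def retract(self, alert_id: int, operator: str) -> None:
        """Wording is fixed in advance, so a retraction needs no outside sign-off."""
        if alert_id not in self.sent:
            raise Refused("nothing to retract")
        del self.sent[alert_id]
        self.public.append(RETRACTION)
        self.audit.append(("retract", operator))


def demo() -> dict:
    """Walk through the Hawaii scenario with constructed operators and text."""
    c = AlertConsole()
    out = {}
    c.run_test("op_a", "Missile alert drill")
    out["test_reached_public"] = bool(c.public)
    try:
        c.request_live("op_a", "MISSILE THREAT", typed="yes")
        out["click_through_blocked"] = False
    except Refused:
        out["click_through_blocked"] = True
    rid = c.request_live("op_a", "MISSILE THREAT", typed=LIVE_PHRASE)
    try:
        c.approve_live(rid, "op_a")
        out["self_approval_blocked"] = False
    except Refused:
        out["self_approval_blocked"] = True
    out["public_before_approval"] = list(c.public)
    c.approve_live(rid, "op_b")
    c.retract(rid, "op_a")
    out["public_after"] = list(c.public)
    return out


if __name__ == "__main__":
    print(demo())
```

The drill and the live alert share no menu and no code path, so choosing the wrong entry is no longer a one-click mistake, and the retraction goes out with the same authority as the alert itself.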

For further discussion of this issue be sure to check out this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
This is the whole conversation that we're having right now.
CAROLE THERIAULT
No, I know. So let's just shut up. Let's just shut up. Let's go. Shut up. Let's start this baby. Oh, now I'm warning you, I have a cat. It's— he's—
Unknown
Well, do that in the introduction.
CAROLE THERIAULT
Okay.
Unknown
Shut up. See, you shut up. Everyone shut up.
CAROLE THERIAULT
Shut up.
Unknown
Let's just do the show.
CAROLE THERIAULT
Shut up.
Unknown
Shut up.
GRAHAM CLULEY
Smashing Security, Episode 61: Fallout Over Hawaii, Missile False Alarm, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 61.

My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
Unknown
And we are joined today by a returning guest. He hasn't been with us for a while. It is Mr. Paul Ducklin, also known as Duck from Sophos. Hi, Duck.
PAUL DUCKLIN
Hello, chaps.
CAROLE THERIAULT
Hi.
PAUL DUCKLIN
I said that very forcefully just because I couldn't think of a better way to say it.
CAROLE THERIAULT
Do you know, Duck, I think that you have been the guest that has returned most out of all guests that we've had on the show.
Unknown
I think this may be his 6th time on the show, something like that.
CAROLE THERIAULT
Because he's great.
PAUL DUCKLIN
I was going to offer my own opinion, but I'll take yours.
Unknown
Actually, I think we have now relegated Vanja Svajcer to guest status on the webpage rather than co-host.
CAROLE THERIAULT
That's good company, Duck. That's good company.
PAUL DUCKLIN
It is.
Unknown
Well, he is quite a cool cat. That would be cool. Oh, sorry, I've just got a text message. Ballistic missile threat inbound to Hawaii. Seek immediate shelter. This is not a drill.

Sorry, I better deal with this.
CAROLE THERIAULT
Let's deal with it after the break. Smashing Security is supported by CloudBerry. Now listen to this.

With CloudBerry, you can back up files, folders, and system images to the cloud storage of your choice with built-in 256-bit encryption. Ensuring your precious data remains private.

CloudBerry supports over 30 cloud storage providers, working on Windows, Macs, and Linux. Plus, no subscription—you pay only once. So download a free trial at cloudberrylab.com.

But there's more—you could also go to smashingsecurity.com/cloudberrylab to get a whopping 30% off the Windows desktop version that goes for about $20. Boom!

This episode of Smashing Security is sponsored by LastPass. LastPass sophos.com/lastpass.

Sophos simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users.

Learn more at smashingsecurity.com/lastpass. On with the show.
Unknown
And welcome back.

Well, last Saturday in Hawaii, just after 8 o'clock in the morning local time, people were woken up by a message bleeping on their phones saying ballistic missile threat inbound to Hawaii.

Seek immediate shelter, this is not a drill. And similar warnings, of course, automatically appeared on TV screens and on radio stations.

Now, I don't know about you chaps, but if you saw a message like that, and of course if you were in Hawaii, what would your reaction be?
CAROLE THERIAULT
I don't think I would believe it for a long time.
PAUL DUCKLIN
No, I wouldn't either.
CAROLE THERIAULT
No, I would be oh, it's going to be a hoax. And then I'd panic.
PAUL DUCKLIN
Well, I just think it was those traffic signs that get, you know, zombie apocalypse coming, that someone's hacked it, obviously. That's what I would assume.

But maybe in Hawaii you're brought up to learn about these missiles and the missile threat. Maybe it's something to do with their location or something.
Unknown
Yeah. Well, I think we may have forgotten what it was like to be in the middle of the Cold War. I mean, I'm of an age—
PAUL DUCKLIN
Graham fought at the Bay of Pigs, man!
Unknown
Maybe not Bay of Pigs, but suddenly in the early 1980s— No, I can't! I just can't! Sorry. With his little spectacles.

Yes, but certainly in the 1980s, you know, there would be little public information films on the television and there were warnings about what to do.

You got leaflets through the door as to, you know, really? Yes, yes, absolutely.

About hiding under the stairs and painting yourself with white paint and things to reflect the nuclear blast.
PAUL DUCKLIN
You're bringing me—
CAROLE THERIAULT
Yes. I remember hiding under the desk. We had, yeah, we had a bit of that. Yeah.
Unknown
So you poured PVA over your head, or did you have to use emulsion? Seriously? Yeah, yeah, seriously.

And just last month in Hawaii, they started retesting their nuclear warning sirens for the first time since the Cold War.

You've got to remember, Hawaii is a target not only because it's a huge military base, but also, of course, it's quite close to countries who may not be entirely friendly.

To America.
CAROLE THERIAULT
Oh yeah, strategically perfectly placed. Right.
Unknown
And if you're going to launch some missiles, Hawaii is quite likely to get hit, I would think.

And of course, it's not just that they've started retesting their nuclear warning sirens.

We've also seen the United States and North Korean leaders have, you know, trading insults with each other about the bigness of their nuclear buttons. And well, which is—
CAROLE THERIAULT
It's so sad.
Unknown
I know, but you know, your reaction there was to laugh and I know, I know.
CAROLE THERIAULT
It's because I don't know what else to do, because it's just so depressing. I think that's it.
Unknown
Yeah.

If we imagine getting a message like that on our mobile phones, our reaction is to be cynical and laugh or think, oh, someone's hacked the system or something like that, because the other possibility is almost too horrific, isn't it, to contemplate?
PAUL DUCKLIN
Exactly.

I guess we're all used to scams and phishing and spam and all the sorts of nonsense you get even when you ask not to receive it, that you're just awash in garbage SMS that— what a strange vehicle unusual, it seems to me, to use to tell someone that there's a nuclear bomb coming.

On the other hand, if there is one coming, you don't have very long. You do want to use the fastest, most efficient medium, don't you?
Unknown
These messages were sent not by traditional SMS, but by— I think it's called Flash SMS or SMS Zero. I'm trying to remember, but there is a way of sending emergency alerts.

And they do this in other American states as well. If there's a terror alert and they can basically blast a message to everybody's mobile phone.
PAUL DUCKLIN
And I can't remember the name. You can do it in a region. I think they use it, I think they use it, have used it, or do use it in the UK for things like flood warnings, don't they?

Right, yeah. The idea is you can get a message quickly to everyone who happens to be in that region.

So it's not done by subscription, it's done by where you are, which is obviously more important than if you happen to be visiting Liverpool.
CAROLE THERIAULT
Well, hey, I'm just happy we're not relying on Facebook to do it, you know.
Unknown
Well, as far as I know, it was this message sent to mobile phones, but also automatically appearing on people's TV screens and radio stations.

We've got a recording actually of the message which went out on radio stations, which was constantly repeating.
PAUL DUCKLIN
The US Pacific Command has detected a missile threat to Hawaii.
Unknown
A missile may impact on land or sea within minutes. This is not a drill.
PAUL DUCKLIN
If you are indoors, stay indoors.
Unknown
If you are outdoors, seek immediate shelter in a building.
PAUL DUCKLIN
Remain indoors well away from windows.
Unknown
If you are driving, pull safely to the side of the road and seek shelter in a building or lay on the floor.
PAUL DUCKLIN
We will announce when the threat has ended.
Unknown
This is not a drill. Take immediate action measures.
PAUL DUCKLIN
So what went wrong?
Unknown
Well, the first thing which happens, of course, is if you think that a North Korean missile is going to hit your country in 20 minutes, you go into complete pandemonium and people were running around like headless chickens.

You kind of think, oh, that's sort of funny, but it's not funny because you could seriously hurt yourself.

Thankfully, there don't appear to have been any casualties from people panicking around and hiding in places, but there've been some really harrowing stories online as well.

There's an article in The Atlantic, stories of people putting their kids in the bath and just praying with them. And the kids are in tears and the parents are in tears.
PAUL DUCKLIN
So it sounds as though this was all predicated upon the idea that there was a response that people hadn't really been correctly briefed on, which is a little different from how I understand it is, say, in somewhere like Japan where they do regular earthquake drills.

My understanding is they do them from when you're tiny and you just know what to do when there's an earthquake.
Unknown
I think that's part of the problem. I think the other problem is that in Hawaii, I believe they don't have many underground shelters and they don't tend to have basements.

And so it's like, well, where do you go, you know, when something like this happens? Some people didn't panic at all.

I saw some videos online of people who were sort of halfway through their round of golf when they got the message and they sort of left a message for loved ones saying, well, I'm gonna— if I'm going to die, I'm going to— I'm just hitting the 17th hole.
CAROLE THERIAULT
I'll be home soon. Love and kisses. Exactly.
Unknown
Well, or if I'm not, you'll know that I was happy because here I was. Because I'm not at home. So as Ducker said, this was a false alarm. This was a mistake.

And what happened was a member of staff at the Hawaiian Emergency Management Agency started their shift, and one of their jobs on this particular shift was to initiate an internal test of the warning system.

And they opened the menu, they dragged their mouse down the menu options, and there was one option which said "Test Missile Alert" and another one which said "Missile Alert." And guess which one they clicked on?

And it was as simple as that. Someone pressed the wrong button and sent the message. It's not really as simple as that, is it?
PAUL DUCKLIN
You could have a command line thing where you had to type in a command and put minus, minus. Yes, I am very sure indeed. It seems that should it be that easy for an alert to go out?
CAROLE THERIAULT
I have a secondary step even with my email, right? If I try to delete 100 emails, are you really sure you want to do that?
Unknown
Oh, well, actually, to give them credit, there was an "are you really sure" message, a dialog which popped up, which they went past.
CAROLE THERIAULT
They just went, yeah, yeah, yeah.
Unknown
They just went, yeah, yeah, yeah. Now, maybe the test alert, maybe it says, do you really want to send a test alert? I don't know.

And maybe they're just in the habit of going, yeah, yeah, you know, do this all the time. Who knows? Maybe they were just a bit sleepy starting their shift. Who can say? Right.
PAUL DUCKLIN
You imagine there's some procedural thing that must have got missed, surely, because you then— the next stage is you go and verify that a test alert, not a real alert, got received.

And when you look, you'd see that you didn't get a test, you got the real thing. You'd know that something had gone wrong.

And then presumably you have procedure B, which is the alert just kidding! We failed the— well, they did a test, and to be honest, the test failed. Yes, yes.

And they didn't notice the test had failed. And to me, that's more of a problem than maybe there was a GUI that was too easy.
Unknown
Well, Duck, you're getting ahead of yourself because you have put your finger on it, so to speak, because they did recognize that the test had failed because it wasn't, so they asked if they'd done the real thing.

The problem was that the Hawaiian Emergency Management Agency aren't authorized to send out corrections.

They can tell you that a missile is on its way, but they can't tell you that a missile isn't on its way.

They can't send a follow-up saying, "Whoops, ignore that last alert." They're not allowed to until the wording of the correction has been authorized by another agency.

So they get a marketing team in to huddle, you know, "What's the spin we're going to put on this?" "Well, don't you think we should get this message out quickly?" "Yes, but we have to word it properly." "Your security is important." Graham, we have faced that exact scenario in our work life in situations.
CAROLE THERIAULT
Wow.
Unknown
Well, so that is why it took them 38 minutes to send out the follow-up message saying that last one was a mistake.

So I'm sure they did try and organize it quickly, but of course they were caught off guard. But, you know, as you can see, this wasn't purely a user interface issue.

This was a procedural issue. They hadn't thought about what would we do if we sent out a wrong alert.

So what they've done to fix this, because humans do make mistakes and humans will make mistakes in the future, they've put systems in place now so that they can speedily put out a whoopsie.

You know, didn't mean that one. Sorry. Well, that's good. Great. So they can do that now without getting authorization if they goof.

Additionally, a second person has to approve the sending of the genuine alert now.

I don't know if a second person is also required for the test alert or what, but at least a second pair of eyes just to make sure that that's the right thing to do.

But I think, you know, we shouldn't beat up whoever was responsible for this too much because, you know, people make mistakes and it was an easy mistake to make and we should use technology to reduce the chance of this.
CAROLE THERIAULT
I don't think anyone is beating up the person. I think people are kind of shocked at the system's lack of fail-safes when something does go wrong.
PAUL DUCKLIN
It is a tricky one because it's one of those things that you expect to use 0 or 1 times in your life. Yeah, yes. And you're kind of hoping it's zero. So how do you test a real alert?

Yeah.
Unknown
I'm sure now there will be people who, through this experiencing, will be thinking much more about what would they do if this sort of emergency occurred in terms of their family and their own safety.
CAROLE THERIAULT
It's a narrow, narrow silver lining on this cloud.
Unknown
Also, though, there's this danger the next time people are going to think, oh yeah, yeah, yeah. You know, it's crying wolf, isn't it?

That they may be less likely to believe an alert next time or just wait a little bit to see if something else comes through as well.

It's not good news, but I suppose the good news is there wasn't a missile. Exactly. So from that point of view, a success, I guess. A yay moment. Hooray!

So, Duck, what have you got for us this week?
PAUL DUCKLIN
Well, I've got interested all over again. It's not a New Year's resolution, it just happened that way in phishing.

Ever-increasing number of phishing emails relating to cryptocurrency, hanging on words like blockchain.

And typically in the past few months, whenever crypto mining, cryptocurrency, blockchain, bitcoins, Monero, any of that stuff has come up in the context of cybercrime, it's either been 'Oh, somebody hacked such and such a cryptocurrency exchange and ran off with a load of currency,' or 'Somebody broke into your computer and put software there to use your electricity to mine coins.' It was always the end rather than the means of the cybercrime.

And in this case, because of the popularity in the news, given the rapid increase in value of things like bitcoin or Monero, the malware in this case had absolutely nothing to do with crypto mining at all.
Unknown
And the crypto mining was just a sort of believable, interesting story that was the lure that was meant to get you to open attachment or click the link rather than naked pictures of Jennifer Lopez or here is the invoice or, you know, thank you for buying these airline tickets?

They're saying to you something about cryptocurrency to make you click on an attachment or click on a link?
PAUL DUCKLIN
Yes, blockchain verification PDF. Oh, right.

The interest in this story to me was there was a— neither of these things is new on its own, but it was the first time I'd seen two at the same time.

Unusually, in this particular campaign, the attachments were .iso files, so disk images, which people would normally associate with Linux distros or a Windows installer download or a ripped CD.
CAROLE THERIAULT
Or have no idea what it means.
PAUL DUCKLIN
Right?

Yeah, and of course, as we know, Windows— and it's not the only operating system, but I'm just pointing my finger at Windows here— Windows really thinks that you don't need to know that a file is called blah blah blah.iso, even though it uses the .iso extension to guide its own handling of the file.

It's not important to you, don't bother your little head with it. So by default, they suppress extensions. So you think you're opening a PDF.

You're actually opening an ISO file, which unfortunately most people sort of associate with, even if they know what it is, with not much to do with malware.

So unlike a zip file where it opens up and it looks like a file that you saved to disk and opened, when you double-click an ISO attachment on Windows, it opens up as if it were a drive.

So you get a drive letter, right? So it kind of— that visually it's very different from what you'd expect if you download a file and it's on your desktop and you open it.

It looks different in File Explorer.
CAROLE THERIAULT
But Duck, do you get a warning when you double-click on this attachment? Even though you cannot see the extension, does it try and warn you before it launches the ISO?
PAUL DUCKLIN
I only did it from a webmail, so I can't answer from, you know, an installed standalone email client. I didn't. It just opened up as far as I remember.
Unknown
So I'm interested as to why online criminals might be using .iso files rather than something like .zip.

I would imagine that we've seen so much malware now being distributed by zip that some people are more suspicious of zip files. It's old hat. Exactly.

Suddenly suspicious of .exe files.

I would imagine many companies created their own rules and their own filters, and they said, look, we're going to allow certain file types in, but a zip maybe will go through some more thorough testing, if not blocked entirely.

But ISO, I suspect many people haven't even thought about.
PAUL DUCKLIN
Absolutely. They've just— you've never, probably never seen one. Yes. Yeah.
Unknown
Because it's not something which would commonly be emailed around.
PAUL DUCKLIN
I agree with that. We wrote about this particular issue because I got the email, so I was quite intrigued by them.

I wrote about it on Naked Security and a commenter came back and actually said, you know what, well, of course we block ISO files. Who'd want an ISO in email? It's kind of pointless.

You can just go and download it. But I had to go and check because I couldn't put my hand on my heart and remember, it was so long ago.

It was a bridge we'd never thought to cross or revisit. And I had to go back and verify that I really had put this in as a rule years and years ago.

It's the kind of thing you don't really think about. Now, crooks have been using ISO attachments for ages, but it's always pretty much been under the radar.
Unknown
It is crazy just how many different file formats there are out there, either which act as archive or container formats, or indeed can contain executable code.

For instance, I mean, executable code-wise, it's things like Windows font files or Windows help files can contain malicious code and things which probably the average chap in the street would never consider could potentially infect their computer.
PAUL DUCKLIN
You're right. There are any number of other, if you like, container objects. If you think of MSI, even a DOCX file or an XLSX file, that's a zip format as well.

But there are lots of other ways in which you can package things. You're on Macs, you've got DMGs, which are disk images.

And if you go to something like hdiutil, the hard disk imaging image utility on a Mac, I never realized just how many different variants of ISO type files that there are that are natively supported by many operating systems.

So you see this file and you don't realize that when you open it, you're basically mounting a new disk and it can have any number of things inside it, including more zip files that can have more doc files and so on.
CAROLE THERIAULT
Your advice here really is be wary of blockchains as a lure and be wary of attachments that you're not expecting.
PAUL DUCKLIN
Yeah, I guess those are— that's the old advice is, you know, watch out for attachments you weren't expecting.

But of course, a lot of us these days in our job like if you work in HR or something and you're dealing with CVs, your job is kind of opening unsolicited documents half of the time because somebody's applying for a job.

You don't know who they are. You want to open the file and see what it is. So it's very difficult just to say don't open attachments.

The big deal in this is that, yeah, cryptocurrency and blockchain. Wow. Got to read that. Don't be fooled.

But I think the big advice is if you have Windows, open File Explorer now, click on the View menu and say Show File Extensions. Yeah, change the default.

Don't let Windows lie to you about the full name of a file, because as we know, when the crooks put a double extension in there, like .pdf.iso or .pdf.zip, you— particularly if they give the file an icon that looks like a PDF— even a well-informed user with the default setting of not showing extensions would have to be forgiven for assuming that what they were looking at was the real deal.

Good advice. And Microsoft, please change the default.
Unknown
Oh, well, they're never going to, are they? I mean, it's been so many years.
PAUL DUCKLIN
I can still ask and I can get more and more plaintive.
CAROLE THERIAULT
Can you? Go on then.
Unknown
Yeah, do this plaintively as you can.
PAUL DUCKLIN
Microsoft, please change the default.
Unknown
It wasn't quite plaintive enough. Could you try again?
PAUL DUCKLIN
Did I say the word plaintiff with two Fs by mistake? Was that a Freudian slip?
Unknown
Carole, what's your topic for us this week?
CAROLE THERIAULT
Well, I want to talk about Google Play Store. So we all know that Google does automated malware scanning of apps submitted to the Play Store.

And we also know malicious developers are constantly working to try and beat those security filters. Hang on, Google doesn't have malware anymore, does it?
PAUL DUCKLIN
Didn't they redefine it as potentially harmful applications?
CAROLE THERIAULT
Not in this beautiful Play Store.
Unknown
Well, sit tight, sit tight. Who would write malware for Android anyway?
CAROLE THERIAULT
So imagine the scene, okay? Graham, Graham, I'm gonna use you here.
Unknown
Yes, hello.
CAROLE THERIAULT
So imagine you're busy making dinner for your son, okay?
Unknown
Yes, okay, sandwich.
CAROLE THERIAULT
And suddenly he starts freaking out. He starts freaking out. Daddy, daddy, daddy, my game! There's a nudie lady on the screen making all these crazy screaming noises.
Unknown
Make it stop! Crazy screaming noises? Are you talking about what I think you're talking about?
CAROLE THERIAULT
Yes! What a nightmare scenario, right? And here's how it happened. So 60 gaming apps, mostly aimed at children, were sitting happily in the Google Play Store waiting to be downloaded.

But these apps weren't what they purported to be. Instead of being cute little gaming apps to keep your kids entertained, they were full of nasty surprises.

So say hello to what Check Point have aptly named the Adult Swine App Collection. Adult Swine. Yep, Adult Swine malicious app collection. So this is how it works.

After a user installs one of these 60 gaming apps, the first step is report home to the command and control center about the successful installation and also to send data about the infected device and the user.

Then it waits to receive instructions on how to operate. Now, according to Check Point, these malicious gaming apps had 3 potential attack vectors. All right.

Now, one was to display highly inappropriate content, including porn. So you'll see, I've sent you guys a pic of one of the more mild examples of the ads presented.

And there's also a comment from one of the victims. So this is someone that actually downloaded the app. And he says, don't install for your kids.

I did, and my son opened it and a bunch of filthy hardcore porn pictures popped up. Not good at all. My son is only 4. So please, parents, beware, don't install it. One star.

Can you not give no stars? One star. Oh, it was okay.
PAUL DUCKLIN
Apart from the porn.
CAROLE THERIAULT
It's that. Yeah.
Unknown
Anyway, I guess you can't leave a review without it. So the idea of these images is to get you to click through to visit a hardcore website.
CAROLE THERIAULT
That's the idea. Exactly. Right. So they're ads. These are ads being popped up during the game.

But of course, very inappropriate ads for the demographic that these games are going after or purporting to go after. Now, that's just one of the things it can do.

The second thing it can do is it can attempt to trick users into installing fake security apps.

So this is what we call scareware, where messages are displayed maybe with a Google banner and a Google layout and Google fonts to tell you that a virus has been detected on your device.

And then it recommends that you buy and install this particular security app, which of course is not a security app, but another fake app designed to steal something from you.

And 3, it could try also to dupe the user into paying for premium services.

And the way that the apps do this is to display an ad that claims that the user's entitled to win a new iPhone by simply answering 4 short questions. Yeah.

But you know, this really—
Unknown
It's saying that to Android users. Yeah.
CAROLE THERIAULT
You know, loads of legitimate companies trying to give away competitions and stuff, and this just kills it.
PAUL DUCKLIN
Well, at this point, you'd want to switch, wouldn't you?
Unknown
Yes, you would. Yeah. Oh, that's true.
PAUL DUCKLIN
I didn't even think about that.
CAROLE THERIAULT
I didn't even think about that. Of course.
PAUL DUCKLIN
Tired of porn on your Android? Fill in this form. Just put your Social Security number in here and it will all go away.
CAROLE THERIAULT
Yeah, so anyway, once they completed filling out these questions, they were asked to enter their phone number, needed to receive the prize, they said.

But of course, that phone number was used to register the user for fraudulent premium services, all at, of course, the victim's expense. Now here's what I consider the boom moment.

You know, this app wasn't just downloaded by a few hundred or a few thousand people. According to Google's Play data, the app's been downloaded between 3 and 7 million times. Whoa.

So in other words, that's like everyone in Trump's beloved Norway downloading the app or everyone in definitely not a shithole El Salvador downloading it.
PAUL DUCKLIN
Our researchers keep running into this is that, well, A, the whole business of pop-up ads seems to be much more tolerated in the mobile market, at least in Android, than people would tolerate it on the desktop computer, because it's kind of the price of free.

You know, you have the free app and it has ads, and then you pay a modest fee and the ads go away, and people sort of deal with that.

And Google have tried to say, oh, well, you can't have full-screen ads, they can't be too intrusive, and they can't be too loud and whatnot.

So people are kind of used to the idea of ads. That's the A. So they're kind of an accepted part of the ecosystem, if you like.

But B, my understanding is that a lot of apps where the developers probably aren't rogues are, they're saying, well, I need to addify my app.

So you go out and instead of knitting your own ad serving code, you just go out and choose a library that has the code, sort of like coin mining.

You go and you pick the library and you pick the server and you sign up for the service. And so your app looks okay, maybe passes all of Google's entirely automated tests.

So it looks okay because, oh, it's using this ad framework and ad frameworks are big and they serve lots of different constituents.

Even if that ad backend is not a bunch of rogues, you're assuming they're completely competent and they won't mix up 4-year-old children with 22-year-old males.
Unknown
I feel a little bit sorry for the app developers who are trying to make some— I can't believe they were building apps designed for kids and kids' games and thought, I know what we want to do.

We want to display some adult ads in the middle of here. It's not as though that's going to drive a large number of people to those adult websites.

They're certainly not going to sign up for those websites, are they? Because—
PAUL DUCKLIN
And their app's going to get kicked out of the App Store, the Play Store, sorry.

And their developer, their developer certificate or their developer ID is the one that's going to get in trouble, not the library that they've chosen.
Unknown
See, I find ads in apps really irritating. I don't like them. They're always irrelevant.

Well, this is the point I'm going to come to, Carole, is that I think we need to find a better way to monetize apps than advertising.
PAUL DUCKLIN
Hey, let's do coin mining!
Unknown
Because they're— well, the problem is that the ads are often irrelevant, or they get in the way, or they just get in the way of what you're trying to do.

But of course, people aren't prepared to pay $1 or $2, which is the cost of— I don't know, probably less than a coffee costs. I have no idea because you don't drink coffee.

I don't, but to buy an app. So here's one idea, right? Because I would love it if we had an ad-free app universe, right? If there was some other way to do it.

I accept that people won't necessarily be prepared to buy an app blind.

So I'd like to see some ability from these app stores to let you trial an app for a while, first of all, decide if you like it, and then you can buy it after 30 days or something if you want to carry on using it.

But another method which maybe could be used would be, why can't an app store say, look, you can have access to thousands and thousands of apps.

And what we're going to do is we're going to charge you $1 a month or something like that. Netflix model. Yep.

And then the app stores could actually divvy that up with micropayments to the app developers whose apps are actually being downloaded and say, look, this is the way you're going to make your money.

We'll get a chunk of it. Don't worry, Apple. They'll still get their chunk, and Google will get their chunk as well. But some of it will be passed on to the app developers.

That, I think, would improve the quality of the apps and mean that they're not festooned with these irritating, sometimes malicious ads as well. You heard it here first, Google.
PAUL DUCKLIN
I'm not trying to be an Apple or a Mac or an iOS fanboy here, but we don't seem to have the same degree of abuse in Apple's App Store.

A lot of the problem with Android is people say, oh, it's because it's the price of freedom. You know, you can choose to go off market and you could get your app somewhere else.

But this is stuff that's in Google Play. Yeah. That's had millions of downloads, presumably because the app's okay, but it's got into bed.

It's got in partnership with this live programming library that's built in that's serving Roe, basically malvertising, if you like. Yes. Of a different sort.

How come, how come this problem is so much worse, seems to be so much worse on Google Play than it is in the App Store?
CAROLE THERIAULT
I just think their walled garden isn't as strong as Apple's.
PAUL DUCKLIN
Well, so, you know, does the buck stop with Google then?

They make a big play about, oh, there's no more— we're not calling it malware, they're just potentially harmful applications.

We do this great job, you don't need an antivirus, you're all golden, we'll look out for you.
Unknown
Yeah, I'm not an iOS app developer, obviously, but I do know there are lengthy, lengthy rules and guidelines of what hoops you need to jump through to get your app actually accepted into the store.

And there may well be guidelines regarding how adverts are presented. There may even be guidelines, I don't know, regarding approved ad networks.

I don't know if you have to sort of get into bed with Apple regarding that, but there certainly will be a lot more control, I would imagine, as to how ads are actually displayed on the screen, much, much more than there would be on Android.
CAROLE THERIAULT
But you guys touched on a few points that I agree with. First off, I should say that the games have now been kicked off the Google curb after they were alerted by Check Point.

But here's my big beef. I haven't seen a "sorry, we screwed up" from Google, and you know what, they should. And if they have, they haven't done it loud enough.

After all, Google indeed have the reach to disseminate information pretty broadly, right? So I don't know.

I mean, put it this way: if a supermarket like Tesco sold kids lollipops riddled with maggots, would the store remove them from the shelf and say "hey, thanks for the heads up" or "we'll be more careful"?

Or would they be forced to do a very public mea culpa?
Unknown
I just think Google is all free and easy and doesn't really care about it, does it? As long as it's getting your data.
CAROLE THERIAULT
Well, there are a few recommendations that I can put out there. One is maybe consider getting your apps from a category called "Designed for Families" on Google Play.

From what I read, a little bit more vetting goes in to ensure that the apps follow the rules for that audience.

And the other thing is that these 60 games, they generally had a kind of—they were knockoff games.

So, and I hate saying this for the reason you mentioned earlier, Graham, is how do you support new legit app developers that come out that have something important to share?

But maybe stick to apps that are from well-known and trusted suppliers.
PAUL DUCKLIN
Although even that on Google Play, that can be tricky, can't it?

Because there was that famous case recently where somebody had uploaded an app that didn't pretend to be WhatsApp, but it pretended to be WhatsApp, you know, like from WhatsApp that would help you with WhatsApp.

And the reason it got through and looked legit is they put a, I think, a non-breaking space character at the end of "WhatsApp, Inc." as the company name, non-breaking space something like that.

Google let it through because it wasn't an exact match, so they figured, okay, that's obviously—it's not WhatsApp, and nobody would possibly be confused, which of course they were.

But it seems an irony that they've got this curated part, but it does seem that the curation is kind of wanting.
Unknown
Yeah, I mean, it's such a clever company, Google, right?

They've built the world's best search engine, they've got driverless cars, they're hoovering up our Wi-Fi credentials, they're taking photos of us left, right, and centre.

No doubt they're also planning a manned mission to Mars or something like that.

And yet they can't handle a non-breaking space character in an app name without thinking, oh, what's the world coming to?
PAUL DUCKLIN
Yeah, what I want to know is, if it had been a breaking space, would that have been easier to handle?
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.

But LastPass isn't just for enterprises—it's an equally great solution for business teams, families, and single users.

Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses. Remember Cloudberry?

With them, you can back up files, folders, and system images to the cloud storage of your choice.

There's no subscription, plus you get 30% off the Windows desktop version if you go to smashingsecurity.com/cloudberry. On with the show.
Unknown
And welcome back. And you join us at our favourite part of the show, which we like to call Pick of the Week.
PAUL DUCKLIN
Pick of the Week. Pick of the Week.
Unknown
So my Pick of the Week this week is a picture, actually, a picture which was sent to me on Twitter. On a podcast. Good. Yes. This is going to be fun. It is the audio podcast, isn't it?

I forgot. So a chap, I imagine it's a chap called Ruan Yifeng, who I believe is Chinese, posted an image on Twitter. Now I want you to imagine this, right?

Because it's hard to describe a picture on a podcast.

You know when you book a seat on an aeroplane, you get quite often a diagram of where everyone's seat is and these ones are near the loos and this is near the galley and this is the aisle and you can choose where you sit and there's little drawing, you know, icons of people and all the rest of it.

Well, it's a bit like that, but it's not an aeroplane which is being conveyed here.

Instead, what he has a picture of is a visual display showing the occupancy, not of airline seats, but of lavatories. I've got to see this.

So, this is an image, I imagine it's at a supermarket or some large office block or something like that, and there are lots and lots of cubicles and at the moment, 1, 2, 3, 4, 5, 6 of them.
CAROLE THERIAULT
I have never seen so many cubicles in a lavatory in my life.
Unknown
So about 6 of them are occupied and probably— 45. How many do you think? We've got about 40.
CAROLE THERIAULT
45 loos. Are there 45?
PAUL DUCKLIN
6 are occupied and it goes up from C1 to C45. All right. Oh, it'll be C for cubicle then.
Unknown
Oh, very good. And Chinese word must be the same. And if it's a green man, or green person inside—
PAUL DUCKLIN
They're sheilas in this case.
Unknown
If it's a green woman inside the cubicle, then that means presumably you're good to go in that one. And if it's red, it's a beware. And this, of course, is a very helpful thing.
PAUL DUCKLIN
Oh, that was a pun, I suppose. And we've completely failed to notice it. Oh dear. Do you want to try that one again, Graham? I didn't—
Unknown
Well, I didn't— wasn't aware I'd made a pun, actually. Oh, good to go.
PAUL DUCKLIN
You normally wee for quite a while. Sorry, do go on.
Unknown
So I think it works like this. You go into the lavatory and you think, oh my goodness, I'm bursting.
CAROLE THERIAULT
Gotta go, gotta go, gotta go, gotta go.
Unknown
Right? I've got something that I need to get out of my body. I need to find either the nearest cubicle without trying all the doors or without checking.

But maybe you're trying to evacuate from yourself something which you don't want other people to overhear, or maybe you're concerned about the environmental impact.

And so you want to choose a lavatory—
PAUL DUCKLIN
Graham's saying it's so you can pick one with lots of empty space on each side, I think.
Unknown
Exactly, exactly so.
CAROLE THERIAULT
Or you don't want a neighbour.
Unknown
You don't want a neighbour, but also normally with a lavatory where you have back-to-back lavatories as well.

Then it could be someone behind you and that could also be awkward, right? So this way you can make sure there's absolutely—
CAROLE THERIAULT
Are you a shy peer?
Unknown
Is that what's going on here? I am, yes. I've got— I'd like to say I've got plenty to be shy about, but I don't have plenty to be shy about. I'm just shy.
CAROLE THERIAULT
We'll take your word for it.
Unknown
When it comes to these things, I'm just English, right? And so, but anyway, I think this is the future. And it reminds me rather of what you now see in car parks.

So we've got a new car park here in Oxford, the Westgate Centre, which is— we can talk about that for a long time, my issues with the Westgate Centre.

But the new car park has a little green light over the empty car parking spaces and a red light.
PAUL DUCKLIN
Do you know, Graham, that in other parts of the world that technology has actually been used for about 10 years?
Unknown
Has it? But Oxford— it's not rushing into the 20th century. Yeah, here in Oxford.

Well, I've often thought that there should be some sort of traffic light system working on lavatories. I've thought, wouldn't it be terrific?

Because the other problem is not just whether a lavatory has been vacated, but the state in which it has been vacated.
CAROLE THERIAULT
Oh, I cannot believe this is your pick of the week.
Unknown
No, all I'm thinking is that you could take this one step further. Wouldn't it be great to have a traffic light system so that when you left a lavatory—
PAUL DUCKLIN
Green, red, and brown, I suppose.
Unknown
I was thinking more of aroma rather than what you've left behind.

But simply hitting something as you left would maybe start a timer, which would then denote this cubicle hasn't been used maybe for a minute, right?

Which may have been enough for anything that you've left behind in the atmosphere to dissipate, whereas you don't want something which is still sort of fairly bright pinkish, for instance.
CAROLE THERIAULT
Yeah. So if people want to keep track of this conversation, you have to go to our show notes to see the image.
PAUL DUCKLIN
Well, I'll tell you what's missing from this diagram, and that is it shows you which ones are empty. So say you're outside, you're in the food court or something.

You think, oh, I'd like to go. I want to go to the gents, or in this case, the ladies. And so you're going to which one has got plenty of empty cubicles.

So when I get there, I won't be fighting with someone for the last one. What I want to see is because I'm clever enough to see the little red or green thing on the door.

What I want to see in there is a little blob next to the person that says whether there's paper left.

Because there's nothing worse than going in, sitting down, and realizing that you're on your own.

You see, this is because you can shout to the guy next door, anyone got spare rolls?
CAROLE THERIAULT
I don't know a woman who doesn't want— you know, doesn't carry tissues for this exact scenario. Oh really? Yeah, that's one of the reasons handbags are great.
PAUL DUCKLIN
I want a cleanliness button there. I want this, the last person flushed correctly, flush operated, and onto a little light that says spare roll.
Unknown
You've always got shirt tails as well, I suppose you could use.

I noticed that cubicle C13 is larger than the others, so that's kind of handy if you've got a lot of shopping with you or if you've got young kids. And there's the mysterious C25.
PAUL DUCKLIN
Yes, I was wondering about that. That's obviously broken because it's not neither green nor red, it's just empty.
Unknown
I was thinking it may be a portal to another dimension.

I'm not sure, but I wonder whether we will see something like this occurring and whether, you know, in other lavatories around the world.

Maybe listeners can keep in touch with us and tell us the developments on the lavatories.
CAROLE THERIAULT
With you, you're the one who's lavatory obsessed.
PAUL DUCKLIN
I'm fascinated with the paper, you're fascinated with other issues.

What worries me most about this diagram is it goes up to, what is it, C45, and if you ignore the accessible toilet where the entrance is from the outside, which has its own base.

Listen, there are 40, more than 40 cubicles. There are 40 carsies and 4 sinks.
CAROLE THERIAULT
4 sinks. Really?
PAUL DUCKLIN
I guess they're not big on hygiene. That's a little worrying. It is a weird idea though.

And I wanted to know, you know, you mentioned the plane thing, Graham, can you, you know, when you, if you're outside, can you play a joke?

Can you click on the person who's in C22 and move them to another cubicle and they just teleport?

What we don't know, because none of us can reach— Maybe you can reserve a cubicle.
CAROLE THERIAULT
I'm just gonna come back in 5 minutes, guys.
PAUL DUCKLIN
Maybe you can click on it and it's reserved. You should pre-book one. Maybe that's the mystery of C25, Graham.

Some people are— Someone's reserved it, and for 2 minutes you can go in and it's yours, and your phone unlocks the door and you go in, and so you're guaranteed that so you don't get disappointment.
Unknown
Some people are remarkably regular. You can sort of set your clock by their movements, can't you?

And so if you knew that, oh, after lunch, 2 PM, chances are I'm likely to want to go to the lavatory, and you could book it. That's a fantastic idea. I like it.
CAROLE THERIAULT
Well, thank you very much for that wonderful Pick of the Week, Graham. I've enjoyed it so much. Thank you. My pleasure. Duck, what have you brought us this week?
PAUL DUCKLIN
Well, I'm feeling a bit guilty because unlike Graham's, mine is actually entirely connected with computer security. So bad. So bad. Very much of a letdown.

My pick of the week, or how I'm supposed to say it in a funny voice but I can't bring myself to it, is apparently some law enforcement guys, some cops in Taiwan had a kind of cybercrime quiz and they gave out prizes, USB keys, and unfortunately they had malware on them.

Oh boy. Oh dear. Facepalm moment. Yeah. Yeah.
Unknown
I'll call them the phoings.
PAUL DUCKLIN
And remember, Graham, when you went to the RSA conference all those years ago? Oh yes. And they gave you a USB stick.
Unknown
I was, yeah. You have to put your presentation on this. Yes, that's right.
PAUL DUCKLIN
And you had a Mac, which of course is immune to malware, as we know.

Plugged in the key and found out that you weren't immune to the malware that they just handed you and had to ask them the difficult question, "How many other Windows laptops has this been in before it reached me?" And you just think, wow, some things we never learn.

You know, when you stick a USB key in a device, it can, generally speaking, can get written to as well as read.

And if you want to validate one or verify it, to be secure and safe and correct before you hand it out, you've got to use a special system that does not auto-mount it and doesn't write things onto it.

And you'd kind of hope that law enforcement, who are in chain of custody and preserving evidence, you'd have thought that that was the last place where that would have happened.
Unknown
These were prizes for a cybersecurity quiz.
PAUL DUCKLIN
It's awful. Yeah, I think so.
Unknown
I remember this happened to IBM years ago as well, didn't it? At the AusCERT conference. Did it? It did.
PAUL DUCKLIN
I was there, I got one of those keys, and in fact I wiped it and I carried it around with me for quite some time afterwards as a kind of "there but for the grace of God go I" warning.

So every time I see it, I think, yeah, yeah, be very careful. And I then, I ended up sometime later at Black Hat in Vegas, and I was a bit late on the evening to the Pwnie Awards.

And as I walked in, the hall's full, and they were just announcing that IBM was up for a Pwnie Award. I can't remember whether they won. For that very blunder.

And I was able to— they didn't have a sample, and I was able to haul this one out of my bag, and it went on display for the Pwnie Awards.

So, and I think, was it Aldi once were selling pre-infected computers? Olympus had pre-infected cameras. Yeah, yeah, yeah. Wow.

It's if you're going to give somebody something that represents you, it's a very bad idea to have malware on it. Yep. Yep. Yep. Yep.

The irony makes it double worse in this case, but it's bad for anybody. Carole, what's your pick of the week?
CAROLE THERIAULT
My pick of the week is Google's Art and Culture app, which helps you find your very own art doppelganger.

It has this cool new feature where apparently you take a selfie and it trawls its data bank of paintings to find the closest match.
PAUL DUCKLIN
So who do you look like, Carole?
CAROLE THERIAULT
I haven't unfortunately been able to do it. Why? Because it's not available in the UK yet.

So I would love to hear from some of our US listeners about their thoughts on this app, because I obviously— I downloaded the app yesterday.

I read about this feature, I downloaded the app, and then I couldn't find—
Unknown
Is it an Android app?
CAROLE THERIAULT
It's both iOS and Android app.
Unknown
Oh, it's good to know that they've been working on this. You know, it's very important, this sort of art doppelganger feature, rather than looking for non-breaking space characters.
CAROLE THERIAULT
Look, I kicked them in the shins on the first story, and on this one I'm saying this is kind of cool.

Now, even without this feature, this little game that people are playing, the app itself is actually kind of cool. It's full of little gems.

You can learn more about arts and culture through online exhibits.

There's cool kind of virtual museum explorations, virtual tours of historical sites, histories of influential artists, etc. So I actually think it's quite a cute little app.
PAUL DUCKLIN
So they match you with an artist, with a celebrity? Do they match you with somebody in a famous painting?
CAROLE THERIAULT
No, no, it's just matching you with famous paintings. Watch the video, Duck. Yeah, watch the video. Just click on the link.
PAUL DUCKLIN
No, I'm not clicking on the link because I Rickrolled you guys yesterday, and I know that I include one and I just don't do it.
Unknown
You'll have to tell me. On that bombshell, ladies and gentlemen, I think it's time to wrap up the show. If you like, you can follow us on Twitter @SmashingSecurity without a G.

Twitter wouldn't allow us to have the G.

You can join us on Facebook at smashingsecurity.com/facebook where we have a Facebook group, or go and check out the store where you can buy all kinds of goodies at smashingsecurity.com/store.

Thank you, Duck, for joining us. If people want to follow you online, where's the best place to do that?
PAUL DUCKLIN
Nakedsecurity.sophos.com, or on Twitter I am @duckblog.
Unknown
And for the rest of you, thanks for tuning in. If you like the show, rate it on Apple Podcasts. It really does help new listeners discover the show.

So thanks to everyone who's done that already. And you can check out our past episodes on our website, smashingsecurity.com as well. Until next time, cheerio, bye-bye.
PAUL DUCKLIN
Bye-bye.
Unknown
We're done. I think we're done.
PAUL DUCKLIN
With his little spectacles. How do I get— how do I exit?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

6 comments on “Hawaii’s ballistic missile false alarm and a user interface failure”

  1. Colin R

    Let’s hope the user interface design of the nuclear firing option is different!

    1. Dan S · in reply to Colin R

      More saliently, let's hope that the military's missile defence command and control infrastructure is more robust. Presumably there's some kind of parallel system to alert commanders of an incoming attack for possible retaliation. If that works in a similar way, we're in real trouble.

  2. aitchjayem

    Another comprehensively explanatory article with a delicious dose of wit :) A *learning opportunity* indeed and perhaps also an assurance that there are substantive controls in place so that the gentleman with the "even bigger" button was not able to take immediate retaliatory measures.

  3. Michael Webb

    No matter what reasonable answer there may be, the lunatic fringe is going to blame President Trump anyway. They already have.

    1. Graham Cluley · in reply to Michael Webb

      Lunatic fringe? Goodness me. Can we all stop obsessing over his hair?

  4. Matthew Parkes

    Does the lunatic fringe include the tin foil hat brigade? This story is already circulating the UFO conspiracy channels on YouTube. Apparently it was not an error but a test by the government to gauge a population's reaction. Apparently it was also linked to the highly classified unknown payload of the most recent SpaceX rocket launch which is allegedly spy satellites or some form of defence hardware for the impending alien invasion heralded by strange happenings in the skies over Hawaii, Michigan and parts of the UK in recent days, oh boy!
