Smashing Security podcast #142: Mercedes secret sensors, smart cities, and ransomware runs riot

Graham Cluley

Darknet Diaries host Jack Rhysider joins us to discuss how cities in Texas are being hit by a wave of ransomware, how Mercedes Benz has installed a tracker in your car (but not for the reason you think), the security threats impacting smart cities, and a new feature coming to your Facebook app.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast, hosted by cybersecurity veterans Graham Cluley and Carole Theriault.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Let's see, this is what I've been saying, right? In fifth grade, they asked me if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour? I know this, but why doesn't a civil engineer know the answer to this, right? When I arrive at that intersection, it knows I've been doing the speed limit since the last six streets. Why isn't it just turning them green? It should know when I'm arriving. Yeah, turn them green for Jack.

Graham Cluley

Smashing Security, Episode 142: Mercedes Secret Sensors, Smart Cities, and Ransomware Runs Riot, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 142. My name is Graham Cluley. And I'm Carole Theriault. Hello, crew. Hello. We are joined by podcast royalty in the form, this week, of Jack Rhysider of Darknet Diaries. Yay!

Carole

Not quite royalty, but I'm very happy to be here. This is the second time coming and it's really exciting to begin. You've made a return visit. I think that really means that you're part of the family now. And you come here to cheer up. It's perfect.

Graham

So, Carole, what stories have we got this week? Well, first, a huge thank you to this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. What makes it huge, Carole?

Carole

Why don't you watch and find out? You haven't seen my story yet. Settle in, guys.

Graham

Now, chaps, chaps, I wonder, Jack, are you a driver? Do you have an automobile?

Carole

Yes, I do. I only have one car, though. It's an older car, so it's not one of these special smart ones or internet connected. Very sensible, I would argue. Now, some people, Carole, I don't know if you have, but I used to own a Mercedes-Benz. a cartoon. I can't even remember what cartoon it was, but there was this huge chested guy with his big blonde foppish hair and he would drive around a red little convertible thing that was much smaller than his body. Well, thank you for saying I had a big chest Carole. That's very kind of you. I think it slipped somewhat, rather like Obelix. for a specific city or just the sun?

Graham

No, it's the Sun. It's a national newspaper here in the UK run by Rupert Murdoch. And it's not really a newspaper. It was famous for... Page three. Yes, it's Page Three Beauties back in the day. I don't know if they still do that. It is a very high selling newspaper, not renowned for its high quality, however, quite tabloid. Do

Carole

you remember when they tried to address the page three problem, which was basically scantily clad women by introducing, I don't know if this was just in Canada, but in Canada on page seven, you'd have this tiny black and white page seven guy. Yeah, it's called the page seven fella. That's what they had. Yes. So it was international. There you go. Yeah, we had the page seven. Well, I didn't. But yes, it was. Brilliant. So a tracking device, basically if you get into trouble, we'll be able to find you without a phone call kind of tracking device.

Graham

That kind of device. So I guess it was communicating in a GPS style way. So Jack, for instance, I mean, you're obviously someone who wants to preserve your privacy. I understand that. Most of us, we don't want our information out there. But this would be a way for the guy who sold you your car potentially to find out where you live or where you like to go.

Carole

That's the way you have to balance it, right? Is there more of an upside? Is there more of a benefit to having somebody know where you are versus having your private information in the hands of somebody you don't know? And that's a hard balance.

Graham

And if you're someone a bit hot, right, you, Carole, I mean, obviously not at the moment. You don't mean temperature having a

Carole

fever. You mean more good looking

Graham

You're pretty hot tamale, right, Carole? Definitely. Absolutely. Yeah. The hottest. If the Mercedes dealer took a shine to you, they might be interested in where you go, what clubs you go to. You know, imagine if every time you went to the discotheque, there was the Mercedes dealer doing the Lombardo or a John Travolta or something. Or a stalker.

Carole

Yeah, no, that sounds fun. That sounds great. Not fun at all, bro. Yeah. Obviously. Anyway, so Mercedes said that these sensors are put into every car. And this is different from your optional extra, right? Sometimes you buy an expensive car and you say, well, for security reasons, I want it to have the ability to track it if it gets stolen, for instance. This is something which is put in all of the cars. Very cool. So that's one way in which it can happen. So is it life or death situation? Is it missing persons? And apparently, no, that's not the extreme circumstance in which the Mercedes turned this on. more extreme than what you're saying. Exactly. I know. I know. You didn't pay your bill. Right. No way.

Graham

That was a guess. Yeah, it's a good guess. Oh, God. That's what Mercedes-Benz care about is have you kept up to date? Have you defaulted on your finance payments? They can track down your car and they can seize it off you.

Carole

Okay. So I don't like this idea. And the thing is because you're not treating the customers like adults here. You know, you're treating them like kids who are immature and irresponsible. And you're going to pull your little trick on them to get your car back. It's just not going to play well. I mean, and sometimes people can be immature and irresponsible, right? I mean, I remember, I'll tell you a story actually, Carole, about that car you were talking about. Or your hairdresser's car. No, I don't know technically. There's nothing wrong with hairdressers, by the way, or their vehicles. Leaving your car at the gas. Leaving my car because I was so used to doing the walk. I wasn't used to driving from there to my apartment, which was next door. Well, I left my car there for two days. Oh, my God. By the gas pump. Preventing other people from getting any petrol. And so you. And are they telling you that they're doing this? They're telling you that they have a tracker in your car? It must be in the

Graham

T's and C's somewhere. Well, Mercedes say around 80% of new cars from Mercedes are sold on finance plans. And apparently, if you do read all the small print when you sign off your soul to buy a Mercedes, it is included in there that we reserve the right to use, you know, in extreme circumstances, we can find out where you are and then get your car back so you can pay us your final bill. Now, human rights groups and privacy campaigners are a bit concerned about this. Liberty, for instance, have said that they're disturbed by this revelation and say it's all part of the creeping growth of surveillance. It is easy to see, isn't it, how this kind of feature could be abused by governments. For instance, they could put pressure on car manufacturers to share details of a vehicle's location or for intelligence agencies to hack a car manufacturer. Am I getting carried away with this or not? I think we need to bring it closer to home, right? I'm seeing a rash of incidents lately where domestic cyber spying is happening, where this is a husband spying on their wife or a boss spying on their employee, and they're using different tools to do that through their phones and turning on cameras and this kind of thing. Or maybe if they actually worked at the car company, maybe they would have access to these tools, just like we've seen in the past people who work for the police abusing databases which they have access to or looking up people's criminal records. Similarly, you might have someone at the car company who's able to determine where a particular car is.

Carole

But all that still just assumes that this whole thing is secure. And we haven't even got to the point of, are they good? Is Mercedes good at holding on to my data? And I don't know.

Graham

Right. Yeah. And we've certainly seen big car companies in the past goof up both in the firmware of their vehicles and also sometimes their own websites and systems have been breached. I wonder whether they're collecting this information. So presumably if these trackers were put on any car, right, just in the off chance that someone doesn't pay their bill, that data must be being snarfled all the time and collected into a database. From my reading of it, and who knows if this is accurate, because it is the Sun newspaper obviously, they say that the sensor has to be activated. So Mercedes are trying to reassure people this isn't turned on all the time, but only in really, really serious situations, i.e. if they're about to lose money, do they enable it. But that's worrying as well.

Carole

Right? That you have something in your car that can be remotely activated by a third party without your knowledge.

Graham

Well, cars these days, I mean, they are the mobile internet. Your car is crazy. No, my car doesn't do anything. My car beeps if I drive badly. That's what upsets you. It's all the beeps it gives me. Yeah, fair enough. You're probably right. It's not the car.

Carole

You're right. Here's my call to action here. This is just a matter of time before somebody figures out where that tracking device is and just yanks it off the car, and then puts that on the internet and says, here's how I disabled a tracking device. Because there's really literally no upside for the customer here. So everyone would just say, well, I need to disable this. There's nothing I get out of this. And just pull it right off.

Graham

Yeah. I think you're right. So my advice for anyone who doesn't want to be tracked by the likes of Mercedes and their cars would be to drive some old beat up car instead. Maybe like Jack has got. Do you remember the Robin, the Reliant Robin? Do you remember that?

Carole

I don't think Jack would have ever seen one of these. I didn't know they existed till I moved here, and you do see them on the road now. You still see them. It's like a three wheeled car, Jack. It's a real beauty. They had to be very careful going around roundabouts because they would sometimes topple over. So last year, Atlanta got hit with ransomware. This is becoming an epidemic or pandemic, whatever the word is. Ransomware is hitting U.S. government cities. And Atlanta didn't pay the $52,000 in ransom last year. But instead, they spent $2.4 million cleaning it up. That's right. Yeah. It's shocking. And it's depressing. Well, is it depressing? I should be. Well, yes. It encourages people just to pay the ransomware. No, no, they didn't pay. That's the thing. I know. But when other cities see the bill. Oh, I see. Right. They'll go, let's just pay. Dear God, let's get this headache over with. Why do the right thing? It's too expensive. So there's more here. So Baltimore this year got hit with a $70,000 ransomware and they didn't pay. Instead, they spent $18 million cleaning it up. See? You see? Or are they just padding? Are they padding the numbers? I'll put the links in the show notes so you can double check for yourself. But the FBI discouraged them from paying because they said, hey, even if you pay the $70,000 in ransomware, you've got a lot of problems you need to clean up, which is going to cost you a million anyways. So you might as well just do a full top-down inspection of everything and spend the money. Right. Right. So this year has been just a phenomenal year. We've had 60 ransomware attacks on state and local government in the US alone. Lake City in Florida paid $460,000 in Bitcoin just, I think, last month. To get rid of the headache. To just get rid of it. That's it. So that city completely paid. Another city in Florida, Riviera Beach, paid $600,000 in ransomware fees. But that one was interesting because they had insurance to cover it. 
That's interesting. So is that what cyber insurance is for, to pay the ransoms?

Graham

Possibly. I've never thought about that. Oh, yeah. It's one of the costs. I mean, it's not the only cost. That's the thing. It's not just it's immoral.

Carole

If you have life insurance, right, and you get kidnapped, can you use the life insurance money to get you out?

Graham

You can get insurance for anything, surely, can't you? If you're prepared to pay enough of a premium, I could get insurance for alien abduction, I'm sure, if I was able to prove it was alien abduction. Report into us next week. Tell us how that went.

Carole

I'll let you know how it goes.

Graham

Anyway, Jack, sorry. Carole completely distracted us. It wasn't me.

Carole

So, yeah. On Friday, I saw this story that 23 towns in Texas were hit with a coordinated ransomware. And the Texas governor has actually issued a level two escalated response, which level one is the highest threat level, which is emergency. So they're getting close to having a statewide emergency there in Texas.

Graham

It's like a DEFCON alert, basically, isn't it? Yes. This is pretty serious.

Carole

23 in a coordinated attack. That's the first time I've ever heard of that. Yes. And the investigators are thinking this is from a single threat actor. Most towns are not admitting to this right now, so we don't really know what towns. But there's one town called Borger in the Panhandle. And they said this is affecting city business and financial operations. Birth and death certificates are not available online. And no payments are being accepted for utility payments from their 13,000 residents right now. Nobody can pay the bill because the systems are down.

Graham

Because there have been problems sometimes in the past of people who've actually had their power cut off because they haven't been able to pay their bills due to ransomware hitting a particular city. So I imagine if some sort of payment system is down, you have to be careful that any sort of background process isn't also going to be affected and take matters into its own hands.

Carole

Yes. And another city in Texas, which was not hit, called Denison, Texas, just said, you know, forget it. We're unplugging. And they took down their own Internet today as a precaution. Yeah. Try and get us. We're not even online, dudes.

Graham

Well, good luck to their residents being able to pay their bills online, of course. It could be a challenge. So they believe that this is the same hacker or group of hackers who are organizing all of these attacks. I mean, potentially they could be making an awful lot of cash if some of these towns do agree to pay up, like some of the places you already mentioned, which did pay up. Yeah, they could sweep up here. I mean, that's one of the things about this ransomware is that it is pretty profitable. It's easy to spread and get in there and pretty profitable. It's curious, though, it seems to be all these cities recently which have been hit rather than maybe more regular organisations. Is that suggesting to us that councils and towns aren't protecting themselves as well as commercial organisations?

Carole

I just think of how many people are available, right, in a city. You have a city of 100,000 that might be using a specific...

Graham

Oh, you think the stakes are higher because of the number of people who are affected. Because there's

Carole

More people available. In a company, you might have 1,000 or 500, and you might go for the big spearfish, right? Go for the CEO, CTO, CIO. And maybe then it's quids in. I mean, you put ransomware on one person's computer, you can get what, 300 dollars out of them. But you put it on a company, a hospital, a state, a city government, you're going to get a lot more out of that. So it's definitely a lot more profitable. And especially when you're impacting the way the bills are getting paid, they're not getting paid until this is fixed. So, you know, it puts a real big spanner in the works. And, you know, in my experience, things like councils and education and health tend to have systems that are a little bit more ropey than state-of-the-art firms. It's just a lot more scotch tape and spit holding things together because funds are shorter. You don't have as much money. You don't have as much resources. So maybe they're an easier mark.

Graham

I suppose you have to justify every buck, don't you, in the city budget, whereas a commercial organization, you may have seen past victims of this kind of thing and think we have to invest in security. We've got to protect our staff. We have to prevent these kind of things from coming in.

Carole

Yes, and that sort of transitions me into the next part of this story, which is who's there to help them? When it comes to pay rates and stuff, commercial and retail, they'll pay higher. And then you've got state and government kind of paying a little lower and maybe schools paying a little less than that, and charities and nonprofits paying even less. So you don't get the cream of the crop security people working in these state and local governments. And often I hear that these people, it's really hard to get fired out of here, which means that people are just going to kind of do their minimum job, what they need to do, not to get really fired. And even then they probably don't even get fired. So they just don't have a good cleanup crew. So some of the people who are coming to help in Texas is FEMA is actually going down there to help. The Department of Homeland Security is assisting. Texas A&M's Information Technology and Electronic Crime Unit is getting involved, which is their college down there. And even the Texas Military Department is throwing in their hat.

Graham

Going in with tanks. I mean, where's this going to stop? They need some kind of superhero, don't they? We've started. We saw it in Florida. Oh, do you want to get your tights out, Graham? Well, I don't think me. I'm just wondering what city. Could it be Gotham City next? Could it be Batman? Commissioner O'Hara ringing that phone. Carole, what have you got for us this week?

Carole

In my story, we're visiting the land of smart cities. And the thing is, is people use this term a lot, right? Smart city. And I didn't actually know how to define it or what the advantages and disadvantages really were. So I thought I'd do a little spot of digging and we could sift through some of the highlights and see whether we're thumbs up or thumbs down. Now, a smart city is one that uses digital info and communication tech to enhance the city, right? To enhance the quality of the services it delivers. So things like transport or health or climate or connectivity or crime or everything.

Graham

The kind of things which could be messed up with a ransomware attack. That's the sort of thing you're thinking of, right? Exactly.

Carole

So, you know, when there's a city with enough IoT services we've got what boffins are calling a smart city. And I take, you know, I don't think that's the right term. It should be smarter city because it's not all or nothing really, is it? It's a gradient of smartishness-ness-ness. Whatever. Anyway, so I'm digging around. And I get my hands on a list of smart city tenders. And this is what appears to be published by city councils around the world looking for an expert to make their city pop with some smartness. And there is a lot of them. Okay, there's a link in the show notes. But we're talking things like intelligent traffic and public transport systems, bike share schemes, air quality monitoring, smart solar storage, automatic weather stations, disaster alert systems, citywide Wi-Fi services, electric vehicle charging points. It goes on and on and on. Storm pollution control plans. All these things could make life so much better for all of us, right? But it does depend on real-time local data in order to work in a lot of cases. And that means you need a whole host of data collection, right? So you have things like city sensors around the city, and you also have data from residents and visitors. This would be gathered probably through apps and cellular use and city-hosted Wi-Fi. All of this information that they're able to collect from devices can feed into various systems.

Graham

So far, this all sounds very secure and nothing for anybody to worry about.

Carole

We should just record that and then just play it every episode, don't you think? It's a real standard. And all this data is used to create a system of smart behavior and alerts, which are supposed to help us. So imagine, for example, if traffic lights could automatically change pattern when traffic was increasing from one direction versus another. Well, see, this is what I've been saying, right? In fifth grade, they asked me if I'm going on a train from New York to California, at what point do I arrive if I'm going 40 miles an hour? I know this, but why doesn't a civil engineer know the answer to this, right? When I arrive at that intersection, it knows I've been doing the speed limit since the last six streets. Why isn't it just turning them green? It should know when I'm arriving. Yeah, turn them green for Jack. This is basic algebra. And maybe bins, right, would have sensors so that when they're full, a little sensor alerts the team that needs to come, you know, that they're ready to be picked up. The bonus, sweet smelling streets, I guess.

Graham

I'd just be happy with public loos, which did something that, Carole, which were able to tell when last time they'd been used. And so you could determine which one was used least recently.

Carole

On the outside, it would turn brown or something.

Graham

No, not brown. It would give you a green light. The other ones would be brown. So you'd know which one is most likely to be safe to use. That's what I want to see, that kind of technology.

Carole

There's life-saving possibilities here, up-to-the-minute information about accidents on the roads. So you could actually navigate help to the scene automatically without needing a passerby. And this would be huge in the UK, because if you stop, you know, alongside a car in distress, and say the guy's eyeballs are hanging out of his face in the UK, and you say, are you OK? They'll be, oh, gosh, yes, I'm perfectly fine. Sorry to trouble you. You know, it's insane over here. So this would help lives. It would save lives. So this is all great. And I do hate to ruin the whole Shangri-La-esque utopia that I've painted here. But there is a flip side, which we've already investigated earlier in the show. With everything connected and automated, it can make things much more disastrous if the system is disrupted in some way. So vulnerability exploit, a data breach, DDoS. And as we saw in the tenders, right, cities are actively looking for third-party experts to come in and make their cities smarter. They want their smart city dreams to come true. And from my reading today, this is a hot market. And cities are competing for services and techies are promising a shiny world. And the question is...

Graham

They must, at the same time when they're asking for people to pitch for this kind of stuff, they must also say, but you have to do it securely. They must be saying we want all these really cool features. Let's play the game, right? So I'm the third party.

Carole

So you're going to say to me, you really have to do this securely. And I'm, of course, sir. Yes, well. What questions are you going to ask me? What questions are you going to ask me to kind of gauge how secure it's going to be?

Graham

I don't know, I haven't thought about this sort of thing, girl, but, you know, clearly, I mean. You sound like someone who works at a council office. Okay, so Carole, is it possible that the ransomware attacks which you've been talking about against cities could actually in the long term be a good thing because it will wake up other cities to these threats and get them thinking more about security?

Carole

Yeah, I think city analysts, city people, what are they? They're just people who work in the cities. They are definitely paying attention to all these ransomware threats. And they're glued to this news when they see another city doing it. Because how did they pay? Did they not? How did they hire? Who helped them? You know, it's, well, hey, FEMA, you help that city. Why don't you help us too when we get hit? So, yeah, they are definitely paying attention to all this stuff. And, you know, here's what I think. Let's go back. Let's get out of our modern heads for a second and think about our cities when they started going online and allowing you to pay your bills online. We were saying, this is unsafe. This is insecure and all these things. And it was really ugly at the time. You know, it just didn't look good. And there was even an extra $2 fee or something, oh, there's a convenience fee to pay online. And so that shift of saying, okay, well, we're going to do what we used to do all the time, which was nice and secure. And we're going to shift it to this newfangled internet thing. That was quite a mind shift in our head. And it feels that's a new phase of this now is not only are we shifting to the future here, which is very internet connected stuff, but it's giving up all this extra data and telemetry and all this stuff. And again, it comes down to is the upside bigger than the downside.

Graham

I think it's a little bit like the shift which we saw maybe 20 years ago, because prior to Amazon, for instance, a lot of people's experience of e-commerce was not entirely satisfactory. And a lot of people just laughed at the thought of ever entering their credit card information on the web. And then Amazon came along and it turned out not only could you order things, but things would arrive.

Carole

You know what? You guys are right. Why do we have the show? We shouldn't even bother. We should just be like, let's get with the time. Let's not worry about anything.

Graham

I think we should just build a big, beautiful wall around all of these cities, rather like the one which has disconnected itself from the internet. A huge wall or a moat or something like that filled with boiling oil, and that could stop all of these attacks from happening.

Carole

You want to hear some crazy research that's kind of tangentially aligned to my story?

Graham

Go for it.

Carole

There was research published by the Georgia Institute of Tech this month. And they found that if a hack randomly stalled 20% of cars during rush hour in Manhattan, it would cause complete road chaos. They said if even just 10% of the cars at rush hour were affected, it would create enough blockages to stop emergency vehicles from getting through traffic.

Graham

10%, frankly, is probably better than normal, isn't it? It's probably better than a normal day.

Carole

No, but it's on top of all that, of course, right?

Graham

Oh, I see. Right. Yes.

Carole

And also there's this, have you heard of Google's Sidewalk Labs?

Graham

No, what's that?

Carole

So this is like a Google Alphabet sister company. And they've been trying to create a smart city in Toronto. And they were like, this is affordable housing. We can build it faster, cheaper, smarter than anybody else. And this US venture capitalist, Roger McNamee, in June warned, this is the most highly evolved version of surveillance capitalism to date. So it's basically on ice at the moment.

Graham

So hang on, this is something which Google have initiated?

Carole

Yes, yeah, Google Sidewalk Labs.

Graham

So they're going to have like data-driven adverts or something. They'll determine who's walking down the street and...

Carole

Can you imagine? Like in a way, you kind of want to see what they would do, but I kind of wish they weren't doing it in a city that is...

Graham

You just don't want it to be a Canadian city, right?

Carole

Yeah, no, I just don't. I think they should do it somewhere where, you know, where there's a military base and people are paid to live there so they can actually study it and do it properly.

Graham

Oh, yes, that's fine, isn't it? Yeah, just experiment on soldiers, Carole. Great. Yeah. That's never caused any problems in the past. Seriously. I would just be happy if my town had gigabit internet.

Carole

Oh, really?

Graham

Oh, yeah, that's true. If you had gigabit internet, I'm prepared to put up with anything, frankly. You know, it's like steal my firstborn child.

Carole

Yeah, I would say to my cities, start there and then we can talk about the next thing.

Graham

Fantastic. So you've got an IT security team, but you want to turn them into security superstars. How can you best provide each employee with the opportunity to upskill themselves? Immersive Labs provides a cloud-based system, and it's available 24 hours a day whenever is convenient for them to learn. It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations. It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there. Check out Immersive Labs' skills development platform to drive down your organisation's cyber risk while reducing training costs. Check them out at ImmersiveLabs.com slash lite. ImmersiveLabs.com slash lite.

Carole

Fact, if you don't have a password policy in your place of work, you can bet your bottom dollar that someone somewhere has selected one of the following passwords. 1111, 1234, or maybe the very complicated to hack 123abc. Don't let them do it, guys. Look into LastPass Enterprise. It will help you sort out all your poor passwords and put you back in charge. Learn more about LastPass Enterprise at LastPass.com slash smashing. That is LastPass.com forward slash smashing with a G. And welcome back. Can you join us on our favourite part of the show? Yeah. So if App A is associated to my Facebook account, which I do not have, I'm proud to say.

Graham

If you go into the setting right now, you will be able to see what apps and what websites have been serving up information to Facebook and associating it with your account. So you'll be able to tell it, Stop doing that in future. You know what? It's

Carole

quite clever. It's for a security nut like me, I might want to go in just to see what Facebook activity they've been gathering to date.

Graham

Well, exactly. And it may give you a bit of a shock. You see, I'm not doing it.

Carole

I'm not falling for it. Oh,

Graham

I see. You're thinking of

Carole

gathering. Yeah. Yeah. Yeah, I'm on to you, Facebook.

Graham

You're thinking of bringing back your account from the dead just to see what it's been doing. Now, disappointingly, and this is Facebook, of course, so don't be surprised, hitting clear history doesn't actually delete your data. Of course it doesn't. Of course it doesn't. You're such assholes. It just unlinks it from your profile and apparently it maintains it in a pseudonymous. Can you say that? Well, no, you can't actually. Jack, would you like to tackle that word? Pseudonymous. Anyway, and they're even saying that they won't do that in some circumstances. So if they think that you're a bit suspicious with your Facebook activity or engaged in fraud or naughty things, they will still retain a certain amount of the information they save for a longer time. And I think maybe that's acceptable from the sort of, well, when you consider some of the dodgy things which happen on social networks. In the last week, for instance, we've seen a number of reports from Facebook and Twitter alerting people to activity being done by the Chinese authorities against the protesters in Hong Kong. You might want to keep collecting some information if someone's already been tagged as a bit dodgy by the Facebook police, maybe. I don't know. Get off Facebook's my advice. Well, exactly. What do you think, Jack? What, are you a Facebook user? I know, but when you get on Facebook, it's a million options and clicking, there's just so many different settings that finding this one, yeah, is going to be really hard, and to know if it cancels out something else or override gets written, I've... It's horrendous, isn't it? And it's a shift in sands all the time because they're constantly changing it. It just always feels like it's changing. And, of course, you have to decide to turn off this off Facebook activity. Default for it is obviously on. You know, naturally, that's the way Facebook works.

Carole

I've bought the same mouse 15 times in the last 10 years. And so this is not a new mouse, but I love this mouse so much that I thought I might share it with you.

Graham

What is it? Which one is it?

Carole

I'll tell you at the end. So I hear someone on this call scrolling. And I hear this. Listen to this noise, right? That's what a normal mouse scroll sounds like. Listen to how my mouse scrolls.

Graham

It's hard to hear, but it's like a smooth scroll, right? It sounds a bit like a hamster wheel. It's like it's spinning freely.

Carole

It spins freely like a hamster wheel. And so I do a lot of scrolling. And so I can just scroll forever with this. It's so nice. I just love the scrolling aspect.

Graham

But it breaks often though if you've had 15 of them.

Carole

Well, it doesn't. It's that I want one for my work computer and my other computer and my dad's house. And everywhere I go, I'm like, you need this mouse. And so I just keep buying them wherever I go so I don't have to use any other mouse. And so the other thing is that it has something like 12 buttons on this thing.

Graham

Oh, for goodness sake. Why do you need 12 buttons? He's young and smart. His brain's still intact, Graham.

Carole

How many fingers do you have?

Graham

You can map it to whatever, right? And I'll tell you the one that just changes my life. And that is the scroll wheel itself has a button. You can click to the left or the right, right? So it's not just a middle click for the scroll wheel, but you can click left or right on the scroll wheel. The left button does that, right? Doesn't it? If you press the left button, you get a little—you're faster. I get it. Well, you can—it's like five clicks compared to two for him. Yeah, so I've remapped these buttons. Another one I did was search and find and all these other things so that I can copy something and then hit find and then find it—you know, I hit that button to search for it.

Graham

Jack, can you customize the different buttons depending on which application you're in?

Carole

No.

Graham

Oh, that'd be good, wouldn't it? Maybe, I don't know. There must be a tool out there which does it. But I'm just thinking if you were editing a podcast, for instance, how fantastic that would be for some of those functions which you regularly do. If you could do all of that from the mouse.

Carole

Yeah. Maybe.

Graham

Dream.

Carole

And the last cool feature is that the battery life is three years. So I'm rarely having to swap it out.

Graham

Is that because your hamster wheel is actually a generator, which is powering the battery?

Carole

The model of this is the Logitech M705, and I've bought a dozen of them at this point. And yes, it's my pick of the week.

Graham

OK, I'm Googling it right now to see if it looks like a weirdo mouse. Oh, it looks like a fairly ordinary mouse. The Logitech Marathon M705. Well, where are all these buttons on this? Yeah, they're just all around hidden. They're embedded, yeah. So, I mean, the mouse wheel can click right and left. And then where the thumb usually rests on the side of the mouse, that's got three or four buttons. How about that? Carole, what's your pick of the week?

Carole

Okay, before I get into the pick of the week, right? Do you guys have any favorite sayings or idioms? Like Bob's your uncle.

Graham

Oh, I do. Fine words don't butter parsnips.

Carole

I thought it was kind words don't butter parsnips. Maybe they're both right. I knew that would be your favorite. I had written that one down.

Graham

It's often been used in a salary negotiation. So when you go—

Carole

Yes it has.

Graham

When you have a meeting with a boss and they say you've done really, really well, you say, yeah, thank you very much. But kind words don't butter parsnips. In other words, give me some money so I can put butter on them. That'd be nice.

Carole

Do you have one, Jack? Think smarter, not harder. Oh, I like it. I like it. But I've got some seriously delicious ones for you. If you guys go to the link that I've provided, this is a list of 40 idioms that cannot be translated literally. And there are some glorious ones. Oh, actually, maybe you shouldn't look. Maybe you shouldn't look. You should tell me which country it comes from. I'll read an idiom and you decide what country it comes from. To wear a cat on one's head is the literal translation, and what it means is you're hiding your claws and pretending to be a nice, harmless person, Graham, but you're wearing a cat on your head.

Graham

Turkey. The only person I can think of about wearing a cat on the head is America, of course, with the current president, but I mean, so, but it's obviously not America, so Japan. Japan, yeah. Oh, okay.

Carole

Okay, one other one? Yes, please. To blow little ducks. Bulgaria. It means to talk nonsense or lie.

Graham

Oh, thank heavens. I thought it might be rude. Anything else?

Carole

To slide in on a shrimp sandwich.

Graham

Okay, that one is definitely rude. That must be Swedish.

Carole

It is. It refers to someone who didn't have to work to get to where they are. So someone to slide like Paris Hilton slid in on a shrimp sandwich. How delicious is that? It's amazing. And there's also this one, Balls of a Swan. Oh, that sounds. Estonia. No, it means something that's impossible. And it's from Croatia. Oh, that's right. Muda labudova. Balls of a swan. Balls of a swan. There you go. Anyway, there's 40 of them. Enjoy yourself. They're wonderful.

Graham

Are you suggesting people begin to incorporate these idioms into their own discussions? I mean, that'd be quite fun to do, wouldn't it?

Carole

Did you fall from a Christmas tree, Graham? I'm just saying you're not well informed. Polish style.

Graham

There's going to be a lot of this going forward, isn't it? Well, I think that just about wraps it up for this week. Jack, I'm sure lots of our listeners would love to follow you online and find out more about your podcast. What is the best way for folks to do that?

Carole

Twitter, I'm pretty responsive there. Jack Rhysider, or just find me on darknetdiaries.com.

Graham

Cool. And you can follow us on Twitter at smashinsecurity, no G. Twitter won't allow us to have a G. And we've also got an active community now on Reddit as well. Go and find our Smashing Security subreddit and join in the chat. With a G.

Carole

Yes, with a G on Reddit, yes. A huge thank you to this week's Smashing Security sponsors, Immersive Labs and LastPass, and thanks to you wonderful listeners. Thanks to our new Patreon supporters and our new reviewers. Check out smashingsecurity.com for past episodes, sponsorship details and info, and how to get in touch with us.

Graham

Until next time, cheerio. Bye bye. Bye bye.

Carole

A bit sexy there, Jack. Well, bye. So here's a little song, supporters on Patreon, made up of your names, because you know we're in the privacy game. Here goes. Shout out to 636B, Alex, Amanda, Andrew, Andy, Ben, Chris, CMDR, Divorced Pop, Dave, Dave, Dave and Dave. Thank you all. Emil, Eric, Fantastic Wolf, George, Hapmala, Hades, Heisenberg, Jack. You guys all rock. Job Matt, Mike, Nathan, Rangar, Richard, Robert, Sean, Susie, Tapakal, Elle, Tennis, Jay, Thom, Thom, Twilight, and Silar. You guys are making our show possible. Thank you for your support.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Jack Rhysider – @jackrhysider

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Immersive Labs

Immersive Labs provides the world’s first fully interactive, on-demand, and gamified cyber skills platform.

Try it for free at immersivelabs.com/lite/, and drive down your organisation’s cyber risk while reducing training costs.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
