Smashing Security podcast #253: Cybercrime unicorns, HVAC hacks, and NFT piracy – with Mikko Hyppönen

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security podcast #253: Cybercrime unicorns, HVAC hacks, and NFT piracy

Heating systems are left vulnerable to attack in the high courts, cybercrime unicorns have become a reality (but what are they?), over 15 Terabytes of NFTs are made available for anyone to download … and Carole reveals her Pick of the Year.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mikko Hyppönen.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Mikko Hyppönen

This is Mikko. I'm an Infosec rock star. And I listen to Smashing Security podcast every time I go to a sauna. And I go to a sauna a lot. Episode 253, Cybercrime Unicorns, HVAC Hacks and NFT Piracy with Carole Theriault and Graham Cluley.

Graham Cluley

Hello, hello and welcome to Smashing Security Episode 253. My name's Graham Cluley. And I'm Carole Theriault. And this week we're joined by a special guest. A name familiar to all of us who work in cybersecurity is Mikko Hyppönen. Hello, Mikko. Thank you very much and thank you for having me.

Carole Theriault

Thank you for being here. You're a hard man to get a hold of.

Mikko

You're a busy, busy man. Well, I'm planning on the rest of the things I have to do before I leave for my summer holiday. And I've actually restarted traveling. I've done 18 flights this year already. Oh, traveling. I heard trolling. I was like, whoa. Yes, I thought you were

Graham

trolling on the internet. 18 already this year. That's rather impressive.

Mikko

Yeah. But, you know, I can't wait for this year to be over with. I can't wait for normalcy to return.

Carole

Yeah. I'm going on my first plane ride in a few weeks. And I'm nervous. I'm nervous. Were you nervous the first time you went on a plane after all this stuff? I forgot my passport on the first flight.

Mikko

That's pretty bad. As someone who used to fly 140 flights a year, that's pretty bad. Yeah, I'm going to make a note. I'll make a note. Okay.

Carole

Now let's thank this week's sponsors, 1Password, Perimeter81, and Thinkst. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?

Graham

Oh, well, I've got a boiling bubbling question for you all about cybersecurity and heating systems.

Mikko

Okay, Mikko, what about you? Well, I've got cybercrime unicorns and what they mean for offensive artificial intelligence and machine learning. Oh my god, okay, I'm going to be learning a lot there.

Carole

And I'm doing NFTs meets Pirate Bay and has a love child. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, order, order, because the podcast today is coming to you from the echoey halls of the Royal Courts of Justice in London, where in the past, judges have ruled on all kinds of cybercrime cases, the likes of Julian Assange, Laurie Love, Gary McKinnon. They've all had their day in front of the beak. So that's a fellow Finn, Laurie Love. Well,

Mikko

yes. He got off it, didn't he, in the end? That's what I remember. I actually don't know him personally, but I do think he got off. You don't know everyone who's from Finland? Well, only most of them.

Graham

Okay. Until very recently, if you had a reason to visit the Royal Courts of Justice in London and you took your laptop out or your smartphone and thought, oh, I'll just go and check Twitter or, you know, just go and read my email or something, you might try and connect to the Wi-Fi. and you would find a variety of Wi-Fi hotspots available.

Carole

Like anywhere, like a Costa or a Pret or a Mickey D's.

Graham

Exactly, yeah, anywhere like that. And amongst the Wi-Fi hotspots you would find would be ones called Boiler Pump 1, Boiler Pump 2, Boiler Pump 3. And can you guess?

Carole

How many boiler pumps do they have?

Graham

Four boiler pumps, all with Wi-Fi. And according to The Register, that scurrilous rag beloved by IT followers everywhere, aficionados, and yes, we love The Register, those wireless networks were unsecured and passwordless. So you could connect to those wireless networks if you wanted to.

Mikko

Surely those were honeypots. Tell me they were honeypots. Well,

Graham

it may surprise you. I mean, that would make sense, wouldn't it? Maybe some security researchers set that up in case some criminals come in and try and access their email. And, you know, maybe that'd be some way of intercepting their messages as they're about to have their day in court. But no, it appears not. Because if you did connect to them, you would find yourself at the login page of the Royal Courts of Justice HVAC system. Carole, do you know what HVAC is? I'm sure Mikko does.

Carole

Yeah, it's like vacuum stuff, isn't it? Like heating, isn't it? Yeah. Air conditioning.

Graham

Ventilation. Ventilation. Air conditioning. Yeah. That's it. That's exactly it. So.

Carole

I don't know what it stands for. It must stand for something. I

Graham

just told you. Heating, ventilation, air conditioning. HVAC. Oh, goodness sake. It's just. Oh, this is going to be a good show. It's going to be a great show. Oh, dear. Anyway, so. I'm blushing. Big buildings or, you know, big organisations will have an HVAC system to keep everything, you know, tickety-boo. Make sure there's air circulating so no one carks it.

Carole

Particularly important post-COVID that we have a lot of that stuff. Right.

Graham

Yeah, a lot of theatres I know in London sort of ramped up the ventilation system so air was moving more quickly.

Carole

Your hair is going, you can hardly hear the artist on stage.

Graham

So, in other words, you are now just one password away, because you're at the login page of these boilers, from accessing the industrial control system that these courts, top courts in London, run to control its heating and air conditioning, as supplied by a company called Armstrong Fluid Technology. Now, if you knew that password, you would be able to access the admin system, which would let you, for instance, I don't know, what sort of mischief could you cause by meddling with a ventilation system or heating system?

Mikko

I think the biggest problem probably wouldn't be the ventilation systems themselves, but using these as a vector to gain access to something even more interesting. Yeah, and I think we saw that before, didn't we? Because when Target, for instance, was hacked back in 2013, I think it was, they used a password which they'd stolen from the HVAC supplier to the big retailer in order to gain access to Target's system. So that can be a problem, especially if default passwords are being used. But even if you just meddled with the heating system, imagine you turned off the heating pumps so it stopped the ventilation so all the air gets stagnant.

Carole

It's all stagnant. People start getting headaches and, you know.

Graham

Right, you could have that. Or maybe the water pipes might freeze. It's terribly cold here. You wouldn't believe how cold it is in England.

Carole

It's not. It's not cold at all. I'm Canadian, Mikko. It's ridiculous. They're whining like you wouldn't believe.

Mikko

It's actually snowing outside right now, so just shut up.

Graham

Luxury, luxury. I reckon it's too cold here to snow. You've got the balmy heights of Helsinki there. But imagine your water pipes freeze overnight and burst. That could cause the building to close and court cases to be delayed. Or what if the heat was raised so the judges, there they are in their great big British wigs, sweating and sweltering. "Oh, I can't cope!" People are beginning to put their bikinis on. It would just be, you know, so if you were maybe someone who didn't want to be extradited or you knew someone who didn't want to be extradited, then maybe you might hack into this system. But of course, you wouldn't know the password to log into the boiler. I could guess.

Carole

I think I can guess. I would like to guess. Okay, I've done no research on this. I'm going to guess.

Graham

All right, go on then. Go on, let's try it. Let's try the Carole brain. Let's try it. Number one, is it "boiler pump one"? No, no. Okay, that would be a password with both letters and numbers.

Carole

Yes, but the same as the username or the Wi-Fi port, so I thought that might be one.

Graham

It's not a bad guess. It's not a bad guess. I think you've gone a bit sophisticated on the password, though. Okay, so, okay, "1111." Or you could just use Google because Google has indexed those PDFs as well. So no one obviously is dumb enough to never change the default password. Everyone always changes the default password, they would. Of course they would. Of course they would, someone at the Royal Courts of Justice, especially if it was accessible from a public place or from the street outside. Maybe the Royal Courts of Justice where often you get protesters who are campaigning for someone not to be extradited or someone, you know, to be let off, whatever they're being charged with.

Carole

I feel so bad for the IT intern that was the guy who set this up.

Mikko

And this does remind me of Hollywood movies, because when you think about Die Hard 2 or Mission Impossible, it's always John McClane or Ethan Hunt crawling through the ventilation systems to hack the systems. So isn't it the same thing, basically? It's just a more digital version of the same idea.

Graham

Yeah, you don't have to be quite so flexible. You don't have to have wires which can support your weight if you use Wi-Fi. You don't need a harness. So thankfully, The Register tipped off the Royal Courts of Justice about this snafu, and they say that they've taken immediate action to secure the systems. However, interestingly, The Register also points out that just yesterday, a journalist reported that the temperature at the court was ludicrously cold and the jurors had been told they could keep their hands, coats and gloves on if they want.

Carole

Surely they can if they want anyway, no? I have to go do jury duty soon, so I'm a little nervous about this. There's a dress code?

Graham

Well, I'm a little bit surprised they told people that they could leave their hands on. So that's an option. Now, it's not new, as Mikko has already said, it's not new for HVAC systems to be the weak link in the chain. We saw the Target breach, for instance, where they managed to then sort of spread laterally through the organization by the HVAC. And I also remember earlier than that, in 2009, a security guard at a Dallas hospital hacked into computers, as well as the HVAC system, in order to launch DDoS attacks. There was a guy, Jesse McGraw. He called himself Ghost Exodus or Phantom Exodismo, and he was the self-proclaimed leader of the Electronic Tribulation Army. And he used his knowledge as a security guard to bypass physical security and he ran a password cracker on the HVAC computer. And he had the ability to change the temperature at this hospital and its environmental controls, which could obviously have affected people's treatment. He also had potentially access to patients' medical records and all kinds of impacts it could have had. He ended up being sentenced to nine years in jail. But the most notable thing about him, it's funny you mentioned Mission Impossible, actually, Mikko, because he made a video of himself doing this so-called botnet infiltration. He made no attempt to hide his face, but he did wear a hoodie. And while doing this, he had the Mission Impossible theme playing on a CD player in the background.

Unknown

Oh, brilliant. Hey, what's up, everybody? It's Coach Texas. You're on a mission with me infiltration. I just so happen to be the only person here and you know what, we're going for a spin.

Mikko

Good old Phantom Exo Dismo, just—

Graham

Yeah, Phantom Exo Dismo was a bit of a diz, wasn't he? Never mind, Mikko, what story have you got for us this week?

Mikko

Well, artificial intelligence and machine learning has been all the rage for quite a while already, and I've been thinking about this a lot lately. You see, I've spent the pandemic downtime writing a book. I had my book come out last month.

Carole

Oh, we didn't even talk. Can you give us the name of the book?

Graham

It's called Internet, isn't it?

Mikko

It's called The Internet, which is a great name for a book, especially since nobody had written a book called Internet before. So I did it.

Graham

Mikko, you say it's a great name for a book. I have to tell you that if you Google The Internet, you're—

Carole

Probably... I was just going to say the SEO will be expensive.

Graham

To be honest, it's rubbish. It's a rubbish name for a book.

Mikko

Yeah, okay, but it's too late to change it. Nevertheless, I'm happy to tell you about the book, but you can't read it because it's only been published in my native language of Finnish so far. But Finnish isn't that hard. Even small children speak Finnish, so you can easily learn it. It's true. You come to Helsinki, you'll see small kids speaking fluent Finnish. So if you can't learn it, you must be thick. However, it will be published internationally in 2022, so you will be able to check it out. In that book, one of the topics I cover is everything that we've been doing with machine learning and artificial intelligence on the defense side, like how security companies use machine learning, which then brings us to the obvious question, which is how are we going to see and when will we see the attackers using machine learning for offensive use? And when I was thinking about this, I actually went back to my notes from 2016, because in 2016, I invented a new term, which was cybercrime unicorns. And here, unicorns is a reference to unicorn companies.

Carole

Oh, I was going to say my niece would be in love with you if you actually could personify them in some way.

Mikko

No, no, it means unicorn company. Do you know what unicorn companies are?

Carole

Aren't they companies that get a lot of investment very quickly and become a huge bet with very little sustained growth?

Mikko

That's a pretty good definition. I guess the way they officially define it is that it's a private technology company which is valued at over a billion U.S. dollars, which typically are exactly what you described—early stage companies with massive funding or huge growth wishes, like Theranos, for example.

Carole

Yeah, except it's no longer a unicorn because it's no longer valued like that.

Mikko

Today, let's say SpaceX would be a unicorn company, or Reddit.

Carole

Really? Reddit?

Mikko

Yeah, absolutely. It's the third most common or popular website in the world or fourth most popular website in the world. Of course, it's a unicorn and it's a private company, so it's a unicorn. Airbnb and Uber used to be unicorns, but now they're public, so they're no longer unicorn companies. So what I was thinking in 2016 is that I wonder if we one day will see cybercrime unicorns—organized online crime gangs which should be considered to be unicorns because they have wealth of over a billion dollars. And five years ago, it was sort of like a gag or a virtual chuckle. We didn't actually have them five years ago. Unfortunately, they have become a reality, and they've become a reality for two different reasons. Reason number one, the amount of money being made with business email compromise attacks and with ransomware has just skyrocketed, which is a big part of this. But even more importantly, these online crime gangs keep their wealth in Bitcoin or in Monero or in Zcash. And five years ago, we knew of several online crime gangs which had $10 million of wealth. Well, if you had $10 million five years ago in Bitcoin, if you still have them in Bitcoin, you've become a unicorn automatically, because today, I mean, the value of Bitcoin has grown 100-fold in five years. The question becomes, if we really have cybercrime unicorns as our enemies today, how are the attacks changing? When the enemy can afford to invest money into their attacks, how will we see the change? And some things we've already seen include that these guys, the professional crime gangs, are becoming more and more organized. In some senses, they start to resemble traditional real-world crime gangs, organized crime gangs. We know they run professional data centers. We know they hire lawyers and business analysts. And I think an especially eye-opening case was the case with Fin7 crime gang, which has now twice created these fake front-end companies to hire pen testers. 
Basically, recruiting from our side, posing as a security company, hiring security researchers to do penetration tests against companies which have not ordered a pen test. So, of course, they will then find ways in which will then be used by the criminals.

Graham

It's astonishing that. So those penetration testers, they aren't aware that they're part of a criminal gang or that they're pen testing companies without the company's permission, I guess?

Mikko

Yeah, well, this was the idea. I mean, Combined Security and Bastion Secure are the two companies we know of that have been set up like this. And I suppose the whole point of setting up a fake company is that you're trying to recruit professionals without them realizing that you're working for criminal organizations.

Graham

Makes it a bit easier, though for law enforcement maybe to shut down some of those operations. You can just go to LinkedIn. I imagine if you're working for them, you don't worry about saying, oh, yes, I work for this company.

Carole

But the company can just dissolve, right? So if the company dissolves and suddenly you're left holding the, well, I was a consultant for, you know, blah, blah, blah company. And I, yeah, no, I did do that. And the company told me to, you know, and here's some write-ups, but the addresses go nowhere. 404, 404, 404.

Graham

Yep. Doesn't look that good on the CV either, does it?

Mikko

And of course, the pandemic has worked great to help with what's happening. You can work remotely. Just do pen testing from your home. And of course, these companies pay really well. They are unicorns. Fascinating. Now, I believe the main reason why we haven't seen AI attacks yet is that there's such a lack of skill. I mean, if it's hard to hire security experts, it's even harder to hire AI and ML experts, artificial intelligence, machine learning experts, and even harder to hire artificial intelligence, machine learning experts who work in cybersecurity.

Carole

Yeah, smaller pool. Yeah, there you go. So criminals haven't been able to do this. But now, as they are starting to be able to compete with salaries, with this small pool of skill sets, it could happen. And this is what worries me. And this is why I believe we are on the verge of starting to see the enemy start to use machine learning in their attacks. Totally. Hey, you want healthcare? You want dental? Come here. We've got you. You want a pension? We've got you covered. You know?

Mikko

Yeah. And then the question becomes, what will the first attacks using machine learning look like? And of course, we don't know. But I've been throwing this idea back and forth here at our labs. And I think a pretty common consensus would be that the easiest thing for them to do first would be to replace the humans that operate the malware campaigns that we are seeing today. So if you think about a typical malware campaign, let's say ransomware campaign, there's multiple moving parts. It's made by multiple different persons, but there's an operator. So let's say they want to send out emails with a malicious link to our website, which has an exploit, which then drops a ransomware binary on your Windows computers. There's an operator which prepares the email and selects the address list which to target and start sending out the emails and then monitors how well do the emails go through spam filters, adjusting as needed so they will go through better. And then monitoring how well the exploit works. Is it being detected by IDS systems at the companies? And if so, they modify it. And then monitoring how well the binary goes through endpoint protection system and compiling and changing it as needed. All of that could easily be replaced with a short Python script, which would do all of this and adjust accordingly and learn how the situation changes. And I believe this is what will be the first step. I mean, the humans running the operations will be replaced by learning systems, which will run these systems automated.

Graham

I'm worried that these poor old cyber criminals are going to be put out of a job. There'll be many of them who used to run these malware campaigns who are going to be kicking around now looking for something else to do.

Carole

Well, maybe we should add a section to Smashing Security where we can have confessions and then they can kind of say how they feel remorse for their actions. And we could have a little, you know, like a little, I don't know.

Mikko

Will anybody think about the criminals? Yeah, exactly. We'll boohoo for them. And when I've been speaking about this, I've been surprised how many people have been surprised about the fact that we haven't seen this yet. A lot of people assume AI attacks are happening already. And they're not. I mean, when something like this would happen, of course, it would be very visible to us. And we haven't seen it yet. But why would it be visible?

Graham

Yeah, how would we know if they were doing this or not?

Mikko

Yeah, we would know because they would be much faster in their reaction time. It's basically a game of ping pong where our end, the pong part of this, would be automated. Security companies automatically feed the samples, automatically analyze, detect them, create detections and ship them automatically. So, there comes a pong from the criminals and the ping comes right away. Then there's a delay and a pong again. So, it's a game of ping pong, ping pong. When they automate their end, then it's going to be ping pong, ping pong, ping pong, ping pong. The only thing which will stop a bad AI will be a good AI. And this change will be so obvious that we would detect it. I can't believe we're talking about the pong of cybercriminals. It feels like we need to improve the ventilation maybe. It doesn't sound that good, does it?

Carole

Okay, I'm going to start with a question. Have you heard of the term tulip mania?

Graham

Is it something to do with the tulip craze when everyone went bonkers buying tulips?

Mikko

Like in the 16th or 17th century? Yeah, before cryptocurrency existed.

Carole

1634, the Dutch Golden Age, when contract prices for some bulbs of the new and fashionable tulips reached super high levels, and then there was a major acceleration that started in 1634 and then collapsed three years later. And some are referring to the whole NFT thing as a similar blip. Have you got views, Mikko, on NFTs?

Mikko

I've been following the whole thing around NFTs, don't own any NFTs myself. And of course, there's a massive amount of hype around it. Who knows, there might be some real innovation there as well. I've covered a number of stories on this. But at the moment, my view is those that were investing are playing a risky game, right? Because the bubble will maybe pop, likely to pop is my gut. It's a way of creating artificial scarcity. I mean, digital things typically can be copied and you won't be able to tell the copy from the original one. If you make a copy of an MP3, it's going to be the same thing as the original. And NFT makes it different from the original.

Carole

And this can be like a video clip, an image, a tweet, an article, and it goes up for auction. And the transaction results are recorded in the blockchain, like a blockchain eBay of sorts. And the winner or the purchaser of the NFT or of said digital good, it has a contract coded and then minted in a blockchain network. And this is a permanent part of the blockchain. So effectively, there's like a receipt of purchase. Is that fair? Like, you know, a digital receipt of purchase.

Graham

There's not a lot of people who get it.

Carole

No, that's what I'm

Graham

saying. Anyone who will understand. Yeah, like it is hard. The other day, I had a listener contact me who said, you were talking about IoT, but I never really understood what IoT was. So it's always difficult with these terms, isn't it? To know how much detail to go into and try and explain these things. But

Carole

I think IoT is a lot easier.

Graham

Yeah, well, we forgot to do it. One of our listeners wasn't happy. Okay, okay. I'm sorry, listener. We'll do that better in future. Oh, yes, someone will want the entire set or if there's one missing, then we'll pay over the odds to complete the set. Exactly. It's like baseball cards almost, right? Well, you can't hang it on the wall. You print it? Well, you could print it anyway. I mean, you could go to an art museum and take a photograph and then print it out and shove it on your wall if you wanted. Right.

Carole

Right. So it's, yeah, it's impossible to regulate, right? Because you can't enforce someone not to do a "save as" of a JPEG or a PNG. Yeah. Whenever someone posts about NFTs, the first comments always are, "I made a copy of your million dollar NFT. I just right-clicked and saved it." Exactly. Other problems. Climate impact, of course, right? Because it takes a huge amount of energy to do all the calculations required to generate the certificate for the blockchain ownership of this NFT. Also the valuation, right? The cryptocurrencies. Like, people are like, oh, that was bought for 69 million pounds, and it's like, well, that was yesterday, you know. The prices are at the value, you know, at the time of sale. If you leave it in there and it devalues, then obvious what happens.

Mikko

The funny thing about Bitcoin valuation is that if you go to Bitcoin subreddits, you'll find plenty of people who used to use Bitcoin to buy drugs from Silk Road five years ago. So they paid like, you know, 50 Bitcoins for two grams of hash. Yeah, yeah. The most expensive product in the universe now. And then, of course, there's liquidity issues, because just because you've bought something, there's a lot of shady stuff out there and you may not be able to realize the cash from the purchase, because there's lots of new players on the market, not all shipshape.

Graham

Well, no, he doesn't mind being called Geoff. He doesn't want to be called Geoff Huntley. I think there is a difference.

Carole

He is calling his work an art project. He's a nutter. The name being called the Billion Dollar Torrent. Okay. Right. And he says, hey, I'm Geoff. After many previous adventures involving cycling through many countries on a unicycle. I think you've told me enough. Now live a minimalist lifestyle in a van that is slowly working its way around Australia. Oh, boy. Okay. Yeah. But he's come up with a brilliantly simple idea. Has he? And I think it does underline the massive problem in the NFT thing, is that most of these are hyperlinks to images hosted on Google Drive or Web 2.0 web hosts. The images, in lots of cases, are not being stored within the blockchain. The image, he writes, these images are not stored on the blockchain contract. Anyone who finds them can save and have an exact digital copy of what you're trying to buy to sell. So he has basically created this website, a site of 17 terabytes, all available from a single source. And he is showing that you are buying the notification of owning a worthless piece of crap, in my view. On his FAQ page, it says, did you know an NFT is just a hyperlink to an image that is usually hosted on Google Drive or other Web 2.0 web hosts? People are dropping millions on instructions on how to download images. That's why you can right-click, save as, because they're just standard images. The image is not stored in the blockchain contract. And the problem is, obviously, web hosts are known to go offline, 404 errors, right? So this handy torrent contains all of the NFTs. How many terabytes? 17 terabytes. Handy, handy. It's basically a backup. Yeah, it's basically a web archive. And he's saying at the end of this, he says, the reason I'm doing this is so future generations can study this generation's tulip mania and collectively go, what the fuck? We destroyed our planet for this. Signed, Jeffrey Huntley. Not Geoff. So, interesting. Extraordinary.

Mikko

However, there is something about NFTs I want to mention since we mentioned my book. Plenty of the people here in Finland who have bought the book have bought the e-book, not the paper book. And some of them have asked me, could you sign my book? And of course, a physical book, I'm happy to sign it. But how do you sign an e-book? There doesn't seem to be any solution to this. And I'm sort of waiting for someone to come up with something along the lines of NFTs where I could actually somehow sign it with a public key and have the e-book be wrapped up in a contract which would be stored in a blockchain or something like that. That actually wouldn't be as stupid as many of the things we have here. If you're next to an author of something you have and he could somehow sign it for you so it would actually show that you actually did meet this person. And since NFTs are contracts, it could even work so that if someone would then sell a copy of the signed good, part of the price of that resale would go back to the original artist or original author. So maybe something like that could actually be useful.

Graham

Yeah, that's a very interesting idea. Mikko, do you ride a unicycle at all? Have you driven a camper van around Australia? Right, right.

Carole

No, no, but I am with you because, you know, doing art and stuff, it would be really nice that if you sold your piece of art to someone and they went, oh, I love it. Oh, actually, I don't love it. I'm going to sell it on that. You get a tiny bit of that one gun. And I think this is probably a foray into that. I just don't think they've got it down pat yet. So just one last thing. If users want to check whether their NFT is really on the blockchain as opposed to being hosted on Web 2.0, I have no NFTs, but this was recommended by Jeffrey Huntley himself. So make of that what you will. The site is checkmynft.com. It effectively looks at the contract definition. So you can also just look at the freaking contract and read the T's and C's before you get involved. Love you all. To secure and manage your global network with one unified platform. Securing remote access for cloud and hybrid businesses and organisations, Perimeter 81 provides unified solutions such as zero-trust network access, firewall as a service, device posture check and more. Learn more and request a demo at perimeter81.com. That's perimeter81.com. I don't even know if, okay, it's going to be fascinating when you say it, if I recognize it.

Graham

The program is called MailMate. I didn't know about it. And MailMate, I probably shouldn't mention this on a security-related podcast, to be honest. I shouldn't really tell you what my email client is, but too late, I've done it.

Mikko

Click on the link I just mailed to you.

Graham

Let me attach a zip bomb or something malicious. MailMate is, yeah, it's what I use for email. And I have used just about every ruddy email client that exists for Apple Macs. And I couldn't find one which I really got on with until a few years ago I discovered MailMate. And in its own description it says, MailMate isn't the most widespread, the cheapest or the greatest looking email client. But I have no aspiration to make MailMate ever be one of those. Instead, it aspires to be the most powerful, the most flexible, the most efficient, the most standards compliant, and the most secure email client. And I have to say, I love it.

Carole

Okay, what does it do? It's so powerful, Carole. Okay, what does it do? It can do anything. Can it make me coffee? Yes. No, it can't. No, it can't. You're lying. God.

Graham

But it can do anything with email and it organises my email and it has rules and smart filters and folders. So it's IMAP compliant. So if your email's in Gmail or something like that, it can connect to that and you'll be able to meddle with it on your thing. I'm trying to think of other really clever stuff it can do. I'll tell you one thing clever that it can do is if, for instance, so I have a form on my website, right, where people can ask me to go and speak at an event, right? And I get an email to myself from a particular address on my website. And if I accidentally reply to myself rather than the person I was meant to reply to, it will pop up and say, whoa, whoa, whoa, Graham, you've CC'd this internal address, which you didn't mean to. So there's all kinds of little itsy-bitsy configurations. Or I've got another thing which says every time I send an email, because sometimes I'm a little bit curt in my emails, I'm not as polite as I should be. Really? Yeah, I know. Hard to believe. Sometimes. So what my email client does is it puts any email I send into a 90-second limbo. And I could make that three minutes. I could make it an hour if I wanted. And so I can go back to my email. I—

Carole

Love the idea of it being an hour. Graham's in the bath. Do-ba-do-do-do-do. Holy shit!

Graham

Exactly. Or I can schedule an email. So if I think I want to reply, but I don't want people to think I'm too keen, I'll send it to them in 90 minutes' time. So then it does it. And anyway, it is developed by just one Danish guy. You can buy it for a one-off fee of $49, but it is so essential to my work life that I actually give him cash every three months. I pay the equivalent of a subscription, which is entirely optional, but I choose to do it because I would be screwed if MailMate ever went away. Excellent software should be supported, so I'm happy to pay for it. Question. Yes. Would you be screwed if our friendship dissolved? I think we'll have to discuss who's going to pay who. Anyway, MailMate for Mac OS is my pick of the week. Cool one. Cool one. Mikko, what's your pick of the week? Well, since we are in a podcast, of course, I am going to recommend a competing podcast. So stop listening to Smashing Security right now, look for the Ted Dabney Experience podcast and hit play.

Carole

Ah, your passion.

Mikko

I just bought a brand new 1993 Judge Dredd pinball machine, which is the best thing ever. So, you know, yeah, they are great. Nevertheless, this one is not about pinball. It's about old video arcade games. This is a podcast made in UK by Paul Drury, Tony Temple, and Richard May. Tony Temple is the world record holder in Missile Command. He actually just wrote a book about Missile Command history and how he made the world record.

Carole

Oh, that sounds good.

Mikko

It's really good. I recommend the book. The book is called Missile Commander, and the podcast interviews people who were involved in the early days of the arcade gaming revolution, especially people involved in the early days of Atari. The name Ted Dabney Experience comes from Ted Dabney, who was one of the guys who started Atari together with Nolan Bushnell. It is really well done, production qualities are there, really good interviews, and they have access to people who typically don't give interviews. So if you are into old gaming, classic gaming or retro gaming, check out teddabneyexperience.com.

Carole

Yeah, and trust Mikko because he really takes gaming seriously! Yeah, no, that sounds great. I'll definitely check that out. That sounds a lot of fun. Okay, I got a truly special, special, special one. Not compared to yours, but compared to the previous ones that I've maybe dabbled with. And it's a movie currently available on my instance of Netflix called Ruben Brandt, Collector. Have either of you seen it?

Graham

I have seen the trailer. You have recommended it to me. I haven't had a chance to watch the actual movie yet.

Mikko

I don't have Netflix, but I have heard of it.

Carole

Okay. I would say buy it. I would say don't walk, run, run, run. Okay?

Graham

It looked wonderful from the trailer. It looks wonderful. So beautiful. How would you describe some of the characters? I saw a lot of them seem to have three eyes or three faces. It's a bit sort of Picasso-like.

Carole

Well, yes. So it's so beautiful to watch because it's a bit meta in that sense. So you can literally watch it and try—

Graham

Hang on. You have to be careful with the word meta these days. That f. Yeah, yeah. He is an arse, isn't he? Can't get higher than that. That is seriously a pick of the year. There you go.

Carole

Well, maybe I'll find one. Boom! Whoa, pick of the year. Wow, okay.

Mikko

Well, they can find me on Twitter as Mikko, that's M-I-K-K-O, or on my website, which is mikko.com.

Graham

Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter on the last of a G. And we also have a Smashing Security subreddit where you can chat about the latest episodes. And don't forget to ensure you never miss another episode, follow Smashing Security in your favourite podcast apps such as Apple Podcasts, Spotify and Google Podcasts. And massive shout out to this episode's sponsors, the fabulous 1Password, the great Thinkst, and the wonderful Perimeter 81. And to our tremendous Patreon communities.

Graham

Until next time, cheerio.

Carole

Bye-bye.

Mikko

Bye-bye. I'm making an NFT off this episode already.

Carole

Mikko, would you buy Mikko.wtf?

Mikko

No, I have the best domain already. I have the .com, so I don't want to make.

Carole

But that could be for all your, I don't want to have this on my legit, legit site.

Mikko

I have nothing to hide.

Carole

Sure, they all say that. They all say that.

Hosts:

Graham Cluley

Carole Theriault

Guest:

Mikko Hyppönen – @mikko

Show notes:

Sponsor: Perimeter 81

Perimeter 81 is the first-ever Cybersecurity Experience Platform, designed around Instant Deployment, Unified Management, Integrated Security, and Full Visibility.

Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.

Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as Zero Trust Network Access, Firewall as a Service, Device Posture Check, and more.

Learn more and request a demo at perimeter81.com

Sponsor: 1Password

1Password 8 for Windows has been reimagined to feel right at home on the world’s most popular desktop operating system.

From Dark Mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.

Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.

1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before.

Take the 14 day free trial now at 1password.com

Sponsor: Thinkst Canary

Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in.

Go to canary.tools to find out why its Physical, VM and Cloud Based Canaries are deployed and loved on all 7 continents…

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
