The inside story of the Maersk NotPetya ransomware attack, from someone who was there

The shipping conglomerate Maersk, hit by the NotPetya ransomware in June 2017, estimated that it cost them as much as $300 million in lost revenue.

Gavin Ashton was an IT security guy working at Maersk at the time of the attack. He’s now written an in-depth article about what happened.

I want to help protect other folks from making these same mistakes, because there’s a lot of what seems to be defeatist wisdom out there; Yes, it is inevitable that you will be attacked. It is inevitable that one day, one will get through. And obviously, you should have a solid contingency plan in place in case of the worst. But that’s not to say you don’t attempt to put up a damn good fight to stop these attacks in the first case. Just because you know the bad actors are coming, doesn’t mean you leave your front door open and make them a cup of tea when they walk in. You could just lock the door.

Staying with the home analogy; Yes, there’s security cameras and wizard cloud-connected ‘Internet of Things’ (IoT) devices and all kinds of expensive measures and widgets, but a lot of organisations fail simply on the basics. Lock the damn door.

It’s a good read, and strongly recommended if you’re responsible for securing your enterprise from malware attack.

And make sure to check out this “Smashing Security” podcast we recorded back in June 2017, at the time of the outbreak:

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Today's episode of Smashing Security is brought to you by Rapid7.

Identifying, prioritizing, and managing vulnerabilities all the way through to remediation is not only possible, it can be simple right now.

Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial at www.rapid7.com.
CAROLE THERIAULT
.com.
Unknown
That's www.rapid7.com. And thanks very much to Rapid7 for supporting the show.

Smashing Security, Episode 31: Phisher Don't Know the Name of This Ransomware with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to another episode of Smashing Security, Episode 31 for the 29th of June, 2017.

My name is Graham Cluley, and I'm joined as always by my co-host and good buddy Carole Theriault. Hello, Carole. How are you?
CAROLE THERIAULT
Hello, I'm good. Hello from the great big plains of Canada.
GRAHAM CLULEY
Oh yeah, you're out there at the moment, aren't you? Visiting the Theriault family massif. How's that going?
CAROLE THERIAULT
Well, it's going to be big. It's a big Canada Day weekend. So there's 40 of my family are coming over for a 3-day jaunt.
DAVID BISSON
What?
GRAHAM CLULEY
40?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
That is quite a party.
CAROLE THERIAULT
Yeah, there's a lot of prep work, but I've of course made time for the podcast.
GRAHAM CLULEY
You've got your priorities right. And the other person who's got his priorities right is our special guest today. He's prolific infosecurity journalist and blogger David Bisson.

Hello, David. Welcome to the show.
DAVID BISSON
Hey, how's it going? Thanks for having me. Yay.
GRAHAM CLULEY
Delighted to have you on board. Good. And I'm sure you've heard the podcast before, but if you haven't, this is how it works, everybody.

What we do is we each choose a topic from the news, last week's news of computer security and privacy, and we have a little bit of a chat about it.

And as tradition dictates, I get to go first.
CAROLE THERIAULT
He's the guy who doesn't open doors for people either. So it's no problem.
DAVID BISSON
What do you like?
CAROLE THERIAULT
What?
GRAHAM CLULEY
That is outrageous.
CAROLE THERIAULT
I don't think you've ever decided— even when I had an operation, I don't think you said, oh, let me carry that for you.
DAVID BISSON
Oh, and the truth comes out.
CAROLE THERIAULT
Whoa.
GRAHAM CLULEY
That is quite something.
DAVID BISSON
It's going to be a serious podcast today, folks.
CAROLE THERIAULT
Well, we want to make it edgy. We want to make it edgy.
GRAHAM CLULEY
Good job you're in Canada and I'm over here is all I can say. So, across the pond.

Something we've all got to talk about, of course, is this week has seen a massive new ransomware outbreak hitting companies around the world, primarily in Ukraine, but also in other countries as well, called Petya, or is it called not Petya?

It seems that computer security companies can't quite agree whether this is a variant of the Petya ransomware that we've seen before or something which is mimicking it in some fashion.

Maybe actually, that doesn't matter that much. Maybe sometimes we choose both.
CAROLE THERIAULT
Yes, it matters. It does matter. Because, I mean, this has been going on forever.

As long as I've been in the industry, which is years, we've always had arguments about, you know, all the names and the different, you know, the names for these things.

And it happens because all the companies are working simultaneously on trying to develop and look at it and research it and then talk about it.

And they all come up with different names. And, you know, it's frustrating because you have to know what you're talking about in order to talk about it.
GRAHAM CLULEY
But sometimes I worry that there is a danger that the security companies spend, all the analysts sort of, you know, on Twitter going, "It is not this, it is this kind of malware instead." Sometimes that doesn't actually matter very much to the man in the street.

And I thought Martijn Grooten, the editor of Virus Bulletin, summed this up rather well in a tweet.

He was basically saying, look, if he found an injured man who'd fallen out of a tree, if it was the InfoSec community, they'd spend half of their time saying, "Oh, you were really dumb to climb that tree." And the other half would be saying, "Oh, what kind of tree actually is it that he climbed," rather than dealing with the person who's seriously injured.

I think giving the advice on how to protect yourself was more important maybe than exactly what strain of ransomware it was.
CAROLE THERIAULT
I know, but I think, you know, people want to study this stuff, right? People want to be able to look at it and be able to say, this is similar to this previous version of a virus.

We saw this 5 years ago.
GRAHAM CLULEY
I get that, I get, and I know—
CAROLE THERIAULT
But it only came out yesterday. It only came out yesterday.
GRAHAM CLULEY
That's the thing, right?

It only just came out on Tuesday and yet everyone is, that's the thing is, I think focusing too much on that on day one is perhaps a little bit over the top and not the most important thing.

Let me tell you what I think is the most important thing about this ransomware. So in many ways it was a bit like WannaCry.

And you remember WannaCry, of course, a month or two ago, it was hitting organizations, particularly the British National Health Service, very hard and it exploited a Windows exploit which had been developed by the National Security Agency, the NSA, and they called it EternalBlue.

Now that same exploit was used in part by this new ransomware, which I'll call Petya for the purposes of simplicity.

So it was using that to spread, although it wasn't using it as vigorously and aggressively maybe as WannaCry was. And so we haven't seen quite as many infections.

And of course it was encrypting your files. If you booted up your computer, you would think your hard disk was being repaired because it was mimicking the old DOS command, chkdsk.

If you saw that message, by the way, turn off your PC immediately as it would stop the encryption. But it was also trying to gain admin access to infected computers.

It was scouring your memory for domain admin credentials.
CAROLE THERIAULT
May I interrupt? Why are you saying was? Because it's still hitting.
GRAHAM CLULEY
Well, yes, but it isn't really sort of spreading en masse. We aren't getting huge numbers of new reports of it compared to some of the other malware outbreaks which have happened.

It looks like, I mean, there certainly was a really big initial hit. Ukraine got hit particularly hard. They seem to be the initial ones hit.

Energy companies, Kiev airport, even the Deputy Prime Minister, Pavlo Rozenko, here I go again.

Pavlo Rozenko was tweeting pictures of his PC mid-encryption and he was saying, "Ta-da!" He was saying in his sort of Cyrillic accent.
CAROLE THERIAULT
He was saying, "Ta-da!" What?
GRAHAM CLULEY
Yes, ta-da. He was going, ta-da, here is my computer right now being encrypted.

So he was fairly laid back about it, which I thought was great because meanwhile Chernobyl nuclear power plant was being hit and the site's automatic radiation monitoring systems would be knocked out by the ransomware attack.

So there you go. Don't panic, folks. Nothing to worry about here. Nothing to see. It wasn't just Ukraine which was hit though.

There were other companies around the world, multinationals, the marketing goliath WPP, who's a parent company of a lot of— yeah, we know them, don't we?

A lot of marketing companies work for them. Shipping giant Maersk and Russia's top oil producer, Rosneft, all of which got hit.
CAROLE THERIAULT
So why the Ukraine? Why do we think— were they focused, targeted, or?
GRAHAM CLULEY
Well, you see, again, the conspiracy theories begin, don't they? Because we have seen attacks before against Ukraine. Against the energy systems over there.

And a lot of fingers have been pointed towards Russia as being doing that kind of thing. Some have suggested that there is a piece of software called MeDoc.

It's a Ukrainian accounting software program. It may even be mandatory in Ukraine, I'm not sure. And there are allegations that it pushed out a very dodgy update containing malware.

And what a fantastic way, if that was true, and I don't know.

We certainly know MeDoc did have problems with the malware, but I don't know yet if it's been confirmed whether they pushed out the malware or not.
DAVID BISSON
But MeDoc actually posted something on Facebook denying that and saying that I guess its initial update came out on June 22nd.

But Malwarebytes came out and said, no, it initially happened on the 27th yesterday.
GRAHAM CLULEY
So which was the day when this ransomware struck. So it—
DAVID BISSON
Yeah.

And I guess that could explain if it was MeDoc, it could explain why there would be so much fewer targets because then you would figure that it would be foreign investors and companies that are linked to Ukraine's government that uses this software.

There's only been a reported 2,000 victims so far. So if it's tied to that software, it would make sense that it'd be smaller in scale.
GRAHAM CLULEY
Of course, if you are a multinational with offices in Ukraine and you had a flat network structure, and so the malware— this one of the things which it does is it doesn't spread, as I said, so aggressively between companies, but it is maybe quite aggressive inside your company, looking to spread laterally through your organization.

And that could have jumped it to other countries. Hence, we saw attacks in the UK, in Australia, in Spain, and so forth.
CAROLE THERIAULT
So do we know— sorry, I haven't read a lot about it as being on holiday. So do you know how it spreads? How does it spread?

Does it spread via network once it's infected a particular machine?
GRAHAM CLULEY
Yeah, so it can find other computers on the network which it can try and infect. It can exploit vulnerabilities in order to spread as well. But so like WannaCry?

So yeah, but this initial infection is the thing which is the mystery. And some people were speculating maybe it was via email attachment.

So people were posting, "Be careful about clicking on—" But there's nothing really that being found on any scale yet.
CAROLE THERIAULT
There's all these people looking, right? We'll find out soon.
GRAHAM CLULEY
Hopefully. Certainly this story about maybe a dodgy software update, that's tantalizing to me.

That's interesting, 'cause that would be an effective way of infecting a lot of computers, seeding malware very quickly if you were able to. To infiltrate something like that.
CAROLE THERIAULT
Do you think it was a question of having maybe less secure code within the update that allowed it to be able to carry a piece of malicious code?

Or do you think it was actually— you don't know yet, but I'm asking you to guess. This is what pundits do, isn't it?
GRAHAM CLULEY
Well, who knows? My guess is that maybe there wasn't sufficient digital signing on the updates to check that they had actually been approved. Maybe they'd been meddled with.

We don't know what the security was like at that company, or even if that company yet— I don't know if they were the ones to actually push out a dodgy update or not.

The good news is that there is a way of protecting your computers other than obviously an antivirus update and patching and so forth.

And that is you can create a file called PERFC with no extension. The guys at Cybereason, they blogged about this.

If you put that in your Windows folder, the ransomware, when it tries to start encrypting your files, it looks for that file, and if it's there, it won't encrypt your file.

So it's a good way of inoculating a single PC, but of course it won't stop the malware from spreading to other computers as well.
CAROLE THERIAULT
So this is an empty file just with that name?
GRAHAM CLULEY
Yeah, that's right, P-E-R-F-C. And we're putting a link in the show notes where you can read some more of all about that. Cool.

So the big question is, are the criminals making any money out of this? And the answer seems to be, well, David, I think you looked into this a bit.

That doesn't look like they're going to have very much success, are they?
DAVID BISSON
Yeah, from what I've seen, well, I guess they're following the tradition of WannaCry in a way because they didn't really make a lot of money from this either.

From that attack, they, I believe, sent victims to one of four bitcoin addresses as far as payment.

So they weren't able to track incoming payments as well as they should have if they wanted to make money.

So that basically then victims, when they paid the WannaCry attackers, the attackers never knew then who had paid. So it was just a mess in that sense.

Now, with Petya, it's a little bit different in that it seems like there's a manual payment validation where you have to send a proof of payment email to the attacker saying that, okay, yeah, I paid.

Here is, I guess, a screenshot or something.
CAROLE THERIAULT
And you get to validate your email address the same.
DAVID BISSON
Yeah, I know. It's perfect. Include your Social Security number and your address and everything.

So obviously, I mean, that makes it hard because then potentially you'd be getting hundreds, thousands of emails and that takes time.

But there's also this thing that happened where an email provider discovered that the address that was receiving basically proof of validation of payment, that email provider discovered that they were hosting that email for the attackers.

So they pulled the plug. Right. And that means that anyone who sends them proof of payment can no longer receive the decryption key.

So at this point, then it's basically, victims are out of luck if they were hoping to pay the attackers and if they didn't have any other backup mechanisms in place.

Let's hope that they did.
CAROLE THERIAULT
And there's no— as we've seen before, there is no guarantee that if you pay, it's all going to go smoothly and everything's going to come back and it's like it never happened, right?
GRAHAM CLULEY
Of course, of course. Now, this email provider, that was Posteo. They're a German sort of privacy-focused email supplier, aren't they?

I think it's quite interesting that they did that because I certainly hope that they worked with law enforcement before shutting down that email address because obviously it could be inconvenient to victims who may want to try and pay.

I mean, whether you think it's right or not, it's a bit of a nuisance to them, isn't it? Because now that option has disappeared from them entirely.

But potentially there might also have been opportunities for the authorities to monitor that email address and maybe gather more information about who might have been behind it.
CAROLE THERIAULT
You make a really good point, right? Because you have to act fast in all this.

So, you know, you were complaining earlier that we don't have the naming and people worrying about all that.

It's because it's brand new and people are running around like headless chickens just to try and find out what this thing's doing, who's infected, how do we stop it?

And I can imagine that sounds like a very good idea. Stop the emails, right? Right at the beginning, shut it down. Shut down the email address would be a really good first idea.

But as we were hearing, it could be very difficult.

And would you, you know, maybe companies need to think about getting a policy together, you know, a security policy if this happens.
GRAHAM CLULEY
What's the protocol?

Well, in fairness to them, I think many of these email providers do have terms and conditions where they say, if you use our service for any criminal activity, we will shut down your account.

Yeah, so it's almost like an automatic process.
CAROLE THERIAULT
No, it's not a legal thing, right? It's not a legal thing.
GRAHAM CLULEY
But of course, it becomes more complicated, doesn't it? Because potentially, that might have been useful. I don't know.

So I don't know whether they worked with the authorities before shutting it down or not, but maybe it would actually have been handy to keep it up.

I always notice how some of these hacking gangs have Twitter groups, for instance, which seem to survive quite often for a long time without Twitter shutting them down.

And I've always been curious as to whether that's actually at the behest of law enforcement who may be trying to gather information about those groups and observing if anyone ever logs in without taking necessary anonymization efforts beforehand.
CAROLE THERIAULT
Mm. So we have to remind everyone what they need to do because we've seen this many times. So what are the rules?
GRAHAM CLULEY
Ransomware isn't new, right? So you need to back up and you need to patch. Oh, and you need to back up and you need to have a layered defense. Oh, and you need to test your backup.

And after that, you need to back up.
CAROLE THERIAULT
Maybe Pavlo Rozenko was having a backup, which is why he was laughing during his tweeting of pictures.
GRAHAM CLULEY
Oh, I was very impressed by your accent there, Carole.
CAROLE THERIAULT
Oh, well, I don't show off as often as you.
DAVID BISSON
And let me just say too, please stop clicking on malicious attachments. Just if there's something wrong with the email, just delete it.
CAROLE THERIAULT
Well, hey, you know what? I have a— Yeah, okay, I get that. But have you guys seen— So I use Gmail.

And have you seen it now offers you kind of automated, an option of automated responses if you're busy?

So Graham, you emailed me yesterday about the podcast, and I could just click buttons saying, "Thanks for the update." Right? And you know— suitably generic.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Basically meant, "I haven't read this, Graham." But you know, we used to always give advice, like if the email is worded too generically, or if there's, you know, if it doesn't sound like the person that you've emailed, don't, you know, open the, you know, don't read or don't open an attachment.

But somehow this automated system kind of reverts that, you know, you won't be able to see so much, right?

You're just going to get these automated responses that, you know, you won't be able to read through. And I think that could work to the criminal's advantages.
GRAHAM CLULEY
Okay, wise words. Well, David, what's your topic this week? What have you got for us?
DAVID BISSON
All right, so I found this one story. It has to do with the Australian driverless vehicle initiative. So obviously driverless cars are in the news recently.

They're becoming more of a reality. Lots of different companies are developing this technology, testing it.

But this one initiative in Australia has some national quirks that it needs to work out just because of the nature of Australia and what its transportation system has to deal with.

So I guess they're working right now on trying to program the vehicles to recognize unsealed roads and unmarked highways.

And I guess I didn't know that this was a thing in Australia, but they have these huge trucks, if you will, called road trains.

Where it's these barreling 3 or more trailers, and they're 53 meters long. And these things are huge. I've never seen them in person.
CAROLE THERIAULT
And they go fast. They really move. You get out of the way.
GRAHAM CLULEY
So it's a regular big articulated lorry. But think mammoth.
CAROLE THERIAULT
Big, big, big, big, big. And there's 3 or 4 trailers behind it.
DAVID BISSON
They're actually trains in a way. They're just not running on rails. Yeah, oh, goodness. So there's all that going on.

But the interesting thing is that there's also a problem of local fauna. As it turns out, these cars are having a very difficult time accurately detecting kangaroos.

So what happens— I know it's weird. So what happens is that these cars use the ground as a reference point to detect distance.

Okay, so when the kangaroo's on the ground, it's fine. It can say, okay, well, that kangaroo is whatever, 50 yards away.

But when it's in mid-flight, I guess it looks further away than it actually is. But when it lands, it's closer. So that, I guess the distance is constantly changing with a kangaroo.

So there's the risk that you can't detect it accurately, and that it'll hit the kangaroo and then put the driver in jeopardy.
CAROLE THERIAULT
Yeah, and totally screw up the system.
DAVID BISSON
So the car—
CAROLE THERIAULT
God knows what the car's gonna do when it goes, "Whoa, you're way closer than I thought!" Yeah, so it's a perspective thing.
GRAHAM CLULEY
Because it's up in the air, the car sees more road beneath, and it assumes that it's further—
DAVID BISSON
And it thinks, "My God, that's a really big kangaroo, but it's a good distance away." So you have to wonder, it's if the ground and this being in the air of the kangaroo is a problem, does that apply to say someone who could be running and they're in midair?

If a kid is jumping rope, would it produce the same effect? Or on a hoverboard?

Yeah, and you figure that— I mean, I know that a couple of different companies are developing flying cars and they're saying that there is going to be maybe in the air by 2020.

We'll see if that happens. Pogo sticks? Pogo sticks. Yeah, space hoppers.

As we get more and more into the air with our vehicles, then what can— can these flying cars, as they're calling them, drones, be pilotless drones?

Could those be— I don't know, it's an interesting dilemma that seems it could apply to other initiatives besides Australia's. It's how are they going to deal with this problem?
CAROLE THERIAULT
Wow. I bet they chose Australia, 'cause they're like, "Well, there's not that many people there.
GRAHAM CLULEY
It's not gonna be that many accidents." So what is the Australian Driverless Vehicle Initiative? What are they doing about this?

Are they putting sort of fake kangaroos on pieces, on rubber bands, and dangling them in front of cars to sort of mimic?

'Cause you don't want to make it, you don't want to have an accident, right? You don't want to crash into a real kangaroo.
CAROLE THERIAULT
Maybe they're testing it with a bunch of bungee ropes, dummies on bungee ropes, where they can just kind of be popping and bouncing around, and then try and drive the car through a crazy course to see who gets hit and who doesn't.

I'll give that away as a possible experiment they can use.
GRAHAM CLULEY
This is bonkers, isn't it?
DAVID BISSON
Yeah, I don't— apparently, well, this isn't just driverless cars either. In Australia, apparently there are 16,000 collisions with kangaroos a year.

So even with drivers behind the wheel, kangaroos are still a traffic hazard. So it seems more of a kangaroo problem than a driverless car problem.

I mean, they have to figure out what can we do about kangaroos?
GRAHAM CLULEY
I see where you're going. I see. Yeah, nice one. No, nice one, David. You're blaming the kangaroos. You're saying blame the kangaroos. That's what you're saying.

You want to have a kangaroo cull.
CAROLE THERIAULT
How high do kangaroos actually jump? I guess it's not— you know, that's probably the reason you don't actually have fences on the sides of the roads, right?
GRAHAM CLULEY
Depends how nicely you ask them.
DAVID BISSON
Well, I mean, what I think— I mean, you see other countries doing this, how they have these Animal Crossing pathways that go either over the road or underneath the road or something like that.

Maybe Australia could start to incorporate that kind of infrastructure so that there'll be less collisions.

I don't know if that's feasible because it seems like this is all over the country, so that would be a huge project to undertake.

But it seems like they have to do something about kangaroos and then they can worry about the driverless cars.
CAROLE THERIAULT
But it makes you think, right, of, you know, this is just one country's, you know— I mean, other things hop. Yeah, right. Including Graham on his pogo stick. Exactly.
GRAHAM CLULEY
Thumbnail picture for the podcast. I do believe we have some listeners down under. We do. We definitely do. Yeah.

So if you are one of these poor Australian listeners who's afflicted by kangaroos hopping around and you're worried about your driverless cars, why not tweet us or send us a message and tell us what you think should be the solution to this problem?

Because it sounds like a serious topic for concern. So Carole, finally, we're over to you now. What have you got for us this week?
CAROLE THERIAULT
Well, I am going to talk about Amazon's new device, the Echo Show.

So for $229, you can get all the things you love with Echo, but now they've added a 7-inch video screen that's always on.

So welcome to your always listening, endlessly personalized world, and to hell with the teeny tiny scraps of privacy you still enjoy.
GRAHAM CLULEY
Exactly. As if you weren't happy enough that Echo was listening to you all of the time. Now it can see you. Now it can see you as well.
CAROLE THERIAULT
Oh, just wait. It's just— I did a bit of research this morning. It blows my mind.

So people like Echo because it does things like create shopping lists, or it sets kitchen timers, or it can play music, turn on the lights.

And now with the screen, you can now watch movies, or how-to videos from YouTube, or get a recipe and follow it.

Because I guess before, if people did recipes on Echo, you'd have to read it out to you and go, wait a minute, what was that again? Can you repeat that?

So now you can actually read it, right? But I kind of think, couldn't we do this with phones and tablets before? All this stuff seems a bit— anyway.

And also, these are menial tasks. Like a car, we're talking about cars. Cars get you from A to B, right? So a car can save me from having to walk 100 miles to go see my gran.

Providing there's no kangaroos. Yes, exactly. So it's dangerous, but it gets me there.

But, you know, an always available device so I can speak rather than write down my shopping list? Just seriously, it just doesn't seem the trade-off's there for me.

However, loads of companies are loving all the Echo stuff.

So there's companies like Ring and Arlo and Nest and August and Logitech, and they're all creating Alexa skills, you know, take advantage of the new functionality of the Echo Show.

So let's talk about the new feature, the brand new big feature of it. And this is called Drop In.

So I'll start off by saying, and you'll get where I feel about this, it's fortunately disabled by default.

But when it's activated, when it's activated, it lets you select people who you can remotely activate your Echo Show's camera and drop in without even needing to pick up the call.

Okay, so this is called instantly connecting to one of your Echo devices for a chat with anyone with the app on their device. So if Graham—
GRAHAM CLULEY
Okay, yeah, so imagine I have an Echo Show. Let's imagine I have an Echo Show.
CAROLE THERIAULT
Yeah, right, and we've decided to say, yeah, we want drop-in and I'm one of your contacts, right?
GRAHAM CLULEY
Right, okay. As if, as if, right.
CAROLE THERIAULT
Yeah, right, okay. Right, so we have that set up and I can go on my iPhone and get the app and kind of say, "Call Graham," and it will instantly go to your camera, right?

So for the first few seconds after dropping in, it will show a frosted glass effect on my end, right?

So I guess if you're all nude or having sexy times or whatever, you have a few seconds.
GRAHAM CLULEY
In my kitchen. That's right.
CAROLE THERIAULT
Well, hey, why not? Why not in the kitchen?
GRAHAM CLULEY
That's good enough for Mickey Rourke and Kim Basinger, wasn't it? Maybe that's the whole thing.
CAROLE THERIAULT
Maybe Amazon is sick of people doing sexy times outside the bedroom, so it's forcing you back in here. But it gives you a few seconds to scramble out of the way.

Or you can actually say, please don't activate the video camera now, just voice please, so we can just listen to you rather than watch you.
GRAHAM CLULEY
Which is going to be suspicious, isn't it? Yeah, that's romantic. Sometimes it's kinkier to listen, isn't it? I don't want to see anything. I'd love to hear it though.
CAROLE THERIAULT
I was reading one article where a reviewer was reviewing this, and he came down and his wife had turned it around and he was like, what'd you do that for?

She goes, it's creepy, I'm doing my yoga. Right? Because it can detect when you're in the room.

So it never gets turned off, but it kind of goes to sleep, whatever that means, when it doesn't detect, it doesn't hear anyone or doesn't see anyone.

But if you're around, it kind of is there in waiting mode, waiting for instruction. Waiting for you to buy more stuff from Amazon.
DAVID BISSON
If you don't want to be detected, then do you have to turn off all the lights and just move very slowly?
CAROLE THERIAULT
Some guy tried and it didn't work. He brought it into his garage, turned off all the lights. I put the link into the show notes. I can't remember which reviewer did it.

And he didn't move it and it still knew it was there.
DAVID BISSON
How does it sleep then? I mean, to what degree do you have to go to unplug it?
CAROLE THERIAULT
Some people actually complain. There's your answer. Some people complain the display is really bright even in quiet mode. You can never turn off the screen so it's black.

It kind of darkens, but it's never black. Now here's the other big thing with this drop-in feature, right?

If you decide to activate drop-in, Amazon will then want to access all of your contacts so it can find which contacts have...

So it can snuffle up all that information without, for example, I may be on Graham's phone without anything to do with Amazon Echo, and yet it still has all my information because Graham's talking from my contacts.
GRAHAM CLULEY
I'm sure that's entirely innocent on the part of Amazon. I'm sure it is. They don't have any ulterior motives in collecting details like that.
CAROLE THERIAULT
I do have a good tip though. This is from one of the Redditors.

He said that he set up his Echo— I always forget the name— Echo Show with a Google Voice number to avoid having to share contacts with his device. So this is David Silver.

He said, "I use Google Voice to get a free number and set it up on my iPhone. I never enabled contacts and the intercom works like a charm." So that's using the app, I believe.

So apparently this is only available to US users.
GRAHAM CLULEY
Yeah, Google Voice isn't available in the UK, I know that.
CAROLE THERIAULT
Yeah, apparently it's maybe only available in the States, but that may be a way to get around it if you don't— if you really, really want one of these crazy devices in your house.
GRAHAM CLULEY
You've still got this problem. I mean, I'm not overly concerned about these devices being hacked.

I mean, okay, so maybe that is an issue going down— Well, that might be an issue going down the road, right?

I dislike the idea of a camera constantly being on you on an internet-enabled device because maybe it could be hacked.

And clearly, if these things became really mainstream, it is something which bad guys might target.

But more than that, the thought of anybody being able to open up a camera stream to my house, even if they are a friend of mine, without me saying, "Yes, that's fine." Because it's just connecting.

There is the onus upon the poor person who's having someone drop in on them, having to quickly say, "No, what's happening?" Okay, so imagine this.
CAROLE THERIAULT
Yeah, imagine this, right? You have just stuffed your face with a big slice of pizza. I call you up, you can't respond because your mouth is just—
DAVID BISSON
Tuesday nights at Graham's house.
GRAHAM CLULEY
Yeah, right. It's an implausible scenario.
CAROLE THERIAULT
Graham's mouth is completely full. He's like, "Ah!" And Alexa's like, "Great." And then I get to see it. I take a picture of it and then post it on Twitter.
GRAHAM CLULEY
That's what friends are for.
CAROLE THERIAULT
Now, what I find really ironic about all this is there's loads of security companies who are trying to jump on the bandwagon.

So, right, show me the front door or show me the basement if you think there may be an intruder or you think something's going on.

But isn't it weird that they're using a device that's basically completely eroding privacy and security digitally in order to do so?
GRAHAM CLULEY
You know there's an Amazon Alexa skill for Smashing Security. So we've actually— if you say to your Amazon—
CAROLE THERIAULT
When you say we, you mean you did this on our behalf?
GRAHAM CLULEY
So if you tell your Amazon Echo, what's the latest Smashing Security or listen to Smashing Security, it'll do it all. You know that? All right.
CAROLE THERIAULT
So you bitch about these things.
GRAHAM CLULEY
You bitch about these things.
CAROLE THERIAULT
Things, then you try and take advantage.
GRAHAM CLULEY
We are basically doing that as well.
CAROLE THERIAULT
So some people actually think that they're targeting— what I found also weird is, you know, so I was reading all the fine print and I went into the FAQs for this, you know, Echo.

I can't remember the name. Echo Show. Echo Show.
GRAHAM CLULEY
Like Echo and the Bunnymen, but with a show.
CAROLE THERIAULT
And there's really very little about security, really incredibly little.

And someone suggested that perhaps they're trying to target a more, you know, an older population with this because they're finding— I certainly know from my experience working with my, you know, my parents and stuff that it's, you know, it can be difficult, the interoperability between the systems and the apps and making sure everything works.

So, and maybe by not, maybe the whole strategy here is by not talking about security, it doesn't even come to mind and people don't discuss it.

'Cause there's a lot of articles about this, reviews that aren't really going into the security elements of this at all.
GRAHAM CLULEY
You see, I think for some people, this might be quite a cool device because it does sound like it would be an easy way to do a FaceTime-like video chat with other people in your family.

And that would be lovely, wouldn't it, for people who are maybe slightly technology averse to use something which is completely voice activated rather than a user interface where they have to know what to click in order to do it.
CAROLE THERIAULT
I have a better one. This is the only thing that I thought, actually, this is really useful.

Say you have a much older relative and you're worried about them living on their own at this stage.

What a great thing to be able to— For example, my grandmother, before she passed, she fell and she was lying there for 24 hours in her apartment before, you know, until our next visit.

And it was awful, she couldn't get to the phone. So this may be able to save those kind of situations really well.
GRAHAM CLULEY
But even then, could Amazon not have had voice-activated approval for the connection? So it could have said, Carole is trying to ring you, Carole is trying to ring you, Grandma.

Say yes to accept. And Grandma could have said, yes, connect. Whereas this will just open up, furthermore, Carole, it's horrible what you're saying, you know, that sort of scenario.

But these particular devices, they aren't going to be located on the floor. They are angled upwards. They typically sit at sort of waist height or higher.

They're not gonna see someone who's fallen on the floor anyway, are they?
CAROLE THERIAULT
Yeah, no, but they might be looking—
GRAHAM CLULEY
Yeah, that's true. They're pointed at the ceiling.

They're seeing that rather, you know, that ugly unattractive thing where you can selfie yourself, you get all your double chin and your neck and all the rest of it in.

That's the kind of angle which these devices are using.
CAROLE THERIAULT
I know it's weird, and it's weird that they're so static, you know, because you think, why would people want this over— I use my iPad all the time, right? I do a lot of cooking.

I bring my iPad in for whatever reasons, right? But I'd be able to take it in and out. And I like that flexibility.

Maybe Amazon just wants to sell more devices, sell their Echo Dots so you can go around the home. Maybe.
DAVID BISSON
And I mean, you say waist-high height. I mean, I think of just kids. What if the kids are in the room and it's just— I'm going to go off on a tangent for a second.

So you have to wonder what do these kinds of devices— and we won't know this for years, but say that you're a kid and you're growing up in this house where these devices are always listening to you and now can always see you.

What— even besides protecting your information and trying to keep your life private— what does that mean for you as an individual becoming you when something is always watching?

The home is supposed to be the ultimate source of privacy where you can develop and form your own conception of yourself.

And now this— that just seems entirely possible if the only way that you can shut off this device is literally to unplug it.

So it just seems like it's damaging for our self-concept and then what does that mean for us going forward as far as advancing society and being different, having plurality in the world?
CAROLE THERIAULT
And think about even dating, right? You're dating this guy, you decide, yeah, let's go on Drop In, we're buds.

Oh, it's not working out anymore— do you have to go locate them and take them off while they call you repeatedly, giving you their endless love?
GRAHAM CLULEY
I can tell you're there. I can see you hiding.
CAROLE THERIAULT
And poor— I have a friend who's named Alexa and I'm— oh gosh. For real. I wonder why they chose that name.

I wonder if it's one of the names that was least popular but easy to say in the Western world.
GRAHAM CLULEY
I don't know. But she's gonna have to change her name to Uber or something like that. As simple as that, right? Okay, I think we've got to that. Carole, we better do our sponsor slot.
CAROLE THERIAULT
Yes, we should.
GRAHAM CLULEY
And thanks again to our sponsors this week. Rapid7, the company which decided that Rapid4, Rapid5, Rapid6— well, who likes 6 that's rapid? They weren't good enough for them.

Now they call themselves Rapid7. Identifying, prioritizing, and managing vulnerabilities all the way through to remediation isn't only possible, it can be simple right now.

Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started today with your free 30-day trial at www.rapid7.com.

And thanks again to Rapid7 for supporting the show. Okay, welcome back to the show. And it's time for us to choose— it's our favorite part of the show. It's the pick of the week.

Pick of the week.
CAROLE THERIAULT
Pick of the week. Come on, David.
GRAHAM CLULEY
David, pick of the week. So my pick of the week this week is a podcast by—
CAROLE THERIAULT
Mine's a podcast too.
DAVID BISSON
Oh, I feel so good. I didn't choose a podcast.
GRAHAM CLULEY
Oh, is it? Mine's a better one, I'm sure. Okay. My podcast is called Malicious Life, and it's a brand new podcast by a guy called Ran Levi.

And it looks at all about the origins of cybercrime, its early roots, all the way through to the modern crime ecosystem.

And along the way, he's going to cover ransomware, of course, and Stuxnet. And he's got an upcoming episode tackling the Dark Avenger.
CAROLE THERIAULT
I thought we decided the Pick of the Week was gonna be about things outside security.
GRAHAM CLULEY
I think we said it could be security related.
CAROLE THERIAULT
Oh, interesting, interesting, interesting. I think I'll go back and listen. All right.
GRAHAM CLULEY
You can have this one. Okay. Anyway, funnily enough, Ran actually interviewed me for the podcast.
DAVID BISSON
Little shameless plug here.
GRAHAM CLULEY
And the first episode had come out this week. I think another episode is coming out this week as well. Should all be a good thing.

And I think after that, there'll be a new episode every two weeks.

And I was just thinking, if you like the Smashing Security podcast, you might want to try out Malicious Life as well, because there'll be some good old stories of good old days of malware and what's going on out there.

And I like his style. So links in the show notes. And that is my pick of the week.
CAROLE THERIAULT
Cheating, cheating pick of the week. Self-promoting pick of the week.
GRAHAM CLULEY
David, what's your— Pick of the week.
DAVID BISSON
My pick of the week is really an event more than it is a thing. I guess this week marks the 50th anniversary of the ATM. Oh, so it's been around for 50 years.

But before you break out the noisemakers, so it's as old as Graham. Doesn't seem like the ATM is going to last for much longer.

Lots of people in the industry are saying, well, you know, with mobile payments and digital banking, we probably aren't going to see ATMs make it to their 60th anniversary.

So just the way society— whatever, whatever.

That's what they're saying, that more and more people are becoming hesitant to use cash and that we're just moving into the direction of a completely cashless society, thereby nullifying the need for an ATM.

So we'll have this cash. Do you love cash? Gas is cheaper with cash.
CAROLE THERIAULT
Yeah, right. Cash. Do you carry cash still? Seriously, are you a cash-carrying kind of individual?
GRAHAM CLULEY
Not as much. My wife tends to have a lot of cash, I've noticed. I don't tend to have as much.
CAROLE THERIAULT
Oh, I like having cash because then you're not being tracked every time you buy anything, right? You can just go pay for something with cash. I'm a big— I'm a cash fan.
DAVID BISSON
You can do it anonymously.
CAROLE THERIAULT
If anyone wants to send me any cash, I'm happy to get it.
DAVID BISSON
Can we get a link for that? Cash is pretty cool.
GRAHAM CLULEY
It's a bit like bitcoin, really, isn't it?
CAROLE THERIAULT
Exactly. Exactly. Yeah.
GRAHAM CLULEY
Without as much grubbiness associated with it. Yeah. It's all right.

Now, I have a fascinating fact about ATMs, which I happen to know, because I was reading an article about ATMs the other day. Okay. And you said, it's the 50th anniversary.

The world's first cash machine was opened or displayed in Enfield in London, which is a slightly unusual location.

But the interesting thing was that they had a celebrity come along to use it.

And this, I'm afraid, won't mean much to anyone outside of the UK, or indeed anyone who's under the age of 45. But the celebrity was Reg Varney from the ITV sitcom On the Buses.

So maybe I'll put a link in the show notes.
CAROLE THERIAULT
David and I, whoosh, right over our heads.
DAVID BISSON
Yeah, exactly. Because we're young and hip.
GRAHAM CLULEY
On the Buses was a rather sort of salacious and sexist sitcom about two geezers who— there was a driver and a conductor on a bus who'd drive around and sort of pull dollybirds.
CAROLE THERIAULT
And so we had sexual harassment in the video as well.
GRAHAM CLULEY
Probably. Well, no, it's not harassment. It was just, it was the '70s. It was just sexism. Oh yeah, who cares? Good old-fashioned sexism. But anyway, Reg Varney, really bizarre choice.

And I thought that might tickle some memories for people. Can I add another fact? Yes, please do.
DAVID BISSON
Please do.

Apparently, well, when the first ATM was created, this might have been after what you're referring to, Graham, but when they were created, tellers, human tellers hated them.

So what I heard is that lots of tellers would go out at the beginning of the day to where the ATMs were located and would pour honey on the consoles to render them useless because I guess they were very finicky back then where if one component failed, the entire machine wouldn't work.

So this went on for a while, but of course technology picked up and improved and then they just spread everywhere. But interesting.
GRAHAM CLULEY
I thought you were gonna say that there'd be a huge swarm of bees come towards the ATM. Well, that is also a deterrent. Drive away ATM users.
CAROLE THERIAULT
It's a good way to get, you know, for job security, just destroy the machines.
DAVID BISSON
Or you could say, "ATMs, they're sweet." Oh.
CAROLE THERIAULT
He worked on that, and that's better than any joke you've done.
GRAHAM CLULEY
That was the whole point. Yeah, you know what?
CAROLE THERIAULT
How dare you, Graham? We have had to listen to so many bad jokes. We're not even going to go back to the LastPass.
GRAHAM CLULEY
Don't do it. Don't do that one. Don't do that one. Okay. Thank you, David, for your pick of the week. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, mine's a podcast and mine's a podcast that's not about security. It's called The Bright Sessions. Now, I have just been on a flight over, flying around for the last week.

So, I snarfed about 30 shows during that time. And I'm completely addicted.

So, it's called The Bright Sessions and it's a sci-fi audio drama about people with supernatural abilities in therapy.

And you're like this fly on the wall listening to the therapy session. It's great. I just, I love it. It's created by Lauren Shippen, and it's been going since 2015.

So it's not brand new, which is also great because it means you have a huge backlog of shows to catch up on, which is one of my favorite things when you find a great one and there's a nice backlog.

So every show is about 15 to 40 minutes long, and it's fly-on-the-wall style, you're eavesdropping.

But from early on, you get the feeling that the therapist might have ulterior motives, right? And hints of what was going on are dribbled out really slowly.

And it makes for very compelling listening, which is why I watched.
GRAHAM CLULEY
And you said this is a sci-fi podcast?
CAROLE THERIAULT
Yeah, it's kind of a sci-fi podcast. Supernatural? Supernatural, yeah. They have supernatural— Yeah.

But it's also for anyone who likes all that, "God, I would love to be listening to a therapy session," because they actually do have a consulting therapist who's helping them with it.

So it seems pretty real. And the script is good. The acting's solid. The cast is great. And the story's all twisty-turny. Hooked. So I wanted to share that with all of you guys.

So perfect for your flights during summer holiday, you know, season. Okay.
GRAHAM CLULEY
So the Bright Sessions, we'll put a link in the show notes where people can find out more. Super. Well, thank you very much, Carole, for your pick of the week.

And thank you, David, for joining us. It's been a pleasure having you on the show. That just about wraps it up. Thanks everybody for tuning in.

If you like the show, tell your friends, let us know what you think. Maybe even give us a 5-star review on iTunes. Don't give us a 4-star review or a 3-star review. I'm happy with 4.
CAROLE THERIAULT
I'm happy with 4. Really? Yeah.
DAVID BISSON
I'm happy to be here at all. You know what?
CAROLE THERIAULT
It was great having you on the show, David.
GRAHAM CLULEY
You're a natural. It was indeed. And until next week, toodle-oo, bye-bye. Au revoir.
CAROLE THERIAULT
Bye.
DAVID BISSON
I'll tell you what, mate, that put me right off of jelly deals. Oh, shut up, you stupid idiot!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
