
Oops! I auto-filled my password into a cookie banner

Episode Transcript

[SPEAKER_01]: Some people do have strong passwords, but they've only got one.

[SPEAKER_01]: Maybe these don't, no, I can't say no more Nick.

[SPEAKER_01]: Menomic, yes.

[SPEAKER_01]: Menom, menom.

[SPEAKER_00]: Smashing security.

[SPEAKER_00]: Episode four hundred and thirty-two.

[SPEAKER_00]: Oops.

[SPEAKER_00]: I auto-filled my password into a cookie banner, with Graham Cluley.

[SPEAKER_01]: Hello, hello, and welcome to Smashing Security, Tom.

[SPEAKER_02]: Thank you very much.

[SPEAKER_02]: It feels like it's been forever, but I know it hasn't.

[SPEAKER_01]: Well, not forever, but it's been a while.

[SPEAKER_01]: It's been a while.

[SPEAKER_01]: Yeah.

[SPEAKER_02]: Everything going well with you and the Host Unknown podcast?

[SPEAKER_02]: It's going very well.

[SPEAKER_02]: We're on episode two hundred and twenty four or something like that.

[SPEAKER_01]: It is astonishing that you've kept going all this time.

[SPEAKER_02]: It's astonishing that we've not been taken off.

[SPEAKER_02]: I find it astonishing as well, but maybe for different reasons.

[SPEAKER_01]: This week on Smashing Security, we won't be talking about how a researcher downloaded the data of over a quarter of a million Intel employees from an internal business card website, in a breach dubbed Intel Outside.

[SPEAKER_01]: You'll hear no discussion of how distraction, lack of training and burnout, not technical complexity, are the factors driving most breaches.

[SPEAKER_01]: And we won't even mention how the governor of Nevada has warned that state offices are closed, websites offline, and phone lines up the Swanee, following a suspected ransomware attack.

[SPEAKER_01]: So Tom, what are you going to be talking about this week?

[SPEAKER_02]: So I'm going to be talking about quantum and legacy like twenty years in the past and twenty years in the future, all in the same show.

[SPEAKER_01]: And I'll be describing how autofill can become auto-theft.

[SPEAKER_01]: All this and much more coming up in this episode of Smashing Security.

[SPEAKER_01]: Now, Tom, passwords are an absolute bloody nightmare, aren't they?

[SPEAKER_01]: A real nightmare, wouldn't you agree?

[SPEAKER_02]: This is the year of passwordless systems.

[SPEAKER_02]: I'm sure of it.

[SPEAKER_01]: Well, hang on.

[SPEAKER_01]: I know we've been saying that for a while.

[SPEAKER_01]: Not just you, I think everybody's been saying that for a while, it'll be the end of passwords, but they still seem to linger on, don't they?

[SPEAKER_02]: It's like this year being the year of the Linux desktop.

[SPEAKER_01]: I cannot be the only one who's waking up in the middle of the night in a cold sweat.

[SPEAKER_01]: Not the male menopause, but worrying instead.

[SPEAKER_01]: Oh, my Netflix password.

[SPEAKER_01]: What is it?

[SPEAKER_01]: Is it password one two three?

[SPEAKER_01]: Is it one two three password?

[SPEAKER_01]: Is it password one two three four?

[SPEAKER_01]: It's like, oh, what could it be?

[SPEAKER_01]: It happens to men of our age, doesn't it Tom?

[SPEAKER_02]: It does.

[SPEAKER_02]: It does.

[SPEAKER_02]: As does waking up in a hot sweat, but that is the male menopause.

[SPEAKER_01]: And that is not the male menopause.

[SPEAKER_01]: And that is one of the reasons why we strongly recommend people use password managers.

[SPEAKER_01]: They remember your password for you.

[SPEAKER_01]: So your puny human brain.

[SPEAKER_01]: I'm not looking at you, Tom.

[SPEAKER_01]: Your puny human brain doesn't have to remember it.

[SPEAKER_01]: So, password managers are really good for remembering your password if your memory's shot.

[SPEAKER_01]: They're also really good at generating strong unique passwords which is of course what you really should be using because it's a disaster if you use the same password or something similar over and over and over again.

[SPEAKER_01]: Or if you have one really strong password that you've memorized. Some people do have strong passwords, but they've only got one.

[SPEAKER_01]: Maybe if you don't know, I can't say no.

[SPEAKER_01]: on it.

[SPEAKER_01]: Yes, give up.

[SPEAKER_01]: Yes, give up.

[SPEAKER_01]: It may be you.

[SPEAKER_02]: Mnemonic.

[SPEAKER_01]: Maybe you've memorized some method.

[SPEAKER_01]: Your weird crazy gibberish password.

[SPEAKER_01]: But you then use it.

[SPEAKER_01]: Everything.

[SPEAKER_01]: And that's daft, because all it's going to take is one data breach.

[SPEAKER_01]: And the bad guys are going to have your password.

[SPEAKER_01]: And they'll be able to unlock your entire online life and terrifying consequences.

[SPEAKER_02]: Well, it's also something else as well, isn't it?

[SPEAKER_02]: Because it's also down to the sites that you use it on.

[SPEAKER_02]: And if that site is not storing it correctly.

[SPEAKER_02]: Yes, it might be a data breach, but under normal circumstances, it would take the attackers a decade to break your password if it's encrypted, salted, hashed, bcrypted, all that's good.

[SPEAKER_02]: But if the site you're using it on is a bit duff.

[SPEAKER_02]: Then it could be being stored in plain text or with a really poor encryption.

[SPEAKER_01]: It could be, it could be, and just the name of the site, which if they found out the name of the site that you might have an account on, that might reveal something about you, which maybe you wouldn't want known to hackers and criminals and blackmailers and all sorts, basically.

[SPEAKER_01]: Very true.

[SPEAKER_01]: Ashley Madison proved that.

[SPEAKER_01]: There you go.

[SPEAKER_01]: So use a password manager, people, that's our message, right?

[SPEAKER_01]: Use a password manager.

[SPEAKER_01]: And password managers can help prevent phishing attacks.

[SPEAKER_01]: They look at the domain that your web browser is visiting and they won't offer to enter your password unless you're on the real website.

[SPEAKER_01]: So if you go to Lloyd's bank, it's only going to offer to enter your Lloyd's bank password if you are on the Lloyd's bank domain.

[SPEAKER_01]: Yep.

[SPEAKER_02]: It can be a pain sometimes because not all websites, again, down to the quality of the sites you go to, maintain a strictly consistent domain format, but you can also add in aliases.

[SPEAKER_01]: Yes, but you have to do that manually.

[SPEAKER_01]: Into your password manager, absolutely.

[SPEAKER_01]: So you can say, all right, I do want it to work on this particular domain as well.

[SPEAKER_01]: So, if you go to dodgybank.com, rather than bank.com, it shouldn't offer to fill in your password for bank.com.

[SPEAKER_01]: So we all love password managers.

[SPEAKER_01]: We love them.

[SPEAKER_01]: We love them.

[SPEAKER_01]: We love them.

[SPEAKER_01]: They're fantastic.

[SPEAKER_01]: Absolutely.

[SPEAKER_01]: But unfortunately, some of them can still be tricked into helpfully handing over your passwords and other sensitive information, such as your credit card details, to the bad guys, to the cybercriminals.

[SPEAKER_01]: And that is what my story is about today, because a security researcher from the Czech Republic called Marek Tóth described at the DEF CON security conference this month how, if you have a browser-based password manager extension, like those available from 1Password, LastPass, Bitwarden and NordPass, et cetera, et cetera, ad nauseam, how those extensions can be tricked into coughing up your secrets.

[SPEAKER_01]: And handing them straight to the bad guys.

[SPEAKER_01]: So what happens is this.

[SPEAKER_01]: This security researcher, he described how a browser-based password manager extension like those we've discussed can be tricked into coughing up your secrets.

[SPEAKER_01]: And this is how the attack happens.

[SPEAKER_01]: Imagine you are on a website and you go to the website.

[SPEAKER_01]: One of the first things you see is effectively a pop-up.

[SPEAKER_01]: A little thing pops up in front of the website which says, click here to make it go away.

[SPEAKER_01]: So it could be something like an irritating cookie consent pop-up, and you see those sort of things when you visit Instagram or TikTok in your browser, or it could be something like the Cloudflare "are you a human" challenge page, the CAPTCHA.

[SPEAKER_01]: Yeah, you know, it's fairly common.

[SPEAKER_01]: I sometimes go to web pages and Google will say, oh, you know, are you really, you're not logged into your Google account?

[SPEAKER_01]: You know, you have to agree to it.

[SPEAKER_01]: And you see all this Google branded thing, which appears there.

[SPEAKER_01]: And you have to say, yes, I consent, or it's just not going to function on the page.

[SPEAKER_01]: And so you click on it, because who doesn't do that?

[SPEAKER_01]: But surprise surprise.

[SPEAKER_01]: A hacker has secretly slipped in underneath that pop-up an invisible login form.

[SPEAKER_01]: And your trusty password manager bless its silicon socks.

[SPEAKER_01]: Sees that form.

[SPEAKER_02]: Oh, interesting.

[SPEAKER_01]: Yeah.

[SPEAKER_01]: Sees that form and thinks.

[SPEAKER_01]: Oh, let me save you some time.

[SPEAKER_01]: Here is Tom's password and his credit card details and his inside leg measurement.

[SPEAKER_01]: So let me just step back, that's scary in itself.

[SPEAKER_01]: I'm going to go into the weeds now.

[SPEAKER_01]: I'm going to get a little bit nerdy.

[SPEAKER_01]: You know how

[SPEAKER_02]: Because I, yeah, because I've got quite, I've got a point, but yeah, go on, go on, go on, go on, go on.

[SPEAKER_01]: Okay, well, I'll describe this.

[SPEAKER_01]: And if you've got anything, I mean, you are a great technical brain, Tom.

[SPEAKER_01]: I'm expecting you to have great questions regarding this.

[SPEAKER_01]: We're both super cyber nerds.

[SPEAKER_01]: Let's go there.

[SPEAKER_02]: Exactly.

[SPEAKER_02]: My big question is, when can I get a coffee?

[SPEAKER_01]: Let's take the audience down this path and see if they can cope with what we're about to delve into.

[SPEAKER_01]: Indeed.

[SPEAKER_01]: So imagine you were tricked into visiting a dodgy site, a phishing site.

[SPEAKER_01]: It had a name a bit like the site you wanted to log into, or you received a phishing email with some HTML hijinks, which made you think that you were going somewhere and in fact you were taken somewhere else.

[SPEAKER_01]: This web page has been created by cybercriminals, like a regular phishing page.

[SPEAKER_01]: And they'd led you there through this malicious link.

[SPEAKER_01]: Normally, when you visit a page like that, your password manager can help you.

[SPEAKER_01]: Normally, if you visit a legitimate page where you would want to log in, it would inject a little autofill pop-up into the web page, a little thing will pop up inside the web page, a little button, which says, tap to fill in your details, tap to fill these in for you, but this.

[SPEAKER_01]: Is a dodgy website which contains on it what is known as an invisible frame, known as an iframe, which contains the login page of the real legitimate website.

[SPEAKER_01]: The real legitimate website is kind of embedded inside this dangerous website, and that iframe.

[SPEAKER_01]: I see, now you're gonna, that iframe has been made effectively invisible to the naked eye through the CSS, the CSS setting is basically set to opacity zero.

[SPEAKER_01]: And that means you can't see that the real thing is there.

[SPEAKER_01]: The attacker shows something like a fake cookie banner or a "confirm you're human" box to cover the real autofill pop-up.

[SPEAKER_01]: And when you click.

[SPEAKER_01]: When you click on the button to remove the cookie banner or the CAPTCHA, what you're actually clicking on is not a harmless button.

[SPEAKER_01]: Your click is actually passed to the hidden autofill control that tells your password manager, go ahead and fill in Tom's password, credit card details, 2FA codes here.

[SPEAKER_01]: And they get filled into a hidden form that the attacker controls, they collect it, and you didn't see a thing was being taken.

[SPEAKER_02]: So my question is, yes, when I go to a website and it has a login form and I click into the username, yeah, up pops a thing saying.

[SPEAKER_02]: Do you want to put in this username and password, and then I have to do the Touch ID or the secondary authentication.

[SPEAKER_02]: So I actually have to manually, not manually, but you know what I mean.

[SPEAKER_02]: My second factor is my fingerprint at the end of the day.

[SPEAKER_02]: So if that's in place, if you force that.

[SPEAKER_02]: As a protective measure, does that at least warn you that even though you're clicking into a fake form, it's trying to fill in a username and password behind without you seeing?

[SPEAKER_01]: So it would do, because of course you would think, why am I being asked to do a Touch ID?

[SPEAKER_01]: Now you're a fancy pants Apple user who's got all this fingerprint ID, Touch ID sort of stuff set up.

[SPEAKER_01]: Many of the rest of us mere mortals.

[SPEAKER_02]: Do you have rich person?

[SPEAKER_01]: Does not have all that set up?

[SPEAKER_01]: And I suspect as well.

[SPEAKER_01]: Yes.

[SPEAKER_01]: Inside many password managers, there may not be an option to do that.

[SPEAKER_01]: Or it is not enabled by default.

[SPEAKER_02]: I think also we forget people's muscle memory of, oh, it's prompting me to Touch ID, I must Touch ID.

[SPEAKER_01]: Yeah.

[SPEAKER_02]: It comes up with a valid system request.

[SPEAKER_02]: It's from Apple.

[SPEAKER_02]: Therefore, I'm saying, oh, something's happening, I must need to touch it.

[SPEAKER_02]: Not necessarily question it.

[SPEAKER_01]: Yeah.

[SPEAKER_01]: I think you're right.

[SPEAKER_02]: So it's still dangerous, but there is a mechanism that may at least slow things down.

[SPEAKER_01]: It's a little bit of a safety net because you might think, well, why is this happening?

[SPEAKER_01]: Although, remember, you clicked on a link expecting to go to this particular website, perhaps.

[SPEAKER_01]: I mean, that is absolutely.

[SPEAKER_01]: That's a possibility.

[SPEAKER_01]: It may not have been the case as to how they're doing this.

[SPEAKER_01]: It may not have been pretending to be that website.

[SPEAKER_01]: And so you might think, well, this is okay for me to do that is also a potential.

[SPEAKER_01]: Yes, what we need are more safety nets.

[SPEAKER_02]: These criminals are clever.

[SPEAKER_01]: They are clever.

[SPEAKER_01]: So, your password, your card info, even your two-factor security codes are getting filled into a hidden form.

[SPEAKER_01]: You didn't see a thing was being taken.

[SPEAKER_01]: What you can see is a big cookie consent form pop up on your screen, or some kind of CAPTCHA, something else which is irritating but apparently legitimate. Clicks.

[SPEAKER_01]: On the apparently safe visible elements of that web page are actually intercepted by the hidden iframe, and the credential theft occurs.

[SPEAKER_01]: So this is a bit of a problem.

[SPEAKER_01]: Yes, yes, and then some.

[SPEAKER_01]: So I think there's different people who have to deal with this problem and one of the groups of people are the people who actually run the websites themselves.

[SPEAKER_01]: So if you have a website which can be hacked, how can you prevent users of your website being duped in this fashion?

[SPEAKER_01]: And what you can do is you can set options in your HTTP headers which say that the site cannot, is forbidden to, be put in an iframe, and your web browsers will obey those and say, well, hang on, this particular web page doesn't allow this site to be put into an iframe.

[SPEAKER_01]: And so I'm not going to allow it.

[SPEAKER_01]: You can also say, look, my site can be put in an iframe, but only on my domain name.

[SPEAKER_01]: Yeah, so if you were part of smashingsecurity.com, smashingsecurity.com maybe allows other bits of smashingsecurity.com to put itself into an iframe.

[SPEAKER_01]: We don't actually do that as far as I know, but we're not that fancy.

[SPEAKER_01]: We're not.

[SPEAKER_01]: That was it.

[SPEAKER_01]: Why would we do that?

[SPEAKER_01]: You know.

[SPEAKER_01]: Well, you wrote the website.

[SPEAKER_01]: Yes, I did.

[SPEAKER_01]: So I'm pretty sure I don't do that, unless some hacker's come in.

[SPEAKER_01]: You can also set a Content Security Policy on your website, which is a more modern way of preventing your site from being put into an iframe.

[SPEAKER_01]: And some websites, they want to be embedded on other sites.

[SPEAKER_01]: It's part of their business model.

[SPEAKER_01]: So Google, for instance.

[SPEAKER_01]: Yes.

[SPEAKER_01]: YouTube.

[SPEAKER_01]: Yeah.

[SPEAKER_01]: People want to be able to embed videos on their blogs, on their news sites, on social media. Google Maps.

[SPEAKER_01]: People want to be able to embed Google Maps, Spotify, Twitter, TikTok, all those sort of things.

[SPEAKER_01]: They want to be embedded.

[SPEAKER_01]: So yeah, you could have a blanket ban of nobody can embed our stuff, but that would kill half of the internet's content.

[SPEAKER_01]: What you can do instead then is you can separate your safe to embed web pages from the ones which aren't safe to embed.

[SPEAKER_01]: So for instance, a login page on YouTube or Google cannot be embedded, exactly.

[SPEAKER_02]: Sounds like work for people, though, for webmasters everywhere.

[SPEAKER_01]: It is a bit of work, but the good news is, most people's websites.

[SPEAKER_01]: There's probably no business case for being embedded if you were running a bank.

[SPEAKER_01]: Why on Earth would you allow any of your web pages to be embedded somewhere else?

[SPEAKER_01]: It just sounds like you're asking for trouble.

[SPEAKER_02]: If you're running a bank, why on Earth would you limit passwords to just twelve characters?

[SPEAKER_02]: And yet?

[SPEAKER_01]: And yet, some do.

[SPEAKER_02]: It's insane.

[SPEAKER_02]: It drives me livid.

[SPEAKER_02]: I have to say.

[SPEAKER_01]: So what can users do about this?

[SPEAKER_01]: We've spoken about what the website admins can do; what can users do about it?

[SPEAKER_01]: Well, you can turn off autofill for sensitive stuff like passwords and credit card details.

[SPEAKER_01]: Sounds like in a way you have turned off autofill, Tom, because it requires your fingerprint to go forward.

[SPEAKER_01]: I've told my password manager not to do it automatically.

[SPEAKER_01]: I have to do a further "fill on click" agreement.

[SPEAKER_01]: So when it tries to fill something in rather than doing it automatically, the actual browser has a little thing inside the browser context where I say, yes, this is okay for this extension to fill these details in.

[SPEAKER_01]: So I would be suspicious.

[SPEAKER_01]: You can obviously keep your password manager updated because some have been updated to protect against this.

[SPEAKER_01]: And in Chrome and Edge and Brave, if you're using those browsers, many people are obviously using Chrome.

[SPEAKER_01]: You can set extensions, including password managers, to basically operate on-click only.

[SPEAKER_01]: So they don't silently inject autofills.

[SPEAKER_02]: You have to click into the, into the field itself before it fills in.

[SPEAKER_01]: Well, you have to actually click, I think it's on an icon in your browser toolbar, to say, I now want my password manager to do something, which might be an idea for many people with extensions anyway, because some extensions have an extraordinary amount of access to what's going on on the page.

[SPEAKER_01]: You may only want to turn them on when you want to turn them on.

[SPEAKER_01]: So, this researcher, he tested eleven popular password managers.

[SPEAKER_01]: He found that nearly all of them were vulnerable to this trick, to a greater or lesser extent, and he told them about it back in April, and some, like Dashlane and Keeper and NordPass and Proton Pass and RoboForm, they fixed it quickly.

[SPEAKER_01]: Others are dragging their heels a little bit.

[SPEAKER_02]: It's interesting how the larger names that shall not be mentioned seem to be dragging their heels, yet.

[SPEAKER_02]: The smaller ones, the ones with potentially fewer resources, are just fixing it.

[SPEAKER_01]: It's curious, isn't it?

[SPEAKER_01]: Yeah, I mean, maybe they're worried about what else they might break and are looking for the right way to do this.

[SPEAKER_02]: That's true.

[SPEAKER_01]: But yeah, you would like to think that they would have done it by now.

[SPEAKER_01]: So right now, for some people, and it's estimated millions and millions of people are relying on these things.

[SPEAKER_01]: And rightly so.

[SPEAKER_01]: Yeah.

[SPEAKER_01]: And because we've been encouraging it.

[SPEAKER_01]: Yeah.

[SPEAKER_01]: You're on your podcast.

[SPEAKER_01]: Yep.

[SPEAKER_01]: The only thing standing between them and disaster is the hope that they don't click on a suspicious "Accept cookies" button, which, let's be honest.

[SPEAKER_01]: Which we all do.

[SPEAKER_01]: We all do anyway, Tom.

[SPEAKER_01]: Oh, frankly.

[SPEAKER_02]: Well, have you ever been on?

[SPEAKER_02]: I'm sure you have on the HMRC website.

[SPEAKER_01]: Yes.

[SPEAKER_02]: Every page you open, it's accept cookies, accept cookies.

[SPEAKER_02]: It's ridiculous.

[SPEAKER_01]: Does it do that?

[SPEAKER_02]: Why does it do that?

[SPEAKER_02]: I know.

[SPEAKER_02]: I know.

[SPEAKER_02]: God, that's kind of like prompting poor behaviour in a place that is really close to your financial livelihood.

[SPEAKER_01]: Right, yes.

[SPEAKER_01]: Yeah, absolutely.

[SPEAKER_01]: So if you run a website, don't let your sensitive pages be iframed.

[SPEAKER_01]: And if you're a user, don't let your password manager fill stuff in automatically without your explicit say-so, or without the thumbprint of Tom Langford.

[SPEAKER_02]: Absolutely.

[SPEAKER_02]: My thumb is available for rent.

[SPEAKER_01]: Tom, what's your story for us this week?

[SPEAKER_02]: So, this story, I'm going forward in time.

[SPEAKER_01]: Excellent.

[SPEAKER_02]: So, you know, between, I mean, maybe sort of seven to fifteen years in the future, is when the experts think that quantum computing will be mainstream.

[SPEAKER_02]: Okay.

[SPEAKER_02]: And quantum computing is, I was going to say the next step in sort of computing evolution, although it's actually more like a revolution.

[SPEAKER_02]: It's fundamentally more powerful by orders of magnitude, massive orders of magnitude.

[SPEAKER_02]: Things that may have taken a supercomputer today ten thousand years to do.

[SPEAKER_02]: Right.

[SPEAKER_02]: We mentioned cryptography and how, you know, you can break passwords.

[SPEAKER_02]: If you set a supercomputer onto it for ten years, you can get a password out of it from an encrypted password; a quantum computer.

[SPEAKER_02]: We'll do it in seconds or minutes because of that exponentially massive growth.

[SPEAKER_02]: From a security perspective, all of our existing cryptography, even the highest level of cryptography today, is potentially going to just be blasted through by quantum computers.

[SPEAKER_02]: And that's not going to change.

[SPEAKER_02]: It's a bit scary.

[SPEAKER_02]: Yeah, it's potentially, do you know how hard it is to find a story to talk about that hasn't got AI in it?

[SPEAKER_02]: These days, it's ridiculous.

[SPEAKER_01]: It's almost as though someone should do a podcast specifically about AI.

[SPEAKER_02]: I know, right?

[SPEAKER_02]: You'd think if only I could find somewhere that would teach me more about it.

[SPEAKER_02]: But quantum is going to be the new AI in a few years, all we're going to hear about is quantum, because more and more computers will be quantum. Microsoft just recently launched a quantum chip.

[SPEAKER_02]: I say launch, it's not like you can go down to Currys and buy it, but it's a pretty little gold thing that needs to be refrigerated or stored in a room the size of a small house, basically, to keep it cool to run.

[SPEAKER_02]: Although, that's changing.

[SPEAKER_02]: You know, I think quantum chips are now starting to operate at room temperature, et cetera.

[SPEAKER_02]: Because that's the thing, you had to chill a quantum computer down to absolute zero in order for it to work.

[SPEAKER_02]: Progress has been made, which means that doesn't matter.

[SPEAKER_02]: So anyway, experts therefore say, in seven to fifteen years, quantum computers will be maybe in the household who knows and maybe in a phone, you just don't know.

[SPEAKER_02]: I mean, it's Moore's law writ large here.

[SPEAKER_02]: So researchers are very concerned and cybersecurity people are very concerned about it, so we need to be quantum ready effectively.

[SPEAKER_02]: And Microsoft has bravely announced that by twenty thirty-three, that's eight years.

[SPEAKER_02]: Yes.

[SPEAKER_02]: And quite a few hundred Patch Tuesdays from now, that its products will be quantum safe.

[SPEAKER_02]: Corporate speak for:

[SPEAKER_02]: We'll worry about the apocalypse later, but here's a press release to make us look futuristic today.

[SPEAKER_01]: Okay, what do you mean by quantum safe?

[SPEAKER_02]: What I mean by quantum safe is that their products, their computers, et cetera, will not be able to be taken advantage of by quantum computing in the way that we've just mentioned.

[SPEAKER_02]: They will have their own encryption methods, or at least what we might term as encryption today, who knows in eight years' time, that will not be broken by quantum. Presumably it's quantum encryption, which will therefore take a quantum computer ten thousand years to break.

[SPEAKER_02]: Right.

[SPEAKER_02]: The pitch is that hackers are harvesting encrypted data now so that they can decrypt it later.

[SPEAKER_02]: So we talked in the last story about, you know, not all sites store data properly, most sites do.

[SPEAKER_02]: And they store it encrypted, hashed, salted, bcrypted away.

[SPEAKER_02]: So that's why it takes ten thousand years to get a password out of it.

[SPEAKER_02]: Hackers know this, they just harvest it anyway, because at some point they will be able to use a quantum computer to decrypt that data in seconds.

[SPEAKER_02]: So because most people will not change their passwords over the next five years on many sites, because they're not prompted to, why would they?

[SPEAKER_02]: Many people, they might reuse a password to your previous point.

[SPEAKER_02]: They might have a secure password, but they use it a number of different times.

[SPEAKER_02]: So it might be a hundred and twenty-eight different characters, but they use it on ten different sites or a hundred different sites and don't change it because, hey, it's secure.

[SPEAKER_02]: Well, in five years' time, it won't be, or eight years' time, or whatever.

[SPEAKER_02]: And also, most people who don't listen to this podcast, but may be friends or family of people who listen to this podcast.

[SPEAKER_02]: Are still using, you know, Password1.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: Of course, Microsoft is working with global standards bodies, which sounds great.

[SPEAKER_02]: until you just realise that's just a decade of committees and meetings about acronyms.

[SPEAKER_02]: But by the time they agree on what to call it, quantum computers will be teaching our grandchildren how to bypass login screens.

[SPEAKER_02]: Simple as that.

[SPEAKER_02]: By twenty thirty-three, half of them won't even be using today's systems anyway.

[SPEAKER_02]: And the other half will still be waiting for Windows updates to finish installing, or rather, speaking of shutting down your computer.

[SPEAKER_02]: Please wait.

[SPEAKER_02]: Do not turn off your computer.

[SPEAKER_02]: So it sounds great.

[SPEAKER_02]: But if history tells us anything, the real threat isn't quantum computing, it's Microsoft rolling out another update that breaks your printer again.

[SPEAKER_01]: It's telling you it's for security.

[SPEAKER_01]: Oh, come on, Tom.

[SPEAKER_01]: As if they would do that.

[SPEAKER_02]: Yeah, as if they would do that.

[SPEAKER_02]: And anyway, most printers don't need a patch to break.

[SPEAKER_02]: They just break randomly anyway, right?

[SPEAKER_01]: Yeah, because you've made the mistake of injecting paper into them.

[SPEAKER_01]: That's the thing they're objecting to.

[SPEAKER_02]: It's a paper injection attack.

[SPEAKER_01]: Hello, I'm Graham Cluley, host of the Smashing Security podcast.

[SPEAKER_01]: I guess you know that, I'm quite often in your ears, aren't I?

[SPEAKER_01]: Every week, tens of thousands of people tune in to hear me talk about hackers, scams, the latest blunders that make you wonder how some people ever got hired in cybersecurity, but here's the clever bit.

[SPEAKER_01]: Your business can sponsor this podcast.

[SPEAKER_01]: That means your brand gets promoted directly to an audience of security professionals, decision makers, and people who actually know what a firewall is, unlike your CEO.

[SPEAKER_01]: Sponsoring Smashing Security is simple.

[SPEAKER_01]: I read your message, listeners hear it, and you look like a flipping genius for choosing the one podcast that manages to make cybercrime both informative and funny.

[SPEAKER_01]: So, before you blow this year's marketing budget on branded stress balls or throwaway socks, visit smashingsecurity.com slash sponsor and let's chat. That's smashingsecurity.com slash sponsor.

[SPEAKER_01]: Okay, back to the show.

[SPEAKER_01]: And welcome back and you join us at our favourite part of the show, the part of the show that we like to call.

[SPEAKER_01]: Pick of the week.

[SPEAKER_01]: Pick of the week.

[SPEAKER_01]: Pick of the Week is the part of the show where everyone chooses something they like.

[SPEAKER_01]: Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app.

[SPEAKER_01]: Whatever they wish, it doesn't have to be security related necessarily.

[SPEAKER_01]: They're not big.

[SPEAKER_01]: Um, my pick of the week this week.

[SPEAKER_01]: Well, it is kind of security related.

[SPEAKER_01]: Um, I was talking earlier about phishing and, you know, dodgy links and things like that, and people like to play around with them.

[SPEAKER_01]: And a lot of people will shorten a link, won't they?

[SPEAKER_01]: They'll use a service like Bitly.

[SPEAKER_01]: I suppose that's a famous one.

[SPEAKER_01]: Uh, to create a short link, and you don't really know where you're going until you've gone to it.

[SPEAKER_01]: It could be anywhere on the web and, oh my word, where have I ended up?

[SPEAKER_01]: Well, I found a cute little website, which might, well.

[SPEAKER_01]: Might appeal to some people.

[SPEAKER_01]: And other people might be absolutely appalled by it.

[SPEAKER_01]: It is a website.

[SPEAKER_01]: Where you can shadeify a URL rather than shorten it, you can make it a bit more shady.

[SPEAKER_01]: So you can turn your URL into something which looks super sketchy.

[SPEAKER_01]: And this was put together by a guy.

[SPEAKER_01]: We're not helping.

[SPEAKER_02]: We really aren't helping.

[SPEAKER_02]: Pushing the needle here, aren't we?

[SPEAKER_01]: Possibly not.

[SPEAKER_01]: This was put together by a guy called Robin in Hamburg.

[SPEAKER_01]: I will link to it in the show notes.

[SPEAKER_01]: robbb.in slash shady, it is.

[SPEAKER_01]: You can see the link there in front of you, Tom, if you go to the link.

[SPEAKER_01]: Okay.

[SPEAKER_01]: When you go to the link, you can enter a URL.

[SPEAKER_01]: And it will turn it into something which is probably going to be longer and hopefully would set the alarm bells of your users.

[SPEAKER_01]: Ringing enormously that they shouldn't click on it.

[SPEAKER_01]: So you give it a try, Thom, and see what you get.

[SPEAKER_02]: So if I was sent to your link that says malicious dash, do not trust dash by where dash forgery.io.gd slash garbage, adware.exe.

[SPEAKER_01]: Yeah, that sounds a bit dodgy.

[SPEAKER_02]: Guess which website that will take you to.

[SPEAKER_01]: I have to have no idea.

[SPEAKER_01]: Where does it take you?

[SPEAKER_02]: Host Unknown dot TV, of course.

[SPEAKER_01]: the URL of your podcast and test it.

[SPEAKER_01]: I love this and I hate it all at the same time.

[SPEAKER_01]: It's funny isn't it?

[SPEAKER_01]: I both love it and hate it and I can imagine many people listening to the podcast will both love and hate this.

[SPEAKER_01]: So I don't know if this should be a pick the week or a nit pick of the week and whichever it is.

[SPEAKER_01]: I thought you should be aware of it or I do not click of the week.

[SPEAKER_01]: But there you go.

[SPEAKER_01]: So that is how you shadeify your URL links in the show notes.

[SPEAKER_01]: Nice.

[SPEAKER_01]: Tell me, what's your pick of the week?

[SPEAKER_02]: So I said I was going to go into the future and the past.

[SPEAKER_02]: So I am here to talk to you about a company called Juicy Crumb who have produced a little product called the DockLite G4.

[SPEAKER_02]: Now let's go back twenty-plus years in the Apple history.

[SPEAKER_02]: Do you remember, this is before Apple even moved onto the Intel chip, they were still running the PowerPC chip.

[SPEAKER_02]: Yes.

[SPEAKER_02]: They'd released their plastic PowerPC Macs.

[SPEAKER_02]: Do you remember the, there was one that looked like colorful toilet seats and then they had the CRT monitors in plastic.

[SPEAKER_02]: That was the G3 versions.

[SPEAKER_01]: Yes.

[SPEAKER_02]: Do you remember those?

[SPEAKER_01]: Yes.

[SPEAKER_02]: So that's the kind of era.

[SPEAKER_02]: And then they released a brand new line of iMacs.

[SPEAKER_02]: And it was called the iMac G4, very, very imaginatively, as it were.

[SPEAKER_02]: Yes.

[SPEAKER_02]: But do you remember this one?

[SPEAKER_02]: It was like a half dome with an articulated arm and the screen on the end.

[SPEAKER_02]: Some people called it the sunflower edition.

[SPEAKER_01]: It was like an Anglepoise lamp.

[SPEAKER_01]: Wasn't it, in a way?

[SPEAKER_02]: Like an Anglepoise lamp, and it's a thing of beauty.

[SPEAKER_02]: In fact, I'm looking at two of mine at the moment.

[SPEAKER_01]: You've got one.

[SPEAKER_01]: I love them.

[SPEAKER_02]: Got two.

[SPEAKER_02]: I have a fifteen inch and a seventeen inch.

[SPEAKER_01]: Okay, stop bragging.

[SPEAKER_01]: I would love it if Apple still used that design.

[SPEAKER_01]: I think that design was absolutely gorgeous.

[SPEAKER_01]: It's beautiful.

[SPEAKER_01]: Yeah.

[SPEAKER_02]: If you go to eBay, you can even just find somebody who takes broken ones and turns them into lamps.

[SPEAKER_02]: Yours for three hundred and sixty quid.

[SPEAKER_01]: I'm all right, thanks.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: Anyway, these run PowerPC G4; the lower versions can only take like a gig of RAM.

[SPEAKER_02]: They normally ship to two hundred and sixty to make.

[SPEAKER_02]: That's how long ago.

[SPEAKER_01]: Because they haven't made these things for almost twenty five years, have they?

[SPEAKER_02]: No, exactly.

[SPEAKER_02]: It's a long time ago, right?

[SPEAKER_01]: Yeah.

[SPEAKER_02]: So they're sluggish.

[SPEAKER_02]: You fire it up, plug it into your network.

[SPEAKER_02]: It'll get an IP address, but good luck actually browsing anywhere because all the certificates have expired, you know, it's an unsupported operating system, etc.

[SPEAKER_02]: But they are a singular beauty.

[SPEAKER_02]: However, what Juicy Crumb have done is create this product, the DockLite G4.

[SPEAKER_02]: What do you do?

[SPEAKER_02]: You open it up!

[SPEAKER_02]: Put it on its face, open up its bottom.

[SPEAKER_02]: You take out the innards, you put in their board, which all lines up properly.

[SPEAKER_03]: Yeah.

[SPEAKER_02]: Put it back together.

[SPEAKER_02]: You have now got a USB connected monitor.

[SPEAKER_02]: Monitor, monitor, and some space inside of that dome to put whatever you want in there that would fit.

[SPEAKER_02]: So, for instance, somebody got the inside of an M2 Mac Mini, so not the smallest one, but the larger Mac Mini as it were.

[SPEAKER_02]: Right.

[SPEAKER_02]: An M2 silicon Mac Mini.

[SPEAKER_02]: He said the screw holes actually line up, mounted that inside the half-dome underneath, plugged in the HDMI, hooked up the USB, then had a fully working M2 Mac in the sunflower G4.

[SPEAKER_01]: In the classic, the classic form.

[SPEAKER_01]: Oh, that sounds like a thing of beauty.

[SPEAKER_02]: It's a thing of business.

[SPEAKER_02]: My dock is winging its way from Australia as we speak.

[SPEAKER_02]: So I can't talk to it just yet.

[SPEAKER_02]: So you can use your old keyboard, your old mouse, your old speakers.

[SPEAKER_02]: You can keep it looking genuinely retro.

[SPEAKER_02]: I'm putting an Apple TV inside of mine.

[SPEAKER_02]: As you were talking just before, I'm buying a new house.

[SPEAKER_02]: I fancy having a TV in a kitchen.

[SPEAKER_02]: Not just any TV.

[SPEAKER_02]: I want a retro Mac TV.

[SPEAKER_01]: How cool is this?

[SPEAKER_01]: That sounds so cool.

[SPEAKER_01]: Great pick of the week, Thom.

[SPEAKER_01]: Great one.

[SPEAKER_01]: Well that just about wraps up the show for this week.

[SPEAKER_01]: Thank you so much, Thom, for joining us.

[SPEAKER_01]: I'm sure lots of listeners would love to find out what you're up to and follow you online.

[SPEAKER_01]: What's the best way to do that?

[SPEAKER_02]: Oh, you can search for me, Thom Langford, that's T-H-O-M, a Langford, or come to hostunknown.tv, or thomlangford.com, or even Thom Langford dot photography.

[SPEAKER_02]: All ways of getting hold of me.

[SPEAKER_01]: Terrific.

[SPEAKER_01]: And of course, Smashing Security is on social media as well.

[SPEAKER_01]: You can find us on Bluesky, and you can follow me on LinkedIn.

[SPEAKER_01]: And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app such as Apple Podcasts, Spotify and Pocket Casts.

[SPEAKER_01]: For episode show notes, what's happening with both guests, and the entire back catalogue of more than four hundred and thirty odd episodes, check out smashingsecurity.com. Until next time.

[SPEAKER_01]: Cheerio, bye-bye.

[SPEAKER_01]: Tata!

[SPEAKER_01]: You've been listening to Smashing Security with me, Graham Cluley.

[SPEAKER_01]: I'm grateful to Thom Langford for joining on this episode and to the chums who've signed up for Smashing Security Plus and support the podcast via Patreon.

[SPEAKER_01]: They include Matt Cotton, Alan Lyska, Jan, David Smith or David Smith, he's got a wire in it.

[SPEAKER_01]: Jason B, Simon Yakan, Mike Hallert, Dmitry Rich, Semi-Dosa, Matthew Hunt, John Morris, Bunky Duck, Lars, Chip, and Jacob Lufgren.

[SPEAKER_01]: If you'd like your name to be one of those read out in the credits from time to time, that is just one of the simple pleasures you can earn yourself by joining Smashing Security Plus.

[SPEAKER_01]: Just sign up for as little as five dollars a month.

[SPEAKER_01]: Get your name read out every now and then.

[SPEAKER_01]: But you also get early access to Smashing Security episodes and occasional bonus content.

[SPEAKER_01]: And by the way, those early episodes don't have any ads in them.

[SPEAKER_01]: Wonderful.

[SPEAKER_01]: Just go to smashingsecurity.com slash plus for more details.

[SPEAKER_01]: Now, I realise that times are tough, and there's not a lot of money rattling around, is there, so don't feel any pressure to become a patron.

[SPEAKER_01]: You can also support the podcast in other ways.

[SPEAKER_01]: You can like, you can subscribe, you can give five star reviews if you're feeling generous, and perhaps jot down a few words to try to entice people to give the podcast a listen.

[SPEAKER_01]: But you know what you also can do is just tell someone about the podcast, tell them you like it.

[SPEAKER_01]: Anything that gets the podcast in front of more people makes the effort all worthwhile.

[SPEAKER_01]: Well, that just about wraps up the show for this week.

[SPEAKER_01]: So thanks once again for listening.

[SPEAKER_01]: I really do appreciate it.

[SPEAKER_01]: And until next week, Cheerio, bye, bye.
