Subscribe
Share
Share
Embed
When your digital enterprise is everywhere, cyberattackers don’t need to scale walls or cross boundaries to breach your network. It takes just one identity – human or machine – from a sea of hundreds of thousands to get inside. It’s no wonder we have Trust Issues. Join us for candid conversations with cybersecurity leaders on the frontlines of identity security. We break down emerging threats, hard-won lessons, leadership insights and innovative approaches that are shaping the future of security.
[00:00:00.200] - David Puner
You're listening to the Trust Issues podcast. I'm David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.
[00:00:19.600] - David Puner
Remember QR codes before COVID? They were a consumer novelty that never quite achieved long-lasting smart device liftoff. Just a few years ago, you still needed to use a third-party app on your smartphone to scan a QR code and get it to do its thing, which didn't seem worth the hassle when you could just type in a URL. But maybe that was just me.
[00:00:45.740] - David Puner
With the rise of the contactless era, the little black and white grids emerged from relative obscurity to replace everything from restaurant menus, to store discounts, to subway station ads. Governments around the world have embraced them to facilitate contact tracing and vaccination status verification.
[00:01:04.520] - David Puner
They've become today's business card, conference leave-behind, and virtual payment option. QR codes are accessible, easy to produce, and seemingly here to stay. They're also a perfect way for cybercriminals to steal your personal information. And, as of now, it seems like there isn't widespread understanding about that.
[00:01:28.390] - David Puner
On today's episode, we welcome back Len Noe. He's CyberArks technical evangelist and white hat hacker, and if you listen to Trust Issues' Episode 2, you'd know that he's also our own resident cyborg—or transhuman, if that's more your jam. You should check out the episode; it's pretty enlightening.
[00:01:47.080] - David Puner
Today, though, we're talking about QR codes. Also enlightening. It seems pretty simple, but it also feels like most folks don't know how QR codes are being used by criminals to wreak havoc. Innovation promotes innovation after all. So we talk about that. And we talk about what you can do to protect yourself. Here's my talk with Len. I hope you enjoy it.
[00:02:18.660] - David Puner
Thanks for coming on a second time. You're our first repeat guest. Episode 2 was very popular. I got really carried away in that episode in that I was so excited to get going on transhumanism and AI and all that kind of stuff that I never had a chance to ask you what you do. You're a technical evangelist and white hat hacker. What does that mean and what do you do?
[00:02:47.890] - Len Noe
What does that mean and what do I do? I do a lot of public speaking. I do a lot of research. It's my job to show the attack landscape from a CyberArk perspective in real-world terms. I do a lot of real-life attacks, showing how those attacks would actually either be stopped, mitigated, or prevented based on the CyberArk stack technology.
[00:03:16.510] - Len Noe
I'm a very blessed person. It's given me the opportunity to present a lot of information. I think I'm up to 29 different countries since starting at CyberArk. It's been an amazing journey. Honestly, this is the first time I've ever not had a job because if you've ever heard that old expression, "If you love what you do, you never go to work." So I feel very fortunate. I don't go to work. I love what I do, and I love the company that I work for.
[00:03:50.550] - David Puner
You mentioned the 29 countries since you've been working for CyberArk. I know you've just been on the road, as it were. Where have you been and where are you just back from? And why were you on the road?
[00:04:02.780] - Len Noe
Over the course of the last two months, let's see. I've been in Paris, France. I've been in Rome, Italy. Was in Boston for our Impact. Did a South American tour in Mexico, Colombia, Argentina, and Brazil. And just got back from our APJ Mid-Year Kickoff in Bangkok, Thailand last Friday. It's been a lot of travel and just an amazing journey.
[00:04:35.090] - Len Noe
To be honest, the reception that we've been getting post-lockdown has just been phenomenal. The attendees at all of the sessions have been so eager and just engaging. I think a lot of that has to do with the fact that we've been locked down for so long. But it's been just awesome being back on the road and live and in person again. It's not just great for us. We see the responses in the people that are attending our events, and it's good to be getting back to normal again.
[00:05:06.410] - David Puner
You've been on the road. Is a lot of what you're talking about QR codes these days?
[00:05:12.010] - Len Noe
Yeah. The QR response has been just absolutely phenomenal. From the point that the blog was put up, this research has just taken on an entire life of its own. I know it got picked up by Forbes. We were picked up in the La Parisienne. I'm going to probably mispronounce this, but I think it's called Nikkai or Nikkei newspaper in Japan. I just did two more interviews with the Thai media while I was in Bangkok. The QR code stuff has just been just blowing up. The fact is, it's something that affects both consumers as well as enterprise. This is one of those threats that's pretty much across the board in terms of who's a target.
[00:06:00.160] - David Puner
The blog post you're referencing is on the CyberArk blog. Of course, it's called Step Away From the QR Code and Read These 7 Safety Tips. A lot of what we're going to talk about here, if folks want to do a little bit of a deeper dive, they can go to that blog post. There's also a link in that blog post to a webinar that you've done on this subject.
[00:06:18.280] - David Puner
To get to the meat of it with QR codes, as we know, over the course of the pandemic, the QR code seemed to have a little bit of an explosion in popularity prior to the pandemic. I think that I'm probably among the majority here, but I thought the QR code was just like a marketing gimmick, and it was set the pasture. When it was at its best, it was lame. Am I wrong?
[00:06:46.200] - Len Noe
Prior to the pandemic, no, you're really not. Realistically, QR codes have been around for almost 30 years. They were originally designed by the Japanese automotive company Denso Wave. Prior, like you said, typically just a kitschy marketing thing outside of APJ, not a lot of heavy adoption in EMEA. But you hit the nail right on the head.
[00:07:13.190] - Len Noe
If you take a look at the blog post, there's actually a slide where you can actually see the statistics of QR adoption prior to the COVID outbreak and then post-COVID outbreak. It just goes through the roof. The problem with that is we were in a situation where we needed to find some way of doing contactless transactions.
[00:07:37.230] - Len Noe
Due to that, we saw a lot of heavy pushes from regulatory agencies; governments saying, "Use this. Use this. Use this." The problem is, is they didn't really look at the fact that these particular little funny boxes have the exact same capabilities and characteristics of a hyperlink in a spam e-mail. I've been saying all along, when it comes to advertisements with QR codes, these are physical forms of spam e-mail. You didn't ask for it.
[00:08:08.370] - Len Noe
I really think if people try to frame it in the same way that we've framed the context of our e-mail training campaigns, if this particular advertisement showed up in your spam inbox, would you click it? That's the link that we really need to try to make.
[00:08:25.530] - David Puner
I guess a prime example—and you can probably tell me some other prime examples if we get into it—but we get back to restaurants. You sit down at a table, and you've got the QR code on the table to order. How can that go wrong and what should you be looking for? Because this experience obviously is only getting more popular as time goes by.
[00:08:47.190] - Len Noe
Well, before we get into the restaurant, the one that I'd like to showcase before that is our Super Bowl a couple of years ago. That one was the one that really started me thinking about this whole concept.
[00:09:01.660] - David Puner
This was that advertisement where there was just a QR code in the screen-
[00:09:04.580] - Len Noe
You got it.
[00:09:04.580] - David Puner
-It was bouncing around, and nobody knew what it was for.
[00:09:07.420] - Len Noe
Nobody knew what it was. That QR code, which happened to be for a cryptocurrency broker, was hit 20 million times in one minute.
[00:09:19.580] - David Puner
Wow!
[00:09:20.180] - Len Noe
Nobody knew where it was going. When it comes to the idea of the menus, that has been something that's been going on since the pandemic started. In my actual blog post, I actually threw up two menus side by side, and the words on the deck slide are, "Can you tell the difference? Which one's safe?"
[00:09:45.270] - Len Noe
The truth is, by looking at them, you really can't tell. Personally, I will not scan them. One of the things that I've been really trying to push is we need to start asking and demanding more accountability from marketing departments around the world. We live in a zero-trust world. If we break down what zero trust means, it's trust but verify.
[00:10:09.340] - Len Noe
How am I supposed to verify when you're just giving me a QR code? I'm not anti-QR; I'm anti-irresponsible QR. So if you give me a QR code, and then you give me the link that I'm supposed to be getting redirected to, so that way, if I scan it, I can validate that I'm going where I'm supposed to, that's something different. I'm not saying that all QR codes are bad by any means.
[00:10:37.260] - Len Noe
One of the other things that I wanted to point out is the fact that when it comes to this particular concept, I'm strictly trying to focus around the redirection aspects of QR codes, not tokenization or authentication. But from an advertising perspective, we really do need to start demanding that point of reference for a source of truth.
[00:10:59.770] - Len Noe
One other example is over...I don't know if it was either in Hong Kong, or it might have been in Bangkok, but somewhere over in APJ, within the last month—and if you'd like, I can get you the reference so we can include this in the subnotes—there was a drone swarm that was actually utilized to create a giant three-dimensional QR code in the air. Once again, we were back to another situation where everybody that was close was scanning this thing and being redirected somewhere with no idea where they were going. We would never do that in an e-mail situation or any type of corporate environment that we've been accustomed to.
[00:11:38.760] - David Puner
So why are people so comfortable doing this? Why is there such little awareness for this issue? Is there ever a time when somebody would be okay to actually scan a QR code where there isn't a URL listed below it?
[00:11:55.560] - Len Noe
Why do I think it's happening? A lot of that, I think, is because of the pressure from the pandemic and the force for contactless transactions. We were in the middle of a situation where we were trying to make sure that people weren't going to be passing an infection. This seemed like the right idea at the time, and the fact that it was pushed so heavily by the CDC, the government. Even when it comes to COVID vaccination passports, these things were all keyed back into that QR system due to that remote contactless technology.
[00:12:28.890] - Len Noe
I think just through the use and the circumstance, we've been led to falsely believe that these particular pieces of technology are safe. But anyone who's deep into security is going to realize you're just basically activating a hyperlink redirect.
[00:12:48.630] - David Puner
At some point, we're going to get into what people should be on the lookout for and what they can do to keep themselves safe and best practices around QR codes. What are some of the things that are happening when people scan QR codes that are, I guess, rigged QR codes or whatever you may call them-
[00:13:09.930] - Len Noe
Oh, wow!
[00:13:09.930] - David Puner
-Scam QR codes?
[00:13:11.370] - Len Noe
Sure thing. Here's a couple of real-world examples. In China, scammers place fake parking tickets on illegally placed cars. Tickets actually contained a QR code and instructions to use the code to pay via a mobile payment app. Just to even make it more convincing, the fraudulent accounts set up to receive the payment actually use profile photos of real police officers.
[00:13:34.320] - Len Noe
Here in my home state of Texas, criminals started putting stickers with malicious QR codes on the city parking meters in Austin, San Antonio, and Houston. These were basically quick pay for parking. The truth is-
[00:13:48.840] - David Puner
And people would click through, or they would scan them and end up on a site that looked similar to what the real site would look like?
[00:13:54.880] - Len Noe
Exactly. Then they thought they were actually paying for parking. The truth is, they were just giving money to a scammer. In the Netherlands, there was a very large mobile bank that actually allowed their customers to use a QR code to set up a secondary mobile device to access their account. Scammers looked for those customers who were selling things online, obtained their account numbers, supposedly, so that they could actually pay them for like a Facebook market or a Craigslist type of purchase.
[00:14:24.680] - Len Noe
Then they use their own version of that app installed on their own device, generated the QR code, and then sent that QR code to the seller saying, "I need you to scan this to complete the transaction." In doing so, they would actually give the attacker access into their actual bank account. The amount of QR code scams that have been going on around the world has tripled since the point of the pandemic just because people have that false sense of security that these are actually safe.
[00:14:56.070] - David Puner
You mentioned that Super Bowl ad a couple of minutes ago. Is that something that you think today could still and would be approved and happen? If so, would there have to be some other things involved in that ad? It just seems that we've, as a whole, seem to be blind to what's going on here.
[00:15:18.540] - Len Noe
Well, due to the reach of this particular research, we're actually starting to see more marketing departments being held accountable for that source of trust. I've seen, especially since this article dropped, where I'm actually seeing a lot more QR codes with the associated URL provided in advertising literature.
[00:15:42.470] - Len Noe
Unfortunately, there is no antivirus. There's no EDR software. There's nothing you can put on a device that's going to actually be able to do any type of detection because they're not going to be able to extrapolate that information out of the QR code.
[00:15:58.420] - Len Noe
One of the attacks that we've been seeing out in the wild lately is people who are e-mailing corporate users QR codes in the body of an e-mail. Because, like I said, the EDR, the antivirus, nothing's actually going to do anything to that QR code, it's making it inside the enterprise, and then these users are physically scanning them with their mobile devices. So-
[00:16:28.200] - David Puner
Whereas a bad link, a spam link, a phishing link, something like that, would be caught by that software. If somebody's sending a phishing e-mail of sorts and it's got that QR code in it, that antivirus software is not going to spot that.
[00:16:41.570] - Len Noe
Correct.
[00:16:42.090] - David Puner
That is an issue.
[00:16:43.330] - Len Noe
This is not going to be a situation that's going to be able to be solved through application security or device security. This is going to have to be something that is a mindset change for the individual user, along with trying to force accountability for marketing agencies around the world to actually give us more than what they've given us in the past.
[00:17:05.160] - David Puner
What type of things are happening to people who are falling prey to malicious QR codes?
[00:17:13.600] - Len Noe
A lot of it is around financials. If you take a look in the crypto world, the idea of crypto scams and having your cryptocurrency stolen, very common. We're seeing a lot of phishing e-mails around QR codes, and we've seen a ton of disinformation being distributed via QR codes. Here in the US, there's been quite a few incidents where during the COVID pandemic, if you go to a testing facility, there would be QR codes to scan, to try and gain additional information in regards to the COVID pandemic.
[00:17:51.380] - Len Noe
We've seen numerous instances where somebody will actually walk up and place a sticker over the original QR code, and then when people scan it, it would take them to disinformation sites. They're very easy to use. Unlike when it comes to, say, a hyperlink in an e-mail, all you need is a printer. You can just print a sticker, put it over an existing legitimate QR, and you can do anything you want. So it's almost like a physical man in the middle.
[00:18:20.820] - David Puner
What can people do that's not going to take them 10 minutes extra time? What should the reflex become?
[00:18:29.690] - Len Noe
To be honest, I take issue with that last sentence, David, because when it comes to the amount of time that it takes to be safe, I really don't think we should put something on it. We need to remember, like I said before, these are physical forms of spam e-mail. If you wouldn't click on this, if it was in your spam inbox, why are you scanning it?
[00:18:51.030] - Len Noe
You didn't ask for this information. Maybe it's something you are interested in. What's the harm of actually Googling the product and going to that product's manufacturer directly? Is it worth it to scan the QR code? That, I think, is the number one first thing we need to do is just slow down and be aware of the situation and actually look at it through non-jaded or non—how shall we say?—social distancing eyes.
[00:19:27.060] - Len Noe
There was a time when during the pandemic that there was that line in the sand, and there was a lot of concern about people's health. We are not in that situation anymore at this particular junction. We need to start looking at the technology as a technology again instead of just a life-saving measure because I do believe that we've given way too much priority to these based around the potential hazards that were being attempted to be alleviated through the use of this technology.
[00:20:01.040] - David Puner
So you are not saying, "Don't scan QR codes at all." You're just saying, "Be a lot more careful." In being careful, what are the basic things that you can do?
[00:20:15.290] - Len Noe
We need to use every technology responsibly. I don't care if it's e-mail. I don't care if it's SMS. I don't care if it's QR codes. Attackers and bad actors are out there. They know what they're doing, and they're going to prey on the ignorance of the general populace. So slow down. Take a look at the QR code links. This is a big one.
[00:20:41.380] - Len Noe
Pretty much any common device, from a tablet to a cell phone that's been made within the last 2-3 years, when you scan a QR code, it's not going to automatically take action. It's going to ask you, "What do you want me to do?" Do I want to open this link, or do I want to copy the link? Look at the link.
[00:21:02.320] - Len Noe
If you're scanning, say, a CyberArk QR code on one of our pieces of literature, and the URL that comes up in your browser says, "Short link, Bitly," or something that doesn't have anything to do with CyberArk, this is your first clue that this could be an issue. I'm not saying that it is, but it could. This is where taking responsibility for our own individual security and our identities and how we want to be safe comes into play.
[00:21:34.000] - Len Noe
There are companies that use URL shorteners. Personally, if it's not something that I can immediately identify, I won't use the QR code. Once again, this is the reason we're from a marketing perspective, we need to know where that QR code is taking us so that if I don't feel comfortable typing or scanning that QR code, I can still navigate to where I need to go if I'm interested in that information.
[00:21:59.850] - Len Noe
The other option would be to just straight up Google the company CyberArk, and if it's a QR code to listen to this podcast, type in to Google, "CyberArk, Trust Issues podcast, Len Noe, David Puner." You'll find us. QR codes are meant to be easy, but anything that is typically easy does not necessarily mean secure.
[00:22:26.780] - David Puner
Speaking of that, with that example, did you notice at Impact in Boston in July, did you notice our poster, which also happens to be right over my shoulder? Was definitely thinking of you when I put the URL under that QR code. This is the-
[00:22:42.420] - Len Noe
Oh, I was so happy see that. I have gotten so many dirty looks from people on vendor floors where I'm walking. I will walk up to everybody on the vendor floor and be like, "You know, that's not a good idea. And this is why." It's like a personal crusade for me. When I see things like, especially the adoption from CyberArk, it shows that we do care about people's safety, and we do care about security, and we're giving them that source of trust. So they know that when they scan something from us, they're going where they're supposed to.
[00:23:19.710] - David Puner
What about third-party QR code apps? Could they be a better choice than using just the camera app that's on your phone?
[00:23:27.180] - Len Noe
Honestly, no. Pretty much the only time I would suggest using a QR code app is if you're using a device that is old enough to where it doesn't have that functionality built in to the standard camera. Any time you're adding a third-party app, you don't necessarily know what's in that app, so you're adding an additional layer of complexity.
[00:23:49.550] - Len Noe
Unless you have a specific need for functionality that doesn't come out of the box, stick with the default. It's not going to do you any better or worse. All you're going to do is open one more door.
[00:24:02.800] - David Puner
What about if somebody has been hacked successfully via QR code? I'm sure there's all sorts of different things that could happen to the device or them, for that matter, but what should they do if that's happened and how will they know?
[00:24:16.960] - Len Noe
Well, that is the million-dollar question. Due to the fact that there are so many different attacks, it's very, very difficult to know unless the adversary does something that's going to actually alert you to the fact that you've been breached. If it's just an information grab, you may not ever find out. If it's somebody's trying to ransomware your mobile device, yeah, you'll figure that out pretty quickly as soon as you turn it on and it says, "Pay me, or you can't get in."
[00:24:46.820] - Len Noe
If you're being used as part of a crypto-mining scheme, again, you might notice your device running slowly. Unfortunately, there is no real one answer in regards to how to detect if you've been compromised. You know your device; if it's acting funny, you should know. You know the behaviors of your own devices.
[00:25:09.270] - Len Noe
If you're actually compromised, this is where things start getting really tricky. In the case of credential theft, if you're using any type of device—on-device applications, banking applications, business applications—if they have a local credentials store, there is the potential that those particular accounts could get compromised.
[00:25:33.810] - Len Noe
I've mentioned the word identity quite a few times in here, and this is where having some type of multifactor authentication to actually limit the escalation and lateral movement that may be able to be done as a result of any compromise credentials comes into play.
[00:25:50.120] - Len Noe
I multifactor everything, so even if they managed to get on my device; they get the usernames, they're still not necessarily going to be able to actually execute anything with those stolen credentials. Even when we're dealing with QR codes on a personal device, the same concepts of defense-in-depth and a layered security approach apply just as much to the individual as they do to a corporate entity.
[00:26:15.630] - David Puner
If you want to go even deeper on QR codes with Len, you can check out Len's webinar called QR Codes in the Post-Pandemic World. You can find that via the CyberArk blog from the blog post that is called Step Away From the QR Code and Read These 7 Safety Tips authored by Len. Len, is there any kind of testing that you perform on a rolling basis around QR codes?
[00:26:41.580] - Len Noe
Yeah, actually, this goes right into one of the answers in regards to mitigation strategies, and that's pick certain circumstances that QR codes are not going to be used for. Draw a line in the sand in terms of "I will not use QR codes to do this."
[00:26:58.870] - Len Noe
One of the great examples for that is adding your device to a Wi-Fi network. We're seeing this a lot over in Europe right now, especially in hotels, where rather than giving you a username or a captive portal to actually log into the hotel Wi-Fi, they just want you to scan a QR code, and it'll take care of authenticating you to the wireless network. You have no idea what you're signing into.
[00:27:24.460] - Len Noe
To that point, one of the things that I like to do when I go to a lot of these conferences that I speak at is I'll print off about 25 business cards, and whatever the conference is, I'll get their official logo, and I'll put a QR code on the business card and above that, I'll put the text that says, "Conference Wi-Fi." Then I'll just throw them around the conference, and if they scan the QR code, it doesn't attach them to a Wi-Fi; it actually takes them up to a website that's just got a hit counter on it.
[00:27:54.030] - Len Noe
Because we're CyberArk, and we're GDPR compliant, no, I am not saving any customer data of any kind. All it does is it's a single-hit counter, and when you get to the page, it says, "You really should be aware of what you're scanning." The minimum amount I've ever gotten was 8 out of 25. The most I've ever gotten was 18 out of 25.
[00:28:18.400] - Len Noe
Even at security conferences, we're still not actually taking the security measures we need. I think just getting more information out around QR codes; we need to use them responsibly. We've said that so many times during this interview, but it's something that I just can't stress enough.
[00:28:37.630] - David Puner
Wow! The irony of it being at security conferences, really eye-opening stuff. Anything else about this particular topic of QR codes that you want to get into this particular conversation?
[00:28:50.940] - Len Noe
The last couple of points is, I have seen a lot of utility companies now including QR codes on a lot of their invoices and bills. I am one of those people that will tell everybody, "Navigate directly to the website," or if your electric company or your utility company has their own dedicated app, use that."
[00:29:14.390] - Len Noe
Finally, don't use QR codes as a shortcut to downloading applications from either the App Store or the Android Marketplace. Use the correct app stores or markets for your appropriate device and don't take those shortcuts because there have been numerous incidents in the wild where people are actually pulling down copies of those marketplace pages and actually supplying Trojans as opposed to the actual APKs or application files. Just basically, if you look at what we tell people in corporate environments, assume breach. On a personal device, assume that somebody's trying to get in.
[00:29:58.470] - Len Noe
The last thing I want to point out to that is this part of this conversation I have had with more people than I can count. "Len, I don't have anything on my device that anybody would want. I hear this all-
[00:30:11.010] - David Puner
Is that right?
[00:30:12.170] - Len Noe
Oh, I hear this all the time. People are like, "Oh, I'm not worried. I don't have anything on my device." It's not always about what's on your device. These are the things that I wish people would realize. You could be used as part of a larger proxy chain in a large-scale attack. So I could basically route my traffic through you and make it look like you were the one that was actually doing the bad deeds, and then you have to try and deal with the authorities to clear your name.
[00:30:42.500] - Len Noe
I could use you as a counterfeit, identity theft, information theft. Please, just because you're not some type of a Fortune 100 company, please don't think that somebody gaining access to one of your technical devices does not provide them an advantage and put you at risk—because it does.
[00:31:04.690] - David Puner
Len, it is always illuminating speaking with you. I'm sure you'll be on again. As a tease, potentially, do you have any new implants of note that you'd like to mention now, or are we going to save those for some time down the road?
[00:31:18.490] - Len Noe
Well, as a tease, I know the last time we talked, we were discussing my peg leg, which is the Raspberry Pi Zero that I was putting in my leg. I-
[00:31:27.890] - David Puner
[crosstalk 00:31:26]
[00:31:26.970] - Len Noe
I've been doing a lot of work with that. We had a couple of failures in the bioencapsulation and some issues with the indirect charging system, but we managed. I did manage to get the indirect charger working, and I just shipped off four more prototypes to the company that's doing the medical bioencapsulation for me. They're going to go ahead and seal those up, and we're going to get them tested. As soon as they pass QA, I've already got my installer waiting for me. At that point, we'll have the Cali in the leg. We'll see how much fun it is trying to get through an airport at that point.
[00:32:03.720] - David Puner
You do not seem like a man who is heavily jetlagged at this moment, but really appreciate you coming on here to talk about QR codes. Always a pleasure.
[00:32:13.280] - Len Noe
Absolutely, David. Thank you very much for having me back. I enjoyed it.
[00:32:22.840] - David Puner
Thanks for listening to today's episode of Trust Issues. We'd love to hear from you. If you have a question, comment—constructive comment, preferably, but it's up to you—or an episode suggestion, please drop us an e-mail at trustissues@cyberark.com. Make sure you're following us wherever you listen to podcasts.