Click, BBC News, April 29, 2017, 12:30pm-1:01pm BST
12:30 pm
here's a good fighter, you can't deny that. they've done a good job, and my job is to be the same. i don't want to beat him and people to say, x, x, x. i listen to what he has to say. he's got passion. when i faced him, i want to say i faced the best man possible. the man that is coming off a defeated the best man. you learn from your mistakes. that is why i'm looking forward to the challenge. i've been in the past always preparing for my next fight as my last fight. i've been doing it for many years like that. i definitely will need to give my best, not just a little bit of it, but all my best. i want to have it all. i don't just want to win the fight, i want to win the fight great. it's the final old firm derby of the season, and third placed rangers are yet to get a victory against the scottish
12:31 pm
premiership champions celtic. and it's not looking likely today either. they're less than half an hour in at ibrox, and celtic have already shown why they're unbeaten domestically this season. scott sinclair put away an early penalty. and then there was a brilliant strike from leigh griffiths too. the power increased as it went into the net. 2-0 is the score still, after around 40 minutes. in the premier league, it could be a sad afternoon for sunderland, who take on bournemouth at the stadium of light. david moyes' side can be relegated, if they fail, to at least match hull city's result at southampton. we'll need a really, really good run of results for things to go our way, but while there's a chance we're not going to admit to anything else. so we've got to try and win. we have done and said in every other game that we've got to try and win and we've not done so. what i'd say about this one is we're at home, we've got a great chance, we played quite well in recent games so we'll take that into the game and hope we can get a result from it. sebastian vettel will be hoping to claim pole position for the first time this season after dominating
12:32 pm
final practice for the russian grand prix. the german topped the timesheets by more than three tenths of a second from his ferrari team mate kimi raikkonen. and vettel was more than half a second clear of his championship rival lewis hamilton who was fourth behind mercedes team mate valtteri bottas. qualifying gets under way at one o'clock and you can follow the action on bbc radio five live sports extra and the bbc sport website. john higgins leads barry hawkins 13 frames to 7 in the semi-finals of the world snooker championship in sheffield. the match resumed this morning with higgins leading 10-6, the first to 17 goes through to the final. after winning a frame each, hawkins had the chance to narrow the gap to three frames but missed this pink. in fact it took the players over six minutes to finally get it in. and it was higgins who did, to win the frame and take that six frame lead. that's all sport for now. now on bbc news, it's time for click. hackers beware — finally there is a box
12:33 pm
which is immune to your attacks. hack-proof. totally secure. sounds like a challenge to me! over the last few years, billions of e-mail accounts have been hacked. has yours? last year, yahoo announced that over 1.5 billion e-mail accounts were compromised between 2013 and 2014 — the largest breach in history. then it emerged that russian hackers had gained access to 60,000 e-mails from hillary clinton's
12:34 pm
presidential campaign. some believe the resulting leaks helped swing the election for trump. and what it certainly did reveal is something most of us already knew — we send, each of us, all the time, hugely personal information around the internet. information that we'd like to keep private, but others are all too often able to see. so how about something that guarantees to protect all of those e-mails? sounds like something you'd want to have, doesn't it? well, this is nomx, a box which promises to secure your e-mails 100%. it was at ces that we came across this device as it was introduced to the world, and it caught our eye. i met the boss, will donaldson, who has impressive security credentials himself. he has worked in computer security and worked on web applications for the pentagon, the marine corps and he was
12:35 pm
chief technology officer for the f35 joint strike fighter communications facility. so what does he think is wrong with bog standard e-mail? well, the nomx promotional videos explain the problem — when you send an e-mail, copies of the message end up on several internet servers along the way. will says all of the recent big e-mail hacks have involved one of these servers being compromised — and what's more, through a known vulnerability. so those vulnerabilities, we have identified six core ones that encompass 100% of hacks that have occurred to date. will's solution is a $199 box that acts as your own personal e-mail server. it will talk to other e-mail services, but where it comes into its own is when it connects directly to another nomx box at the other end, the pair of them replacing the cloud servers that your e-mails would usually flow through.
12:36 pm
that means no copies are stored anywhere, but on your box and the recipient's. the idea has caught the imagination of some in the security industry, who have called it a "personal cloud on steroids" and will himself has become a bit of a star, being interviewed on us national television and elsewhere in the media as a security guru. so what you're pitching here is that you can make a black box, that black box there, that is more secure than a multibillion dollar company's servers? absolutely. it's been proved they're vulnerable. my question to you is — you're not a multibillion dollar company. not yet. why should i believe that your security is any better than theirs and why should i believe that there are no vulnerabilities that you have accidentally left in your box? what we have done is identify the categories of those vulnerabilities and all of the hacks
12:37 pm
have occurred have been in those traces vulnerabilities. by removing them from the equation, we have now negated them on our protocol. so the theory sounds a good one — avoid making multiple copies of your messages across potentially vulnerable servers on the internet. you just have to rely on the nomx boxes themselves not being open to hacking. well... you all know this man, dan simmons, one of click's most experienced reporters and famously, if someone says something is unbreakable, you try and break it? yeah! well, look, often on this programme we look at new things and we are as excited as anybody to see them, but sometimes, just sometimes, something seems a little bit too good to be true and absolute security, i've never heard anyone in the cyber security industry promise that, but that is exactly what this company are doing. so to prove a point, you're going to try and hack this box? yes. i think i have found somebody who may be able to do it. ok!
12:38 pm
scott helme is one of the uk's most respected professional white hat hackers, or penetration testers. he's helped discover some big security flaws in the past, including hacking home routers and electric cars. scott's had the nomx box in his hands for just a few minutes and he's already suspicious. hey, scott. how's it going? how did you get on? good, yes. i have had a look over this device and i was quite surprised when you first gave it to me. so when i flipped it over, we saw what we call the mac address here, which is the device's unique identifier and these first three segments identify the manufacturer, that tells you who builds the device. so i went away and i looked these up and they're actually registered to the raspberry pi foundation that make the raspberry pi computer. that's the hobbyists' computer we have seen on click. the credit card-sized device. but nomx is the manufacturer? yeah. so what i did, i went ahead and opened this up and what we found inside...
12:39 pm
if i can just open these parts here. there is in fact a raspberry pi inside this, which is white felt, all white. wow. there is nothing else they have done with this that we can see inside. that is just a standard £35 raspberry pi. correct. but what does that say to you when — as a security guy — when you look inside? i guess, there are further things to be found here that may surprise us. i've also asked professor alan woodward, a well known cyber security expert, who has advised the uk government and europol, to take a look at the nomx box to see how it works. so, how have you got on? well, already through the setup process, for a product that bills itself as being absolutely secure, there are a few things that we found that give rise for concern. and we certainly want to look a bit further into it. just plugging it in has sent alarm bells ringing for alan. the setup of the device is through a web application that
12:40 pm
wasn't particularly helpful. it doesn't ask alan to open port 25. now, that is a key port on his router he will need to communicate with popular e-mail servers like gmail or microsoft accounts. it's never going to receive e-mail from an external service. unless you change your router? unless you know to go to your router and change port 25. and does it tell you that? no, it doesn't, the documentation doesn't have it in there. it tells you all these other ports, but not port 25. so you're having a quiet life for a few years to come, receiving no e-mails at all? but it gets better. hotmail instantly knows that you're sending it from a domestic ip address. it's what's called a dynamic address, because it changes. it's not yours for life. every time you turn your router on you get a new one. it spots that and says, we don't accept e-mails from dynamic addresses. because they just assume nobody's going to be running an e-mail server on a domestic system like this. so this box can't send an e-mail to hotmail? to any hotmail address?
12:41 pm
no. and if you try and send it to something like gmail, then what happens is, because of things like the way hotmail spots it, as you will see there, we are actually blacklisted already. spamhaus, which is one of the biggest spam filters, says this is a spam box. it has blacklisted us. now to be fair, nomx doesn't open port 25, it uses port 26. but as we have seen, without 25 open, it's going to be difficult to hear from the rest of the world. well, bearing in mind it has one job to do, which is be an e-mail server, that's a pretty poor show. and there were more surprises to come when alan opened the box. one of the simplest machines to break into is a raspberry pi. everything is on this one little card. it is on one of these tiny little cards. so all of your e-mails, all of your software, everything is running on one of these tiny little cards. now, actually, if somebody did have physical access
12:42 pm
to this what they could do is they could whip that card out, copy it, put the card back in, put it all back together and you would be none the wiser and they have got a copy of everything, including your e-mail. because one of the things about this is it's not encrypted in any way on the card. this is not using any encryption? for storage, none at all. and what we did was, you said the simplest thing to do, because it is a complete raspberry pi, the simplest thing to do was actually plug it into a monitor and see what came up. so this is an hdmi. hdmi cable. here we go. the first concern would be if it is actually running raspberry pi as an operating system, which it is, it immediately tells you it is. postfix is the mail transport agent, that is part of the mail server. it was just all totally standard stuff. so how old is the software on there at the moment? well, that's another thing that we found, which was really... i would say alarming. in that it's so old we couldn't actually get hold of some of the software.
12:43 pm
it's running raspberry pi's own operating system. it is a version called wheezy, which you can no longer download from the raspberry pi website. they have taken it off because they don't want people downloading it, it's that old. likewise all this postfix admin, there is another piece of software called dovecot, all of which are free bits of software, but some of it dates back to 2009. it's inevitable that people will find bugs, flaws, in any bit of software and what people do is they release a later version with the bug fix. the problem with the way this is put together is there is no way of doing that. there is a whole series of things about the way this is put together that make you think, absolute security is... a stretch. now, it is important to say at this point, there is nothing wrong with the hardware or the software that you're talking about per se, raspberry pi is fine, the software used, postfix admin, is just a piece of off-the-shelf software. yes, i mean the raspberry pi
12:44 pm
is a great bit of kit and postfix, as in the other programmes we have looked at, they do the job, if you've got the latest versions of them. but this box doesn't run those. by a mile it doesn't run those. they're still selling this box right now as a finished product? it was being sold when you were testing it? absolutely and as we are filming it is today. ok, you have studied the box, what next? well, surprise, surprise, scott thinks he can hack it. so i thought, yeah, ok, fair enough, go ahead and we'll film it. so to start with, we decided to get a second box in, just to make sure this wasn't a prototype or there was anything dodgy with it and that came along in the post. right, got a letter in the post from nomx to say, "dear dan, as per your request i have enclosed another device for you to use in your bbc click programme." there you go, scott. see what you make of it. let's see. so we appear to have some instructions in this one. that is the first one?
12:45 pm
yes, the original device. they do appear... it appears the same. so that, if it is the same, it is not going to be a prototype. yeah, so this is what we are looking for, are the additional ones they're sending the same. looking at the mac on the bottom, it appears to be a raspberry pi, as the last one. the hardware's identical, so scott's using a programme called meld to check if the software is the same too. it's showing us that they're virtually identical with a couple of minor changes that don't change the operation of the box. they're actually using the same user name and password on all devices, which is printed just there in the manual. so this is admin@example.com and the password is "password". and do they tell you to change that? obviously they do? no. they don't. it's not in the instructions and when i log into the device it also doesn't tell me to change it.
12:46 pm
so all these high security boxes have the same admin log-in and password. yes. which is password. it is a fundamental flaw in security. you cannot have a weak password and a default password — and this is both — and leave it on the device. you should force the user to set their own password so that every device in the world has a unique password. because otherwise, because we're lazy, aren't we? we would just leave that as password, because i'll remember it. yes. look at this, here we go. you have one of these at home, it is just a normal router. this is 7f7f, a pin on here that's unique to this device. here is another device that i might plug in. that has its own unique pin. you pick up one of these nomx boxes, there is no pin on here, apart from the security through the web server, which is the password... "password". and knowing that, has opened a door for scott to deliver a package of his own. if users haven't changed their password, then scott's malicious software will hand him control of their e-mails. so this is the picture of the cat,
12:47 pm
there is the picture of steve jobs and those two things go in to this page. all he's got to do now is persuade unsuspecting users to open it. completely unrelated, i'm going to show you this funny website. top ten funniest pictures of your pet. and what i'm going to do now is i'm going to go back to the nomx device and if i scroll down, how many e-mail addresses are registered on this device. you have got two. where did that one come from? that one was placed there by the website with the pictures of cats and dogs on that we just looked at. but what this actually does is launch something called a cross site request forgery attack. now when i visit this website, while i'm reading this article, it is attacking the nomx device. i can do anything that i want on your nomx device, simply by you visiting this page. we then went back and looked at these older versions
12:48 pm
of the software and this is a fault that's been recorded over many years. wow! so they have in fact, not just nomx, but everyone's known about this. yes. possible problem. time for a cup of tea. now, remember, nomx claim to have the world's most secure protocol, offering absolute security and they even take issue with services like gmail and microsoft, saying everything else is insecure. but we've just discovered how to hack these boxes in a really simple way. the things i found are in the top ten, they are and have been for a long time the most common vulnerabilities found in the web. we have platforms that we look at. when you teach people how to develop web applications, you say, these are the things you need
12:49 pm
to check for and it's in the top ten things you tell them to look for. is this a schoolboy error? yeah, for a company that's making claims about absolute security, then they should have been aware of the owasp top ten and run that list against their application. would you want one? no. i wouldn't pay folding money for it. i can't see how they can patch it and protect their consumers. that's my concern. i can't see how they can look after the people that have been put at risk and currently are at risk, and always have been at risk. this risk has always existed. we just didn't know about it. all we've done is find it. and bring it to life. i can't see how they can protect those people, other than telling them to unplug the device and stop using it. now it's worth saying that users who had changed their admin password wouldn't have been quite as vulnerable to this attack. so scott wanted to go further and found this key lying around in the code — an identical key on both nomx boxes. these innocuous looking two lines are the master password
12:50 pm
for the whole system. it shouldn't be in full view when analysing the code on the box, but, hey, it is. now, it looks like gobbledegook, because this is the master password in encrypted form — known as a hash. and it is useless to anyone... unless you can crack it. scott's got some — shall we say — resourceful friends, but the fact the master password is a five-letter word all in lower case made it easy. a simple dictionary attack took less than ten minutes to decode it and now scott has the keys to the castle. it doesn't matter now if users have changed their admin passwords from password, they just need to click on the kittens. you don't have to visit this malicious website on the machine that you're administering the box with. it just needs to be another machine that's on the same
12:51 pm
network as that box. so your teenage daughter, for example, or anyone else, granny or whatever, could get this message, click on the cute furry kitten and it's kittens? exactly. one of the scary things is if i know your e-mail address, i can actually change the passwords for your e-mail address and then immediately log into your e-mail account, so i can effectively hijack your account and take full control of it. that's not even the worst part. i can effectively almost wire-tap the device and see everything that you send from that point on. alerting a company quickly that they have a security problem is best practice for ethical hackers. so scott sends an e-mail to warn nomx its users are vulnerable to attack. right, so it's not absolutely secure then? no. not if that happens, no. what did the company say about that? they say scott's hack is a proof of concept. well, scott says it is a proof of concept. that's the whole point, they haven't
12:52 pm
actually hacked anyone yet. the idea of ethical hacking, white-hat hacking, is to tell the company first that they can do something about it. and the clock is now ticking. scott's given them 30 days to sort this out, before he says he will publish the details of the hack. but nomx has no way of updating its boxes, so how can it possibly patch this problem? good point! 30 days are up and scott is ready to publish his findings. nomx have told him that they have notified 100% of their users and updated or upgraded any devices that could be affected by the hack. i have two of the devices in my possession. neither of which have been updated, and i also can't find a way to update them. in fairness, we have a box on click and we have not had any notification of any problem with the box either. ok, so it's not quite 100% then. nomx also told scott they have requested users not browse websites while the mail app was open.
12:53 pm
it's not really viable. it puts the burden on to the user. so you as a user are responsible for behaving in a particular way so you can't be hacked. that's not really fair on the end user. to show goodwill, scott held off publishing the attack for another ten days. until today. and? what happened? we got in contact with nomx to say, look, we are filming with scott and we need some answers if you wouldn't mind. we gave them an opportunity to be interviewed. they declined. but they did send us some responses to some of our questions. one of which, yesterday, the ceo told me, nomx security claims don't apply if your home network has been breached. now that's the kittens thing on the browser, if somebody clicks on that you're infected and basically will donaldson is saying that is nothing to do with us, that's your home network. that's a bit like saying if everything else in your
12:54 pm
home is insecure, then we're insecure too. in fact the box doesn't add anything to the weakest link in your home and that is, i would say, at odds with what they're saying on their website. now, will told me that no boxes have been compromised again. i said, well how do you know? he said, well we've asked some of our users. right. it's april 26th. and we have learned today that will is removing the devices from his website and he won't be selling them any more, he won't be shipping them in their current form, he says, with raspberry pi. he is going to wait for a hardware upgrade and then start again. although we have been on his website today and he looks like he's still selling them. right. now, he also says that all the major e-mail providers have been hacked in the past and actually still nomx hasn't. dan, well done. what a fascinating story.
12:55 pm
alan, we don't know whether there are tens, hundreds or thousands of these boxes out there. but what does this tell us about the wider security industry? it raises that wider concern that anybody can make claims, they can put a product out there and make claims, even if they're really bold claims like this, "absolute security", but nobody's checking it. there is no standardisation. there is no gold standard against which you can actually compare them. so really it's buyer beware. to be fair, do you think this idea of end to end communications could work? yes, you could make it work, but as is so often the case with security, the thing that really lets this down is the way it's implemented. ok. so, scott, you are about to release details of your hack? yes. on to your blog, so it can be read by the world.
12:56 pm
and this is not anything special that scott's doing for us. this is part of his ethical hacking procedure. are you still happy to publish? yeah, the company's told us that they have notified all their customers. there is an update or replacement device, so no users are at risk any more. go for it. off we go. there we are. i was kind of expecting a noise or something. but it's on your blog now. what would you say to anyone who owns one of these nomx boxes? if you have one, i would stop using it and repurpose the device. ok. unattractive coaster? perhaps, but i would not recommend using it. scott, alan, thank you for your time. my friend, i'm sorry, you're out of here! that is it for this special click. normal service is resumed next week and if you want more details, including a link to scott's blog, then check us out on
12:57 pm
twitter at bbc click. if you can't stay absolutely secure, then try and stay safe. thanks for watching and we will see you soon. hello, there. as we head to the remainder of the bank holiday weekend, the weather is looking a little bit mixed. here is the scene this morning, taken by one of the weather watchers near twickenham. patchy cloud, but very thin across much of the country. breaking up during the afternoon to allow some decent spells of sunshine. towards the west, you can see the southerly wind arrows. they are going to be picking up on the west. further east, less windy, temperatures up to 17 degrees. heading through into this evening, many of us ending the day
12:58 pm
on a fine, dry, bright note. turning breezy overnight. cloud increasing from the south-west. that means it should be frost free, with temperatures of nine or 10 degrees. wet and windy weather on sunday across the south-west of england. nudging further north eastwards, much of eastern england, into scotland, staying dry and bright, temperatures up to 16 degrees once again, feeling a little cooler around the east coast. bank holiday monday, sunshine and scattered showers towards the south, brighter and dry in the north. goodbye for now. good afternoon. 27 european union leaders meeting in brussels have unanimously agreed their negotiating terms for britain leaving the eu. among other demands, they say the uk must agree a financial settlement, and the future rights of eu citizens, before any trade talks take place. from brussels, our europe correspondent damian grammaticas reports. it has taken just one month since
12:59 pm