The Host Unknown Podcast - Episode 101 - My Brain Hurts

Episode Date: April 29, 2022

This Week in InfoSec (09:26)
With content liberated from the "today in infosec" Twitter account and further afield

26th April 2013: LivingSocial informed its employees that 50 million users' names, emails, dates of birth, and SHA1 hashed passwords were compromised.
LivingSocial Hacked
https://twitter.com/todayininfosec/status/1519039747301199872

26th April 1999: The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus, triggers on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history; Turkey and South Korea alone reported 300,000 infected systems.

As Seen on Reddit (23:29)
My thoughts on a decade of Cyber Security: 10 Lessons I've learned
Reddit user u/CrowGrandFather has spent more than a decade in the Cyber Security Industry and has come up with 10 lessons he learned along the way.
1. Cyber is risk and nothing else
2. No one cares about your stats
3. Understand that not everyone is as smart as you
4. Stop with the playbooks
5. Read the news for your boss
6. Blackhat is mostly pointless
7. Location, Location, Location
8. You're probably doing threat intelligence wrong
9. Don't write to be understood, write so that you can't possibly be misunderstood
10. Make friends with your Marketing team
[That was this week's As Seen on Reddit]

Industry News (42:07)
LinkedIn Becomes the Most Impersonated Brand for Phishing Attacks
Costa Rica Refuses to Pay Cyber Ransom
Bored Ape Yacht Club Customers Lose $3m in NFT Scam
French Hospitals Cut Internet Connection After Data Raid
Security Teams Should Be Addressing Quantum Cyber-Threats Now
Private Investigator Admits Role in Hedge Fund Hack
UK Schools Can Sign-Up to Free Government-Grade Security
Coca-Cola Investigates Data Breach Claim
Crypto Trading Fund Partners Accused of Fraud

Tweet of the Week (45:00)
https://twitter.com/austinpeay/status/1519397653305561088
https://twitter.com/austinpeay/status/1519399475785125889

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Recording all of that, it would have been a perfect opener. Can we do like a Kardashian, you know, where they recreate scenes where something funny happens and then they say, no, no, let's just do this and pretend this is what happened when the cameras were on. Jesus. Let's just tell everyone it was a fun opener. Okay, but as long as I'm Chloe.
Starting point is 00:00:24 That's the only one I know. Sorry. Is Kanye still a... He's not a Kardashian anymore, is he? No. Isn't he? Well, actually, I don't know why I said that. I didn't even know he was even considered to be.
Starting point is 00:00:36 Well, he was married to Kim, and now they're divorced. Fair enough. These people are obviously moving in circles that I do not frequent. No, I don't think you frequent the Kardashians. But you are now a CISO, so you are back in certain circles, aren't you, Tom? I am. I am. I'm meeting with vendors for dinner and everything.
Starting point is 00:01:00 You do it, you all. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 101-ish of the Host Unknown Podcast. We are back after a two-week Ramadan and COVID hiatus. Welcome, gentlemen. How are we? Andy, what's occurring? Well, like our listeners in North Korea, I cannot complain.
Starting point is 00:01:39 You've been waiting 100 episodes to say that one, haven't you? 104 episodes to say that one. I'm telling you, I counted the episodes. We really are on 101. But as we point out, just because you didn't record them on your side, it doesn't mean that we didn't record them. But if a tree falls over in a forest and there's nobody there to hear it, does it make a sound?
Starting point is 00:02:03 Well, as I say, if I talk into a microphone with you guys and we have a loose agenda, right, I'm counting that as a recording. Like, if you're not copying it on your side, that's on you. Okay, so in which case we're on about episode 382, given the amount we often chat about stuff, and they go, oh, we should have been recording that. Yeah. No, not too much. I'm winding down at work. I'm moving jobs, one week to go.
Starting point is 00:02:33 Ooh, moving jobs. Does this mean you're actually going to have more time or less time? Well, you can't have less time. You literally can't fit any more hours. No, do you? It's going to be fun. I'm also intrigued as to what's going to happen. Yeah.
Starting point is 00:02:47 I'm just going to say, all I'm going to say is my one piece of, my one warning is you can be fired with just your notice in the first two years with no legal recourse. I'm just saying. I'm just saying. Spoken like the voice of experience. Absolutely. Absolutely.
Starting point is 00:03:05 And for all my current and future employers, when I say fired, I mean, you know, pursuing different avenues. Yeah. Yeah. Difference of opinions. Exactly. Exactly. Jeff, how are you? Fantastic.
Starting point is 00:03:19 Thank you. So last week I was in Orlando for Know Before Con, the first physical conference Know Before has had in two years. You were doing your Chris Rock impression, weren't you? I was. Trying not to get smacked in the mouth by the boss. I didn't get smacked in the mouth. I was the emcee for the event, so I did actually start off by like, please nobody Will Smith me because unlike Chris Rock,
Starting point is 00:03:43 I can't actually take a punch or a slap. Were you writing these on the plane on the way out there? No, I was just scrolling through TikTok and stealing ideas. It's a lot easier. So you had one job when you were out there, you know that, and you failed, which was our mutual friend, Kai Rohr, and the other chap, Perry Carpenter, our mutual friend as well, both wrote a book, and you were there with them both.
Starting point is 00:04:18 All I asked for was a free signed copy of their book, and no, couldn't do it. Couldn't do it. Yeah, what they heard was free copy. They didn't care about this. So I know you tried to play to their egos, and so they're like, yeah, yeah, of course, but they're professionals, man. They see right through that stuff. Yeah, you know, I got a copy, but I only got Perry to sign it. I didn't have it on me when I met Kai. So I thought you're gonna say you asked Kai specifically not to sign it.
Starting point is 00:04:50 Well, Kai signed so many books that his unsigned ones are more valuable, aren't they? Yeah. Yeah, I've ordered it. It's arriving today. I've actually had to pay for a book my friends, colleagues have written. I'm heartbroken. I'm heartbroken. Remember this when I finish my book. As a CISO, it must be a really alien experience to actually have to pay for anything. Yeah, just remind him he could probably expense it. It's literally called Security Culture, isn't it? Oh yeah, that goes under education and learning, doesn't it? Yes. And after reading it, you can claim CPEs for it as well. You mean after claiming I read it, I can claim CPEs for it. I have a lot of books on my shelf that I claimed I've read.
Starting point is 00:05:37 Just go to summaries.com or whatever the website is. They do the short versions, which are really good. And actually, YouTube sometimes has really good audio summaries of a book, and if you listen to it at 1.5 or 2x speed, then you can actually do it even quicker. It's absolutely brilliant. Anyway, how's your week been? How's your two weeks been, COVID boy? Well, yeah, so I start work on a new job at the beginning of April. All good. Test positive for COVID at the beginning of the next week.
Starting point is 00:06:16 I'm in bed for a week, and then still positive, although walking wounded, for the third week, so I'm working from home. So this last week was only my second week in the office. But I tell you what, this CISO job is difficult, isn't it? It's hard work. Why are you asking me? I don't know.
Starting point is 00:06:34 Yeah, actually, why am I asking either of you, to be honest with you? My God. Didn't you already try and fail at this CISO job in the past? As in what, sorry? Didn't you already try and fail at this CISO job in the past? No, I successfully failed at the last. Oh, no, I did not successfully fail at all. I didn't fail at all.
Starting point is 00:06:56 No, I just, I think because the last CISO role I had, I kind of, because it was the result of an acquisition and because it was effectively Greenfield and all that sort of stuff and because I had an existing team which I built on, it was a slightly easier process. Whereas at the moment, it's like, bang, no induction, no onboarding, in you get. And it's just really I feel like I'm drowning at the deep end
Starting point is 00:07:23 while they keep tying extra weights to me. I did have a couple of breakthroughs this week, which was good, which was good, actually. Breakthroughs are better than breakdowns. Well, yes, exactly. Been there, done that. Don't recommend it. So, which was good, you know,
Starting point is 00:07:39 and I've got my first security board report that I'm presenting the week after next. Deck's got to be in next week, so, you know, there's lots of proper work going on and everything. So yeah, it's an interesting environment. I'm enjoying myself. Lovely people. But wow, I'm confused as hell. Steady, Tom. This sounds like an actual useful bit of information. We should do this on the podcast regularly. The first 90 days, as we start your mental health declining. Yeah, part of my security board review deck will be, you know, level of work, my mental health, yes, quality of work,
Starting point is 00:08:21 work-life balance. Work-life balance. Number of topics covered on Host Unknown podcast. Cost of rehab. Or everything else is MasterCard. Yeah, yeah. Or corporate Amex, let's face it. Yeah. Let's face it.
Starting point is 00:08:39 Well, okay. Let's see what we've got coming up for you today. Well, this week in InfoSec talks about the life before Groupon. Rant of the Week is still on holiday, the lazy thing. So this week we are covering, as seen on Reddit, Billy Big Balls is also still on holiday. So we'll go straight on into industry news, which brings us the latest and greatest security news stories from around the world, and tweet of the week is an urgent message for users.
Starting point is 00:09:14 Okay, so let's get on, shall we, into our favourite part of the show, the part of the show that we like to call This Week in InfoSec. It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. So our first story takes us back a mere nine years to the 26th of April 2013 when LivingSocial informed its employees that 50 million users' names, emails, dates of birth and SHA-1 hashed passwords were compromised.
Starting point is 00:10:10 So for those who don't recall this company, which boasted huge numbers at its peak, LivingSocial was, and still is in a different way, an online marketplace which allowed users to buy and share things in their city. So formerly headquartered in Washington, LivingSocial had around 70 million members around the world in 2013. So not a small company by any stretch of the imagination. So they were founded in 2007 by four employees of a health group company. And they initially launched LivingSocial as like a daily deals website. And they offered their first deal to the public in July of 2009, so like two years later that was, and in less than 12 months after that they had actually launched in 25 different
cities. Huge growth. Everything was looking good, right? So they had raised over 800 million dollars in venture capital funds. Wow. They were hiring dozens of workers each month, constantly breaking into new cities around the globe, collecting hundreds of millions of dollars from investors. They actually acquired at least eight companies around the world in the space of two years, boosted their numbers up to 4,500 employees. And amongst their investors actually include Jeff Bezos. Wow. So he chucked in $175 million as an investor. So life was good, right?
Starting point is 00:11:34 And then obviously Murphy's Law kicked in. So despite best efforts, the company didn't reach the size it needed to be for these particular tax breaks to kick in, and so they'd released some sort of subleased offices that they had previously purchased. And at the same time the industry kind of had this realisation that daily deals were just not a sustainable business. And so just as the company was sort of strategising how to adapt, you know, where do they go in the future? They said, well, we're going to go from a daily deals website to become a mobile app.
Starting point is 00:12:19 Then obviously the 26th of April 2013 rolls around and the CEO announced that their database had been hacked and 15 million of their registered users were impacted. Is this like the equivalent of, you know, a restaurant sort of slowly going out of business and then suddenly it catches fire the next day? Yeah, well, do you know what? There were suspicions of that, but they don't know because they did try and go on for a bit longer. I think they obviously did panic in terms of, you know, I mean, I don't know if you remember when Groupon first sort of hit big in the UK. You know, you sign up to it and, like, the first two weeks were like a novelty. And then it was like, holy crap, stop spamming me.
Starting point is 00:12:51 And it's like you literally just add them to the spam filters. Well, you use it because you see that one product that, oh yeah, that looks good. I love that. And then, you know, before you know it, you know, if you like this, if you like network cables, you like mattresses. Yeah, 46% off hair straighteners. Yeah, yeah. Do you know, and there's only so many pairs of those I could buy. Yeah.
Starting point is 00:13:11 one for every day of the week yeah exactly but uh obviously they're they did the classic announcement so this was back in 2013 and it's an announcement that stood the test of time. Credit card information was not compromised. Yes. Yes. Hallelujah. And they take cybersecurity seriously. They take cybersecurity seriously.
Starting point is 00:13:37 But every other bit of user information they had, dates of birth, password, everything was exposed. But in the announcement, the at-the-time CEO, Tim O'Shaughnessy, told customers that the stolen passwords had been hashed and salted, which meant that, you know, passcodes were converted into a one-way cryptographic representation that used random strings to cause each hash string to be unique. And so he obviously went on to make the statement that your LivingSocial password would be difficult to decode, which then sent Twitter into overdrive on commentary, obviously. But I'm not saying that the breach was the fatal blow to LivingSocial, but, you know, from
its peak of 4,500 employees, they dropped to 800 employees after the breach. Wow. And yeah, two years later they dropped to just 200 employees. In 2016 they still go now, they are, but they were acquired by Groupon in 2016 for an undisclosed amount of money. So Groupon was one of their competitors at the time. So it was undisclosed at time of acquisition, and then a couple of months later Groupon confirmed that the amount they paid was zero dollars. They just took on the debt. They just took on the debt and the customer base, I guess. Mercy kill. Yeah, yeah, it was a mercy kill. But although, you know, it's common, you know, during these attacks, yeah, this happened a year after the LinkedIn breach, two years after the Sony breach. Has anything really changed?
Starting point is 00:15:09 Advice that came out from a lot of security professionals, one I saw from Chris Wysopal, said that there's some concrete steps individuals can take to protect themselves because it's not clear exactly when the attack happens. Check your email, see if it's been accessed from strange places or if it's been forwarded elsewhere, and if you're using the same password on multiple sites, now is the time to change them and use a password manager. I've heard that somewhere before. It sounds really familiar. Yeah, it sounds like you, Jav, actually, because that's what you say in all of your articles. Yeah, so this obviously in 2013 wouldn't surprise me, Jav. You're still quite the fan of
replicating other people's content back then, weren't you? Still, quite honestly, that is... Objection, your honour. That's harsh. Funny, true, but harsh. Funny, true. What are you talking about? Oh, dear. Motherfuckers. But this is an interesting one because, you know,
Starting point is 00:16:15 very often you talked about the two other examples. What was it, LinkedIn and Adobe, did you say? Sony. Sony, that's right. Yeah, Adobe were prior to that. Yeah, and Adobe as well. But, you know that both those cases and Sony as well all three of them
Starting point is 00:16:28 those are companies that have continued to grow and expand afterwards as well this is a rare example of a company dying after a security breach
Starting point is 00:16:44 but it does show that it's actually more complex than just a security breach will kill the company because it sounds like they were already on a little bit of a downward spiral anyway, right? Yeah, well, I think, I guess, if you don't have a good product, I think that's the thing. There's only so many daily deals you can span out to people.
Starting point is 00:17:07 People are not going to buy stuff every day. If your business is not robust in the first place, then a security breach could take it out. Yeah. But if it is a robust business, chances are you'll survive it and continue to grow. Yeah. But in terms of, you know, what they said, everything they suggested,
Starting point is 00:17:26 playbook response seemed to be pretty good, pretty standard. But alas. So our second story takes us back 23 years to the 26th of April 1999, when the first known virus to target the flash BIOS of a PC, the CIH virus, triggered on that day, erasing hard drives and disabling PCs primarily in Asia and Europe. So it was one of the most destructive viruses in history, with Turkey and South Korea impacted by at least
Starting point is 00:18:02 300 000 infected systems. And I have no idea why the stats focused on Turkey and South Korea, because they're not the usual yardsticks for virus. 300,000 in today's terms is nothing, right? Yeah, but this is 1999. Yeah, I know, I know. But, you know, today you'd hear, you know, we restricted it to just 300,000 systems.
Starting point is 00:18:24 Yeah, only a small percentage. Only 2% of our user base was impacted. Exactly, exactly. In Turkey and South Korea. Chernobyl, also known as CIH or Spacefiller, was a Microsoft Windows computer virus that first emerged in 1998. And its payload is highly destructive to vulnerable systems, obviously overwriting critical information on system drives and, in some cases, destroying the BIOS.
Starting point is 00:18:52 And a student named Chen Ing-hau at Tatung University in Taiwan created the virus, which he confessed to. Wikipedia stated it infected up to 60 million computers around the world, and they obviously put an estimate of 1 billion US dollars in commercial damages. But Chen claimed to have written the virus as a challenge against the bold claims of
antiviral efficiency by antivirus software developers. And then he said his classmates spread it. And then, you know, he apologised to the school, made an antivirus program available to download to stop it. But despite him admitting to writing it, prosecutors couldn't charge him with anything at the time, because no victims came forward with a lawsuit. Yeah. So therefore, that led to a new computer crime legislation in Taiwan, which obviously could be applied retrospectively. But yeah, he not only held his hands up, he got away with it scot-free.
Starting point is 00:19:52 But just to bring this around, so the Chernobyl virus, so it was CIH originally, but it was called Chernobyl because the date of its payload is the exact date of something big that happened in the Soviet Union back in the day. Yeah. On a similar day. But this is the one that in March 1999, several thousand IBM machines were shipped with the virus pre-installed. And this was just a month before the virus would trigger. And famously, in July of the same year, in 99, do you remember at DEF CON, the
Cult of the Dead Cow gave out copies of Back Orifice 2000, yeah, for free, and this is DEF CON 7, and all of those discs were discovered by the organiser of being infected with CIH. And also companies like Yamaha, they shipped software updates to the sort of CD-R writer drives that were also infected with the virus. Wow. So this was a time when software distribution didn't really check what they were shipping out. When you say Yamaha distributed, et cetera, yeah, makes sense.
Starting point is 00:20:56 I mean, Sony have distributed rootkits before, right, and all that sort of stuff. Cult of the Dead Cow shipping stuff with this on, that sounds incredible. I mean, it really does go to show that, because the Cult of the Dead Cow were serious players, right? We know they were. But I don't think they had antivirus installed on their machines, if I'm honest. Well, no, but they're the sort of people who'd be looking at things at a far lower level than antivirus would in the first place, right? You know, it just goes to show how much of a sort of burgeoning activity this type of increase in number and technical complexity of viruses were, that
Starting point is 00:21:40 even people in the know weren't really looking for it. Yeah. But it's always the same, like people with privileged access, right? Your IT department are the worst for bringing infections into the company than, you know, your average employee. Yeah. I mean, I remember the days when you had to use a floppy disk to program your BIOS, you know. That was far more secure than using Windows.
Starting point is 00:22:06 And that was revolutionary compared to the tapes that you used to have to wind on, right? Tell me about it. The punch card that you used to have to punch yourself with a whole punch. I used to back up VAX VMS systems with reel-to-reel tapes. That was one of my first jobs.
Starting point is 00:22:22 Oh dear. Brilliant. Excellent. Thank you very much, Andy. That was one of my first jobs. Oh, dear. Brilliant. Excellent. Thank you very much, Andy. That was fascinating. This week in InfoServe. We are officially the most entertaining content amongst our peers. And that reminds me, isn't there another award ceremony coming up? There are. Does that mean we're going to have to change the jingles?
Starting point is 00:22:51 I think so. Yeah, probably. We are now no longer officially the most entertaining. God, it's going to cost us money. We're going to have to win. We're going to have to make sure we socialise where people can vote for this so we can win under the banner of save us money, get have to win. We're going to have to make sure we socialise where people can vote for this so we can win under the banner of save us money, get us to win again.
Starting point is 00:23:10 Yeah. I think that would work. I think that would work. Right. So in a change to our normal programming, we are going to move on to a new segment, which I think we've done once before, but this is going to be sort of like the middle third of the show in reality.
Starting point is 00:23:27 We are going into. This is the sound of the Host Unknown podcast crew putting on their armour, getting ready to do battle with the hordes of strong opinions. This is As Seen on Reddit. Snappy jingle. Snappy jingle. So As Se seen on Reddit, the headline is My Thoughts on a Decade of Cybersecurity. Ten lessons I've learned. Noob.
Starting point is 00:23:56 Yeah, yeah, I know, right? I know. So Reddit user Crow Grandfather has spent more than a decade in the cybersecurity industry and has come up with 10 lessons he's learned along the way. Clue is in the title. So we're going to go through these. Some of them, yeah, make sense. And some of them I really don't agree with at all. Oh, yes. At all.
Starting point is 00:24:20 Wait, hang on a second. People disagree on Reddit. I know. It's outrageous. Absolutely outrageous. So the first one, cyber is risk and nothing else. True. Yeah, true. I agree with that. Jav?
Starting point is 00:24:35 Yeah, true. It's all about risk. It's not about right or wrong. It's all about risk. Two, no one cares about your stats. False. No, I'd say it's true. It depends on what stats they are, how they're presented, what stats they are. You don't want stats.
Starting point is 00:24:53 You want information. I think, broadly speaking, they're poorly presented in many places, but sometimes they actually do work. Okay, so the consensus the is the consensus that we disagree with this uh i do think we i well i think it's touch of what jab said there is some color in this right no one cares about um how many attacks your firewalls blocked yeah um but they care about you know how many times people are you know failing to complete i don't know mandatory training or people are constantly doing stuff you know trying to extract
Starting point is 00:25:33 data from the company uh you know that will tell you is it a pattern that you're actually deliberately accidentally stopping people from working or are people deliberately trying to exfiltrate data um i think this is going to depend on what type of company you are that's the difference between a statistic and actually data and you know data that you've been able to put together and draw conclusions from yeah but they um you have to get the stats in in order to to analyze the data absolutely so um when when they say no one cares about stats that's your external audience right they don't care about those numbers they care
Starting point is 00:26:12 about the statements you make as a result i do think that's going to change i'll be honest right i've definitely seen trends if you think about new regular um like regulations that have come in like eba the European Banking Authority guidelines, CPS 234 in Australia for the financial sector and insurance sectors, they're pretty much putting the onus on them that when you deal with third parties, you have to be comfortable that the information you get
Starting point is 00:26:40 is as you would run it yourself. And so what a lot of companies are asking for is basically access to this sort of information what are the stats for um you know how are you managing these things how what's your vulnerability burndown rate um you know that type of thing so i don't know i think this is a very macro level though isn't it i mean this very macro and also it's one of these things it's like, hey, dude, like you're buying the service from us, take it or leave it.
Starting point is 00:27:07 If you want to run it yourself. But this is just the reality of where, you know, well, we need to have this realisation in third party, right? Where people have just gone too far in terms of the information they think they need,
Starting point is 00:27:20 you know, versus what they can actually do with that information. Yes. I mean, I think there's a caveat to this, you know, in the sense that no one cares about your stats, to the point that, you know, Jav said, we don't care how many viruses you blocked or spams you filtered or anything like that. But statistics are an important part of providing actionable business outcome decision making.
Starting point is 00:27:45 Yes. So it's fair to say the statistics are important. Yeah. I think they're important, but they need to be presented a lot better. Yeah. Most people don't care about the stats. They care about the actionable business outcome. Because the question isn't, are stats important? The question is, no one cares about them. Okay. I would tend to agree with that. Doesn't mean the stats are bad.
Starting point is 00:28:13 We're now confusing ourselves. Let's move on. I'm absolutely fine. You know, you're the one who's confused. Anyway, this one, this one's a doozy, you know, and I might have to go outside and have a quick breath of fresh air after this one. Understand that not everyone is as smart as you. Bullshit. They're usually smarter. Oh my God. I was thinking about this on the train last night because it pissed me off straight away. Hang on. Hang on. We've got something for this.
Starting point is 00:28:50 Listen up! Rant of the week. It's time for Mother F***ing Rage. I mean, bloody hell. What kind of arrogance is it where you say, I'm the smartest one in the room. I don't need to explain myself, blah, blah, blah. That is the wrong way to look at things.
Starting point is 00:29:09 Assume you're the dumbest one in the room, and if that means that when you're trying to explain something, that you're assuming that they already know what you're saying, then that's fine. If they already know it, they'll either tell you or they might even learn something from you. Just the sheer hubris of, you know, I know this, you don't know that. That's so wrong, so wrong. It is.
Starting point is 00:29:33 I mean, I just reword this completely to understand that you're not as smart as everyone. I would say understand that you're not as smart as you think you are, especially in this case. I'm sorry, Crow grandfather. I don't know who the hell you are or what you do, and you may well be the smartest man in the room. You would be between me and you, I'm sure.
Starting point is 00:29:52 But that's the wrong way to look at things. But I think this is also cultural differences in terms of, I'm going to guess that this guy is an American. No, no, in the nicest possible way. You know, Americans are very good at self-promotion. Yes. Yeah, you're right. You're right. I think you're absolutely right. So all of our American listeners out there, tell us about why you're smarter than we are. We don't have time to read all of that. There are too many ways. You know what they say.
Starting point is 00:30:25 If you're the smartest one in the room, find a different room because you've cleared him of all things. Yeah, and also, you'll never learn anything. I don't know why I stayed with you two here, but, you know. You'll never learn anything, right? No. You'll never learn anything. I mean, I always, after doing the Hosting Home podcast with you two,
Starting point is 00:30:43 I always go to another room because, frankly, it's exhausting being the smartest one in this room. I was going to say, the only reason you guys are still around is because you've never been the smartest one in the room with me. Smartest or sole founder, one or the other. Oh, dear, yep. So I'm glad we are viciously agreeing on this one uh number four stop with the playbooks interesting it's interesting i mean like what you meant to do just make it up on the
Starting point is 00:31:14 fly i mean i thought we were doing that throughout the 2000s i mean literally like making it up on the fly and this is a problem when you've only got 10 years of experience right if you had 20 years of experience you'd realize why you had the playbooks yeah although again and this is all in the detail and you know this is all in the interpretation stop with the playbooks that you maybe have either produced or seen produced right that doesn't mean that all playbooks are bad so playbooks are very often overly written, overly complex, overly jargonised, et cetera, when frankly a 30-page playbook could probably be a two-page thing, which then turns it into an aid memoir. Does it say, say your company, for example, Tom,
Starting point is 00:31:59 does yours a two-page playbook when in case of emergency, just call Tom? That would do, right? Yeah tom yeah yeah easier easier far easier well and also to the earlier point the way i look at things is if the document is long complex and difficult to read then people like me aren't going to read it you know i need something simple to read something something simple that's broken down and easy to understand. Yeah. Number five, read the news for your boss. Oh. What?
Starting point is 00:32:36 Is this like Jackanory or something? Yeah. Morning, boss. It's our morning news meeting. So in industry news today. So he said said don't read the news to your boss read it for your boss uh so what would your boss be reading effectively put put it this is you know um put yourself in an in another man's shoes you know walk a mile in another person's shoes, right? That's what I say.
Starting point is 00:33:06 So telling your boss that you don't know about something that hit mainstream news hurts your credibility as a professional. Yeah. Or just say you knew about it. Yeah. Oh, dude, that's a classic response that you – what do you call yourselves, evangelists? I don't know.
Starting point is 00:33:21 That's a classic Jav maneuver, isn't it? I think that's in his playbook. Yeah, yeah, I know. Don't you do let me in with that advocate, Jav. Excuse me, excuse me. I'll provide a quote for your media outlet and then quickly Google what's happening. Why is this?
Starting point is 00:33:38 Text message. Yo, has anyone heard about Log4J? Excuse me, excuse me. Give me a quick summary. Who was asking that question two weeks ago, first day on their new job? It's a Jav maneuver. My arm, wasn't me, because I had COVID two weeks ago. Oh, you know, three weeks ago. From the back of a taxi on the way to the office. Exactly. I was just telling you I was on my way to the office.
Starting point is 00:34:07 I wasn't asking for a quote. Oh, dear. Number six. I know where Andy's going on this one. Black hat is mostly pointless. So I'm assuming they mean in Black Hat USA, not Black Hat Europe. Yeah, of course. And it's the RSA of DEF CON, effectively.
Starting point is 00:34:30 Yeah, the RSA of DEF CON, wow. It's full of vendors. Yeah. Black Hat is mostly pointless. Well, mostly pointless for this individual. You get out of it what you need to get out of it. Yeah, it varies. I mean, your mileage may vary.
Starting point is 00:34:44 I know some people who absolutely hate RSA. Other people say it's the best conference for them because of the nature of their work, and same thing with Black Hat or DEF CON or BSides. You get, you know, a lot of these are very, you know, specific in their nature, and to your point, I think you just get out what you put in. If you go to these places without a playbook, then you're just going to be wandering around and thinking, oh, this is just rubbish. I know this because I'm the smartest one here.
Starting point is 00:35:18 Yeah, exactly. But hallway con is always the best part of any conference, right? Absolutely. The hallway track, without a shadow of a doubt. And here's the thing, and I think this is it. My thoughts on a decade of cybersecurity. That's a decade of cybersecurity doing what? Just one particular job, a range of jobs? Have you gone from purely technical to maybe...
Starting point is 00:35:41 So I can answer that. Okay. So I did actually check him out. And so he clicked on the link and everything. I did, yeah. He started fixing computers at his local pizza place, uh, before leading a SOC at a multi-billion dollar enterprise with thousands of users and hundreds of thousands of machines. So a narrow field of work. Uh, well, I mean, started at a small company, hands-on, and then moved on. No, but I mean, you know, we always see this with, uh, SOC being, you know, usually see themselves as the infosec department, right? Everyone's sort of, uh, once being incident
Starting point is 00:36:18 responder or an analyst or, you know, forensic, uh, investigator. Yeah, yeah, interesting. Right, number seven. Uh, I'm glad you clicked on the link, because location, location, location. Is that the TV show that they like to watch the most? Uh, so this, uh, one of the most, in his own words, one of the most challenging concepts SOC analysts seem to deal with isn't investigating new malware strains, it's understanding the location of our sensors and what they can provide. Um, okay. So when, again, go back: my thoughts on a decade of cyber security. It should be my thoughts on a decade of being in a SOC. Yeah. Uh, I mean, it's very SOC heavy, right? Yeah, it's very tech heavy, right? Yeah. It's very tech heavy. There's nothing about legislations or the boring stuff, the contracts, the daily bread and butter. Yeah.
Starting point is 00:37:15 Right, move on. You're probably doing threat intelligence wrong. Probably. It depends who you speak to. I would tend to agree with this, and I think this would include this individual as well. Yeah. Whatever Gartner say is the right thing, it's the right thing at that moment in time.
Starting point is 00:37:30 Yeah. Number nine, don't write to be understood. Write so that you can't possibly be misunderstood. I quite like how that's worded, but also it has an element of covering your arse into it too. I was just about to say, I quite like how it's worded, absolutely. And I think if you're writing documents, if you're writing a blog or some kind of piece, you're absolutely right. But this strikes me as a little bit of, you know, slash anti-work, um, in the sense that,
Starting point is 00:38:06 you know, always make sure you, uh, you get in writing exactly what your boss has told you to do. Always make sure that you are very clear about it. It does feel very cover your ass. Yeah. And finally, number 10, make friends with your marketing team. I agree, man. I mean, you guys made such good friends, you actually joined them. Well, Jav's more PR than marketing. Yeah, well, PR sits under marketing anyway in the org chart. But yeah, but I agree. I think if it's not marketing, it's internal comms or someone that can help you get your message out. Yeah. How about just make friends? Wow, now that's a novel concept. I know. Let's all not be that arsehole security
Starting point is 00:39:00 person, right? You know, it's hard. The truth is it's a real struggle making friends with people who are all dumb as you, dumb, dumber than you. Yeah, this is true. This is true. Yeah. So maybe this, you know, he thinks marketing are the ones that are either the dumbest or the ones closest to him. I'm not sure. Anyway, that was this week's, just remember to be nice in the comment section, As Seen on Reddit. You're listening to the award-winning Host Unknown podcast, officially more entertaining than Smashing Security. So I'd just like to say, we were attacking the ideas presented by that user, not the user themselves. I'm just trying to think what possible legal ramifications could be coming our way, because you got that disclaimer in there quick. And so now I'm trying to think what was said.
Starting point is 00:40:05 I just felt a bit like I don't want it to be misconstrued that we're being mean towards a person for sharing their opinion. I think it's really good that people share their opinions. We're being their opinions. We've made a whole podcast out of sharing our opinions, and I think it's our fast underbate. Yeah, exactly. And it's absolutely right to attack opinions or ideas and... Check and challenge. Yeah, exactly. But what isn't cool is when you attack the individual, the person behind it.
Starting point is 00:40:34 So, Tom, I know you've fallen foul of this many times and, you know, you've had... Once! Once! Don't make me call out the specific blog posts where you called out specific individuals who then got a bit offended. Oh! Once! Once!
Starting point is 00:40:53 Ed the Fed actually came to find you in the UK. My God, I love the way that the truth never gets in the way of a good story. Did Ed the Fed come and see you after you wrote a response to one of his blog posts? No, he didn't. No, he didn't. I've never met him since. And also, I didn't attack him.
Starting point is 00:41:17 I attacked his performance. Well, he took it as a personal attack. So that's why I'm just clarifying that these things can be missed. He didn't take it as a personal attack. He that's why I'm just clarifying that these things can be missed. He didn't take it as a personal attack. He asked what I thought was wrong with his performance. And then he said, please, would you consider removing it? And here's my phone number. Please call me up directly.
Starting point is 00:41:33 Here's my email. Hang on. Are you in my LinkedIn account? You've got the same password you've been using since 2012. Exactly. The same password that was on my facebook account yeah yeah and your boy's face yeah oh dear dreadful right i think we're gonna move on to this week's industry news which we're just
Starting point is 00:41:58 going to recount i i can't see we're going to comment too much on it i think we've we've sort of discussed our way out of things but here is this week's industry news linkedin becomes the most impersonated brand for fishing attacks industry news costa rica refuses to pay cyber ransom. Industry news. Bored ape yacht club customers lose $3 million in NFT scam. Industry news. French hospitals cut internet connection after data raid. Industry news. Security teams should be addressing quantum cyber threats now. Industry news.
Starting point is 00:42:44 Private investigator admits role in hedge fund hack. Industry news. UK schools can sign up to free government-grade security. Industry news. Coca-Cola investigates data breach claim. Industry news. Crypto trading fund partners accused of fraud. Industry News. Crypto trading fund partners accused of fraud. Industry News.
Starting point is 00:43:08 And that was this week's... Industry News. I removed every story that referenced Russia or Ukraine. So we're scraping the barrel here, right? So I'm looking at the UK schools can sign up to free government-grade security. So I'm trying to understand what government grade is. By the cheapest possible vendor. Yeah, that's military grade, isn't it? Oh, well, government grade. It's whoever Boris gave the money to. Yeah. Yeah. Are you a pub landlord or neighbour of one of the
Starting point is 00:43:46 prominent Tories? Yeah. So this is literally, uh, Mail Check. Uh, so it's for schools, and it's to help, uh, so it's been provided by NCSC Mail Check and Web Check services. So they previously offered these to, uh, further education colleges and universities. Mail Check's designed to help organizations improve anti-spoofing to stop fraudsters from sending emails in their name. Um, so it basically just checks your SPF, your Sender Policy Framework, your DomainKeys Identified Mail and your Domain-based Message Authentication. But can't you do that through, I can't remember what it was. Free websites.
Starting point is 00:44:28 Yeah, there's a free website that does it for you as well. Yeah, but the people who do Quad9, they also push – I can't remember what it's called, where you're making changes to your DNS so it can't be spoofed and et cetera. So, damn it. Maybe I should have done some research. Yeah. There's something else out there.
Starting point is 00:44:48 Yeah, well, we are rapidly running out of time, so I'm going to move us on from this. So that was this week's... Industry News. This is the Host Unknown Podcast. Jav, we are coming to the end, and you are going to take us home on this week's Tweet of the Week. And we always play that one twice. Tweet of the Week.
Starting point is 00:45:11 So this week's Tweet of the Week is from Austin-Payne State University. It's APSU alert. Sorry. We are under a ransom, ransomware. There's a typo in it. We are under a ransomware attack. If your computer is connected to the APSU network, please disconnect immediately. And this is great because most of the people are a bit confused in the responses and they're like well why are you asking folks to shut down rather than forcing a network shut down or
Starting point is 00:45:54 you know, and I'm sure all of your people connected to the network are on Twitter just waiting and following your, um, your, for your advice and what have you. It's a really weird one. Also, I think this was reissued because I think originally it said Ransom Spaceware. Oh, yeah. Do you know what? I actually see the original one is even better.
Starting point is 00:46:22 It says APSU Alert, ransom ransomware attack, and then it goes all caps. It says this is not a test, shut down all computers now. Oh my gosh, I have not seen that one. Do you know what I think APSU would have benefited from in a situation like this? A playbook. A playbook, exactly, exactly. So, you know, someone was just freaking out and typing the first thing they came across rather than having a template they could have used. Yeah, yeah. It's just a very, it's literally like running around with your hair on fire saying, what do you do? Just, like, shut it off, shut it off. Yeah, yeah, yeah. But, you know, hopefully they're okay. I mean, you know, ransomware sucks and the people who do it are criminals. And I'm sure the people inside APSU, despite what you say, Jav,
Starting point is 00:47:12 were doing their very best to deal with this. And, you know, we shouldn't be victim blaming, right? See what you did there, you son of a bitch. I just get you back for the other 27 times you've done it to me. Anyway, that was this week's... So we come crashing into the end of the show. Gentlemen, thank you very much for your time this week. Andy, thank you. Do you know what? This whole episode has gone completely out of sync, right?
Starting point is 00:47:51 It's like you came to me first on the intro. You're coming to me first now. So when you say thank you, I'm supposed to say stay secure, my friends. But now you're going to go to Jav and he's going to say it. Steal my line. This is episode 101. I mean, you set the schedule up. It's completely screwed up. You know what's, this bloody, you know, As Seen on Reddit for two episodes, for two whole chunks. I
Starting point is 00:48:12 mean, our timing's completely out. Yeah, you didn't say what, you didn't even ask what time it was. I know, I didn't, I didn't, did I? Well, hey, this is a new show. We're moving forward, you know. You should know Andy spends the whole week coming up with a response to that, and you didn't ask him. You denied him that. All right. Next week, I will work out a really interesting way of asking you what time it is. Some serious edging going on here.
Starting point is 00:48:36 Serious. I will permit you your release of telling us the time. I'm just glad Andy got to get out his North Korea gag early on. This is true. This is true. Right, Jav, thank you very much, sir. Appreciate your time this week. Honestly, I don't know why I bother with this one.
Starting point is 00:48:57 Okay. And Andy, thank you. Stay secure, my friends. Stay secure. You've been listening to the Host Unknown podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. r/SmashingSecurity. That's painful. That was so painful. Honestly, it was just like Tom was completely off. Yeah, it's the Ramadan of podcasts. This is the COVID of podcasts. Old man COVID. This is the advocate of podcasts.
Starting point is 00:49:40 oh so rich. Hey, you know, Andy and I are professionals. You know, we're executives. How quickly? Oh, you're not even out of his probation period yet. And I'm a professional like Andy. I know which side to go to.