The Host Unknown Podcast - Episode 109 - The Helium Breather
Episode Date: June 24, 2022

This week in InfoSec (12:04)
With content liberated from the "today in infosec" twitter account and further afield
24th June 1998: The NSA published the Skipjack encryption algorithm used by the Clipper chip, after the algorithm was declassified.
Clipper Chip
https://twitter.com/todayininfosec/status/1275882063753699328
24th June 2012: In the wake of the Flashback botnet which targeted Macs, Apple removed a statement from its website bragging that OS X isn't susceptible to viruses.
Apple removes claim that 'Macs don't get PC viruses'
https://twitter.com/todayininfosec/status/1275969494330949632

Rant of the Week (19:12)
Government employees banned from using VPNs in India
In the latest chapter of India's ongoing battle against online privacy software, government employees are now barred from using third-party VPN services.
The new directive came following the decision of some of the best VPNs to shut down their Indian servers amid privacy concerns over a new data law. So far, ExpressVPN, Surfshark and NordVPN have all announced they will physically leave the country before the CERT-In directives come into force on June 27.
All this was discovered because:
Indian government issues confidential infosec guidance to staff – who leak it
India's government last week issued confidential information security guidelines that call on the 30 million plus workers it employs to adopt better work practices – and, as if to prove a point, the document quickly leaked on a government website.
The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.
"The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

Billy Big Balls of the Week (28:13)
Amazon can't channel the dead, but its deepfake voices take a close second
In the latest episode of Black Mirror, a vast megacorp sells AI software that learns to mimic the voice of a deceased woman whose husband sits weeping over a smart speaker, listening to her dulcet tones.
Only joking – it's Amazon, and this is real life. The experimental feature of the company's virtual assistant, Alexa, was announced at an Amazon conference in Las Vegas on Wednesday.
Rohit Prasad, head scientist for Alexa AI, described the tech as a means to build trust between human and machine, enabling Alexa to "make the memories last" when "so many of us have lost someone we love" during the pandemic.
In an explanatory video, Amazon showed a child asking: "Alexa, can Grandma finish reading me The Wizard of Oz?" at which point the assistant's normally artificial voice shifted gears into a softer, more natural timbre. The point being that it's supposed to convincingly sound like the kid's grandma.

Industry News (36:07)
BRATA Android Malware Group Now Classified As Advanced Persistent Threat
Former Amazon Worker Convicted of Capital One Data Breach
Google Chrome Extensions Could Be Used to Track Users Online
New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover
Cloudflare Outage Knocks Hundreds of Websites Offline
US Bank Data Breach Impacts Over 1.5 Million Customers
Euro Cops Dismantle Multimillion-Dollar Phishing Gang
Yodel Cyber Incident Disrupts UK Deliveries
Less Than Half of Organizations Have Open Source Security Policy
Cloudflare lava lamps:
https://www.cloudflare.com/en-gb/learning/ssl/lava-lamp-encryption/
Michael Reeves goldfish trading
https://youtu.be/USKD3vPD6ZA

Tweet of the Week (44:01)
https://twitter.com/InfosecEditor/status/1539992708617568261
https://twitter.com/mattjay/status/1539776073180893189

Come on! Like and bloody well subscribe!
Transcript
Thank you for turning out in record numbers to make your voices heard.
You voted and you delivered a clear message.
You chose hope and unity, decency, science, and yes, truth.
You chose Host Unknown as the best non-vendor cyber security podcast.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us
and welcome to the twice award-winning Host Unknown podcast episode.
I've lost track, 109.
113.
Indeed.
So, gentlemen, what's it feel like to be a winner?
Well, I'm used to feeling like a winner anyway, but today, and you know what's going to be really funny,
is if this is not just something we're hearing locally, but if your voice is genuinely being recorded as myself and Jav are hearing it, it's going to sound like you are high on helium.
So you have been celebrating, since you don't drink alcohol,
you've been celebrating by...
Down the balloon shop.
Exactly.
What are those little small canisters you see everywhere?
Laughing gas.
Yes.
For making soda water.
Yeah.
Well, yeah, you're going to see a whole pile of those
empty in the bin in his hotel room.
Instead of alcoholic miniature bottles, yeah.
Oh, dear knows.
Man's got to have a habit, you know,
got to have a hobby, you know.
Yeah, exactly.
But that's the high life of winners though, right?
Exactly.
People always say, you know,
talent that was destroyed too early if it wasn't for the demons inside them.
Exactly.
And do you know what?
If it wasn't for the laughing gas, I wouldn't be laughing during the show.
So, you know, it's a necessity.
It's a necessity.
Anyway, Jeff, how are you?
Very good.
And, you know, we spent the last three days hanging out quite a lot at InfoSecurity Europe in
the new location of Excel.
Yeah, where all the fuddy-duddies were like, oh, I don't like it here.
It's too far away.
Can't get a train.
Well, there was a train strike.
Mere details. There was a nationwide train strike, so people in Europe could get a flight over to City Airport and then walk over.
So if you were living in, like, Germany or Holland or something, it was more likely you would turn up at the event than if you lived in some...
Southeast London, like somewhere else we could mention.
Yeah, exactly.
But was it even worth it?
Was there anything worth seeing at InfoSec, other than people?
Well, people are the thing worth seeing.
I found one product that I'm going to pass on to my CTO.
Oh, okay.
Do you want to give an insight into what it does?
Without mentioning them by name because, you know,
they're not paying for sponsorship yet.
But, you know, double award-winning show.
They might want to.
Absolutely.
Absolutely.
Basically, it's the – I hate to use these terms,
but I know why they get used.
It's that single pane of glass view into all of your cloud environments.
So on AWS, Azure, et cetera.
And it monitors for configuration vulnerabilities and stuff like that. So anybody who's had to set up AWS,
it can get immensely complex
because we're talking about virtual environments
across the board.
And what it does is map it all out
and show you where the weak links are
in a real sort of looking left to right
on a diagram process.
It shows you traffic flows, et cetera,
and where you need to make changes.
And then, best part of,
there's a big green button that says Remediate.
It just does it for you.
It's not a logic monitor by any chance, is it?
No, it's not.
Okay.
No, it's not.
Why? Are they sponsoring since you mentioned them?
Well, no, but they could do
because obviously you've mentioned a product
and whoever gets here first, right?
First pass the post.
Exactly.
If you're a competitor to Logic Monitor.
Yeah, so Emetic, if you're listening,
you may want to have a, you know,
if you want to get ahead in the game.
You know, that reminds me,
there was this one product,
and I can't remember what it was,
but it had a big red button in it, and it was like self-heal.
Self-heal?
Yeah, it was kind of like you'd find issues on your network
or what have you.
This is going back a few years, so it must have been on-prem
or something, but it was like a big red self-heal button
that you'd press, and it would apparently go out
and fix everything.
It would probably break half your infrastructure as a process.
Well, that was one of the questions I asked was,
does it have an undo button?
Because, you know, you might want to press the big green button,
but if it screws it up, you want to undo it all as well.
I said, yeah, yeah, we've got that, we've got that.
Yeah, all the promises made on the stand that don't translate to real world.
I'm not going to buy it.
This is just beautiful.
Sorry, the self-professed non-technical person was wowed by a big green button at InfoSec and he's passed it on to the CTO.
Tom's CTO, if you're listening, just put it into the delete folder and you'll save yourself a lot.
well i know the guys who set it up,
because I know them from the publicist days.
And also, there's an ex-Sentinel One guy there as well.
So it was actually nice to bump into him, I have to say.
He was a very talented guy.
He left in December to join them.
So, yeah, anyway, anyway, like I said,
I'm not going to buy it,
but I should be passing the details on.
So what do you know?
What do you know?
So Jeff,
did you have a good week?
I did.
Yes.
I enjoyed it immensely.
It was,
it was good catching up with people.
I mean,
I did say it kind of felt a bit soulless because there weren't as many people.
Yeah, yeah. To me there's no question about it.
I was reflecting a bit on it last night and I thought I enjoyed it quite a lot, because although I met fewer people, I think the quality of interactions was better
because everyone had no one else to talk to.
So you ended up having longer,
better conversations with people.
And so from that perspective,
I did enjoy it rather than like meeting everyone for five minutes throughout
the whole day and say,
Oh,
we need to catch up.
Yeah,
we will make.
And then you never see him again.
Yeah.
So why was it?
Pretty much what we do.
Yeah.
Well,
yeah.
The only reason we still talk is because of this damn podcast.
Sorry, this damn award-winning podcast.
So why was it soulless?
What was the difference?
You know, Excel was a venue.
I know it's a purpose-built thing and there's many positives to it.
It is a soulless venue.
It is a soulless venue.
It's like a bit sterile.
It's a bit like walking into a massive hospital ward or something. It's just... or an airport, which ironically isn't that what it became during the pandemic?
Yeah, it was one of the Nightingales, wasn't it? One of the Nightingales.
So, Andy, what about you? How's your week been? You know, not that we've been able to catch up with you this week.
No, not been at InfoSec, but not actually that bothered about it, if I'm honest.
Excel has never been one of those places that I look forward to traveling to.
However, I have had my own challenges, and that is trying to secure a caterer or a private chef for my sister's birthday, which is in a couple of weeks' time.
We're going away somewhere.
I said about three months ago I'd take care of the catering, and so I started it this week, and everyone of course said, nah mate, we're booked till September; nah mate, it's wedding season, we'll book that.
So how many people you end up cooking for?
Well, so fortunately it's only an intimate dinner, so I do have a rosette-awarded personal chef coming.
Isn't that what you give ponies?
Do you know what, I'm not entirely sure. Like, he's available, right? And so we'll start with the minimum viable product. What do I need?
someone that can turn up on this sat night and do the cooking, right?
And someone who you can pay in sugar cubes and carrots.
Yeah, exactly.
And fortunately, he ticks all these boxes.
Wow.
I just don't understand why they say he's a 10 to 1 favourite.
I'm not sure what that means.
Yeah, you thought he said he was going to turn up at 10 to 1, but no, he's actually a 10 to 1 favourite.
But yeah, logistical
challenges. But we're sorted now.
I got someone yesterday
and I need to contact
him today just to talk about the menu.
So at least
we now know what you were really doing
on Wednesday when you said you were going to come to the show.
Well, I would say, well, I've actually been doing this since Monday, like the amount of emails I've been sending back and forth, like, you know, to different places.
And it basically got to the stage where I was just copying and pasting: before I tell you what I need, do you have availability on 16th of July? And everyone's like, no, no, no, no.
And, you know, this person initially said no,
and then realised that actually they were available.
He was like, yay!
Did he stamp his foot four times to say he was available?
So did you have a productive week, Tom?
I did, yes. I did, it was very good, it was very good. It was nice, the show was lovely on Tuesday and Thursday, I tell you, it was really good. Nice and quiet.
Yeah, nice and quiet, you know, but money well spent by all the exhibitors.
Yeah, I didn't win any Lego though, which was
unfortunate you've got a couple of figures from...
Yeah, quite a few
actually, because nobody was taking it
on the last day, so
quite a few of those. I did win some AirTags,
interestingly.
Nice. Yeah, that wasn't
a fixed dealer.
Oh, someone coming around, looking at everyone's
badges, and then surprise, surprise,
Tom wins the first prize
Which is a pair of AirTags
Looking for budget holders
Yeah it was a bit of a total fix I have to say
I have to say
But I'm not complaining
So
Shall we see what we've got coming up
On the show for you
This week
Well this week at InfoSec,
Talks Clipper Chips.
Rant of the Week brings us the latest
on the Indian government
doubling down on their cyber security
requirements.
Billy Big Balls is a review of the latest
episode of Black Mirror.
Interesting News brings the latest great
scripting stories from around the world. And finally,
Tweet of the Week talks about bragging,
which I think we'll be doing an awful lot of
over the coming 30 to 40 minutes on average.
Okay, so shall we get on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and further afield.
So before I take you back to our first story, I just want to give an honourable mention that only 12 years ago, on the 17th of June, the Stuxnet worm was discovered by Sergey Ulasen,
a Belarusian antivirus software expert. So there's a great write-up on the Kaspersky website.
And to be honest, not many people are buying Kaspersky these days anyway.
So, you know, send them the traffic anyway.
But there's a great write-up about how Sergey was at a wedding on a Saturday afternoon when
a tech support team in Iran was like reporting random blue screens of deaths.
And if you can imagine, this is you on call, right?
How many people actually investigate when those blue screen of death messages
come up?
Like how many people just hit the reset button or the reboot and just get on
with their day?
How many people answer the phone when they're at a wedding?
Well, I assume he was on call. You know, maybe it's, yeah, it's part of his job. But yeah,
anyway, so he was diligent, and he ended up discovering one of the biggest worms, which targeted SCADA systems, and was believed responsible for causing substantial damage to the nuclear program of Iran.
But yeah, well worth a read up on the Kaspersky website for that one.
But that's not the story I'm focusing on this week. I'm going to whiz through this one,
but because we raised it a few episodes back,
I shall take you a few years back,
a mere 24 years to the 24th of June, 1998,
when the NSA published the Skipjack encryption algorithm used by the
Clipper chip after the algorithm was declassified.
So who cares about the Clipper chip? Well, if we want to learn from history, the Clipper chip was a chipset that was developed and promoted by the NSA under the Clinton administration,
and it was an encryption device that secured voice and data messages with a built-in backdoor that was intended to allow federal, state and local law enforcement officials the ability to decode intercepted voice and data transmissions.
And the original plan was it was intended to be adopted by all telecommunications companies for voice transmission. Right, yeah.
And it suggested the device itself was vulnerable to brute force, you know, from the beginning. But other opponents pointed out that if only US manufacturers were required to include the chipset, then foreign manufactured phones would just be imported, you know, resulting in the program's failure, and obviously caused material damage to the US wireless phone manufacturers.
You know, so the likes of Verizon or those guys,
they wouldn't be happy.
So introduced in 1993, it was
entirely defunct by 1996.
Obviously, yet today's
governments around the world still want
this ability to eavesdrop on communications
of anyone they want
under the guise of anti-terrorism.
So the thing there, I kind of
get federal agencies, etc, but local law enforcement?
Have you seen some of these people?
I know.
And, I mean, obviously this wouldn't be abused at all.
No, no, never.
Because even like, you know, local law enforcements
that look up like, you know, ex-partners or, you know,
ex-partners, new partners, or like just run their number plates
to see where they live or, you know what I mean?
It's, yeah, this is...
Would never happen.
Yeah.
Never happen.
Never happen.
So, yeah, there's just no positives from this.
But I genuinely think that the thing that really swayed it
was actually the telecoms providers saying that, you know,
you're going to destroy our market.
Yeah.
I don't even think the government thought about this was a terrible idea for the other reasons. Dear me.
But alas, history keeps repeating itself. I know.
But yeah, our last reference takes us back to just yesterday, a mere 10 years ago, when on the 24th of June 2012, in the wake of the Flashback botnet which targeted Macs, Apple removed a statement from its website bragging that OS X isn't susceptible to viruses.
So their website used to say: a Mac isn't susceptible to the
thousands of viruses plaguing Windows-based computers.
That's thanks to built-in defenses in Mac OS X that keep you safe without any work on your part.
But then after the flashback Trojan infected more than 600,000 Macs worldwide, the wording was changed to say,
it's built to be safe. Built-in defenses in OS X keep you safe from unknowingly downloading malicious software on your Mac.
Well, I suppose this statement still was true, because it wasn't affected by the thousands of viruses that attack PCs, because those weren't cross-platform viruses.
Yeah, but I think, and it still said a lot. These... I still hear people say, I actually heard it recently, is that, you know, Macs don't get viruses.
I know, yeah. People still believe that stuff.
They do. It's just, and I think it's because it comes from, like all things, from a grain of truth way back in history, and it just gets repeated and amplified, you know.
It's just that it's not financially viable, or as much fun, to screw up as much.
Well, it doesn't have quite the same ring to it, where, like, our footprint in the world is so small attackers aren't bothered to develop viruses for us. It doesn't have quite the
same ring to it as, you know,
we don't have viruses.
They don't want the
art files that you
were working on.
There's only so many smoking
chimpanzees you can
ransom, right?
Excellent. Andy, thank you very much for this week's This Week in InfoSec.
Award-winning studio quality content for high-paying sponsors. Then you too can be usurped by three idiots who know how to think on their feet.
You're listening to the award-winning Host Unknown podcast.
I'm going to take exception with that because I'm going to suggest
we really don't know how we think on our feet.
We're not that smart, let's face it.
Okay, let's move on to our next segment, shall we? To this week's...
Rant of the Week. It's time to mother rage.
So I am going to pick up on a story that we covered not so long ago, actually, or actually is related to a story we covered not so long ago.
But the headline is government employees banned from using VPNs in India.
So this is an interesting one.
It's the latest chapter of India's ongoing battles against online privacy software.
Government employees are now banned from using third-party VPN services. This came from
this recent story we covered about some of the best VPNs have been demanded to be shut down
and shut down their Indian servers over privacy concerns,
over new data.
So I can't remember the name of which company.
Was it ExpressVPN?
Yeah.
Yeah, ExpressVPN.
Yeah.
Well, all three of them.
Yeah, they just basically shut down their operations in India
because they don't keep logs of who's going through them.
And the privacy law said, you have to give us all your logs or you may be called upon to give us all your logs,
which, of course, they can't comply with.
So I think they moved many of their servers to Singapore, was it?
Or certainly around that sort of area.
So they all are going to physically leave the country before it comes in on June 27th.
Now, how do we know that all this is going on and that the government employees are now banned from using these third party VPNs?
Well, because after the Indian government issued confidential information security guidance to staff,
it was leaked straight away,
possibly through the use of a VPN, who knows.
But these guidelines that were leaked
to the 30 million plus workers it employs,
that's quite a government payroll, isn't it?
To adopt better work practices.
And unfortunately, as if to prove the point,
the document was leaked.
So it does give the impression
that information security could be a little bit more loosey-goosey in India's government than many other governments.
You know, unlike, for instance, local law enforcement in the US where absolutely nothing, services systems are never, ever abused.
No, no. No.
So, yeah, this feels like a little bit of a game of escalation.
Yeah, I mean, I can't believe that they're not just doubling down. Every week, when more and more people are saying, look, this is a bad idea, you can't do this, it's gonna, like... it's like they don't care, they double down even more. It is just crazy.
Yeah, it's getting harsher and harsher, and I think, you know, this world's largest democracy is, well, it's a little bit like the world's second largest democracy, starting to not look much like a democracy anymore, you know.
There are things that are changing. It's a very, very authoritarian approach to things.
Now, I'm all for, you know, good security practices in certainly in government. I mean,
I'd like to know that my money is being put to good use and not to pay in ransoms and stuff like
that. But, you know, it's it, you've got to look a little bit deeper
than just saying what you can and can't do
in an environment this large and this complicated.
As you say, rather than just doubling down,
you need to be looking at some slightly more alternative measures
to this, you know, and how you can actually encourage people
to behave a little better.
So yeah, I think this is just the tip of the iceberg as far as I can make out. This is going to be really... we're going to be reading more and more about this, and I think there may well be a few more rants, to say the least.
Well, I'd love to know what the first people prosecuted for not reporting vulnerability scans on their websites or something, what the fines are going to be.
But yeah, including this list of things, they banned the use of VPNs, but they've
also banned the use of third-party NTP servers and third-party DNS servers.
So you have to use the Indian government's DNS server.
Interesting.
And you have to use the Indian government's NTP server,
which is, you know, where's that getting its sync from?
It's very much like the Great Firewall of China.
Yeah.
But what I find also interesting, though,
is that it's really easy when it's at this scale and this level to see how ridiculous it is.
But when you look within, actually, at a lot of the security industry and when you look at enterprises, it's not that different in the approach that sometimes the policy is a list of do's and don'ts.
And it doesn't explain quite the why or the intent behind it
or what the actual desired outcome is. And for too many years, I think that has caused, you know, a lot of rift.
And we talk about, say, compliance as an example. It's like, oh, you have to comply with PCI or whatever and this and the other.
And, you know, I think it all stems from the government with a mandate which actually means, well,
which is we need to protect our stuff online.
And they've given it to some department
who've outsourced it to some student.
And they've come up, well, the way we can do it
is if we block VPNs and if we block DNS
and third-party cloud services, then we'll become secure.
And that isn't the way to go about it.
Yeah.
Well, and that was this week's Jav's Rant of the Week.
Rant of the Week.
You're listening to the double award-winning Host Unknown podcast.
Ha, ha, ha, ha, ha, ha, ha.
Jesus, Andy, that one's dark.
You say that we're double award-winning,
and I'm thinking we're triple award-winning.
I think we've won twice at the Blogger Awards,
and I think we also won at the Unsung Hero Awards.
Oh, we did? We did, yeah.
Can you get your money back on that one, Andy?
I'm sure I can.
I'll get a revision later.
Yeah, I mean, you say your man knows us,
but he forgot that part.
He forgot that part.
Not that I'm petty or that these things actually mean anything to me,
but I just, in the interest of accuracy, that's all.
We should also give a shout-out to our big friends of the show, Smashing Security, that's Carole and Graham, who won Most Entertaining Security Blog this week at the European Blogger Awards.
Yeah, had we had a blog, we would have won that as well.
That's what they thought as well, because they don't have a blog either, as far as they're concerned.
Oh really? Oh okay. Consolation prize. But, you know, it's okay.
Exactly, yeah. So, but nonetheless, nonetheless, I have to say that both Graham and Carole were one of the
first people
outside of the immediate awards who
reached out to me and congratulated me
so fair play to them and thank you Graham
and Carole for
allowing
well for living rent free
in our heads for so long that
actually we feel that this is a really important thing
Yeah, yeah.
Well, they were previous award winners in, I think, 2018, 2019.
They've won loads of awards.
They've won loads of awards.
And, you know, rightly so.
I mean, they've built something quite incredible.
But come on, it's time for the young ones to come through now, right?
Oh, dear.
Something, something irony.
Right.
Shall we go on to this week's?
Billy Big Balls of the Week.
So the Billy Big Balls of the Week is a review of the latest episode of Black Mirror,
where a vast megacorp sells AI software that learns to mimic the voice of a deceased woman
whose husband sits weeping over a smart speaker listening to her dulcet tones.
Only joking.
This is a real life.
This is Amazon.
And it's one of their latest experimental features on Alexa,
which was announced at their Amazon conference in Vegas on Wednesday,
which is probably why there weren't as many people at InfoSec on Wednesday.
Rohit Prasad, head scientist for Alexa AI,
described the tech as a means to build trust between humans and machines,
enabling Alexa to make the memories last.
Where so many of us lost someone we loved during the pandemic.
What a load of utter horse crap.
Have these people not watched Black Mirror?
I mean, Jesus.
I have no idea.
But what I did think that if, you know, I mean,
I would actually get my voice put on Alexa just so that every now and then
it would come on your speaker saying, why did you kill me, Andy?
Why did you kill me, Tom?
No, please don't smother me with that pillow.
No, no, stop.
Help, I'm trapped.
I'm trapped.
I'm trapped in this little box. That was another Black Mirror, wasn't it? Where they take a recording of your brain,
i.e. to make a copy of you
and then trap you in like an Alexa box.
So it can, you know,
it's the thing that knows your routine the most.
And they actually bully this avatar,
this virtual representation of a human being
who actually thinks it's alive and is a human being
trapped in a sort of environment, and bully it into behaving like an Alexa type device.
It's incredible.
Fantastic.
This is interesting.
So they had a video where Amazon showed a child asking, Alexa, can grandma finish reading me The Wizard of Oz?
And the voice changed.
No, Timmy, grandma's dead.
Yes, yes.
But it does raise a lot of interesting things about the digital afterlife.
And I remember years ago reading this story about this guy. His dad died, and he used to play a car racing game with his dad, and his dad would always beat him.
So his dad had the best lap time around it. So he got on the game one day and the ghost car was his dad, actually there. So he'd race against his dad.
And then one day he overtook his dad and was about to beat him.
But then he stopped before the finish line
to let his dad's ghost car win.
Because if he had won,
he would have overwritten that.
Isn't that the story of cars?
He stops just before the finish line
to let his father figure drive past him.
No, no.
But another thing.
So one of my cousin's sons,
he did an internship at one of these robotic kitchens.
And it's like you have these robotic arms there
and you put all the sauces and the ingredients in them.
No, no.
Just checking.
So you would upload the recipe of how to make a pasta.
And it's mainly for mass catering and what have you.
But it would then take all the ingredients
and make them perfectly every single time.
So you could have...
Andy, maybe you should look into this for your sister's birthday.
But the robot would then mix all the ingredients together and make it.
And so what they then had is, I think they had some Gordon Ramsay or, what's the other, Jamie Oliver, to train it into how to make a certain dish, and it would then replicate it and make it every time.
And even he was saying that one of the features, like that future planning when it becomes more commercial or whatever, is like you could ask your grandmother to make whatever, you know, ravioli the way she makes it.
And then the machine would remember it. So even if she lives in a different country or she's passed away, the kitchen would make it exactly how grandma would make it.
And I think something like that actually makes a bit of sense because it's food that you like and it's cooked in a certain way
that you're used to and what have you.
But this Alexa and using AI just to simulate someone,
it just feels a bit creepy to me.
Well, I mean, one of the comments has made me laugh because obviously,
you know, we're talking about deepfakes potentially being a serious issue in terms of, you know,
people getting, you know, called up: hey, it's me, the CEO, Mr Accounting Department, please can
you transfer all this money to this account, you know, in that voice and that sort of thing, and
make it interactive. But there is a funny comment here which says: Hi Billy, it's Grandma. After story time, take all of mine and Mummy's
jewelry, put it in an envelope and send it to me in heaven, P.O. Box 1234, Nigeria.
Well, it's only a matter of time. Yeah, and will voice authorization work anymore, right,
in terms of...
This is true.
You know, can you mimic voice as a form of authentication?
My voice is my passport.
Verify me.
Well, it's like when you're chatting to somebody on FaceTime
and they shout out to their Siri or their Alexa and yours responds,
right?
It's like you can take control of devices just like that.
So it's perfectly plausible.
Yeah.
So Billy Big Balls or Rent?
I don't know.
I think they could be interchangeable, as is very often the case here, I think.
I don't know.
Maybe we get Alexa to emulate the voice of the Indian government
to remind government workers not to use VPNs.
Or to download and install VPNs all of a sudden.
Yeah, there you go.
Hello.
We've always been at war with Oceania.
This is your Prime Minister, Modi.
Please download a VPN.
I don't know.
I won't arrest you.
Anyway, thank you.
That was this week's...
Billy Big Balls of the Week.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content?
Ask your doctor if the Host Unknown Podcast is right for you. Always read the label. Never...
That does sound about right, in fairness.
So, just as it's always time to take your medication, what time is it now, Andy?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News. BRATA Android malware group now classified as advanced persistent threat.
Industry News
Former Amazon worker convicted of Capital One data breach.
Industry News
Google Chrome extensions could be used to track users online.
Industry news.
New DF... I'm going to start that one again.
New DFSCoerce NTLM relay attack enables hackers to perform Windows domain takeover.
Industry news.
Cloudflare outage knocks hundreds of websites offline.
Industry news.
U.S. bank data breach impacts over 1.5 million customers.
Industry news.
Eurocops dismantle multi-million dollar phishing gang.
Industry news.
Yodel cyber incident disrupts UK deliveries.
Industry news.
Less than half of organizations have open source security policy.
Industry news.
And that was this week's... Industry News.
Wow.
Huge, especially
this one's dark
Eurocops dismantle multi-million dollar
phishing gang.
I didn't think dismembering was like
legal in any of the
kind of European countries
that we operate in, I mean the death penalty seems a bit harsh
let alone pulling them apart
limb by limb.
Good one. So you talked about this story,
Tom. What is this one about, the new DFS coerced NTLM relay attack?
Can you explain that one a bit? I could, I could, but I think it's
far more interesting to hear you talk about the Cloudflare outage and
how that happened.
Yeah, it's probably like some misconfigured DNS or something, isn't it?
Isn't that how it always happens?
Or some of the lava lamps became a bit predictable.
Yeah.
So, yeah, so Cloudflare one, they had an outage that affected traffic in 19 of their data centres,
and it was caused by a change that was part of a long-running project to increase resilience.
Ironic.
So they pressed the green button.
Yeah, that's right.
They quickly did.
Control Z.
Control Z.
Well, they didn't have an undo button.
That's the key thing.
You've got to have an undo button.
But it is Cloudflare, isn't it?
It has something like 128 lava lamps that they film,
and the movements of the lava in the lava lamps is what creates their high
entropy random generator thing.
Isn't that right?
I genuinely didn't know that.
I did not know that.
No, I did not know that. But
there's a YouTuber called Michael Reeves, and he's absolutely... oh yeah, yeah, yeah. And he did this
experiment, like in his last video a few weeks ago, where he put stocks of two companies up on the
wall and there's a fish tank underneath it and he used to track which half of the fish tank the fish would spend more time in.
And whichever side it would spend more time in,
he would buy that stock.
And so it's completely random, chosen by a fish.
And he compared it to the actual stock market
and also a Reddit channel called,
I don't know, there's a Reddit channel
which gives you stock tips or something. And the fish outperformed all of them.
So this is like, you know, like doing the World Cup and big sporting events when people have a, like... yeah, that sort of thing.
Like a terrapin in a tank that goes one way or the other and it picks a winner, and people will
literally bet everything they've got on, you know, whatever this thing randomly decides. It's a 50% chance thing, isn't it?
Derren Brown does that thing where he gets a woman to pick... he gives someone, I think it's a woman in this case,
he gives her the winner of a horse race and it comes in. So he gives her the second
winner of a horse race and it comes in, and so on, to the point where he gets her to remortgage her house and get loads
and loads of loans, and you know, loans from friends and all that sort of
thing, to put all the money on a final horse. And because she's won five of the previous five horse races, she puts it all on
and the horse loses. But then he reveals that actually he didn't put the money on the horse
he said he would; he put it on another horse, which was the one that actually won. But when you go back
to it, it actually turns out the first time around he approached six people and gave them
six different horses, and then they only chose to broadcast the one that won, and so on and so on and so on, right? So it was,
you know, he also did a thing where he flipped a coin and it landed up heads
10 times in a row, and you saw the entire sequence. What you didn't see was the 23 hours
of filming it took to get 10 heads in a row.
Yeah.
So the perspective can sometimes be all over the place on it.
Yeah.
What else have we got in here?
I don't believe everything you're saying.
What else have we got in here?
Yodel cyber incident disrupts UK deliveries.
Those of us in the UK who are aware of Yodel's unreliability at the best of
times have probably noticed no difference in service.
But Yodel are saying they're experiencing a cyber incident,
which is causing service disruption.
And they have rolled out the classic, you know,
I don't think we've lost any card data.
Well, what they should do is what Hermes did, which is, you know,
have such a bad
reputation that you rebrand,
and then all everybody talks about
is how bad Evri is,
and anyway, it's just Hermes in a different
wrapper.
There's not a lot you can do
about that.
The rest of the news is all about InfoSec
Europe, which I deliberately
left out.
Yeah, because...
Good choice.
I mean, apart from one story, right?
Did I leave an InfoSec Europe story in there?
The winners of the most entertaining blog.
Oh, of course.
Yeah.
Come on.
Obviously.
I mean, that's just a given, that one.
Okay.
Anyway, on that note, that was this week's...
Industry News.
In 2021, you voted us the most entertaining
cybersecurity content amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe. You are listening to the double award-winning Host Unknown Podcast. How'd you like them apples?
Awesome. You're literally burning through all of the new jingles.
I mean, we've got to get our money's worth. And also you're gonna have to
get that one re-recorded as well. Well, yeah, triple award-winning.
Oh, my God.
I think if you just have it as multi-award winning,
that will just cover us for the future.
Multi-award winning.
Absolutely.
Right.
Let's bring it home, Andy, with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And I shall give you two because you have played that jingle twice.
And it has to be because there's an honourable mention in here.
And the first Tweet of the Week is from Eleanor Dallaway.
And it says, when I say that's a rap, it's an actual rap.
15 years of InfoSec and my last as part of the organising team.
It's been a blast and you have no idea how emotional seeing my wall of favourite covers makes me.
Thank you to everyone for making this show so fucking special.
As we know, Eleanor is stepping down as the editor of InfoSec magazine
and has been an unwitting contributor to this show for many a year.
Jav, can you see you and me on that wall of covers there?
Yes, I can. Try and don't claim you're some of the Reservoir Dogs that are up there.
No, no, we're in the third one from the left, the one where the arm goes over with all that.
Oh, you're looking... is that your little panel thing where you're looking up and down and, like, lovingly into each other's eyes?
Yeah. No, well, yeah, same difference.
Yeah, yeah. Violence is Jav's love language.
Yeah. Oh, dear. No, but it's been a fantastic run, 15 years, Eleanor,
at InfoSecurity.
And I remember, like, when I first started out,
so this is, like, going back probably about 15 years.
Were they trying to sue you for being cool to you?
No, no.
Oh, OK.
No, when I first started, when I...
Yes, he did.
Quicker than a deck chair.
For fuck's sake, guys. Anyway, anyway. Yeah, get your story out.
No, I was approaching a whole bunch of, like... I was looking at security magazines and who the
editors were, like The Register and Infosec, SC and everything, and Eleanor was the editor at that
time, and she looked far too important. I said this to her the other day when she invited
me on her podcast and I was like, you seemed far too important then and you still
seem far too important for me to just
cold call you or say, like, hey, do you want to do
an interview or something?
But no, she's been an absolute institute
and she's done
a fantastic amount of
good for the community.
Just a shame that her last
InfoSec had to be
so soulless, right, Jav?
Yeah.
I mean, your words,
not mine.
Okay, what's the other tweet?
I'll rescue
you here, Jav. So our second
tweet is one of these fantastic visual ones
where you actually have to click into it to see it.
So it's initially a tweet by Lisa Farbstein, TSA spokesperson,
and she has a photo of all of the liquids,
oversized liquids, gels, and aerosols that travelers had in their carry-on
at an airport over a three-day period. So it's like this huge collection of, like, bottles and stuff, you know, and she
reminds everyone the limit for liquids through a checkpoint is 3.4 ounces. And the tweet was
quote-tweeted by Matt J, and he says: imagine being in infosec and proudly announcing all of the false positives that you
blocked. Which I think is a great analogy for this one. It's, yeah, okay, great, they stopped,
you know, people with, you know, deodorant and toothpaste and, you know, water, because
when combined they can potentially make explosive substances, right?
Well, I think that's the reasoning behind it, of course. So when they dispose of the
said liquids, they keep them separated and dispose of them carefully rather than just throwing them into
a large container, into the same container, getting them all close together and mixed up for a photo opportunity.
Yeah.
I bet half the TSA agents take some of this stuff back.
Yeah, definitely.
Well, they take iPads and shit.
Why wouldn't they take somebody's wash and go?
I mean, there's a couple of things here.
One, I think it was a knee-jerk reaction at the time to do this, and it wasn't done on any kind of fact-based evidence and all that sort of stuff.
And the reason why there's a picture like this is twofold.
One, I think the communications as to why it's needed is just not clear.
It's just a purely thou shalt not do this.
And secondly, because of that, people don't understand it.
And so when they're packing and they're looking at a bottle of shampoo, they're not thinking, oh, that's 3.4 ounces or that's more than 3.4 ounces.
It's just like it's an unnatural yeah especially for want of a better term
yeah especially if you don't understand freedom units as well i mean yeah yeah yeah but if you
look at the picture in the front row on the right there they've got like snow globes like those
little round things that you shake and because that that's got liquid, that's been confiscated. There's peanut butter in there.
That's neither a liquid nor a gel.
It's a paste, I guess.
It's a paste.
Exactly.
Pastes count.
Toothpaste.
Yeah.
It's just like so much.
What about a frozen bolognese sauce?
Would that count?
I have no idea.
Because it's a solid, right?
Well, what temperature does it become?
Well, room temperature, I presume.
But, you know, when you take it through, it's a solid.
So could you take a frozen bottle of water through?
No.
Why not?
It's a solid.
Anyway, like I say, it just doesn't make sense.
Yeah.
I don't know.
It's a strange one.
Mind you, why we're trying to make sense of the TSA is another matter entirely.
Yeah.
It's an exercise in futility.
It's late of futility. Right.
We've reached the end, gentlemen.
Thank you so much.
We've covered a lot of ground,
mostly about how we are a multi-award winning podcast.
Indeed.
The most important story.
Oh, dear.
Who did we beat, by the way?
Down the rabbit hole.
Raphael.
Down the rabbit hole.
Really?
Yeah.
Yeah, he was a runner up.
My God, it must have been thin on the ground for competition
if they were the runner up.
I know.
I think that would just add it in to rub it in Graham's face even more.
Not only did you not win, you weren't
even the runner-up. So you were like,
you know, he's now thinking, like,
did we even get a podium
place at all? I'm sorry, but
smashing security is far better than down the
rabbit hole. It's got to be said.
Oh, absolutely.
No, but we don't say that out loud.
We don't want to give great
feed his ego.
Yeah, yeah. And it was great because, on the day of the awards, Yvonne Eskenzi,
who heads up Eskenzi, she said to me, oh, would you mind co-hosting the awards with me?
I said, that's absolutely fine. And I thought, I'm nominated in the categories, I was one of the judges,
the company I work for sponsored one of the awards, and now I'm hosting it.
There's absolutely no conflict of interest anywhere here whatsoever. It was a shoo-in. In your face, Graham.
We won, you lost.
Yeah.
However we decided to do it.
We did make that unnamed contribution to their charity afterwards.
Oh, yes, there was that as well.
Exactly.
So just in the interest of transparency, because that's
what we're like, we believe in radical transparency. Yeah, absolutely. We're very happy to say when we
bribe the officials, right, Jav? Thank you very much, sir, for your contributions this week, and
so lovely to see you for all these days. Yeah, no, thank you.
It was a pleasure to see you.
And thanks for...
So just on the last point, on the last day, my daughter was off,
so I took her into InfoSec.
And she was a bit shy going around asking for swag
because I was like, you can go and just get swag.
And so Uncle Tom took her round,
and I was sat at my booth, and, like, half an hour later she comes back with two
massive tote bags filled to the brim. She goes, hold on to this, I'm off to get some more.
Uncle Tom will show you how to do it. We did well, didn't quite get the TV off the wall like you tried one year,
Andy, but we did pretty well. I thought it was free. Yeah, that's right. Yeah, no, it was good. It was
lovely walking around and talking about all the different stands and, well, all the
different techniques of how you get swag, basically. But, yeah, it was lovely, and it was lovely to see her there as well.
So, yeah, it was good.
And, Andy, thank you very much for today.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
I cannot wait to hear how your voice comes out in post on this one.
I am really worried.
Especially as I've got to edit it. Yeah, yeah.
My daughter came back home. I'll tell you, Tom, my daughter came back home and she was like
Father Christmas. Like, her brothers and sister were around and she was like all their Eids had
come at once, and she was like, there's a baseball cap for you. There's a baseball cap. There's a torch for you. There's this for you. There's a universal USB charger.
Yeah.
I got to the point,
notebook.
Oh, I've got enough notebooks.
USB charger.
I've got enough USB chargers.
Yeah, we weren't fussy
in the first half.
The second half was like,
have you got any...
Oh, no, it doesn't matter.
It doesn't matter.
She became quite discerning towards the end.
Yeah.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to the twice award-winning Host Unknown podcast episode of Lost Track 109.