The Host Unknown Podcast - Episode 11 The One What Was Sponsored
Episode Date: June 19, 2020. This week's episode includes Kim Kardashian, toilet flushing shenanigans, a plethora of expertly written industry news, the Cambodian Government Covid-19 'scam', eBay and their excellent customer service and finally Paco Hope tells us about his big cat reserve in Florida. Thom also reveals who Graham's least favourite guest on Carole's Smashing Security Podcast is. Honestly. Thank you to our Sponsors, the wonderful Carole Theriault and the adequate Graham Cluley of The Smashing Security podcast. https://www.smashingsecurity.com Come on! Like and bloody well subscribe!
Transcript
Every legend has a sidekick. A Robin to a Batman. A Cagney and Lacey. A Robson and Jerome.
The list goes on. We're no exception.
Graham, this is our very first Smashing Security ad.
Yeah, this is an advert for our podcast on somebody else's podcast.
Right.
Extraordinary.
I suspect all listeners know that since they're listening to it on another podcast.
So the way we're going to do this is I'm going to ask you a very important question and I want you to answer it.
It's about Smashing Security, the podcast that we both co-host.
Now, the question is, who was your least favorite guest?
Least favorite?
Yes, your least favorite, not most favorite.
Are we including people who maybe appear on other security podcasts?
Sure, the whole gamut.
We've done 180-some shows, so there's a lot of guests to choose from.
Join Graham Cluley and Carole Theriault on the Smashing Security podcast.
Find it in Apple Podcasts, Spotify and all good podcast apps or at SmashingSecurity.com.
It's not all filth.
You know, having been a guest on that show, most of it is filth.
They just fix it in post.
Are you not nervous that your name's going to be mentioned in the most unpopular guest they've had on the show?
It's the least favourite.
Maybe.
Well, we'll see what happens over the next two advertising songs.
So, folks, if you're a little confused, this is not the Smashing Security podcast,
friends of the show.
This is the...
You're listening to the Host Unknown podcast.
Indeed, it's the Host Unknown podcast and this is episode 11.
The one that actually got sponsored.
Hello folks, how are you?
Hello Andy, hello Jav.
Morning, Mr. Langford.
How are you doing?
Very well, thank you.
Very well.
It's a very wet and windy day around where we are. I think if you're anywhere in the UK it's wet and windy. Is that right?
I'll take your word for it. I can't explicitly talk for every region in the UK. I do not have the weather on my screen to tell me that, but I would take your word for it for the safe agreement.
Yeah, it says it on my mirror so it must be true.
Andy's one of those people that prefaces
every one of his tweets or emails.
This is just my personal opinion.
They do not reflect the opinions
of every white person in the country.
They do not reflect the opinions of my employer.
White person?
I thought Andy was from Mauritius.
He is from Mauritius, yeah.
That's a bit of a generic statement you're making there, Jav.
That's, yeah, that's where it starts, man.
Yeah, exactly. You know, were you adopted? Because I've seen a photo of you with your quote-unquote family in Mauritius and...
Where are you going with this? What, the pigment of my skin is different to the rest of my family? Is that where you're going?
This is how it starts.
This is where it's institutionalized.
No, I'm saying that your jawline, the waistline, it's very, very different.
OK, yeah.
So I guess having an upbringing in the UK did help with the waistline.
Yeah, you know, I'll be honest, I didn't have quite the same restrictions that a lot of my family had growing up.
You, I must admit, you sound like the type of person who would only buy a comic if it had a free sweet on the front of it. Something like the Dandy, perhaps.
Maybe the Dandy, yeah, that's right.
20p plus a lollipop.
It's like I'm cheating the shop, you know?
That's right.
Little did you know that you were the product because you became a consumer for life?
Yeah.
So how are you doing anyway?
Yes, very good.
Thank you.
Very good.
Work's picking up a little.
Had a lot of fun on Twitter and LinkedIn this week.
So, yeah, it's all looking good at the moment.
All looking good.
That doesn't mean we don't still need sponsors, but we're all right. We're all right.
You know, sponsors are so last year. I mean, we've been there, done that. I mean, being on a sponsored show, I mean, obviously we made it. The next step is to follow in the footsteps of what comes next for a good podcast show, and you might remember about a month ago,
Joe Rogan podcast got picked up by Spotify for a reported hundred million deal,
a multi-year deal.
I remembered, and he probably doesn't.
And I'll take your word for it though.
You've got no reason to be lying to me.
But that made the stock jump about 7%.
But they, yesterday or the day before, signed up someone else
and their stock jumped a whopping 15% to an all-time high.
Wow.
Can you guess who they signed?
Kanye West.
Nelly, the fellow who took our video off YouTube.
Very close, Andy. I'll give you that point. We're doing an impromptu quiz show now.
It was Kim Kardashian West.
Oh, okay.
She has a history of breaking the internet, whatever.
Yeah. Yeah, she does.
Apparently.
I'm looking for a natural...
Yes.
I'm just thinking, is she actually a singer? I don't know, for... but on Spotify, what's she doing? Like, a podcast?
Yeah, she's doing, okay, she's doing a podcast about her work on something called the Innocence Project, a quote-unquote non-profit legal organization that seeks to exonerate people who have been wrongly convicted.
I thought you weren't supposed to talk about your charitable interests.
I'm talking about Kim Kardashian West.
Yeah, no, no, no.
That's my point is, you know, doing a podcast about what a wonderful human being you are because you run a charity or you sponsor a charity or whatever.
Isn't that kind of, you know, we give a lot to charity, but we don't like to talk about it, mate.
Smashie and Nicey, another dynamic duo.
Smashie and Nicey, well, how did we forget them?
So yeah, that's, I don't know, it seems odd. It feels like they're in a battle for relevance, do you know what I mean?
Yeah, I'm talking about Kim Kardashian and not Smashie and Nicey.
Oh, well, I think that ship sailed for Smashie and Nicey, unfortunately.
Exactly, yeah.
Yeah, it's a strange one.
I mean, from Spotify's perspective,
I think they're trying to do the whole Netflix or Disney Plus model
where you get exclusive content, so people just subscribe to you,
so picking up a few big names and seeing a subsequent stock price. So if any other, you know, big label wants to sign up a security podcast with three people who host it, then, you know...
Yeah, a few hundred million deal wouldn't go amiss.
No, no, exactly. We promised to produce something most weeks.
Oh, for sure, yeah. And I would also eat until my ass looked like Kim Kardashian's as well. I would do that for you, sponsors.
Do you mean you'd diet until your ass looked like Kim Kardashian's? Mate, you'd do that anyway.
Hey, planning. I'm ready to hit the ground running. That's what I'm saying. I'm pre-prepared for this.
You know what they say.
Find something you love and you never have to work a day in your life.
Exactly.
Mate, and I saw your Christmas card
with you kind of like bent over
with a champagne glass on your backside.
With like a stream of Haribo going over your head. I mean, you're already there.
I'm just missing the sponsor, that's what I'm getting at. And the audience.
Right, I think we need to move on. I think we need to move on. We're paddling in the shallow end of danger here at the moment.
Oh, that's the sound of sponsors dropping.
Sponsors dropping.
Right, so I had to reorganise my soundboard so I can't find anything at the moment. Here we go.
Don't worry, we can't tell the difference.
No, exactly, exactly. There's an awkward silence in between everything anyway.
Tweet of the week. So, yeah, I've got tweets of the week, haven't I?
So tweet of the week this week was from the Washington Post, and I like this one because it raises a subject that was very close to my heart. Not physically, but, you know, metaphorically very close to my heart. And I've been talking about this as a concept for a long, long time, and it actually now kind of turns what I've been talking about on its head slightly.
So the Washington Post tweet was: toilet plumes, in inverted commas, could spread the coronavirus, a new study posits.
This sounds like something this is like preaching to the converted, I guess, when you're reading this article.
Yeah. Experts advise closing the lid before flushing.
Now, anybody who's listened to me for more than five minutes knows that I do talk about toilets and flushing and all that sort of stuff.
Sharks and toothbrushes.
Sharks and toothbrushes. Yeah. I'm waiting for a Washington Post article on sharks so we can use that as a tweet of the week. But knows that, you know, the crux of the talk I did about toilets and sharks and toothbrushes was that you can flush your toilet with the lid open because there is no greater risk of disease or anything. Yes, you might get aerosolised poo and wee on your toothbrush, but frankly, it makes no difference. But people will close the lid because they don't like the sound of that.
Well, now it's actually true that you could get sick from it.
So I really like this tweet because it talks sense, and actually there is a very real risk of not putting the lid down before flushing. And being a lid-down aficionado... it's not like I clean my bathroom often enough anyway, so it doesn't help by being sprayed by the contents of it. I think this is a very valid piece of study, and I may have to resurrect the talk as a result.
What, you mean the talk went away?
That one talk, I mean, I've seen it so many times I thought I gave that talk. I genuinely thought it was my talk. I know it so well, I was surprised when it had your name on it.
Well, that's why I had to change it to bears and babies. But yeah, it's good. I like this, and I like the analogy stuff. I mean, I know this is an analogy, but to your point, I do like the analogies of things. And I think it was you, Jav, who first put me onto the Spurious Correlations website by Tyler Vigen, I think it is.
Yeah, that's the one.
Yeah, which is brilliant, which does throw a lot of this into context. But yes, so that was my tweet of the week.
Very good. Interesting, and probably resonating with you because it's something within your echo chamber.
My what?
Your echo chamber. Echo. Echo.
It's my echo chamber and I'll say what I want.
What I want. What I want.
Hey, did you have to drop the...
Oh, sorry. Hang on.
Okay.
There we go.
You didn't remove that from the soundboard.
Sorry, what were you going to say, Andy?
I wasn't.
I was just saying that you're obviously a big fan of that tweet of the week
because it plays back exactly what you have been talking about anyway.
It's like giving you validation to your
Well, it kind of almost disproves what I'm saying in a sense, because there are new factors in play. There's a higher impact and likelihood as a result, so the risk changes as a result, and hence why we should absolutely keep our risk models up to date.
Oh, wow, I see what you're doing there.
And if you don't know where to start,
there is the patented Malik Langford risk model.
I thought it was the Langford Malik.
Well, it's the Malik Langford.
No, it's alphabetical.
Everybody knows that.
This is that rip-off of the Andy risk model, isn't it?
You guys have rebranded it.
Yeah, the Andy risk model, which just said, fuck it.
Eat Haribo.
Eat Haribo.
Yeah, it's a three-dimensional risk matrix with colour of Haribo, shape of Haribo, cost of Haribo.
Does it come with a Dandy?
An 18th century...
I thought you said Tandy, as in the 80s and 90s electronics store.
And computer.
And computer, yeah.
I think I remember buying a zip drive from there once.
Wow.
Blimey, zip drives, 100 meg on one disk.
I know, I was rocking it.
And then the updated one, which held 250.
So, you see, I went from Zip to SparQ, which was, yeah, so it did a gig, one gig. It is extremely unreliable though. Mine used to break all the time, just couldn't read the discs, but it certainly was a large file.
I went from the Zip to the unfortunately named Jaz Drive, which was, I think they did one gig and two gig variants.
But what I did like about them, both the Zip, et cetera,
because they were large storage at the time, obviously.
What I did like about them was that the actual disks themselves
were fairly inexpensive.
So you could actually buy a bunch of them and just, you know,
chuck them in as you needed.
Then again, USB kind of killed that.
A bit like, you know, video killing the radio star.
Yeah.
I think the USB killed the parallel port SCSI interface.
Yeah, it doesn't have the same ring to it.
But no, good point.
No, and then Apple kind of killed everything after that going forward. Apple are very genius. Absolutely genius.
You're still holding out for that sponsorship, aren't you?
Yeah, that's right. Hey, I'm still using FireWire 800 devices at the moment.
They're good.
They're really good.
They take all the processing off the CPU.
It's perfect.
Are they better than USB-C?
Oh, no, because they're like... It's about 100 years old.
Yeah.
Exactly.
That's the point.
In fact, I have a video camera which supports FireWire,
and that video camera will have tapes from DEF CON,
a couple of the early ones when I took my video camera.
So maybe like DEF CON 6 or 7.
It's a really expensive camera.
Yeah, if you need me to rip it, I've got the technology for it still.
Absolutely. I just, honestly, wouldn't know what else was on those tapes. I didn't exactly label them back in the day.
Yeah, well, it's more than what else will you find on there.
Live stream it from the Host Unknown so we can sit there with everyone else and discover what was going on.
Yeah, we can place bets on how much sweat will come out of Andy's face while we're watching them.
Oh dear. But no, in all seriousness, if you want to rip that into digital format, I've got the old FireWire connections and all that sort of stuff, because I got a similar Sony camera.
Okay. If I had the soundboard, Andy, I'll be playing "It's a trap".
Yeah. No, no, after I've ripped it, this will be you.
I'm not gonna play it all, don't worry.
Just get into the good part, man.
Oh, man.
Right.
I reckon it's time to move on.
We've got our roving reporter,
our man with his pulse on the industry out there.
What else did we say we were going to call him or her?
The InfoSec Stig.
The InfoSec Stig, yeah.
Working title, working title.
Absolutely.
Patent pending.
We're just checking if anyone else has used the phrase Stig.
Yeah, it's in inverted commas.
And in fact, you know, the mailbox has been absolutely not inundated with messages of alternative names for our Stig, Stag, Stog, whatever.
So please give us a name because otherwise we're going to have to go with whatever Andy comes up with.
So, yes, we've had lots and lots of ideas which we won't be going with.
But, yes, let's go to our man on the – or woman – on the –
Person.
Yeah, Dan, I'm sorry.
Industry news.
Global DDoS attack dismissed as T-Mobile misconfiguration.
Industry news.
ESET CTO.
AI can work with correct human intervention.
Industry news.
Aerospace executives targeted via LinkedIn recruitment messages.
Industry news.
And that was this week's...
Industry News.
Feel a little light on content this week.
It's certainly, if that was a drink,
it would definitely be a single measure.
Yeah.
Yeah, yeah.
I think our inverted commas stig is slacking off a bit.
Although.
No, no.
It's all about quality of the articles.
If you go and find them, do a search for these and read them,
you'll find that they're very in-depth, very informative.
So you've read them then, Geoff?
No, I'm just saying.
That's the standard that our person on the street,
our intrepid reporter, strives to.
My interest was piqued with the global DDoS attack being dismissed
as a T-Mobile misconfiguration, as in what has someone done
to cause something that looks like a global DDoS attack?
You know, this is more than just, you know, spanning tree was left enabled on the router. Someone has messed up big on that one.
Yeah, and also from, you know, a second-tier kind of telco operator. They're not one of the big boys, are they, T-Mobile? Are they not?
I thought they were.
Well, T-Mobile doesn't exist in the... well, I mean, they merged with EE, didn't they? So I thought they became... and EE have merged with BT. But I think T-Mobile is in the US, but I don't think they are... they're certainly not Verizon or AT&T.
Well, perhaps if they sponsored the show they could tell us more about themselves.
Indeed. Or even if a spokesperson would like to reach out and tell us about this and not, I hope, give us a cease and desist.
Industry news.
As it comes to us.
So, good.
Very good.
So, yes, I think we're about halfway through the show now, aren't we?
So, you know, we're contractually obliged to... contract... contractually obliged to do something.
Oh yeah, I think we can do one of these.
You're listening to the Host Unknown podcast. More fun than a security vendor's briefing.
I tell you what, that sounds more expensive than the 10 quid I paid for it.
That's one of my favourites, that one.
Only Thom could go to Fiverr and pay 10 quid.
Cheap at twice the price.
I was a struggling student.
I had to help.
Oh, man.
For all your financial advice, please contact TL2 Security.
Do you know what I think it's time for?
Surprise us.
I think it's time to hear the next segment of our sponsor saga.
Are we ready for this?
Absolutely.
Now, the question is, who was your least favorite guest?
Least favorite?
Yes, your least favorite, not most favorite.
Least favorite. We've done 180-some shows, so there's a lot of guests to choose from. There's been a lot of people. There's been Garry Kasparov, there's been Jamie Butler, there's been Brian Klaas...
Oh, name dropping, name dropping.
Javvad, Thom Langford.
Right?
Who are they?
I don't remember them.
Join Graham Cluley and Carole Theriault on the Smashing Security podcast.
Find it in Apple Podcasts, Spotify, and all good podcast apps,
or at smashingsecurity.com.
It's not all filth.
Jav, did they just give us money to insult us?
You know, the biggest insult is the one you didn't hear. Whose name did they not mention in that list?
Well, that's because he's not been a guest.
What? I'm a guest on, like, episode 195 or 196. I can't remember which one it was.
Did that one not make it to air?
Not without a time machine, no.
Ah, interesting. Must have been episode 183. Must have been cut in post or something.
So basically what you're saying is that Carole and Graham appeared in front of you in, like, silver time travel spacesuits and said, no time to explain, come with us, Andy.
Let me... episode 196. Can I just check, what month is this? What year are we in at the moment?
All I can tell you is it's episode 11.
Oh, right. So you guys don't... Oh, my days. So, wait.
Have we been through the fourth phase of that virus we had?
No, because you're still here.
Yeah, that was a killer. I mean,
that COVID-32 really got me.
That was a bad year.
Just when you thought it was safe.
COVID-32.
Do you know what it is?
I spent so long being paranoid about dropping information.
I mean, even the first podcast we did,
the amount of editing we had to go back and sort of take out.
Because sometimes I would just open my mouth and I would say things
and it will probably end up in litigation or upsetting some companies
which require them to sue me.
And I'm not in a position to defend myself on a lot of these areas.
Well, given how upsetting, Jav, I find you being on the podcast, it's not surprising.
So anyway, Smashing Security, lovely, or friends of the show, sponsors.
I think they deserve one of our special sponsored-by jingles, don't you?
Of course.
Okay. Host Unknown, sponsored by Smashing Security. Carole and Graham, in that order.
So I don't know if you got... obviously the answer is going to be yes, but did you guys listen to episode 183 of Smashing Security?
Remind me again which one that was.
So that's, okay, so that was yesterday's, and there is one part where they went a completely different route to what I was thinking as I was listening to it.
So they talked about a show that you'll probably remember in the UK called Noel's House Party.
Oh, with Mr. Blobby.
Yeah, exactly.
And they talked about, do you remember that thing where they had that hidden camera in the room and they would go, you know, they'll just go live to someone in their living room?
Oh, yeah.
And, you know, that person has to do something, they won a prize or whatever. And I don't know if you recall, but I was younger at the time anyway, and there was a rumour which went around our school, as, you know, all good rumours do. So to put it in context, obviously this was a Saturday night TV show on BBC One. Family time.
Family time.
But it was also on after Baywatch, which was a TV show on ITV, like, another channel. So it'd be quite common, yeah, you'd get in on a Saturday, you sit down, you watch Baywatch and then flick over to Noel's House Party. And that's where I thought, you know, Graham was going when he was talking about this particular part, was the rumour about some guy who was, you know, obviously caught enjoying watching Baywatch.
Yeah.
And that story, that rumour that went around sort of petrified everyone in my school to, you know, sit on your hands while you're watching Baywatch.
Well, just in case your parents have written in to Noel's House Party.
Well, exactly.
Yeah, but no, they didn't go in that direction at all.
So that's, you know, this is why I'm often not on the same wavelength as...
You mean the jingle is true, it's not all filth?
It's not all filth.
Must have been just the
episodes I was on then.
Oh dear, well we do
love having them as sponsors
and we do love them, they're certainly part of the show.
Friends of the show even.
So yes, very
happy to
be sponsored by them.
Andy, I think we should move on to...
Now, do I have one for this?
Oh, shall I wait for the end of that jingle?
That's a question, wasn't it?
Do you have something for this?
Do you know what I do?
I'm just completely caught unawares by this one.
However, I will gloss over it and give you the cliff notes
and meanwhile look up the details
until I figure out what I'm actually talking about here.
So you want us to fill some dead air for you?
Absolutely, yeah.
So, Jav, how long do you think we should keep Andy on the show for? Because, I mean, he's constantly dropping the ball. Like, this is literally... we literally weren't ready. This is mutiny. Show notes were not ready on time. I mean, he was typing them up as we started the show. What do you reckon?
Well, you're the one that said he ticks our Mauritian, Irish and Irish... That's a good quote.
True.
You get a two for one.
Yeah.
I mean, talks with a few other people, you know, I'm just saying.
This is mutiny.
This is, I'm not standing for this.
You can be fine in the bridge for this.
It's not mutiny at all.
We've been saying this for eight, oh, mutiny, not mutiny.
Sorry.
Right.
Anyway, so Billy Big Balls of the Week.
This is that segment of the show where we talk about something where someone has displayed massive cojones in their approach to something, or something they've performed. This week's Billy Big Balls of the Week is to the Cambodian government. So Cambodia has relaxed its entry restrictions in light of the current pandemic to allow people into the country. However, in order to access the country, all foreign visitors have to deposit 3,000 US dollars on arrival, and then they go for lab testing, medical treatment and, you know, other stuff which goes on to detect for COVID-19. So the swabs are done. The cost of those swabs are a hundred dollars, and if you test negative, you know, they return the rest of your money and you're free to go. If you test positive, you are then quarantined in a hotel, which then comes at a cost of... you've got a daily rate for your meals and, you know, also additional accommodation costs.
Sanitary... is it the Four Seasons Cambodia?
It's not, no. So considering the swabs cost a hundred dollars, the accommodation only costs 48 dollars.
Oh my god.
And then the meals also cost about 40 as well on top of that.
So essentially that $3,000 will cover a two week quarantine period.
Right.
So you have to be very sure if you are going to Cambodia as a foreigner that you are not, you know, going to test positive for COVID-19.
But it's a bold move.
I think it does make sense.
I mean sense I imagine
I have no figures in front of me
I imagine Cambodia is not one of the richest
countries in the world
but does attract a fair amount
of tourism etc
but as we've seen with New Zealand
there were two folks
who went to New Zealand
and have actually
tested positive for COVID,
you know, reinfected basically the country after it was clear.
You know, so Cambodia needs tourism to survive,
but it also needs to pay for anything that happens as a result of it.
So it's a smart move.
The only thing that concerns me is, you know,
if they're feeling a bit short on money,
do they just tell an entire plane full of people
that one person tested positive, therefore they have to stay?
I mean, is the system open to abuse?
Do you trust the government not to abuse it?
Well, I probably trust the Cambodian government
more than the British government at the moment.
Yeah, I mean, at least they've got a plan.
It reminds me of this episode of The Simpsons where Mr Burns,
he gets a million-dollar note.
And him and his sidekick, Smithers, they go to Colombia or something.
And they're sitting with the president of the country.
And he's like, I have this million dollar note.
And he goes, oh, can I see it?
And he turns to Smithers.
He goes, oh, should I give it to him?
He goes, oh, he's the president.
And so he takes the note from him.
He folds it up, puts it into his pocket.
And Burns is like, can I have my note back?
He goes, what note?
So yeah, $3,000.
Yeah, do I get a receipt?
No, go and stand in that line over there.
Which line?
The one with the coughing people in it?
Same swab going in everyone's mouth.
That reminds me of that story.
You know where Trump toured a testing facility
and refused to wear a mask.
And then picked up some samples.
Yeah, picked up some samples.
And then they had to destroy every single swab that was in that factory that day as a result.
I mean, the utter hubris of that man is staggering.
Jeez.
The fact they even let him in there without a mask.
Well, he said last week that scientists have come up with an AIDS vaccine, and then scientists came out and said, no, we haven't.
Or is... didn't he flee to the... what's it called, the thing underneath the White House that keeps them so... into the panic room?
Oh, the bunker.
The bunker.
I inspected it three times.
Inspected it quickly.
Unannounced inspection at like 10 to midnight or something.
Oh, man.
We've done what we said we wouldn't do and speak about him and politics.
Okay, let's move on.
Anyway, the Cambodian government, this week's...
Oh, you could have given me a bit of warning. Hang on, hang on. Ah, there we go.
The Cambodian government, this week's Billy Big Balls of the Week.
And, you know, just for future reference, the warning is that part where you say, anyway, we should move on.
This is true. This is true.
Hey, you know, it's tough herding you two.
It's like herding lizards with you two.
I'm not just multitasking.
I'm sort of multitasking in multiple dimensions.
Yeah, so we have moved into Trump territory.
It's very difficult, though. It's very difficult.
It's, you know, when the onion is running out of stories
because everything they write is just coming true anyway,
it's a little difficult to not keep him in, especially when he just wants something to point and laugh at.
That's why we keep Andy around.
Oh, this is true.
So you're literally confirming that 95% of your material does come from me. That's how I'm interpreting it now.
Maybe, like, a small percentage of our entertainment comes because of you.
Well, a large amount of our entertainment comes from you. I don't know how much of the listeners' entertainment.
Yeah, yeah. And all I'll say is one of your photos makes it into my slides regularly, and that's about it.
A picture that you supplied me with.
Is that interesting?
Which?
Is that the one with him
in the red onesie
in Sheffield?
No, no.
It's not one off him.
It's one he supplied.
Oh, which one's that?
This is my audit box, isn't it?
Yes, the audit box.
Oh, man, that takes me back.
And I always am very, very discreet.
So now you've let the cat out of the bag.
Well, unless Thom beeps it.
This is the picture that I use in my slide of an audit box, where it's like all these documents are pre-cooked, pre-prepared to give to an auditor. So when they come in, it's like, you've got a network diagram? Here it is. What are your procedures on access control? Here it is. And I do recall, in a talk I gave at BSides many, many years ago, calling you out on that without even knowing you.
Without even knowing you, yeah. And I'll be honest, I was only in your talk because I was too lazy to walk down the hall, because this was when BSides was in... what's that place in Barbican?
Yeah, it was, actually.
Yeah, so, I mean, it's a pain walking between those hallways, and there was a talk that I was at that I enjoyed, and then there's another talk that was going to be in that room again, and I kind of wanted to see this talk that was down the corridor, but couldn't be arsed to go down and come back. So I sat down, I just stayed there, and lo and behold, I felt personally attacked as you were talking. I was like, is he making eye contact? Is he one of our auditors?
Yeah. So, I mean, you know, historically, these were things, I called them efficiencies, you know.
We had this great time where this one auditor came over from,
I think he came from Canada to audit us about the handling of their data.
And, you know, just the usual, open up the talk.
Oh, how's it going?
Oh, you're here with your family. First time in England? Oh, great. What else are you doing while you're in London? Oh, you've got to check out the Eye. Oh, your mum came as well? Right, okay. Do you know what, all of this stuff is pretty standard, so let me tell you what, I will give you all of this evidence that you need, and if there's anything outstanding, feel free to shoot me an email and, you know, I'll cover it off, send it to you via email, no issues whatsoever. But, you know, you should really make the most of your time while you're in London.
And that was a five-day audit reduced down to two hours.
We passed it.
We passed that audit.
It was,
uh,
you know,
I remember walking back into the office
and the MD looked at me and was like, what have you done?
I'm like, no, no, it's cool.
It's all sorted.
He's like, why is it over so quickly?
I'm like, no.
Did he quickly check the petty cash tin?
No, no, you know that you don't use a petty cash tin.
It takes more than just petty cash to bribe an auditor.
Exactly. Wow.
It requires a purchase order and everything.
That's incredible. I don't think you've... you told me that one before.
No. Yeah, so that was, uh, yeah. I mean, that's, uh, and this is why, I guess, now, time, you know, statutes of limitation, uh, or something like that, is probably protecting me from some of those stories.
However, you know, I will not talk about current cases.
But the ethics of that auditor, that's outrageous.
Yeah, outrageous.
I mean, it's...
Stop joining in, Jav.
I know whose side you're on.
But, um, but, you know, Andy, if you ever go independent, like, like Tom has decided to go, and you set up A2 Security or Double Security or, like, AGRC Limited or something.
Yes, that's right. I like Double A2 Security myself, with the two A's in a bracket.
Then, um, then, uh, Andy can be the corporate, the security's Ray Donovan. You're a problem, you have an auditor, he will find unconventional ways, but he will sort out your problems.
And no, there were no ethics violations on my part. You know, that was...
You provided the information and you said, yeah, actually, I mean, apart from manipulating the situation to your advantage.
But yeah, no, no manipulation.
if there are any lawyers listening or solicitors or people that deal in this kind of thing
or heads of audit organizations yeah or any expert on Twitter, because everyone on Twitter is an expert.
Yeah.
Or someone that's read an article.
Yeah.
Yeah.
More than we have today.
What's your take?
Was Andy in?
Morally, we know he's always, you know, in the grey.
The wrong side of the line.
Yes.
But legally, did he do anything wrong?
Or was it all the blame on the auditor?
Andy, were you a member of (ISC)² or ISACA at the time?
In, let's see, what year was it?
Don't mention the year!
Something.
No, I would not have been a member.
Okay, so you wouldn't have been held to the ethics.
But again, I didn't violate any ethics. I was purely making the job easier for the auditor. Um, you know, I don't know.
You manipulate...
You know, I've been through many audits. I know how to make them more efficient. Um, you know, we could sit down all day and, you know, talk through this, talk through that, when you're going to ask for the evidence and I'm going to have to send it. And here it is anyway. You know, if you go through this and then decide whether or not, you know, it doesn't answer your questions, yeah, come back. I'm here for you. You know, I'm here all week.
The Amazon number one bestseller, The Efficient Auditor.
Yeah, it's a book of cash.
Yeah.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
Right, Jav, we're going to move on to you to rant of the week.
I'm going to search out the little jingle for it and fill this dead air right now. You ready?
Yep.
Okay, marvellous. Rant of the week.
So I'm going to have to give you the short version, because I realised we've actually, like, rambled far too long today.
Yes, very unlike us.
Yeah, but I think delving into Andy's, you know, dodgy past makes me feel better about myself and my, my life choices.
Don't say anything,
Andy.
I know what you're going to say.
Don't say anything.
I'm going to bury you. This is.
What was that thing you were looking to buy on Amazon?
I've just got it up.
I'll send it to you now.
Sorry, just a reminder, folks.
Rant of the week.
Speaking of things to send people,
if someone says something,
writes something bad about your company,
or not necessarily bad, something that might even be true,
but you just don't like.
You could be an amateur like bleep, blab, blabs,
and send a cease and desist.
Thanks for saving me the post. Yeah.
Or you could be experts like eBay.
You know, there were six employees,
including their former senior director of safety and security and their former director of global resilience,
David Harville and James Bao.
James who?
Bao.
Oh, right.
Um, if you can't tell, I'm not collecting my thoughts. I'm trying to read the story as I...
Do you know, had you listened to the Smashing Security podcast, you would have heard this story, uh, discussed in detail.
Yeah, well, we're just, we're just, what we're trying to do is to re-emphasise and, you know, re-message Smashing Security stories so that they reach a greater audience. I mean, you know, this is what good money pays for.
Absolutely. And, you know, had we recorded yesterday, we would have got the story out first.
Yes, that's right. Except our recording days have slipped from Tuesdays to Wednesdays to Thursdays and now to Fridays.
We need to change that up so we get it out.
But anyway, so there was a newsletter that went out, and six eBay employees, instead of, like, trying to have a conversation with them or trying to change their practices for the better, they launched what was described as a cyber stalking campaign, which included sending the couple who ran the newsletter, um, threatening messages, disturbing deliveries including a box of live cockroaches...
What?
Yeah. A funeral wreath and a bloody pig's mask.
That draws a line for me, and that is not allowed, man.
No, I know. And conducting covert surveillance of the victims.
One out of one star, would not buy from again.
No, no. Um, so, so we had a chat about this yesterday, and Andy was like, shrugged, and he was like, what's the story?
Well, I mean, it's not as blunt as that. It's more of a case of these are old school tactics. You know, it may not be, yeah, it's definitely not ethical, um, you know, there's no doubt about that, but I'm not surprised by some of these tactics. Um, it is, I mean, you know, the whole fly larvae, um, you know, maggots in a box with, uh, pork chops, raw pork chops, and then sent second class post, um, so it takes, you know, a few days to get there over summer, in a spring-loaded box. That is not, yeah, it's not something I'm surprised by.
Very specific, Andy.
Well, I'm just saying. I mean, the funeral wreath, that's a cold one.
You know, typically I would have seen something like a tarot card of death
or something, you know, just a...
You're getting very specific again, Andy.
I'm getting a bit concerned.
These are very old school tactics.
You know, how can I come out of this without... I don't know.
All I'm saying is that, yeah, it's a story, I guess.
What's the rant?
What? It's bad, yes, 100% agree with you, but a bit of naivety if people do not realise this happened or used to happen a lot.
Well, yeah.
I mean, you look at Silicon Valley
and you look at the profile of all their execs,
you know, you wouldn't expect this from any of them.
You know, they are, like,
mentally on a different plane than everyone else.
Well, eBay are the second-hand goods dealers of Silicon Valley, aren't they?
I mean, they're like the used car salesmen. Yeah, they're the Better Call Saul of Better Call Saul, with, um, with their buddies PayPal too.
Well, this is just it, you know. Box of maggots paid through PayPal, they're going to find out who sent them. Right? It's like, you know, I'd be interested if they actually...
You don't buy maggots off eBay, man.
I'm sure you could.
Oh no, you could, but you don't.
Well, I guess because they're second-hand, right?
But yeah, they're called flies.
But it's, you know,
I'd be fascinated, did they send them through the eBay
channel where they sent, you know, out of
band?
Jav, you read the story.
Yeah, yeah. No, they probably sent it out of band.
You know what? It doesn't matter.
I think what you see is when you look at these types of execs, at these types of really big companies, they do exist in the bubble.
They do think that they're above the law
They think that they can get away with anything. But they get lots of money, they've got lots of money from a young, you know, quite often from a young age. Yeah. Um, you know, and they're surrounded by people who, you know, we would typically consider assholes. Um, and so, you know, they don't have that sort of the checks and balances of people to, uh, you know, sort of rein them in. You know, if they don't get their own way,
they act like children. They throw a temper tantrum,
but they've got the money and resource to, you know,
get some sort of gratification out of it.
But the fact is, this wasn't just one person who was, you know,
maybe a high functioning psychopath.
This was six people who, between them,
thought it was a good idea.
At which point do you think, even as three people,
we know where to draw the line?
Well, I say we know where to draw the line.
We often stop ourselves from doing stuff
because we know that that's just, you know, the wrong way to go. But six people, all of them agreeing.
Yeah. Maggots in the post. That's a great idea.
It's just a prank, bro.
That's it.
By sticking the word bro on the end with a question mark means it's a prank.
Yeah.
I just, you know, I'm taking over your rant because you're not ranting.
Oh, no, no, that's fine. I just bring up the stories and, you know, pull the pin and let you two do the talking. But, you know, it does raise the question, what else did these people get up to? Because I don't think you go from everyone just doing their job to let's send some live maggots to people. I think there's a gateway that you go through, and it might have started with, like, you know, let's sign people up to newsletters they don't want and maybe they'll get the message. I don't know.
Gateway behaviours. Putting people's car for sale in the Auto Trader or something like that with their phone number.
That's always a classic.
Yeah, registering them on those.
Again, guys, very specific.
I feel like the innocent in me is being ruined by you two.
Sure, I will.
Well, no, I won't actually say. I was going to say some of the things that we go through today as a company, um, you know, some of the stuff we receive in the post, uh, from disgruntled customers is, uh, really...
Yeah? Absolutely. Um, oh, Paul, you're going to kill me, kill me for revealing this, um, but things like used condoms, um, in the post, sent to, uh, yeah, there's some pretty disgusting stuff that comes through.
Is that your ex-girlfriend that's sending them to you, Andy?
Not addressed to me. I don't even know my... I personally, I don't know which office I work out of. Um, so, you know, I never know where to get posted.
But, yeah, no, this happened to an office, not in the UK,
but one of our European offices.
Jeez.
Again, there's some pretty... I know.
I'm going to...
These guys have stiffed me on a credit report, apparently.
I'm going to do something and package it up into a box and send it to them.
What?
Yeah.
Well, you know, you should take it, submit it to Ancestry.com
or one of those.
Yeah.
Oh, yeah.
Yeah.
No, no.
What you go and do is then actually commit a crime
and leave that evidence at the scene.
Oh.
That's what you need to be doing. Allegedly. No, if, if you wanted to, you know, mess with someone. So see the show notes for the link of a recent crime that has been solved, folks.
It's like the Uno reverse card. Yeah, the person is insisting they're innocent, but, you know.
Anyway, thank you, Jav. That was this week's Rant of the Week.
So we are, wow, we're running on and on. We're going to move on to The Little People right now. And now, this week, Jav, we've got Paco Hope.
Indeed, Mr Baguan himself.
Now, Paco, we asked Paco to tell us about his tiger sanctuary in, in, um, in Florida, but he decided not to talk about that. Um, we will let you, um, decide for yourselves what, well, listen for yourselves as to what, uh, he talked about. So here we go.
Yeah, I do talk a lot about InfoSec,
but I did run a website that had a CVE with a 9.8 CVSS score for three weeks.
SQL injection, RCE, unauthenticated, knock yourself out.
It was terrible.
But here's the thing.
Like, website is for people with spinal cord injuries,
traumatic brain injuries, that sort of thing.
So the first time some joker resets the admin password using that SQL injection, they start messing around. I think, OK, cool, I'll turn on MFA. That's going to protect us there.
But people who are trying to type with a mouth stick or they're using assistive tech in their browser, man, that TOTP MFA sucks.
It's super hard to use.
And the forum software, in addition to this lovely CVE,
didn't give me a range of options on security here. It wasn't like MFA for some admins.
It wasn't MFA for some actions.
It was either MFA for all admins and all admin actions,
even right down to like basic content moderation,
or it was no MFA for anybody.
So since I couldn't leave my most important users locked out of the site's admin functions,
I just had to live with that SQL injection for a few weeks.
And I would have gotten it done faster,
but the damn patch had a bug that broke the whole site.
And so I'm glad I tested it on a test site,
because then I had to spend a few extra days hunting down the one-line patch on some support forum somewhere. So, yeah, even when you talk a good game, sometimes you end up looking like amateur hour in real life. Hey, wait, you're recording that? Hold on.
Some good points, well made.
Yeah, I, I could, I, I'm, I'm amazed about, you know, that big cat he was talking about, you know,
in the second half.
Incredible, the stories, the background
that some of these animals have gone through.
It's amazing.
And ultimately, it's always that damn Carole Baskin.
Damn, yeah, absolutely.
Yeah, absolutely.
So Paco, thank you for that.
Very enlightening.
Sorry, Jav, you were going to say something?
I was going to say, you know, this episode should be dubbed
the keeping it real one because we're actually keeping it real.
This is a reality.
You know, it's one thing to say, well, oh, you should patch all your servers
or you should, you know, be honest with your auditor or you should.
Or feed all your big cats.
But, you know, the reality is, you know, when you look at real life,
there are bad people, there are good people, there are bad processes.
And, you know, there are lots of things that are a decision to make.
So don't at me on Twitter, but that's my hot take.
Very good.
Very good.
Thank you, Jav.
And that was our The Little People.
So I think we draw to an end, uh, again at a record-breaking time, despite the fact that we said we were going to keep it about 45 minutes before the show started. But, uh, but there you go. Um, what we mustn't do is forget to say thank you to our sponsors, Carole and Graham of the Smashing Security podcast. We also mustn't forget to play the last part of their sponsorship package before we go. But just, just a, just a little hint here. When they sent me these little, uh, advertising jingles, when Graham sent them to me, the first email I got, when I listened to them all, the third one didn't have any bleeps in it, and then he immediately did the, you know, recall email. Sorry, I sent you the wrong one, and sent me, and sent me this one. So, but, you know, that to guarantee someone reads an email...
Just recall it.
Absolutely, and then send another one, because it makes them go back and read the first one and then they...
Yeah, absolutely.
So what I've done is, obviously, I've kept an offline copy of, uh, of the first one he sent without the bleeps in it, um, and you... You'll see what I mean later on. Anyway, yes, Jav, Andy, thank you so much.
Always a pleasure.
Thanks for coming on my show.
You're going to leave us hanging?
You're not going to tell us who the underdog is?
It's one of you two.
My money's actually on Tom.
No, no, no.
I'm keeping this very simple.
Carole and Graham, if you'd like us to not reveal who it is, you can go to our sponsor page and sponsor another episode. Or if somebody gets there first, somebody else gets there first, um, we can reveal to them either privately or online, or online.
So anyway, you've missed this, haven't you? But the reason they gave us these jingles, they've probably trademarked that music which they play, and now they're just going to go, go and get a takedown notice. Like, we've now, we're going to get some maggots in the post, aren't we?
Exactly. And, uh, with a cease and desist letter.
Exactly. Yeah, if people learn these things and just repeat the cycle.
Oh my days, we... God. As we walked into it.
Yeah, absolutely.
Anyway, thank you, folks.
Appreciate you listening.
Jav, goodbye.
Goodbye.
Andy?
Stay secure, my friends.
I hate you guys.
Host Unknown, the podcast,
was written, performed
and produced by
Andrew Agnes, Javvad Malik
and Thom Langford.
Copyright 2015
or something like that.
Insert legal agreements here
as applicable and binding
in your country of residence.
We thank you.
Who was your least favorite guest we've had on Smashing Security?
On the podcast?
Yep.
Don't worry, we'll bleep it out.
We'll censor out the name.
Least favorite guest.
Least favorite.
Yeah, least favorite.
Oh.
Not worst.
How?
Oh, oh, I do know.
Yes, of course.
Does it rhyme with ****?
Join Graham Cluley and Carole Theriault on the Smashing Security podcast.
Find it in Apple Podcasts, Spotify and all good podcast apps
or at smashingsecurity.com.
It's not all filth.
You're going to have to tell us who it is.
All right. All right.
All right, I will.
Stop reporting first.
I'm going to tell you right now.
I'm going to tell you right now who it was.
It was...