The Host Unknown Podcast - Episode 121 - The Live One
Episode Date: September 16, 2022

This Week in InfoSec
With content liberated from the "today in infosec" twitter account and further afield

9th September 1947: An error in the Mark II computer at Harvard University was due to a moth trapped in a relay. The moth was attached to the log book with notation "first actual case of bug being found."
https://twitter.com/todayininfosec/status/1303717480423133186

11th September 1992: The movie "Sneakers" was released. With a budget of $35 million, it grossed $105 million at the box office. A hacker movie classic! Bishop, Whistler, Cosmo, and Mother!
https://twitter.com/todayininfosec/status/1304574876922019841
Sneakers IMDB

Rant of the Week
Google and Meta fined over $70m for privacy violations in Korea
South Korea's Personal Information Protection Commission (PIPC) has issued two large fines for privacy violations: a $50 million penalty for Google and $22 million for Meta.
The PIPC's beef is that neither Google nor Meta properly obtain consent or inform users on how they collect and use data, particularly with regards to behavioural information used to predict interests for marketing and advertising purposes.
The data watchdog claims Google hides the setting screen to agree or disagree to collection methods and sets the default to "agree", while Meta only asks for agreement when a user creates an account and does so in unclear ways.

AND / OR

A surveillance artist shows how Instagram magic is made
When traveller Daniele Brito posed in front of the Temple Bar in Dublin, Ireland in late August, she likely didn't realize the camera was watching her.
Yes, there was the one pointed at her, capturing a photograph that would later be shared to Brito's more than 2,700 followers on Instagram. But there was at least one other one observing her: a surveillance camera stationed on the corner opposite the bar.
The Follower
The Machine

Billy Big Balls of the Week
Chess player denies using anal beads to cheat in match against world champion: 'This is not a joke'
A chess underdog who unexpectedly beat a champion player has been accused of using anal beads to cheat his way to victory.
Yes, we know – you probably never expected to see "chess" and "anal beads" in the same sentence, but here we are.
The furore kicked off when Norwegian chess champion Magnus Carlsen announced he was withdrawing from the Sinquefield Cup, a lucrative tournament which attracts some of the world's best chess players.
Carlsen posted on Twitter to say he was leaving the tournament, but gave no explanation why.
The Hans Niemann story from reddit
Chess player Hans Niemann denies using sex toy to help him beat grand champion
Vibrating Butt Toys Are Exactly What Chess Needs

Industry News
Cops Raid Suspected Fraudster Penthouses
US Treasury Sanctions Iranian Minister Over Hacking of Govt and Allies
Hackers Steal Steam Credentials With 'Browser-in-the-Browser' Technique
iOS 16 Launches With Lockdown Mode, Spyware Protection, Safety Check
Vulnerabilities Found in Airplane WiFi Devices, Passengers' Data Exposed
Cybercrime Forum Admins Steal from Site Users
User Alert as Phishing Campaigns Exploit Queen's Passing
YouTube Users Targeted By RedLine Self-Spreading Stealer
Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence

Tweet of the Week
https://twitter.com/SecurityAura/status/1570232260485386242

The Joseph Carson Talk Tweet Thread
https://twitter.com/J4vv4D/status/1569704538252214274?s=20

Come on! Like and bloody well subscribe!
Transcript
Well, there's no point in even trying to edit the show because he actually sounds like he's in the closet anyway.
So I... I'm not in a car. I've been out of the closet for a long, long time, just ask many of my friends.
Oh my god, what friends?
Well, so, so, so we're doing this, doing this completely live this week.
Yeah, because, um, completely... Well, I don't have time, you don't have time, we know Jav's not gonna do it, I'm on the road anyway, so that's why I sound like crap.
That's why it sounds like I've got my head in the closet. Cool.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode, I've lost track.
127.
So, okay, 127 minus 4, 123, is that right? 122? I don't know.
So yeah, welcome to this week's fully live, fully, completely, completely off the cuff.
I haven't even read the show notes. I'm on the road. These two are busy.
Exactly, so we're all over the place. But yeah, Jack, how are you this fine morning?
And I'm just laughing on the inside how, like, you know,
someone with 20 grand's worth of Apple product sounds so shit.
It's just absolutely amazing.
Hey, yeah, but on Zoom calls, I still sound better.
It's just that we have very high exacting standards and this podcast malarkey, right?
Yeah, that's right when people that's exactly
when people play word association game you say host unknown podcast they say quality high standards
Well, I did meet somebody at the 44Con, uh, conference last night and he did subscribe to the Host Unknown podcast.
He left his phone unattended, eh?
I was going to say, we should only be down four or five viewers,
listeners this week as a result, rather than five or six.
What have you been up to this week, Joe?
Well, I was at the Gartner conference for three days this week.
So, yeah, I've had to have like seven showers
just to get the stench off and lisp off me again.
Not a euphemism.
I was going to say, that's the CISO equivalent of...
That's the CISO equivalent of 44Con, I'm guessing, right?
Oh, no. Yes, yeah, 44Con. You, um, yeah, let's not talk about you and your history of 44Con, and you recommended, like, speakers to us.
Oh no, god, I've forgotten about that. Once, like seven or eight years ago. So once. Good lord, yes. But we were trapped at the front.
Yes, right under his nose while he was talking. Yes, and behind his girlfriend. Yeah, behind his girlfriend as well. Yeah, so we couldn't even snigger until Jav basically bailed out and just...
Right, I just couldn't. No. So, top tip for anyone ever at a conference: never, ever sit next to, uh, these two, especially Andy, because he has the knack of sending you the most unhinged stuff ever that will have you rolling on the floor literally laughing, and he would just sit there with that permanent smirk on his face.
He doesn't go beyond that smirk.
And, yeah, it was very embarrassing.
Very, very funny.
So, once again, I'm the only one that's been in the office, right?
Yeah, pretty much.
No, no, I've been in the office this week.
But, Jav, who did you take the piss out of at Gartner
as a result of you being there?
Oh, well, I went to a few talks,
and then I was a bit like, you know,
these are Gartner people, and, like, they put me to sleep.
I did attend a session by a good friend of the show,
Joseph Carson, and...
Oh, yes.
He actually gave a really good talk. I live tweeted it to the best of my ability, so if you follow me on J4vv4D on Twitter you will see that one.
You will see, you brand expert. As you told me once, Jav, if you have to explain it you've already lost. But also you said that Joe did a really good talk.
Yeah, he failed at the last hurdle. What was that? No takeaways. So his talk was really good, he done it, then at the end he said, well, thank you for coming to my talk, and thank you for... and look after each other and stay safe.
And, you know, he just sort of like bumbled on for like 10 seconds.
It was just that little bit where he lost his train of thought
as he was wrapping up right at the end and he was thanking people.
And I thought, yeah, you know, I've got high standards, you know.
As you know.
Yeah.
As anyone listening to this podcast will recognise, uh, we only associate our names with quality.
I was gonna say, with quality like that, Joe has got a future as a Host Unknown podcast presenter, right? Yes. Me? Yeah.
Andy, what about you, how was your week in the office?
Uh, it was good until, uh, Feather went into effect, which is the Queen's lying in state.
And the queue goes past the office, so I have abandoned heading into the office due to sheer volumes of crowds,
plus the additional security that's been going on.
So, yeah, having to show your pass and that kind of stuff. God, no time for that.
So speaking of additional, pass your office, and the fact that you're very, very English, did that mean that you felt like you had to join the end of the queue until it got to your office, at which point you go in?
Uh, indeed, yeah. Although my, um, the, uh, the African in me actually just queue jumped. I just went straight to the front and, uh, pretended not to speak English.
Speaking of security, speaking of security, have you seen the new King's man? He's all over TikTok now. The bodyguard is like a Sikh but he's like really well dressed up and they call him the Singhs man. He's like the personal bodyguard to the King, and like there's been bits where he's been getting in and out of the car and his jacket's moved to the side and you see the butt of what looks like a golden gun or something.
I'm surprised Andy hasn't seen it. He's on TikTok all the time.
But if you look him up, quite a character. I have actually seen it.
I thought it was a taser.
Yeah, I thought that was a taser, the yellow gun.
I'm not an American.
I do not know the difference between a taser and a gun.
All I know is someone points a banana at me,
I'll comply, yeah?
Well, instead of shouting taser, taser, taser,
it's banana, banana, banana!
Yeah.
Oh, dear.
How are your travels, Tom?
How was your week?
Yeah, very good.
44Con was good, so I helped judge alongside... typical white man, typical old white man judging others.
Well, absolutely. I was going to say, I also bumped into Joe Carson this week, but it wasn't. It was Dave Lewis, obviously, the separated-at-birth brother of Joe Carson.
So he and I were judges for this incident management game,
as it were, that they set up for the evening's entertainment.
And it was really good fun.
It was really good fun.
What do you know about this?
Was it like tabletop scenarios?
Yeah, well, it's a tabletop scenario, obviously lots of tables, and each table, one was security and one was incident response and one was HR and legal and so on and so on. And it was like different rounds, and they were injecting various new information and how they interacted and all that sort of thing.
And basically Joe, uh, Joe, god, I've done it again, Dave and I were the, what they called the red team, but were the C-level execs that had to report to us every round.
We had to ask questions and ask why they did stuff.
And then we would go around and interact with them and see what they were doing and stuff.
It was really, really good. Although in the wrap-up at the end I had to say, um, words along the lines of, you know what, in real life I'm not actually as much of a prick as I have been the last, you know, hour and a half.
Objection, your honour, hearsay. Yeah, exactly. That's funny, that's what an awful lot of other people who knew me said as well.
but yeah it was very very good
a couple of pictures on Twitter of it
which was good but very enjoyable
44 Con is good
a little smaller than the previous years
I've been but I'm surprised
given it's the first proper one back
but yeah nice to bump
into a whole bunch of folks I haven't seen for ages
Jamie Duxbury
he seems good, although
he's half the man he used to be, bloody hell
but he's like 7 foot 2
how can he be half the man he used to be
I know
the first thing I said to him was
where have you gone?
It turned sideways and I'd have missed him.
But, no, it was really nice to catch up with a whole bunch of folks, and it seems like, you know, the conferences are coming back nice and slowly.
So, yes, and talking of things coming back, should we see what we've got coming up for us in this week's show?
Yeah, with no backing music.
Yeah, is it in the deck thing? Have we got the backing music?
It's not, no, I didn't put any backing music in there, no.
Oh, well.
So, this week in InfoSec takes us
back to the first ever report
of a computer bug. Rant of
the week goes all machine from person
of interest. Billy Big Balls
is a theoretical story of how
to overcome anti-cheating measures
when the world is watching you.
Industry news brings the latest and greatest security news stories
from around the world.
And tweet of the week is a bold strategy cotton.
Let's see if it works out for them.
I didn't understand a word of that last one at all.
So let's move on to this week's...
This week in InfoSec.
See, pop culture references are wasted on these people.
It is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and further afield,
whilst the others read the show notes to see what they're going to be talking about later on today.
So our first story takes us back to your university days, Tom, a mere 75 years ago, when on the 9th of September 1947, an error in the Mark II computer at Harvard University was discovered to be the result of a moth trapped in a relay.
Ah, yes, yeah.
Now, the moth was subsequently attached to the logbook with the notation "first actual case of bug being found".
So it was obviously back on the 9th of September 1947 a team of computer scientists and engineers were credited with reporting the world's first computer bug, and this is even though Thomas Edison had reported bugs in his designs as early as the 1800s. This was the first bug identified in a computer.
And so obviously the team at Harvard University found their computer, the Mark II, was delivering consistent errors, so they did what any engineer does when something isn't working as expected: they took it apart. And obviously when they opened the computer's hardware they found a moth, and that trapped insect had disrupted the electronics of the computer.
And just an interesting bit of trivia: among the team who found the first reported computer bug was actually computer language pioneer Dr Grace Hopper, and although she is often given credit for reporting the bug, that isn't actually true, but she was, however, the person who likely made the incident famous. And so, yeah, this is the first ever bug report in the computer.
Literally a bug.
And I'm sure whoever made that gag had told that story from every party they attended from that day onwards.
Absolutely.
What I think is fascinating, when you said when they opened the computer, what you mean is when they opened the massive barn doors of the building that the computer was housed in, walked through 17 different corridors of valves. You know, it wasn't quite, you know, let's pop this thing open onto the desk, you know.
No, and it is a... That's when you say they open the computer, because it's not a one-person job. It is a team effort, a coordinated effort.
Oh, dear.
But our second story is more of a reminder of, I guess,
great movie and film long associated with hackers.
And so this is the story of 30 years ago, the 11th of September, 1992, the movie Sneakers was released.
And with a budget of $35 million, it actually grossed $105 million at the box office.
And obviously became a hacker movie classic with the characters Bishop, Whistler, Cosmo and Mother.
And it was actually released at different times in different countries,
which used to be common back in those days,
until, you know, movie studios discovered that as technology evolved,
they were just sort of encouraging piracy
for those who couldn't be bothered to wait.
So it was 11th of September in USA, 29th of October in Australia,
not until the 13th of November in the UK.
But this is a movie, I'm sure, well, I guess in our area,
everyone kind of, you know, anyone around my generation,
you know, born in the late 90s is aware of this.
But it did bring many examples of social engineering and hacking techniques.
And I'm sure inspired many people who are currently in the industry today.
Um, no, didn't Robert Redford have to wear a wetsuit or something like that? He did, yeah, to defeat the heat... Yes, defeat the heat sensors.
So yeah, and all these things. The other one with the, um, the voice, uh, pattern, the voice recognition, you know, the authentication for the guy's, um, access to the office, so they recorded him saying various phrases and put it all together on a tape. Um, but just all the things they do, like just fantastic examples of, um...
While he was wearing the wetsuit he had to move really slowly to defeat the motion sensors. Exactly, he did a Drax from Guardians of the Galaxy.
Yeah, but the whole thing, I mean, you know, the sort of whole opener, you know, no spoilers here if you haven't seen it, it is, like I say, 30 years old, so, you know, sorry. Yeah, but you know, just the whole, you know, he gets paid to break into banks, you know. That's sort of... Yeah, yeah, you know, so you get paid to break into banks. It was, you know, fantastic.
But just to round that off,
I will add that September has historically been a great month for hacking movies
because it was 27 years ago, the 15th of September, 1995,
that the movie Hackers was released.
Obviously introducing us to the world of Zero Cool, Acid Burn, Lord Nikon, Cereal Killer and Joey, which is another fantastic hacking film.
So surprisingly though, uh, Swordfish was released in June, so, um, they should have moved that to September as well. I don't like... I don't count... But that was not a good hacker movie, right? No, it really wasn't.
That's the best movie ever made. No, not having it. What? I'm not having it. I mean, I can take Hollywood creativity, but when you start talking about dropping 128-bit Trojans on firewalls, that is just... no, come on, come on. Hugh Jackman was so realistic.
Is that the wrong number of bits?
I'm not quite sure what was wrong with that sentence.
Excellent.
Thank you for...
This Week in InfoSec.
The Host Unknown Podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
Ah.
Now, this is going to be very, very interesting
because I have quite literally not read ahead in the notes at all.
So this is, um, let's see how we go, shall we?
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
And just before we start, so Jav, rule 101 of any kind of radio or podcast is don't crash the jingle, man.
I'm staying quiet just in case you decide to play a jingle the moment i speak
Right. Google and Meta have been fined over $70 million for privilege... privacy violations in Korea. Well, enough said, right? I don't really need to go much further than this. Google kind of doesn't surprise me.
The whole do no evil thing didn't really last that long, did it?
And Meta, well, I mean, of course.
When do we actually release a podcast when Meta have not been fined for something?
I don't know.
But anyway, South Korea's Personal Information Protection Commission, the PIPC,
has issued two large fines for privacy violations.
$50 million for Google and $22 million for Meta.
So their problem is that neither Google nor Meta properly obtain consent or inform users on how they collect and use data, particularly with regards to behavioural information used to predict interest for marketing and advertising purposes.
So this really gets me. So a lot of these companies, they do tend to pay lip service to any of the, you know, consent is required for, um, you know, you need to give us your consent in order to use our services and tick this box, blah blah blah. If you had to read exactly what you were consenting to, it would take you hours and hours and hours. So of course, it being, uh, you know, the Google market or the Facebook market, whatever, people just click through it and that's perfectly acceptable for them. And the whole point being that people should have informed consent, very, very difficult when you fill that consent form with huge amounts of legalese and, you know, large volumes of words, and it makes it impossible.
So, and then it's, you know, people think they're just merely consenting to having, you know, their data stored somewhere and maybe looked at or whatever, but it's all of that metadata that's being obtained as well. So in this case, as we just said, behavioural information, you know, allowing them to predict interest and all that sort of thing. Now, I know that these services are being provided for free, therefore, you know, you're going to pay for something, but people don't understand, in fact many people can't even comprehend, um, you know, what data they are actually exposing about themselves when they use a service: quite literally where their mouse moves and things like that, you know, on a web page, all of which is being gathered, all of which is, you know, being sort of identified to them, etc., etc.
So, uh, in this case the data watchdog claimed that Google hid the setting screen to agree or disagree to collection methods and sets the default to agree, while Meta only asks for agreement when a user creates an account and does so in an unclear way. So it's exactly what I'm talking about here: whilst they understand they have to abide by certain laws, and of course it's very different in different countries, different practices in Europe to obtain consent versus other countries, etc., they still go as far as they possibly can to obfuscate what it is that they're asking for and why and what the implications are. It's a shady practice. It's shady as fuck, it really is.
It's like walking into a shop and, you know, when you leave, actually having your face recorded, every single item of clothing that you looked at recorded, everything you took off to look at and hold up against yourself in a mirror, having that recorded, if it fitted you having that recorded, such that when you get home you could then get a phone call from a shop assistant to say, hey, I noticed that you looked at this, this, this and this today, how do you fancy, you know, trying these different things, etc. If that happened in real life that would be seen as the creepiest bloody, um, business practice that you could think of. And yet we seem to accept it all.
In this case, the Korean PIPC didn't accept it.
But it seems many of these companies seem to think it's acceptable.
Like last week's story about Halfords.
And send in an email of legitimate interest,
even though it culminated in basically saying,
come spend your money with us. And here's the website, here's your voucher, here's our website,
here's how much it's going to cost you with us, blah, blah, blah.
And they were still pushing back, thinking that it was legitimate interest.
So, yeah, this should not be that difficult for companies of this scale
and with this amount of money to address, right?
Well, I think the problem is that amount of money allows them to,
you know, like Halford's paltry $30,000, £30,000 fine.
This is a paltry $50 million to Google.
Well, you know, yesterday...
That's right. In fact, we were saying this last night as...
Go on.
Oh, well, OK.
This is the beauty of not having an edited podcast.
You can hear where we talk over each other, folks.
But yet again, once again, Tom Langford has missed the point.
The sheeple amongst us reads a headline,
reads a headline, gets outraged exactly at what the headline
wants him to be outraged at,
and then goes on a long rant.
It is, well, I don't mind his rants,
because that's one step closer to a stroke or a heart attack for Tom.
And that's good for everyone.
But, you know...
My mum's going to have words with you.
Yeah, okay.
Well.
So, you know, the issue here is that, oh, people are saying Google and Facebook are collecting data.
Oh, my God. Heaven forbid I get better targeted ads.
So that's the typical reaction to most people.
The real question here, though, is that, like you said, every week we hear about Google and Meta and, you know, all these companies getting fined millions and millions of dollars.
Where is that money going?
I don't see any of the regulators say, oh, all of you people were impacted by this.
Here's five dollars each or ten dollars each.
No. Where is it going?
It's like a stealth tax going into the back pocket of some corrupt politicians. I think that's the real story. They want us to get outraged at, where, you know, oh, your privacy has been invaded. Okay, what have you done? Well, we fine them. Well, how does that help me? It doesn't help you at all, but we fine them. That's the question, Langford. That's the question. Wake up.
So, so, Jav, what you're saying is, where's my cut of the money that the, uh, the Koreans, the Korea's Personal Information Protection Commission have gained? Where's your cut of that money?
No, I'm saying where are the South Korean people's cut of that? And the ICO in the UK have fined them.
And, you know, all the European regions have fined them.
America has, you know, their regulators have been fining these companies.
Where does that money go?
There's billions of dollars in there around the world that has been taken.
But where has it gone?
Are you going to start another podcast
to analyse where all this money's going?
Because that would be good.
I mean, Andy and I have got this.
Andy and I can cover this side.
We're fine.
You crack on with that.
I'm here to ask the hard questions.
Don't ask me to do the actual research because that sounds very difficult.
You sound like a, like a right-wing American talk show host, you know: hey, I'm just asking the questions, okay, I'm just asking the questions.
Anyway, that was this week's Rant of the Week. I've just hovered my button above the sweeper that says "the Queen listens". I'm not gonna play that one.
The Host Unknown Podcast. Orally delivering the warm and fuzzy feeling you get when you pee yourself.
yeah so obviously with the the end of Queen Elizabeth's reign,
the changeover for a lot of brands that may be high into it,
anything that's got the royal warrant,
the coat of arms on their product packaging,
along with those we also need to rebrand a couple of our jingles.
Apparently we're going to have to reapply for our royal, our royal brand. We will, yes. Uh, although I spoke to Charlie and he is amenable, um, to...
When you say you spoke to Charlie, does that mean you just had a very, you know, close nasal encounter with Charlie?
No, I mean I spoke to your son, Charlie, and he said it's all good.
I don't know how to approach this story now.
There you go, Jav. You're two for two when it comes to crashing jingles.
I said I don't know how to approach this story now today
because I've just been called a right wing American talk show host and I'm still processing that.
I might put that on my Twitter profile.
All right, Joe.
Hello, Rogan.
I'm just asking the questions here, Jav.
I'm going to get some elk meat now and, like, you know, have a barbecue.
If you are a grand high chess master... It is your turn, Grant.
...and playing the game,
I don't mean metaphorically a chess master,
I mean really like playing chess,
and you see all these cameras on you and you're just sitting opposite, you think cheating would be very difficult. It's not like, um, you know, the audience there and someone's going to be coughing like, like, uh, Who Wants to Be a Millionaire.
Who Wants to Be a Millionaire, yeah, yeah, there's another 30-year-old reference there. Yeah, because nowadays if you cough in a place... Oh dear, that you really distorted there.
Yeah, that doesn't work for you, Tom.
Nowadays the problem is if you cough like that in public, they're going to be like, it's COVID, let's remove it from the audience.
So, but there was a chess underdog who unexpectedly beat a champion player.
So what do you think?
Obviously, people are like, oh, Prodigy, you know, new champion is here.
And then obviously there are probably fans of the champion who say
there must be something a bit untoward here.
And so we don't know whether this is theory or whether it's a wild accusation or whether it's true.
But the underdog who beat the champion has been accused of using anal beads to cheat his way to victory.
You know, it's the first thing I thought of.
Yeah, exactly. Exactly. I mean, every time I leave a monopoly, I point at the person and say anal beads.
So, yeah, apparently he was accused of cheating because he was like one of the lowest ranked players taking part in the tournament.
His win came as a shock.
He ended the champions 53 games win streak, which made it even more suspicious to fans.
And they, you know, apparently he was using wireless anal beads that vibrated and gave him indications.
I don't think it's apparently. I think it's allegedly.
Oh, allegedly. So thank you. Thank you, my attorney.
And, you know, it's like, you know, I don't know where to go with this. If that's not a Billy Big Balls story, I don't know what is. But, you know, whether it's true or not, the fact that it can even be possible, and that this is being touted as a valid possibility...
I think that, what a time to be alive.
Do you know what?
I want a link to where one can purchase said wireless anal beads,
just for the purposes of research,
and just to see if it's possible.
But I'm going to need a link to start.
The link's actually in the show notes, um, but if you look at the Pink News, uh, link, there's a link in there, just click on the anal beads, which is underlined.
Uh, but so, like, to get it, as I understand it, you can set these at different, uh, vibrating speeds, intens... intensities.
And that determines what...
So he would have had to memorise
a whole load of plays
based on the intensity.
Or Morse code.
Morse code, maybe.
Okay, yeah, I guess, yeah.
Well, I mean, it's not a common communication tool, but I guess, you know, if you know it, if you study it, it's viable.
Yeah, OK.
If you think that Morse code is not a common communication tool,
neither is vibrating anal beads.
So to combine the two, that's what I mean.
I was going to say, in this story, the fact that he might have learnt Morse code is the part you don't believe.
Oh, dear. Wow.
Apparently he did say, this is absolutely ridiculous, I'll, you know, I'll play the next game naked if I have to. Which I thought was, you know, that's also a Billy Big Balls move, right?
Well, it is. But again, you know, my understanding of anal beads is that they're not always hanging out your body anyway.
So he's going to be sitting on his backside naked.
You're still not going to see him.
You're going to want a portion of them hanging out because you're going to want to, you know,
I don't know, remove them at your leisure.
I don't know, this is getting a bit...
It's a bit like those Action Man dolls where you pulled a ripcord on his back and he'd start talking, you know. You're going to want to put your finger through a ring and pull something, you know.
Yeah, okay, as soon as you mention ring when we're talking about anal beads...
Abandoned thread.
Yes, yes, Tom's just going off on one.
My boots. Okay, okay, okay, that was this week's...
Hang on, let me find it, I've lost the jingle again.
All right, nice one.
Billy Big Balls of the Week.
Now, I'm not sure what jingle this is.
250 episodes.
Blimey, I didn't think Graham was capable of lasting that.
Oh, here we go. Let's try this one.
In 2021, you voted us the most entertaining cybersecurity content
amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award-winning Host Unknown podcast.
How do you like them apples? Yes, you like them apples.
Well, we seem to be enjoying ourselves, we're having a pretty good time there, aren't we? So if we're having a good time, what time are you having, Andy?
I'm having that time where I look out the window and decide it is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Cops raid suspected fraudster penthouses.
Industry News
US Treasury sanctions Iranian minister over hacking of government and allies.
Industry News.
Apple steals Steam credentials with browser-in-the-browser technique.
Industry News.
iOS 16 launches with Lockdown Mode, spyware protection and Safety Check.
Industry News.
Vulnerabilities found in airplane Wi-Fi devices. Passengers' data exposed.
Oh, that's me, is it?
User alert as phishing campaigns exploit Queen's passing.
Industry News.
YouTube users targeted by RedLine self-spreading stealer.
Industry News.
Notepad++ plugins allow attackers to infiltrate systems, achieve persistence.
Industry News.
And that was this week's
Industry News.
Huge if true.
Huge if true.
Huge. Huge.
I'm going to pick, unsurprisingly, the Apple story here, but I'm going to take this in a different direction, which is Apple are running a very, very dangerous game at the moment, given that they put in all of this privacy stuff that stops ads from being run on their devices and put a massive dent in Google and Facebook's revenue and all that sort of thing.
And apparently now they're opening up a huge amount more of ad spaces using their own ad services for developers and things like that.
That's bad news.
If that's going the direction I think it might be going, then that is really bad news.
Apple might well have screwed this up big time.
And that's coming from me.
Yeah, but how much of a hassle would it be to move from the Apple ecosystem for you right now?
Massive.
Exactly, and so that's why they can afford it. They're a three trillion dollar company, they can afford to play about with these things and see what impact it has.
But you spend so much time, effort and money investing in, we are the privacy company.
We don't want to share your data.
We don't want to give you ads that aren't relevant or give you ads at all and blah, blah, blah,
and then say, oh, apart from our ads.
Yeah, but they didn't get to become a $3 trillion company by selling privacy.
I think people like their devices.
They like the way they work.
Yeah, but they did.
That was part of it.
No.
If I upgrade my phone, I don't think...
I'm going to get the iPhone 14
because it's got all these privacy features built in.
I'm going to get the iPhone 14
because everything else I've got is Apple
and it's just going to keep working.
Yeah, you're absolutely right.
But privacy is a part of it.
It's not like you just buy the phone because of the camera.
You just buy the phone because it's got a new processor.
You buy the new phone because it's got a good camera, a good screen.
It's got great screen protection.
It's got great quality.
It's got a huge amount of memory.
You buy the new phone because Apple deliberately inhibit the productivity of older devices by slowing down the processes.
Yeah, yeah, yeah, yeah, 100%.
Come on, I don't agree with that one.
No, they got fined for it. It is a fact.
Exactly. They got fined for not saying that they were doing it.
You're right.
They got fined for not saying they were doing it.
What they're doing is trying to maintain the performance of a phone.
But that's, you know.
You're right.
They got fined.
They shouldn't have done it.
Apple confirms it's slowing down your old iPhone.
Yes.
I know.
I know.
Apple fined for slowing down old iPhone.
Apple has been fined 25 million euros for deliberately slowing down older iPhones.
Yeah, and the question is...
Apple agrees to pay 100...
Did any of the people who were forced to work with slow phones or upgrade them unnecessarily get any of that 25 million?
See, that's the thread.
Are you just asking the questions?
I'm just asking the questions here, man.
That was 25 million here, it's 113 million in the US. So this was like, yeah, every country's got its different...
Yeah, anyway, I'm not slamming Apple for that. I'm slamming them for the fact that they may have just screwed the pooch on selling themselves on privacy and no ads, and now starting to push their own ads.
Yeah, but they're safe and private ads.
That's horribly cynical.
It's horribly cynical, and I hate it, I really do.
Anyway, but that's not even in this week's news.
I'm sure they'll be crying into their
three trillion
dollars in the bank.
Yeah.
Oh dear, Tim's going to be wiping the tears
away with his hundred dollar bills.
Well, it'll be with
unpaid labourers in
sweatshops that make the processors.
Why even use...
Why ruin money when you can ruin people, which is cheaper for him?
I'm trying to see...
Jav, what is a browser-in-browser technique?
I have no idea.
I assume it's like one of those pop-ups.
It's like when you get a browser, yeah?
And then this browser in the browser is what steals your data.
Come on.
It's obvious.
Unlike traditional phishing, which opens phishing web pages in a new tab or redirects them to it,
My understanding is this type of resource opens a fake browser window in the same tab in order to convince users that it is legitimate.
I think that's a lot of effort, given that most people,
whose phones especially I go to, they have like 200 tabs open.
They have no idea that they're all open.
I had to close them all.
Yeah, that's right.
So it's kind of like, I suppose,
the old iframe technique or whatever.
Iframe? Bloody hell, mate.
The 90s called. They want their browser techniques back.
I'm just saying everything...
I'm just looking at that other, the other headline about the cybercrime forum admin stealing from site users. As if there's just no honour amongst thieves anymore.
Oh, man.
Yeah, that's right.
That's right.
This is what admins do.
Admins look up Excel spreadsheets of people's salaries
because they happen to be on a secure drive in a network, allegedly.
So Altenin is an English-language cybercrime forum
that's been around for about nine years,
and they process payments via an escrow system
with a site admin managing that escrow account.
Is that the point of an escrow account
not being in the control of one of the interested parties?
Yeah, so this is one of the examples.
That's what I like.
There's actually a lot of haggling going,
like a true marketplace.
So in one case, this customer bought a laptop from another user, then messaged the moderator asking for confirmation that the money had been received.
Instead, they received a demand for an additional escrow fee of 128 dollars, which he then managed to haggle down to 80 dollars, which he paid. And then the purchase fell through, and when he asked for the escrow fee back, the moderator disappeared.
Because they didn't know where... Why'd you disappear? It's like, surely we have a home address for you and know where you live and work.
Yeah, I know, but surely it's the moderator, not employed by the company.
Oh, yeah. I mean, this is the whole point, the company's screwing its users.
Oh, Jesus Christ.
Let's see, anything, anything else here?
Vulnerabilities found in airplane Wi-Fi devices. That's kind of old news though, isn't it?
Different vulnerabilities, I think.
Same attack vector, different vulnerabilities.
Yeah, same shit, different vulnerability.
Yeah, that's right.
Given that you can allegedly fly a plane from this, from one of the passenger seats.
Yeah, exactly.
Unless Jav wants to talk about the Notepad++ plugins, which allow you to infiltrate systems and achieve persistence.
No, we'll pick it up another time then.
Yeah, yeah. I tell you what, you know, I'm happy to cover that myself. It needs an episode to itself.
Yeah, that's right.
And at least 20 minutes notice.
Yeah.
Actually, that was this week's.
Industry News.
I can't find one.
Here we go.
If you work hard,
research stories with diligence,
and deliver well-edited,
award-winning,
studio-quality content
for high-paying sponsors,
then you too
can be usurped by three idiots
who know how to think on their feet.
You're listening to
the award-winning
Host Unknown Podcast.
Woo!
Okay! We are barreling into the last part of the show, and it is our favourite part of the show, honestly, and the part of the show that we like to call Tweet of the Week. And we always play that one twice.
Tweet of the Week.
And I shall take us home with this one. This week's Tweet of the Week is from Aura on Twitter.
It says,
Every now and then I remember that client who got hit by ransomware
and lost multiple VMs because they had no backup.
Then realised that the threat actors had exfiltrated the VMs.
They didn't pay the ransom, waited for their data to be leaked,
and downloaded the VMs to restore the lost data.
They probably literally only had a couple of weeks downtime.
Much cheaper than paying the... Wow, nice. I love it.
Yeah, I think someone summarised it as saying,
two wrongs don't make a right, but three lefts make a right.
What?
Three lefts.
That is really good.
That is really good.
Brilliant.
I like that.
Well, you've got to have balls of steel.
In fact, that's a Billy Big Balls movie.
That is.
Let's face it.
Was that picture of Jordan Peele,
that gif of him just standing there sweating?
Do you know what I'm saying?
Yeah.
Please, it's going to be released soon.
It's going to be released soon.
Which Jordan are you talking about?
Because I know you get all your Jordans mixed up a bit, Tom.
That's what we want.
References to conversations from outside of this podcast.
I know, I know.
No one else gets that. Jordan Peele.
Jordan Peele, yeah.
He's a Canadian professor, isn't he?
Yeah, something like that.
Or was he the one in Wolf of Wall Street?
Oh, Get Out.
Oh no, was he in that film, Get Out?
Right, excellent.
Okay.
Oh dear.
Right, thank you, Andy.
Right, we've done it. That was our live episode, and we only screwed up a little bit.
Well, we only screwed up a little, but very often.
I think no more than usual. It's just you're not going to go through and mute Jav when he talks over stuff.
Yeah.
I tell you what, definitely, Jav, you definitely crashed the jingles far more this week than any other week.
You know what I'm going to do? You buy your anal beads, I'll get the remote. Every time I'm about to talk, like a walkie-talkie, I'll press the button before talking so you don't hit the jingles when I'm talking.
All you're going to hear throughout the show is me saying, say it again.
Say it again.
Oh well, talking of bringing me pleasure, thank you so much for your contributions this week.
I get lost, man. You're just such a bunch of amateurs, honestly.
Oh my God.
And while I'm rapidly trying to find the outro here,
thank you, Andy, for your lovely contributions this week.
Stay secure, my friend.
Stay secure.
It's not on here, huh. Outro, where are they?
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Fantastic.
I think we got away with that.
Yeah, no one's going to notice it at all.
Quality on point.
Studio quality.
Studio quality.
We did skip the story about, obviously, the intro said that, you know,
AI goes all machine, and we didn't even talk about the guy that does the,
released The Follower to identify, you know,
influencers taking photos in public places.
Oh, that's right, because it said and or.
You're right.
You're right.
We didn't.
Yeah.
Yeah, that was freaky.
I'll leave the link
in the show notes, folks,
so you can take a look.
But that is really weird.
You've got to look at that.
Yeah.
Well, that's it.
Right.
Thank you all.