The Host Unknown Podcast - Episode 126 - Don't Worry Its Organic
Episode Date: October 28, 2022

This week in InfoSec
With content liberated from the "today in infosec" Twitter account and further afield.

29th October 1969: The first message sent over the ARPANET was from Leonard Kleinrock's UCLA computer, sent by student programmer Charley Kline at 10:30 PM to the second node at Stanford Research Institute's computer in Menlo Park, California. The message was simply "Lo." But not on purpose.
How a simple 'hello' became the first message sent via the Internet
https://twitter.com/todayininfosec/status/1189318094151409666

25th October 2001: Microsoft releases the operating system Windows XP, the successor to both Windows 2000 and Windows ME. Designed to unify the Windows NT line and Windows 95 line of operating systems, Windows XP was not replaced by Microsoft until January 2007 with Windows Vista. However, with a nearly six-year run and the public debacle surrounding the release of Windows Vista, Windows XP remained the world's most popular operating system until August 2012.

Rant of the Week
An ex-TikTok moderator, who was paid $10 a day and had to scroll through child abuse and gun violence, was required to keep her webcam on all night, report says
A Colombian ex-moderator for TikTok said she was required to keep her webcam on all night, according to a report by The Bureau of Investigative Journalism. TBIJ spoke to nine moderators who shared their experience but requested that their identity remained secret for fear they might lose their jobs, or risk future employment prospects. All names have been changed, according to the outlet. Carolina, a former TikTok moderator who worked remotely for Teleperformance, a Paris-based company offering moderation services, and earned $10 a day, said she had to keep her camera continuously on during her night shift, TBIJ reported. The company also told her that no one should be in view of the camera and she was only allowed a drink in a transparent cup on her desk.
Related: https://www.bbc.com/news/technology-57088382 Facebook moderator: 'Every day was a nightmare'

PILOT PROGRAMME FOR FIRST CHARTERED CYBER PROFESSIONALS
CIISec and (ISC)² announced as pilot participant partners to assess candidates under the pilot programme.
The UK Cyber Security Council has announced it is set to usher in the country's first chartered cyber professionals through a pilot scheme. The first two specialisms kickstarting the pilot are Cyber Security Governance and Risk Management, and Secure System Architecture and Design. The Council has confirmed it will partner with two pilot participant bodies, (ISC)² and The Chartered Institute of Information Security (CIISec), for the pilot, with the organisations responsible for assessing applications from their membership base against the Council's newly established professional standard.

Billy Big Balls of the Week
Elon Musk walks into an office with a sink.

Apple's Killing the Password. Here's Everything You Need to Know
For years, we've been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs. Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now. Apple's rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech's biggest companies. Apple's passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon's systems.

Industry News
DHL Replaces LinkedIn As Most Imitated Brand in Phishing Attempts
ICO Warns of "Immature" Biometric Tech
See Tickets Discloses Major Card Data Breach
London's New Cyber Resilience Centre Set to Fight Cybercrime in the Capital
Hive Ransomware Group Leaks Data Stolen in Tata Power Cyber-Attack
Medibank Backtracks: All Customer Data Was Exposed to Hackers
GitHub Bug Exposed Repositories to Hijacking
White House Launches Chemical Sector Security Sprint
LinkedIn Unveils New Security Features to Tackle Fraud
National Chief Information Security Officer

Tweet of the Week
https://twitter.com/codesixonline/status/1585629859052605443

Come on! Like and bloody well subscribe!
Transcript
The less you care about what you say on air and the less you care about getting cancelled,
but those of us with mortgages do actually care about keeping our jobs.
Yeah, just because you don't care, Geoff.
It's a prison of your own choice.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you're joining us.
And welcome to episode 126, I think it is.
131.
Guys, just like listening to Bullseye, isn't it?
Of the Host Unknown podcast. Welcome one and all. How are we doing, dear listeners? We hope you are well and haven't had too much of a tumultuous week under our new prime minister here in the UK. This week's prime minister.
This week's prime minister for October.
That's right, that's right. Yeah, a twofer in October. You know, my favourite meme, there's been so many memes going around about this. And one of my favourite ones, like, NIST has updated their guidance to say, change your password whenever Britain gets a new PM.
Yeah.
Jav, how are you? Anyway, how's your week been? In fact, you've been a birthday boy this week, haven't you?
Maybe
Oh yes
How old are you?
It doesn't matter
You stop counting after a while, don't you?
It was a big one
It wasn't a big one
Yeah, it was a big one
Lots more grey hairs
Was it really the big one? 50?
No
Come on
What was it. Come on.
What was it?
Come on, how old are you, Geoff? 51.
This is like the episode numbers, isn't it? Like, what episode are we on?
Yeah.
You two are just like that.
Except Andy's not coy about the episode number. You are coy about your birthday. You blush in there or something.
Never ask a lady or Jav their age.
I'm just so miserable as to how quickly life has gone by and how I'm at this age.
He always knew he would get old, he just didn't realise how quickly it would happen.
Yeah, exactly.
Tied it off my autobiography.
And sex tape.
So what did you get for your birthday?
What was your biggest and best present?
My biggest and best presents, there were two. And they come from two of my best friends.
One was this massive jar of halal jelly sweets, which is maybe halfway done now. And, oh, hello, brother. Oh, hello. And the other one was this tiny desktop retro arcade game with, like, over 150 retro games in it, like Street Fighter and all those sorts. And it's absolutely brilliant. I turned it on and the soundtrack is just like all the original games, and I'm like 12 years old again. And the brilliant thing is you can actually hook it up to your TV and you can play on your TV. It's just epic.
All I can say is, whatever Andy tells you, they were both my idea.
Yes, I've got a nice payment in my account from Peg and R Us refunds or something.
It was just as you were going to take it to some official source...
Official place to get your passport. Exactly. Get mine. Set up a new bank account in another country and show that I have funds coming in on a regular basis from Peg and R Us.
Well, I mean,
you've never had your eyes watered for so
cheap, is all I can say.
And how has your week been, Andy? Has it been, you know, eye-wateringly easy for you?
It has. You know what, I will tell you an issue I've been having with my boiler, right? Because, right, this is a boiler I got replaced in February. And every evening... Like, the heating comes on all day long, no problem. Once it drops below a certain temperature, heating comes on.
Gets to the evening, doesn't come on.
And it just won't come back on.
I have to switch it off, reset it, then I have to force it on downstairs,
like override it.
And this has been happening for a couple of weeks. And I'm like, look, I bought this boiler brand new in February.
There should not be any issues with it.
So this afternoon, plumber, you know, he's in the area. He says, well, I'm in the area, do you want me to come out? I'm like, yes please.
Hot plumbers are in your area.
Exactly. So he's checking it and he can't see anything wrong with it. Like, he's taking the whole thing off. He's like, everything is fine, all the diagnostics are fine. He said, this is a real head scratcher, I can't figure out what's wrong. I'm like, trust me, every evening, same issue. Like, I have to switch it off for an hour, doesn't come back on, so I have to override it. He's like, okay. He goes, go upstairs, he goes, put it on, you know, like, permanent. Now just take it on 24 hours. I'm like, okay. So I come upstairs, look at the timer. I've left it on once, so the timer only comes on once a day. Completely forgot about this programmer up here, where you either set it once a day, twice a day, or leave it on 24 hours. And, yeah, so I quickly put it on twice, went back downstairs, said, right, you know, I can't figure out what the issue is, mate. It's exactly as it's supposed to be. But what I'll do is, like, next time it happens, I'll give you a call.
Oh, man. Between Jav's back passage and your boiler, I don't know. You know, you two, you're struggling with your adulting, aren't you? And I guess, talking of adults, how was your week?
It was good.
It was good.
First, well, I had Monday off.
I was playing around with some green screen photography with my photographer friend.
So I bunged a few pictures up on Instagram just to sort of, because we were messing around.
And then, yeah, back at work. So there's plenty to do, plenty going on.
Quite a busy week, really.
No incident-adjacent events occurring this week?
No, none at all.
None at all.
I have no idea what you're talking about.
For our listeners, would you like to pimp out your Instagram account?
Oh, yeah, it's at Tom Langford.
I think you can find Tom on most socials,
at Tom Langford.
Yeah.
I think so, yeah.
In fact, I think YouTube, they're just doing handles now, aren't they?
They are.
I saw something like that.
Yeah.
Although I've got a different handle on every social media.
They sent me the email saying, you can choose your handle now.
Click here.
You click there and it says,
we'll be telling you soon when you can choose your new handle.
Standard Google.
Standard Google.
Pain in the bum.
So, yeah.
Yeah, it's been a nice week.
Going to Comic-Con in London on Sunday,
which should be good.
Yeah.
Taking my daughter and a friend
and a friend of mine as well.
So we should be having a good one.
Nice. When did you get the tickets for that?
Last weekend.
Oh wow.
Literally last weekend.
Just got it for Sunday though.
So yeah,
my daughter and her friend are going
in cosplay so I told her I was as well.
I'm going as Captain Underpants.
Oh, no.
Oh, man.
It's going to be horrific when they realise you're not joking.
Yeah.
Right, shall we see what we've got coming up for you this week?
This week in Infosec reminds us of the world's most popular operating system.
Rant of the week is a story about big corporations exploiting workers
and hard-working security professionals alike.
Billy Big Balls is a story about when a company realised they had the intel all wrong.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week is a response which is not wrong.
And news just in, Billy Big Balls is also about the password killer.
Yes.
That's what you get when you're typing halfway through
exactly
not impressed
not impressed
slight lag there
slight lag on the edit
I know
I know
shall we move on to our favourite part of the show
indeed
it is the part of the show
and our favourite part
is the part that we call
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And so our first story takes us back 53 years.
And as I read this story, it makes me realise that we did this story this time last year as well,
when it was only 52 years.
It's the beauty of this section.
It is, actually.
We've only got to get 52 pieces of news.
I know.
I think we can actually just start editing them in now.
I don't need to be doing this each week.
So 53 years ago, on the 29th of October 1969,
the first message sent over the ARPANET
was from Leonard Kleinrock's UCLA computer,
sent by student programmer Charley Kline at 10.30pm
to the second node at Stanford Research Institute's computer
in Menlo Park, California.
The message was simply Lo, but not on purpose.
So the message text was actually supposed to be the word login
and the L and the O letters were transmitted,
but the system then crashed,
hence the literal first message over ARPANET was Lo.
But about an hour later, having recovered from the crash,
the computer effected a full login and more history was made.
And the message gin was sent.
Yeah, gin.
Gin.
Lo gin.
Oh, dear.
But, yeah, no, 53 years to think that, you know,
where we've come from in that time.
Yeah, via a whole bunch of AOL CDs.
Yes.
Yes.
One of the best marketing campaigns in the world, that was.
Genius.
Alas.
Our second story takes us back 21 years to the 25th of October 2001.
Definite calculator sounds for that one.
So this is when Microsoft released the operating system Windows XP,
which was the successor to both Windows 2000 and Windows ME, designed to unify the Windows NT line
and Windows 95 line of operating systems.
But the great thing about this is that Windows XP
was not replaced by Microsoft until January 2007,
so seven years later when they released the next update, which was
Windows Vista. However, with a nearly six-year run and the public debacle surrounding the release of
Windows Vista, XP actually remained the world's most popular operating system until August 2012.
It's incredible. I mean, six years alone is a great run,
let alone 11 years, right?
And it's not surprising.
It was a brilliant operating system.
Yeah, and it's still used in a lot of ATMs today, isn't it?
Yeah, yeah.
A friend of the show, ATM hacker Leigh-Anne Galloway,
will attest if she takes them apart.
But it was as solid as hell.
You could use it for business or games or both.
Yeah, good compatibility.
Yeah, exactly.
They kept on building on it.
I remember when it suddenly got multi-monitor support,
although you had to put an extra monitor card in there.
Graphics card.
Graphics card, yeah.
I've got a picture of my desk with two mahoosive CRTs on it, you know,
because I could.
But, yeah, it was such a good operating system.
Had they not ended support for it,
I think it still would be probably the most popular operating system.
Well, it was, wasn't it?
That was a big thing when they ended support
and then they went into extended support for a while. And everyone's like, no, it's too soon, we can't move off it. And it's like, it's been 12 years.
Yeah, but Vista was awful.
Oh, yeah. I mean, I think it was supposed... Was it written from the ground up, or was it just another bolt-on? Because it was overly complex. It really hit the CPU, you know, and hit the hardware really hard. It didn't run half the stuff that you used to be able to run really easily. It was just horrible. I remember installing it on, like, a water-cooled PC that I built, and it struggled to get anything. You know, it had this scoring system, didn't it, about, you know, the performance index, and struggling to get it above, you know, three out of ten.
Yeah, it wasn't... Yeah, it was a short-lived Vista, wasn't it? I think they kind of try and forget it, erase it from the history books.
Yeah, a bit like Windows ME. I think Vista was the equivalent of Windows ME. I'd actually forgotten about Windows ME.
So you say Me.
Wasn't it supposed to be Windows Millennium Edition?
I think it is.
Because it was 95, 98, then ME, Millennium Edition.
And then finally XP.
But as you say, it was Windows 2000 and the NT stuff all coming together.
Yeah.
2000 in the office, ME at home.
Yeah.
Yeah, that was it.
That was it.
Or just XP everywhere.
Yeah, exactly.
Alas.
Good times, Microsoft.
Yeah.
Yeah.
Nice one.
Excellent.
Thank you for that one, Andy.
Thank you, Andy.
This week in InfoSec.
You're listening to the double award-winning
Host Unknown podcast.
Ha, ha, ha, ha, ha, ha, ha.
I thought that was going to say,
how do you like them apples?
Has Tom dropped off?
Oh, whoops.
Right, let's get on to our double header of a rant of the week,
because I can't work out which one annoys me the most.
It is time for...
Listen up!
Rant of the week.
It's time for mother f***ing rage.
So I'm doing two and it's all about the big corporations exploiting people.
So the first one, and I know you two are fans of TikTok and all that sort of thing. And Andy, I know you very regularly say, and I
tend to agree that TikTok is not the enemy in most places. It's just providing a service that
people want. No worse than Facebook. And in fact, in many cases, much, much better. But
a Colombian ex-moderator for TikTok has said that she was required
to keep her webcam on all night, was paid $10 a day and had to scroll through child abuse and
gun violence materials in order to keep her job as a moderator. Now, what is interesting is it doesn't look like she was
actually employed directly by TikTok, but by a company called Teleperformance. So maybe our
ire should be aimed at Teleperformance first and then TikTok for not managing their third parties better. So, just to be clear, the rant is that she was paid $10 an hour.
A day.
A day. Far too much.
I agree with you. This is disgraceful.
I know. I know.
For like 50 cents.
If a kid can make me my Nike trainers for 50 cents a day,
then this is, you know, sitting in front of a computer for $10 a day.
I'm sorry, have I got this one confused with your Billy Big Balls, Jav?
I mean, that seems to be what normally happens here, right?
No, but here you go.
So this was, while it was a, you know,
I believe it was a working from home gig, as it were.
And I know Colombia's probably, you know, not got the highest pay ranges,
but it seems like $10 a day is pretty low in any kind of modern society.
She had to keep her webcam on continuously.
They also told her that no one should be in view of the camera
and she was only allowed a drink in a transparent cup that was on her desk.
This seems rather Machiavellian, doesn't it? It seems like, why does there need to be that level of... Well, I wouldn't even say security, but, you know, massively intrusive oversight. It's pretty poor, if you ask me. So, and, you know, maybe there's a cultural thing that we're missing here from, you know, Teleperformance as an organisation and the countries it operates in. But it doesn't seem like it's, you know, respectful of human rights in any way, shape or form.
And this is... Do you know what? When you do third-party assurance, this is one of the things,
you know when you're working with subcontractors or suppliers, vendors,
this is why it's more than just about security.
You should be checking their human rights.
Yes.
We talk about ESG and all that kind of stuff.
And there's a reason for it.
It's because when you do this diligence on people you're working with,
because to your point, you started off talking about TikTok.
This is reflecting bad on TikTok.
Yeah, yeah.
In the meantime, I did actually look up the average monthly wage in Colombia,
which is $246.
So if I say that she's doing five days a week,
she should be being paid at least $12.30 per day rather than $10. So slightly under average, this salary, which is kind of... It's shocking for us, where, you know, we're used to $10 an hour, sure.
But, well, come on, Jav, let's be honest, you haven't seen that sort of salary for a long time, right? $10 an hour? You're more like $10 a minute.
He doesn't even pay his builders that, you know, because he just lets next door pay for him.
Yeah, Jav doesn't get out of bed for less than 15k. You know, to pick up the phone, it costs 15k.
You know what? Speaking of the builders, I was telling my family that, oh, I only paid the neighbour 200 for the drive to be done at the back.
And they're like, why so little? And I said, oh, he must be related to Andy.
Because that's what Andy does. He just pays for all his neighbours' work to be done.
Did you have any trees taken down while you were at it, Geoff?
You know what? He did say, if there's anything else you want while the builders are here,
and I'm actually considering asking him to paint the outside as well
because it needs a new...
Do it.
Might as well do it.
Maybe like £2.50 should cover that, I think.
Or a tenner.
Okay, I'll give him $10.
How about that?
In line with Colombian average wage.
Anyway, so, yeah, it's not good, and TikTok needs to do better. Although I get a feeling that TikTok probably won't care, in fairness. But we shall see, we shall see.
And the second one... You say that...
Well, I was going to say, it's quick... A lot of the old sweatshops, do you know, like the Primark and, you know, whatever, the budget clothes,
they got shamed into using, you know, the sort of vendors that they were using.
You know, once this sort of thing was exposed, they were sort of shamed.
But they're not owned by China.
True.
Oh, yeah, coming back to the good point.
Yeah, you've got the old sweatshops.
Yeah.
Yeah.
Yeah, to be fair, they could probably... This is one of these things they could probably do cheaper in region. Why China outsourcing? Yeah, what the hell, they'll just round some people up off the streets outside a Chinese embassy.
Oh, I suppose there's something in about not giving your own citizens emotional damage by watching this content. And this content is, like... I've posted another link. It's, like, from last year, a BBC article where a Facebook moderator... They talk about how every day was a nightmare because of this content. I cannot imagine, no, possibly, the absolute horror of having to go through that type of content.
I could not do that.
And some of the crap that gets...
And not crap as in poor quality,
but some of the awful stuff that gets loaded up there
on a supposedly open platform is shockingly bad.
You're right.
I thought you said you hadn't seen Jav's TikTok account.
No. I'm definitely moving on now.
Definitely moving on now.
I don't want to think about Jav's jiggling breasts anymore.
Why not?
Right, so both of you, you've got CISSPs, haven't you?
Certainly do.
And have you got other qualifications, like with ISACA
or anything like that?
I do, yes.
Yeah.
I had a SANS
GIAC
GWAPT
but I let that
You gave that up
far too easily, Jav.
GIAC
GWAPT
NICNAC
PADIWAC
Yeah.
Yeah.
What do you mean
I gave that up too easily?
Well, just the hassle
of getting it in the first place.
You may as well just keep it.
Like, just re-sit the exam.
I'm not re-sitting the exam.
I don't know how I passed it the first time.
Anyway, let's get back on topic.
And we all have the...
And we complain about having to do the CPEs every year.
We complain about having to pay them money,
or at least the hassle of putting it through on expenses in Andy's case.
We complain about the organisations themselves,
and (ISC)² are one of those at the moment,
and we're not going to touch on that just yet.
And also, it's kind of like one of those things
where you feel like you have to have it
in order to proceed in your industry, in your chosen career.
Well, not to dilute this any further, but CIISec and (ISC)² have been announced as pilot participant partners to assess candidates under a pilot programme for chartered cyber professionals.
That was a bit of a mouthful.
So the UK Cyber Security Council has announced it is set to usher in the country's first chartered cyber professionals through a pilot scheme.
Now, I know when we first heard about this, Andy,
the first thing you said was, shut up and take my money, right?
But it's like, how many more of these things do we need
you know, another standard, another certification. It just reminds me of the xkcd comic of, you know, there's far too many different standards for... I can't remember what it was, Java or whatever. There's, you know, we've got 13 different standards, what we need to do is to start unifying them,
and then six months later
we've got 14 different standards
this is too many
and this is exactly what this is
it just seems to be
a money making exercise
at the end of the day
I was on a preparation call
for a podcast that I'm doing later
that I'm guesting on later this month, the other day.
And it was talking about (ISC)² saying
that there's 2.7 million unfilled InfoSec roles,
blah, blah, blah, blah, blah.
And just said, you know, you've got to think about,
you know, who's saying this.
(ISC)² are saying this
because they want to sell certifications to people
so they feel they can become the professionals to fill their gap.
This is a very similar thing. This is, to my mind, rather cynical money-making exercise more than anything else,
especially as in the UK there's already a chartered, or the British Computer Society's already chartered,
of which there is a strong security function in there.
Why not combine with them so at least that we're not sort of over-duplicating things here?
So this just seems to be just a very cynical money grab again, as far as I'm concerned.
And it's annoying. Annoying that I'm going to have to fork out more money and take another exam.
Yeah, well, I painfully agree with you, Tom. I don't see really what the value here is, for who and to who, except for... A chartership means something in other professions
because it proves that you're competent in doing something to a certain degree.
Cybersecurity is so broad.
I mean, how are you going to, you know,
someone could be a really good web app pen tester.
Are they going to be chartered to the same level as someone
who's great at GRC or third-party assurance?
And they all fall under the same banner or someone that's a developer or someone that's a CISO.
And I think this is where we're at.
Well, they're going to expand it, I'm sure.
Yeah, they'll probably expand it.
And they talk about helping create more direct routes into employment and everything.
And it's just arse about face.
This is not the right way to go about it.
What we need is better ways to attract talent into the industry.
We need more apprenticeships or more career paths for people who want to move
from an adjacent career into cyber and make it easier like that.
I mean, having these kinds of things, you're just burdening people with like false hopes,
more debt, and then they're still going to be stuck without a job for a period of time.
Yeah.
Yeah, completely agree.
Completely agree.
More internships, more apprenticeships, more routes into the industry.
That's what they should be working on.
Rant of the Week.
We are officially the most
entertaining content amongst our
peers.
How do you like them apples?
Are you going to redo all the jingles
with that on the end?
Yes.
I think that would be worth every penny.
Yeah.
Right, Jav, it's over to you to talk about your favourite cyber criminal of the week.
It's you and...
Billy Big Balls of the Week.
You just like... So the first story, and I read this, and there's a film called Walking Tall. It's got The Rock in it, and it's based on a true story of, like, one of these army vets that came back to his small town in the US, and it's run by a corrupt sheriff, and, you know, he's in bed with all the big developers and what have you. And they jump in, and he takes them to court, and then he wins.
And then he gets appointed as sheriff.
And there's a scene,
he walks into the sheriff's office
and he gets the badge
and then he looks to everyone there
and he goes, you're all fired.
And they all walk out
and it's all like one of those badass moments in the movie.
And I was reminded of that today
as I imagine Elon Musk walked into the Twitter headquarters
with a sink of all things,
saying, let that sink in.
And he walked in and he fired most of the execs.
I'm sure in his mind,
he thought he was being really cool and edgy like
The Rock. In reality, it was a bit of a dick move, but I still think it's a Billy Big Balls move to do it at that level, to have that much money where you really do not care and you can walk in and do that. I just have to give my hat tip to that man.
So he fired, like, quite... He'd fired the CEO, the CFO and general counsel, didn't he? It was, like, the top execs of the company.
Yeah, just like that. The ones who actually know the business.
Yeah. Oh, yeah, I find that stunning. I find that stunning that on day one, you know, it's not like, you know, all he's had is... He's done a little bit of due diligence, and in fact not even that much, right? From what we can make out, he bought it so he didn't have to go to court, because I'm not convinced he actually particularly wants it. No, his first move is to fire those, you know, as you say, the three most senior execs who know the business. Come on, he's just doing this for publicity.
Yeah.
I'll call him.
So, yeah, it doesn't surprise me you applaud him, Jav.
Yeah.
You know what?
I don't really have much sympathy for the CEO.
I think he was way over his head.
He didn't come across as a nice person, and he tried to throw Mudge under the bus.
And, you know, I think I'm more inclined to believe Mudge than him, just from all the facts that have
come out. So anyway, moving on to the next Billy Big Balls story of the day. I think we're all coming in twos today. Passwords.
Yeah, passwords are one of those things you don't talk about in security, a bit like politics and religion, because no one really agrees on what passwords... how they should be formed, what constitutes a strong password, how quickly they should be rotated. 16 characters, rotate every 90 days, special character, uppercase, lowercase, no sequential letters, no sequential 26 characters, no sequential, can't repeat any characters, no reusing of characters in the passwords ever. If anyone on the planet has ever thought of that word, it's not applicable.
Yeah, yeah, yeah.
So Apple is killing the password. Password killer. Yeah, Apple the password killer. I think Apple is... They're trying to recreate that image of, like, we're the underdog, we're David going up against Goliath. You know, we're just a $3 trillion David.
Apple, that well-known underdog.
Yes, exactly.
David with his 900 lawyers standing behind him.
Yeah.
That's brilliant.
So, you know, with the latest iOS 16 update
and macOS Ventura next month,
the software will include password replacement known as passkeys
for iPhones, iPads, and iMacs, or Macs.
I can't remember what they're called now.
Anyway, PassKeys now allow you to log into apps and websites
or create new accounts without having to create, memorize, or store a password.
The Passkey is made up of a cryptographic key pair, replaces your traditional password, and is synced across the iCloud's keychain.
It has the potential to eliminate passwords and improve your online security, replacing insecure passwords and bad habits.
So how does this work then?
So if I'm going to Just Eat, I'm going to buy some food,
and Just Eat asks me to log in,
and I put in my email address and password,
one, two, three, four.
Like, what's different here? I don't think it does that in
the first place. I think what it's using is the Apple keychain, the, you know, yeah,
the Apple keychain to store all those details, and it will encrypt and recode those so they're not
even accessible. Yeah, a bit like when you do log on with Apple, it's Sign in with Apple, basically.
So when you create an account, you can use a passkey instead of a password, and essentially my
understanding is that you're just using your Face ID or Touch ID to do that. Yeah, and it does
everything in the background for you. So next time you go to that website, you just use your biometrics to log in rather than typing in anything.
So how is that different to now, right? When I go to the site, it's already got my details
pre-filled because I've got them stored in my phone.
So it's not going to be using pre-filled credentials. It's tied to that particular phone and your
biometrics on that phone. So you know how nowadays...
And it relies on the other end. Yeah.
So nowadays, even now, you can go to a website and you can switch on "authenticate me using
biometrics", so it still has the ID and password in the background in case. Yeah, biometric web...
But it speeds up the process. I think this is all based on the FIDO guidance and framework and everything,
so it's not like it's something radically new. They're just eliminating, right,
the account creation process. Gotcha. So everyone has to support this. This isn't just... That's exactly...
something that Apple's forced. Right, okay. So Apple has done a really good job of marketing this,
yes, to sort of say, look, we're the password killers,
but you actually need everyone to get on board.
Yeah, but they are using the open standards of the Fido Alliance, though.
So, for instance, Google, Microsoft, Meta, Amazon,
they are all working on this as well.
I think Apple are just putting the news out there first.
Right. So if I go to Just Eat on my phone I'm sorted, because it's like an iPhone. If I'm at home and I'm on my Mac,
it's all good. If I'm in the office using a Windows machine, that's not going to work yet. I still have
to go back to the old username. Still waiting for Microsoft, although Microsoft have made some big
strides in passwordless stuff as well,
haven't they, with Windows Hello and stuff like that?
They have.
They have.
But I think what the key to this is,
is that this isn't an Apple standard or a Microsoft standard
or a Google standard or whatever.
This is an open standard that can easily be adopted across the board, and it's not going to happen
overnight, obviously, but there is now some kind of move towards, or some kind of realistic move
towards, you know, passwordless environments. Yeah, and I think more than the passwordless nature. And if we put that aside,
I think what this is really, really good for
is a better user experience.
I think that's the key thing here.
Security comes as a byproduct.
The thing that will cause people to adopt this
is the convenience that now you can go to our website
and just scan your face and boom,
accounts created, sorted, secured, and as long as you're
currently within that Apple ecosystem, it will be all fine. It does put more burden on the keychain
remaining secure, and I know a lot of people have some issues with uploading secrets to the
keychain to allow them to synchronise across your devices and what have you, but, you know, that's
just the way it is. But I think that it's really about that user experience. If we can
make that frictionless and people can just, like, easily create accounts and easily just, like,
authenticate and do what they need to do, I think that is the real deal here.
And this is it. This is, you know, I definitely agree with this as a Billy Big Balls,
because to openly say we're now going to be doing this and supporting it,
it does take a company of someone like Apple and or Microsoft and or Google
to get behind something like this.
Indeed, indeed.
I don't know. I still think in three years' time we'll still
be getting that password killer. Well, I'll tell you what, we will. I think so. I think you're right.
I wouldn't be surprised, because there are so many aspects to this to get it to work, and
collaboration and everything. And the thing is, these things sound great until you lose a device or you have to log in through some other means or you're travelling and something happens.
That's when you really see how good or effective some of these things are.
So I think we'll still have a need for passwords.
It won't replace every password immediately, but I think we'll get a portion of passwords taken out, and
this... There was... Sorry, go on, Tom. I was going to say, this does feel like, though, the first solid step
in the direction of actual end users being able to use something like this, though.
Well, like you said, I think it's the first good marketing push we've had publicly.
It's all about the marketing, right?
If you don't market it, who's going to know about it?
And who's going to get excited about it?
Yeah, yeah.
So just to tie into this, just the last part and the user experience,
Ian Levy was the director at NCSC, and he's leaving after a long time working for the NCC and GCHQ, and he wrote a really good
blog post, and one of the points... he had 10 points on it, and one of the points was about
incentives. And he goes, like, we need to think about the right incentives. And he goes, say
you are looking to switch to a broadband provider, a new broadband provider, and there's two options.
And one of them sends you a 60-page PDF or document, and it talks about how they secure the MPLS network and how the fiber is managed and how it's switched and all that kind of thing.
And the other one offers you free Netflix for a year.
Who are you going to go with?
Yeah, absolutely. So I think that's what
we need to think about. We need to meet people where they are. That's the other thing. I
saw another post on LinkedIn. I don't know why I spend a lot of time on LinkedIn this week, but
someone said that Disney... you need to meet people where they are, not expect them to meet you where
you are, which is what I think... I thought
that was such a good way, because security always tries to force people to their standards. And
they said Disney done the research into how long people are willing to carry rubbish for
before they're going to dump it, and based on that data is how they positioned all
their bins around their parks, so that people
get to a bin within that minute or two that they're willing to carry their rubbish for.
Well, it's like the desire paths, isn't it? Yeah, yeah, exactly, exactly. So I think if we can do more of
that. Obviously we need to secure stuff in the background, but I think we need to think more
of how do we make the journey easier for the people actually using this on a day-to-day basis. And that's where the
biggest balls are. Pains me to say it, but I completely agree with you, Jav. Completely agree.
And on that bombshell, Billy Big Balls of the Week.
This one's for you, Andy.
Feeling overloaded with actionable information?
Fed up receiving well-researched
factual security content?
Ask your doctor if the
Host Unknown podcast is right
for you.
Always read the label. Never double dose on episodes.
Side effects may include nausea, eye rolling
and involuntary swearing in anger.
How do you like them apples?
Do you know what?
That wasn't the jingle I thought that was going to play.
So maybe I'll get it right next time.
And talking of next time, it is now that next time.
What time is it, Andy? It is that time of the show
where we head over to our news sources over at the Infosec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe. Industry news.
DHL replaces LinkedIn as most imitated brand in phishing attempts.
Industry news.
ICO warns of immature biometric tech.
Industry news.
SeaTickets discloses major credit card breach.
Industry news.
London's new cyber resilience centre set to fight cybercrime in the capital.
Industry news.
Hive ransomware group leaks data stolen in Tata power cyber attack.
Industry news.
Medibank backtracks. All customer data was exposed to hackers.
Industry news.
GitHub bug exposed repositories to hijacking.
Industry news.
White House launches chemical sector security sprint.
Industry news.
LinkedIn unveils new security features to tackle fraud.
Industry News.
And that was this week's...
Industry News.
Huge, if true.
Huge.
Huge.
So LinkedIn's new security features,
is that where they just rebrand people as DHL?
Yes. I'm actually interested. Every time I log into LinkedIn it asks me to put in my phone number, and I'm like, hell no. Don't do it.
I once actually did that by mistake. This is like years and years ago. Did it take all your contacts?
It took all my contacts, and then it
populated my calendar with everyone's birthdays, and it is just such a mess. And the thing is, once
you've got those birthdays in your calendar, you can't get rid of the bloody things. No. Yeah.
I would happily... I can't even tell what their new features are. Yeah, it's... They're using... Artificial...
They're saying AI-empowered deep learning model
made with AI-based synthetic image generation technology.
So they've outsourced it to Columbia, then?
Yeah.
They're paying someone $10 a month, or day, a day,
to look at photos and see, is this a real or not?
Yeah.
So this is...
Oh, OK, so they're looking to remove
fake accounts. Yeah, right, okay. And adding some warnings for messages that could potentially
include phishing. Yeah. Wow. You know, when it comes to, like, catching up... So we're talking about just
passwordless stuff before. Like, how many people actually use password managers? Do you mean like...
And they're relatively easy to copy and paste passwords, transfer them across. And, you know,
that's what I mean. I'm still... Yeah, I don't know. Sounds good, just a bit behind the curve, I think.
LinkedIn, you can do better, considering your size and resource. Yeah. Microsoft, right? So Microsoft,
exactly. Why don't you move to passwordless? Go on, do it, LinkedIn. Hello.
So it's London's new cyber resilience centre set to fight cybercrime in the capital. All I'm seeing
in my head are, you know, people in hoodies and jeans and trainers with swords and shields in their hands running through the streets.
Sounds about right.
I don't know what the CPEs are for that, but count me in.
Yeah.
Do you want to get CPEs and your steps in for the day?
Oh, there's 250,000 London-based small to medium businesses.
Sorry.
Wow.
There's more than that.
They're saying around 250,000 London-based SMBs
suffered at least one attack or breach in 2021.
Hang on.
What do they define as an attack?
You know, port scan of the firewall.
Yeah, I was going to say.
A port scan and then somebody looking at them oddly through the window of their shop.
Yeah.
This is interesting.
I mean, I don't know.
You already have, like, Action Fraud, and you have the NCSC.
It just feels like there's more.
It's like I don't know who to report
stuff to anymore. It's like, what do you do,
what do you not do?
Yeah, what is
their remit and why?
It's not clear.
There was that conference that was on fairly recently,
not... I was caught...
just down the road, Olympia,
quite a smallish one, but there was
something like three or four different cyber resilience centres.
I think they had the Welsh one there and the London one there
and another one there.
And it's like, do you guys talk to each other?
You know, I'm just...
Yeah.
Swap information.
They're cropping up like B-Sides conferences.
What's the other thing that you two are part of?
The, what's the... ISACA?
No, the small business, the NCSC sort of backed...
IASME.
Yes, IASME.
No, that's not me, that's him.
Yeah, weren't you part of it as well?
No, no, just cyber...
No, it's just Tom consulted on clients
that I happened to audit.
Right, right, right.
So no backroom dealing going on
there, was there? There was literally
nothing. It was only when Tom
actually said, that's one of my clients or something.
Yeah, that's right.
It's when you saw Tom coming out
of the bathroom and be like, Andy, what are you doing?
As Andy's got one leg in his trousers.
Oh, dear.
But yeah, no, there are lots of...
But, you know, IASME, to their credit,
and not just them, NCSC,
because there were four...
It went up to five bodies that could issue Cyber Essentials.
And the NCSC actually combined them all and said, no, only one of you will take this forward.
And it was IASME.
And it was IASME that was chosen, yeah.
And so now all the other bodies, you know, who were there, they all tuck under IASME.
Yeah.
It's impressive.
So it can be done.
It can be consolidated.
Yeah.
Yeah. Actually, that's a
really good comparison, actually. You just need some kind of direction from, you know, from
somewhere in authority to bang their heads together and tell them to sort it out. Yeah.
There's a big tender process and everything, and I think it was Quest was one of the bodies,
and obviously because they used to sell pen tests alongside the certification.
So they were really unhappy at losing.
If you went through a Quest body, you always got a pen test with it.
Obviously a bit more of a cost.
But yeah, they were pretty unhappy with losing that status.
But it was a fair process.
And people said, look, this has to be achievable.
This is what the,
yeah, the mandate is, and, yeah, this is the best company for it. Yeah, yeah, yeah. But, yeah, I would...
Just quickly, go ahead. I was just looking at the Hive ransomware group leaks data stolen in Tata
Power cyber attack, and it was quite interesting, because Tata Power got hit and I was
like, shit, that probably caused lots of power outages. So I spoke to one of my Indian friends, and he laughed, and he goes, like, we always get
power outages regardless of whether there's a cyber attack or not. Yeah, there's three
or four a day, right? Yeah, at least. Business as usual, mate. Yeah. Do you know, so I used to,
when I worked at a place that had an Indian office that would often do audits,
you know, when they got audited by clients, you know, this team would always stand up
and present the evidence.
And if it was a virtual audit, say typically you'd do a two-day audit, they would always
book three days just to account for power outages and things like that.
You know, it can happen on either side.
Yeah.
So like where it would be a two-day audit anywhere else, they would literally book three days in the Mumbai office
just in case there's outages.
That's interesting.
And it's entirely normal practice.
That's interesting because everywhere I've worked in India,
they've either got standby generators that are there for when the power kicks out
or the entire campus generates its own
electricity. Interesting. Well, I say this is, you know, the outage could be on either side. It
could be on the auditor, or... True, if it's on the auditor side. Yeah, yeah, yeah. But, yeah, so, you know,
part of our ISO certification was being toured around these basements with huge, mahoosive generators in
them. Yeah, just permanently running. Yeah, yeah. So one story that isn't there, and speaking of
big, mahoosive stuff, the NHS is looking for a Chief Information Security Officer. So a national CISO.
Applications closed Wednesday 16th November.
So Tom, I think, you know...
Not on that salary.
150 grand they will pay.
You probably have to wait six hours
before you're allowed access into your office.
But that's just the nature of the NHS.
Sorry, that was a terrible one.
But I do not know who would want to take this job.
Whoever takes it, I wish them the best of luck.
If it's a national one, it would seem to me to be more of an executive-stroke, political-stroke, public role
than a hands-on CISO role.
Do you want to spend time in Parliament answering questions like...
Yeah, I think that's what it comes down to.
And would you like to get your budget cut
without any discussion whatsoever?
Yeah.
Yeah, by the brand-new, you know, treasurer or treasury, you know.
Oh, and it sits within the digital policy unit within NHS England.
Is that Nadine Dorries?
Oh, no, not anymore.
No.
So you're the NC, so you sit within the DPU,
which is itself part of the NHSE,
which you can already see the red tape here, Tom.
Yeah.
Honestly, someone like you, Tom. Why don't you just sit back and do nothing and, you know.
It would be ideal for you, Tom.
You could just literally live in the red tape zone for the next, like,
whatever three years you have to live or whatever.
I'm laughing because I'm thinking about just that you might even be able to edit and publish this podcast on time. Well, yeah, if we're
not delaying by eight hours in a day. I mean, for goodness' sake, it's ten past six on a Friday. We're already on NHS times.
Right.
On that note,
and obviously delayed by many,
many minutes,
that was this week's...
Industry News.
In 2021,
you voted us the most entertaining cybersecurity content amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award winning Host Unknown podcast.
How do you like them apples?
Yes.
Hey.
Finally got it.
I will just quickly say, on that job, it comes
with a civil service pension, which has an average employer contribution of 27 percent. What? So that's
the average. So whatever you put in, you expect, you know, 27 on top of that. I'm guessing you could probably get more
the more you put in yourself.
That could be perfect
for a newly single man like myself.
It could,
if only you weren't past retirement age already.
What is it?
Liz Truss, she was in office as PM
for what, 45 days, and she gets
a pension now?
115 grand a year pension?
Yeah.
No, no, it's a 115K salary.
Oh, ongoing salary, yeah.
But I think, doesn't she have to pay for her own security
and stuff for that after that?
I'm not sure.
I don't know.
People won't remember her as Prime Minister.
No.
Let's be fair.
She'll blend in.
Had one night stands last longer.
On that note, it's time for this week's... Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And I shall take us home with this one.
And this is a tweet which I just thought was simple and I
loved it and it was in response to New York Post who posted the New York Post has been hacked we're
currently investigating the cause and some person called 61 yard just replied quite simply the reason
people get hacked is because somebody else found out their passwords and stuff.
Hope that helps.
And, yeah, that's it.
Just simple and effective.
And you know what?
61 post or 61yard is not wrong.
No?
No, no.
I mean, people will spin it to say this was a sophisticated nation state.
Significant resources.
Yeah.
Yeah.
Yeah, it turns out that someone used the same password elsewhere.
To buy the Twinkies that kept the teenager fed throughout the three hours they spent on it.
Yeah, it's probably the same password they use on Just Eat
or any other site.
It's New York
Post 123.
NY Post, but
the zero instead of an O.
Yeah. And a five
instead of an S.
Exclamation mark.
If they're really secure, they might
put 2022 at the end.
So just for their annual change.
Ooh, someone's got cyber security training.
You're assuming that they actually changed it this year.
It's actually got 2021 at the end of it.
2019, that was the last time anyone was in the office to change it.
Yeah, yeah.
Oh, man.
Very good, very good, very good. Thank you, Andy.
Well, we made it. We made it. Thank you, gentlemen, for your contributions today.
Thank you. Slightly later. I will take my share of the blame for that. Your share? I was suggesting starting 15 minutes
later; you suggested eight hours later. I am man enough to admit that mistakes were made.
And, you know, you're a fighter, not a quitter. I'm a fighter, not a quitter.
You two remind me of, like, the George Bush and Tony Blair era. The Mitchell brothers, go on, say it.
I'll watch, Chad.
George Bush and Tony Blair, when they were in power and the Iraq invasion happened, the amount of backbiting,
it's like Bush would get out there and he would actually look really pleased
just to be able to make it to the end of a sentence
without forgetting what he was saying.
That's you, Tom, by the way.
And Andy's doing his best Tony Blair spin of, like, mistakes were made, I'm
profoundly sorry, but still, it was the right decision. I stand by my decision. I, for one, I'm
glad we have a brown person in office now, and we'll soon
sort out this whole country. Once... When you say now, you mean for now? Yeah, for now, yes. Yeah, it's
almost November. It's almost November, exactly. Exactly right. Jav, thank you very much, sir, for
your time today. Thank you, always. And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
It's quarter past six.
I'm buggered if I'm going to edit this one.
It's going live, isn't it?
It's pretty much going live.
I don't think there's anything controversial said, sir.
No, we're talking over each other, but that's normal, right?
Yeah.
Organic.
Can we rebrand it the Organ podcast? Okay, I've got to make sure I type
that right. And Tom, like, putting a jingle on and then forgetting to come back for, like, 30 seconds.
Yeah, I don't know what you mean.
Thank you.