The Host Unknown Podcast - Episode 129 - The Difficult 129th Album
Episode Date: November 18, 2022

This week in InfoSec (07:14)
With content liberated from the "today in infosec" twitter account and further afield

12th November 2000: Microsoft Declares Tablets Are the Future. Bill Gates demonstrates... a functional prototype of a Tablet PC. Microsoft claims "the Tablet PC will represent the next major evolution in PC design and functionality." However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.

17th November 2018: US President Donald Trump signed a bill into law, approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill was the CISA Act.
Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency
https://twitter.com/todayininfosec/status/1328528180500717568

Rant of the Week (18:44)
Germany says nein to Qatari World Cup spyware, err, apps
World Cup apps from the Qatari government collect more personal information than they need to, according to Germany's data protection agency, which this week warned football fans to only install the two apps "if it is absolutely necessary." Also: consider using a burner phone.
The two apps are Ehteraz, a Covid-19 tracker from the Qatari Ministry of Public Health, and Hayya from the government's Supreme Committee for Delivery & Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.
Norway's data protection agency, meanwhile, this week said it was "alarmed by the extensive access the apps require" and warned that Qatari authorities likely use the apps to monitor users' location, in addition to snooping through personal data.
See also: World Cup apps pose a data security and privacy nightmare

Billy Big Balls of the Week (29:05)
Australia to 'stand up and punch back' against cyber crims
Australia's government has declared the nation is planning to go on the offensive against international cyber crooks following recent high-profile attacks on local health insurer Medibank and telco Optus.
The aggressive posture was expressed in the announcement of a "Joint standing operation" that will see the Australian Federal Police and the Australian Signals Directorate (Australia's GCHQ/NSA analog) run a team with a mission "to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups."
Minister for Home Affairs and Cyber Security Clare O'Neil said the operation will "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks, and disrupt their efforts."
"This is Australia standing up and punching back," she said during an interview on local political talking heads program Insiders. "We are not going to sit back while our citizens are treated like this and allow there to be no consequences for that."
O'Neil said the operation will "for the first time [be] offensively attacking these people."

Industry News (36:10)
T: Google to Pay $392m in Landmark Privacy Case
A: Billbug Targets Government Agencies in Multiple Asian Countries
J: Euro Authorities Warn World Cup Fans Over Qatari Apps
T: Majority of Companies Reduce Cybersecurity Staff Over Holidays
A: Chinese Spy Gets 20 Years for Aviation Espionage Plot
J: US: Iranian Hackers Breached Government with Log4Shell
T: More Than Half of Black Friday Spam Emails Are Scams
A: Hundreds of Amazon RDS Snapshots Discovered Leaking Users' Data
J: Zeus Botnet Suspected Leader Arrested in Geneva

Tweet of the Week (43:30)
https://twitter.com/attritionorg/status/1593487371819192321
https://twitter.com/SoVeryBritish/status/1592554974432866306

Come on! Like and bloody well subscribe!
Transcript
So one of the best things I've bought from America for myself this time,
and at my age, I really appreciate it,
for only $15 was a giant 500 bottle of ibuprofen.
It's the best thing.
Was it Advil by any chance?
No, it's ibuprofen. It's the proper stuff.
No, as in the brand name?
No, no, it was a CVS ibuprofen.
So not only are you the age where you're popping ibuprofen like Smarties,
but you're also of the age where, actually, I don't need a name brand.
I just need the core, the active ingredient.
Absolutely.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us, and welcome to the all-star cast episode 129... 133... there's a weird echo in the room... of the Host Unknown Podcast. Welcome, dear listeners. Welcome to our... well, we've actually got the three of us together again. It's incredible.
Welcome to our show, Jav.
Yeah, you guys are so funny. You're so hilarious. Hilarious. Mind you, I don't know why I'm laughing. I was out the week before. So, yes, welcome to my show, guys. It's good to have you on.
Hang on, you were out only a few weeks before that.
Thanks for having me on your show, people.
I'll tell you what, he's pretty adaptable, this fella, Jav, isn't he?
I know.
He'd make a great auditor.
He would.
Wouldn't want to work for him, though.
Oh, dear.
So, gents, I trust you're well.
Jav, how has your three weeks been, or whatever it was?
Oh, it was great.
I was in Florida for two weeks.
The last few days I got caught in a bit of a hurricane,
which is my first proper experience. The hurricanes we get in the UK are not like the hurricanes they do over there. Everything has to be bigger and more outrageous in the States.
But I was back. I flew back last Friday, which is why I couldn't be on the show. I got here on Saturday, and then on Sunday evening I flew out to Zurich for another event. So, yeah, you know, I'm desperately trying to maintain my silver status on BA.
It's terrible when you're desperately trying to maintain not even the top status, right?
I know, I know.
It's like we've kind of all taken it in turns to do excessive travel.
Yeah, yeah, yeah, yeah.
Mine finished a long time ago, unfortunately.
Yeah, and then I took the baton for a bit,
and now Jav seems to be off all phases.
I don't know why he keeps wanting to go to all these foreign countries.
I just don't get it.
Me neither.
No.
So, Andy, what about you?
How's your week been?
Not too bad at all.
Can't complain, except I will complain.
Of course. Good.
I actually hurt my hand yesterday quite badly.
Was it in a freak masturbatory accident?
Almost. That probably didn't help it.
But no, as I was walking from the station to the office, a guy...
You were doing it in public, for goodness sake.
I know.
But this guy, taxi driver, actually blew the red light
and almost hit me and multiple other people.
What?
And as he was passing by, I tried to smash his back window with my fist.
Yeah.
And it was actually really hard to smash. It didn't.
Wow.
I gave it a good solid haymaker and ended up with bruised knuckles and a blood blister on one of the knuckles where, obviously, as it was pulling off, it rubbed really hard.
And, sorry, we're back to the other thing there.
Yes.
This guy next to me, he ran after. He said, I'm going to get his number plate. Like, took a photo. And we've got terrible memories that we can't remember, like, seven digits and we have to take a photo of it.
Yeah, I know. But I was like, dude, I'm over it now.
You're over it now? You've got it out of your system.
I've got it out of my system.
What are you going to do?
Yeah, exactly.
Well, Andy, if your hand's still hurting,
I've got some waterproofing you can borrow.
I'm just thinking, right, you know, in the UK,
you can't buy more than, what, like two packets at a time
in a single transaction, can you?
So, you know, yeah, I'll be on my way over
to dip my hand into the lucky
dip jar well you know get in the queue because he's he's uh bootlegging them to the street
so um talking to people that use uh ibuprofen tom how's your week been yeah
yeah very good very good um i have uh well i had a rare obviously to keep the joints yes cod liver yeah so i had a week
at um at home although had to go in yesterday into london uh for some face-to-face meetings
i was in a bit of a rush and some some muppet i had this bang on the back of my
car i don't know where it was but i had to go into had to go into London for a bunch of face-to-face meetings.
And then that morning, as I walked into the office,
the guy said, I'm not well.
We'll do it remote.
I was like, oh, great.
I was up at bloody half past five to get in on time.
And then the next follow-up meetings were the same.
It's like, no, can't make it.
Let's reschedule to next week.
So I was like, Jesus, you know, 200 quid of not my own money,
in fairness, so that's fine, but of travel for literally just sitting
in the office not having a meeting.
But, hey, you know, that welcome to hybrid
working, right?
Yeah.
The ugly side that no one tells you
about. Okay, so
shall we see what we've got
coming up for us today?
Well, this
week in InfoSec talks about
rebranding.
Rant of the week is a look at the ongoing shit show going on at Twitter.
Oh, no, no, no, hang on, hang on.
It's a football World Cup privacy nightmare.
Billy Big Balls is a story about Australia fighting back.
Industry News brings us latest and greatest security news stories
from around the world.
And tweet of the week is a relatable tax scam.
So let's move on to our favourite part of the show, the part of the show that we like to call This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And although we said we'll be talking about rebranding, and we are going to be talking about rebranding, something completely different to what we said we would talk about, because I didn't update the show notes from last week. So our first story is a prediction of the future, and this is from 22 years ago, so just a year older than I am. On the 12th of November 2000, Microsoft declared that tablets are the future.
And at the time, Bill Gates demonstrated a functional prototype of a tablet PC,
making the claim that the tablet PC will represent the next major evolution in PC design and functionality.
And he was not wrong in his statement.
However, the tablet PC initiative never actually took off.
And it wasn't until Apple introduced the iPad 10 years later in 2010 that the tablet was actually widely adopted.
And they do give sort of various reasons for its failure.
Or, you know, people have sort of tried to understand what the issues were. Firstly, you know, they say they just merely tried to adapt Windows.
Yeah.
And the technology wasn't there.
Yeah.
Because it was just... it was designed for use with a keyboard and mouse, right? So you had to have this sort of touch screen and pen, and people didn't really just take to the interface. And, yeah, I mean, they're saying that it appeared to be going backwards, and that you had this futuristic tech but using a pencil-and-paper style format where you actually wrote on it. So it really taped that. And, yeah, which is ironic, because now, obviously, you know, I was just talking to you guys this week about the Magic Keyboard and the magic pen for the iPad and whether or not it's worth it.
Yeah.
So, yeah, 20 years ago or 22 years ago, Mr. Bill Gates said that this was the future.
I think it's interesting, though, isn't it?
Because I think Apple and Steve Jobs did get it right with the iPad.
They actually got it into a form factor.
I've still got my first gen iPad, which I use as a picture frame now.
And it's still a, it's a lovely piece of kit.
It feels right.
It's the right size.
It's the right weight, blah, blah, all that sort of stuff.
And it was right for the time.
Whereas 12 years before, it was just a clunky piece of kit with a bad screen
and, as you say, a poor interface.
But flash forward now, the Surface, Microsoft Surface laptops
or laptop stroke tablets are actually pretty damn good.
They're good pieces of kit.
The tech has finally caught up, and they've started to adapt the interface
so that it flicks between being a tablet
and being a computer quite seamlessly.
Yeah, yeah.
I also think that the iPad,
for those who are old,
that was really when the BYOD really began to kick off
because executives loved the iPad.
And they brought it into the office.
They were like, make it work.
I don't care.
Yeah, yeah, absolutely.
It spawned the whole BYOD and MDM sort of world.
Yeah, was it Good Ink was one of the key players?
Yeah, yeah, yeah.
They were huge on BlackBerry at the time, weren't they?
Yes.
Yeah, and that's kind of where it came from.
So with the BlackBerry stuff and then the iPad stuff, iPad and iPhone,
as the BlackBerry – well, the BlackBerry stuff declined
because the iPad and the iPhone kicked off, I think.
Yes.
Yes, it did, because BlackBerry had that captive market because of their secure messaging, and it could just lock it down and give it to you so you could just make phone calls and read emails and not do much else on it. But the iPad really changed it.
It had a physical keyboard as well.
Yes, yes. Which I was a big fan... I still maintain I'm a big fan of it. But the form factor was really good for that. But, yeah, no, I think it was a big game changer in that regard. And actually, if you see, like, perhaps stretching it a little bit, but we wouldn't have been so well equipped to deal with lockdown and remote working had it not been for those humble beginnings from BYOD the iPad initiated.
I don't think you're far wrong, to be honest with you. I don't think you're far wrong.
Yeah, I'm never wrong.
I don't think you're far wrong, but I do think you're stretching it. I mean, we are talking about, you know, two decades' worth of technology progressing during that time.
yeah but if you take away the entire you, work from home, work anywhere, bring your own device type stuff,
we'd still be on bloody desktops.
Or we'd still be on dialing in, well, maybe not dialing infrastructure,
but we'd still be...
Dial IP, where it calls you back.
Yeah, exactly.
Or we'd still be having to VPN into an office,
which catered for 10% of the workforce.
Yeah.
Anyway.
It was a game changer.
It was.
He wasn't wrong.
Bill Gates was not wrong when he said tablets were the future.
He just didn't get it right.
Yeah, they just weren't his tablets.
That was the problem.
Yeah, that's right.
We're talking about 500 tablets from CVS.
They're the future, according to Mr. Merritt.
Our second story takes us back a mere four years to the 17th of November 2018.
And I slipped this one in because I did not realize it was so recent. This is when US President Donald Trump signed a bill into law approving the creation of the Cybersecurity and Infrastructure Security Agency, aka CISA. The bill was the CISA Act, or the CISA Act, depending on who's speaking with what accent. And so CISA, you probably realize, it actually got promotion to the rank of federal agency, which put it on the same level as the US Secret Service or FEMA, even though it's still under the Department of Homeland Security's oversight. But, yeah, the agency was expected to improve the cyber security defences across other US federal agencies, coordinate cyber security programmes with states, and bolster the government's overall cyber security protections in the face of mundane criminals and nation state hackers.
And it's hard to believe this type of thing actually happened under Trump's administration.
Was that who Krebs worked for?
The other.
It was.
Yes.
Christopher Krebs.
Yes.
And then he got fired by a tweet.
Yeah, that's right.
Yeah.
See, Trump was doing that before it was cool as well.
Yeah.
No, no.
Yeah.
He is.
He's the one learned from the daddy.
Yeah, exactly.
He's the Bill Gates to Apple.
You know, just do it differently.
Whenever I see CISA, all I can think of is the Certified Information Security Auditor.
Yeah, same.
Of ISACA. It just doesn't sit right as a, you know, an agency at all.
No.
They're an acronym.
Yeah, they should have at least done a basic internet search, you know.
I know.
You should, yeah. They really need to. But the problem is that ISACA and ISC squared, they create so many certifications now that, you know, they probably... if they didn't have so many other certifications, you could probably, you know, keep that as a, you know, premium. You know, like the good domains, like top-level domains, .coms, but they sort of spun off into, like, a .org, .co.uk, .co.nz, and it's like now no one cares. It's just, it's a free-for-all. Anyone can get whatever they want. It doesn't matter if it's a .com or a .london, was one I saw the other day, or a .whatever. It doesn't matter.
Speaking of ISC squared, just while we're on that, I cannot understand any of the emails that come through, like the voting for board is open, director this and the other, proxy voting instructions. But in the last four weeks I've received three emails reminding me that my annual maintenance fee is due in December, and that is very clear. So, you know, if I don't pay by December, I have to... it's due in December. If I don't pay by March, then, like, you know, I probably lose my certification.
The question I put to you, gentlemen, is, should I pay or not?
Oh, same.
So are we talking about ISC squared?
Yeah.
Yes.
Yeah.
Do you know what?
I am really not sure.
I'm in two minds about just that.
What about you, Andy?
I would pay.
Yeah.
You'd pay for the entire Adobe software stack and not use it. You're not exactly a reliable source of economic advice on this one.
It is like, if you just think, all the money you've put into it over the years, all of those CPEs you've logged, all of the events you've done, it's just...
Sounds like someone on the slot machine in Vegas.
Yeah, it's a sunk cost fallacy, man.
It's got us where we need to be.
Do you know what?
I used to work for a company
that allowed me to expense
all costs for certification. So now I don't, I'll see whether I maintain that same appetite.
You know, it's not even about the cost. It's just the principle. It's like, oh, man. You know what it's... do I want to be... The only thing I'm worried about is I let it lapse and I'm happy, and then for some reason my job changes or something. You have to join another company and they say, oh, you don't have a CISSP. Yeah, sorry, we can't employ you. It's a mandatory requirement. That's the only thing, honestly.
I have to say, at this stage of your life,
I think if they said, oh, you've got to have a CISSP,
I think you'd be able to give them two fingers and go elsewhere.
You know, it's one of those things...
There's a lot of people out there with CISSPs, Tom.
Yeah.
Jav's not really standing out from the crowd, you know.
You like to think that's the truth.
Well, not at five foot two, he's not.
Piss off.
Move on.
All right, that was this week's...
This Week in InfoSec.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched, factual security content?
Yes.
Ask your doctor if the Host Unknown Podcast is right for you.
All right, talking of involuntary swearing and anger, let's go to...
Listen up! Rant of the Week. It's time for mother f***ing rage.
I can't believe Andy got me to talk about football.
It was going to happen one day.
It was either football or wrestling.
I was trying so hard.
So the headline,
Germany says nein to Qatari World Cup spy... apps. Apps, not spyware. So if you have been living under a non-football rock like I have, you may not be aware that there is a World Cup going on, apparently, in Qatar. Not a clue about this, but, hey, there is a World Cup, football World Cup, going on in Qatar.
There has been a fair amount, although in fairness on the news, there's been a fair amount of noise about Qatar's ethics and morals and the way they treat their people and minorities and, you know, for instance, LGBTQ people, et cetera, et cetera, and how it's a little bit of an oppressive government, blah, blah, blah. But, you know, we know this. We know that it is Qatar. But for some reason, and I can't think why, money, the FAA awarded the Qatari government the World Cup.
I think this is, I think the last
place that had the World Cup was
Russia. Is that correct?
Russia has hosted the
World Cup before, yeah. That was the one before
the Qatari though, wasn't it?
Qatar
I don't know
Do you know what?
I actually can't remember that far back
It's only four years, but I can't remember
Yeah, I'm pretty sure it was Russia
Again, not sure
Was it Brazil?
Or one of those
Oh, who knows
Who knows
Anyway, the point I'm trying to make is
that it was quite a contentious
decision to have it awarded to Qatar in the first place.
Now, people are traveling there.
Some people are boycotting it.
I think.
Didn't even.
Wasn't Ariana Grande supposed to be singing there or something?
And then she cancelled based on the human rights of Qatar. Sorry.
Fans are devastated.
I know, I know. I'm selling my tickets right now on the black market.
I mean, that's... forget it, sorry.
Well, I think, you know, a lot of people are highlighting some of this. Now, the Qatari government obviously don't care. That's not a problem for them. They've got the World Cup. They've got what they needed. However, in order to enter the country you have to download a couple of apps: a Covid-19 tracker from the Qatari Ministry of Public Health, and an app called Hayya from the government's Supreme Committee for Delivery and Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services. Now, what Germany has found is that both these apps ask for an inordinate amount of access to your phone. And the bottom line is they think you're going to be tracked. You're going to have your movements tracked. They're going to listen in to your conversations, et cetera, et cetera. Even Norway's data protection agency said that it was alarmed by the extensive access the apps required and warned that Qatari authorities likely use the apps to monitor users' location, in addition to snooping through personal data. So there's two parts of this. This is a double-sided answer. One, you know, building an app under the pretense of hosting,
you know, an international event and using it as an opportunity
to snoop through people's phones.
One is just, ugh, disgusting and outrageous, et cetera.
The flip side to this is, what did we expect?
This is a country that has an incredibly poor record of abuses to human rights, etc., etc.
Of course it's going to do this. It's like if you went to China, for instance, for a World Cup and they asked you to download two apps,
of course it's going to snoop on your data.
This should come as absolutely no surprise whatsoever.
That said, do you remember, I mean, I think it was RSA a few years back,
the RSA conference, even their app screwed up
and exposed everybody's data to everybody else
Do you remember that? That was about 20...
Yeah, was it? You were able... Yeah, you have to see everyone else's details and, yeah, phone number.
Yeah. So the flip side to this, again, this is a three-sided coin, is that actually writing an app that allows you to do a whole bunch of things, et cetera, is sometimes quite hard.
Yeah, but do you know what?
I think genuinely in the RSA case, that was actually, you know,
they hired a third party that was just bad at development.
Yeah.
Whereas in this instance, I think this is by design.
Oh, this is absolutely by design.
The MVP, when the Qatari, you know, people with the purse strings went to the developers, they said, right, first thing on the list: download all the data.
Yeah, I completely agree. I do completely agree. But, you know, it all just adds up to a, are you surprised here? Now, the interesting thing will be, is if you go to Qatar and you have to download these, you have to have them in order to get into the events, get into any kind of local facilities. If you haven't got the Covid-19 tracker, you can't check into your hotel, da-da-da-da, all that sort of thing. That's going to be interesting, because you're being forced to do this. The answer, of course, is to get a burner phone. But those are expensive and cost money. It's going to be difficult, right? Not everybody can afford it.
Says the man who's got, like, 15 different iPhones that he doesn't need.
Yeah, exactly. So many iPhones he actually takes them apart and mounts them on his wall.
So Tom Loafer telling people who've bought, like, what, £500 football tickets, like, you know, a grand on, like, flights and accommodation, that, oh, don't spend 50 quid on an Android phone that you can pick up at Tesco because it's expensive.
Well, all right, but people might not even think about doing that either.
That's the other thing.
It's preying on people's... on people's ignorance, right?
And anyway, you can give me the phone afterwards and I'll mount it in a frame for you.
See, I think there's a bit... I get what you're trying to get at, Tom, but it's like, as always, I think you're just, like, taking the wrong angle on stuff. It's like there's, there's, like, you know...
The human rights angle, you mean?
Well, you know, you talk about it as if Qatar is the only country that has poor human rights records.
It's the only country in this story that I'm covering. Yes.
Yeah. But you make it out as if this is the first country to host the World Cup.
That that is not a bastion of free rights and freedoms and inclusivity
because, oh, last time it was in Russia.
Yeah, they're really fair and high in human rights.
That was kind of the point I was making.
It was in Brazil.
Oh, why don't we hold it in America?
Yes, because they're really big on abortion and women rights
and human rights and all that kind of good stuff.
I mean, literally, when you go through it, there's hardly any countries.
Now, what you're trying to do is shoehorn everything into a Western, very convenient narrative,
conveniently forgetting that, you know, even Google this week got fined $400 million in a location tracking probe. So, you know, I think it's... while it's an important issue, absolutely, I think the framing of it to say this is a Qatar issue or just about the World Cup is incorrect. This is a systemic problem that is embedded within tech overall, and it's a global issue, because everyone is living in glass houses.
Okay, so you disagree with this story.
You're saying that this is fine because everybody else is doing it.
I've said what I've said.
Do not try to put words into my mouth, Piers Morgan.
Stop trying to put words into your mouth.
No, no, that's right. Okay, okay.
I'm not convinced you actually heard the first half of what I was talking about anyway.
I think you were off.
Irrelevant, irrelevant.
I wanted to make a case and make it look bad.
Hopefully someone will take the snippet of this
and post this to TikTok and like, you know,
give up, destroy Tom Langford on Andy's podcast.
And when you say hopefully someone, you mean you're going to do it?
Well, yeah.
Is that why you switch the cameras on for everyone?
So.
Oh, man. I tell you what
I'm looking forward to
your story because for once
it's not about actually supporting a criminal.
Rant of the Week.
attention
this is a message for all other InfoSec podcasts.
Busted.
We caught you listening again.
This is the Host Unknown podcast.
All right.
Let's move on to the rather, well, oddly named,
because it's certainly not true,
Jav's Billy Big Balls of the Week.
Billy Big Balls of the Week.
So, while Tom said, oh, thankfully it's not standing up
for the criminals this week, this is where he's wrong,
because we go to our favourite penal colony.
Con-o-ly.
And I'm standing up with our British Texans, Australians. So the Australia's government has declared, and this is, I can just imagine there's a lot of, like, you know, fists on desk, like, you know, moment where behind closed doors and someone said, okay. The Australian government declared the nation is planning on going on the offensive against international cyber crooks following high-profile attacks on local health insurer Medibank and telco Optus. And this aggressive posture was expressed in an announcement, a joint standing operation that will see...
Andy, phrasing.
So that will see the Australian Federal Police and the Australian Signals Directorate, which is their version of GCHQ or the NSA, to run a team with a mission. And the mission is to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups. And if this is not, like, enough bravado enough, their Minister for Home Affairs and Cybersecurity, Clare O'Neil, said the operation will scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber attacks and disrupt their efforts. This is Australia standing up and punching back.
I think that quote should actually be,
scare the world, hunt down the criminal syndicates and gangs
who are targeting Australia in cyber attacks
and disrupt their efforts.
Yes, yes, exactly.
We are not going to sit back while our citizens are treated like this and allow there to be no consequences for this.
Wow.
O'Neil said the operation will be, for the first time, offensively attacking these people.
Honestly, if you just replace ransomware groups with bin Laden, this could be a George Bush speech just before they're... It's basically saying they don't care what country you're in, they're coming for you.
Yeah, exactly. The Australian SAS are going to be called in.
Yeah, they're going to parachute in, you know, or maybe parachute in their secret ninja kangaroos and they come and kick your servers offline.
Right. Unleash the ninja kangaroos.
Well, the best defence is going to be emus, isn't it?
Yes.
Australians can't fight back against emus.
Exactly.
So we have long talked about, or not just us personally, but the industry as a whole, long talked that hacking back is never a good idea.
Well, you know, do not hack back. I think it's the job of our governments to hack back. I think it's something that should be done against criminals. It's a bit like saying you shouldn't, you know, there's no such thing as a, a civil... was a civil arrest or whatever it is, you know, and you shouldn't go out and hunt criminals yourself.
Citizen's arrest.
Yeah, because your citizen's arrest, because you're, you know, a vigilante. That's the job of the government through the police force. And that, effectively, is what this is. They're saying that we're going to take the fight to them, because you can't do that. You're either, you know, too small, ill-equipped, or also, or you're just going to, you know, create more damage for yourself.
Yeah, yeah. No, I think that's right. I think there's a difference between hacking back and actively prosecuting or going after.
I don't know.
I mean, the language used in this is very...
Like, this isn't prosecute.
This is scour the world,
hunt down the criminal syndicates and gangs
who are targeting Australia.
Yes, yes.
And then we're going to kneecap those bastards.
Yeah, exactly.
There's nothing there about, you know, following the law and prosecuting. This sounds...
No, no, no. Well, yeah, but that's political rhetoric. This is political.
Again, this is like... it is, but it's also worrying that it sounds like it's people who don't really have a clear understanding of what happens in the cyber world that are making policy and saying, right, go and fuck them up.
Go and get him, Dave. He's definitely worth it.
Yeah, exactly. And, you know, we just need to be a bit, you know, there needs to be a bit more thought and intelligence. But then we're talking about Australians, so, yeah, good luck.
Blimey.
I'm loving the way...
They're all asleep.
They won't hear this.
No, this is true.
This is true.
Yeah, but they're asleep in the future,
so they've already heard it.
Oh, shit.
Good point.
And my internet goes down in three, two...
You hear that glass crashing?
That's people in black outfits in parachutes
jumping through your skylights.
Oh, dear.
So that was, well, very good story, Jav.
I loved the way you turned it around
so that the Billy Big Balls was, in your words,
actually about
criminals. You're welcome. Billy Big Balls of the Week.
You're listening to the double award-winning Host Unknown Podcast. Okay, time has marched on.
If you're listening to this in Australia,
you're listening to it in the future.
So, well, what time it's with you, we don't know.
But Andy, what time is it for us here?
It is that time of the show where we head over to our news sources
over at the InfoSecPA Newswire
who have been very busy bringing us the latest and greatest security news from around the globe.
...in landmark privacy case.
Industry news.
Billbug targets government agencies in multiple Asian countries.
Industry news.
Euro authorities warn World Cup fans over Qatari apps.
Industry news.
Majority of companies reduce cyber security staff
over holidays.
Industry news.
Chinese spy gets 20 years for aviation espionage plot.
Industry news.
US: Iranian hackers breach government with Log4Shell.
Industry news. More than half of Black Friday spam emails are scams.
Industry news.
Hundreds of Amazon RDS snapshots discovered leaking users' data.
Industry news.
New spotnet suspected leader arrested in Geneva.
Industry news.
And that was this week's...
Industry news.
Huge. Huge.
Huge.
Immense.
So I'm looking at this story
about Euro authorities
warning World Cup fans
over Qatari apps.
Yeah.
Yeah, I mean,
like there's not any other countries
that they should be warning
people about, right?
No, exactly.
So I clicked on this "majority of companies reduce cyber security staff over holidays". Wow, shock horror. I know, this is like... Do you reckon marketing, like, industry rags have the same sort of story? Like, "majority of companies reduce marketing staff over holidays". Exactly, yeah. Or Catering Weekly. That's a good experiment. Maybe the Host Unknown research division should
come up with these stories, like from security but apply it to a different industry. Say, like,
developers are, you know, reduced over the holidays, and developer burnout is a real thing, and developers are less... Chief, head of development suffer from stress. Yeah, head chefs, yeah.
HR Weekly: heads of HR suffer from stress and burnout. I love this.
more than half of Black Friday spam emails are scams
I mean yes
obviously
no
groundbreaking
do you know what the other day actually
I was in the kitchen
and I was reading my emails
and I've been looking at air fryers recently, and I've been thinking, do I get one? You know, I'm thinking, wait for the Black Friday sales, and it's like...
I've been thinking, like, for the last year whether or not to get one.
And at that time, as I was standing up, I pressed my phone, I was looking at my email,
an email came in and it said something like 20% off like Ninja Air Fryer.
And I was like, oh, crap.
Like, you know, that's the type of thing I'm waiting for.
But as I stood up, like the email disappeared.
And I was like, oh, shit.
You know, like you shake your phone to sort of undo archive and stuff like that.
I'm like, what happened?
What happened?
What happened?
Anyway, couldn't get it back.
And later that day, I was like, actually, let me check my spam folder.
It was actually a spam email.
And so it'd come into my inbox and then got moved to junk.
But it was one of those things.
I was desperately thinking about buying one.
It was very timely.
It came in.
And I'm sure I would have figured out it was spam had I clicked on a link
and it took me to some Chinese website. However, I don't think everyone would have had that presence
of mind, but I was very close to thinking I had a bargain in my mailbox. And I have to say, a bit of
consumer advice: those Ninja air fryers are really good. They are definitely worth the hype. I've had
one for a couple of years and it is brilliant. What happened after a couple of years?
Yeah, I was going to say,
I thought that's going to be a negative story to the end.
No, no, it's really good.
It's got the air fryer, it's got the bake,
it's got everything safe enough for the kids.
Well, not really safe enough for the kids to use,
but I'll get them to use it anyway.
Make their own pizzas in it and what have you.
Just keep your head out of it.
Yeah, exactly.
But yeah, no, on the
stories, going back to the stories, there's a new
spotnet suspected leader arrested
in Geneva and unfortunately
it's not the Australian
task force that have taken him down.
So I think that was a quick win they could
have had there.
I just want to see, you know,
when they arrest them and they walk them off, I just want to see somebody, you know,
cable ties behind his back
being walked off by two kangaroos
yeah well I'd like to see like a kangaroo
come out the crowd in like a hat and an
overcoat and just sort of like
pull a gun out and shoot him dead
and the hat has got corks on it
yeah
And he's called Bruce.
Yeah, and he skulls a can of Fosters and then he pops off.
I was in Australia in the early 90s with a friend of the family's.
And this guy's name, swear to God, was Bill Blood.
B-L-O-O-D.
I mean, do you think possibly his forebears may have been pirates?
Yeah, definitely.
Bill Bloody Blood.
Yeah.
Anything else here?
US: Iranian hackers breached government with Log4Shell.
I'm not sure if that's business as usual
or why is the US falling for simple vulnerabilities?
Yeah, well, this is actually an alert from CISA,
the Cybersecurity and Infrastructure Security Agency,
which was set up about four years ago.
I thought they were auditors.
Yeah, this could be one of those.
A lot of success is based on just making sure your name's out there
and not necessarily saying anything particularly useful.
It's worked for Jav for years.
Exactly.
And so I'm just thinking maybe CISA's saying,
look, this stuff's happening out there.
Patch your vulnerabilities, people.
Good.
Well, I think that's it, because Jav's gone quiet as well.
So that was this week's
Industry News.
This is the Host Unknown Podcast,
home of Billy Big Ball energy.
Right, Andy, we're going to hand it over to you to take the show home with this week's
Tweet of the Week. And we always play that one twice. Tweet of the Week. And I shall take us home
with this one, and because you've played that jingle twice, I'm going to give you two for the
price of one. Yay. The first tweet, it is just because of all the doom and gloom
surrounding Twitter at the moment. So I picked out a tweet from Jericho at Attrition and he says,
I don't care if Twitter lives or dies. On the off chance it does, InfoSec is full of scumbags.
By that, I mean to a degree a lot more than people realise or want to admit. Integrity is a core part of InfoSec in theory,
but not in reality as far as practitioners go.
Wow.
Strong words.
Very strong words.
Yeah.
And I'm not going to disagree with him in case he puts me on his website.
Right.
Exactly.
Errata.
Errata.
Yeah, exactly.
Yeah, so,
it's, uh...
No, I think every industry's got its fair share of bad apples, and every industry's got its fair share of pretenders.
Um, you know, you get the right PR people, you market yourself properly, and you too can be a success.
Yeah, and I'm not sure this... You know, "integrity is a core part of InfoSec". Well, I'm sure of that, in theory.
It's literally the I in CIA, Tom.
Yeah, I know. But it says in theory, but in reality, as far as practitioners go,
I think it's purely the medium pulls out the scumbag in people.
But that's the same across all industries and all walks of life.
Absolutely. And I think it's a very much again it's like many things it's a very us-centric point of view
you know you look in the uk most people who i've worked with in organizations they're not on
twitter and secondly a lot of them are genuinely just decent people, come in, do a good job and then go home and have a life outside
of security.
You're talking about me, aren't you?
No, I'm YouTube
represent the scumbaggery part of InfoSec
that I agree with.
Well, no, the thing is
on British Twitter there's an awful lot
of, oh, excuse me, sorry, sorry,
yes, okay, no, after you.
Thanks. Okay, next story, Tom. Sorry, I just had a coughing fit there, so I muted first. So, yeah, you're going to have to cut this part. Anyway, our second tweet is because the first one was US
centric, this one is going to be British centric. And this is from Very British Problems. And they
say, finding out you're wanted for tax evasion via a phone call from an automated recording of
an electronic voice with an American accent. Classic HMRC. And if you live in the UK, you will have received this phone call.
Obviously a scam, but I thought that one was very relatable.
I've received them even in the British accent.
And not a recording. No, no.
Someone from HMRC. Yeah, that was actually, yeah.
I think we knew what happened with that one.
That's it.
Oh, man.
Brilliant, brilliant.
Thank you, Andy, for this week's
Tweet of the Week.
So, we've come through it
and just in time for Jav to make his 10 o'clock call,
which is all the better.
So, yes, gentlemen, thank you so much for this show.
Jav, thank you for your contributions
and for agreeing with everything I said.
Yes, you're welcome.
And Andy, thank you.
Stay secure, my friends.
Stay secure. A Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe.
If you hated it,
please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Well, you're talking of Smashing Security.
Isn't it about time they went on holiday
for Christmas break?
I hope not,
because I'm going on in a couple of weeks.
Oh, I thought they normally leave about
Thanksgiving and come back at Easter.
Oh, I don't know.
I don't know.
I've never actually listened to their podcast, so I've no
idea.
That's an outrageous thing to say,
Jav, especially from one of our
well, only
sponsors.
We took the money.
We said their name on air.
What else?
It's not like we got married or anything.