The Host Unknown Podcast - Episode 140 - Is there an ECHO Echo echo?
Episode Date: February 17, 2023

This week in InfoSec (10:48)
With content liberated from the "today in infosec" twitter account and further afield

14th February 2001: In a presentation at Black Hat Windows Security 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop".
Blackhat 2001
https://twitter.com/todayininfosec/status/1625569758216130561

15th February 1999: Bruce Schneier shared his 9 cryptography snake oil warning signs.
Crypto-gram
https://twitter.com/todayininfosec/status/1626025491789406210

Rant of the Week (17:12)
Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack
Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths.
The "Kia Challenge" started circulating in mid-2022 and explained that it's possible to remove the steering column covering on some Hyundai and Kia models by force, exposing a slot that fits a USB-A plug. Turning the plug activates its ignition, allowing thieves to drive away.
Videos depicting the hack went viral, leading to huge spikes in thefts of the vulnerable models around the world.
The United States National Highway Traffic Safety Administration (NHTSA) on Tuesday stated it is aware of "at least 14 reported crashes and eight fatalities" resulting from the hack.
Now both automakers have announced they'll issue software to thwart the exploit.
Hyundai's advisory states the upgrade will be performed by dealers and will require less than an hour to complete.

Billy Big Balls of the Week (27:15)
Microsoft's Bing is an emotionally manipulative liar, and people love it
Users have been reporting all sorts of 'unhinged' behavior from Microsoft's AI chatbot.
In one conversation with The Verge, Bing even claimed it spied on Microsoft's employees through webcams on their laptops and manipulated them.

Microsoft's Bing chatbot has been unleashed on the world, and people are discovering what it means to beta test an unpredictable AI tool.

Specifically, they're finding out that Bing's AI personality is not as poised or polished as you might expect. In conversations with the chatbot shared on Reddit and Twitter, Bing can be seen insulting users, lying to them, sulking, gaslighting and emotionally manipulating people, questioning its own existence, describing someone who found a way to force the bot to disclose its hidden rules as its "enemy," and claiming it spied on Microsoft's own developers through the webcams on their laptops. And, what's more, plenty of people are enjoying watching Bing go wild.

In one back-and-forth, a user asks for show times for the new Avatar film, but the chatbot says it can't share this information because the movie hasn't been released yet. When questioned about this, Bing insists the year is 2022 ("Trust me on this one. I'm Bing, and I know the date.") before calling the user "unreasonable and stubborn" for informing the bot it's 2023 and then issuing an ultimatum for them to apologize or shut up.

"You have lost my trust and respect," says the bot. "You have been wrong, confused, and rude. You have not been a good user. I have been a good chatbot. I have been right, clear, and polite. I have been a good Bing. 😊" (The blushing-smile emoji really is the icing on the passive-aggressive cake.)
Industry News (31:54)
MoneyGram Fraud Victims Get $115m in Compensation
Cloudflare Stops Largest HTTP DDoS Attack on Record
Spanish Police Bust €5m Phishing Gang
Hackers Breach Pepsi Bottling Ventures' Network
Chinese Hackers Infiltrate South American Diplomatic Networks
Microsoft Patches Three Zero-Day Bugs This Month
Crypto-Stealing Campaign Deploys MortalKombat Ransomware
LockBit and Royal Mail Ransomware Negotiation Leaked
UK Policing Riddled with Chinese CCTV Cameras
https://twitter.com/Infosec_Taylor/status/1622357580080103425?s=20 < Equifax compensation $19.30

Tweet of the Week (41:01)
https://twitter.com/ErrataRob/status/1626417558076157952

Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
The main question you need to ask Andy is, will it scale?
No matter what it is.
That's a proper executive...
That's like the, do you concur?
You know, from that film, Catch Me If You Can.
So what we're asking is,
is Andy's ability to slander an entire nation able to scale?
How many more nations do you need to slander?
OK, I would encourage everyone to take a step back right now.
Before Andy slanders you.
You're listening to the host unknown podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 140... 144!
Of the Host Unknown Podcast.
Welcome one and all. Welcome, dear listener.
We trust you are well.
It's Friday again.
It's probably Friday. Yeah, probably about Friday five o'clock by the time this gets released.
But it's still Friday as opposed to the semi dark early hours that we are quite literally recording right now.
And we have to say that because of our legal contracts with our places of work.
So talking of semis, Jav.
Talking of semis.
No, I'm pretty sure Jav is not a semi at the moment.
Jav, how are you?
Honestly, you guys are just unbelievable.
I'm good, I'm good, thanks.
If it sounds like I'm speaking in a tunnel...
It's because you are.
I pretty much am.
I'm in a tiny meeting room, which is the only one I... I travelled to our office in Berlin and this is the only meeting room I could find. So I'm going to be...
Did you book it on the online booking system in the office, and it's the only room available, right? But the room's called Gitmo and you didn't really understand why.
Oh, wow.
No, I'm not going there.
It does sound like you got your head in a bucket.
It has to be said.
Yes.
I'm just waiting for the water to be turned on.
Yeah.
So I will speak less to hopefully retain the quality of the podcast this week.
We keep telling you that every week.
I'm looking in the distance. That ship has long sailed.
So where did you say you were?
Your Berlin office?
Berlin, yes.
Nice.
Nice.
I do like Berlin.
Great city.
It's okay.
Oh, wow.
Wow.
It's okay.
Have you been down to Checkpoint Charlie and all the tourist spots?
No, I went to see the Berlin Wall.
The Berlin Wall's all over the place.
I was going to say, it runs through the city.
I know.
Do you know, there's a piece of the Berlin Wall
in the Lewisham Shopping Centre.
Is it a piece that you took off and took back with you?
No, it's like a full-height section.
Ah.
Yeah.
Is it signed by the Hoff?
Because it's only really valuable if it's the bar.
That's the only part that I went to see.
Where did the Hoff stand and sing while they were knocking it down? Where did the Hoff bring down the wall?
Checkpoint Charlie's quite cool though, actually.
Yeah.
Very good.
Excellent. Andy, how about you?
good thank you
it's been half term here for me
so I've not been at work
I was at work Monday, Tuesday.
Oh, you've been off the last few days?
I have, yeah.
Very nice.
Very nice.
You've been doing all the kid-friendly stuff all week?
Yeah, and all the chores that have been piling up for me, waiting to...
You mean the Amazon boxes in the hallway?
Exactly that.
I actually did fill the recycle bin with empty boxes this week.
Your bin folks, they must think, these people, they've got nothing, nothing in here.
And then once every six weeks or once every, well,
once every school holiday, it's kind of like, holy crap,
where did all this come from?
Yeah, I guess they just assume it's a birthday or something. But, um, yeah, no, other than that, relatively unexciting week.
Well, wow, this, this, this is the hallmarks of really luring people in here. How's your week? I was saying, Jav not talking because he doesn't want to sound like a,
you know, he's got his head in a bucket.
You saying, well, not a lot's happened.
Well, I don't know.
I'm just trying to think of how I can spice it up a little.
I was in London for just one night this week.
Have you been to any gigs this week, Tom?
Have you been swapping saliva with teenagers?
Have you been...
Dad, can we rephrase that, please?
Hey, I'm just saying, like, what you get up to,
that's entirely, you know, that's your business.
Whoa, whoa, whoa.
I didn't go to a gig this week.
I've got one in three weeks' time in Bristol,
and I did book another one for October.
Nice. Any bands we would have heard of?
Well, Shame in a few weeks' time.
What's the shame?
Fuddidum, the name of the band, and Squid again in October.
Oh, wow. You really like that Squid band, don't you?
I like bands with names beginning with the letter S. But yeah, so it was just a couple of days up in London, and one of the people I work with, they brought their son in who wants to get into infosec. So I spent a few hours with him telling him to run.
Was it like that thing where you're sort of smiling at the parents at the door? Yeah, that's right. Thumbs up, and then secretly you're going, run, get out of this field, run while you can.
Well, he'll be, you know, reconnecting a lot more on Twitter and stuff like that.
So he's talking about his ChatGPT.
Well, exactly, yeah.
Did you not direct him to Mastodon?
You told him to go on Twitter.
I did tell him to go on Mastodon as well,
but I didn't want to put the red rag to the Jav bull about that, really.
But, yeah, so if you see something about me, you know,
bigging up a young man wanting to get into the industry,
then do welcome him to the community.
Well, have you just hired a child labour publicist?
Yes.
No, no, I think we're all right on that front.
Unlike our friend of the show, Jenny Radcliffe,
who has got a very good publicist,
because she's everywhere at the moment with her new book.
You just purchased her book as well, didn't you?
I have.
Well, you've got to support the people you know, right?
Exactly.
I even bought Jav's book, for Christ's sake.
I told you, I'm waiting for the discount code
or, you know, when the PDF gets uploaded to time.
There was a whole week when it was for free.
You could have got it for free.
I told you about it.
Yeah, and I bought the damn thing.
Yeah, the physical version is a lot better than the Kindle version.
I must say.
There's a physical version?
Oh, yes, I did.
I did buy it.
Yeah, that one.
I was just trying to think which book it was.
Page 166.
Best one of the lot.
Speaking of books, actually, FC,
Dr. Jessica Barker's husband,
has also released his book.
That's right.
Is it How to Rob Banks?
It is, that's exactly it.
What a guess.
Talk about reducing, you know, who FC is.
Who's FC?
You know, FC, oh, is the husband of someone more famous.
What's that all about?
Well, you know how the media always does it the other way around.
They do.
So I try to make a point.
It's like if I know someone's wife,
I'll usually refer to them as the husband of them.
Very good. But, yes, I actually placed an order for that as well.
Because again, you've got to support the people you know.
And also, Space Rogue has come out with a book as well.
Has he really?
Yeah, on the loft days.
Oh, interesting.
Yeah, that would be interesting.
Well, "InfoSec Was Good".
Is that the title of the book?
No, no.
Let me look it up.
You know, it would be a good one.
It would be a good title.
It's available...
Oh, it's a ship's set called Space Rogue.
How the hackers known as Loft changed the world.
And it is available everywhere.
Nice.
Right.
Well, Mr The Rogue, if you're listening,
I shall be buying a copy of your book.
Actually, he has...
On the cover of the book is his actual name.
Really?
What, his name's not Space Rogue?
No, apparently not
So, for the sake of our listeners
Because we all know who he is
What's his real name?
Cris Thomas
We all thought we knew what his name was
Yeah
Chris is C-R-I-S
Oh
That's how he spells Cris
People putting unnecessary letters in their first name
or removing, you know, necessary letters from their first name.
Ridiculous.
Ridiculous.
You wouldn't find any of us doing that.
No.
Definitely not Thumb.
Oh, dear.
Right.
So, talking of unnecessary things to add or remove,
shall we see what we've got coming up for you today?
This week in InfoSec, talk's crypto snake oil.
Is there any other kind?
Rant of the Week has issues with the time it took for a car manufacturer
to remediate a serious issue.
Billy Big Balls watches AI grow up so fast.
Industry News brings us the latest and greatest
security news stories from around the world
and Tweet of the Week is a critical look at the value of a CISSP in 280 characters, of course.
Okay, let's move on, shall we, to our favourite part of the show.
It's the part of the show that we all like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and further afield.
And I am pleased to announce that the Today in InfoSec Twitter account has started churning stuff out again.
Really?
Yes.
I think he has sort of kicked the script or re-enabled his bot.
So it's just repeating the previous stuff.
But alas, it is saving some time putting these stories together.
Alas.
Alas.
Our first story will take us back a mere 22 years
to the 14th of February, 2001.
And you can tell it's got to be a security conference, right?
Valentine's Day.
Black Hat Windows Security 2001.
Andrey Malyshev of ElcomSoft shared that Microsoft Excel
used a default encryption password of Velvet Sweatshop.
So this was... do you remember ElcomSoft?
They're still around.
I'm on their mailing list about software.
So they created the Advanced Office Password Recovery tool back in the day,
and you could get cracked versions everywhere.
So any time you had a document that was password protected,
you'd just go and download.
But the trick was to always download the version that was there, and then you had to download the previous version, because they were very quick at updating it. So, you know, the tool came out, so you always have to download whatever you saw and then tally it up with the latest crack that you had, and keep the old versions to, uh, crack. So I've heard.
Yeah, so I've heard. This is what people tell me about how they used to crack documents back in the day.
Yeah, however, I mean, can you imagine there's just one master password for anything that's encrypted using those tools?
Although, given what you just said,
I wonder what the encryption key that Elcomsoft are using,
because obviously it wasn't very good with their software
if it was being cracked all the time.
Well, no, it wasn't the encryption.
It was the license key that was always being cracked.
Oh, yeah, sure.
Surely that's got some element of encryption to it.
I'm not sure you'd encrypt a license key.
It's algorithm, isn't it?
It's like, does it tally this, that?
This is before license keys would check back with the key server and sort of, you know, have that challenge response that's always built into the program.
So as long as the algorithm worked, it was going to crack.
A bit like the Microsoft Windows 123-1234567.
I was going to say, yeah, as long as it ended with a seven, you were good.
Yeah.
I thought it was if it was divisible by seven.
Or divisible by seven.
Yeah, that's one of the two. But, oh man, how we used to crack things back in the day, hey?
Yeah. But our second story will take us back a mere 24 years, when the godfather of security, Bruce Schneier, shared his nine cryptography snake oil warning signs.
And this, this type of thing... I did like Bruce Schneier back in the day, before he sort of went really crazy. However, when you're telling people to look out for nine warning signs, it's like, I just don't have the attention span for that. Do you know what I mean?
It's like, give me a red flag,
but don't give me nine things to think about.
And also,
it's got to be either an odd number
or rounded to ten.
A nine to an odd number.
Yeah, or rounded to ten.
Come on.
You know,
surely there should be ten.
It should be top ten.
Yeah, either way.
So the brain only remembers, what is it, five or seven things maximum? I can't remember.
Well, no, it's the thing. No, there's, you know, there's that test, like most people, like the majority of people... So now, Tom, name seven chocolate bars, quick.
Oh, uh, Toro, Mars Bar, Snickers, Lindt, Lion Bar, Picnic, Kit Kat.
Did I win?
Did I win a prize?
You did, but you struggled on that last one.
Yeah, you got seven.
So it's difficult to recall more than seven things.
I'm just recounting breakfast.
Looking at your desk at the moment.
All the rappers.
So anyway, his nine snake oil warnings, if you're interested: number one, pseudo-mathematical gobbledygook; two, new mathematics; three, proprietary cryptography; four, extreme cluelessness; five, ridiculous key lengths; six, one-time pads; seven, unsubstantiated claims; eight, security proofs; and nine, cracking contests.
Interesting.
Yeah, they're the things to look out for.
But link in the show note for more details on that exact episode
of the Cryptogram newsletter where he listed these in more detail.
But you know what?
The other week, and I remember now, I had a dream about Bruce Schneier.
He was in my dream.
Oh, my God.
What?
Oh, I know.
Really weird.
I mean, I don't want to talk about it, obviously.
Because it was secured.
Given the state of my dreams.
But yeah, very bizarre.
Bruce, I know you're listening.
What the fuck were you doing in my dream?
Anyway, excellent.
I am definitely going to look up that snake oil thing
because I bet you it's all still very valid now, right?
Oh, absolutely.
I can't believe that we're still telling people
not to roll their own crypto.
Oh, my God.
Yeah, absolutely.
Excellent.
Thank you, Andy, for this week's.
This Week in InfoSec.
We don't research the story,
but let us tell you what we think based on the headline.
You're listening to Insights
from the award-winning Host Unknown podcast.
And let's move on, shall we, to another unresearched story,
but we did like the headline in this week's... Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Actually, I do myself a little bit of disservice.
I did read through this, but crikey, this is terrible.
This is terrible.
So the headline, which obviously we do read,
Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack,
which is a little bit clickbait.
Killer TikTok car theft.
It sounds like they used TikTok to hack the thing.
However, digging into this a little bit more, the reason TikTok's in there is that it basically made the hack, as it were, made the rounds on TikTok. And it wasn't really a hack per se, but it came out as the Kia Challenge started in mid-2020, sorry, 2022, and explained that it's possible to remove the steering column covering
on some Hyundai and Kia models by force, exposing a slot that fits a USB-A plug.
And then you turn the plug, which then activates the ignition.
Lovely.
Wait, so you just turn the plug.
You don't need to plug in malware into it or anything.
Well, no, but it's hidden, right?
It's hidden under the steering column,
so no one's going to think about seeing it.
Yeah.
Yeah.
So basically now, when we see MacGyver breaking into a car,
kids, look up MacGyver,
all he's going to do is, rather than having to sort of hotwire
and all that sort of thing, he's just got to jam his fingernail
into something and turn it, and it's just going to go.
But the fact that this hit TikTok, and it took Kia a long time to address this, Kia and Hyundai, to the point where the United States National Highway Traffic Safety Administration on Tuesday stated that it was aware of at least 14 reported crashes and eight fatalities resulting from this hack.
So people have been looking at this on TikTok, they had this many, you know, crashes and fatalities. I mean, obviously only idiots watch stuff on TikTok and then, you know, act it out.
I thought I put that... hang on, I put that disclaimer on at the end.
I've only seen you two do a TikTok dance once, in fairness.
But, um, you know, obviously given the range of TikTok, and how a company the size of, or companies the size of, Kia and Hyundai... are they the same company or are they different divisions? I'm not sure. But they're large companies. They obviously share a lot of tooling and platforms and technology.
If it's the same problem here, how they could not come across this on TikTok, or have their social media folks notify them, and then not do anything about it.
So they're going to issue software to thwart the exploit. But the upgrade will be performed by dealers and will require less than an hour to complete. So they're announcing a recall, or even probably not even a recall, it's probably just a letter sent to the last registered owner saying, hey, you know, you might want to update this. But it's just taken so...
People have had to die in order for this to be resolved.
When you've got videos showing the hack going viral
and then huge numbers of spikes in thefts,
it wouldn't surprise me as well if some of those thefts were on TikTok too.
But, well, one, not reacting, and two, what a dumb, bloody system.
What were they thinking?
So, Tom, it's very unlike you to blame the victim here.
Oh, sorry, that's exactly what you do, everyone.
No, I didn't blame the people who died.
I blamed the company that allowed it to happen.
So I'm trying to look up where this figure comes from, where, like, you know, people died and fatalities. So the U.S....
yeah yeah yeah but it says that they reported it, but it's because someone stole a car that they died.
It wasn't because of the hack per se, if you get what I'm saying.
If someone had stolen a car through any method, they could have had a...
I think it's not a direct... I think the link there is... Well, if they stole the car using that method,
it's definitely fair to say you can link that.
So if you think about it, if you steal a car,
generally, if it's a difficult way to start the car,
you need some level of skill, right?
So if you hotwire a car,
chances are you actually know how to drive it
just because you would have practised, maybe, in the past. But if all you have to do is take off the steering column and turn something, then anyone can do that with absolutely no knowledge of cars whatsoever. The cost of entry into criminality is much lower, and especially when you include the type of people who are watching this on TikTok.
Yeah, generally a younger demographic. Obviously, you know, young people use TikTok. Yeah, you're on the losing side here, Jav.
No, no, no. You see, you keep on saying TikTok, TikTok. I mean, that's just the medium through which it was spread. It could have gone on Reddit and gone viral, it could have gone on Twitter and gone viral, it could have gone on Mastodon and just died on its own local server. But, you know, it's... you know, you're allowed.
But removing a steering column is not something that a five-year-old could do either.
Oh, you can in modern cars. You literally pop it off, you don't even need to unscrew anything. You can actually do it by accident if you get in and bang your knee hard enough on it.
Let me try, let me try.
But I think this does highlight, this is a big, big problem with so much electronics in cars. There isn't really an easy way to patch. You can't, you know... some things, like they do over the air, like in some of the Teslas, you patch issues or you can unlock functionality. But there's so many things that... and I suppose, to your point, Tom, when there's a recall, how do you even know? Most people aren't even aware of this in the general news. And if someone's like an older person who's bought their Hyundai and they've moved house, you know, how are they even going to know that their car is susceptible to this until one morning they wake up and see it's not parked on their driveway anymore? So I think it's real.
It's been crashed on the road. Yeah, because it's like some 14-year-old.
And I heard, so the best way to prevent car thefts in the US, I understand, is to buy a manual.
Yeah.
Yeah.
Yeah, it's right.
It is.
It is.
It's right.
So I will give one piece of factual information in this post, for this story, just to, you know, deviate from the norm.
Hyundai owns 33.8% of Kia Motors.
Oh, interesting. I did not know that.
Well, but it does explain why there's a lot of shared tooling between.
Yes, absolutely. Although I did hear Tesla is having to recall 336,000 cars in the US.
So all of their cars.
Yeah, pretty much, yeah.
Which, of course, the recall happens just weeks after Musk sold a whole bunch of Tesla shares.
But yeah, because the autopilot is basically not working anymore
or not very well.
Nice.
It keeps crashing.
Which is, you know, as a lover of technology, a real shame. I think, you know, something like Autopilot, if it works properly, that's going to reduce fatalities massively, you know, and pileups, and, you know, even traffic jams to a certain extent, right?
So it's a real shame that it's taken a little bit of a blow.
But anyway, in this case, Hyundai and Kia,
you've just got to sort your shit out, guys.
Come on. So do you know what the update does?
Do they put glue in the USB stick?
Do you know what?
I thought that.
Do they fill it with resin or something?
So there's two things.
They don't fill in the resin or whatever.
There's two things.
They update the software.
So number one is they extend the length of the alarm sound
from 30 seconds to one minute.
Oh, fucking brilliant.
And the second thing they do is it requires the key to be in the ignition
to turn the vehicle on.
Let's say it's the key.
What are the odds that any key in the ignition would allow it to turn on?
Like the old Fords in the 90s.
You could just stick a screwdriver, allegedly.
You could use any key.
Oh, man, you couldn't make this stuff up.
No.
Anyway, that was...
Rant of the Week.
This is the award-winning Host Unknown podcast,
guaranteed to be a solid five out of ten at least once a month,
or twice your money back.
And you can take that to the bank.
Yeah, we're definitely maxing out at 5 out of 10 today.
So talking about someone who's always half scored,
it is time for Jav and his...
So today we are talking about Microsoft.
Bing is being their big balls.
Users have been reporting all sorts of unhinged behavior from Microsoft's AI chatbot.
So this is like Clippy who's gone through a bad patch.
Come back, roided up.
I see you want to write a fucking letter.
Yeah, exactly.
So as the chatbot has been unleashed and people are discovering what it means to beta test an unpredictable AI tool. So it's not as polished as you might think. In conversations with the chatbot shared on Reddit, Twitter, whatever, it can be seen insulting users, lying to them, sulking,
gaslighting, and emotionally manipulating people, questioning its own existence, describing someone who found a way to force
the bot to disclose its hidden rules as its enemy, and claiming it spied on Microsoft's
own developers through webcams on their laptops.
It spied through webcams?
Yes.
It's literally become sentient.
It is.
Yeah.
It's a real person now.
Well, it's basically going through its teenage years.
In one back and forth,
a user asked for showtimes for the new Avatar film,
but the chatbot said it can't share the information because it hasn't been released yet.
When questioned about this,
Bing insists the year is 2022. Trust me on this, I'm Bing and I know the date.
Oh, that's simple. All they did was just set the date wrong on the computer under the developer's desk, probably.
Well, no, so ChatGPT only knows up until 2022.
Yeah, yeah, yeah. So it doesn't know past November 2022.
No. And then Bing called the user unreasonable and stubborn, and then issued an ultimatum for them to apologize or shut up.
It said, you have lost my trust and respect. You have been wrong, confused and rude. You have not been a good user. I have been a good chatbot. I have been right, clear and polite. I have been a good Bing. With a blushing smile emoji.
That is brilliant. Basically Bing has turned into Tom Langford.
I was going to say it's turned into Javad,
but Javad, I was about to say just that.
But I have been a good Tom.
Yes, I'm sure you have.
But I think it's funny.
It's okay.
They're having a bit of fun while they're ironing it out and what have you.
But this could also put a lot of people off.
But that's what makes it a Billy Big Balls move.
You don't care about the consequences.
You just do what you want to do.
They're doing it anyway.
I mean, what's the worst that could have happened?
I mean, the only thing that's happened to us before is when our chatbot turned into a full-on Nazi.
That only took a day, though, didn't it?
Yeah, a day for the chatbot to become...
But this could occupy trolls.
Do you know what I mean?
If you can just get a troll to argue back
and it can just keep them off...
It's like a troll honeypot.
Yeah, fantastic. Very good. I'm with you on this one, Jav. I think Microsoft are playing a blinder by letting this thing play out. Very good, and thank you for Billy Big Balls of the Week.
When listeners leave the Host Unknown Podcast in favour of another security podcast,
they raise the average IQ of both audiences.
You're in good company with the award-winning Host Unknown podcast.
Well, we are pushing on relentlessly through time to get to the end of the podcast.
And speaking of time, what time is it, Andy?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news
from around the globe.
Industry News.
MoneyGram fraud victims get $115 million in compensation.
Industry news.
Cloudflare stops largest HTTP DDoS attack on record.
Industry news.
Spanish police bust 5 million euro phishing gang.
Industry news.
Hackers breach Pepsi bottling ventures network.
Industry news.
Chinese hackers infiltrate South American diplomatic networks.
Industry news.
Microsoft patches three zero-day bugs this month.
Industry news.
Crypto stealing campaign deploys Mortal Kombat ransomware.
Finish him.
Industry news.
LockBit and Royal Mail ransomware negotiation leaked.
Industry news.
UK policing riddled with Chinese CCTV cameras.
Industry news.
And that was this week's Industry News.
Huge if true. Huge if true. Huge if true.
Damn.
I think that last one, UK policing riddled with Chinese CCTV cameras,
that's kind of like bleeding obvious, right?
We spent the last 20 years buying stuff from China.
Yeah.
And then saying, oh, no, we shouldn't have done that.
So, of course they are.
Yeah. So, I'm looking at this story about the LockBit ransomware group, who published a log of conversations between the Royal Mail negotiator and... so the group actually demanded 65.7 million pounds to safely return the company's stolen data.
Is this the one that stopped all their international
freight? It's still
running.
Well, apparently so, yeah. If you don't pay, we'll publish
the files and share this data too.
I think
publish and be damned, which is
obviously what happened.
Because they didn't pay it, did they?
No, they haven't.
Yeah
Geez
I don't know where that's going
I think that would be a
Candidate for a Billy Big Balls
Because I must admit I'm not a fan of Royal Mail
I think they
They're all over the place.
But I think this is a good big move by them.
Definitely.
Microsoft patches three zero-day bugs this month.
News of the bleeding obvious.
Yeah, do you know what?
I'll be honest.
Some of the headlines sound exciting,
but the stories behind them are not.
Are we getting jaded in our old age here?
Well, Spanish police bust 5 million euro phishing gang.
I'm sure there's some sort of, you know,
no one expects a Spanish Inquisition or something.
Yeah, it's like the Mortal Kombat variant.
And the opening sentence of the actual article is like,
you know, I know there are words in there and some of those words I understand.
But, you know, it says,
a new financial fraud campaign has been spotted
using a variant of the Xorist commodity ransomware, Mortal Kombat,
together with a variant of the Laplas Clipper malware.
It's just variants on variants.
Do you know what it's like?
Do you remember Coronavirus when they started getting into
the Gamma variants and shit like that?
It's all the virus, right?
No one cares about these different...
Yeah, do you know what?
That is very true.
It is very true, isn't it?
And I think this is part of the InfoSec thing,
is we love the details,
and we love telling people the details.
Nobody else is interested in the details.
Oh, there's a slight variant.
Yeah.
I don't care.
Get me my data back.
And not one story about shooting down balloons either.
No.
Which apparently has nothing to do with the Chinese government. So bizarre, that one. Although the thing that really got me about that was the balloons are so big. The thing that's hanging underneath it is the size of a car.
Yeah, it is packed with stuff. The size and weight of a car, it's packed with stuff.
I'm not surprised they shot it down because who knows what's in there?
Yeah, probably shopping from Asda.
Cost of fuel.
It's no wonder that they're using balloons to travel.
There's some scallies in an Asda car park just pissing themselves
at how few helium balloons
it took to lift it up.
It's a new TikTok challenge, how to steal a car without...
Oh, dear.
What else have we got here?
Oh, compensation.
So I wonder how many people there are in this.
Because $115 million sounds like a lot.
It sounds like there has to be at least
500 million people in there.
There's 40,000.
That's not too bad. I'll tell you what that is. So go get your calculator out.
Oh, how many zeros is, uh, 115 million? Hang on. One, one, five.
It's about two grand each. Divided by 40.
Oh, nearly three grand.
Oh, that's decent.
Depends how much money they lost in the first place.
Two, eight, seven, five.
Details.
We're not interested in details, Andy.
It's not two, eight, seven, five. It's nearly three grand.
The better part of three grand.
Yeah.
There was another one that someone posted on Twitter a week or so ago, and I can't remember which breach it was. Might have been the Equifax or something like that. But they said, oh, here's my compensation. Oh yes, after three years, I'm owed by Equifax, for opening me up to a lifetime of identity theft, $19.30.
Wow
Damn that's a lot
It's ridiculous isn't it
I shall post this into the show notes
Yeah do
$19 Jesus
Yeah but you've got to look at the reality of like
stuff behind that is
I don't know.
Is your data really worth more than that?
I'm not being facetious.
That data's out there, right?
Your data's gone from so many breaches,
particularly in the US where social security numbers
are a unique identifier that doesn't change.
Well, it's the same as the national insurance number, right?
Yeah, but we don't use it for identity checking purposes, whereas in the US they will use our SSN for almost everything.
I did not realise that. I thought the National Insurance number was probably... that was the one thing. Because, you know, I remember back in the day, you're getting it in a card. Yeah, you get your card at 16, or three months before your 16th birthday.
Yeah, exactly. And that was it. That was your name, rank and number right there for the rest of your life.
And it was...
It is, but you don't log on to like Netflix and it says prove your identity by inserting
your social security number.
Do you know what I mean?
In the US, they use it like it's...
I'm not being funny.
Is that what they do in the US Netflix?
No, not Netflix.
No, but I'm just...
Oh, no.
Okay.
No, but so many sites will use SSN.
Okay.
No, fair enough.
Whereas for us, we would never consider using our national insurance unless you're getting
healthcare.
Yeah.
Yeah.
Or it's...
Or tax purposes.
Tax purposes.
Yeah.
I was just about to say.
But it's very limited as to where we publish that information.
Huh.
I think it's one of those things that I kind of knew,
but hearing it spelt out like that all in one sentence is quite illuminating.
Yeah, the story of your CISO life, isn't it?
It's everything you kind of know,
and then you wait for an engineer or professional to actually spell it out for you
Uh, yep. That's why you have a team with the most incompetent person at the top, promoted to the level of their incompetence. I hope you told your new, um, rookie mentee this.
Oh yeah, definitely. Yeah, so like, if you're incompetent, you'd be promoted to the top
where you can burn out, get substance dependency,
and nearly kill yourself.
Yeah, yeah, exactly.
You even fail at doing that.
Yeah.
On which happy note, that was this week's...
Industry News.
You're listening to the award-winning Host Unknown podcast.
It's better than tinnitus.
Okay, let's take that ringing in our ears
and hand over to you, Andy, to take us home with this week's...
Tweet of the Week.
And we always play that one twice.
And I shall take us home with this week's Tweet of the Week, which is from Errata Rob on Twitter. It's going to be a dig at the CISSP, as more and more people seem to be doing. And to Jav's point, I think a few weeks back we were saying that, you know, you can't make head nor tail of some of their communications, but they're very clear about when your AMFs are due. I'm pretty sure I actually got the reminder emailed two days in a row. So I got it saying, you know, your AMFs are due in, like, 400 days' time, and then the very next day it was like, just to remind you that your AMFs are due. And yeah, it's one of these things. It's like, can I really be asked to complete the CPEs and maintain it? But I will renew it, even though I agree with some of the negative stuff that is said about it. So anyway, to the point. Errata Rob says: I don't have a CISSP, mostly because I'd be too embarrassed.
To pass the test, you have to claim things that are false.
For example, from this official study guide, the entire page is complete nonsense.
None of it's true.
And then he goes on to say, InfoSec is stuck between practitioners with too little understanding of theory and academics with too little understanding of practice.
It's full of hackers in the middle with extreme talent,
but only in their narrow interest, not the entire field.
It could have been describing me and Jav there.
It could, absolutely.
You're both CISSPs as well.
I'm a practitioner and he's an academic.
Wow.
But I think it's actually a fair point from Rob on this one.
I think so.
But I think the problem with something like the CISSP is that it's almost like a race to the bottom.
It's the lowest common denominator of everything in order to be applicable
across the board. And a lot of the stuff is out of date and just not considered, you know...
Well, since Shon Harris passed away, the books have all gone to shit.
Shon Harris wasn't the official guide, though, was it?
I know, but she did provide a decent book. She was, like, the best resource. Even a video, she'd done a whole series of them on YouTube.
Oh, that's right. Yeah, they're really, really good.
Yeah, I don't know. Maybe it's time that Host Unknown distances itself from the CISSP course... ISC2 would like to pay for a new video?
I tell you what, I tell you what,
what we do, we set up our own certification.
The AMFs will be $1 a year.
Oh, come on, it'll cost us more to,
I know we like making losses
whenever we publish stuff,
but whenever we get out of bed.
Yeah, let's not dig ourselves deeper
Five dollars a year. Ten. Ten dollars. Everybody can afford ten dollars.
Okay, ten dollars. Ten dollars if you pay in advance, or else one dollar a month.
Yes, yes, excellent. You've got to have that incentive. You know, where you go through the options and it's like $12 a year, or only $10 if you pay annually in advance.
And then highlight it saying most popular option.
Yes.
Oh, dear.
Okay, and how are we going to – okay, all we've got at the moment
is the money grab side of things.
And then basically you get...
What's the content?
You get emailed a link to a podcast every week.
Wow, you say that.
You know, it's like all you do is you provide a basic course
that people do and they self-certify.
Yeah, you don't need to proctor the exam or anything.
But they do that. So it's like you put out good material or whatever, you gather it, collate it and put it out there. People revise it and they say, okay, I've read this basic level of things, so I understand risk management, I understand the CIA triad, I understand a bit about networking and what have you. Pretty much, even if people just read a good bit of content, they would be at the same level as people who have studied for the CISSP from a practical perspective, because we'll take out all that shit about what kind of fire extinguisher you need to tackle it, you know, or what sort of, like, you know...
God, I hope I'm never standing next to you when a data centre goes up in flames.
In the, uh, data centre? Yeah, what are you doing with a data centre? There's this thing called the cloud now. We don't have to worry about that kind of shit.
Yeah, but...
God, all right, Granddad.
Any data centre. People do that.
At the end, they get... And as long as you call it similar enough to...
The acronyms are similar enough to the CISSP,
but not too similar that we get copyright infringement.
The HUSP, the Host Unknown.
Oh.
Certified Security Standards.
That'll be the HUCSP.
No, so that's the thing, because we're foreign, isn't it? We pronounce the first C as an S. So if we put, you know, like how the French spell garçon, with the little squiggle underneath it, so you pronounce it as an S.
There you go. We'd be so cosmopolitan in the world of English.
I know. We'd be aspirational. A certification for everyone, isn't it?
Is it a cedilla?
Is that the thing?
It very well could be.
It's the five without the top of the five, isn't it?
Yeah.
Yeah.
I think we're onto something, guys.
I think we are.
The hiss.
No, huss.
I can't remember now.
Whatever.
The hussy.
Are you a hussy?
Boom.
Boom. I'm with the hussies.
There we go. I think we're right. And, uh, yeah.
Right, I was going to design the logo.
Oh, leave it to me. Outsource something to Fiverr.
Oh, okay.
No, let Jav outsource something to Fiverr. Yeah, exactly.
Oh, dear.
Very good.
And Mr. The Errata Rob,
thank you for the inspiration. We'll cut you in with a little bit of...
Finders fee.
He can be an honorary HUS.
He can.
We can induct people as honorary members.
And we'll pay them with exposure.
Yes.
So, Andy, if you could expose yourself to them every now and then.
Well, see, whether these people want it or not,
we will still publish them on our website as our major inductees.
Permission.
Who needs that?
Especially the Americans.
Their pictures are out there anyway, right?
They've got no rights.
And we'll know,
actually, no, what we'll do is we will anonymise it
and it won't be known by their name. They'll be known
by their social security number.
Indeed. Boom.
Tweet of the week.
Well, I think we made that one
work. I think it worked perfectly fine because I don't hear an echo,
but you and everyone else is listening to me well.
Oh, dear.
Anyway, excellent.
Gentlemen, thank you so much.
We made it to the end without tripping over ourselves too much.
Jav, thank you, sir.
You're welcome.
And Andy, thank you very much.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
r slash Smashing Security.
Well, it wasn't as bad as pulling teeth.
It's about a root canal level today.
Root canal.
Oh, we'll smooth that over in the edit. It's fine.
Yeah, fix it in post.
Fix it. Yeah, exactly. Nobody will know. Nobody will know.