The Host Unknown Podcast - Episode 142 - The Back in Safe Hands Episode
Episode Date: March 3, 2023

The one and only Andy (13:10)
With content liberated from the “today in infosec” twitter account and further afield

2nd March 2013: Evernote announced that it had reset 50 million users' passwords after hackers accessed users' email addresses and hashed passwords.
https://twitter.com/todayininfosec/status/1631302952395710467

1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy.
Ping Pong Virus
https://twitter.com/todayininfosec/status/1630965727128612864

Rant of the Week (19:18)
News Corp outfoxed by IT intruders for years

The miscreants who infiltrated News Corporation's corporate IT network spent two years in the media monolith's system before being detected early last year.

The super-corp, which owns The Wall Street Journal, New York Post, UK publications including The Sunday Times, and a broad array of other entities around the world, first reported the intrusion in February 2022, saying the snoops got into email accounts and gained access to employees' data and business documents.

A year later, according to a four-page letter sent to employees, News Corp executives said the unidentified cybercriminals likely first gained access to a company system as early as February 2020, and then got into "certain business documents and emails from a limited number of its personnel's accounts in the affected system."

Both News Corp and Mandiant – the now-Google-owned cybersecurity house brought in to investigate the intrusion – said the attackers likely were nation-state players linked to China with the aim of gathering intelligence.
Billy Big Balls of the Week (28:16)
Salesforce banks savings by sweating tech infrastructure for an extra year

CRM giant Salesforce has decided to sweat its infrastructure for an extra year, and make employees wait the same period before giving them new PCs.

News of the company's decision to live with old tech came in the SaaS supremo's Q4 2023 earnings call, during which CFO Amy Weaver told investors "Our guidance includes slightly under one-half points of benefit due to a depreciation change to the useful life of certain equipment by one year effective February 1st. For our infrastructure-related equipment, this changed the useful life from approximately four to five years. And for IT employee equipment, this changed from approximately three to four years."

Salesforce is not the only tech giant to have decided its hardware can last longer: Microsoft last year extended the life of some servers to six years, while Google has stretched the life of servers to four years and is happy running some five year old networking kit.

Salesforce's operations aren't as extensive as the hyperscalers, but this is still bad news for the hardware industry. It shows a major player is entirely happy running mission-critical workloads on older kit for longer without the usual upgrade cycle.

Industry News (36:35)
Keylogger on Employee Home PC Led to LastPass 2022 Breach
US Gov. Agencies Have 30 Days to Remove TikTok, Canada Follows Suit
Attacker Breakout Time Drops to Just 84 Minutes
Google Workspace Adds Client-Side Encryption to Gmail and Calendar
ICO Calls for Review into Private Message Use by Ministers
Russian Government Bans Foreign Messaging Apps
WH Smith Discloses Cyber-Attack, Company Data Theft
White House Launches National Cybersecurity Strategy
API Security Flaw Found in Booking.com Allowed Full Account Takeover
BBC Tik tok https://www.bbc.co.uk/news/technology-64797355

Tweet of the Week ( https://twitter.com/mtanji/status/1631314289397997572

Come on! Like and bloody well subscribe!
Transcript
We had complaints about last week's podcast and the production quality.
Jav, what did you do to the podcast?
Andy, yes, what did you do?
I delegated it to you.
Hang on, Jav, you said you were going to do it.
You said you were going to do it.
It's literally in the recording, Jav.
You said that you would take care of it.
So there I was, Friday night, about to take the dog for a walk,
open up my podcast app.
Oh, that's interesting.
There's nothing new here.
So it was both of you who did this.
When Steve Jobs, rest in peace, used to get up on stage and say,
oh, this is what I'm going to do, it wasn't him that was going to do it.
He was going to get his team to do it.
That's what good leaders do.
They delegate.
And my team let me down.
But being a good leader I am, I'm not going to throw anyone under the bus.
Andy.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome, one and all, dear listener, to episode 142 of the Host Unknown podcast.
Welcome, welcome, welcome. Yes, we had complaints last week.
I've got the email here. I say I've got the email here.
I've got the email in my email box somewhere
that I'm frantically clicking through to find.
But, yeah, we had a complaint last week that the sound wasn't good.
So who was that?
Who did it?
Who actually did it?
So because no one else had done it.
Hey, listen, listen.
Wait, wait, wait, wait, Andy.
As leader, I take full responsibility.
Yes, I am leader, and I'm glad you take full responsibility. However, Jav, I'm not going to
fire you. I'm going to let you turn this into a positive learning experience, and hopefully in
the future you can learn from this.
Thank you, Lord Sugar, for the opportunity. I won't let you down again.
Andre wrote into us, actually wrote into us and said,
in the latest episode, 141,
there seems to be some sound issue with the jingles.
Inconsistent volume level,
or that the bit rate somehow differs from the previous episode.
What the hell happened?
What did you use?
I'll be honest, I updated it because I was left to do it. Because, remember, Jav actually said,
oh, I don't even know how to log into it. So there I log into the porcelain, javad.malik,
like using his account, because, you know, I don't have one, and he claims he's never logged into it.
And, yeah, I'll be honest, I updated Descript right before I
did it, which is always a bad idea. Yeah. And it's a completely different, like, since the last time
I did publish it, it was probably only last month I published a podcast, and, yeah, it's a
completely different interface. Yeah. So actually it's Descript's fault. Yes. Well, no, I will accept: what was published
wasn't the final copy. What I exported was not what I had on my Descript. There was an edit
after that. So, yeah, Jav takes full responsibility, and then we're done. Okay, good. Yeah.
Good.
So, Jav, apart from fucking up the podcast last week,
how was your week?
So this week was a week of doctor's appointments.
I had a blood drawn.
I had a very uncomfortable conversation at what they call a diabetic clinic.
And then I spent...
Oh, I thought you were going to say proctologists.
And then I had, like,
half an hour lying down in one of those MRI machines. So that was my week. Bloody hell. What was,
was that just a standard checkup? Or? No, no, there's a few things falling apart, so just trying
to see whether it's something going wrong inside or whether it's all in my head. You're
not gonna, like, try and claim some type of disability
and we need to make allowances for you on the podcast, right?
Yeah, but we might get paid money by the government
to have him on the show.
Yeah, but, you know, if you have a blue badge,
you don't pay any road tax and you're exempt from congestion charging.
It all makes sense now.
I didn't know you didn't pay road tax
if you had a blue badge. Well, if the car's registered as yours, and, like, yeah. Yeah, well,
yeah, nonetheless. Very good, very good. Well, not very good. I'm sorry to hear about your
ailments, Jav. I do hope the bone doctors get everything put together,
back together.
Oh, thank you.
I know.
Just hanging out with you two on a weekly basis on this podcast
is stressful enough.
It's aged me horribly.
No, I think there might be other things that are aging you horribly,
probably the age of the people you're hanging out with.
But, Andy, what about you?
How was your week? It's been a busy week for me. Do you know what? Yesterday I had a complete
nightmare when I got into the office. I'd left my badge at home, my access card, for the first time
since I joined the company. So I thought, no problem, went up to, like, the building reception, said, hey,
like, you know, I just need a visitor pass.
I can deal with it.
Once I get upstairs, I can get myself into the office.
And the guy was like, which company do you work for?
So I said, OK.
He said, yeah, we can't let anyone up until their phones come on at 9 o'clock.
And I was like, what?
And he said, unless you're on a list, you can't get access to the floor.
And I'm like, I work there.
And he's like, well, without a badge, you can't prove that, can you?
I was like, smart ass.
Good man.
Good lad.
So I took out my phone.
He wasn't just correct.
He was technically correct.
He was.
And I opened up Teams on my phone, tried to find.
And at that point, my colleague literally sent me a text saying,
I overslept.
I'm not coming into the office this morning.
And I was like, mother.
And then I was going through Teams to find out who was in the office.
And it turns out my boss was in a meeting already, but actually physically face-to-face.
So she wasn't looking at Teams.
Her EA was at yoga on a Thursday morning.
Who knew?
You know, because the boss always has a meeting at that time.
So she stays out.
And then, yeah, pure chance,
one of the IT service desk guys walked past on his way to the showers
because he just had a runny head.
I was like, Paul, can I borrow your badge?
And he was like, no.
I was like, come on, man.
Is this a trick?
Yeah, exactly.
I was like, just buzz me in, right?
And he's like, no.
And then building security is like looking at me.
I was like, can you at least vouch for me that I work here?
And he's like, yeah, yeah, he works here.
As far as I know, up until yesterday, he worked here.
But you need to confirm with HR.
Yeah, but anyway, that just got me to my floor, right? And then we've got those sort of capsule
doors, anti-tailgate, so you can't get more than one person through. So I was standing outside
like a lemon, waiting for reception to turn up. And it wasn't... You pretend to be on your phone?
Well, no, I was deliberately trying to look through the door, trying to catch someone's attention as they walked past. But we had a temporary receptionist, a cover receptionist, who sort of looked at me,
and she was like signalling that they don't open till nine. And I'm like, I know, I work here.
And then she came out and I was like, look, I left my badge here. She goes, oh, okay, yeah. Any ID on you? Yeah. I was like, I don't think.
But, yeah, good to see that these controls do work.
I was going to say, you've got any ID on you?
Yeah, I've got my access badge here.
Ah, bollocks.
I've got it.
Yeah, that would have been.
But, you know, it's good.
Like I said, I've worked at places before,
and it was quite normal in the UK, at least.
I know in the US, they're very, yeah, not just waved in.
People hold the door for you and just say, you can literally say to them,
oh, sorry, I left my badge at home.
And they're like, oh, that's all right.
But yeah, and then I'll tell you, it goes one step further.
So the office I work in has another lock on it,
which only certain cards can open, one of which my card is.
So I got to that. There
was one person there already in the corner, and I knocked on the door. I'd never met him before in
my life. I've been there like seven months, eight months. I've never met him before. He's been at the
company 10 years. He's never seen me. We've never had any meetings together. So it was like,
can I help you? I was like, yeah, I work here. And he's like, where? And I'm like,
over there. And, yeah, he's like, what's your name? He's like, no, I don't know you. I was like, I can
tell you there are four empty glass bottles of Voss water on that desk.
I would not know that unless I sat there, unless I'd managed to get in yesterday using the same methods. Yeah, yeah. Oh, wow. But yeah.
He could have looked you up on the... Do you know what? And this is something I said.
So I had a new starter this week as well, and I said to her, please put a picture on your profile,
because it is the one thing I still have not yet done, because all of my headshots, and
this is a big problem, all my headshots are of me with hair. And so I said, I'm gonna get, you know, I'm gonna
update my photos. I've just not got around to doing a good one yet. I want a professional one.
You sent a good one to us this morning. Yeah, but I was naked in that, and that's not professional.
Hey, well, it is professional,
just not in your profession.
Yeah.
Well,
I mean,
if you're in a different profession,
it would be perfectly professional.
Obviously that's the one that I use my only fans account,
but I don't want people,
you know,
reverse image searching that and,
you know,
tying that to my,
my spicy content.
So,
uh,
yeah,
something with a shirt and tie.
I'll bring my camera with me one day when we meet up in London and we'll get it done. Yeah, that'd be superb. So yeah, that was my
week. It was kind of like, you know, I'm half impressed that controls were working. And it's not,
do you know, because all the different areas, like reception, building security, office, it was, I was
actually kind of impressed, but also
at the time incredibly frustrated that I'd left my cards at home. Yeah. And you didn't have your
photo on the internal? No. That's, I'll admit, okay, mea culpa. After seven, eight months I should have,
yeah, probably addressed that. Should probably be done. Probably, yeah. That's... How's your week, anyway?
Yeah, very good, very good. As you saw, what was it, on Monday night I decided, I had a
spare iPhone SE with a broken screen. I thought, I know, I'll fix that now, because I had a
replacement screen. So I decided to do that on Tuesday night, got halfway through it,
realised I was missing a bit.
That arrived last night.
I fitted it all back together and then it promptly overheated and died.
So I now have a lovely paperweight,
which is a little bit disappointing, I have to say,
because I thought I'd done quite a good job on it,
if I might say so myself.
But, yeah, so that was outside of work and in work.
It's, yeah, well, busy as always, I guess you could say,
but only a couple of nights up in London, which was nice.
And, yeah, and I also did...
You've nailed some points there, surely? I know, I know, I know. Leaving them on the table, that's not good.
And I did a webinar yesterday for TEISS, the European Information Security...
Ah, yeah. Something... I saw you at their conference last week, didn't they? Yeah, that's right, yeah. We
were there, that's right. So now I'm doing a TEISS talk every Thursday
for them, which is good fun. Yesterday morning I had a lovely breakfast briefing with the
London Markets Forum in the Ivy in the City, which was lovely. So, yeah, getting back into that see-saw,
into that see-saw lifestyle. Well, you could have at least given me a call, because I was
actually in the City yesterday morning, outside the office waiting to get in, so I could have come across for a breakfast briefing.
Yeah, but they wouldn't have let you in. Your name wasn't on the list.
Right, talking of lists, shall we see what we've got coming up for you today?
This Week in InfoSec talks Ping Pong.
Rant of the week has a question about dwell time.
Billy Big Balls is a bold move for Salesforce.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week is the foundations for our industry.
So let's move on to our definitively favourite part of the show, the part of the show that
we like to call This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the today in InfoSec Twitter account.
And we shall burn through it this week because I am very conscious that we are exceeding well over time due to a late start this morning.
Thanks, Jeff. Our first story takes us back a mere 10 years to the 2nd of March 2013, when Evernote announced that they had reset 50 million users passwords after hackers had accessed users email addresses and hashed passwords.
So with this, they actually provide on the security notice actually said, you know, don't worry about it.
We just detected some suspicious activity.
It's a coordinated attempt to access secure areas of Evernote.
But as a precaution to your data, we have reset your passwords.
However, you know, although we're taking this extra precaution, there's no evidence of payment information or any Evernote premium or Evernote business customers data was accessed.
And all the passwords are hashed and salted. But we are just going to reset your passwords for the sake of it.
Which good practice. Who knows? Do we really know what happened at that time?
I think this is pre-disclosure laws. So, you know, it could be one of those things they got away with.
They were an interesting business because also they were one of the first ones that said,
oh, and by the way, the people in our company can read all your stuff.
Yeah.
How do you like them apples?
Or 50 million.
I mean, 50 million.
I didn't realize they had that many users back in 2013.
It was, you know, widely used.
Or that many accounts, yeah.
Yeah, quite how many were in use and or being paid for.
But yeah, I moved off onto OneNote as a result of that, I have to say.
Ah, interesting.
So there's an example of when an actual instant made you switch providers.
Well, it was the fact that they could...
Oh, read your data.
Yeah, read your data.
As opposed to Google and Gmail,
who only read it for advertising purposes
and not just for the sake of it.
Exactly, which is why I don't have Google and Gmail.
But also, nowadays, I'm not sure I'd be quite so principled
because it was such a pain in the arse to move everything.
Yeah, exactly.
It's funny how quickly principles go out the window for convenience, isn't it?
Yeah, exactly.
He says from his Apple ecosystem.
Our second story takes us back a mere 35 years
to the year I was born on March 1st, 1988.
The MS-DOS boot sector virus ping pong
was discovered at the Politecnico di Torino,
which I believe is just the Italian word
of Turin Polytechnic University in Italy.
Turin Poly.
Yeah, exactly.
In it, bruv.
Yeah, so computers could be contaminated,
obviously, with an infected
diskette, which showed up as a 1K bad cluster. So it was obviously the last one on the disc,
and soon to be labelled as a bad cluster. MS-DOS would avoid overwriting it, and then it could
just infect discs on every active drive and even infect non-bootable partitions in the hard drive.
We need Graham
Cluley for this part, because this is his bread and butter. It is probably, this is probably
about that, you know, as he was coming to the twilight of his career, wasn't it, in 88? Yeah, as
he was approaching retirement. So it's probably one he knows a lot of detail on. So he was going
out on a high. Bread and butter when he used to work for Alan Sugar. No, Solomon, one or the other.
Bread and butter.
It's like, how can someone have done something so long ago
and ridden that wave for, like, so long?
And still be alive today.
Yeah, exactly.
Oh, Graham, friend of the show, you know we love you.
Well, actually, speak for yourself.
As far as I know, you two have been invited on this podcast recently,
and Tom, you, many times.
And I'm still waiting for my invite, Graham.
So if you want these cusses to stop, you know what to do.
You work for a vendor, Geoff.
Yeah, you work for a vendor.
That's exactly it.
You have to pay to get on.
Pay to play.
It's as simple as that.
Oh, I thought it was just a race thing, but okay.
So it's also...
You heard it here first.
Smurfing security is racist.
Okay, well, okay, you carry on.
I'm going to do some research.
You're going to look at a list of guests, aren't you,
and then Matt will do a whole list.
He's going to have a spreadsheet with white, brown, black.
This is like, I'm not even going to say it, but, you know.
Oh, dear. Oh, dear. Oh dear
Lawsuit impending for either you
Or Graham
One way or the other
No lawsuits needed
All we need is like the Twitter army
Or like the Mastodon army
To get out their pitchforks
And cancel Graham
I think that's all we need
Unless we reach some sort of agreement, Mr. Cluley.
The agreement is simple. You pay
money, you get on the podcast.
Okay.
This Week in InfoSec.
This is the award-winning
Host Unknown podcast.
Guaranteed to be a solid 5 out of ten at least once a month.
Or twice your money back.
And you can take that to the bank.
Right, time now for...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Now, far be it from me to victim blame, because it's just not something I do on a regular basis.
But News Corp, our favourite, in fact, the world's favourite media organisation, News Corp.
It's owned by that Australian chappy. What's his name?
Murdoch. That's him. Owned by Murdoch.
And they own such things as The Wall Street Journal, New York Post, even The Sunday Times.
A whole bunch of, a whole bunch of, and they own Sky as well, don't they? And stuff like that.
So News Corp were actually attacked and breached by intruders,
cyber intruders.
And the miscreants who infiltrated News Corporation's corporate IT networks spent two years in the company's systems before being detected.
That is a long time.
When they talk about...
Yeah, go ahead, sorry.
I was going to say, given that six months is considered a long time
or is considered an unsurprising amount of time,
but four times that amount is huge, right?
Absolutely. Yeah, it is a huge amount.
And I was going to say,
considering the industry that they're in as well,
you'd think that they were quite targeted.
Well, that's where I was going.
This isn't somebody who manufactures widgets
or brews beer or whatever.
This is a company that, by all accounts,
likes to stir it up somewhat, you know,
and likes to support really questionable people
and has some very questionable business activities
and all that sort of thing.
So you'd think they would be on their A game on this.
And, you know, any company that's attacked is, you know, the standard position
should be that actually let's not blame them, let's blame the attackers here. I can't help
but feel a little bit of, you know, a little bit of slight joy, of happiness, maybe even a little bit of
we came out about the fact that they've been attacked quite so
dramatically, and for so long.
So this two years is about as long
as they were in
deceased people's voicemails,
isn't it?
Oh, roughly, yeah.
Yeah, and actually longer than the average lifespan of a CISO, isn't it?
Yeah, yeah, exactly. Well, maybe they got through two or three in that time. Who knows, who knows. But
you know what, that voicemail thing, that's why there's a little spark of joy here, because they're on their watch
and consistently there were some particularly poor
journalistic activities carried out
in the interest of finding the story.
Literally giving hope to the parents of missing children
that they were still alive
because their voicemail had been accessed.
Absolutely appalling, appalling stuff.
And they first reported this intrusion,
not into the voicemails, into their systems, I mean,
they first reported the intrusion in February 2022,
saying that the Snips got into the email accounts and gained access to employees data and business documents.
Unidentified cyber criminals first gained access to a company system as early as February 2020 and then got into certain business documents and emails from a limited number of
personnel's accounts in the infected systems. Now, if a year after they reported that first
intrusion, they are then saying, oh, and then they got in two years before.
There's a there's a problem here about, you know, levels of disclosure, I think, and when they should have disclosed that things had happened and, you know, all that sort of stuff.
But there is one good piece of news.
The world famous, and, well, they seem to be everywhere all the time all at once, Mandiant are now
on the case. I can't bloody move without hearing about Mandiant, I tell you. They are,
sure, I think people are going to mistake, what actually, people are mistaking, like, Mandiant the
company for it just being a phrase about incident response. Do you know, I'm gonna imagine,
just like you Google something. I think you're right. Do you
know what, Mandiant is going to enter into the vernacular. I think you're absolutely right.
This is, I think this has become the, you can't get fired for using IBM. This is like the,
we take security so seriously, we've got Mandiant. We hired Mandiant.
Oh, they've got Mandiant.
Okay, that's all right then.
They're going to really get to the bottom of this all because everyone else is not up to the job.
Yeah, yeah.
It does seem like that.
If you can get someone like Mandiant, I think part of it actually,
Mandiant are also willing to attest that once they've looked at your systems,
in their opinion, they're clear.
Your systems are clean.
Not many other companies will do that, and I think that's part of it.
They also want to drop a lot of black box stuff, apparently.
Well, this is a few years ago.
Someone was telling me that they wanted to put a black box in their network
to get that validation and everything.
They were like, no, we're not going to do that.
We're a government entity.
Yeah, you ain't going to be allowed that.
But anyway, Mandiant said that the attackers were likely
nation state players linked to China.
China!
So as Kevin Mandiant once said, it's China.
So anyway.
Well, don't anyway anyway, because you've gone through this whole rant
quite actually, you know, without raising your voice. I don't know how your blood pressure's doing, but,
you know, gleefully, you know, talking about how News Corp deserved it. And, you know, this goes
beyond victim blaming. You are relishing the fact that someone got breached, and someone who accessed
dead people's voicemails. Yeah, someone who deserves to get breached. I mean, the thing is, what could you
do with the information they have at News Corp anyway, right? Let's just be honest here. Like,
the contents they publish at Fox, News of the World, those sort of places, right? How, like, okay, say you
hacked into them, what are you going
to do? Change stories to be outrageous? How could you tell the difference between every day? You
know, make outlandishly unfactually accurate statements. So again, no one would be
able to tell the difference between a day. This is probably how they survived for so long. All I'm saying is, do not let your enemy become your teacher. Just because they're bad people and
they had... All right, son, Sue, calm down. Just because they hacked into things without permission, it
doesn't mean we should adopt that philosophy and say, we're happy that someone hacked into them.
It's like the doctor's Hippocratic oath or what have you.
You know, someone could be a bad person, a bank robber is brought to them, but with a gunshot wound, they have to put their feelings aside and fix them.
And I think as security professionals, it's a very slippery slope when you start taking matters into your own hand,
becoming judge, jury and executioner and say, well, oh, they got breached, oh, that's good, because I didn't like that
company anyway. And I think you should be ashamed of yourself, Tom. That's an incredible sum-up of
the previous five to ten minutes. And we're glad to see that you're in support of people who, in your own words,
access dead people's voicemails.
...of the Week.
We don't research the story, but let us tell you what we think based on the headline.
You're listening to insights from the award-winning Host Unknown podcast.
Right, let's have the reverses rolled, or is it the other way around? I can't remember.
And let's go to Jav and this week's...
So before I get into the story, this story reminds me of something I heard about many
years ago. I was probably in university or something, where there was a matchbox manufacturer.
Like, they make boxes of matches. That's what a matchbox manufacturer is, for those that didn't
get it. Well, they make boxes for matches, not necessarily the matches
themselves. Well, they make the whole thing. They make the matches, they pack them into match
boxes and what have you. And a consultant came up to them and said, you know, I could save you, like,
30 in costs. And they were like, really? They're like, yeah. And he's like, yeah, but I want
a percentage for whatever. Anyway,
his solution was,
you know,
you got the strips on either side of the match box,
would you strike the match against?
Yeah.
He goes,
just put it on one side.
Don't put it on the other side.
Because there's enough on one side to use all the matches in the box.
And,
you know,
that is an expensive part of the process.
So is this a true story? Is this like
one of these urban myths that goes around? But yeah, I've heard, you know, another one along that line,
of that, you know, I can double your revenue, like, increase your sales by 30 percent. I want to
potentially go... And it's like, for toothpaste, just make the hole two millimetres wider,
and so people use more toothpaste. So okay, so these probably are urban
myths, but someone at Salesforce heard these and they've implemented
it for real. For real. So this is, or in 15 years, are we going to be saying there is a story, yes, about Salesforce, yeah, who thought they will get some massive
savings by treating their tech infrastructure the way that Nike treats Bangladeshi kids.
they are going to sweat them for an extra year.
We're going to say allegedly here.
I'm not sure quite how true this is.
And that's Nike with a Y.
Yes.
Yeah, yeah, yeah.
Yeah.
Nike.
Yes. But if Nike, the trainer company, wants to sponsor us.
And redress the balance.
Yes. So, yeah. Anyway, Salesforce has decided to sweat its infrastructure for an extra year, and make, and this is the hard sell,
employees wait the same period before giving them a new pc
wow so so if you imagine like companies what they normally have a three, four year cycle.
Three years, I think, isn't it?
Three years on laptops or desktop. And imagine now you have to wait four years.
You're going to feel so, you know, so like living in the stone age.
I tell you who wouldn't have to wait four years.
Who?
All the senior executives. Yeah, well, you know, so this was
announced at the Q4 23 earnings call, during which their CFO, had to be a CFO, had to
be a bean counter, it's always the bean counters, right? Yeah. Told investors, our guidance includes slightly under one-half points of benefit due to a depreciation change to the useful life of certain equipment by one year, effective February 1st.
For our infrastructure-related equipment, this changed the useful life from approximately four to five years.
And for IT employee equipment, this changed from three to
four years. It seems like such a long time for a laptop. Yeah, yeah. I'm fed up with the laptop I got
last year. They're not the only ones. Microsoft last year extended the life of some of their servers to
six years, and Google has stretched the life of servers to four years and is happy running some five-year-old networking kit.
I'm less concerned about that stuff.
Yeah, but I think Google have always used unbranded stuff.
They've always kind of come into it as long as it's cheap to run.
They're okay because they've got so much of it.
It's not sort of where they can afford
for, you know, big chunks of it to go down and die.
They've done a different cost-benefit analysis
of, you know, we can buy 10 times as many
and then have five times more in stocks
for when they fail.
Yeah.
Whereas the likes of Microsoft,
and in fact, even Google,
it sounds like these assets are going to be there longer than employees, the way they're making.
Yeah, that's right. Yeah.
Well, we're going to see news reports, and there are going to be stacks of servers outside their offices, you know, with cardboard boxes and potted plants next to them.
Yeah.
So I think it's a bold move by Salesforce.
Again, something that might go down in future as like I heard the story.
I think one part of this
is which they probably haven't considered
is how will hardware manufacturers respond?
Because you know,
they ain't going to take this lying down
because all of a sudden their profit cycles
are getting stretched out for another year or two years.
So what are the odds that there's going to be more updates
or more components built to fail within three years
as opposed to four years?
Extra read rights on the drives.
Yes, yes.
I'm not saying that's what they'll do. Tax, you know. Yes, yes. But I used to work for a company that did sweat its assets, because it had gone through a bit of a downturn, and the pressure on the IT team was insane. Yeah. Every day somebody's laptop had broken.
We didn't have replacements.
We didn't have replacement parts.
We weren't allowed to order any parts.
We literally, there was a scrapyard of laptops
where we would pull a screen off one
or a motherboard off another.
And it was horrendous.
And you get a new joiner
who's all excited to join his company
and say either
I've got this piece of junk here
don't mind the duct tape and the chewing gum on it
or we haven't got a computer for you
you're just going to have to wait
until next week when so and so leaves
And it's dreadful. You know, that's hopefully not where Salesforce or anyone else will be, but that's the natural sort of end point, right?
No, I don't think that's the natural. I think what's going to happen is you just have people, and you know what, a lot of departments don't need high-spec, high-functioning machines for a long time. They just need something that will run emails and PowerPoints and Excel sheets
and what have you. I think if something breaks,
they'll probably just replace it, you know, if it breaks or whatever.
So maybe after two or three years,
employees might be accidentally spilling coffee on their laptops or dropping
them downstairs. But I think outside of that,
they'll probably last for four years and you know,
some people just won't.
Fingers crossed.
Yeah.
Yeah, we had this situation where people were bringing their own stuff in.
This was way before bring your own device
was even a thing.
Just bringing their own laptops in and saying,
put Office on that.
I can't put Office on that.
I'm not licensed to, you know.
Yeah.
Yeah, but they were caught between a rock and a hard place.
You know, so.
What's the license?
Yes.
Precisely.
Anyway, excellent.
Thank you, Jab, for that little lesson in urban myth.
Billy Big Balls of the Week. People who prefer the Smashing Security podcast
over the Host Unknown podcast
are statistically more likely to enjoy
the Harry and Meghan documentaries.
Read into that what you will.
So isn't it about time we stop talking about Harry and Meghan?
Obviously not.
Speaking of time,
speaking of time,
it is that time
when we head over
to our news sources
over at the InfoSec PA Newswire,
who've been very busy
bringing us the latest
and greatest security news
from around the globe.
Thanks, Geoff.
Industry News.
Keylogger on employee home PC led to LastPass 2022 breach.
Industry News US government agencies have 30 days to remove TikTok. Canada follows suit.
Industry News
Attacker breakout time dropped to just 84 minutes. Industry News Google Workspace adds client-side encryption to Gmail and Calendar.
Industry News
ICO calls for review into private message use by ministers.
Industry News
Russian government bans foreign messaging apps.
Industry news.
WH Smith discloses
cyber attack
company data theft. Industry
news. White House
launches national cyber security strategy.
Industry news.
API security
flaw found in booking.com allowed full
account takeover
Industry News
And that was this week's
Industry News
Huge if true.
Huge.
Huge.
Yeah.
Andy, don't worry, I had your back. You missed your spot.
He did, didn't he? Do you know, I am stunned that you actually managed to get all the words out.
What, English being a foreign language for him?
Yeah, exactly.
Oh, wow.
Well, this is a really interesting story, Andy.
The keylogger on an employee home PC led to LastPass 2022 breach.
That is phenomenal.
Like, LastPass, what are you up to?
How did someone get it onto your home machine as well?
Exactly.
He clearly wasn't using LastPass on his home machine.
No.
Customer vault data from encrypted storage.
Yeah.
Stark reminder as to why, you know, remote working and BYOD
is increasingly blurring the lines between home and network.
More generally, Javad Malik, lead security awareness advocate at KnowBe4, said the incident is a persistent...
I wondered why you focused on this one. I've literally just got down to the part where you're quoted as a talking head.
Okay, I thought it was for other reasons. If I'm... So did I.
No, no, I just noticed. It was a complete surprise.
Oh, complete surprise, was it? Yeah.
What do you think about this, Tom?
Yeah, it's challenging, but the thing that really interested me is the WH Smiths. Who knew that they were still even in business? Like, no, there's a company that sells more things than it knows about.
Surely they should be out of business now.
They've got prime real estate at airports.
They charge, like, £3 for a, you know, 10p KitKat.
So their profit margin is huge. 10p KitKat?
Where are you buying your KitKats from?
Cash and carry.
Or is it just carry in your case?
Yeah.
Yeah.
It's also, like, you know, the Aldi alternative, so it's like Kit Cop or, you know, like Wait for Fingers. Yeah, Wait for Fingers.
Do you know, the Aldi and Lidl alternatives are pretty damn good, I have to say.
So you've heard, right? It's not that you ever shop there. Yeah. Oh God, no. Oh God.
Do you remember at the tice talk last week, with the panel that Quentin was on, and he was talking about, referring to Waitrose and M&S, you know, in front of a room full of people? It's like, Quentin, where are you?
You can tell he's a CISO on a proper exec wage.
Jeez.
Although he does also refer to Greggs as patisserie Gregoire.
Yes.
That's a good learning.
They don't have a Greggs, do they?
They've got an alternate.
Wenzels, I think he said, which is like a Greggs but it's a bit more upmarket. Yeah, so you need to go through Quentin's slides and say replace Waitrose with Aldi or Lidl, and then you'll be more a man of the people. Yeah, you know your audience. Brackets, be more relatable. Yeah.
Oh, dear me.
Russian government bans foreign messaging apps.
I'm surprised it's taken them that long.
That is honestly just rearranging deck chairs on the Titanic.
It is, isn't it?
It's the least of their worries.
Yeah.
Although, ironically, so many people use Telegram and, you know, other Russian apps elsewhere.
Yeah, I know. Telegram, jeez, come on, everybody knows not to use Telegram.
84 minutes to get into, to make an attack happen. That's quite scary. Yeah. Well, yeah.
I mean, if you think that's on News Corp,
that's, you know, 84 minutes to get in,
you know, two years to detection.
Yeah, yeah, yeah.
Sounds about right.
Sounds about right.
But honestly, what is it with everyone against TikTok?
I know.
It's such a political farce. See all of this stuff, so they're saying that China's focus historically has been on intellectual property theft, but there's indications that the Chinese Communist Party may look to information and influence operations in advance of its strategic goals, and they are referring to their ability to, they can use data to deliver targeted, timely psychological operations against individuals. This is like what, more jiggly breasts or something? It's going to be like wrestling content, they're going to send me more wrestling content.
Yeah, I don't get it. In the show notes I've added a link to a story on the BBC from a couple of days ago where they've got, like, TikTok answers three big cyber security fears about the app, and you know, there's actually, like, tests done by, like, Citizen Lab and the Georgia Institute of Technology, and both of them have stated TikTok collects similar amounts of data to other social media and mobile apps. There's nothing new, there's nothing extra they've done about it. Then there's the theoretical risk about the government doing that, and then it's like, oh, TikTok being used as a brainwashing tool or an influencer. And you know, if you want to talk about influencing tools, look at the US elections, and even Brexit, and how Twitter or Facebook were, you know, when, like, Zuckerberg was being questioned by some senators or something, they're like, how did you not know? Or like one of his people were being, how did you not know this was, um, you know, oh, we didn't have, you know. And they were like, you see a payment for an ad which is for a US election coming from Russia being paid in rubles and you did not have the data, yet you only need three data points to know exactly where I was yesterday and what I had for breakfast.
Yeah.
Yeah.
Let's not trace the money too much because then we might not make quite so
much money.
Yeah.
Yeah.
Unfairly,
unfairly targeted.
Yeah.
Yeah.
Yeah, I agree.
I agree.
And I'm not even a fan of TikTok.
And anyway, I get all the good stuff through you guys.
Yeah.
Curated.
Yeah, curated.
That's what I like to call it.
Private message use by ministers. I think they should rightly be concerned about this, because surely ministers, when carrying out ministerial duties for the UK government and the people who put them into power, should be using platforms that record what they're doing and what they're saying, right?
Platforms... then you've got something to hide.
Yeah, this all came about because of that journalist who ghost-wrote Matt Hancock's autobiography about, you know, going through the pandemic and his role in it. So Hancock made her sign an NDA and then gave her copies of all the WhatsApp conversations that he had, which is informal communications, and I heard they don't actually need to record it, it's all off the record. Yeah. So the pandemic diaries memoir that she wrote, and when she read it, they were like group chats with, like, other ministers and stuff where they're, you know, one saying they even discuss having to cull people's cats and dogs because they didn't know whether coronavirus could be spread, um, you know, between cancer. It's like, oh, you know, we're gonna have to, we've avoided the cat or data support, so you know, we don't have to carry out the cat cull and all this kind of stuff. But yeah, they sort of mocked people, like mocked colleagues in group chats and sort of, you know, took the piss out of people staying in pandemic hotels and all kinds of things like that. But it's all off the record, and had she not broken her, you know, non-disclosure, we would still be none the wiser this stuff happens.
Yeah. Okay, so what we're saying is... supposed to be beyond reproach. Yeah.
So what we're saying is let's not use a ghost writer to write the Host Unknown memoir.
Well, you know what?
The one thing I will say about this, one, this ghostwriter, one, she offered to write the book for free, which should have been a red flag.
Wow.
Two, she is an ardent Remainer.
And three, she has opposed Hancock's policies in the past with all this stuff.
And four, she's the one that also wrote the part about David Cameron, the ex-prime minister, performing a sex act on a pig's head, which is an unfounded allegation.
So, you know, I mean, it's in terms of inviting the enemy to get into bed with you,
getting it done for free is not always a good thing.
No, no.
But you know he just stopped reading at free.
Yes, exactly.
Exactly.
It's a bit like Tom being asked, oh, would you come and present here?
Like, well, I don't know.
It's a paid gig. We provide lunch.
All right, yes.
We provide lunch.
No, it was breakfast, remember?
Breakfast yesterday.
But, yeah, it just goes to show what the type of people
that we are voting into public office,
the people who have absolutely no idea and are purely in it for
themselves. And well, all those four things you just pointed out, any one of those is a red flag. Any single one is a red flag.
Unbelievable. Unbelievable. I weep, I do, for the state of this country.
And God, on that depressing note, I think it's time that we close this. It's self-reflection and, oh, madness.
Industry news.
You're listening to the award-winning host unknown podcast,
like a real security podcast, but lighter.
Yeah. Let's stick to the light stuff and less racism. Yeah, absolutely.
Oh, who's that pointed at? Jav just wants to say for the record, you know, because we are on the record.
Right, Andy, why don't you take us home with something hopefully a little bit happier than Matt Hancock? Give us a happy ending.
Give us a happy ending indeed, and give us
this week's Tweet of the Week.
And we always play that one
twice. Tweet of the Week.
And this week's Tweet of the Week
is from Matanji
and they say any sufficiently
novel,
creative or impactful idea
in cyber security will
take 20 years to go from crazy person shouting into a storm to pillar of a national cybersecurity strategy.
Oh, yes.
Oh, wow.
Deep knowledge, that is.
Don't change your passwords every 30 or 90 days.
Only change them when you think they've been compromised.
It's classical.
That was standard protocol.
Yeah.
Change them regularly.
Treat them like your underwear.
Change them often and never share them.
Well, you know, I think there's two points that you take from here.
One is that risks change.
So things that were relevant before, you know, not relevant before, they become relevant today. So that's why those things, you know, do need to change. But it also shows we're terrible communicators if it takes you 20 years to get your message across. Like, you know, I think the way we as an industry express these things is wholly inadequate and does a disservice to the people who really need to hear the messages. But sometimes I think, you know, we've gone in so high, you know, in the past. It's always doom and gloom: if you don't do this, then this is going to happen, the world's going to... your business is going to shut down. Yeah, everything's fun. So, you know, over time it's become a bit of a, oh well, you know, it's not that big a deal, they're always talking about events that never happen. There's always guys falling with these guys.
Yeah, we jumped the shark like Fonzie as soon as we started giving bugs, like, you know, logos and dedicated websites and theme music. Yeah. Oh my God, oh my God, it's Heartbleed. Yeah, oh my God, it's Busted Wine Open.
That's... that was what, we would survive this onslaught.
And things like, you know, attribution names, you know,
things like, you know, the Mandarin marsupial and whatever else they call these things.
Yes.
The lengthening, I don't know.
I can't even make these up.
I don't know how people get these names
together.
It's incredible.
Very good. Excellent.
Thank you, Andy, for cheering us all
up a little bit there.
It's Tweet of the Week.
Well, we come to the end of the show,
at last. We're running a little bit
late, hopefully, or
my 9 o'clock meetings won't
mind me being a few minutes late this morning.
And same for you guys.
So, gents, thank you
very much for your time. Jav,
thank you.
You're welcome. Stay secure.
He is there. Jolly good.
And Andy, thank you.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
There's a bit of a delay going on here.
Are you guys like on the end of a modem or something?
Maybe we're just messaging each other talking about you.
We've got like a private beach.
Yeah, it's off the record, so don't worry.
Host unknown has got to be on the record.
We know this. On WhatsApp with disappearing messages.
And we're out.