The Host Unknown Podcast - Episode 146 - The Hungry Hungry Caterpillar
Episode Date: March 31, 2023

This Week in InfoSec (08:33)

With content liberated from the “today in infosec” twitter account and further afield

29th March 2010: OpenSSL version 1.0.0 was released. It's easy to take for granted ...how pervasive the open source library is in the myriad of technologies used to transmit data over the internet and other networks. Take a moment to think about it.
https://twitter.com/todayininfosec/status/1641215201197412352

25th March 2010: Albert Gonzalez was sentenced to 20 years in prison for stealing credit card data from TJX and other companies. He is currently serving his sentence at FMC Lexington and is scheduled to be released in less than 4 months.
Find an inmate: BOP Register Number 25702-050
https://twitter.com/todayininfosec/status/1639657037935067137

Rant of the Week (13:55)

NHS Highland 'reprimanded' by data watchdog for BCC blunder with HIV patients

In a classic email snafu NHS Highland sent messages to 37 patients infected with HIV and inadvertently used carbon copy (CC) instead of blind carbon copy (BCC), meaning the recipients could see each other’s email addresses.

This is according to Britain’s data watchdog, the Information Commissioner’s Office, which has “reprimanded” the Health Board, which serves a regional population of some 320,000 people and has an annual operating budget of £780 million ($964 million).

The error took place in June 2019 when a member of staff opened the prior group email, copied all those on the list and emailed a newsletter to the group of 37 “data subjects” - aka patients - without using BCC. Efforts to recall the mail failed.

Rather than issuing a £35,000 ($43,000) fine, the ICO is instead taking its “public sector approach” introduced in June 2022: working with senior leaders to “encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong.”

The ICO described the email error as a “serious breach of trust.” In a statement, Stephen Bonner, ICO deputy commissioner for regulatory supervision, said of the mistake:

“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.

“Every HIV service provider in this country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” he said.

The ICO said using BCC incorrectly is within the top 10 “non-cyber breaches, with nearly a thousand reported since 2019.”

Billy Big Balls of the Week (25:06)

Microsoft Security Copilot is a new GPT-4 AI assistant for cybersecurity

After announcing an AI-powered Copilot assistant for Office apps, Microsoft is now turning its attention to cybersecurity. Microsoft Security Copilot is a new assistant for cybersecurity professionals, designed to help defenders identify breaches and better understand the huge amounts of signals and data available to them daily.

Powered by OpenAI’s GPT-4 generative AI and Microsoft’s own security-specific model, Security Copilot looks like a simple prompt box like any other chatbot. You can ask “what are all the security incidents in my enterprise?” and it will summarize them. But behind the scenes, it’s making use of the 65 trillion daily signals Microsoft collects in its threat intelligence gathering and security-specific skills to let security professionals hunt down threats.

Microsoft Security Copilot is designed to assist a security analyst’s work rather than replace it — and even includes a pinboard section for co-workers to collaborate and share information. Security professionals can use the Security Copilot to help with incident investigations or to quickly summarize events and help with reporting.

Industry News (33:13)

NCA Harvests Info on DDoS-For-Hire With Fake Booter Sites
New MacStealer Targets Catalina, Newer MacOS Versions
France Bans TikTok, Other 'Fun' Apps From Government Devices
ChatGPT Vulnerability May Have Exposed Users’ Payment Information
Thieves Steal $9m from Crypto Liquidity Pool
NCA Celebrates Multimillion-Pound Fraud Takedowns
North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks
GCHQ Updates Security Guidance for Boards
UK Regulator: HIV Data Protection Must Improve

Tweet of the Week (41:24)

https://twitter.com/TrungTPhan/status/1641480574996217858

Come on! Like and bloody well subscribe!
Transcript
So I called this episode the Hungry Hungry Caterpillar after you, Joe,
because I know we're now doing this outside of normal hours to cater for you.
Thank you. I appreciate it.
But it is quite late in the day, but it's not late enough for it to be sunset.
Joe, we're going to hit sunset halfway through this episode.
Oh, my goodness.
You're listening to the Host Unknown Podcast
Hello, hello, hello, good morning, good afternoon, good evening
From wherever you are joining us
And welcome one and all to episode 145
149
Of the Host Unknown Podcast. Is it 45 or 46? I don't know.
Losing track already. Whatever number you say, plus four. Yeah, exactly, exactly. Hello, hello, dear listener,
we trust you are very, very well and that you're not too disappointed you had to wait until after sunset for this week's episode.
But, uh, well, not just after sunset, it's already Saturday for some of our listeners. This is true.
This is true because we've got some in the future, haven't we? Yeah, but we're doing this, we're doing
this not for me and Andy, we're doing it for Jav. We're doing it for Jav. Just putting it out there, Jav. So I hope,
I hope since you did bother to turn up this week, Jav, that actually you're going to, you know,
going to, well, be thankful. You should be thankful. I'm helping you
meet all your diversity quotas, your inclusivity quotas. What do you mean? I've got a gay African on the show?
You've got to be careful, Joe.
You know what Jav's like with his spreadsheets when he decides to go on
the diversity audit.
You should have seen the colour drain from Graham's face when I mentioned
about Jav doing a spreadsheet.
Did you tell him, actually?
Yeah, I did.
Oh, no.
Sorry, Graham, if you're listening, and I know you do.
I started it as a joke, and then it got very serious for me by the end,
and I felt secondhand embarrassment, and I wanted to burn that spreadsheet,
but then I'd already shared it with Andy and Tom.
But the numbers don't lie.
Statistically, you do not have many people of colour on your show, Graham.
Thank you.
He wanted to burn it, but he'd already emailed it to InfoSecurity magazine.
Dear me.
Jav, you should be ashamed of yourself.
The hunger is making you do things that you really
shouldn't be doing. Well, let's talk about the manels that you've been doing every week for
Thais, Tom, if you want to talk about diversity. Every week on LinkedIn. Not my manels. Every week
on LinkedIn Thais is posting this poster like, come and listen to this panel hosted by Tom Langford. And the m-m-m is all white men in it every week.
Well, the next one is on diversity.
So fingers crossed, eh?
So you definitely have white men on there.
So are you well, Jav?
How's your week been?
Oh, it's been good.
You know, I still haven't listened to last week's episode because I was, I was on the red carpet last week and, um, well, I was in a user group in the morning and
the red carpet in the evening. You came along to that as well, didn't you? Tell me it was... Yeah, yeah.
And then we recorded the day after, as I recall. So you weren't on a red carpet. Where was I? Oh yes, I
wasn't, I, I wasn't around the day after. I had another event to go to. So, uh, so very nondescript about where you
were. Once you were like, oh yeah, let's move on quickly. Well, okay, I was in Birmingham of all
places. So, yeah, nothing really. Yeah, yeah, I can understand why you'd want to sort of gloss over
that. Yeah, yeah. But, but this week in question, how were you?
You know, it's a blur of hunger and misery and pain.
That's all I can say.
So just a normally... A regular week.
Andy, talking about keeping regular, how are you?
All good, thank you.
Do you know what? I have fully embraced the AI this week
You know, I've kind of dabbled with it before. Yeah, yeah. Like, no one's... like at work I've changed my
profile picture because I didn't have one before. I've got AI to generate me a profile picture,
of which I sent both you guys various options for.
And I know you said, look, it's weird because it looks like you, but it's not you.
It's uncanny. It's like it's like vampire you.
Yes. So I'm waiting for any of my colleagues to say that's a really weird picture that you've got.
I mean, if you look at it in totality there's nothing
wrong with it, right? You know, you look perfectly normal. It's not like you've got, you know, weird
bits hanging off your ears like you're having, you know, many AI photos, right, and little bits like
that. It looks like you, it's just that it's not quite... it's, it's, it's like if there was a,
a slight contamination in the cloning process. Yes, yes. Uh, there is actually
one picture which I'm using for, uh... it's definitely a catfish picture which I look pretty good in. It's
sort of black and white. Is that the one with hair? Uh, no, that's, uh, that, that one is, uh, me after two
weeks in Turkey. But yeah, no, there's another one. It's sort of like a really nice
black and white profile style picture and I'm like, damn, yeah, I look good in that. That's, uh,
that's definitely a catfish. Perhaps I'll upload some on the, on the Twitter stream.
Yes, there's one you sent, you look like, uh, look like a US politician or TV anchor.
It's like we ring a...
No, no, you mispronounce that.
What's that?
It rhymes with anchor, right?
Yeah, yeah, yeah, you know.
I'm fasting.
I can't be swearing.
But you have the side parting hair there and you've got that...
Like from the 60s though right
You know, this is so great. We're an audio podcast talking about photos that... and he's saying
we're just like... the three of us have seen. Of an inside joke right now. Yeah, let's talk about
these photos that we three have seen.
Nobody else has. No, I'll add some with your permission, of course, Andy, with your consent.
I'll add some to when we pop this onto the tweets and the and the mastodons.
I think I think that's very funny.
Yeah. But how was your week anyway?
Good.
Unexpectedly at home all week, which is nice, actually,
because I got all my washing done, I cleaned the bathroom,
kitchen's next, you know, changed the bedclothes.
It's weird being at home during, you know, during the week.
So, yeah, very nice.
Very nice.
So for all these people who say that,
all these employers who think that employees are not productive when they're at home, um, just listen to Tom. He managed to clean his
house in the evenings. I'm just saying, because I don't get that when I'm in London. I can't nip
back and just clean my, my flat in the evening, because otherwise why am I staying in a hotel for the
points, Tom? Oh yeah, yeah, that is, that is very true. That is very true. Those points are what make
everything worthwhile. And talking of worthwhile things, let's see what we've got coming up for you
this week. Uh, This Week in InfoSec takes us back to the birth of PCI DSS. Rant of the Week is a top 10
hit with our friends at the ICO. Billy Big Balls aims to make everybody redundant. Industry News
brings us the latest and greatest security news stories from around the world. And Tweet of the
Week underscores the importance of never asking accountants to hire security professionals.
So let's move on to our favourite part of the show,
the part of the show that we definitively call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter accounts.
And our first story takes us back a mere 13 years ago to the 29th of March 2010 when OpenSSL
version 1 was released.
And it's easy to take for granted how pervasive the open source library is in the myriad of technologies used to transmit data over the
internet and other networks. And so just for context, OpenSSL version 1 was a significant
release for the open source software library as it provides those cryptographic functions which
enable these secure communications that we all rely on over computer networks.
And one of the most notable features of OpenSSL version 1 was the inclusion of support for
the elliptic curve cryptography algorithm, which, if you have completed your CISSP, you
will be familiar with.
And so, yeah, with this ECC the OpenSSL
issues a number of other significant improvements, including support for the
TLS 1.2 protocol, improved performance and memory management and better support
for hardware cryptographic accelerators. And, yeah, the one downside to this was it
was also the version that introduced the Heartbleed bug, which wasn't actually identified until the April of 2014.
So a whole four years later, it had been running.
Did it really come out in 2014?
It feels like it just came out yesterday.
Yeah.
Yeah, it does feel like that.
But no, the whole logo and, you know, hey guys,
I've got something big coming this week, you know, cue the music. Um, that's really weird.
Fantastic. Wow. Okay, very good. Cool. And our second story will also take us back a mere 13 years,
because it's very easy for me to do those calculations of taking 2023
and, uh, minus 13. So to the 25th of March 2010 when Albert Gonzalez was sentenced to 20 years in
prison for stealing credit card data from TJX and other companies. And he is currently serving his
sentence at the FMC Lexington and is scheduled to be released in less than four months.
Blimey, that's a long stretch to get some cheap socks, isn't it?
Well, I think we actually covered this story maybe two years ago about this time.
But just to remind you, Albert Gonzalez was the notorious American computer hacker
who was responsible for some of the largest credit card thefts in history,
certainly InfoSec history.
He also went by the names SegVec and SoupNazi,
and he led a group of hackers who stole tens of millions of credit
and debit card numbers from major retailers in the US,
including TJX and Heartland Payment Systems.
He certainly made famous the SQL injection attacks, packet sniffing, Wi-Fi interception.
And yeah, it's pretty much as a result of the work that him and his gang did,
the PCI, the Payment Card Industry, Data Security Standard was created, um, and a whole
bunch of auditors were born. Indeed. Yeah. And does he get royalties from PCI? Yeah, well,
sadly not, but, you know, it's going to be fun to see whether he starts hitting the speaking circuit
when he gets out. Yeah, of course he will. It's like, I think like, XX from Enron
should get royalties
from socks.
It's like...
Socks?
Yeah.
Yeah.
That's a nice link
back to TJX.
The other type of sock
without the K.
Exactly.
No,
it has got a K.
It's got an X in it.
No,
no,
not that one.
The other one.
What? Whatever. Whatever. And also, point of order for our UK listeners: TJX, otherwise known as TK Maxx. Indeed. And another point of order,
it's not 2023 minus 13, it's 2023 minus 2010, which gives you 13. See, that's why maths is not my strong point.
You mean math.
For our American listeners.
Indeed. Indeed.
So, excellent. Thank you. Thank you, Andy.
That was very quick.
Well, this is to go with Jav's moaning before the show.
Don't spend too long on this week in InfoSec.
You choke up all the time.
Jav's hungry.
And also, they're rather technical subjects,
so we really don't have much to add.
Yeah.
This week in InfoSec.
You're listening to the award-winning Host Unknown podcast.
Like a real security podcast, but lighter.
Let's move on to this week's...
Listen up!
Rant of the week.
It's time for Motherf***ing Rage.
NHS Highland have been reprimanded by the Data Watchdog,
that's the ICO for us in the know,
for a BCC blunder with HIV patients. So it's a classic email snafu that resulted in data being shared through names and through email addresses being part of the CC field rather than the BCC field of 37 patients who were infected with HIV.
And therefore, all 37 patients knew the names and, given the content of the email,
the medical status of everybody else.
This was pretty serious, as you can well imagine. But they have got away with a reprimand,
even though the health board, which serves a regional population of 320,000 people,
has got an operating budget of £780 million. They got away with it. And the reason for that is that the, um, that the, the ICO have decided,
rather than to sort of fine them, which in this case would have been a standard fine of £35,000,
they're taking its public sector approach, which was introduced in June 2022, which means that
it works with senior leaders to encourage compliance and prevent harms before they occur and learn lessons when things have gone wrong.
Which I think, even though this is a rant, which I think is actually a very good idea.
So why take money away from a public body, which is obviously going to be paid by the taxpayer, when actually they could obviously benefit from a bit of help, to say the
least. However, the problem I have here, the rant I have here is that what this comes down to,
sending emails with a CC instead of a BCC is a very, very human mistake.
The thing that really gets me is that given the NHS is all about confidentiality and obviously you don't want to be sharing medical details around everybody,
why the NHS didn't actually have an email system or even email rules that stopped, uh, CCs of two
external parties. Um, DLP. Yeah, bit of DLP, whatever, whatever. It didn't... it shouldn't take much,
and in fact I would have suggested that the ICO should have insisted on a technology being implemented.
And this is me who does not normally go for a technology solution.
But this is something that human error is always going to come into play,
and an area where you can't afford to make these kinds of mistakes,
because the actual real, uh, ramifications are so great.
So the, the rant here is very clear that actually the NHS, or certainly NHS, uh, Highland, um, really
should be investing this, you know, the, the not having to pay this fine, but invest in that money
into ensuring it doesn't happen again through, uh, well, I hate to say,
oh my God, shoot me now, security by design. Oh, I feel dirty just saying the word, but, uh, words, but
I just think in this instance it's required. You know, that is, yeah, it's... these are basic,
fundamental foundations. These are table stake mistakes that are being made here.
And again, the ICO has once again proved it's rather toothless
by not actually insisting that this was done
and rather, you know, more just consulting with them
and working with them to encourage compliance and prevent harms, there should be
very, very clear guidance. And, you know, we were going to fine you £35,000. Well, that's your
starter money for your DLP solution, you know, or whatever it might be, even some basic email rules.
So, yeah, this is, well, a serious matter, quite frustrating, and I think is going to happen again.
The interesting part, though, was that or the other interesting part was the ICO said that using BCC incorrectly is within the top 10 of non-cyber breaches with nearly 1,000 reported since 2019.
So it was 1,000 that have been reported.
God knows how many have not been reported.
But this feels like an OWASP top 10 here.
So let's get the systems updated.
It's not even top 10.
It's just OWASP zero.
It is.
Yeah.
Email zero.
I mean, it is. It's just a web zero. It is, yeah, email zero. I mean, it is, it's, it's just
using the wrong tools, or misconfigured tools, for the wrong way. It's like all these organisations
that... do you remember when COVID, they, they were doing the tracking and I think Accenture built
them a spreadsheet with all the NHS trusts, and they cheat for billions, yeah, and they mixed up
the columns with the rows, so it filled up really clearly.
Mixed up the columns for the rows.
I mean, Jesus.
Yeah.
And the amount they were getting paid to do that as well,
and they decided to put it in a spreadsheet.
I mean, Christ, the intern in bloody 10 Downing Street
could have done that.
Yeah, he did.
But Accenture just took the money for it.
I think that was the problem.
So I'm just going to add, I appreciate the, um, the public sector, you know, don't fine public sector, because, you know, it's us that's paying for
it, right? I do get that. But considering the type of data they've got, I do think there is something
this industry and all public sector industries can take when they're handling that level of data,
you know, particularly healthcare data.
And so, you know, the FCA in the UK, that's the Financial Conduct Authority.
They're one of the regulators for the financial sector.
They have the concept of approved persons, you know, in organizations
and these people have to be, you know, pass a fit and proper test
and they're responsible for ensuring all of the conduct rules are followed.
Now, if something goes wrong, like very badly wrong,
these people can be fined personally.
Now, I am not against this type of thing being done.
And they have to be part of senior management.
So that's the other thing where they can't be, you know, sort of a scapegoat.
They are ultimately responsible for practices.
It sounds, I get where you're going, because sometimes unless somebody's job is on the line
or unless somebody is very clearly responsible, changes don't happen, if you see what I mean.
My concern with that is who's going to want to take that job?
They're going to be extraordinarily highly compensated
because, you know, who knows, they might be out of a job and be fined,
in which case we're emptying the purse even more,
probably even more than £35,000 a year, I'm sure,
you know, on top of what
their normal salary is. And then what, you just get another person who probably doesn't want to do the
job unless they're, you know, extensively financially compensated again, and it just becomes a bit of a
money pit almost. Who is it, Barney Stinson? That's the job that Barney Stinson does on How I Met Your Mother. No,
but he's actually designed to just take, you know, take the fall. Well, exactly. Well, no, there's got to
be an incentive to do, do a good job, right? Then it's, uh... Totally, totally. But I mean nothing else
has worked for them. I think they, you know, they can at least try this model. They're going to try
something. They're going to try something else, I think.
I'm not wholly against the idea.
I think for me personally,
I think there's a germ of truth and an idea in there,
but I'm not sure having a single person nominated as...
If you lose data...
You have three people.
It doesn't have to be one person.
You can have three people.
Okay, and if something goes wrong, you all lose your jobs?
Not necessarily.
You can be personally fined instead.
Great, great.
You lose your marriage then.
Yeah.
And your house.
You got an incentive, haven't you?
Maybe it's the lack of food,
but this sounds like really, really bad ideas
you guys are coming down with right now.
It's just like absolutely terrible.
But, you know, so how do you think they're going to treat people
that are responsible for then sending out these mail merge emails?
You just cost me my bonus this year, mate. Fired.
Exactly.
And then hopefully, you know, the incidents go down the following year.
Yeah. You know, you said you were looking for people. I think it was it was last week, Andy, you said you were looking for people to work for you because they sounded like, oh, that's right.
It's the person who said that they worked 18 hours a day, even during a mammogram and a cancer scare and all that sort of thing.
I don't think you're going to get many people lining up to work for you at the moment based upon what you do, based on your bucket. I'm just... well, no, I'm just saying there is obviously no...
So the whole point is you're responsible for putting in processes and training and making
sure you've got the right controls in place, right? If you can demonstrate you have done all that you
can and it's a genuine mistake, you're not going to lose your job. You're not going to get fined.
But if the fact is you don't have, you know, adequate training, you don't have technical control.
I'm not saying you have to put technical controls in all the place,
but in this particular instance for healthcare data,
it's probably justified to spend the money on technical controls to ensure
that there's no unauthorized disclosure of data. So, you know, in this case, I think someone would be liable. I agree with that.
And if you would like a job with Andy, just send your CV in to us and we will pass it on.
Let's move on, shall we?
Rant of the Week.
You're listening to the award-winning Host Unknown podcast.
It's better than tinnitus.
All right.
Let's see if they are still big
or if the hunger has actually reduced them somewhat.
But let's move on to...
Are you ready to get down with the big balls?
Because let me tell you, things are getting wild out there
in the world of artificial intelligence.
So get this.
Microsoft, the tech giant and grand master of Clippy, uh, for those of you who
remember that annoying little paper clip, has just unleashed its newest AI creation, uh, the Security
Copilot assistant for Office apps. It looks really good. Yeah, it's called Microsoft Security Copilot. It's a new assistant for cybersecurity professionals.
It's powered by ChatGPT 4.
So they've leveled up from GPT 3 to 4,
which in AI terms means it's like they've unlocked
the final boss level of AI capabilities.
Or they've let it look at data from before February rather than before November.
Yeah, yeah, yeah.
Now, this looks at, behind the scenes, at about 65 trillion daily signals that Microsoft
collects in its threat intelligence gathering and security-specific skills to let the pros hunt down
threats. It's kind of like sounds great on paper, but, you know, I know some skeptics might be
questioning the legitimacy. But, you know, we've all been there, isn't it? I mean, like desperate
to secure our devices, we've all turned to even the most bizarre of antivirus programs,
just hoping that McAfee can keep us safe from beyond the grave.
It's like, you know, turning to a Facebook psychic
to predict the future cyber attack.
Which, so, you know, on a stats basis alone, that should work out.
But don't worry, Copilot isn't just any AI tool.
It comes with features like proactive suggestion making and enterprise knowledge management.
It also has like a pinboard section for co-workers to collaborate and share information.
You know, it sounds amazing and scary,
but I thought, you know,
I've let ChatGPT-3 write poems and even help out writing grocery lists.
So why not let GPT-4 dabble into cybersecurity?
Am I right?
Are they not the biggest balls ever?
I'm sure you've used it to get it to write more things than that,
but I'm not sure about it.
I'm struggling to see this work in real life.
It's almost like I can see a human, an AI,
having a chat at like 3 a.m. in the morning in a SOC going,
what do you think that is?
And the AI goes, I don't know, what do you think?
It looks pretty dodgy to me. I'm a big convert recently to, um, just because it made you good
looking and, you know, and look younger and vampirific. Exactly. No, so this, the whole Copilot
for Office, right? So the reason I like the look of that one, it can do your minutes for you. Okay, I know the previous transcribing in Teams was pretty poor, um, but Copilot, it sort of identifies who speakers are,
and if you say, oh yeah, I'll take care of that, it creates that as an action, right? And so it'll
produce everything for you at the end of the meeting, transcribe it, say these are the actions,
and it will draft the emails to all the recipients and
say, you know, these are the minutes, and it can then create the tasks to assign to the people that said
that they would do those actions, right? So it's, it's just like, it's a time-saving thing, right? I
don't think this is going to replace anyone. It's not going to replace your SOC, and I think you're
crazy if you think that. But if a new vulnerability comes in like that, um, you know, that supply chain one this week, the 3xs or, um, you
know, whatever it was, you can literally say to Copilot, you know, are we vulnerable to the three,
3CX supply chain hack, and it can come back and say we've got no assets that are vulnerable to
whatever exploit. I'm sorry, Dave, I can't... Yeah, exactly. But obviously you still have to check it, right?
Because this stuff's not accurate 100% of the time.
So I ask it a question, it gives me an answer,
and then I don't trust that answer,
so I still have to do the work anyway.
Well, no, you can say show your workings.
Yeah.
And then I have to check the workings.
Well, over time it learns.
Yeah, you can do like sample testing.
I think one of the great things on this, and especially in the SOC environment, is you can get it to query large
data sets really quickly, and that's what takes a lot of people time, you know. Yeah, you're writing
out the commands and you're trying to, like, query your SIEM here and your DLP there, and they say, like,
okay, I'm looking for this, here are all the systems, you know, tell me. Um, you don't even have to say
that, you just have to say, tell me.
And it does that in the back end.
So I think it's...
You're writing all the commands.
I thought it was all GUI now.
Oh, you know what I mean.
You're clicking on the plus sign to make the commands
and build massive if this, then that statements.
So the thing is, I think it's like Andy.
I mean, you know, Marshall, I was a convert before him.
But it really does.
It was like the whole TikTok when I tried to get Jav into TikTok
and then he immersed himself in it.
Like Jav was doing the same with me on this stuff.
He was sending me like barely links like, you know, months ago.
And I was like, yeah, it's cool,
but I just don't see the benefit of someone else doing the work for you.
It is, you know, I
actually turn to
chat GPT before I go to Fiverr
these days, and that's saying a lot.
What?
Blimey.
So it can do your gardening
and your concrete work
and chop your trees and all that sort of thing.
Yeah,
I just say, like, send emails to all the people, negotiate a price with them and here's my bank
account details. Yeah, because what's the worst that could happen? Yeah, exactly. Well, I don't know, I, I'm
pretty sure this isn't going to be the last we hear of this, um, especially with, who's it, Musk and
some other fella saying that it's the end
of the world and we need to slow down on the AI. Um, so the man who wants self-driving cars on the road
like five years ago. Jeez. Although, interestingly, the Italian privacy regulator has banned ChatGPT,
uh, today, over the alleged privacy violations. So it's Italy, in Italy, in all of Italy? Yeah.
Wow. So, uh, it's a temporary order until the company respects EU's GDPR. That's very interesting.
Yeah, so the authority says the company lacks legal basis justifying the mass collection and
storage of personal data to train the algorithms. I guess the, the real question is, has ChatGPT-4 signed an NDA?
And on that note, Billy Big Balls of the Week.
You're listening to the award-winning Host Unknown podcast. It's better than tinnitus.
Do you know, it's really weird, I can't hear these jingles being played, so I'm never quite sure if
they finished or not. But... oh, they finished. And do you know whether you've played them twice or not?
Because, uh, you definitely just played that one a second time. Oh, did I? Oh well, I'm pretty sure I didn't press it, but don't worry about it. At least
people know, people know it's live. We're not one of these shows that, you know, fixes stuff in post.
Oh my goodness, no. Or, you know, invite ChatGPT-4 on as a, as a special guest and then, and then call it,
you know, Javad Malik or something. I mean, that's what
it sounded like in the past. So, uh, yeah, talking about not knowing whether they finished on time
or not, Andy, what time is it? It is that time of the show where we head over to our news sources
over at the Infotech PA newswire who have been very busy bringing us the latest and greatest
security news from around the globe. Industry News.
NCA harvests info on DDoS-for-hire with fake booter sites.
Industry News.
New Mac Stealer targets Catalina, newer macOS versions.
Industry News.
France bans Le TikTok, other fun apps from government devices.
Industry News.
ChatGPT vulnerability may have exposed users' payment information.
Industry News.
Thieves steal nine million from crypto liquidity pool.
Industry News.
NCA celebrates multi-million pound fraud takedowns.
Industry News.
North Korean hackers use Trojanized 3CX desktop app in supply chain attacks.
Industry News.
GCHQ updates security guidance for boards.
Industry News.
UK regulator: HIV data protection must improve.
Industry News.
And that was this week's Industry News.
Huge if true.
Huge.
Huge.
I got the impression, Tom, you've never heard of these booter sites before.
Is that like the restaurants?
Yeah, exactly. Yeah, booter, exactly like that.
Yeah, yeah. It's, you know, I mean, Hooters is all well and good, but booters, that's where the money's at.
Yeah, yeah. It did throw me, I have to say.
So, booter services. I can understand the context now.
Yeah, I can understand the context now, but at the time I was confused.
It's a vernacular that, you know, these youngsters use these days, right?
I know, I know. Nothing worse than a fake booter.
Anyway, from these stories, I never thought I'd say it,
but Les French have done something that I agree with.
So.
Yes.
Or maybe they're just very good at hiding their xenophobia,
but they didn't just.
As if France doesn't have other things going on in the country this week.
Yeah, that's right.
Exactly. That's right.
So while the rest of the world is busy just banning TikTok,
they've taken a different threat model and said,
well, on government devices, forget TikTok.
Well, we're going to ban that.
But why don't we ban Twitter and dating apps and Netflix and other,
like Candy Crush?
There you go. See, like Candy Crush.
There you go.
See, that makes sense.
That makes sense.
That makes sense.
So I'm actually looking in this article. There's no mention if they're trying to, oh,
I'm actually quoting in this article.
I'm just looking at it.
Oh, there you go.
Do you know what?
Is it you or is it ChatGPT?
I was about to say, did you quote or did you get AI to quote on your behalf?
It's attributed to me, so it doesn't matter.
I'd like an answer to the question, Judge.
When Jav told us on the WhatsApp group that he was getting AI to answer,
he was actually typing Al.
Yeah, it was WhatsApp GPT that he's got installed here. We weren't even talking to Jav.
Yeah, I know. But what I thought was,
well, maybe the French have an app to organise riots and protests, and they're probably
using this whole thing just to ban that app from
government devices so at least they would come into work.
I think of all the things the French need, they don't need an app to organise a protest and a riot.
Let's face it, there's one thing they're very good at.
Yeah, yeah, absolutely, absolutely.
We think we're pretty good at that kind of thing.
No, no, we've got no staying power when it comes to comparing us to the... When have we ever rioted or protested?
The last time we ever did anything, that was the 80s.
Yeah, exactly. Poll tax.
Like, the French are rioting, right? So the UK is
putting up the mandatory return, not mandatory, the retirement age
before you can claim pension and stuff to 68, right?
Yeah.
The French are rioting because the government's proposing
putting theirs up to 63.
Yeah, I know.
And we just take it.
We're like, okay, it's going up 66 to 68, cool, whatever.
Yeah, we'll deal with that in 20 years' time.
Yeah. Yeah.
It does make me wonder how much of it is... and this could be a very, you know, this could
be a touchy socio-political topic, but how much of it is they're just in it for the craic, compared to
actually they're rioting against something they feel is fundamentally wrong.
I do.
I think they seem quite passionate about it.
And they're actually saying, I saw a video on Politics Joe,
that the UK should riot more.
They think that we just take it too much.
Yeah, we do. We don't actually say anything on any topic,
even like really important topics and what have you.
Well, we do.
We write stern letters to the Prime Minister.
Yeah. Yeah.
I will shake my newspaper and harrumph.
Yes. Yes. But, but, you know,
I was reading something about the French rights on retirement.
It's a bit more, slightly more nuanced about that because.
I'll take the Cliff Notes, Jav.
At the moment, like there's certain professions you can retire a lot earlier.
So say you're in the army or you're doing hard physical labour,
certain jobs, you can retire early because you realistically
can't work those jobs when you're in your 60s.
Because you're fucked.
But they wanted to blanket all of these professions in with that,
move it up to 64 or what have you, except
the caveat was the politicians.
Exactly. Politicians.
Really?
Yes. I'm not even sure Boris would have done that.
Oh, I don't know.
Wow, that is transparent at its best.
Oh, my God.
Yeah, yeah.
Even I might decide to draw on a placard and wave it around.
Draw it on your bald head with a Sharpie, Tom.
That would be far more effective.
The helicopters can see it.
Exactly, you can see it from the air.
Exactly, exactly, yeah.
Thieves steal nine million from crypto liquidity pool.
Well, colour me surprised.
Yeah.
I mean, this is just like thieves stealing thieves, right?
Yeah.
Thieves steal money.
Really?
From insecure bank.
Oh, right.
Unregulated insecure bank.
Unregulated.
That's right.
Police uninterested.
We don't often see a Trojan.
Sorry, Mac Stealer.
Yeah.
Information-stealing malware has been observed targeting Catalina and newer versions of macOS running Intel, M1 and M2 CPUs.
Tom's like, I don't see that.
Where is that article?
I don't see it at all.
All I'm seeing is Catalina.
I'm like, no, that's not me.
Yeah.
Right.
Excellent.
Thank you for this week's Industry News.
When listeners leave the Host Unknown Podcast in favour of the Smashing Security podcast, they raise the average IQ of both audiences. You're in good company with the award-winning
Host Unknown Podcast.
Right, let's take us home, shall we, with this week's Tweet of the Week. And we always play
this one twice.
Tweet of the Week.
And I shall wrap up the show with this week's Tweet of the Week
from Trung Phan, who's basically posted the article of a job for Her Majesty's, His Majesty's Treasury, and it's the
job for Head of Cyber Security. And Trung has said the UK Treasury is offering 57,000 pounds,
which is 71,000 US dollars, for its Head of Cyber Security. Seems a little low.
The best part of this is 57 and a half thousand
is the top end.
Yes, it actually starts lower than that, so 50 and a half, or 50,550 to be precise.
Yeah, wow.
And so there is, and the actual thread...
So as Lincoln has shown us, he's actually put a thread in there. He's followed up some additional jobs, which references over 600 senior government officials on the most recent Cabinet Office spreadsheet of civil servants.
Those are only one hundred and fifty thousand pounds and over.
Has just one job with the word cyber in their title.
And it turns out they were a contractor who has since left to join the private sector as a CIO.
Talk about completely devaluing the role.
Yeah.
Yeah.
That is shocking.
I know they get good pension,
don't they?
It's typically about 25%,
isn't it?
Public sector.
Probably final,
final,
yeah,
final salary or something.
Yeah,
but even 25% of fuck all is still.
Yeah,
exactly.
Exactly.
I'm like,
Tom's normal pension will pay more than his full-time salary.
So,
But what is interesting in here is that civil servants joining on level transfer,
HM treasury will honor their current substantive salary if higher.
And so that made me think, as a conspiracy,
maybe they already know who they want for the role and
it's someone internally. So they said, if we lowball the external thing, we can always
justify that no one qualified came, and, oh, look over here.
Oh, very good. That's entirely plausible.
Yeah, we'll find out if it is an internal appointment when it does get appointed, right?
Because I think everyone's going to be keeping track of that.
We're going to keep track of that, aren't we? I'll ask ChatGPT to...
Well, this is true. Yeah, yeah, when the job disappears from LinkedIn.
Ask Clippy.
Oh, it's Copilot these days, Tommy. Gotta get...
Oh, sorry. I'm using Rewind to record everything we're talking about now anyway, so I'll get that to
remind me.
So, just to emphasise how low this salary is, there is someone in the message thread
that says that, you know, some European countries display monthly salary instead of the
annual salary. So, are you sure this isn't a per-month rate?
No, this is definitely the annual salary.
Wow.
I mean, I'd be interested to see the job description
and the scale of it and all that sort of thing.
I mean, but even so, it's...
Two days a week. It's doable.
Yeah, exactly. Yeah, two days a week.
I'd be down for that.
I could probably squeeze it in with this job.
Yeah.
You just have to cut out your house cleaning and you'll
have all that extra time.
Well, there you go. There you go.
Right, excellent. Thank you, Andy.
Well, we have barrelled into the end of the show once again. Gentlemen, thank you as always for
your time, effort, contribution, and even a touch of humour as well this time.
Jav, thank you very much.
You're welcome.
And thank you, Andy.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
How much longer till sunset?
45 minutes, 50 minutes.
Yeah, 45.
Yeah.
So Jav has literally just sent to the group chat his entire segment
that he spoke about earlier was actually written by ChatGPT.
Not entirely. I mean, I got it to...
Wow.
Well, so that's why you two were laughing so much.
Yeah, it wasn't your humour. It was actually funny.
It's actually said things, but seriously,
and stuff like that to put in.
So get this.
Damn, man.
Oh, but don't worry.
Security Copilot isn't just any AI tool.
Because I asked it to write an SNL-style monologue.
Oh, is that what...
That was the prompt. I said, write an
SNL style monologue
on this story. That was the prompt.
Very good.
Very good. I'm sure our listeners
feel very happy with their value
for money now. Oh, you're still
recording, you arsehole.