The Host Unknown Podcast - Episode 147 - John Wick Seventeen and Three Quarters
Episode Date: April 14, 2023

This week in InfoSec (08:48)
With content liberated from the “today in infosec” twitter account and further afield

5th April 2002: A hacker compromised a server containing California's payroll database. The state's Controller's Office waited 2 weeks to warn victims. As a result angry lawmakers reacted by passing the first state data breach notification law in the US, SB 1386.
https://twitter.com/todayininfosec/status/1643711958032719874

6th April 2011: The Georgian interior ministry announced that a 75-year-old woman was charged after she disrupted Internet service in neighbouring Armenia.
An elderly woman scavenging for copper? Add that to your DoS threat modelling diagram!
https://www.bbc.co.uk/news/world-europe-12985082
https://twitter.com/todayininfosec/status/1643964851188912129

Rant of the Week (14:53)
Pentagon super-leak suspect cuffed: 21-year-old Air National Guardsman

The FBI has detained a 21-year-old Air National Guardsman suspected of leaking a trove of classified Pentagon documents on Discord.

US Attorney General Merrick Garland confirmed the arrest, saying Jack Douglas Teixeira of the United States Air Force National Guard in Massachusetts was nabbed earlier today.

The suspect was being held "in connection with an investigation into alleged unauthorized removal, retention, and transmission of classified national defense information," the AG said.

The Washington Post reported yesterday that whoever leaked the files was thought to be a twenty-something American who liked gaming and guns, and worked on a military base.

It's said he also controlled a private Discord server, and allegedly posted photographs of the classified Pentagon documents to impress the private group's 25 members, which included netizens in Europe, Asia, and South America.

It is believed those classified files were shared beyond that Discord chat, and surfaced in one form or another on social media, where it all spread like wildfire.

The documents were said to be war plans detailing secret US and NATO support for a Ukrainian offensive to regain land invaded by Russia, and that American and British special forces were already in Ukraine.

Billy Big Balls of the Week (28:05)
To improve security, consider how the aviation industry stopped blaming pilots

To improve security, the cybersecurity industry needs to follow the aviation industry's shift from a blame culture to a "just" culture, according to director of the Information Systems Audit and Control Association Serge Christiaans.

Speaking at Singapore's Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop.

According to one analysis, [PDF] the rate of fatal accidents fell from nine per 10 million flights in the 80s to six per 10 million in the 90s. Between 1995 and 2001, that figure was three per 10 million.

“There was a big game changer,” Christiaans told the Summit. “Millions of people a day now fly in commercial aviation, and nothing happens.”

While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a “just culture” that accepts people will make mistakes and by doing so makes it more likely errors will be reported.

In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.

“We're not trying to blame, we're not trying to point fingers, we're trying to find the reasons behind the mistake,” said Christiaans. “There are of course, exceptions like negligence where of course you will be punished by law. But otherwise, if you speak up freely, you will not be punished.”

and...

While Twitter wants to sell its verification, Microsoft will do it for free on LinkedIn

As Elon Musk tears at Twitter's credibility by demanding businesses and individuals pay for their blue verification checks, Microsoft is pushing its own free digital ID technology to companies and their employees on LinkedIn.

Later this month, Microsoft will let organizations use its Verified ID tool to prove their workers' employment, with staff then being able to display that employment verification on their LinkedIn profiles.

Like the trust the unpaid-for blue check mark on Twitter once conveyed, the Verified ID on LinkedIn will show that the people on the business-focused network – which has about 900 million users – work at where they say they work.

"By simply looking for a Verification, members and organizations can be more confident that the people they collaborate with are authentic and that work affiliations on their profiles are accurate," wrote Joy Chik, president of identity and network access at Microsoft.

Industry News (38:18)
Latitude Financial Refuses to Pay Ransom
KFC Owner Discloses Data Breach
US Scrambles to Investigate Military Intel Leak
Ethical Hackers Could Earn up to $20,000 Uncovering ChatGPT Vulnerabilities
Rapid7 Has Good News for UK Security Posture
Superyacht-Maker Hit by Easter Ransomware Attack
Pakistan-Aligned Hackers Disrupt Indian Education Sector
Over 20,000 Iowa Medicaid Members Affected By Data Breach
Five Arrests in Crackdown on $98m Investment Fraud Gang

Tweet of the Week (47:18)
https://twitter.com/DeathsPirate/status/1646840360478359553

Come on! Like and bloody well subscribe!
Transcript
How was the recording last week?
I thought you two did it.
No, you were going to do it.
No, no, no, no. I said I wasn't going to be there because it was Easter.
You always do this, Tom. You're so unreliable.
No, no. You said you were going to be there.
I literally said it would be the first time I wouldn't be here since forever.
You always say it's the first time you're ever going to be there.
Yeah, yeah. You're a fine one to talk. You always misinterpret stuff.
Oh, please. I should get some physio for the amount I carry on this bloody podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome to... Oh God, I've lost count. What count? Where are we?
Episode 147. Episode 151.
I lost count as well.
Is it three I add or four? I can't remember.
Oh, yeah. So episode 147.
Oh, I always know it's four. I just didn't know what, you know, one, four, seven plus four is. Had to reach for the calculator.
And yes, we have come back from a little break. Two of us were on our Easter holidays.
I don't know what you were doing, Jav, but you certainly weren't there to carry the podcast.
That's for sure.
As opposed to what I do every week?
What do you mean?
Carrying the podcast. Sort of turn up as a special guest star.
Becoming a lot less special every week, I'm telling you.
So funny.
Oh, he's special.
He's special, all right.
Our little engine that could.
Harsh. Harsh.
Fair, but harsh.
Oh dear. Jav, so how are you? How have you been these last couple of weeks?
Well, getting hangrier by the day. So only a week left and then...
This is true.
Ramadan will be over, so then I can, uh, be caffeinated up and, uh, trade blows with the two of you effectively, rather than just kind of, you know, sit there in a semi-comatose state and just, just agree with everything we say.
I'm just literally on the floor in the fetal position with the mic next to me, just trying to make it through this episode.
You mean you can't even have some water or something?
Not even water, yes.
Not even water.
Andy, what about you?
How have you been the last couple of weeks?
Good.
I have discovered I have a very high tolerance for chocolate.
I mean, this is nothing new.
I phased it out for a long time.
Obviously, Easter came along.
I've got lots of eggs. I can eat a 34040 gram egg in a single sitting and not even feel sick.
Wow. You know, yeah, it's quite impressive.
So, so there's a lot of people in your family who are trying to sabotage your svelte looks, is what I'm hearing.
Absolutely. Everyone's trying to do it. It's like, yeah, it's just...
Oh, yeah, it's all right, you just, just eat bits of it. You don't have to eat it all in one go.
Of course I'm going to eat it all in one go.
Exactly, until they not know you.
It's got one wrapper.
You know what I mean?
It would be split into different sections
if you weren't supposed to eat it at once.
I'm just picturing that meme about,
I've found the person responsible for all my problems,
and it's me.
Looking in the mirror.
Yeah.
You've got the breaking strain of a warm Mars bar there.
But, uh, how was your weekend? Have you been enjoying Easter?
Uh, yes, very good. I did, uh, I did a wedding just before Easter. That was, uh, that was, that was good fun, uh, especially as the, as the groom, his sort of opening words to me were, I don't want any pictures taken today.
Okay, I'm glad I'm not being paid by the shop then.
So, yeah, but it
turned out really well.
So that's the guy who
he's obviously
using a fake name or something. He doesn't
want his actual wife to know
that he's getting married.
Best part was, he'd already paid for
the package, do you know what I mean?
It was so real okay.
He's got a secret family somewhere else
and he doesn't want pictures ending up online.
Definitely.
I couldn't possibly comment.
Couldn't possibly comment.
But it did work out very well.
He very much got into the spirit of it
and was very, very happy at the end.
So, yeah.
But that was good fun, although a long day.
That was like 6 a.m. to midnight.
Wow.
Yeah.
You work harder at this gig than you do in your real job.
Yeah.
Yeah.
Do you know how much money I made for that 18-hour day?
How much?
Nothing.
160 quid.
You did it for the experience, right?
I did it for less than, less than minimum wage. That's basically time for prints.
Yeah, eight pound, that's like eight pound 80 per hour you made.
I know, right? I know. My son makes more in Co-op.
But it was good fun. I really did enjoy myself. And then, um, yeah, Easter. So I spent some time with, uh, with my daughter, went to cinema. We went to see Dungeons and Dragons on Monday night. That was really, really good. I highly recommend you go to see that.
Oh, is that so? Last week I took the kids to see the Super Mario Brothers movie.
Oh, yeah.
Oh, how was that?
That was actually enjoyable.
Really?
So two programs from my childhood into movie form.
Are they sort of true to form?
Like in terms of general storyline versus the game?
What I'll say is for Dungeons & Dragons is my daughter plays D&D and she said she could really imagine it being played as a campaign, you know, the decisions...
Oh, that type of Dungeons and Dragons. I was thinking of, like, you know, dungeon master who just rocks up and disappears.
Yeah. Oh, no, no, Dungeons and Dragons.
Yeah, yeah, yeah, that's what I remember. That's the only one I think of.
Yeah, so she said, she said she could really imagine it being played as a campaign because of the decisions they're making, the side quests that have to go on, the characters that kind of appear.
Okay, slightly different to what I was thinking.
I'm less enthused about that one now.
No, seriously, it is a surprisingly good, fun film.
You don't look at your watch at all through it
because it just keeps you going.
The day before, I actually went out and saw John Wick 4,
which is basically John Wick kills Japan and Paris.
I honestly struggled to tell the difference
from all of the other films.
I watched the third one just the other day to get me in the mood for John Wick 4.
I think I needed to watch it again, I must admit.
But not that it would have made any difference,
because basically he did all the same stuff, do you know what I mean?
Yeah, yeah.
It's just that there were more swords because it was in Japan.
Yeah, yeah.
I enjoyed the first one because it had a bit of a plot,
but then it just sort of unraveled with, like, everyone, every homeless person is a secret assassin, every taxi driver is an assassin, every hotel is a, is a... it's, it just, like, seems...
You see, this is a problem, Jav. You need to take the blue pill. You're just not, you don't walk around with your eyes open. You see this stuff every day. You're not looking properly.
Yeah.
Thanks, Andy Tate.
Andy Tate.
Andy Potato Head.
Anyway, talking of vegetables,
shall we see what we've got coming up for you today?
Well, this week in InfoSec takes us back to when one person
bought down the internet service of a neighbouring country.
Rant of the week is the consequences of bragging about your classified job.
Billy Big Balls aims to take a page out of a pilot's playbook
for the good of security.
Industry News, of course, brings us the latest and greatest
security news stories
from around the world.
And finally, tweet of the week is career advice
from someone who builds security leaders.
I have no idea what that means.
So shall we move on to our definitely qualified favourite part of the show, the part of the show that we like to call
This Week in InfoSec.
it is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account.
And today we shall take you back a mere 21 years to the 5th of April 2002,
when a hacker compromised a server containing California's payroll database.
And so he, who was unidentified at the time, accessed the California server housing the state government's payroll database, gaining access to names, social security numbers and salary information for 265,000 state workers, from the governor down. So, you know, I mean, 265,000 people, the breach itself was small potatoes.
But what actually emerged is that the California Comptroller's Office waited two weeks before they actually warned anyone.
And so in response to that, angry lawmakers reacted by passing the nation's first breach disclosure law, known as SB 1386.
And that law requires hacked organisations
to promptly warn potential identity theft victims.
And now up to 45 states have enacted similar laws.
California has always been ahead of the curve on this sort of stuff.
They have, yeah.
They always have.
They literally, when they would do some policy like this,
the other states follow suit very quickly.
Wow, quick for the US.
I don't know if it's the quickest.
Yeah.
Yeah.
Yeah, but two weeks, why would you?
Well, because they didn't know what to do, I guess.
Yeah, I mean, think back in 2002, right?
They're like, do we have to tell anyone?
I don't know.
It's like, I don't know.
Do you know?
I don't know.
Can we speak to legal?
Yeah, get legal on the phone.
And then, yeah, you just sort of sit around and say,
well, there's no law that says we have to.
But, yeah, we wrote this ethics policy last week, and, you know, everyone kind of signed it. And, you know, depending on where you fall on the ethics of this, uh, maybe let's see if somebody complains and then we might do.
Yeah, yeah. So what's the worst they could do with all this information?
Good question.
Yeah, it's right. Um, yeah, so I'm sure they've got some free credit monitoring out of that, uh. Maybe 12 months, 24.
Who knows?
I don't know.
That seems to be the playbook, doesn't it?
Free credit monitoring, which you can also get for free.
Yeah.
Yeah, but shh, don't tell anyone that.
That kind of dilutes the benefits,
the positive affirmative action they're taking to make right.
But alas, our second story takes us back a mere 12 years to the 6th of April 2011, when the Georgian interior ministry announced that a 75-year-old woman was charged after she disrupted internet service in neighboring Armenia. And so it turns out that the elderly woman was scavenging for copper, accidentally ripped out the fiber optic cables that, uh, the whole country's internet was going through, and, uh, yeah, managed to take out their internet connectivity. Um, so yeah, add that to your threat modeling.
That's bizarre. Was she scavenging on her own land? Was she, had she shimmied up a telephone pole?
Well, so yeah, it's really weird, isn't it? She was in some small village of, uh, if I pronounce this right, you know, Kasani. Georgians, don't come after me. Um, but you know, she'd been searching for copper, apparently, and, you know, the cables that were originally owned by the Georgian Railway Telecom Company. And, yeah, she just, I guess, grabbed a bit too much.
Wow.
But it's a bit like, yeah, we've just got this.
Even if you have an office, you have, like,
two or three different cables coming in just for redundancy.
But you've got this entire country.
We're just like, you know, just bury it under the dirt.
One copper wire should be fine.
I guess that's the other thing, right?
Even in companies, you tend to have like a cupboard
where you put like some sort of protective piping around it.
Yeah, exactly.
This is fibre.
You know, it's not even copper that is probably quite resilient to weather.
This is fibre that the slightest dent can mark you.
Yeah, exactly.
And ruin the whole connectivity.
With the single connection to the country next door.
I wonder if the main ISP for, um, um, for Armenia basically then sort of squatted onto Georgia's Wi-Fi just to maintain access, do you know what I mean?
Right. Bastards. I'm gonna, I know their Wi-Fi code, I'm gonna, I'm just gonna connect up, hook everything through that.
Wow. I can't even begin to imagine.
That's right. So I'm reading the article. So LinkedIn has shown, it's actually saying there's impact to, um, Azerbaijan as well.
It's, one country wasn't enough.
Yeah, so I don't think they were taken out totally, but yeah, they definitely had some sort of disruption.
Very good. Thank you, Andy, for...
This week in InfoSec.
People who prefer the Smashing Security podcast
over the Host Unknown podcast
are statistically more likely to enjoy
the Harry and Meghan documentaries.
Read into that what you will.
All right, let's move on to the ranty part.
It is time for... Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Never let it be said that we sit on old stories.
This is brand new, this story. I think the, the, um, the headlines only came out this morning. Isn't that right, Andy?
Uh, yeah. We are, um, I'm not saying we put the show notes together right before we, we started recording.
Last minute, yeah.
But this is, this is very new, because I remember reading this on, on the train just earlier coming back from London. So you may know that there have been some secret plans
that were leaked from the Pentagon
that showed America's involvement in Ukraine
and the Ukrainian sort of defensive activities
that have been carried out against the Russian invasion.
And also that puts at risk many of those Ukrainian plans
because obviously any kind of insider intel on active activities
going on in a war zone is going to give any kind of opposing force
some kind of insight. And, uh, and quite apart from the fact that, that lots of campaigns that may have been arranged for many months in advance now have to be changed, and that can delay things. So really big deal that these, these files were found.
Well, the FBI has detained a 21-year-old Air National Guardsman suspected of leaking this trove of classified Pentagon documents on Discord.
OK, it gets better. This really does get better.
Oh, my God. So the suspect was being held in connection with an investigation into alleged unauthorized removal,
retention and transmission of classified national defense information, the attorney general said.
The Washington Post, who have obviously dug a little deeper.
Said that whoever leaked the files was thought to be a 20-something American
who liked gaming and guns and worked on a military base.
It also said that he controlled a private Discord server,
nothing wrong with that if you like gaming and, you know,
fairly well known, and allegedly posted photographs
of the classified Pentagon documents to impress the private group's 25 members, which included netizens, what's a nice word, in Europe, Asia and South America.
What the... This is like where, uh, where you post classified stuff to our group chat, Tom, right?
Where you're trying to impress myself and Jeff.
Yeah, exactly.
Because I know that sort of stuff really impresses you two.
Yes.
It is believed, however, these classified files were then shared
beyond that Discord chat and surfaced in one form or another
on social media where it spread like wildfire.
Well, obviously, if it's got Pentagon and top secret on it, of course.
Yes. There was said to be war plans detailing secret US and NATO support for a Ukrainian offensive to regain land invaded by Russia, and American and British special forces were already in Ukraine. What the bloody hell? So a couple of things here. Do you guys, I know it's a long time back for you guys as well, but it certainly isn't for me. Do you guys remember how dumb you were when you were 21?
Yes, absolutely. And not just that, I actually think I did have quite a lot of responsibility
before that age.
Yeah, absolutely.
But, yeah, I mean, who knows?
But, you know, you were still dumb.
You probably did some dumb crap, right?
Oh, yeah.
Still do.
But if you saw documents that said top secret,
highly classified, from the Pentagon,
you probably wouldn't have shared it with, say, us.
Probably wouldn't have.
No, I'd be disappointed if Andy didn't share it with us.
And that's talking about now.
But here's the thing.
You're a dumb idiot when you're 21.
I mean, even biologically speaking, your brain doesn't evolve, it hasn't finished growing until you're 25 on average, right?
So you're still maturing, et cetera.
So not only is this an Air National Guardsman,
and that means he's a part-time person as well, I believe, the National Guard, right,
is the equivalent of the Territorial Army.
It's just that you get to fly things as well as do other stuff.
So not only was he a part timer, he was a 21 year old part timer who had access to these highly classified documents,
who also had access to these highly classified documents while in possession of his camera phone, presumably.
Um, so I, I can actually, so for that, I believe he started, uh, writing out copy. Like, he was, like, transcribing a lot of the documents. He was doing the monk attack.
Yeah.
But then, because, uh, he was, like, then, you know, resharing it on Discord and he got bored of it, he started taking photos of his, uh, notes and posting those.
So one, why are you letting a 21-year-old part-timer, part-time bloody, um, uh, uh, Air Force person have access to these documents? What, what?
This happens, right? So the young, the youngsters are propping up almost every country, every company, sorry, everywhere.
I know, I know. You know, but it rolls downhill, and, you know, the people giving those 9 a.m. briefings are not doing the work themselves. But you think, think this highly sensitive,
highly confidential, top secret stuff,
you'd think you'd have someone who had
a little bit of a track
record of not sharing
shit on social media.
But you know what replaces people with ChatGPT, right?
This is what it is.
They've got access with this data.
They are analysing it and sharing it for the big boss.
But yeah, ChatGPT will only link it to... What is a 21-year-old gonna analyze? He's probably, he's already just thinking about what guns he's gonna shoot that, that weekend and what games he's playing on his private Discord server with a whole 25 members.
Yeah, I just, I find this absolutely insane.
It was bad enough with Edward Snowden,
but at least he had a little bit more of a track record
of having access to this stuff.
Yeah, but that's what they're saying.
The difference is that Ed Snowden was a whistleblower, right?
Or Chelsea.
They did that for whistleblowing purposes.
Whereas this guy's just an idiot.
Yeah, it's this guy.
So what they say they're charging him with?
It was unauthorised retention and transmission of national defence information.
Yes.
Yeah, we know what lawyers are like, right?
They say these things in different words.
Yeah, they do, yeah.
The Lord agreed.
Your Honour, I'd like to put forward the charge of this man being made of erectile tissue.
Exactly. Or whatever the Latin word is for...
Erectus giganticus.
So, Tom, I get that you're ranting and you're angry and I appreciate your rants.
I'm still a bit unsure. Are you ranting about the youth doing youthful things
or are you more ranting against the military
for having poor access control and management?
Both.
All of the above.
All of the above.
So, yes, poor access control.
There should be better controls on what they can and can't do with this stuff.
And secondly, I am ranting at what the youth does, because really, he's joined the National Guard. He should know what he's there for. So unless he's a Russian plant, in which case, okay, he's bloody good at his job. He's probably 37 years old, you know, Roshenko, Litvinenko, whatever, who just happens to look like he's 21,
you know,
a bit like Channing Tatum in 21 Jump Street.
But,
you know,
maybe he's a plot.
I don't think so.
It doesn't sound like it.
What the hell?
How could he possibly think that was okay?
Yeah.
He's,
yeah.
I'm going to take Jav's silence as, as consent.
Oh, wow. No, uh, no, no. Yeah, what I meant is don't apply that principle that my silence means consent. It just means I'm too hungry to think of something appropriate to come back to you with.
Oh, great.
I'm glad we invited you on this episode, Jav.
Anyway, that's my rant of the week.
For goodness sake, you know,
Department of Defence, sort your act out.
And young people who sign up to the armed forces
to do stuff like this.
Really? Really?
Rant of the Week.
This is the podcast the King listens to.
Although he won't admit it.
Do you know what the problem is, that these, uh, so what's... It was 21 years old, but that's, that's Gen Z. Gen Z, right? So...
Oh, yes.
They've always been, you know, they've had technology around. Do you recall, in early 2000s, um, Claire Swires of Norton Rose, that email chain
where she
had an email chain with a guy
he basically sent a joke about
a guy walks into the sperm donor bank wearing
a ski mask holding a gun
and it's like a whole joke anyway she replies
to it and she says lucky I swallow
so that won't be happening to me
and then he replied back and he was like
you know not all the time, I hope.
And she said, you know, I haven't swallowed for years,
but yours was yum yum and like this whole thing.
And then this guy sent it to his mates and said,
now that's a nice compliment from a lass, isn't it?
And then one of his mates said, like, you know, this beggars belief,
I feel honor bound to circulate this.
And he sent it to everyone in his address book.
And then it kind of spiralled from there.
And this is where I first learned of Norton Rose as a law firm.
But the point is that Gen Z have never been through this consequences of,
you know, oversharing to the wrong people, you know,
stuff getting out of control.
Okay. So when you join the Air Force,
do you not think they sit you down and go,
when something's top secret, do you know what that means?
That means you can't share.
I reckon they do in most countries,
but I just have this feeling in the US they're like,
you know, this is the pointy end.
Don't point this in your face.
This is the end that goes bang.
Yeah, exactly.
Yeah, but so I
don't think that it's
fair to say Gen Z don't
haven't suffered the consequence I think
this is a generation that has more like targeted
repercussions with like revenge
porn and things like
that so I think there is
a lot of that still around
but it's just more targeted and more
like active bullying as opposed to the
previous one, which was just like, Hey everybody,
look over here and the whole world's looking and pointing and laughing,
but not necessarily in a personally attacking way or.
Yeah, fair enough. Yeah. No, fair shout.
He's still an idiot.
Still an idiot. For goodness sake, he's in the Air Force. Even if he is a weekend warrior, he's in the Air Force. He should know. What was that, what was that meme you shared, uh, Andy? That was like...
Oh, crikey. That could be one of hundreds of thousands.
Why don't you try and narrow it down a little bit?
No, there was one about someone posted something like,
oh, this is the first war I'm seeing in my lifetime.
Oh, yes.
Between civilised nations.
And then someone replied saying,
what about America's two invasions of Iraq?
And he goes, I don't consider America to be a civilised nation.
Yeah, exactly.
Harsh.
But fair.
Yeah.
Right, Jav, I can see you warmed up and ready now.
So, you know, let's bang your gum shield in,
take your silk dressing gown off and push you into the ring with this week's.
I've got two balls this week.
So the first one is actually taken from a talk done by the director of the Information Systems Audit and Control Association, ISACA,
Serge Christiaans, who spoke at Singapore's Smart Cybersecurity Summit this week.
And he drew an analogy of cybersecurity with the airline industry.
And he goes, up until the 1990s, the number of fatal commercial
jet accidents was growing. But around the turn of the decade, the number of flights continued to
rise while the number of fatalities began to drop. And according to one analysis, it was basically down to not stop blaming the pilots.
So it shifted from a blame culture to a just culture, as they say.
A just culture.
Yeah.
In a just culture, errors are viewed as learning opportunities instead of a moral failing.
So, you know, something just happened as opposed to like,
let's find a scapegoat for this.
So it created transparency and enabled constant improvement.
So people weren't scared to report when they've done something dumb, right?
Yeah.
Or scared to make certain decisions in case they got blamed for it.
Yes.
Yeah.
Yes.
And this actually ties in nicely.
There was one of Malcolm Gladwell's book.
I can't remember which one.
Outliers maybe or something like that.
But he speaks at length about cultures and how that affects pilots and airplane crashes.
And he was talking about, I can't remember, in China or something.
No, it was a Korean.
It was one of the worst.
Yeah, Korean was one of the worst.
Yes, exactly.
It was two aircraft on the runway.
Yeah, and what it was, the co-pilot always felt scared
to directly challenge the pilot.
Oh, yeah.
In fact, it was the co...
Yes, in fact, and the engineer as well, because it was a larger aircraft.
Yes, there was three in the cockpit. Both the co-pilot and the engineer felt they couldn't question him.
Exactly. And, and they said, well, when these planes are designed by Boeing, they don't take that into consideration. They're like, everyone's an equal in the cockpit. Therefore everyone, everyone's voice will have the same impact.
And so the culture really does, you know, play a big part in it.
It's all well and good saying, okay, we're,
we're going to not have a blame culture,
but changing that and turning that around in different places around the
world can, can mean different things.
But I agree with the point.
I think far too often people are looking for, you know, the smoking gun or like looking for a 21 year old to blame for, you know, the leaking of sensitive information as opposed to like, OK, it's a just incident.
Like, you know, don't be a Tom, basically.
That's the moral of this story.
Yeah, so point the finger.
How about we just change the fact and not put bloody 21-year-olds
in the presence of top secret documents?
Maybe.
Just saying.
So what about we give them to, like, 70-year-olds like Donald Trump?
I'm sure he'll take far greater care of them.
There's probably a bell curve here where there's an optimum place,
an optimum age that you can give them to, right?
Yes, yes.
And in the words of Joe Biden, I think this is one of the...
OK, so...
LAUGHTER
Something, something, something, black and tans.
Yes.
Oh.
The second story is the headline is
while Twitter wants to sell its verification,
Microsoft will do it for free on LinkedIn.
So as Elon Musk tears at Twitter's credibility
by demanding businesses and individuals
pay for their blue verification checks,
hey, there's nothing wrong with that.
Okay.
Microsoft is pushing its own free digital ID technology to companies and
their employees on LinkedIn.
So later this month,
Microsoft will let organizations use its verified ID tool to prove their
workers' employment with staff then being able to display that employment
verification on their LinkedIn profiles.
Like the trust, the unpaid for blue checkmark on Twitter
once conveyed, the verified ID on LinkedIn
will show people that on the business focus network,
which has about 900 million users,
they actually work where they say they work.
So by simply looking for verification, members and organizations can be more confident that people they collaborate with are authentic.
So there goes, like, you know, about 600 million bots off the network. Yeah.
Well, so you joke, but that's probably a good reason for them to do this, right? To help get rid of a lot of these bot accounts,
all of these sock puppet accounts.
Yeah, yeah.
I think this is...
Well, yes, and so I like it.
No, I absolutely love the idea.
But who's doing the verification?
Because I think, you know, my last company,
where there's 22,000 employees,
who's going to say, yes, this person works here?
Like, who's going to actually, oh, pay a 21-year-old, obviously.
Yeah, that's right.
Look up the AD.
Does this name exist in AD?
Yes.
Okay, click.
Yeah, that's all you need to do.
Just connect it to your AD and, like, you know,
I'm sure it's going to be part of Office 360 or whatever, Microsoft 360.
M365?
Yeah.
Office 360?
M365, Jack.
Spot the Apple user.
I don't know.
Google user.
Apple and Google business, yeah.
Yeah, Google business.
Sure.
Anyway, I think it's, on one hand, it's a good idea, but on the other hand you've got a whole
bunch of people that don't actually like publicly saying where they work. They've got a LinkedIn
profile, but it's just like, works at Confidential. Confidential, yeah. Yeah. Um, so, so, but I, I think what it is, it's a good move by Microsoft
because I have seen a lot more activity on LinkedIn
since Twitter has been, you know,
all the rats have been jumping ship, so to speak.
So there's been more activity there.
So they have an opportunity to create more out of it
and become the de facto sort of, like, professional social media network or whatever.
I don't think you'll ever actually replace Twitter. And while we're talking about Twitter, I'll sneak
in a third Billy Big Balls here. Um, Jesus, Twitter now go to the doctor with three balls. Twitter's
now announced their subscription service. So as a creator, you can offer people subscription to your...
Wait a second, I thought Twitter already had a subscription service. I thought that's what the
blue tick was. No, no, no, that's... No. So you can get... So people need to pay to read your tweets. Not all
of your tweets. So, so there's tweets you can put out for free, and then there's, like, paywalled tweets
that only your subscribers...
So if you two could just subscribe to my feed,
that would be excellent.
That would pay for my Netflix.
I'll get right on that.
And I think Elon,
I saw something yesterday,
I think he first said that for the first year,
anyone that's doing it,
they're not going to take a cut off it.
It would just be,
all of it will go to the creator.
Also, how do I not believe him whatsoever? He's going to change his mind in two months, because he's
going to see, you know, you keep a metric buttload of money going through Twitter which he's not
getting. He's going to go, oh, this is such a success, we, we need to accelerate this. But let's take our cut. You say that, honestly.
If you saw the BBC interview and I shared with you a clip
and you didn't say anything, surprisingly, Tom.
Well, I got annoyed halfway through because Musk was horrible.
No, he wasn't.
He was asking a fair question.
He was horrible.
The reporter said there's been a rise in hate.
And he goes, OK, do you have any examples?
Well, no, I don't.
So it was like, that's the sum of it.
So he's like, you come up with these accusations,
and then you don't bring any of the receipts.
And I think that's a big, big failing on behalf of that reporter.
Yeah, it was, absolutely.
But Musk is still a horrible man.
No, he's not.
He turned the situation to his advantage.
I think that was very well played.
That doesn't mean he's not a horrible man.
He's done nothing horrible to me.
It's made you pay to use Twitter.
Yeah, I'm pretty sure Hitler didn't do anything to you either, Jav.
You know, if we're being sort of accurate.
When you have to bring
Hitler or the Nazis into
an argument, you've already lost.
Yeah. Alright,
I'll replace Hitler with Pol Pot.
Stalin. I don't know.
Whoever you are.
Brilliant.
Thank you, Jav, for our
triple whammy of...
Billy Big Balls of the Week.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell the difference
between us and a premium security podcast anyway.
And talking
of arses,
Andy, what time is it?
It is that time of the show where we head over
to our news sources over at the InfoSec
PA Newswire who have been very busy bringing
us the latest and greatest security news from around
the globe.
Industry
News
Latitude Financial refuses to pay ransom.
Industry News
KFC owner discloses data breach
Industry News
US scrambles to investigate military intel leak
Industry News
Ethical hackers could earn up to $20,000 uncovering ChatGPT vulnerabilities.
Industry news.
Rapid7 has good news for UK security posture.
Industry news.
Superyacht maker hit by Easter ransomware attack.
Industry news.
Pakistan-aligned hackers disrupt Indian education sector.
Industry news.
Over 20,000 Iowa Medicaid members affected by data breach.
Industry news.
Five arrests in crackdown on $98 million investment fraud gang.
Industry news.
And that was this week's...
Industry news.
Huge, if true.
Huge.
Jav, would you like to comment on that story about the...
He did.
...Pakistan-aligned hackers disrupting the Indian education centre?
I did.
What's your critical insight on this?
Well, I'd assume, given the literacy rate in those
countries, they probably just took down one server and that was it. Oh, all right. Moving swiftly on.
Yeah, yeah. Thank God he made that joke and not us. OK, Andy. Uh, so I'm looking at the five
arrests in crackdown on the $98 million investment fraud gang. That is,
like, even with my bad maths, that's nearly
20 million each, right? If you split in 100... You split 98 million five ways, that's, um, it's a fair...
I mean, how long would you do in prison for 20 million? And bear in mind these are financial
crimes, so it's like white collar, it's pretty... Yeah, but they'd lose the money, right? It's not like, pay me 20 million and I'll do six months or whatever. Yeah, but it's... Well, unless they've
embezzled it already, right? Yeah, but they'll, they'll claw it back somehow, won't they? I don't
know. I don't know. I mean, they'll close down a couple of high street phone shops and stuff like
that. Yeah, or there's American candy shops.
All those American candy shops.
Yeah.
Yeah.
So there is actually a story.
So the KFC owner disclosing the data breach story, right?
And this is a US fast food company.
Yeah.
So Yum owns all these companies. They've been sending out breach notification letters to individuals from an event that happened in January. However,
I'm not going to talk about this story because this is just reminding me about something else,
because I did not know that KFC and Taco Bell and Pizza Hut were owned by Yum until like,
you know, recently. And the reason I found out was because the reason this group owns them all
is that it was to do with Pepsi getting into
the market. I think you shared this with me, isn't it? Yeah. So Pepsi couldn't compete with Coke in the
old days, right? And so what Pepsi did, the way they did it, was they actually acquired, um, through, like,
these brands, um, KFC and Taco Bell and Pizza Hut, and then replaced distribution of
Coke. So it was cheaper for them to buy these chains than it was to try and compete with Coke
on a, you know, purely marketing level. Market... And then... That's genius. Absolutely genius. And over time
what's happened is that KFC, Taco Bell, Pizza... That's why you tend to see them all together on the same complexes.
So Yum then realised it was easier to set them up close to each other
on the same land, so they're only paying for the land once, right?
Rather than sort of paying for different premises,
like spread out all over the place.
They combine them all together.
But it all came about so Pepsi could break into the market.
Absolutely genius.
But isn't it funny how whenever you go somewhere and you ask,
I'll have a Diet Coke, and the people behind, if they've got Pepsi,
it's almost an apology.
I'm sorry.
I'm sorry.
We've only got Pepsi.
Is that okay?
Yeah.
And how Coke has sort of gone into the vernacular now,
whereas Pepsi just hasn't.
And it will forever play second fiddle to Coca-Cola.
Yeah.
I just find that...
I actually prefer Pepsi.
I'll just put that out there.
Pepsi Max is my diet drink of choice.
Diet drink?
No, Jav, I didn't think you drank diet drinks.
I don't normally, but, you know, if I have to,
or if, like, a special occasion or something, then I'll have it.
If he's trying to lose weight.
Yeah, I was going to say, yeah.
Jav's trying to keep himself in shape.
What?
You know,
when all your
medical illnesses
like start creeping
up on you
all at once,
then,
you know,
you sort of
have to talk.
Creeping up on you?
I think they body slammed
you from behind,
didn't they?
Pretty much.
They snuck out
from under the ring,
chair shot,
back to the head.
What are you going to do about it? Standing over your,
your body lying on the floor.
Oh dear
So I want to know what Rapid7
And why they've got good news
So I'm actually going to click on the link and have a look
Because that's how much I care
About these stories. Uh, uh, they have reduced exposure to high-risk ports. And, oh, okay, so
basically Rapid7 has done a quick scan and said that companies are reducing their attack
surface. Yeah, okay. Well, that's disappointing.
I bet they reached out to our InfoSec PA newswire as well
and said, hey, if it's a slow news week,
we've got a story for you.
Let's get our name in the headlines.
Yeah, if you've already run the dead donkey story,
we've got this one for you.
Yeah.
Superyacht maker hit by Easter ransomware attack.
And this is like a noted maker of luxury yachts,
founded in 1875, German shipbuilder Lürssen.
What?
I'd have to check up on my order in that case.
I know, I know.
They make an annual revenue close to €2 billion.
And, you know, so they were hit by ransomware.
And this just reminded me of this other thing I heard of.
And I can't remember which brand it was.
It was Rolls-Royce or Maserati or one of those.
Ferrari.
Ferrari.
Ransomware recently, yeah.
No, no, no, no.
It's one of these high-end sports cars
that go for, like... Ferrari's not high-end enough for you? Sorry, okay, I forgot I was speaking... No, no,
but they, they get, they go for, like, quarter of a million starting basic, yeah, so, or, like, half a
million. And they stopped showcasing their cars at car shows because they were just so expensive,
and, you know, compared to, like, oh, you can get a,
you know, something for 30 grand, which is, you know, not as fast or as good looking, but it,
it's pretty comparable. So then they started advertising at superyacht shows, because
compared to a 5 million or 10 million pound superyacht, your half a million pound car seems like a bargain.
And they started to get more deals that way.
I think a 10 million super yacht is technically just a yacht.
Yeah, yeah, okay.
100 million super yacht, whatever, I don't know.
I don't know.
Jav doesn't check the prices of these things, Tom.
No, I don't.
I just put it on my tab.
Yeah, exactly.
If I have to ask the price, then I
obviously can't afford it.
My money manager, Don King, says it's all in there.
Don King.
Well, that Don King fella,
he's got to have a job ever since he stopped throwing
those barrels down those slopes, didn't he?
Excellent. Well, well, let's...
A thrilling round-up
of news there for this week,
all of which we took
completely seriously.
Industry News
You're listening to the award-winning
Host Unknown podcast.
Like a real security podcast,
but lighter.
And let's hope we've got a lighter note
to take us home, Andy,
for this week's...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week
is more career advice via,
what do we call them, influencers?
I don't know, people positioned on LinkedIn.
And so this week's tweet comes from Death Pirate,
and he has taken a screenshot from LinkedIn.
And this screenshot from LinkedIn is from Dr. Richard Diston.
And Death Pirate says,
in today's issue of Charlatans of
Cyber Security, don't ever be this guy. And what he's done is posted, uh, Dr. Richard Diston,
with a sub-headline, I build REAL security leaders. Uh, he's, like, real in capital letters.
In capital letters, yeah, just to emphasize that. Real security leaders. And he gives
this piece of wisdom: Another day, another fucking pen tester who thinks they are a security
practitioner, talking about an industry they do not understand and concepts they prefer to interpret
rather than learn. This one wants to advise high schoolers about a career in cyber. A career that won't exist in about five years or else be
unrecognizable from what we have today, but they aren't smart enough to notice. My advice would be
to stay in school, study hard and get a different career not populated by IT tossers who cannot stay
in their lane. I suggest carpentry, something actually useful. Pen testing is actually just quality
assurance for IT. Not as sexy when you call it what it is, eh? What?
So, I mean, he has issues. I'm guessing he doesn't like pen testers. Uh, I see where he comes from on
that, that angle. Well, they're expensive. But there's no reason to go for the jugular like that.
What does he think about pens testers, though?
Oh, now that's where it's at.
That's where the money's at, man.
But, I mean, pen testing has been around since I can.
I know it went commercial, but at least like, what, 2005?
Oh, at least.
Probably longer. I mean, it's not going away anywhere soon. I, I mean, obviously learning carpentry is a skill highly
recommended as well, because, you know, those guys make money. But there's money in cyber as well at
the moment, and whether or not you like that it's called that, that has entered vernacular
and people understand what you mean when you talk
about it. Yeah. And also, quality assurance for IT, yeah. I mean, God, I mean, if IT just did it properly
in the first place, they wouldn't need pen testers, right? Well, exactly. I mean, I mean, okay, yeah, you can say it's a form of assurance.
It is, yeah. But, you know, it's like pen testing, like you said, it's its own term now and everyone
understands it. And, and, you know what, pen testing has changed over, over the years. Like you see, like,
you know, before it was, like, a bit unstructured, but then you've got, like, you know, CREST, CREST, and
you know, you've got all these defined methodologies in place
and, you know, web app and then infrastructure and testing.
CBEST for financial institutions.
And, you know, a career that won't exist in five years.
I think he needs to.
Yeah, good luck with that because developers are still going to fuck up.
Yeah, yeah, exactly.
Wow. Dr. Richard Diston, if you're listening, because I'm sure you are, because our listenership is far and wide, please come on the show and defend this.
But frankly, I think it's indefensible. And I think this is just clickbait.
It's just the attitude, yeah. And I actually saw someone post this on LinkedIn,
and they said that because they disagreed, they ended up getting blocked and their comment deleted
by Dr. Diston. Oh, for fuck's sake. Well, there you go. I think that sums it up entirely. If you're gonna,
if you're gonna go out there with stuff like this, be prepared to defend it. Yeah, you know. Oh, dear me. Dear me.
Well, that wasn't
as fun as I thought.
What can I say
except you're welcome.
Well,
marvellous, marvellous. We have
breezed through. Actually, no, we haven't
breezed through. We've been on here for 50 minutes.
This is quite a long one.
So if you're still with us at this stage,
I apologise. Jav was obviously
particularly chatty with the hunger.
But yes,
Jav, thank you very much
for your fine contributions
this week. Yeah,
you're welcome.
Thank you, sir. Stay secure, my friends. You've been listening to the
Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it,
please leave your best insults on our Reddit channel, worst episode ever, r slash smashing security. God, Jav dragged that one out with,
didn't it just last week or the week before
he was telling me that I take up too much time
with today in InfoSec?
Yeah, and there he is with his three stories.
I know.
Oh, guys, I'm too weak with the hunger
to do anything this week.
Na-na-na-na-na-na-na-na-na-na-na-na-na-na-na.
Shut your pie holes.
That's what we were saying to you.