The Host Unknown Podcast - Episode 150 - Yet Another Intern
Episode Date: May 5, 2023

Vote for us here! -> https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

This week in InfoSec (08:15)
With content liberated from the “today in infosec” twitter account and further afield

3rd May 1978: Earliest known case of spam. Gary Thuerk, a marketing representative for Digital Equipment Corporation, sends out an e-mail promoting an open house for the company’s latest computer systems to 393 recipients on the ARPANET, a precursor to the modern Internet. While this number sounds small by today’s standards, this was all the ARPANET users on the west coast of the United States. Given that this was an unsolicited commercial e-mail, it is now considered the first of its kind. In other words, the first spam message well before the term was coined. It brought a quick and negative response from many users and Thuerk was warned by ARPANET administrators that mass mailings were not an acceptable use of the network. The backlash notwithstanding, the open house was largely successful with over $12 million of DEC equipment being sold. I guess it was better to ask forgiveness than permission in this case!
https://nakedsecurity.sophos.com/2008/05/27/spamreg-or-spam-whats-in-a-name/
According to Hormel’s SPAM® FAQ, the name was dreamt up by a chap called Ken who received a $100 prize for his efforts. Hormel says that we have to thank him that we’re not all eating Crinkycrinky or Canned Flappertanknibbles.

29th April 2004: The Sasser worm is released into the wild, infecting over 1 million Windows XP and Windows 2000 computers worldwide. Although the worm did not have an intentionally destructive payload, it caused many computers to slow down or crash and reboot repeatedly along with clogging up network traffic.
Among the effects of the worm, the British coast guard had to resort to paper maps for the day, a French news agency lost satellite communication for hours, Delta Airlines had to delay or cancel many flights, and the University of Missouri had to disconnect its network from the Internet. (GC: Memories of Sasser? 🙂)

Author Sven Jaschan. German kid. Also created the Netsky worm. Bragged about it to his schoolmates.
Following his arrest, Microsoft said that they had received tip-offs from more than one source, and that the $250,000 reward for identifying the author of the Netsky worm would be shared between them.
https://en.wikipedia.org/wiki/Sven_Jaschan
Got off very lightly as he was underage when the virus was written - just given 30 hours community service. No fine.
Went to work the next day as normal.... which was as a developer for a German cybersecurity company called SecurePoint. In retaliation, the anti-virus company Avira officially halted its cooperation with Securepoint.

Rant of the Week (17:12)
Cloudflare Q1 Earnings Call Transcript
https://www.linkedin.com/posts/mattfivesixpartners_pretty-brutal-takedownthrowing-under-the-activity-7058819871119175681--ULh/?utm_source=share&utm_medium=member_ios

Billy Big Balls of the Week (28:46)
graham@grahamcluley.com Feel free to talk about anything you want which might fall into the category of big ball energy as you don’t need to be spoon fed like the other muppets I work with.
Joe Sullivan.
https://www.washingtonpost.com/technology/2023/05/04/sullivan-sentencing-uber-executive/

Industry News (37:56)
UK Gun Owners May Be Targeted After Rifle Association Breach
T-Mobile Reveals Second Breach of the Year
Hackers Exploit High Severity Flaw in TBK DVR Camera Systems
Bitmarck Halts Operations Due to Cybersecurity Breach
Dark Web Bust Leads to Arrest of 288 Suspects
Three-Quarters of Firms Predict Breach in Coming Year
Apple and Google Unveil Industry Specification For Unwanted Tracking
US Authorities Dismantle Dark Web "Card Checking" Platform
Consumer Group Slams Bank App Fraud Failings

Tweet of the Week (46:48)
https://twitter.com/joshlemon/status/1654268564160020482

Come on! Like and bloody well subscribe!
Transcript
So, Andy, I think last week's intern didn't really hit the mark.
I don't think they particularly worked well for us.
Mea culpa, that's my bad.
But I have been on to the agency and they've sent us someone else.
Ah, awesome, awesome. Let's get cracking then.
You're listening to the Host Unknown Podcast.
Hello, hello and welcome to episode 150 of the Host Unknown podcast.
My name is Graham Clu...
Whoa, whoa, whoa. Andy!
You're listening to the Host Unknown podcast.
Hello, hello, hello and good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 154 of the Host Unknown podcast or 146 as Graham often joins in.
He's, you know, like snapping at our heels, like trying to join in on the joke and not quite getting it.
Graham, welcome. How are you?
Hello. Oh, well, it's a real pleasure to be here. It's been a long time.
It has.
I'm delighted to be back again.
Well, it's funny. We just joined this morning and realised you didn't disconnect from last week.
I've been stuck here.
God knows what you've heard all week.
To be honest, it's been the best conversation I've had for seven days.
It's been wonderful.
But yeah, Jav still
hasn't shown up, has he? I know.
I was going to say, I did dip in and out on the
channel. I'd go,
guys, guys, are you there?
Oh, come on. I know you're joking.
So seven days, not bad.
But yes, Jav,
your marvellous buttocks,
Graham, have fitted neatly into Jav's,
into the shape left by Jav's buttocks on the seat
that you're currently in.
I mean, I like Jav, but I don't know that I like him that much.
But anyway, I mean...
It's the shape of Jav.
Isn't that a song by someone?
Isn't that a cheering song or something?
We don't want any copyright issues going on.
Let's not.
Allegedly.
Is that right?
Is that a thing to say?
I don't know.
So, Graham, have you been keeping well this week?
And thank you, I should say, for coming back.
I'm amazed.
It's rare we get people on twice in a row.
He didn't believe it was that bad last week
he had to come back and double check
yeah Carole wasn't available again is that right
it's right yeah yeah she wasn't available
yeah I was going to say we barely get Jav back two weeks in a row
let's face it
I think just have a rotating door now for the third place.
I mean, it is.
I mean, you could get anyone.
I'll be like, Have I Got News For You when Angus Deayton got caught
with the marching powder up his hooters.
You know, you could have, who could you have on?
Brian Honan, he'd be good.
You could have Frank Bough.
You could have Wincey Willis.
I don't know.
You could have all sorts of people come on and do the show.
Mr Motivator.
Yes.
We're aiming for a different demographic, I think.
Yeah, you're going one direction.
One direction.
We actually need one direction.
Yes, yes.
That's right.
Anyway, I'm pleased to be here.
It's been a strange old week.
The number of people who've come up to me and said,
hey, I heard you on the Host Unknown podcast has been quite, quite...
In the tens.
I can't begin to tell you what that number was.
Because I lost count after one.
Yes.
I could round it up probably to a round number,
the ultimate round number.
But anyway, so, yeah, pleased to be here.
Pleased to be here.
Jolly good.
And you've had a good week generally,
apart from being hassled about your appearance on our show.
Oh, yes, yes.
Wonderful, wonderful, yes.
Yeah, we put out an episode of Smashing Security,
an alternative.
Not as good as you guys because I saw that you've been nominated
for an award again.
We have.
We have.
In many of the same categories as you, I believe.
Well, I don't think I'm in as many categories,
or smashing insecurities in any categories.
That's because you weren't as shameless as we were
when we nominated ourselves.
Well, possibly not.
And, of course, my co-host isn't actually a member of the judging panel.
But anyway anyway that's
This is true, this is very true. Hey, you've got to work with what you've got, Graham. It's, uh, what's, what they call that, you know, nepo babies? What are they called? Nepo babies, yeah.
Yeah, you gotta, it's all about connections, Graham. Yeah. You should know this by now,
and, you know, now you're reaching your twilight years.
You should have realised.
Well, he does look charming, charming.
He doesn't even turn up to his own podcast recording,
so, you know, you are bloody well out.
So, therefore, how can there be a conflict of interest?
Good point, good point.
I just need to sabotage this recording
so you definitely don't win.
That's all right. Your mere presence alone, Graham, is helping that.
Andy, what about you? Have you been getting on?
Good. I actually think it's been a very productive week.
So obviously it was bank holiday in the UK on Monday.
And so I've crammed five days' work into four.
And I think that we're on to something with a four-day week.
I think so.
I think it actually works out.
Everyone seems to be quite productive this week in terms of realising
there's time to make up.
Well, in all seriousness, every experiment that's been run on it
in recent times says exactly that.
People are happier and are more productive.
I mean, why wouldn't you be?
Well, they did say that Thursday was the new Friday
for going out and drinking.
Maybe Wednesday now becomes the new Thursday.
Then Thursday becomes unproductive, yeah.
Yeah.
I think employees are happier.
I'm not sure if the companies are happier.
Well, productivity is up, as I understand, from the probably no doubt biased reports.
Why don't they take this to the logical conclusion then and see if
productivity further increases
by maybe not
getting people to do any work at all.
I was going to say cut it down to three days a week.
Yeah, well, begin to make that.
I mean, it sounds blissful, to be honest.
I'd be really productive at finally getting around
to cleaning my kitchen and stuff like that.
Yeah.
But talking of productivity, how was your week?
What side gigs did you complete this week?
I had a rare week at home this week.
I've been working from home this week rather than up in London.
So that was very nice.
So I've been to the cinema twice.
So I saw Rise of the Evil Dead on Wednesday night.
That was good.
I enjoyed that.
It was executive producers Sam Raimi and Bruce Campbell, and if you know, you know.
Yes. All right.
So, yeah, that was very good. It's good fun. And then last night I saw Guardians of the Galaxy Volume Three, which is superb, I have to say. I really, really enjoyed it. Very moving, very funny, very, um, engaging. So, yeah, I would highly recommend it. James Gunn is definitely on the ascension in these regards. So, yes, it was very good, very good.
So, talking of things that are surprisingly fun, let's see what we've got coming up for you this week. This Week in InfoSec takes us back to a sassy time. Rant of the Week takes leadership lessons from Cloudflare's CEO. Billy Big Balls is about the former CISO of Uber. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week is some lawyer talk.
So without further ado,
let's go on to our vaguely familiar favourite part of the show.
The part of the show that we like to call...
This week in InfoSec.
Love that music. Love that music. So it is that part of the show where we take a stroll down infosec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And this week we have gone further afield, and our first story takes us back a mere 45 years to the 3rd of May 1978,
which was the earliest known case of spam.
And this is caused by a guy called Gary Thuerk,
who was a marketing representative for DEC,
the Digital Equipment Corporation.
And he sent out an email promoting an open house
for the company's latest computer systems to 393 recipients on the ARPANET, which was the precursor to the modern internet.
And so 393 people probably sounds like a cc list by today's standards, but back then it was a cover-your-arse list, yeah.
Yeah, exactly. Back then it was all of the ARPANET users on the West Coast of the US.
Wow.
And given that this was an unsolicited email,
it is now considered the first spam email.
And commercial in nature as well.
And commercial in nature, yeah.
And it absolutely brought a huge, as you can expect,
quick and negative response from many users.
Were those people replying to everyone else?
Yes. Please remove me from this list.
Yeah. Stop sending. Stop replying to all.
But Gary was warned by the ARPANET administrators
that mass mailings were not an acceptable use of the network.
It's unsure whether or not there was an acceptable use policy at the time,
but I'm sure that this may have also been a precursor to one of those
if there wasn't.
But the backlash notwithstanding, the open house was largely successful
with over $12 million of DEC equipment being sold.
Oh, there you go.
Well, and there you have the reason why spam is still used today.
Yeah.
It's like, this is really bad, but we could make lots of money.
This is not so bad.
0.05% of people, if they buy it, it was worth it.
Yeah, exactly.
If that event was a failure,
I wonder if in some parallel multidimensional universe that spam is just no longer a thing.
Spam is quite literally the tinned meat and the song by Monty Python.
That would be a nice thought, wouldn't it?
Did you know that spam was...
That's where it got its name.
Well, we all know that, yes. You know, spam, spam, spam.
But did you know that spam was not the original name of spam, the meat?
I'm talking about the meat now.
Was it not?
No, it was originally called something like...
I'm going to probably get this wrong.
You'll have to look this up.
It's called something like flapper.
It's called something like...
Don't bring your smutty, you know, smashing security content to our show.
We got plenty of that ourselves.
I think it was called Flapper Tank Nibbles.
I think that was the original proposed name of the spam meat.
Come on, Andy, do your magic.
You're normally multitasking in the background.
So we could now.
Flapper Tank Nibbles.
Not nipples. Nibbles.
Nibbles.
Nibbles with a B.
So Flapper Tank Nibbles.
So we could now be running, rather than anti-spam solutions,
we could be running anti-Flapper Tank Nibbles solutions.
Oh, God, I hope that name is real.
I really hope that name is real.
I'm pretty sure I'm right about that.
We don't get this quality of information and story, you know,
with Jav on the show, do we?
No.
Well, spam's not halal, so, you know.
Well, this is true.
This is true, yeah.
But alas, our second story takes us back a mere 19 years
to the good old time of 29th of April 2004,
when the Sasser worm was released into the wild,
which infected over 1 million Windows XP and Windows 2000 computers worldwide.
And although the worm did not have an intentionally destructive payload,
it caused many computers to slow down or crash and reboot repeatedly,
along with clogging up network traffic.
And among the effects of the worm, the British Coast Guard had to resort to paper maps for the day.
The French news agency lost satellite communication for hours and Delta Airlines had to delay or cancel many flights.
With the, well, is it the biggest of all?
The University of Missouri had to disconnect its network from the internet.
The horror in 2004.
But it was speculated that the author Sven Jaschan?
I don't know.
Sven Jaschan, I think it was.
Sven Jaschan.
So he reverse engineered Microsoft's patch for the LSASS vulnerability that was actually released earlier in that month in order to create that worm, and, um, knowing that most computers would not have been patched and it would spread quickly, he released the worm on this day, which was his 18th birthday.
And some people need a hobby.
Well, what was lucky for him was that the German government determined that he had actually written the worm
when he was 17.
Yeah.
So he was found guilty of computer sabotage
and tried as a minor.
Yeah.
Instead of an adult.
You only got...
You must have something on this.
Oh, yeah, yeah, yeah.
This is back in my hero.
Were you the person at the front that kicked his door down?
Were you there with the German authority?
No. He also wrote...
Ashton, Ashton, motherfucker!
So, yes, Sven Jaschan, he was a teenager.
He was going to school.
He wrote both Sasser and he wrote a very prolific email worm called Netsky,
which spread around via email attachment back in the day.
And, of course, he couldn't help himself but brag about it to his
schoolmates. That's where it gets you. And it turned out Microsoft had issued a $250,000 reward
for information leading to his identification. And what do you know, some of his schoolmates
grassed him up. And so he was arrested, but he got off really lightly, as Andy says. He wasn't 18 when he wrote it, so because of that, apparently, that helped him get off, because he only got 30 hours community service.
What, didn't get a fine or anything?
Yep. Hugely damaging couple of viruses, caused lots and lots of damage, got off it because of his age. Um, I think times probably would have changed a little bit now.
Maybe the other thing was he was working, or no, because he became notorious when he was arrested, there was a German cybersecurity company called SecurePoint which announced that they were hiring him. They said, oh, isn't this wonderful, he's a talented... We're going to get him in.
And there was another antivirus firm called Avira.
They're still going, or they got bought by somebody.
Anyway, they're still around.
Avira were working with SecurePoint,
and they announced that they were going to cease all cooperation with SecurePoint because they didn't want anything to do with this kid.
Well, you say that, but back then, do you remember,
all hackers were getting jobs.
It was like a badge of honour to hire this hacker.
Yeah.
That's true.
Jav's mate is exactly that, isn't it?
Mitnick.
Kevin Mitnick.
Yeah.
Yeah.
Don't start me on that.
But who's Gregory D. Evans?
He even made a career out of it, didn't he?
The world's number one hacker.
Was he a criminal in the first place?
Gregory D Evans.
He sort of said that he was locked up the same time as Kevin Mitnick
and they were cellmates.
So he had some sort of story which was proven incorrect.
I mean, there was a lot about what Gregory said.
Everything he published was proven false, allegedly.
Yeah.
But, I mean, he traded on it for a while.
He sort of built a company and took some people's money.
Yeah.
Wow.
Wow.
Okay, excellent.
Well, thank you, Andy, for this week's...
This Week in InfoSec.
People who prefer other security podcasts are statistically more likely to eject USB devices safely. For those who live life dangerously, you're in good company with the award-winning Host Unknown podcast.
All right.
Time now to move on to the ranty-shouty part of the week.
It is time for...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
And so you've both heard of Blame the Intern, right?
There's been a few sort of notable companies that have done this.
Equifax, FireEye, SolarWinds.
Yeah, exactly.
We've now got a slightly new version of it
where the CEO of a company, Cloudflare, who do a bunch of stuff on the internet, um, they recently had, um, a sales call, and their CEO managed to say all the quiet stuff out loud.
Um, so bottom line is that, um, they said they've had a, you know, it's not, it's not been too bad a, you know, a period. Um, they've made money, they've got a third of the Fortune 500 as customers, blah blah blah. He then goes on to talk about, mixing his metaphors, about, you know, fish jumping into the boat and tide going out and stuff like that.
Isn't that what Eric Cantona spoke about?
Yeah, exactly. The sardines which follow the trawler or something.
Seagulls.
Exactly.
And then he says, but at the risk of mixing water in metaphors,
as the tide goes out, you get a clear view who's not wearing shorts.
And I reread that a few times.
I'm trying to work out, is it a good thing if you're not wearing shorts? Is it bad? Because if you're not wearing, if you, if you're not wearing shorts, that means you're either in your underpants or you've got trousers on, and either way that's not great for business. But if you are wearing shorts, or did you just get naked in the first place?
Yeah, exactly.
I'm not sure. So, you know, man's obviously slightly confused, and then talks about the macro and economic environment
gotten harder, blah, blah, blah.
And we see some on our team who aren't dressed for work.
It's either because they're in their pants or shorts or trousers.
I can't work it out.
Maybe they need to, you know, hand out waders.
So digging in with Marc, Marc Boroditsky,
the new president of revenue.
Sounds like Hatchet Man to me.
Sales director in any other organization.
Exactly.
We've identified more than 100 people on our sales team
who have consistently missed expectations.
And that's not, you know, that's not, if you've got, you know,
500 people on your sales team, 120%, you know, standard bell curve, which we, you know, maybe
we kind of get that fair enough. And it does go on to sort of say, just to put that into context,
you know, those 100 plus people contributed approximately 4% of annualized new business sold over the last year.
So, you know, there were some challenges with these people.
There's no doubt about it.
So what they decided to do is, well, he's not said make redundant or fire.
They're quickly rotating out those members. I don't know whether they're not. You know when just before you do, what is it, not hide and seek
or something, but you spin somebody around with a blindfold on.
Maybe that's what they're doing to confuse them
and get them to sign something.
As they rotate them out.
Business speak for, look, we're just getting rid of them.
And they're rotating out those members of our team
who've been underperforming and bringing in new with sales people
who have a proven track record of success, grit,
and strong cultural fits.
Now, I've got a number of issues here.
One, you've just identified anybody who's got Cloudflare
on their CV or LinkedIn in the last year
and is looking for work, you've now basically told the world
that as far as you're concerned, they're lazy, they don't do the job.
So that's not great.
And maybe they do.
Maybe that is the case.
But it's a very public forum which those individuals don't have access to
in which to make that statement.
The other thing to say is
bringing in new salespeople who have a proven track record, isn't that what all salespeople
have on their CVs? So presumably when they were hired, they had a proven track record
because otherwise, why would you have hired them? Or have your hiring process has been so bad that you've just hired,
I don't know, the first person who's got a pulse.
Yeah, they've got lovely hair.
Let's give them a shell suit.
Or what is it, the entry criteria for the British Army,
which is you put the potential squaddie in a locked room with a metal bar,
and if they don't bend it, break it, hurt themselves with it or lose it after half an hour, then they've qualified.
Maybe that's where it is.
I thought you were going to use the American squaddie test
where it's like you put them in a room with a box of crayons
and as long as they don't eat the crayons, it's...
Wow.
So roughly the same then.
Way to annoy members of the military there, Andy.
I'm just going to step back from some of these comments.
No, I'm just going to say, if there are members of the military,
let us know if that's true,
because obviously we both heard those stories from members of the military.
Let's face it, we didn't make those up.
So anyway,
so,
but it's... They'll never be able
to spell our email address,
Tom.
I'm doubling down.
It's a.tv domain.
Come on,
they're never going to get it.
Exactly.
Exactly.
Do you know what?
Those are expensive,
those domains,
.tv.
You boys insisted that we get a .tv.
It's like, Christ, you're not the ones paying for the damn thing.
Anyway, so yeah, I find this utterly outrageous.
Let me ask, where's your rant on this?
So is it because, one, he's talking, like he's mixing his metaphors, or...
There is that.
That's one.
But to me, he has identified underperformers and he's clearing them out.
Absolutely.
And then announcing that on a sales call.
Announcing that on a sales call, basically saying, not, you know, not saying we're pivoting, or we're, you know, we're going to, we're reviewing our sales team and we're going to create action plans
or suggest alternative employment or whatever.
He's basically saying the next 100 people who leave Cloudflare are shit.
And by the way, from what I've said here,
our hiring practices were pretty shit as well.
Or even our culture was so bad that people who joined us
with a track record of success, grit, and a strong cultural fit
had been driven and ground into the floor
because we're such an awful place to work for that they can't succeed.
But don't people who work in sales expect this?
Isn't this the way sales works, is that you can make yourself
a ton of money if you're good and if you get the numbers in,
but it's understood that if you miss your target for so many months
that your job is going to be in peril.
I thought this was the career decision that they made.
My concern is basically, you know, throwing the sales organisation under the bus in public.
Yeah. I wouldn't, would you join a sales organisation with somebody like that?
I could never join sales. I mean, it turns out both my parents were married at the time, so it's, uh, yeah, I don't qualify for sales. But, uh, no, I would never.
One choice. But two, I actually think this is expected. If you underperform consistently, you've got to go.
I'm not suggesting that. I'm just suggesting that in a sales call you're, you're taking down these people and your sales organisation, and your hiring people have no...
Emotions anyway. It's not... Salespeople aren't real people.
Exactly.
Has Cloudflare considered
taking its sales force, dunking
them into a lake,
slowly lowering the level of water
and working out who's not wearing shorts
and getting rid of those people?
This is true.
But that's it. Are they wearing shorts?
Are they not? I don't know.
Should they be wearing shorts?
Well, you know what Cloudflare needs to do?
I mean, I'm not a huge fan of Cloudflare, I have to say.
Oh, okay.
Why?
They've blocked your site in the past or something?
Have you got beef?
They've throttled your traffic.
Did they not pay an invoice?
Cloudflare has a long history of helping very dodgy websites stay online
and protecting them from takedowns.
So you will have, for instance, Booter sites,
which are launching DDoS attacks against people,
protected by Cloudflare in some cases.
You will have far-right and ghastly racist sites and things.
I'm trying to remember what that website was.
4chan or something?
Well, it's 4chan style stuff, which has been protected by Cloudflare.
And Cloudflare has always said, oh, it's nothing to do with us.
You know, we will sell to absolutely everybody.
And you just think.
Well, yeah, they've got to make their sales figures.
They've got to make that 4%.
So I think this is where they need to double down,
is they need to find more and more people who are running vile websites
and be the partner for them.
Sign them up as customers.
I bet there are websites, there are probably websites of lots of men
not wearing shorts who would love to be.
Or wearing leather lederhosen-type shorts.
Well, whatever takes your fancy, Tom.
I mean, it's, you know.
You know, I'm very happy to Nazi shame, but are you kink shaming?
Is lederhosen the kink?
I don't know.
Probably.
Everything's a kink.
The way you said it, it was.
Well, just stop looking at me.
Stop pointing at me.
Can I get out of this conversation?
I can't help it.
The water's gone down and there you are in your leather shorts.
It was cold.
That's all I'm saying.
The water was cold.
I think he missed a trick, though,
because he was doing all these metaphors about going fishing in his boat
and the water and everything.
And then he talks about the macroeconomic.
Shouldn't he have done mackerel economic?
Oh, yes.
I thought you were going to say we're going to need a bigger boat.
I thought that was coming.
Oh, dear.
Anyway, I'm not happy with this.
I think he sees the equivalent of throwing the intern under the bus here.
And like I say, saying the quiet parts out loud, you're right.
Salespeople aren't real people, so it doesn't really matter.
But I just think as a CEO, you've got to word your stuff a bit more carefully than this.
Rant of the Week.
30% nostalgic.
30% ranty.
30% ballsy.
And 30% terrible at maths.
You're listening to the award-winning Host Unknown podcast.
Okay, Graham, I think it's now over to you for this week's...
Graham's Giant Gonads.
Charming.
Lovely.
Lovely to have my own jingle.
Yes, it's the Billy Big Balls.
Actually, before I begin the Billy Big Balls section,
I want to say, while Tom was talking about Cloudflare
and I wasn't listening, I was Googling...
The spam thing.
The spam thing.
And I can tell you that according to Hormel's spam FAQ,
they are the inventors of spam,
the name was dreamt up by a chap called Ken
who received a $100 prize.
Well done, Ken.
Well, it's short for Spiced Ham, right?
Well, yeah, he came up with the name,
but other names for consideration were Crinkycrinky, or, as I said, Flapper, Canned Flapper Tank Nibbles. So there you go. I presume because they were going to be taken to war and it was a bit like having meat in a tank, I don't know. Anyway, you could nibble on them.
But, um, anyway, so I just want, you know, I'm sure lots of our listeners have been hanging on trying to find out.
I want to tell you about my big balls of the week.
I want to tell you who's got the big ball energy right now.
And I think it has to be a chap called Joe Sullivan.
Joe Sullivan.
His name sounds familiar.
Yes.
Well, we might have talked about him a few times before.
We certainly have on the Smashing Security podcast.
He used to be the CSO at Facebook.
In fact, I remember having a couple of phone calls with Joe Sullivan back in the day,
which went along the lines of him threatening legal action if I wrote about various Facebook scams.
It was very aggressive.
I didn't like him very much, and I feel now I'm comfortable saying this.
So he then went on to be the CISO of Uber and other places as well.
But back in 2016, it was found, two hackers actually found,
that Uber's software engineers had left login credentials lying around on GitHub,
which allowed the hackers to access data on an Amazon web bucket
run by Uber. And those hackers stole data about 57 million Uber customers and Uber drivers.
And as you can expect, the hackers contacted Uber, demanding payment for erasure of the data.
And this message arrives on the desk of Joe Sullivan,
the CSO of Uber, and he decides, well, hang on a minute, we don't want this causing too much of a fuss. We don't want anyone telling my bosses that there's been a security breach, which is going to
look bad on my watch. So instead, what we're going to do is we're going to pay these hackers $100,000 in
Bitcoin, ask them to delete the data and keep quiet about the breach, and we'll hush it all up
as a bug bounty. So that's what he did. He actually visited the hackers, got them to sign a
confidentiality agreement in the hope that the news wouldn't become public either outside Uber or
indeed inside Uber too much.
Because there's one thing we know about criminals
is that they respect legal paperwork.
They abide by the NDAs, yeah.
And they know when they're dealing with people of similar criminal minds as well.
Game recognises game.
Uber executives, yeah.
And so it was pretended there was a bug bounty.
And the hackers obviously loved that, getting all that money.
And in fact, they used it as a selling point when they hacked other companies.
They hacked, for instance, lynda.com, if you remember lynda with a Y, the education website.
They said, you know, we've hacked you and we expect a big payment because we've just had another big company pay us close to seven digits.
Here's our reference customer.
Yeah, exactly. Here's a testimonial from someone called Jay Sullivan.
And if you could just sign this NDA, we'll be on our way.
Anyway, a year later, the breach became public, became huge news, Uber breach,
you know, embarrassing, embarrassing. And it was subsequently revealed that Uber's CSO had done this deal
with the hackers to hush it all up, and the prosecutors grabbed it.
And I think that's a pretty ballsy move of the CSO, actually,
to keep his job that way and to keep the company's reputation.
Did he go off reservation when he did this,
or was it with the explicit sign-off and approval of the CEO?
Ultimately, he's been the only person who's been prosecuted on Uber's side.
The rest of Uber seems to have got away with it.
And the prosecutor said, we're not looking at anybody else in connection with this.
So it's unclear whether other people high up.
There were changes in Uber's senior management around about this time.
But certainly the CEO, when it became public, had known nothing about it.
But he said he didn't want, he wanted to conceal the hack from other drivers,
stop them defecting to rivals and keep the money flowing. And prosecutors said, well,
this actually defrauded drivers by holding onto this information. So he kept the hack secret,
his own ego, really Billy Big Balls kind of move.
He didn't admit to failure on his watch.
And he, who by the way, was a former federal prosecutor.
So he's not just your regular CSO.
He knew about the law.
So he knew how to write an NDA.
Right, exactly.
He has just been sentenced to three years probation and 200 hours community service.
He did subsequently, and this is interesting, after Uber, he actually went to work as the CISO at Cloudflare,
where he stayed until the middle of last year when he began to prepare for this trial.
Now, the judge who's just sentenced him said,
if I have a similar case tomorrow,
even if the defendant had the character of Pope Francis,
and I can tell you, having spoken to Joe Sullivan,
that he does not have the character of Pope Francis.
Oh, so he leaves children alone then?
Oh, Tom.
Allegedly.
They would be going to prison, he said, if someone else had done this.
When you go out and talk to your friends, to your CISOs,
you tell them you've got a lucky break, mate,
not because of what you did, not because of who you are,
but because this was such an unusual event.
So it appears the judges said, this is a really weird case.
Normally, you'd have gone to prison.
But frankly, well, how bizarre.
You can just do a bit of community service instead,
which I find personally astonishing.
But I think very big balls of Joe Sullivan.
Yeah.
I also wonder when he applied for the job at Cloudflare,
whether he talked about his proven track record of success,
Griffin, and has a strong cultural fit.
Was he wearing shorts?
That's how I see where the water went out.
So he was ex-Facebook, right?
And so what was the other?
Stamos, wasn't it?
Alex Stamos.
Yes, Alex Stamos.
He went there after falling asleep at the wheel
at Yahoo as well, didn't he?
So he took his
proven track record
to Facebook and then got
caught up in the whole Cambridge
Analytica scandal with all that
data being sold from under his nose.
I hate to be Jav, right?
I hate to be Jav, but if Jav were here
he would right now be saying this is completely unfair
and we can't victim blame.
We can't point fingers at companies who've been breached.
No, no, Jav is the one who does victim blame.
Oh, is he?
I'm playing Jav at the moment.
But I'm just saying, like, so these people must have some –
I'd love to see their CVs because they've got some really just fantastic wording.
Yeah, it just exudes really big ball energy.
People say, do you know what?
Yeah, this person has sold me.
Like this person, like, you know, sat over two breaches, you know,
one at Yahoo, one at Facebook.
I want this person at my company.
And so, yeah, so Joe Sullivan's done exactly the same at Cloudflare.
So whatever they're saying is the good stuff.
Yeah, they impress.
They've got big, large, titanic testicles.
I think maybe that's what your jingle needs to be now.
It's about titanic testicles.
Tom's titanic testicles.
There you go.
That's true.
I could pivot from being angry to just cradling a large pair of titanic testicles every week.
Extraordinary.
Excellent, thank you, Graham.
Graham's giant gonads.
Huge if true.
Not Tom's testicles.
We're not lazy when it comes to researching stories.
We're just energy efficient.
Like and subscribe to the Host Unknown podcast
for more ESG-adjacent tips.
You got your timing there wrong, Graham.
You're crashing jingles again.
What can I say?
Who's pressing the button playing the jingles?
Yeah, me. I can't hear any of them. That's the best part of it.
But talking of poor timing, Andy, what time is it?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
UK gun owners may be targeted after Rifle Association breach.
Industry News.
T-Mobile reveals second breach of the year.
Industry News.
Hackers exploit high-severity flaw in TBK DVR camera system.
Industry News.
Bitmarck halts operations due to cyber security breach.
Industry News.
Dark web bust leads to arrest of 288 suspects.
Industry News.
Three quarters of firms predict breach in coming year.
Industry News.
Apple and Google unveil industry specification for unwanted tracking.
Industry News.
US authorities dismantle dark web card checking platform.
Industry News.
Consumer group slams bank app fraud failings.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge, huge.
Very good.
I don't want to dig into this story, but I always find it amazing
that Apple and Google always still manage to work together
despite hating each other.
But it's actually not – you do find that big companies do –
I wouldn't say secretly work together.
They have mutual interests.
Yeah, yeah.
Aligning.
The enemy of my enemy is my friend, as it were,
and all that sort of stuff.
But yeah, it's like they're constantly at each other's throats,
you know, and real competitors in many spaces
and Apple making it harder for people like Google
to make money on adverts and stuff.
And then they jump into bed together on something like this,
which is good. It's a good thing. Don't get me wrong, but I, I find it.
I, I, yeah, I find it fascinating. Not, not, you know,
it's not that I don't understand it, but yeah, I find it fascinating.
Anyway, Andy, I jumped in on you. What were you going to say?
Well, no, it's given me time to read the T-Mobile beach.
Beach?
Beach?
On the water thing.
T-Mobile USA, they began notifying customers
of yet another breach at the firm.
So the first breach they had was, what,
49 million customers were hit.
And this one is, yeah, I don't know.
I mean, at this point, does it matter?
Like, do you know what I mean?
The data's out there.
That's it.
It's done.
And T-Mobile's been hacked umpteen times in the past as well.
This is just the second this year.
But it's, I mean, this is the thought I was having as well.
When you're talking about Alex Stamos and Joe Sullivan
and these CISOs who oversaw hack, I mean, it's like,
well, all companies get hacked, don't they?
I mean, it's not a matter of when.
Sorry, it's not a matter of if, it's when, isn't it?
I mean, they are all going to be breached.
So I think when you're hiring a CISO, trying to hire someone,
wouldn't it be better to hire someone with experience of handling a breach
than someone who's actually never had a problem, actually?
Yeah, exactly, who's experienced that, because then you've got actual real-world experience, a proven track record of handling breaches that I created.
That's how you... that's how you... Yeah, yeah.
So this is interesting. So there was a headline that three quarters of firms predict a breach in the coming year. So this is like they're actually putting a time frame on when they're expecting to get breached. So I don't know if they're putting it... maybe it's like because it's, you know, sort of objective-setting time in a lot of companies after the start of the financial year. They're sort of saying that, well, we're going to have one breach this year, so, you know, we'll try and keep it down to one.
That'd be my KPI.
Yeah, and quarter three we're going to have a breach.
That particular headline, three quarters of firms, I swear I read that as three quarters of films predict breach in coming year. Like, wow, this is becoming mainstream.
No, well, I think it is so mainstream already that people just don't even care.
Do you know, I think there is an element to that, right? You know, I think there is an element of, okay, so it's out there. What am I going to do? You know, and I've only got so much data, and I've only got so much, you know, so many accounts. Sooner or later they're all out there, right?
Yeah, my Netflix account got, I'd say, hacked yesterday.
I got a notification that someone had logged in from Tunisia
with an Android device.
Ooh.
Yeah, but then I was thinking, actually,
what can they actually get for my Netflix account with that password?
But they could find out what you've been watching.
So if you've been watching, you know, Bridgerton or something,
or, you know, Sex and the City, it could be blackmail worthy
if it was something embarrassing.
Yeah, there's nothing embarrassing on my Netflix, I assure you.
But, you know, I was actually thinking, I first read it, I thought,
oh, God, you know, this message came in like four hours ago,
I should do something.
You know, it says change your password immediately if it's not you.
And it's not a spam one, it's genuine Netflix, right? And then I thought, you know what, my in-laws use that Netflix account as well, and so if I change the password it's gonna be a hassle because I'm gonna have to talk them through, you know, what the new password is. And I was like, you know what, the reason it's a simple password is so everyone can just log into it. It's that easy. And I'm like, so some guy in Tunisia is going to use Netflix.
As long as he creates his own account, I don't care.
Just don't be on it the same time I want to be on it, and we're good.
What, you should troll him, set up a profile for him that says Tunisian guy.
I'll actually do that, yeah.
And just say, look, please, please don't.
Oh, that would be awesome.
And I don't know if you can get stats from Netflix, but see if it's logged into on that one. That would be great.
But yeah, I probably shouldn't have chosen password 1234 anyways, the password. But like I said...
Come on, you should have put an exclamation mark at the end.
I know, I know, I am.
my son uses our Netflix account.
Now, he's only a young lad, right?
I mean, he's not quite a teenager yet.
Should I be disturbed that I see on his recently played list,
he's been watching a series called Too Hot to Handle,
which appears to be some sort of Love Island clone,
sort of pneumatic young people
and in their...
I don't know if they're wearing shorts or not.
I think you should be concerned
not because of the visual
content, but because of the fact that it's
reality TV.
I'm just looking this up.
On the shores of paradise, gorgeous
singles meet and mingle.
But there's a twist.
To win $100,000 grand prize, they have to give up sex.
He's 12.
He's watching this in the bath.
Should I be concerned?
I haven't mentioned it to him yet.
Listeners, let us know what I should do.
Yeah, but he listens to our podcast.
He might not listen to yours, but he listens to ours.
You've just outed him.
You're as bad as that Cloudflare CEO.
I might actually watch this.
It looks interesting.
I'm just looking at IMDB now.
Yeah, not now.
Not now, Andy.
I know you can multitask,
but we need both hands on the desk for this.
Oh, dear.
Another slow news week otherwise.
I think so, yeah.
UK gun owners, there's not that many in the UK anyway.
Maybe targeted?
I don't know.
Who would target?
What?
I think that's just a clever play on the headline, wasn't it?
That was the...
Jolly clever, yes.
Sorry.
I missed it. I missed it.
Completely missed it.
Yeah.
Another slow news week,
which is fine, but come on, people at the PA Newswire.
Let's get some more interesting stuff.
Industry News.
If good security content were bottled like ketchup,
this podcast would be the watery juice which comes out when you don't shake properly.
In a niche of our own, you're listening to the award-winning Host Unknown podcast.
Okay, Andy, why don't you take us home this week with this week's Tweet of the Week.
And we always play that one twice. Tweet of the Week.
And so this week's Tweet of the Week comes from Josh Lemon, and he's actually posted a meme. And, you know, I know we always have this argument, don't post visual memes on a podcast because no one else can see it. However, it does have a text description that I can read out, and this is excellent lawyer speak, I believe. So it's based on the Drake Hotline meme, where, you know, it's a reaction meme where he's sort of shunning one and then, like, accepting another. And so the first one is the phrase: we don't have the logs to see what they accessed.
And that's not a good way of phrasing it.
So what you say is, we have no evidence that this incident involved any access to customer data.
And that's how you rephrase it.
It's so true. It's so true.
You know, it's one of those standard things like, you know, we take security seriously.
No personal financial records were stolen. No credit card data was stolen.
No credit... Yeah, you don't even have it.
Yes, that's right, that's right. So very good, very good. Another visually effective story to end on. Thank you, Andy, for...
And so we have crashed into the end of this show.
Graham, thank you very much.
We might see you next week.
We're not entirely sure.
Graham, can we come back next week?
Will you have us back on next week?
That's right.
This is true.
Hedging his bets in the old awards.
Yeah.
Yeah, that's right.
That's right.
We will put a link in the show notes for voting for the awards.
So please do give all of us a vote.
So that's Graham's Smashing Security, our host, Unknown TV,
and, of course, my TomManker.com.
I'm also up as well as for Tice Talk as well.
So the very diverse and representative Tice Talk.
We've turned a corner on that front.
So, yes, please do vote for us all there,
but give me primarily a few more votes.
Well, start with Host Unknown
and then we'll just see what you feel like after that, right?
I think just be nice to Jav surely is the recommended way
to do well in these awards, isn't it?
Well, this is true.
This is true.
Our entirely independent judge on the panel.
So we shall see.
But yes, Graham, thank you so much for standing in for Carole again.
That was very good of you.
Absolute pleasure. Thank you.
I have absolutely no idea if Jav's back next week or not.
Do you, Andy?
Well, whether we want him back or not, I don't know.
Yeah, just look at the downloads. Try and work out if things have improved while he's been away.
Well, this is true.
This is true.
So, yes, thank you, Graham and Andy.
Thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
So Graham, have you ever had any Host Unknown complaints on your Reddit channel?
Sorry, who?
Well, that's your invoice lost.