The Host Unknown Podcast - Episode 151 - Like Mould it Grew Back
Episode Date: May 12, 2023

This week in InfoSec (09:16)

With content liberated from the “today in infosec” twitter account and further afield

11th May 1997: Deep Blue Defeats Kasparov in Tournament Match

The IBM computer and artificial intelligence Deep Blue defeats reigning chess champion and one of the greatest chess players of all time, Garry Kasparov, in the 6th and deciding game of a tournament match, thus becoming the first time a computer defeated a chess champion in match play. A year earlier, Deep Blue had bested Kasparov in 2 individual games but Kasparov eventually won the match 4-2. This time, after being reprogrammed and upgraded, the 1997 Deep Blue, capable of calculating 200 million moves per second, won 2 matches out of 6 vs Kasparov’s 1 victory and 3 draws. After the defeat Kasparov asked for a rematch but IBM declined and retired Deep Blue.

The defeat of a reigning chess champion at the hands of artificial intelligence made headlines around the world and marked a milestone in the development of AI and machine learning. From this early landmark moment, the advancement of computing power and machine learning has created even more powerful artificial intelligence. Kasparov in 2016 stated that “Today you can buy a chess engine for your laptop that will beat Deep Blue quite easily”.

9th May 1996: Linux Gets Happy Feet

Linus Torvalds describes in an e-mail to a mailing list his conception of what he believes should be the logo for the Linux operating system. This is what soon becomes Tux the penguin, the “brand character” for Linux. Perhaps had he known the movie Happy Feet would be released a little over 10 years later, he would have chosen a Warbler instead.

Rant of the Week (15:24)

Twitter rolls out encrypted DMs, but only for paying accounts

Twitter has launched its 'Encrypted Direct Messages' feature allowing paid Twitter Blue subscribers to send end-to-end encrypted messages to other users on the platform.

End-to-end encryption (E2EE) uses private and public key pairs to encrypt information sent over the internet so that only the sender and the recipient can read it.

The private decryption key is only stored on the sender's device and is not shared with anyone else. However, the public encryption key is shared with others who want to send you encrypted data.

As the private decryption key is only stored on the local recipient's device and never stored anywhere else along the way, such as on the messaging app's servers, even if someone intercepts the message, they won't be able to read it without the decryption key.

End-to-end encrypted DMs on Twitter have been a sought-after and massively requested feature that was teased and retracted in 2018.

Last November, mobile researcher Jane Manchun Wong noticed that the source code of Twitter for Android hinted at work towards implementing an E2EE system, with Elon Musk all but confirming the suspicions.

Almost half a year later, Twitter officially announced today the availability of an encrypted messages feature on the latest version of the Twitter apps for iOS and Android and on the web platform.

Based on the details in the announcement, which mentions using a device-generated private key and a centrally-provided public key, Twitter has implemented an asymmetric encryption scheme.

Billy Big Balls of the Week (23:18)

India to send official whassup to WhatsApp after massive spamstorm

India's IT minister Rajeev Chandrasekhar will ask WhatsApp to explain what's up, after the Meta-owned messaging service experienced a dramatic increase in spam calls.

India is the largest market for WhatsApp, with over 450 million users – many of whom have in the last couple of weeks received plenty of spam calls from overseas. Many of the calls involve fake job offers, usually with a request to negotiate the gig on a different messaging platform – which makes tracking the perps harder.

The timing of that spam storm is intriguing. On May 1, Indian carriers were required to implement AI-powered spam call filters. As The Register reported in November 2022, the AI-infused system was developed after a blockchain-based spam-buster bombed.

Might scammers have turned to WhatsApp after conventional carriers hardened up?

Whatever the exact reasons for WhatsApp being whacked, Chandrasekhar is not happy about the amount of spam it's carried. He told local media his ministry will send a "please explain" missive to WhatsApp.

HP https://twitter.com/dcuthbert/status/1656926678096986112?s=20

Industry News (30:35)

Only 39% of IT Security Decision-Makers See it As Business Enabler
CISOs Worried About Personal Liability For Breaches
EU's Client-Side Scanning Plans Could be Unlawful
NextGen Healthcare Data Breach: One Million Patient Records Affected
Spanish Police Arrest 40 in Phishing Gang Bust
NSA and Allies Uncover Russian Snake Malware Network in 50+ Countries
Twitter Hacker Admits Guilt in New York Court, Extradited from Spain
NCSC and ICO Dispel Incident Reporting Myths
Threat Actors Use Babuk Code to Build Hypervisor Ransomware

Tweet of the Week (39:15)

Tweet of the Week is the part of the show where everyone chooses a tweet they like. It could be a funny tweet, an interesting tweet they’ve read, educational, amusing, or useful, whatever they like.
It doesn’t have to be security-related necessarily. [Better not be!]

https://twitter.com/InternetH0F/status/1656624723395051530

Come on! Like and bloody well subscribe!
Transcript
So is Jav back from Indian jail yet?
Absolutely. Unfortunately, yeah.
He's, I say unfortunately, it's been great having Graeme here the last few weeks.
Jav is back from Indian jail and he's been fully rehabilitated.
It's not so much, Joe.
And it was just a big misunderstanding.
They are wonderful, wonderful people.
I just realised that sarcasm is a bit like electricity.
Half India just doesn't get it.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us and welcome. Welcome one and all to episode, I've lost 150.
Is it? No, it's 150 today, isn't it? Or is it 151?
It's 155.
Whatever episode it is, we've all lost count now.
Welcome one and all to this hundred and something episode of the Hosting the Lone Podcast.
And welcome back, Jav.
Thank you.
How are you?
How was prison for you?
Special guest starring Javad Malik.
Our regular host, Graham Cluley, was unavailable this week.
So standing in at short notice is Javad.
And Carole still refused to come on.
I don't blame her.
I don't blame her. I don't blame her.
In fact, I think that's called a restraining order now.
Yeah, against us, not her.
Yeah, exactly.
I'll tell you what really brought me back.
A little birdie told me that somebody's gotten older.
We've all gotten older, Jav.
Okay.
Some of us are ageing quicker than others, let's be honest.
How does that work?
Really?
How does that work?
You added another ring to your waist.
That's not far wrong.
That's not far wrong.
Yes, if you cut me open, there's an extra ring there.
But no, so I actually have a surprise here
that we did receive a very touching story
from the Duchess of Ladywell.
Oh.
Jav, do you want to hit it?
Yes, let's go for it.
If I can find the button.
Hello, Jav and Andy.
It's the Duchess of Ladywell here.
I thought as it was Tom's birthday,
I'm not sure that you actually know,
he is actually 40-12 today,
the f*** of m***.
And I think if you're
going to take him out for dinner, you ought to know
what kind of things he likes.
Back
when he was aged three,
he wouldn't eat meat at all.
It was dreadful. Even mincing it up for him, et cetera.
And then one day I saw on his plate that he put all the meat on one side
and had eaten the potatoes and the vegetables.
I said, now, come on, aren't you going to eat your meat?
He said, I'm saving it.
I thought, oh, this is a breakthrough.
I said, is that your best meat then?
Is that your favourite?
Or would it be chicken?
Oh, he said, I don't know.
I don't really know.
I've never had a bear.
Perfectly sensible answer when you think about it.
We eat cows, chicken, sheep, pigs, etc.
So if you're taking him out for dinner,
just bear in mind that he might like bear.
Hope you have a good day. Bye.
Technically correct, which is the best type of correct.
Exactly. Exactly. Always a smart arse.
I still have a vague, vague memory of that.
You know, it's funny,
and it explains why you got
bear for dinner the following weekend.
Yeah, that's right.
The scars healed up about a week,
a week or two later, you know.
that's brilliant.
That's brilliant.
Oh, I'm going to have to have words with my mother.
Can also just point out how well your mother comes across on audio.
And if we could have her, the better Langford, to replace you,
I think this podcast would be far, far better.
You couldn't afford my mother's rates.
No, but she might just do it out of charity.
Yeah.
She's far too busy to be messing around with you two.
She sounds like she's been cleaning up after your mess all your life.
So I'm sure one more round won't hurt.
Oh, dear.
Well, aside from that, Jav, how's your week been?
It's been good.
It's been good.
It's been a short week.
I just flew back in on Wednesday morning and I started work yesterday.
So, yeah, day two of the week.
So it's good.
If all weeks could be like this, I'd be happy.
Yeah, day two, and let's face it, it's Friday, so you don't do anything after lunch anyway, so...
After... you're optimistic that I can even make it to lunch.
Yeah, well, you were late for this, in fairness. Legal team, I'm just joking. I'm going to do my
fully contractually obligated hours.
And you did extra last night as well.
Yeah.
I actually, do you know what?
I've had a bit of a result this week.
Oh, yeah.
Managed to upset one of my sisters and, you know, made the other one happy.
I found a very good flight deal to Mauritius.
Yeah.
And I said, look, these are the dates. It is the only
dates that this deal works for. Take it or leave it. And one of my sisters said, no, can't do that,
don't go without me. I said, sorry, but for this price, every man for himself. So it is
changing in Jeddah on the way, so it's not a direct flight, but it is £1,400 business class from London to Mauritius,
which is cheaper than BA's direct premium economy.
Wow.
So it is a no-brainer.
It is locked in.
And, yeah, unfortunately, it only works on those dates.
So yeah.
When do you go?
I shall be off in the end of October.
Nice.
Yeah.
So it'll be...
Going back to your roots.
Heading back home.
Get some paperwork sorted out.
Are you going to finally sell your land or take ownership of your land,
which has been used as communal dumping ground or something?
Yes, I am.
Well, he's going to sell the stuff that's on it first.
Well, no, no one wants to buy jackfruit trees.
It's kind of like a, you know.
I've got a couple of old cars on there.
I was going to say, the old cars, the stained mattresses.
I just love the confidence with which Andy says,
believes that he's going to be able to go
and in one trip sort it all out.
I'm efficient, right?
Forward planning.
I'm one of these, you know,
when you just visualise something and it comes true.
It happens to me all the time.
Everything works out for me.
He has a very dull imagination, but besides that, I think I'm going
to wake up this morning. That was your birthday week. Did you get out and do anything
interesting? Well, I went out for, well, a business dinner on Wednesday, but that was still
very nice, and one of my colleagues arranged for them to sing happy birthday to me
and all stuff like that.
So that was both embarrassing and lovely all at the same time.
So that was very good.
That's what you get on TGI Friday, sir.
Yeah.
Exactly.
I kept on getting sort of dazzled by all the badges they wore on their braces.
Helping another friend out with some IT problems,
shifting him from one laptop to another.
That was Tuesday night.
So that was fun.
But, yeah, very quiet, actually.
Going to have dinner with my kids tonight.
And then that's kind of it, really, birthday-wise,
which is fine, because as we know, as we get older,
we try and avoid talking about them, really, don't we?
So for today, thanks, guys.
So let's move on, shall we?
Talking of disappointing friends, let's see what we've got for you this week.
This week in InfoSec is somewhat lost on Jav.
Why didn't we keep Graham on?
Rant of the Week proves that Elon isn't finished with us yet.
Billy Big Balls is India's take on WhatsApp.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week is straight from the Internet Hall of Fame.
So let's move on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the "today in infosec" Twitter account or further afield, and this week we have
gone much further afield, and it is extremely disappointing to have you back, Javad, because
this is something that would fall under Mr Cluley's specialist subjects in Mastermind.
He's definitely a bailiwick.
Yeah.
So, I mean, the last couple of weeks, it's been great having Graham here talk about,
you know, being on the front line of these great historic viruses in our time.
And as we all know, one of his other subject matter expertise, besides, you know,
peeing in the middle of the night is actually
around chess, and, you know, his good buddy Kasparov. So I was actually hoping for some,
you know, sort of side stories on that. So, yeah, unfortunately, you know, we were going back 26
years to the 11th of May 1997 when Deep Blue defeated Kasparov in a tournament match.
And this was IBM's computer and artificial intelligence Deep Blue,
which defeated the at the time reigning chess champion,
one of the greatest chess players of all time, Gary Kasparov,
in a sixth and deciding game of a tournament match,
thus becoming the first time a computer defeated a chess champion in match play. And, you know, a year earlier, Deep Blue had actually beaten Kasparov in two
individual matches, but at the time Kasparov did eventually win that match four-two. But, yeah,
after being reprogrammed and upgraded, the 1997 Deep Blue, which was capable of calculating
200 million moves per second, won two matches out of six versus
Kasparov, giving it one victory in three draws.
After the defeat, Kasparov did
ask for a rematch but IBM declined
and retired Deep Blue.
They couldn't afford it for us. They probably couldn't afford
the electricity bill.
To keep coming up with those computations.
But I can stand in for Graham here a little bit
because he told me about this and he said that one of the reasons
why Deep Blue won was because it gave the impression
that it was human, which threw Kasparov a bit.
And the reason for that was they put in random pauses,
random length pauses between the start of its turn
and when it made its decision.
So it had actually made its decision in like a second and a half,
but then it would leave it a little bit longer,
a little bit longer, a little bit longer,
and then make the move. Yeah. And so it gave this indication of consideration
and, you know, deeper analysis rather than just a mechanical, you know, move, move, move. Yes. So, yes,
the other theory that I read about this at the time was, at the time, I mean later, was that there was a bug in the code on the first match where Deep Blue won.
And the glitch prevented Deep Blue from selecting the optimal move.
And it selected a random one.
And again, Kasparov misinterpreted that as a sort of deeper strategy
that it's going for. Interesting. So whatever it was, it was more of a psychological play that,
yes, affected Kasparov, as opposed to the technicalities of the game. So, well, if I've
learned anything from watching the Queen's Gambit on Netflix,
it's all about the psychology of it.
Yeah.
It's like poker.
You don't play the cards.
You don't play the hand.
You play the man.
Exactly.
Or woman.
Or woman.
Person.
Yeah.
Okay.
Before we lose Jav again for another three weeks of rehabilitation,
our second story shall take us back a mere 27 years to the 9th of May 1996, when
Linux gets happy feet. So Linus Torvalds described in an email to a mailing list his
conception of what he believed should be the logo for the Linux operating system, and this is what
soon became the Tux penguin, or, you know,
pretty much the brand for Linux.
And perhaps he had known the movie Happy Feet
would be released a little over ten years later.
And had he
done that, he would have probably chosen a
warbler instead.
A warbler?
What's a warbler?
Have you not seen Happy Feet?
No. Okay.
Save it for the younger generation.
You know, Tom, do yourself a favour.
Watch Happy Feet with surround sound.
It is beautiful.
Really?
Yeah.
I think I probably did have it on when the kids were young and I fell asleep because you know what it's like with the young kids.
You don't get much rest. So maybe that's what happened. Maybe that's what happened. Excellent. Thank you,
Andy, for this week's This Week in InfoSec. If good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
And nominated in many, many categories,
I should hasten to add.
Oh, indeed.
European Blogger Awards.
Yeah, the timing of Jav's return is actually quite convenient.
Jav, we need to have a word.
Oh, yeah.
Because you're on the judging panel, aren't you?
Yes.
As Graham pointed out to us.
Okay, let's move on to the shouty part.
Listen up!
Rant of the week.
It's time for mother f***ing rage.
In another example of let's read their headline
and just fake outrage straight away,
Twitter rolls out encrypted DMs, fantastic,
but only for paying accounts.
Well, just when we thought Elon Musk was done with us,
he obviously isn't.
He's flexing his muscles massively here,
or however big his muscles are.
So Twitter has launched its encrypted direct messages feature
because, as we know, for the longest time,
DMs were not encrypted.
It wasn't a secure way of communicating.
But what it does is it allows Twitter blue subscribers
to send end-to-end encrypted messages to other users on the platform.
So as we know, end-to-end encryption, very, very handy.
It means it can't be, or if messages are intercepted,
they can't be decoded. They can
only be decoded on your device itself, stored only on the device. And so it's not shared with
anyone else. So even if the feds went to Twitter and asked for what communications have been sent, they would not
be able to provide it. This is overall a great thing, except for the part that it's just rolled
out to part of the Twitter user group. So Andy and I were talking about this before. How does that
work when you are, if, if us, you know, Andy and I, as mere Twitter mortals,
were to communicate with Jav as part of the Twitterati
with his blue tick, which part is encrypted?
Is it just, is it our messages to him or is it?
Is it going to be one-sided conversation?
I would hope so.
I would hope so.
I would hope that mine are encrypted and you guys self-incriminate.
This is where it's time to put your money where your mouth is, security pros.
Oh, if only so-and-so provided this security, I'd be happy to pay for it.
Well, now's your chance.
I have to say I have been thinking about it, but I'd never told Jav that.
I'd never given the satisfaction.
Oh, crap, he's on this week, isn't he?
But it's an interesting point.
I mean, it is something that is needed.
It's something that is table stakes.
But I think the problem that I have in the rant here is that Elon's not really following any kind of sort of strategy or plan.
It feels like much of what he's rolling out,
much of what he's doing is very knee-jerk reaction
and just do this, do that, do the other.
If there was a plan, if there was a, okay, in nine months,
everybody has to pay for Twitter and it's
going to be X amount, but here's what you get. Here are the benefits. You don't have to start
paying now. You can start using this time to move onto alternative platforms, but for the time being,
you're fine. But as you pay, as you start to pay, you're going to get these added benefits as opposed to creating what seems to be like a rift between the free users and the sheer volume of people that are using it, et cetera,
what it's doing is alienating people rather than actually giving them time
and opportunity to consider what's doing and actually understand
what's happening rather than waking up and finding out that, well,
their stuff isn't encrypted but other people's is.
So it just seems
this is the part I struggle with is there's there's that there doesn't seem to be any kind
of plan here whatsoever. I don't see what you're struggling with, Tom. It wasn't your Twitter
deems weren't encrypted before and they're still not encrypted. Nothing's changed for you. There's
nothing to complain about. In fact, I think this
is a great strategy. This sounds like the Jerry Maguire strategy. Fewer Twitter users, better
quality of service to those paying Twitter users. Jerry Maguire was a film. Yes. Not a business. That's why I didn't get my MBA. Very good, very good. I know, I do, I understand it, I do understand it, but it's that kind
of thing. It's a bit like the, we're switching off 2FA, you know. Yes, they switched off the
right kind of 2FA, in the fact that it was the least secure, etc.
Oh, no, they're switching on 2FA.
Sorry.
I can't even remember now.
Jeez, it's such a mess.
That's part of the problem.
It changes everything.
This is the thing.
You've got no idea.
You can't second guess what they might do next.
No, I can't invest in them as a platform
because I don't know if it's going to be worth my while
because something's likely to change in the future.
You know, you remember the movie Airplane?
Yeah.
And they're coming into land.
Airplane, what is it?
No, hospital, what is it?
It's a big building where sick people go.
That's not important right now.
I know.
And they say, maybe we should turn on the runway lights now, and William Shatner goes, no,
that's exactly what they'd be expecting us to do. Because he's like this ex-Vietnam sort of
like vet, and he's like all about, if you're predictable, the enemy knows where you are,
what you're going to do next. So he's always about being unpredictable. That was Airplane Two, the one on the moon. Yeah. Was it? Okay, it was Airplane Two then. But with the doors,
with the sliding doors that you had to open by going... Yeah, but this is what, this is what, this is
the ethos of Elon Musk right now. It's like, don't let him guess what your
second move is. Don't be predictable. You know, so he's like keeping everyone guessing, and it's,
it's a fun game if you've got money to burn. Absolutely. But what is it, how much did it cost
a month, Jav? What is it, seven? Less than, less than 1,400 to fly to Mauritius. Yeah, well, most things in this world are less than that.
But yeah, was it?
Is it 699 or something like that?
I don't know.
I just paid for a 10-year subscription up front in one go.
What?
Did you say 10 years?
Yeah.
No.
10-year subscription, as if.
A one-year subscription.
It was like 100 and something quid or something.
I just reached into the back of the sofa where I put the kids' money box
and just took some money out of there.
Where I put the kids' money.
Okay, so this week's rant is pivoting onto
why is Jav paying for Twitter for a year at a time?
Anyway, thank you.
That was this week's...
Rant of the Week.
30% nostalgic.
30% ranty.
30% ballsy.
And 30% terrible at maths.
You're listening to the award-winning
Host Unknown Podcast.
Okay, Jav, loosen up, do your stretches. I know you haven't been in this hot seat for a little
while, so get yourself ready. As I'm going to try and do it in the best way that Tom did it in the beginning,
India to send official whassup to WhatsApp after massive spam storm.
So the great nation of India, their IT minister, Rajiv Chandrasekhar,
the right honorable, very good gentleman. He will go and ask WhatsApp to explain what is up after they have experienced a dramatic increase in spam calls.
So India is currently the largest market for WhatsApp, with over 450 million users,
and many of them in the last couple of weeks have received plenty of spam calls from overseas.
Many of the calls involve fake job offers, usually with the request to negotiate the gig on a different messaging platform, which makes tracking the perps harder.
Yeah, I mean, maybe next, what will happen next?
Maybe they'll start getting spam calls from Microsoft or something about their car warranty.
Anyway, the timing of the spam is intriguing. On 1st of May, Indian carriers were required to implement AI-powered spam call filters.
Because that won't go wrong at all, will it?
Yeah, yeah.
So it basically appears like maybe conventional carriers, because they've sort of like started blocking stuff for now, they've
just moved to WhatsApp. And whatever the reason, they're not happy about the spam that
is being sent to them, and the ministry will send a "please explain" missive to WhatsApp. And, yeah, I think this really is a Billy Big Ball.
The audacity of the Indian government to send this kind of thing
after they are probably one of the largest brokers of spam in the world.
I mean, who has not received a call from an Indian call center?
You know, that claims to be from Microsoft or Amazon or your bank or something like that, that just goes in, and you
know, if you follow, like, YouTube accounts like, I can't, was it Ben Browning or I can't remember
the name, but you know the ones that they... Oh, the scam traps. The scam traps that they do.
And, you know, they're all based in it.
He finds out where they actually are, which building they're based in.
He acts into their CCTV, hands all the information over the police and everything.
And local police are just paid off and what have you.
So I believe as as the term goes, I think it's called karma.
So the thing I like about this is the AI-infused system was developed after a blockchain-based spam buster bombed.
You don't say.
Yeah.
So let's move from one buzzword to the next.
I know, I know.
How does blockchain help spam filtering?
No idea, no idea.
There was just too much to unpack,
which is why I glossed over that part.
Yeah, exactly.
In case anyone asked any questions.
Yeah, and because I've been away for two weeks,
here's a second bonus Billy Big Ball of the week.
And this is brought to you by hewlett packard or hp
and they've sparked fury fury i say after a recent firmware update which blocks customers
from using cheaper non-hp ink cartridges in its printers uh before uh if you put in a third party
one it would just say um you know oh it's a it's a non-approved print non-genuine
non-genuine but now um if if you use anything without a hp chip uh it would just refuse to
print and the company said that this is to reduce the risk of malware attacks saying third-party
cartridges that use non-hp cartridge chipsP cartridges can pose risks to the hardware performance, print quality and security.
I'm not sure.
And, you know, as you both know, I'm not massively technical on this front.
I'm not sure I've heard of a printer cartridge attack vector. No, it's not something that
I think anyone in the world has ever heard of, other than the PR department of HP trying
to justify why they're blocking third-party cartridges. I've seen printers be hacked so they can run Doom, because that's what hackers
do, right? But to suggest that by inserting a print cartridge you can then spread malware
onto a network, I... well, I'd be fascinated to see that research, wouldn't you? Well, I say I'd be, you say
you'd be fascinated, but if you went to a talk where someone's explaining that, it would go
completely over your head. Yes, it would go completely over my head, but what I would take
away from it is, is this possible? I don't, I'm not sure it is. And, you know, any of you fancy-pants, you know, hackers and breakers out there, just let us know.
Is that true?
Is that possible?
Just message Quentin after this.
Oh, no, yeah.
Yeah, Quentin.
He's probably done it.
And he works for them.
No, he works for Canada.
He works for their competitors.
Same difference.
They all charge, right?
It's Quentin.
Who's still printing in this day and age?
Or is this the other Quentin that runs security for HP Europe?
Yeah, exactly.
There's basically a clone.
There's clones of them.
They all work for all the same sort of companies.
Wow.
Is that a big balls move or just a dick move?
I think it's definitely a dick move.
Maybe we need another section on here.
Anyway, excellent.
Thank you, Jav.
Billy Big Balls of the Week.
People who prefer other security podcasts are statistically more likely to eject USB devices
safely. For those who live life dangerously, you're in good company with the award-winning
Host Unknown Podcast. And statistically, those of us who like to live dangerously
also spend less time alive.
And talking of less time, see what I did there?
What time is it, Andy?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry news. Only 39% of IT security decision makers see it as a business enabler.
Industry news. CISOs worried about personal liability for breaches.
Industry news. EU's client-side scanning plans could be unlawful.
Industry news.
Next-gen healthcare data breach.
One million patient records affected.
Industry news.
Spanish police arrest 40 in phishing gang bust.
Industry news.
NSA and allies uncover Russian snake malware network in 50 plus countries.
Industry News. Twitter hacker admits guilt in New York court extradited from Spain. Industry News.
NCSC and ICO dispel incident reporting myths. Industry news.
Threat actors use Babuk code to build hypervisor ransomware.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Huge.
Huge.
So this CISO's worried about personal liability for breaches.
That's got to be, what's his name, Jake Sullivan?
Yeah, well, probably since that event.
Yeah.
The old Uber CISO.
So, I mean, they're kind of saying that CISOs want insurance to protect them.
Just don't do dodgy shit.
Also, companies want insurance
as well. A lot of companies can't afford
cyber insurance.
Let alone the CISOs
themselves. But if you don't do
anything dodgy, and
incompetence isn't dodgy, that's just
incompetence, right?
If you don't do anything dodgy
and lie about shit,
then you're almost certainly not going to be sent down for it.
Yeah.
Would be my opinion.
Yeah.
Stressful joke.
Tom, are you worried about personal liability for breaches?
Well, I can't afford the insurance, so why worry about it?
Oh, dear. You've got nothing to come after you for.
No, exactly. They can have the house that I don't own anymore.
I'll come for your Lego next.
Yeah. Oh, okay, okay, maybe I should start to save a few pennies for the insurance then.
Take it brick by brick.
I'm looking at the NCSC and ICO dispelling incident reporting myths. So this is them saying that keeping a cyber incident quiet makes other attacks more likely and ultimately makes everyone less secure. So therefore, in a rare joint blog post, the two authorities came together in an attempt to dispel some of the common myths around incident reporting.
That does look interesting
Because I wonder what they base that on
So they're saying the six commonly held misconceptions about incident reporting are: covering up an attack means that everything will be okay; reporting to the authorities makes it more likely the incident will go public; paying a ransom makes the incident go away; if an organisation has good offline backups, they won't need to pay a ransom; if there's no evidence of data theft, organisations don't need to report to the ICO; and all organisations will be fined if data is leaked.
So apparently these are commonly held misconceptions.
That actually sounds like a good and sensible list
for us all to think about.
Yeah, except they used a really bad analogy.
They say, imagine that you come home from work
and you find your house has been burgled.
Instead of reporting to the police and seeking support,
you quickly tidy everything up and carry on as if nothing had happened,
hoping no one would find out without investigating further.
The next week, your neighbor is burgled too,
although you might not know about it because they didn't mention it.
And the burglars return to your place again
because you didn't spot that the window is still unlocked,
so it's easiest for them to get back in.
And I think a lot of the reason why people don't report physical stuff like home burglaries or car accidents and stuff is because then your insurance goes up.
Well, yes, this is very true. This is very true. And also you report it and the police go, okay, here's your crime reference number.
Yeah, exactly, exactly. Unlikely to do anything. It's non-violent crime, it's low value, we're under-resourced for this.
Yeah, yeah. So the problem with this, and this happens in organisations and also at the NCSC level and what have you, is they have reporting features available. So if you have a phishing email you can forward it to them, like phishing at NCSC.org or something like that. There's also the text message one. But it just goes into a black hole. So while I do not doubt that it helps them, we need to find a way to let people know how their contributions have helped, otherwise...
To close the loop on it.
Yeah, to close the loop on it.
And I think that's where the challenge comes from.
I mean, it's all well and good saying, oh, you know,
report and it'll help others, but hey, show me, you know,
that how, you know, when I shared some information,
you're able to take down a botnet or whatever it might be.
Well, it's a simple thing.
Like, have you noticed on your council tax in the last few years they now break down exactly where your money's going? 23 goes to policing, 10 goes to this. You know, it's not perfect, we all still think we're paying too much, but at least we know where it's going to.
Yes. You know, you understand conceptually,
you understand that these things cost money,
and therefore this money is going towards one or, you know,
this range of things.
It's the same thing.
You know, conceptually, I know that my one report isn't going
to make a difference, but if I can sort of, you know,
understand where it is in the bigger picture,
it's going to help people actually connect with the problem
in the first place.
Absolutely. Absolutely. I agree with you, Tom Langford.
Bloody hell. I'm glad we're recording.
Happy birthday.
Happy birthday.
That's your present.
Yeah.
Anything else here?
Ooh, hypervisor ransomware.
That seems to be a little bit of a topic
du jour at the moment especially with the
ESXi vulnerabilities
Look at Tom chucking in technical phrases
that he's been making up on his internal briefings
Tom you like this one
Certain build numbers in ESXi version
6.7 are vulnerable
Oh god I wish I hadn't clicked on this one now.
Former employer mentioned in the...
Or an adjacent.
Only 39% of IT security decision makers see it as a business enabler.
And this is a report from Delinea, where our good friend Joe Carson works.
And I thought it's interesting, like, about,
because this is something you've been speaking about, Tom, for years.
For decades.
Yeah.
Literally decades.
Like, you know, the job of security is to help sell more beer.
I mean, like, you know.
Yeah.
How can it not be a business... Well, it's good. Well, I'm not going to go there, because otherwise I'm going to hand out all my talks for free on this program, on this show, as opposed to the normal fee that you...
Yeah, my normal free fee.
Yeah. Excellent, excellent, very good. Thank you very much for this week's...
Industry News.
We're not lazy when it comes to researching stories.
No, we're just energy efficient.
Like and subscribe to the Host Unknown podcast for more ESG adjacent tips.
And talking of energy efficient,
let's move to Andy now.
And our favourite part of the show,
the part of the show that we like to call... Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
Indeed, Tweet of the Week is the part of the show
where everyone chooses a tweet they like.
It could be a funny tweet, an interesting tweet
they've read, educational, amusing or useful, whatever they like.
It doesn't necessarily have to be security related.
It better not be.
Indeed.
And this week's Tweet of the Week is an old one and it's in the Internet Hall of Fame from Rob Perez,
who says,
"$10 million right now in your hand, but there's a catch: a snail is chasing you for the rest of your life, and if it touches you, you die a terrible death. The snail cannot be killed. It knows your location at all times and its only purpose is to find you. Are you taking the $10 million?"
Yes. Yes, I'll take a tenner for that.
Oh, that's brave. So, Tom, you actually think you can outrun a snail for the rest of your life?
Well, I mean, it depends if I've stretched in the morning or not. But, well, no, for 10 million, sure. Oh, well, you know, you can surely just get on a yacht or a cruise liner. And like, what's the snail going to do, swim across the sea after you or something?
No, crawl underwater. It's fine. Salty. The snail cannot be killed, so therefore it would just crawl along the seabed and then swim up, get onto your boat and kill you in your sleep.
But if you're constantly moving on the boat?
Well, then it's just got to arrange an intercept vector.
So now we're assuming the snail can do complex physics.
So as you dock in Costa Rica, the snail is waiting for you
as you step off.
Yeah, there you go.
There you go.
You get into the office and it spins around on the chair.
I've been expecting you.
I'm just going to eat a lot of eggs and then use the shells
and crush them up and surround myself with them.
It cannot be killed.
No, but it could be slowed down.
It could be slowed down. I would go to my parents' hometown in Pakistan. It's a place called Khewra, and it's on a salt mountain. It's salt. I would just dig a hole, dig, dig, dig out the mountain and build myself a fortress within that. How is it going to crawl across a salt mountain?
Because the snail cannot be killed.
Yeah, but for the Americans, this is a "salt mountain", with a space, not to be confused with "assault mountain", which I know is where all your minds went.
Yeah, I'm up on a salt mountain.
Yeah. Wow.
I'd certainly take the dollars anyway
not the pounds
Well either way
10 million dollars
10 million pounds
they're not too far off
Yeah exactly
Exactly
Excellent
Thank you very much
for this week's...
Tweet of the Week.
So we have stumbled, fallen and crashed into the end of the show
like we normally do, utterly unprepared for the entire thing
and suddenly realise it's all over
and thinking we could probably have done a better job.
So, Jav, thank you very much for your contributions today
and your special guest star appearance.
Yeah, you're welcome.
It's good to be back on my podcast.
Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/SmashingSecurity.
That was a slow, painful one, junkie, with the... Oh, shit, he's still here.
Did you just call Jav a junkie?
Clunky, junkie, jagged, it was...
Painful.
Painful.
Yeah, we'll get Graham back next week.
Jav, do you want to take another break?
Well, who did he insult this time?
I can't remember. You did insult somebody this time.
I have never insulted anybody.
Wasn't it women this time?
I'm sure you did.
I did not insult women.
I'm sure you did.
I'm sure I thought along the way
you'd be put into a feminist re-education camp.
Right, switch off his mic
before he says something
that really gets us in trouble.