The Host Unknown Podcast - Episode 159 - The Organ Grinder Episode
Episode Date: July 7, 2023

This week in InfoSec (11:06)
With content liberated from the "today in infosec" twitter account and further afield

6th July 1995: Simple as 1-2-3: IBM Buys Lotus
IBM completes a $3.5 billion buyout of Lotus Development, the producer of the once-dominant Lotus 1-2-3 spreadsheet software and the then-popular Lotus Notes groupware. IBM had hoped to leverage Lotus 1-2-3 to challenge the increasingly demanded Microsoft Excel software, but alas, there was little slowing down the Microsoft juggernaut during the 1990s. Lotus 1-2-3 steadily lost market share, and IBM finally announced the end of support for the software in 2013. Lotus Notes groupware fared little better than 1-2-3, succumbing to Microsoft Exchange as the dominant groupware platform among large companies, but it remained entrenched among certain corporations for many years under the name IBM Notes. In 2018 IBM sold Notes along with other software products to HCL Software for $1.8 billion. HCL still develops and supports Notes to this day with a focus on security and lower cost as a way to compete with Microsoft Exchange.

1st July 2003: California's data breach notification law went into effect. It was the first US state to require disclosure of breaches of personal info.
California SB 1386 - Personal Information: Privacy
https://twitter.com/todayininfosec/status/1410750152671825925

Rant of the Week (20:12)
Nickelodeon investigates breach after leak of 'decades old' data
At the end of June, a rumour emerged about a major leak from Nickelodeon's animation department. Proof of the alleged data leak started circulating on social media, showing an extensive collection of reportedly 500GB in documents and media files. Nickelodeon has confirmed that the data leaked from an alleged breach of the company is legitimate, but some of it appears to be decades old. The data breach supposedly occurred in January this year and allegedly ended with Nickelodeon blocking the unauthorised access two months later. However, there is no reliable evidence about this. According to some sources, all the files were leaked on a private Discord server, and many of them are being reposted elsewhere.

Billy Big Balls of the Week (28:38)
Study shows 25% of kids' apps violate COPPA.
The researchers at Comparitech analyzed the top four hundred children's apps offered in Apple's App Store and found that one in four potentially violate the Children's Online Privacy Protection Act (COPPA).

Industry News (37:48)
Croydon Council Hit With Enforcement Notice For FOI Fail
Report Reveals Companies Unprepared For Darknet Data Leaks
Security Experts Raise Major Concerns With Online Safety Bill
European Commission to Tweak GDPR For Cross-Border Cases
UK Citizens Wary of NHS AI Use, Citing Privacy Concerns
Nagoya Port Faces Disruption After Ransomware Attack
Suspicious Email Reports Up a Third as NCSC Hails Active Defense
Police Arrest Suspected OPERA1ER Cybercrime Kin
Human Error the Leading Cause of Cloud Data Breaches

Tweet of the Week (48:03)
https://twitter.com/jason_kint/status/1676791388145430528

Come on! Like and bloody well subscribe!
Transcript
So you're going to say monkey and organ grinder or moose and mountie?
Yeah, moose and mountie sounds a bit porny if you ask me.
But yes, this week we do have the organ grinder or the moose, one or the other,
instead of the monkey.
Let's just start.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you're joining us.
And welcome, welcome one and all to episode...
163!
159, that's right.
Oh, thanks, Andy.
Now I'm the one doing the sums.
Yeah, episode 159 of the Host Unknown podcast. Yet another one without the third wheel
in our increasingly inaccurately named troop of three
of Host Unknown, Javad, because he's away again.
He's off.
It's ridiculous.
Yeah, he decided to go to New York for 9-11 to celebrate.
What?
We win.
Sorry, 4th of July.
My bad.
My bad.
Sorry.
That's coming up.
That's coming up.
Happy Independence Day.
Yeah.
Happy.
Yes.
We try to talk about the colonies on July 4th.
Anyway.
So, yes, instead of the intern, we have
the actual one in charge.
The brains behind Smashing Security.
The brains,
the, well,
the driving force,
the character,
everything, all of those other words behind
Smashing Security. Carole, welcome!
Thank you, guys.
Well, a few weeks. But yeah. Oh, since I've been on the show, you mean? Yeah, it's been a long time. No, I've missed you guys. I'm glad to be here. Thanks for inviting me.
We appreciate you slumming it. I know, for you this is like coming to a Travelodge on, like, a long weekend.
It's not, because you take three hours to record, so, you know...
Yeah, this is like coming to a badly run Airbnb. It's a long check-in process.
Painful. Bates Motel. It's expensive. It's, uh, yeah, everything just takes too long.
Anyway, Carole, how are you? How have you been this week?
Um, I'm pretty good, actually, and I've had a really good morning, because, you know, I paint in the morning. Actually, how about I share with you what I did today? Because I did a good painting today.
Do you know what? That would be perfect for a podcast.
Exactly. I'm gonna put it in. I'm putting it in the show notes.
Okay. Oh, well, we'll drop it in the show. There you go. Oh, hang on, hang on, I'm looking now. Yeah. And is this, um... well, you did this this morning?
This morning, yeah.
That's a very productive morning.
Carole is very, very prolific on the painting front, I have to say. I have four, five of your pieces in my flat.
Yeah, you're a very lucky man. I give you art, you give me tech. It works.
Yeah, exactly, exactly. There's a nice little combination. I love it.
Yeah, very good. So, yes, Carole, thank you for joining us. We really do appreciate it. Um, although this is the Smashing Security takeover of Host Unknown.
Sorry, award-winning Smashing Security.
Oh, sorry. If you don't mind, just be mindful as to who's got your awards at the moment and what I'm going to be scratching.
You can keep them. You can keep them to remind you, to give us something to aspire to.
Exactly. You can look at it and go, one day.
One day? What do you mean, one day? You mean last year, the year before, the year before that.
Do you know what you could do? You could do what my brother did. I was a big swimmer as a kid, and he stole my awards one year. I can't remember how old we were, and he scratched out my name on them, right, and kept them in his closet. So, you know, you could do that.
Literally what Tom's done.
Yeah, exactly.
It's too bad the name's so long, Host Unknown, you know, podcast.
Smashing Security, Host Unknown, larger font, it's fine.
It's fine.
We can make it work.
We can make it work.
I mean, it was humiliating, you know, especially as I've been asked,
you know, are you around to pick up in case Smashing aren't there to collect? And I'm thinking, oh, is this a double bluff? Am I being checked to see if I'm going to be there or not?
No, it wasn't. It was quite simply, you know, you've lost, can you pick up the winners, please?
It was a win-win for me to be away, and not away to miss the party, but to have you go and pick it up. It's like an extra icing on the cake that's already perfectly delicious.
I never knew you were so cruel.
I'm not cruel.
I'm just funny.
I've told you.
Tom just enjoys being a cuck.
Oh, listen to Andrew Tate over here.
Dear me.
Blimey.
Just because you don't have a hairstyle.
I can't believe, as I sit here now, and I'm just like, I've been asleep at the wheel. I've always worried about Jav trying to take over my podcast, but now I realize Jav was never the problem. He's like, you know, he'd already written himself out, and every week it's like I'm here with two of Smashing Security's presenters.
The amount of time you spend on that podcast, Tom.
I realised, hang on a second, it's not Graham and Tom, it's Carole and Tom.
And now I'm like, my back's against the wall.
I'm like, what's going on here?
And I let it happen.
I was asleep.
I watched it.
I held the door open.
Well, yes, yes, I was on Smashing this week.
Absolutely.
Were you?
In fact, the week before.
Was it the week before? I can't remember.
Yeah.
So he's on so often he doesn't even know how often he's on.
Was it... am I the second most invited guest?
I think something like that.
No, really? After Dave Bittner?
No, no. Maria?
Oh, so I'm the third most.
Oh, God.
But are you actually invited, Tom, or did you just show up because you got the link and you know what time they record it? Well, you say potato, I say potato, you know.
Anyway, talking of potatoes, Andy, how are you?
I am good.
It's been a, I don't know, productive week.
Productive week. Avoiding the word busy.
It's been a productive week. Yeah, it's just been busy.
You've been in the office much?
I've been in the office three days this week.
What?
Yeah.
How do you live? And particularly with a train strike as well.
So yesterday I actually, well, not trains,
they're overtime bands, so there's like messed up trains.
But yesterday I met up with old friends that I used to work with
and I came from a place that was completely, you know,
they went all home-based, you know, post-pandemic.
And they're like, you really go into the office?
What's it like?
But when I was working from home, I would, you know,
there's just no distinction.
You roll out of bed, you sit in front of your machine in your pants
and just like you work all day, go down and get something to eat.
And then, you know, it's the end of the day
and then you go and get something to eat again,
come back up to the office.
And then I might have a shower and then, you know,
generally we work till, like, two in the morning. But when I go into the office, it's actually very simple. You know, I get this train, I go in, do a day, and then leave at the end of the day, and that's it. I really don't have to do much work in the evening. I check the odd email, but there's such a clear break, and that time travelling to and from the office, I like what shows I've downloaded, and I actually really enjoy it again. But I don't have to go into the office, but I've actually started to go in more, um...
Because you can do...
Yeah, well, it feels... not do less, it's actually just focusing more of my time.
Sorry, yeah, you did say that some people from your company do listen to this podcast.
Yes, we do have to be careful.
Do you think some of it is, um, interacting with people?
Like, yeah, that is good. And, you know, you can say there's some people who are purely home-based, uh, I'll put it that way, that, uh, you know, you get on a call with them and you think, okay, this is a two-minute call, and it's like 20 minutes. It's a bit like, you know, when you first joined this morning, you're like, OK, what's taking so long? It's like that, you know, you're on a call. It's like, OK, you've clearly not spoken to someone for a while.
We're craving human contact.
Yeah, you just want to keep talking. But no, I don't know. I've kind of gone the other way.
I was all for home base permanently, but I really enjoy going into the office now.
So what you're saying is you don't have the discipline
to switch your laptop off at the end of the day?
Pretty much.
Right, OK.
But talking people like to discipline, how are you doing, Tom?
Hey!
Damn, mate.
We're getting good at these, you know.
The segues are incredible. Awards are on the horizon, boys.
I said Tom, not Dom, just to, you know...
So what about me? Well, I was on holiday early this week. Um, I think I mentioned it last week. I went off to Sidmouth with a friend for a long weekend.
That was lovely.
Sidmouth, a little bit of a sleepy seaside town,
which was absolutely perfect.
Just chilled out.
We completely missed the weather.
But that was fine.
So that was lovely, I have to say.
Tomorrow I'm going to Bristol Pride, which is going to be
good fun, going with my daughter.
So, yeah, we're going to do the
march and then go up to the
up to the Heath, the Common,
I can't remember what it's called now,
for the big parties afterwards. So, yeah,
really looking forward to that. Awesome.
It's going to be good.
It's going to be good. And
talking of good stuff
shall we see what we've got
coming up for you today
while it's still being written live
this week in InfoSec
is as simple as 1, 2, 3
rant of the week
looks at the data retention practices
of a children's TV channel
Billy Big Balls
is a copper.
A copper of what?
We shall soon see.
Industry News brings the latest and greatest
security news stories from around the world
and Tweet of the Week says, sign me up.
So let's move on to our favourite
and for Carole, very familiar part of the show.
The part of the show that we like to call...
This Week in InfoSec.
Love that music.
It just really feels familiar, doesn't it?
Yeah.
Very unique, I think you'll find.
And open source and free.
Just saying.
It is that part of the show
where we take a trip down InfoSec memory lane
with content liberated
from the Today InfoSec Twitter account
and further afield.
And even that music may have been liberated
from further afield.
Our first story takes us back
a mere 28 years to the 6th of July 1995, when it was as simple as one, two, three. IBM purchased Lotus. So IBM completed a $3.5 billion buyout of Lotus Development in 1995.
3.5 in 1995?
Yeah, and at the time Lotus were the dominant providers of spreadsheet software. Very familiar, Lotus 1-2-3. Excel was just a twinkle in Microsoft's eye at the time. But yeah, IBM had hoped to leverage Lotus 1-2-3
to challenge the increasingly demanded Microsoft Excel software.
But alas, there was little slowing down from the Microsoft juggernaut
during the 90s.
Lotus 1-2-3 steadily lost market share,
and IBM finally announced the end of support for the software in 2013.
2013? You could still get Lotus 1-2-3?
Yeah.
So I remember I worked at a place called Kimberly-Clark Corporation.
Oh yeah, the tissue paper, the toilet roll people.
Yeah, that's what everyone says.
Sounds about right, Andy.
Yeah, but, uh, king of the blues, as a hormonal youngster, it was very handy. So the best thing was I learned a lot about, um, you know, the Kleenex premium brand versus Tesco own brands, all that kind of stuff. It came out the same machine. They literally, there was someone whose job it would, go around once they hit a certain number, just swap the labels, and it was the exact same tissue that came out. It was amazing, the stuff that went on there. Um, but I remember when I was there, I modernized their, and I put this on my CV for like the next five years, I modernized their inventory system. And by that, I mean I copied everything from Lotus 1-2-3 into Excel.
And that was the future.
Open Excel, file, import.
Yeah, it wasn't that easy back then.
There's a lot of manual work.
But you know when people have these sort of jobs?
This was a company where people had jobs for life back then.
There were people that had been there 20 plus years. Traditional manufacturing kind of.
Yeah, but my job was done, like, I started at seven in the morning, and my job was done, I kid you not, by 11 in the morning. And so I used to work on, I had a website at the time, like with loads of jokes and stuff, so I used to literally spend the rest of the day just populating my website with jokes and editing stuff.
And it was great.
It worked out well for me.
And they were happy with what I did.
They thought I was doing amazing stuff.
But ultimately, I did leave for a job in London.
You know, 3.5 billion, I just looked it up, works out to 7 billion in today's dollars, so that's a serious chunk of change. But they had it going for how long? They had it going for over 10 years, right?
20 years, practically. 18 years.
But then again, you're not getting... 17 of those were probably profitable.
Yeah, I was gonna say, you're charging serious support fees on that.
Yeah, yeah, exactly. But, well, Lotus not only standing for "lots of trouble, usually serious," which is about right for all of their software, and the cards as well. Um, at least they did have the Lotus Notes thing, which actually did do quite well. Isn't that still going now, or is it gone?
Yeah, so Lotus, it did last longer.
Again, it was competitive.
They were trying to compete with Microsoft Exchange.
Yeah.
But they sold that in 2018 to HCL for $1.8 billion.
So they made quite a loss off it.
Yeah.
Well, yeah.
I mean, it's obviously the $1.8 billion now
versus what they'd invested
back then. But Notes is still going, actually.
Yeah, but I don't know where. I think we've mentioned this before. Obviously, it's a lot of security, it's very high security. It was very clunky. It was also very, very flexible as well.
Well, you needed to be. Like, I'm not dismissing or, you know, talking down any skills from an Exchange administrator, but, you know, I taught myself Exchange very easily.
Yeah, same.
Notes, though, where I had to learn, you know, let's go on a course. Yeah, and then even then you had, like, a guru in the office that you have to go to and sort of say, how do I do this?
Our guru, we had Lotus Notes at a company I worked in. Our guru was the CEO.
And literally, like say someone in comms would say,
I really want to create some page saying X, Y, Z.
He would literally come down to the desk
and give them the development book
and say, read this and figure it out.
And it's like a huge manual, right?
I remember him dropping it on her desk
and she just going, Jesus.
I went to a place that was very similar.
Our time tracking and costing and billing system was an app called CLA,
which stood for the CEO's name of Colin, Colin's little app.
He just kept the thing running.
I mean, it worked. It was good, but bloody hell, I mean, that's not how you run a, you know, multi-million, you know, pound business, as it were. But then we got bought out by Coopers & Lybrand, and obviously the merger with PwC, and so we moved everything. I did a project that moved from Exchange to Notes.
That was fun.
Don't know people that go that way.
Exactly.
Exactly. That was, we moved something.
Well, we moved millions of emails in a two-week period
and trained people at the same time on notes.
It was, yeah, it was interesting.
How can I make life harder and more expensive to operate?
That's right. That's right.
That's it. Alas, our second story takes us back a mere 20 years, I can do the math easily on that one, to the 1st of July 2003, when California's data breach notification law went into effect, and it was the first US state to require disclosure of breaches of personal information.
Wow. Which act is this?
Uh, the California SB 1386.
Snappy.
Yeah, it's really catchy. Um, but I don't recall, I should have actually checked, sort of thing that they'll check on Smashing now. They do a bit more research. I think there's, uh, about five states now that have data privacy laws.
Yeah, maybe more than that as well, I think.
Yeah, um, it's not just 10, it's more like 15. I mean...
Good job. There's at least five states.
Yeah, yeah, that's right. That's right. Yeah, but there's a lot of conversations now with kids as well, right? So a lot of states are talking about it in terms of trying to control,
you know, if data breaches happen in a certain place
and, you know, what should be the punishment for that,
that sort of thing.
Yeah.
In fact, California is almost always the first state to enact.
At the forefront.
Yeah, at the forefront of this.
And then other states follow
suit.
The damn liberals.
The what, sorry? The damn liberals.
The damn...
Yeah, that's right.
That's right.
Excellent, Andy. Thank you for...
This Week in InfoSec.
We're not lazy when it comes to researching stories,
we're just energy efficient.
like and subscribe
to the Host Unknown podcast
for more ESG adjacent tips
I don't even know what that means
Neither did we.
Andy had to expect energy something something.
Environmental social governance.
Yeah, well, of course.
Of course.
Yeah, I'd never heard it.
I've heard of CSR, but anyway, who knows.
But as they do say, if you want something done quickly and efficiently,
ask a lazy person to do it.
It's a shame it doesn't apply in this
podcast, because we've been at this for hours and we're still only just starting. So let's move on, shall we, to...
Listen up! Rant of the Week. It's time to mother rage.
So Nickelodeon, uh, which if you are from North America, you will know immediately.
And if you are from anywhere else in the world, well, you probably still know immediately as well,
because the American culture seems to permeate throughout the world.
But Nickelodeon is a kids animation, well, no, actually a kids TV show company that has branched out into movies etc. The makers of the
Spongebob series. Yeah that's
right.
That's right.
Well amongst many
others. Many many many others.
So at the
end of June
so only just a
week or so ago a rumour emerged
about a major leak from Nickelodeon's animation department.
Proof of the alleged data leak
started circulating on social media,
showing an extensive collection
of reportedly 500 gigabytes
in documents and media files.
And Nickelodeon have confirmed this, that there has been data leaked from an alleged
breach of the company. It was legitimate. But some of that data appears to be decades
old, decades old. The data breach supposedly occurred in January this year. So that's six
months. And they've kept this very, very quiet, and allegedly ended with Nickelodeon blocking the unauthorized access two months later, which for some people may sound like a long time. But, you know, it can take up to that amount of time to mobilize yourself, and not only mobilize but implement the technology, or...
Yeah, move it back, like even being aware that it's happening.
Yeah, yeah. But I know it can take two months to put, you know, systems and procedures and tech in place. All the while, what you don't want to do is to spook the attacker, especially if you want some... I was gonna say retribution. That's not what I meant, is it? Um, attribution. There you go.
Retribution is actually the name of a Nickelodeon kid show about revenge.
But it took them two months, but no reliable evidence.
So basically, nobody knows anything about this.
The files were leaked on a private Discord server,
and many of them being reposted elsewhere.
Turns out that most of these files, virtually all of these files,
are either audio or video files going back decades and decades.
It doesn't look like there was any personal data.
It's purely just, um, intellectual property, copyrighted information, etc. Um, it's really not even going to cause them that much damage, given the age of some of this stuff as well, uh, even though it is obviously illegal to redistribute the copyright-protected intellectual property.
So the investigation is still ongoing.
They say that it doesn't include user or employee data,
and it's just limited to just production services.
Can anybody here say inside job?
I mean, really?
Is somebody that desperate to spend that amount of time and effort
hacking into Nickelodeon to get a 15-year-old show out?
And let's face it, gig of production-quality, um, shows, that's probably like, I don't know, a few seasons of, like, maybe 10 shows. There's not a lot going on here at all, is there, really?
I don't know. I feel like someone got lucky and landed on a forgotten area of old junk that they never moved over and secured.
Yeah.
And is making a big song and dance on it, and no one probably gives a shit.
There's a SharePoint 2000 server.
Yeah, yeah. You know, and in fact, the rant of the week this week is probably more about, why are we even talking about this? But, um...
No, I can see a point here, though. I think anyone who has, like, legacy systems and updates slowly in bits and bobs will forget stuff if they're not really, really diligent about kind of, you know, writing down the whole architecture pre and post. And that's a lot of companies.
And as you're saying, you weren't... you can't get technical on this, Carole. It's just brilliant.
It's exactly what we wanted the organ grinder for.
But it's true.
I mean, this is decades old stuff.
This should be archived off somewhere, taken onto an offline backup
or something like that.
Or, frankly, maybe they just don't care about it.
But do you know the episodes, um, what's, you know, like the episodes of Doctor Who that go missing and stuff like that? Because, yes, you know, BBC. Like, maybe this is just someone taking an off-site backup. Like, maybe someone works there and they're like, look, you know, this doesn't look good. You know, it's a single server, they're not replacing it, it's terrible, the drives are failing, so I'll just store it on my Discord server.
Yeah, they've crowdsourced the backup and rotation, right?
Yeah. Make sure these episodes of SpongeBob stand. If we give everybody the copies of this, then we can get it from everywhere.
Yeah, it's very true. That is very true. But, uh, yeah, it does seem to be, though, that Nickelodeon are playing a little bit fast and loose with their digital assets,
which doesn't bode well for the rest of their environment, let's be honest.
But the other thing I know, a lot of recently, is more and more stuff's been leaked on Discord.
Yes, that's right.
I do have some Discord channels that I follow.
I don't understand Discord.
I'm not really in that whole environment.
Let's get the latest files that are out there.
I attended a conference via a Discord channel.
I say a conference.
I think I left after about an hour because I could not work out what the hell was going on.
You're on that part where it says log in.
Yeah.
Do you know what? I managed to get past that and then it was like, well, now what?
Where do I go?
What is this?
How does this work?
It is so unintuitive.
I think you have to have quite a plastic brain,
i.e. be aged under 22 to be able to use Discord.
Okay, boomer.
Yeah, I know. Seriously, I think that's their primary security mechanism, um, you know, and rate-limiting mechanism as well, because it just stops people over a certain age going in, because I don't understand what the hell's going on. Really, it was like I'd been sort of let out of the old folks' home.
I was wandering around, you know, the village fate,
pointing and smiling at the sparkly things,
wondering what the hell is going on.
A.K.A. a regular Wednesday.
Yeah, that's right. Last weekend.
So, anyway, come on, Nickelodeon, let's get this shit sorted out.
I mean, you know, what we don't want to be seeing is in six months time that something else got lost and
actually it's a bit more personal. And given it's, uh, you know, there's probably lots of kids on your database, which sounds worse than it actually is, but you've got to be very, very careful about this stuff.
Rant of the Week.
You're listening to the award-winning Host Unknown Podcast,
officially more entertaining than Smashing Security.
Well, that was an unfortunate one to choose, wasn't it?
Officially more entertaining than Smashing Security until three weeks ago.
Right, Carole, your time to shine.
Let's move you on, shall we, to, oh, I've got to find it.
Here we go, this week's.
Look at the size of that thing.
Carole's Colossal Cojones. Yes.
You guys.
All right.
So my story is about some research that was done,
but the research is done quite interestingly.
So the conclusion is,
is that a study shows that 25% of kids' apps potentially violate COPPA.
Now we know what COPPA is, don't we? It's the US federal children's
privacy law. Started in California, I believe. Yeah, there you go. And it requires that we ask
online users their age and currently trust that they're being truthful. Now, currently,
there's some noise about changing that and getting parental consent and all that kind of stuff.
But the idea is that COPPA imposes certain requirements on operators of websites or online services or apps to children under 13 years of age, and on operators of other websites.
So in short, in short, it's there to help the kids and protect the kids.
And it seems as though one in four apps that target children may be
collecting data without their parents' consent. Now, uh, you guys have kids. What are your thoughts about the apps? Like, people often, like, oh, parents are in control. Like, do you have any idea what apps are on your kids' phones, really? Do you look at them closely?
Well, I think I do. So my daughter's younger anyway, so I do have control. But I do certainly agree. So when my nieces were younger, they're in their 20s now, and I remember at the time, you know, particularly when they were first getting their email addresses and stuff like that, literally no control over it. It's not just the apps. I think it's more about how they interact with people once they have those apps, because that's the other thing is, you know, remember one of my nieces, you know, she had an Instagram account. For her it was all about getting as many followers as possible, um, which a lot of people in her school at the time were into as well. And I was like, you realize this is an open profile? I'm sort of trying to explain all that stuff. Yeah, you know, she looks at me, she's like... and it's like, oh God, why do I sound like such an old man? But yeah, no, it's, yeah, you've got a double-edged sword. You've just got no control.
Yeah, I think, I think, I know, um, I'm going to bring Apple into this. I know that we implemented the Apple controls on our kids' phones when they were younger.
But it was even then it was it was more to sort of teach them the principles of, you know, we need to be open and talk about stuff.
Well, we took them off before they turned, I think, even 16, to be honest with you, because, frankly, we were extremely lucky that they were, you know,
they had far more emotional intelligence than I ever did at that age.
And that they knew what was what.
And they, you know, they came to us when they needed to, you know,
when somebody was behaving oddly towards them on a social media site or whatever,
and they dealt with it.
So, yeah, it was, we were quite fortunate.
But I know many, many people out there do not have that kind of luxury
with their kids, right?
Well, it's interesting because the way these guys did the research, right,
this is from Comparitech, is by actually looking at the T's and C's
and the privacy information within them.
So they haven't actually claimed to have like played with the apps and really dug into how they work,
more just looking at what they are claiming inside the paperwork. And according to them,
the paperwork is not up to date with COPPA standards. So that's kind of interesting.
And it got me thinking. I wonder whether parents... okay, just tell me what you guys think. Here's... it's just a brain fart, okay? But if parents cut and paste terms and conditions of a game or something into a ChatGPT or a, you know, a language model, and say, can you summarize this in five bullet points, you know, in terms of privacy,
would that be a way for them to understand better?
Because it won't be as buried.
No.
Well, I've got my own issues with chat GPT.
The fact that it bullshits a lot?
Yeah, but a lot.
Like I asked it to put stuff in chronological order,
like which I thought was very simple.
And three times it took to get it right.
Was this ChatGPT or number four GPT? Because the four is supposed to be the king, right?
Right. Yeah, but I mean, I really lost a lot, you know. I was like, jeez, I can't trust anything with that.
But I don't... to me that's still too many steps, do you mean? It's like you've got to do something, you
get these terms and conditions, paste them somewhere else, and, yeah, be honest, lots of people aren't going to do that,
especially if they sign up from a phone.
Yeah, it's not that easy to copy and paste from one app to a website.
And it's, uh, I don't know, the killer for me as well is, I mean, I don't have kids, right, but,
um, watching parents that I know are financially, uh, you know, doing fine, so it's
not a fine... I know. And just worrying about whether the thing is free or not, and as long as it's free,
downloaded, go, go play.
Yeah, and they don't kind of ever consider the ads that are being targeted
to them, the information that's being hoovered up.
Yeah, yeah. It's hard, that, for me, just because of the
industry I'm in, but, you know, sometimes the new, new normal is the way things are, right?
That's not to say that we should be blindly going into it.
But to your point, Andy, about your nieces saying, yeah, it's public,
it's kind of like that's almost like how it is now, right?
Yeah.
It sounds very, well, it sounds like very fatalistic,
but to a certain extent, you know, are we the ones that are.
Are we out of touch?
Yeah, exactly.
No, it's not, it's not us that's out of touch.
It's everybody else, you know.
It's weird.
It is.
The one thing to see, and I don't know if you guys are aware of the site, but
Mozilla have, and that's the people behind Firefox, have a kind of dedicated portal called Privacy Not
Included. Have you guys ever checked that out?
I did. I think you included that as a pick of the week one.
I have, yeah. Yeah, yeah. And I've met, uh, I've certainly chatted with the people that work on it. They're great. And they effectively do the same thing, where they read the T's and C's to find out what information is being hoovered out. And it's a clever way to do it, because that's where you're liable, right?
because they cover all sorts of stuff.
So mental health apps, entertainment, wearables, smart home things, right?
And they have reviews of each one, and they kind of give it a creepy factor, right?
So you can kind of go, give me the creepiest stuff you've got so I can avoid it.
And it's really, it's just a great site.
I think they've done a really good job.
That's my pick of the week.
Do, do. We've got, um, a jingle for that somewhere, Tom.
I went, yeah, you what? The one you sent me like nine minutes ago?
No, no, there's a, uh, we actually have a Sticky Pickle of the Week.
Sorry?
Oh, that's even better. Just enough to avoid, you know, any sort of litigation.
Yeah, exactly.
Well, let's see what this one is that you've just sent me
nine minutes ago as we end.
Oh, it's the one you actually played.
I didn't realise you had it preloaded.
Well, I only had one.
I couldn't.
So maybe this outro one will be better as a result.
Anyway, everything you need to know, folks,
about how we play this, uh, this podcast, uh, fast,
loose and without a care in the world. Carole's Colossus Cojones.
So dramatic. So dramatic. I love it.
See, we spend money on our, uh...
Yeah, none of this free stuff that you do.
You're welcome, by the way.
Sorry, what?
You're welcome.
I'm really happy to be here.
Right then.
Oh, yeah, we've got to do another jingle, haven't I?
Hang on.
Let's see what we've got here.
Oh, here we go.
People who prefer other security podcasts are statistically more likely to eject USB devices safely.
For those who live life dangerously,
you're in good company
with the award-winning Host Unknown podcast.
Up until three weeks ago.
Right, Andy,
we are rapidly running out of time.
We are just casually
walking down the street of this podcast
this week and talking
to time, Andy. What time is it?
It is that time of the show
where we head over to our news sources over at the
InfoSec PA Newswire who have been very
busy bringing us the latest and greatest security news from around the globe.
Industry News
Croydon Council hit with enforcement notice for FOI fail.
Industry News
Report reveals companies unprepared for darknet data leaks.
Industry News
Security experts raise major concerns with Online Safety Bill.
Industry news
European Commission to tweak GDPR for cross-border cases
Industry news
UK citizens wary of NHS AI use, citing privacy concerns.
Industry News.
Nagoya Port faces disruption after ransomware attack.
Industry News.
Suspicious email reports up a third as NCSC hails active defence.
Industry News.
Police arrest suspected OPERA1ER cybercrime kin... king.
Industry News.
Human error the leading cause of cloud data breaches.
Industry News.
And that was this week's Industry News.
Huge if true.
Huge
Huge
Andy did you get the feeling
we were trying to up the energy
compared to
Carole there
I think Carole's doing
I think she might be painting again
This is AI Carole
She's phoning it in.
I feel like I'm under a microscope here. It's not even... it's just gone 10 a.m.
Shush, no, no, it's just gone 8 a.m., because people we work for listen to this show.
Sorry, yes, you're absolutely right.
Oh, dear.
What's that?
So it's not a cybercrime kin.
It is a king, is it?
I believe it's a king. I think I may have cut and pasted it.
Oh, king pin.
It's actually king pin.
Blimey.
Oh, really?
Yeah, I really cut that off.
Do you know what?
Their new site is difficult to copy stuff from.
Is it really?
Yeah.
It's almost like it's in retaliation to something.
You literally have to go into the article and get it.
You can't just pull it off their headlines anymore.
Oh.
I know.
So much effort.
It's all gone to crap since Eleanor left.
Yeah.
I'm just thinking we haven't included anything about Threads.
We have not.
Hands up who has a Threads account.
Me.
I could have one. I don't know how. I've downloaded it. Do you want to walk me through putting up the account?
All right, grandma.
I'm a grandma when it comes to social. Everyone knows that. So, do you have Instagram?
I do.
Oh, it says log in with Instagram. Yeah, if you hit that button, it just copies everything across.
Sorry, you're a grandma when it comes to the social networks? Sorry, what's the name of the company you run?
I run a tiny little company, you know.
With the word social in there.
And what you have to import, oh, it's importing your stuff.
Okay, I see, I see.
Profile. And then obviously when it says access to all photos, contacts.
Microphone.
Just say yes.
It's meta, so it's all good.
Yeah, your data's safer.
It's not that dangerous Facebook company.
It's this new, cool, meta, future-looking company that wants to do good.
Apparently run by a lizard who licks his own eyeballs.
So what have you thought about Threads so far then?
So I've literally just logged into it yesterday,
and it looked like Twitter used to look like, in terms of it's so simple, it's just text.
Um, you know, you can like people's tweets, or threads they're called, right? Um, yeah, but also
I think I was kind of excited that a couple of people that followed me were, like, OG people I used to follow on Twitter, if that makes sense, around the time. So it's like,
oh, this is good. But now I've also got people I used to go to school with, which I think...
obviously I don't know if there's some sort of cross-pollination with Facebook,
um, because I certainly didn't have them on Instagram. So, yeah, I'm kind of... But it's difficult because it's not like you can choose your handle.
It's like it automatically takes your Instagram handle.
Do you know, that's annoying for me, I have to say,
because my Instagram is my photography side of things.
Right, yeah, so I have different names on different social networks
and, yeah, it kind of makes it difficult.
Yeah, that's right.
I'm just down, so now I've got it installed. Now you're right, it does look a lot like Twitter, because Twitter have, uh,
are a little upset, aren't they?
Yeah, well, maybe they shouldn't have fired all those engineers.
Yeah, yeah. Interesting, though. I wonder if they've got a leg to stand on. And the thing is, I've got,
I've got things on here like, it's been
open for two days and there's people celebrating, yay, I've got a hundred thousand followers. I know,
what? How do you manage that?
Yeah, but I think they had, uh, they might have had big accounts from, you know...
Yeah, yeah, very true. But what do we like? Is it a Twitter killer? Like, this, this isn't the first time we've
heard the word Twitter killer, right? Mastodon was supposed to do this.
Look, yeah, did it? That was the thing.
No, but Bluesky is, um, you know, the original Twitter founders, um,
I forget his name. Jack. Jack created Bluesky.
Oh, Jack. Yeah, and they've got, what, 50,000 people using it?
50,000.
And this hit, what, 10 million in seven hours?
It hit 30 million yesterday.
Yeah, it was 10 million in the first seven hours.
Yeah, so it's a genuine contender.
It is, it is.
Well, Rick Ferguson, friends of the show, Rick Ferguson,
he has actually said he's deleted, Mastodon, his Blue Skies,
his Twitters, all that sort of thing, and moving on to threads
because he says, this is it, this is the one.
Yeah.
And if Rick Ferguson says it, come on.
Any man who has hair like that has to be right.
Does he still have hair like that?
Yeah, just not on my head.
Oh, God. Oh, God.
How very 70s of you.
Lots of people have...
But a lot of people are saying how Mastodon's the way forward,
like when Musk took over Twitter,
it's like, everyone get a Mastodon.
But what Threads is doing
is that they are looking to integrate into the Fediverse
so that you can communicate between Threads and Mastodon, for instance.
Right.
Okay.
I don't know what a Fediverse is.
It's Mastodon at the moment and a bunch of other stuff.
But basically, as I understand it, it's federated.
It allows you to communicate across platforms, whereas Twitter is a closed house.
Yeah. And even more so, I didn't know that Threads was launching.
And I don't know whether it's because I wasn't paying attention or if it was just quiet.
But what was funny is that at the weekend, obviously, Musk just out of nowhere decided to rate limit what you could see on Twitter,
saying that too many people are just scraping their data
for free. And then, like, the next day, Google sort of decided to de-search them, or took them off their
searches. So it's... because they're not paying their bills, are they? Yeah. And so there's all this stuff,
so, you know, Musk is sort of playing hardball with Twitter, and then the following week, uh, Threads
launches, and it's like, yeah, it's, it's what Twitter used to be. Um, and I think, you know, they can make a lot more money from their other ventures to keep it going.
Yeah, that's right. So they can take a hit on this.
That's right. Yeah, I've just been thinking about what my first thread should be. How about: very disappointingly on the Host Unknown podcast right now?
Do I tag you?
You can tag me.
It's going to be like TL photography or something like that instead of.
Yeah.
Well, it's Tom Langford dot photography.
Yeah.
They'll work it out.
I'm sure.
I'm sure. I'm on the stories this week. Well, I mean, let's face it, Threads is the big story, really.
Yeah. Uh, I mean, human error the leading cause of cloud data breaches. Come on, no shit. Journalism school of the bleeding obvious.
I was thinking that you guys could say that during when you're doing all the titles, right?
Because I was thinking all these things.
I was like, duh.
Yeah, yeah, yeah, that's right.
No, but we do take it seriously, Carole.
So we try to at least get through this with, you know, a modicum of professionalism.
UK citizens wary of NHS AI
use. I think
we're more wary of the NHS
crumbling more than the AI
use. If AI means it's
going to keep going for another 25 years, we're all
for it.
Who knows? Anyway,
that was
this week's
Industry News. Anyway, that was this week's...
Industry News.
If good security content were bottled like ketchup,
this podcast would be the watery juice which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
I'm starting to regret us putting award-winning
in front of Host Unknown this time.
Yeah, you have to go fix that.
You can't take it away.
No, you can't.
Well, until three weeks ago, you couldn't.
Right.
And it's time to take us home with this week's
Tweet of the Week.
And we always play that one twice. Tweet of the Week.
This week's Tweet of the Week comes from Jason Kint, who has posted a list of, I don't know what to say, just conditions.
Observations. Observations. And he says: misleads about metrics, inflates video opportunity,
covers up data breach, empowers foreign interference, aids in genocide, blocks free and plural press, hides damning harms research, abuses users' privacy,
copies competition, launches new app. Where can I download it?
And, uh, I actually felt the same. I was like, sign me the fuck up.
Hey, this looks like a bandwagon and I should be on it.
Yeah, exactly. Uh, so I'm not even that big on social media, um, you know, I don't interact much, but I did feel the need to...
Do you know, that's not what you said when we first met. Do you know, you tell this story a lot
and it's like...
I don't recall this at all.
We were walking down a corridor.
It was hilarious.
Anyway.
Yeah, my handle's Suggesta.
You might have heard of me.
Yeah, I don't think I'd ever say that.
Can I just make sure I understand?
So this tweet is basically saying Threads?
Is that what it's saying?
Yes.
Yeah, or meta.
Meta threads.
Okay, just making sure I was on the same page
because I'm slower.
Morning.
It's true, though.
It's like, oh, my God.
Do you know what I was thinking
as I was signing up last night?
Well, never let your principles
be a millstone around your neck,
which basically means fuck your principles if it means you can get some shit done.
Yeah, but I just kind of get... it's like, well, I've had Facebook installed on my phone before, I've got Instagram
installed on my phone anyway. It's like, yeah, well, yeah, I'm sure that's not gonna steal any more data.
Well, exactly. You can only steal it once, Facebook. Although you can sell it multiple times, in fact.
Yeah, I must admit, a little part of me did die a little when I signed up.
I did, yeah, I died a little, but then I did get a little bit excited
when I saw what it looked like and how it worked.
I was like, ooh, it is like old school.
Yeah. That little bit old school. Yeah.
That little bit of nostalgia.
Yeah, very true.
Very true.
Thank you, Andy, for...
Tweet of the Week.
Well, we made it.
We made it through.
We were carefully...
Bowled over the line.
Exactly.
We carefully handled our way through it
under the wonderful guidance of Carole.
Thank you, Carole, for joining us this week.
Yes, well, thanks for showing up almost on time.
All right, all right.
Blimey, you two were early.
I was on time when I arrived.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to
the Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it,
please leave your best insults
on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
Have you ever had any complaints come up on that Reddit channel, Carole?
I don't know, I don't read Reddit. I used to, I was addicted to Reddit for such a long time, and then my brother was like
giving me crap about it, and I said, okay, I'm deleting it. And I felt the pain for about two
hours, and then that was it.
Only two hours? Yeah.
Wow. And I spent a lot of time, it was a time suck for me.
Yeah, I'm... that's me now.
Yeah, I don't get it. Just take it off your phone for a day. Just see if you can do a day. Because actually you just don't...
I just didn't want to go back.
Yeah, I couldn't do that. If I managed, I... I blame Andy for getting me into Reddit and now he's trying to get me
into TikTok.
No. You have to.
Do you remember when Jav was totally
against it and then one night
he literally stayed up till four in the morning
just on TikTok.
You are now officially the bad influence
of the Host Unknown.