The Host Unknown Podcast - Episode 16 - I'm So Sorry Mum
Episode Date: July 25, 2020

It's a day late, it was Thom's fault, but the episode is all the better for it (probably).

This episode is brought to you by Thom's mum (I am so sorry Mum, they made me do it...).

Tweet of the week: Daniel... Cuthbert's hair talks sense on the latest static testing tools.
https://twitter.com/dcuthbert/status/1286226224172404738?s=20

Billy Big Balls of the Week: Jav drives traffic to his content through the news of the new Meow Bot worm.
https://www.forbes.com/sites/daveywinder/2020/07/22/not-all-internet-cats-are-cute-meow-bot-is-a-database-destroyer/#264687e930e2

Rant of the Week: Andy unknowingly drives traffic to Jav's content on an awful breach response.
https://www.computerweekly.com/news/252486556/A-question-of-trust-University-and-supplier-on-the-hook-for-data-breach

The Little People: Jav has a surprise for us in the little people. Not.

This week's show also features Thom's amazing Mother, Sheila Langford. Love you Mum! xxx

Come on! Like and bloody well subscribe!
Transcript
why has Andy named himself after a
Elton John song
well I don't know
I don't know
or a day of the week who knows
dear listeners if you can work out
what Andy has named himself on this
recording you are more than welcome
to write in
write in
you're listening to the host unknown
podcast you're listening to the host unknown podcast
hello hello good morning good afternoon good evening and welcome to actually take two of this
week's host unknown podcast uh we have um we have jav on the line actually quite amazingly but no um no andy he's
he's run away jav how are you he's run away from the to join the circus hasn't he
well they need bearded ladies so yeah i'm very good thank you i am uh a bit upset that i'm having
to wake up early on a Saturday to do this
because somebody screwed up yesterday, but it's okay.
Who's that? That's outrageous.
I hope he's hanging his head in shame as he's not here to defend himself.
Yes.
Something like that anyway.
Yeah.
I know it's Saturday morning, folks.
We had a little technical issue to do with not pressing record
and then finding out 45 minutes later.
Oh, right. Okay. So you kicked off again without me.
And you realised that karma stung you yesterday.
You decided to treat me like you treat Jav on my own show.
And what happened? Nothing happened.
Nothing happened, yeah, exactly. Well, it's okay, we've got your show notes, Andy, that say: Tom presses record. Jav and Andy check Tom presses record.
sorry sorry i had to dumb it down a bit but you know i can't take any chances anymore
the ability to press a button is too much so yeah it's funny just just before um angelo
chatting i said you know when you go through that kind of seminal moment in your head over and over
it's like you know what i definitely went to click it i definitely clicked something obviously
didn't click it right missed or something because you know but you know such is life such is life but that said
the first 20 minutes were crap yesterday so actually we get of course i wasn't in it so you
know we get a chance to uh repent for our sins yeah anyway good morning andy um thank you for
joining us of course i wouldn't uh wouldn't be anywhere else. Yeah, thank you for doing a jav
on us this morning.
You're welcome.
I think that's what
we're going to call it.
No.
It wasn't pure jav,
it was like jav light,
you know.
Yeah,
javette.
You know,
one day both of you
are going to like,
die because you're old
or you're unhealthy.
Well, yes. That's normally how it...
What happens when you're unhealthy?
Actually, I hope I die because I'm old or fairly unhealthy.
Not viciously in a stabbing or something, but thanks.
Jav, that's really cheered me up.
But then I will do this all on my own
and I will never ever make the mistake
of bringing along any hangers-on ever again
that's because you're going to outlive us and nobody will want to hang on to you anyway yeah
without us jeff you don't have friends this is the no this is true this is true you you have
your family and people who... Family and fans.
That's what I've got.
Who you claim are your fans.
Oh, my goodness.
So, let's have a look at the show notes.
What have we got today?
Oh, so you've actually done the full intro and everything?
Well, it depends what you say in the intro.
You played the jingles?
Yes.
Yeah.
Oh, right.
It's like that. Okay, right, okay, good to know where we stand. Just, uh, just like we said, you went, you, you went
full Jav on us. I tried stopping him, Andy, but he was like, no, these are the rules.
oh dear oh so if i look at the show notes and I say, you know, what's coming up today, like it's a surprise,
especially as it says usual features.
We've got Tweets of the Week, Billy Big Balls, Rant of the Week,
and have we got a little people for you today?
Jav, have we got a little people for them today?
Let's not ruin the surprise.
It's like saying something is, you know,
a dessert is a banana surprise and the surprise is there's no banana, right?
You know, this is the little people surprise.
Oh, dear me.
So busy weeks for you folks.
I mean, apart from having to record podcasts twice
yeah it's uh definitely been busy for me but it's always busy nowadays you know this is um
i have said this i think this is the new normal um i know it's a phrase we hate it's a phrase we
hate on this show uh but yes it's just unbelievable unbelievably crazy
uh work-wise and i'm not entirely sure why
because business is good well this is a part i mean yeah you hear about businesses going bust
and you know people really struggling people being laid off um not so much in our industry
have people been laid off so you know the resource is
the same um a lot of our clients are struggling yeah well i think our industry has you know
problems in sort of sales and marketing and stuff like that all the you know what people might
consider non-core jobs if you sort of mean yeah so i guess uh part of role, I face up a lot to the sales people of other organisations.
You know, we support income and revenue.
And it just seems we just seem to have a lot of requests, you know, a lot of requests for information, requests for proposals.
It's, you know, if I compare this time now to, you know, this time last year, I would say we're much busier at the moment, which is unusual.
Well, maybe in a recession, and if you're an M&A,
in a recession, companies are selling themselves off cheap.
Yeah, that would be, I guess, the belief.
But yeah, people are certainly holding out for high prices.
What about you, Jav?
Yes, also busy.
A lot of the busyness is actually down to having about three hours worth of standing Zoom meetings every day,
which are because everyone's remote.
And I'm used to working from home.
So I'm actually actually I was actually happier
without them but because now everybody in the world's working remote everything is nothing can
be an email nothing could be a phone call everything's like oh let's have a zoom meeting
and it becomes really draining and not only does that it just takes out about three hours of the
day as well but um but yes is it actually a zoom meeting or is it just a video conference i'm using zoom as a
synonym for a video call so it's like zoom and google basically yeah exactly zoom has become
the new google in the vernacular which is quite quite incredible actually for what is a fairly
new platform exactly exactly but um yeah they they just need to get their ticker sorted out on the stock exchange
because it's not zoom well hey let's face it the zoom that the other zoom that you mentioned a
number of weeks ago that's that that's the sound recording company they did very well
yeah that's right i've got i've got some of their kits so long may they prosper
And how's the, how's your week, uh, being Mr. Langford? Good. I'm starting a new piece of work.
Had a couple of client meetings, finishing off another piece of work. So yeah, things are
looking okay, actually, certainly for the next few months. Got a few more leads to follow up.
I also pretty much finished moving into the new place.
I've set up a nice little corner desk with sound dampening material on the walls and stuff like this
so that this sounds absolutely beautiful and amazing.
So, yeah, getting there, getting used to cooking for one, basically.
Well, I think
judging by some of the pictures you've posted,
I wouldn't entirely call that
cooking as I would
lightly preparing food.
Oh, you mean
the medium
rare to rare meat that I'm
heavily on the rare side.
Yeah, I think it was
Hello Steak. This is a bit of heat
um don't need to worry about that i'll keep you safe yeah yeah it's almost as if tom like through
his years of traveling he's got used to heating up food using the hotel hair dryer iron that's all
he's interested in well what can i say If there are any vets listening out there,
trust me, you could probably bring my dinner back to life
with a bit of effort.
One thing I wanted to bring up,
because I understand that we have a very special listener of the show.
Oh, yes.
Uh-oh.
And it is Mrs. Langford Sr.
I understand.
We can't hear you.
Good morning, Mrs. Langford.
Big fan of your work.
Oh, you are.
Thank you.
Thank you.
Given that that would be me.
I taught him everything he know about sharks and toothbrushes
that's right that's right folks how dare you hijack my sound effects
oh yes it's true my my my mother does listen to the podcast hello mum you're right it's nice
chatting to you yesterday.
I'll give you another call over the weekend, yeah?
Look after yourself.
Love you.
Bye.
So, Mrs. Langford, absolutely humbled that you're listening to this show.
And, you know, through your life, you've invested in lots of things that have, like, really turned out poorly for you.
Not saying any names.
But, you know, if there's one
sure thing you want to invest in,
we can do you a good deal
and it will be an awesome
return. Tom, hit the jiggle.
This is where you want me to press
that button? Yes.
Host Unknown, sponsored by
Mrs. Langford.
Insight Mania.
That could be you.
Oh, my goodness.
Yeah.
Yeah, Mum, if you want to give me some pocket money to pay for the show.
Yeah.
Right.
Moving swiftly on.
Because I don't think I could take this anymore because I don't know what you guys are going to say next.
And that's never a good position to be in. But moving. Okay. So there was a tweet by the wonderfully hirsute Daniel Cuthbert.
He has hair that would, in my opinion, put Trey Ford and Joe Petit to shame.
Bold statement.
I know.
No, no.
Bold or bald?
I'm not sure
but yeah, wonderfully
haired Daniel Cuthbert
and here's his tweet and it's a long thread
so bear with me, I'm not going to read it all
I'm going to
just read a couple of lines and then give you
some of my own personal analysis on it
so the tweet
goes, there's something truly
special happening in the static analysis world.
Now, if that doesn't set it up, I don't know what does.
Now, this is a world that is full of dinosaurs, tools that are monolithic and expensive and really don't work well in pipelines, no matter what the account managers tell you.
Yes, some might plug in, but often that's via clunky connectors or you having to fork your repo so the SAST/DAST can scan and then report back. Hello 2010. Bad Romance by Lady Gaga is a
great track, which it is, by the way. Um, so anyway, for those of you who don't want to spend hundreds of
thousands on dinosaurs, two players came in and shook up the world. Uh, lgtm.com is now part of the GitHub family, and Semgrep. Now Semgrep is an open source tool for
lightweight static analysis that uses familiar syntax, and they both take the approach of scanning for defects in a more modern CI/CD way.
So to set the scene, you might have a huge code base
that you want to quickly scan for a few issues.
You don't want to use a GUI or fork or fanny around
with some clunky tools or anything like that.
You want to use a command line, right?
You want to get into the pipeline as soon as possible.
So Semgrep lets you build up the packs where packs are
individual checks. And you can just run a single check, for example, deserialization.
And we all know that Java and deserialization are high school lovers. They're both together.
They're sloppy, messy, and just gross to watch. But you could just use a simple command line.
So semgrep --config, et cetera, et cetera.
Pattern's pretty simple.
But you can also make your own custom packs.
You know, you can make those custom packs,
get them ready to run in various different ways,
or you can add it to actions,
which is what we kind of want, right?
So we don't want to throw the kitchen sink at every bloody commit
as that's just lazy and 2010 and Lady Gaga won't approve.
So, yeah, I think it is a seminal moment in the static analysis world.
And thank you to Semgrep and LGTM
for actually bringing these tools to those that need it.
That's surprisingly interesting and well presented, Tom.
And I agree.
I think if this is as you've described,
I think this is a huge step in moving away from that kind of like, oh, we scan for
OWASP Top 10, that we've been, you know, subjected to for years and years. Um, so, you know, I think, you
know, if, if, if anyone, any of our listeners, Mrs. Langford Senior, if you do some code scanning
and want to see how you can, um, contribute, go over to Semgrep and see it.
And I think for all the other SAST, DAST tools,
when are you going to start adopting the ASVS?
This is something you've been promising for years.
Which part of this is the DAST? I missed that.
What do you mean, which part of this is the DAST?
So you're addressing the SAST component, the static analysis part.
Where's the dynamic analysis part being addressed?
Well, in the custom packages that you're making.
So, I mean, I'm not against progress, as you know.
I'm very tool heavy. I will use any tool available to me um and i am
lucky enough to have that freedom uh on a per project basis uh mostly tiktok right mostly
tiktok yeah and then obviously have the cost written off as part of a you know an acquisition
cost um yeah you can only work with what you've got in front of you. And, you know, I guess your use cases for this one,
I think definitely, you know, use cases pipeline,
you know, continuous integration
where it's going to be built into an ongoing process.
However, if you're doing one-off scans
in a time pressured, you know, context,
there's still very much a place for SAST
to give you a picture,
a point-in-time picture of what an application looks like.
Absolutely, absolutely.
So, yeah, thank you.
I think, well, that was this week's...
But I still take exception with the fact that you said,
Dan, for his wonderful hair he
no trey was the original hair of infosec he is still mr hair of infosec for me so um well his
twitter his hair's twitter account has got more followers than him hasn't it i don't know i haven't
seen whether it's still active he actually has a separate Twitter account for his hair.
Yeah. Yeah, that's right.
Oh, man, I don't even know where my hair is these days.
I don't know if it's got a Twitter account.
It's in the plug hole, I think.
It's slid down your back.
Yeah, that's what my daughter used to say about me.
She used to think all my hair fell out and landed on my chest.
Anyway, do you reckon we got away with that tweet of the week?
I don't think anyone will question that you have absolutely no idea what you're talking about.
I have not a clue. Not a clue.
And Daniel, if you're listening, you may have recognised some of those words I said.
I think that's a sign of desperation when you need a tweet of the week and you really have no idea what to do.
It was a heavy hitting opening.
It was.
The thing was, I was gripped and then I was lost.
A sentence later, I was lost. But I know there are many people out there
who are very much into this sort of thing.
And in fact, okay, I'm going to lay it on the table.
I'm looking to skill up in some of these areas
so that I can offer some admittedly very basic services,
probably at the Cyber Essentials Plus level, um, for you
know, for, you know, small and micro businesses. Um, so, you know, if anybody out there is willing to
teach me, um, I'm, I'm very happy to, um, you know, exchange, you know, for money or undercooked meat or something like that, you know. This is fantastic.
This is, so building upon his empire where he's already offering testing services,
now Tom is in exchange for a laptop.
Now Tom is reading tweets that he, Tom is reading tweets he doesn't understand.
This is akin to his childhood fascination
of watching foreign films with the
subtitles off.
It made me fluent in absolutely
no languages.
Never stop learning though.
Never stop learning.
Never stop learning that I have no idea
what's going on.
Indeed.
I'm willing to sell my
soul and move over to the dark side
of the testing and then
I can start talking about
the test in the
OWASP Top 10
you should stick to something
that's simple
and something you can stick with
especially at this age and you should learn
from like Major Tom.
He just walked up and down his garden,
raised millions for the NHS and he got a knighthood.
I thought you were talking about the fella in the spaceship
from the David Bowie show.
Yeah.
Stop there for a minute.
No.
Oh, man.
Right, let's move on before I get insulted even more.
What have we got? Oh, yes. Here we go.
Billy Big Balls of the Week.
And this is me. And do we have a corker for you?
Does anyone remember Charles Bronson?
Of course. Oh, yes.
Yes, yes, yes. So some of our listeners might know,
but he was the ultimate vigilante action hero man
from back in the day with Death Wish.
Don't watch the new or the remake Bruce Willis one.
That's absolutely diabolical.
But vigilante justice is what we're talking about today.
And that comes in the guise of the Meow bot, the...
So let's put it a bit in context. In a world where, where web database... going in the background?
Sorry, no, not mine. I'll apologise, that's actually my work. Oh my God, he turns up late,
he's got background noise i turned down my personal phone.
I was not expecting my work phone to...
I was not expecting to get messages on my work phone.
Come on, you were just saying about how stupidly busy you are.
Yes, indeed.
I'm turning it down now, so...
And then you have the audacity to ruin Jav's section.
Right, anyway, as we are, I'm reading through this now
in the background so I can...
Andy, never go full Jav. You just went full Jav.
Do go on, Jav. Okay.
in a world you cut off mid flow it's so difficult to start again
it's all right i'm a professional i can do this i'm used to working with you two and doing take after take after take on music videos.
So don't worry.
I can get this.
Right.
Do you know the annoying thing about this?
It's telling me that it's noticed I'm using an ad blocker.
So I'm going to have to go to a different machine to read.
Oh, what?
You're actually looking at the story?
I am, yeah.
Just so I can criticize Jav.
Oh, right.
Oh, okay. i need to look for
things to pick holes in his uh okay so yeah picture world so what makes it so special yeah
in a world where organizations are leaving their their web databases exposed to the to the world
on a daily basis almost uh every day almost you hear off a story of someone said oops we left
this publicly exposed and there were like seven million records hundred million records whatever
in it and this has happened to all sorts of companies even government departments uh even
bleep black labs um exactly that that kind of thing yeah so um there have been some researchers that been trying to
search these the internet for these and try to identify who owns the databases and let them know
so that they can go fix it sometimes they've gone and fixed it with a thank you other times they've
not responded at all and on a few rare occasions, they've
threatened to sue the researchers for daring to look at their open exposed database.
I hope those researchers fought back and pushed back and just did not take it at all.
I hope so too.
Because to fold in front of them, you know, just like that would be outrageous.
It would be. And just... show a lack of spine, right?
Oh my goodness, man.
Lack of moral fortitude and, you know, just,
just regular human decency. But, you know, anyway, do go on, Jav.
So.
It looks like someone stayed up one night,
had some pizza,
watched Death Wish and thought, I am Charles Bronson.
I'm going to go full vigilante and released Meowbot, which goes,
I know the name just doesn't give it that macho feeling,
which gives me the feeling it must be a lady that's probably done it.
And she's probably seen some other film.
A lady? You say that with such, um, well, surprise almost. No, no, no, no surprise at all. Um, anyway,
the, the, the particular brand of gender-neutral, um, internet justice is the Meow bot goes out,
finds these databases that are exposed without any security,
and automates a script that overwrites the entire database with random numerical strings and appended with meow.
Nice.
So there's no warning.
There's no ransomware.
There's no chance of like, hey, sort this out or I'm going to do it.
It just goes in two to the chest, one to the head and out of there.
It's called a Mozambique, by the way.
Yes.
Two to the chest, one to the head.
In fact, it's actually two to the head, one to the chest is Mozambique.
Sorry, I got that the wrong way around.
Is it?
No, it's two to the chest and one to the head. The two
to the chest are to slow down or put
them down and then when they're down, then
you put one to the head. That's very true.
Yeah, I was thinking of the Sollyhole.
What?
Do go on.
So is this
this almost sounds like do you remember well i say remember back in the day
obviously before my time but uh you know i remember uh the uh robert morris worm do you
remember his original intention was to go around and highlight security flaws you know he wasn't
intending to cause damage um you know sort of go out across
the internet and find uh you know unpatched systems um whereas this is kind of a bit more
aggressive it's more of the you know the enforcer knocking on the door saying hey like you're gonna
learn today son uh it's uh it sounds very wormy-like behaviour.
Yeah, well, I think it does qualify as a big ball because in the sense that it's potentially actually
in the interests of the public,
not necessarily the companies themselves.
I mean, like every vigilante, right?
But not necessarily the companies themselves
because they'll be losing either intellectual property
or stuff they actually own, their own actual data, as it were.
But the people whose data is exposed are actually benefiting from this.
so it's
very
as long as copies aren't taken
and there is no subsequent ransom
later on in a year's
time or whatever
this is potentially the classic
vigilante public service
which is
really an interesting
concept
Yeah.
That's harsh, you know.
But I, actually, I'm not against it.
No, absolutely.
What we need is some commentary from somebody we know and trust on this.
Yes.
I am.
Funny you should say that. So as I read this, Jav, I notice in the article that a public figure, someone may go to for, like, expert, you know, opinion, a guy called Javvad Malik,
who is a security awareness advocate okay now we know why he's picked this as a story
I'm wondering why you selected the Forbes article for this one.
He's reusing content again.
No, no, no, no, because this is written by David Winder,
and he's an awesome journalist.
And although many people, I've heard many a theory on Reddit
that he might be our InfoSec Stig,
but we cannot say anything hey
davy wink wink is that on our dedicated reddit subject yeah yeah well there's loads of reddit
pages dedicated to hosts unknown well you can get us on um r slash smashing security if you want to
discuss this is true this is true of the show In fact, the first person that goes on there and asks,
is this the host unknown subreddit,
we'll have on here as a guest.
There.
We don't want to.
We're against environmental waste.
You know, there's no point in creating a separate channel.
No, absolutely.
Absolutely.
Not when there's a perfectly good one going to waste already.
Exactly.
So, Mrs. Langford Senior, please go to reddit.com.
No, no, don't, Mum.
Don't, don't, don't.
You don't want to be on this show with these people.
Oh, no.
Oh, dear.
Yeah.
No, good story.
I like that one.
I like that one.
I like the fact, I must admit, when I first read the
um, URL, not all internet cats are cute, meow, blah blah, database destroyer, I thought
it was going around deleting pictures of cats and i was just you know if there was a worm that did
that would national productivity wouldn't it, would international productivity go through the roof?
I'm just, you know, because we're just not looking at cats anymore.
I think that would be hilarious.
Anyway, thank you, Jav, for this week's...
Billy Big Balls of the Week.
I liked it. So I know you kind of maybe dropped a hint
that Davey was the InfoSec Stig behind the PA Newswire.
I think we know that he's not really.
I think the real InfoSec Stig would be quite offended
by that statement.
Yes.
Davey bloody winder.
The actual InfoSec Stig that scowls the world for the best stories
for us to bring to you in a bite-sized format.
Easily digestible.
Indeed.
I'm guessing this is the point where I press this.
Industry news.
Russian APT crew actively targets COVID-19 vaccine developers.
Industry news.
DPOs encouraged to act now on invalid privacy shield.
Industry news.
Data protection associations introduce survey and representation concepts.
Industry News.
ISC attributes cyber attacks and election interference to Russia.
Industry News.
FTC details hashtag COVID-19 scams and fraud cases to Senate.
Industry news.
CETOs.
Cyber insurance fails to cover modern threats and remote work...
Industry news.
It's OK, the listeners will put it together in there.
Yeah, yeah, they'll work it out.
It's better early than late.
I hate you guys.
And that was this week's...
Industry News.
Moving swiftly on.
I think now would be a good time to talk about sponsorship from people other than my mother.
So, any companies that we've mentioned this week so far
that we could be talking about?
Bleetblab.
Bleetblab.
We're still here.
We're still willing to take your money.
How about Daniel Cuthbert?
Because, I mean, I reckon to keep his hair like that,
he must be earning a lot of money for hair care products.
We could get some SAST or DAST vendors to sponsor.
Ah, yeah, lgtm.com.
Checkmarks, Veracode, come and give us your side of the story.
Yeah, okay, here we go, here we go.
Let's just throw them all in.
Post a note.
Sponsored by...
L'Oreal.
Checkmarx, Veracode, Daniel Cuthbert.
Thomas. Thomas. Thomas.
Host Unknown, sponsored by L'Oreal.
Anyway, sponsors, that could be you. You could join a very, very elite list of sponsors of Host Unknown.
so actually that that um was it the first story?
No, the second story, actually, the one I read out about
the invalid privacy shield.
I find that really fascinating because this is kind of like
the second go-around on EU-US protection.
And it's after, what, five years?
Was it 2015 that Safe Harbor was found found to be invalid someone figured out it
wasn't any good yeah yeah yeah exactly so let's put in this much better thing and then suddenly
they realize that five years later it's not any good now obviously things change over time you
know and you know industry changes etc so you'd imagine that the the legislation regulation
would evolve with that but it doesn't seem to happen this way it seems like after five years
it's like oh fuck it it's broken let's throw it all out let's put companies you know international
businesses right in the firing line whereby yesterday they were complying with regulation
and law and today they're no longer complying,
even though they're doing exactly the same thing.
And I just find it fascinating that they're getting it wrong
so regularly, it seems, and so badly.
So what are they exactly getting wrong?
Do you know why it's invalid?
I don't.
If I'm perfectly honest, I haven't looked into it.
I mean, that's why I bring it up, because, you know, we should be discussing this.
So, I mean, ordinarily, I'd jump on the bandwagon to discuss this and say, well, you know, we
shouldn't have the US getting their grubby fingers all over the European data, and we
need to have better privacy shield equivalents.
But, you know, after several weeks of doing this this podcast
and listening to and you know going off on with you on my crusades about how privacy is so important
and um i've reflected on a lot of what andy's been saying and uh you must have had some alone time
or you need to you need to reinstall twitter on your phone because you're
obviously that's it um and you know what i've got to say i think i think andy's right in in a lot of
things what what hang on is this the point where i go no no no seriously or is it the point i think there's so many times where
like i've i've just got outraged because oh privacy without fully thinking through the fact
that it's it's more of an emotional decision than than a practical one and and you know we gave him
so such a hard time over like tiktok or or that and then when
i was off and you know graham and graham and carol on and like you know it was the same thing and
actually if you go back and listen to them andy's talking sense and we're all sounding like those
extremists like frothing at the mouth saying no no no tinfoil hat wearing people and he's a fatalist is what it is no i just remove emotion for my
decision making that's the uh yeah ultimately what am i getting to at the end of it and
i mean yeah if you look at something like facebook right where you know i will go on i've got lots of
old school friends on there. Um, again, you know, I'm not a big Facebook user, um, but, you know, if I log
in every now and then, you know, someone sends you a link, it automatically opens and you go in. And also, we all know you
have to maintain your own account because if you delete it someone else may create an account in
your name um and you know yeah which episode was that yeah falsely represent you uh however you
know, if I scroll through Facebook, despite the whole Cambridge Analytica, despite the fact it listens to you through your microphone, despite everything that Zuckerberg does to capture your data, it still serves me content I'm not interested in. Funny video, right-wing bullshit, God knows what else, you know, US content specific to, like,
i'll send a nowhere alabama um yeah if i open tiktok it is generally hit hit hit hit hit like
all the content that i want it's already learned what i like and will continue to serve me that, you know, the, the state will assign you,
you know,
your own state agent,
you know,
to watch over you and make sure that he's given you the same content.
As opposed to the NSA guy,
who's like,
who's,
who's interests are very divergent from exactly.
I think what it is,
the NSA is sort of,
maybe it's one agent per,
you know, 30 people or something,
whereas, you know, China can afford to have one agent per person.
A one-to-one relationship.
Yeah, exactly. Much better.
With your handler. Is that right?
Is that the term for it, Andy? Handler?
We'll say handler, yeah.
No, you're absolutely right.
I think it boils down to the fundamental business model.
I mean, Facebook and Twitter and all these ones,
you make connections with people
and then the people you're connected with
kind of like force the information into your feed.
So if you're friends with someone
and you connect with them,
if they're into some weird stuff,
then they're going to post that and that's going to end up on your feed
and then you're going to find out all about you.
Whereas TikTok is completely the opposite.
You don't connect with people.
It's just through your interactions from the moment you install the app
and you start using it, through your interactions,
the algorithm gets clever and it just figures out the things
that you're interested in.
And that's why it's just hit after hit after hit.
But they're serving a different purpose.
One is connecting people to people
and the other is connecting people to content.
So actually, it's not surprising that you get hit after hit after hit.
No.
So, I mean, I think, you know,
that whole connecting to people model is overrated.
I think it should be.
Yeah, people don't like it.
You know, just if you're after the good content, then just do it.
And if that gives you hit after hit after hit, that's just a win-win in my perspective,
which also happens to be the name of my Chinese handler.
Oh, no.
It's the last five,
more than five minutes just
been leading up to that.
You went through this whole thing
just to set yourself up for that game.
Oh, my God.
I mean, hats off to you, Javad.
I have to say that was
as set-ups go,
that was a pretty impressive.
You had us.
You had us.
Jeez.
Win-win.
If you're listening, I'm so sorry.
Oh, dear.
Oh, my God.
Right.
Okay.
I'm sorry.
We're now having to move on.
Rant of the week.
Andy, please bring us back.
Bring us back.
Yeah, I don't know if I can top this one.
However, as you know, I don't often rant,
or there's not too much that makes my blood boil.
However, this one has angered me.
It's a company called Blackbaud, and that's spelled b-a-u-d at the end
and this is a company who and i know that uh you know both yourselves are fans of uh how companies
respond to um security incidents uh particularly breaches you know definitely most important you
know i think we're all yeah exactly i think we're all uh you know understandable that you know you
can't prevent everything uh however um you know how you respond to that speaks volumes for your practices and yourself as a company.
So there was an incident in May of 2020.
And I heard about this from a friend who works in the charity sector.
His company was impacted by this.
and so this company called Blackbaud you know they provide
third-party services to companies a lot of which are charities and they
essentially had a ransomware attack and they sent this email and I remember so
you know I sent this to you guys uh you know a couple of
weeks ago um and their whole approach to it was like hey look you know this stuff happened
uh you know if if you guys want to speak to the ICO or do whatever you want to do that's on you
you know they they literally just shifted the entire responsibility um you know onto the
clients that have been impacted you know they hadn't actually
contacted the ico themselves um and they're a u.s based company so you know they they had this
incident in may they didn't tell anyone until earlier this month um you know yeah it's been
quite a while um so you know may they got impacted july is when they announced it and this has been
on the bbc has also covered it you know
institutions that were affected include a lot of universities, you know, University of York, Oxford Brookes, Loughborough, Leeds, University of Reading, etc.
You know, some charities include Human Rights Watch, Young Minds.
Lots of these are the UK basedbased ones. And now these universities and charities are contacting their customers saying,
look, we're really sorry, but your data may have been compromised.
And so Blackbaud, they still refer to their incident in a printed statement, obviously.
In May of 2020, we discovered
and stopped a ransomware attack. Prior to our locking the cybercriminal out, the cybercriminal
removed a copy of a subset of data from our self-hosted environment. And so straight away,
you're saying, okay, well, data's been taken here, right? And I guess what's out there publicly is one thing, but then there is new information which has come out, which has gone directly to companies impacted.
And I guess the thing about this, what's making me rant about this is the approach that the company's taken.
So they have essentially said, look, it's okay, guys.
We've been all over this.
Okay. We used a third party negotiation company who is an expert in dealing with ransomware
threats. We were in regular contact with a cyber criminal from the time we shut them out the system.
So we know that this was only a ransomware attack. And thanks to the good work of the
Blackbaud security team, a shutdown was avoided.
And so they said, yes, yes, yes, data was copied.
But, you know, we actually paid the ransomware and the cyber criminal promised to delete that data.
What?
Yes.
And so they're claiming this is a success.
This is a success because they're saying, look, you know,
why would we believe that the cyber criminal kept their word?
And he says, well, quite simply, because their future business depends
on future targets believing that they will keep their word.
So their whole justification is saying, look, there's nothing to worry about here
because, you know, we're dealing with people who do this a lot
and we know they would have kept their word.
Just outstanding. Like, you know, to actually use this without even saying, look, sorry, we messed up.
You know, there's a vulnerability. We patched it. Lessons learned.
They've said, hey, look, this could happen to anyone. We got ahead of it.
We actually paid the ransom. Not everyone would have done this for you guys.
And a third party to negotiate.
And a third party.
Was that you, Tom, out of interest?
I noticed you were.
No, no, no.
You know how this should be read.
You need to have one of those American marching band music
playing in the background and have those American accents
like the NSA agent reading this out.
And that's where it would land.
You know, thanks to the good work of Blackbaud security team,
a shutdown was avoided.
Ew.
Does that work?
Not really.
Not really, no.
I'm thinking something far more patriotic.
So I actually see here a link's been inserted from Computer Weekly,
where again, media whore Javad Malik has commented.
It's like a DDoS.
Javad, security awareness advocate I know before,
otherwise known as the journalistic DDoS.
So how many of these things do you get asked to quote on jav um i get quote asked to quote on
about half a dozen a day blimey so okay so next week's challenge andy's to find a story that jav
hasn't quoted could be harder than we think. That's how many I send quotes on.
I don't get picked up on all of them
bastards.
So that's
not a difficult challenge.
So where do you stand on this then, Jav?
To save me reading your article,
do you believe the cyber
criminal has a strong incentive to keep their word?
Hell no.
Hell no.
no i mean you know oh well you know that lolzx 79 cats whores well we don't like them because they go back on their word well what's
to stop lolzx um whatever i said before from changing their name do you know what i mean
so oh well this new bunch we can trust this new bunch i mean it's
exactly i mean what's the stop them splitting out the client data and then selling them out
separately and then it's really i mean how can you prove oh here's some university of york data
we're not telling you whether it's from the blackbaud breach or whether it's something
that we breached them separately and then it's just muddied the water so much. Attribution is so difficult. Yeah. It's, yeah, utter, utter bullshit.
But yeah, Blackbaud Security,
if you want to come on the show and sponsor us,
then we'll give you a chance to deliver your side of the story.
That will escort, indeed.
You know, Blackbaud Security?
Host unknown.
Sponsored by...
Blackbaud Security.
Yay!
Wow, we're going to have loads of sponsors at this, right?
Loads of people
crossing us off their potential sponsorship
board.
But Mrs. Langford Senior,
I'm sure you still love us.
Indeed. Indeed.
Of course she does. Okay, thank you
Andy for this week's...
Rant of the Week.
By the way, gents, I hope you've noticed
that that traditional lag between me finishing a sentence
and the jingle starting has massively decreased.
It has. Have you been exercising or practising?
Both, in terms of you know lifting your finger and pressing the button exercising we know you struggle with
after uh the debacle with manual labor I've been practicing
I've been practicing
my little fingers
my little fingers
my fingers don't require any further exercise
oh dear
well I take
you know what
we're 10 minutes from the end of the show
roughly
or from the traditional end of the show
do you know what
do you know what's left it's i think little people yeah yeah i think absolutely so so jav it's time for
the little people
good points well made especially like the third point is this is this you saying you still don't
have a little people well maybe i can get one for you at some point before you finish edit
and then you can insert it in post yeah you you know how little editing i do you can have to get
it to me in like the next 20 minutes. You know what? It's just
been very difficult. So there's one
person who was more than happy
to provide one, but
his PR team
sort of shut him down.
It's like
they're scared of us. And then there was another
person... They just don't want to be associated
with Hogan, I know.
One or the other. Can't think of one.
There's someone else,
and they've been just very, very busy this week.
They've almost been as busy as Andy.
So.
I was going to say, is it Andy that you've asked?
No, no, it was Adrian we asked.
Ah, okay.
So.
And there's another genuine friend of the show
who said he'll get something to me,
but he didn't give me a time and then he hasn't given anything to me yet.
But that one, I'm sure, will be brilliant.
Has friend of the show Graham Cluley let us down?
No, it's not Graham Cluley.
It is, you know, I'm not going to ruin it.
It's going to be a big reveal.
That's a very Trump-esque statement going on there.
Yeah. Now, Andy,
let me message you.
I'll tell you who it is.
You can just share your opinion.
Let me bring up... Okay, okay. So
by that statement alone,
I'm worried.
Andy, let me message you.
Hey, this is perfect for a podcast, you know.
Yeah.
Come with us while we listen to Javad send Andy a secret message.
What could it be?
It's something that Tom's not going to like.
Well, I just don't understand how it's taking so long.
It's like, you know.
Oh, wow, okay. Right, I gotcha.
Oh, shit.
Tom, this may be something from your past.
There was one night you were very drunk
in a...
I thought she got deported, Jav.
I didn't realise.
I know.
Now, come on.
You're bringing things up from those days in my life.
Thank you.
Mrs. Langford Senior, please switch off listening now.
Okay, so, folks, that was this week's...
The Little People.
Or not, as is the case.
Or maybe not.
Yeah, exactly.
So, a good week this week, I think.
Certainly better than that crap we recorded or not recorded yesterday.
So, Andy, you say in your notes that you'll try to do a summary of things
like Carole did when she was on the show.
Do you know what this yeah this part i uh i did my my my writing that's my contribution editor um who goes by the name of javad malik only, yeah, so he screws up everything on the show notes.
When I left it shared, he decided to delete the previous
and as if he's got some sort of template going on.
And, yeah, it's kind of difficult.
I was like, you know, where did we get to last week?
What were the news stories from the PA Newswire
that we got to last week?
Yeah.
Yeah, no, I think, you know, when someone's trying to help
and they're just really not, you know, like when your kids are young
and they're, like, cleaning with crayons on the window
and you're like, I know you're trying to help, but, you know,
it's just, let me take care of this one.
Tom, did you clean with crayons on the window?
Maybe we could ask Mrs Langford Senior when she's on the show.
God.
Okay, so let's do a wrap-up then.
So we talked very knowledgeably about Daniel Cuthbert.
Well, Daniel Cuthbert and the static and dynamic testing new tools.
We had Jav's Meowbot Billy Big Balls.
We had some wonderful industry news.
We had Jav's massive, massive build-up to a one-line gag.
And we, what else did we have?
The Rant.
Oh, we had The Rant.
The Rant Ransomware.
The Rant Ransomware.
And we didn't have The Little People.
So is that it?
Have we wrapped that up?
That is such a comprehensive roundup.
It's like, you know, back in the day,
reading the Radio Times or a summary of the show.
Yeah.
I don't need a TV.
I've got the TV Guide.
Exactly. absolutely gripping
well hey next week uh one of you guys can do that
so we'll see whether our infosex dig actually uh covers the ransomware attack that's brought garmin
uh down oh really garmin yeah so they had to, they need to do
like a big out, oh, go on, Jav, tell us
which company you've already
provided a statement to on this one.
Oh, if you go to Computer Weekly,
you can see the storyboard.
Let me just put it in the...
Oh, man, I was actually kidding.
There it is, it's in the show notes.
No, we'll do that next week.
We'll do that next week.
I mean, this is perfect for podcasts.
Here, let me cut and paste something into the show notes
that only three of us can see.
Brilliant.
Excellent.
So, Javad, thank you so much for being on time this week.
Really appreciate it.
You're welcome.
Both times this week I was on time, unlike some people.
Indeed.
Indeed.
Andy.
I'm just going to say this.
Every article I'm reading of Joe, he always does this whole
could be uniquely damaging or could or potentially?
I noticed this is how you weasel out of that.
Litigation.
Yes, exactly.
There's a lot of corporate ass covering going on here.
And no, very much sitting on the fence.
And sorry, Your Honour, but that's how you interpret it.
What I meant was.
Look, I'll tell you.
OK, let's take a peek behind the curtain.
I want to end the show.
No wonder it runs to an hour.
This is important stuff, yeah,
and it's the least I could do for not having a little people.
What, hear more of your own voice?
Yes.
It works like this. i'm sitting at home
trying to decide watching tiktok on one of my kids phones and i'll get an email through saying
so-and-so company's got ransomware you're an expert give us your thoughts so-and-so journalist
is writing a story and that's the first i've even heard of the story yeah let alone have any insight
so so i'm like a stack of you know set phrases that you just cut i'm starting to see a few
yeah so i go to my mechanical turk
it it kind of like does a bit of basic googling to say was it ransomware if ransomware else data breach
else whatever like you know okay say well it could be really bad
uh sound authoritative uh right click find a synonym for some of the words so you switch it
around a bit and you send it off and as long as you do that within a time frame like half hour
or hour of the request coming in,
it normally makes it into the story.
It's all about being first.
That's why I'm on YouTube always commenting first.
I think there is disappointment
when you look behind the magician's curtain, isn't there?
Oh, dear. On that lovely note, jav thank you very much sir thank you and andy thank you stay secure my friends stay secure stop it stop it Host Unknown, the podcast, was written, performed and produced
by Andrew Agnes, Javad Malik and Tom Langford.
Copyright 2015, or something like that.
Insert legal agreement here as applicable and binding
in your country of residence.
We thank you.
Andy, your suggestion for Tweet of the Week was far better because Tom could have read that
and it would have been within his level of expertise.
Which one's that?
It's at the bottom with the alternate
content, which I suggest.
Do you know, I had to read that like five or six times
to understand it. What's Winnie the Pooh's mama's name?
Poonani.
Poonani.
You see, there you go.
But surely
it should be grandmother, because it's poo nanny this is
what it's logical it'd be poo mama so this is a whole text exchange like this guy like he posted
he's like man my sister's gonna kill me and that's where you know she started off i'm gonna knock
your fucking head out yeah he's like oh she's like why the fuck would you tell these kids winnie the pooh's mama's name is poo nanny
that's brilliant she'll still be grandmother definitely grandmother
it's nanny wasted i think there's just a generational gap going on here