The Host Unknown Podcast - Episode 161 - The Receding Hairline and Glasses Episode
Episode Date: July 23, 2023

This week in InfoSec (09:59)
With content liberated from the "Today in infosec" Twitter account and further afield

18th July 2011: LulzSec hacked the Sun newspaper's website, redirecting visitors to a hoax article claiming Rupert Murdoch died after ingesting palladium.
Hacked Sun site greatly exaggerates Murdoch's death
https://twitter.com/todayininfosec/status/1681469966527213568

14th July 2000: #Wireshark was released
Wireshark Is 25: The email that started it all and the lessons learned along the way

Rant of the Week (16:49)
French Assembly passes bill allowing police to remotely activate phone cameras and microphones for surveillance

French law enforcement may soon have far-reaching authority to snoop on alleged criminals. Lawmakers in France's National Assembly have passed a bill that lets police surveil suspects by remotely activating cameras, microphones and GPS location systems on phones and other devices. A judge will have to approve use of the powers, and the recently amended bill forbids use against journalists, lawyers and other "sensitive professions," according to Le Monde. The measure is also meant to limit use to serious cases, and only for a maximum of six months. Geolocation would be limited to crimes that are punishable by at least five years in prison.

An earlier version of the bill passed the Senate, but the amendment will require that legislative body's approval before it can become law.

Civil liberties advocates are alarmed. The digital rights group La Quadrature du Net previously pointed out the potential for abuse. As the bill isn't clear about what constitutes a serious crime, there are fears the French government might use this to target environmental activists and others who aren't grave threats. The organization also notes that worrying security policies have a habit of expanding to less serious crimes. Genetic registration was only used for sex offenders at first, La Quadrature says, but is now being used for most crimes.

Billy Big Balls of the Week (26:37)
OBITUARY: Kevin David Mitnick
https://www.dignitymemorial.com/obituaries/las-vegas-nv/kevin-mitnick-11371668

Kevin David Mitnick, 59, died peacefully on Sunday, July 16, 2023, after valiantly battling pancreatic cancer for more than a year. Kevin is survived by his beloved wife, Kimberley Mitnick, who remained by his side throughout their 14-month ordeal. Kimberley is pregnant with their first child. Kevin was ecstatic about this new chapter in his and Kimberley's life together, which has now been sadly cut short.

When his desire to push boundaries led him too far astray, he landed in juvenile detention and eventually served a couple of stints in prison. His time on the FBI's Most Wanted List was well documented in his New York Times bestselling book, The Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, and his other titles: The Art of Deception, The Art of Intrusion, both co-authored with William Simon, and The Art of Invisibility with Robert Vamosi.

Kevin emerged from his final prison term, which he deemed a 'vacation,' in January 2000. He was a changed individual, and began constructing a new career as a White Hat hacker and security consultant. He became a highly sought-after global public speaker, a writer, and established the successful Mitnick Security Consulting. In November 2011, he became the Chief Hacking Officer and part owner of security awareness training company KnowBe4, founded by close friend and business partner Stu Sjouwerman.

Industry News (36:23)
IT Security Pro Jailed for Attempted Extortion
Suspected Scareware Fraudster Arrested After Decade on the Run
NCA: Nation States Using Cybercrime Groups as Proxies
Scam Job Offers Target Uni Students
Industry Experts Urge CISA to Update Secure by Design Guidance
Biden-Harris Administration Unveils Smart Device Cyber Program
Estee Lauder Breached by Two Ransomware Groups
Old Roblox Data Leak Resurfaces, 4000 Users' Personal Information Exposed
Microsoft Strengthens Cloud Logging Against Nation-State Threats

Tweet of the Week (44:05)
https://twitter.com/mattjay/status/1681710314381770752

Come on! Like and bloody well subscribe!
Transcript
So we've got cameras on for the first time.
I know, I know.
But we're not supposed to talk about it because it's an insider joke, apparently.
Well, I don't know if it's a joke, but there was an observation that we are all wearing glasses and we have receding hairlines.
Exactly.
And all the glasses are very similar to the point that we were thinking about going to AliExpress, having them made up, having them as official merch made up.
Host unknown, branded.
Yeah.
Calvary and strength.
You heard.
You can go all the way from the Javvad "I really don't want to wear these, but I have to every now and then" through to the "where are we, what's going on?" strength of Langford's.
You know, you never know. You joke, but this is how many success stories start. People doing something completely different, pivot onto something else as a joke, and all of a sudden we are the premier designer glasses brand in the world for the infosec industry.
Yeah.
You heard it here first, folks.
Come to our stand at BSides.
Yeah.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us.
And welcome.
Welcome one and all to episode 165.
You're getting earlier every time. Every time. You just think you can get in front of me.
I'm helping you out. I'm helping you out.
Episode 161 of the Host Unknown podcast. Welcome, dear listener. Welcome one and all.
And gentlemen, welcome yourselves. Jav, Andy, how are we?
Good. Can't complain.
Excellent, Jav.
I can complain.
Would you like me to complain?
You get a few minutes every week to complain.
That's what this part of the show is.
This is where we hear about your neighbourhood watch,
your back alley, for now, for now,
and anything else in between.
You know, I only come on this podcast
because it's cheaper than therapy.
So cheaper money-wise, but maybe not emotionally.
No, no, no. And it doesn't help me whatsoever.
And to be honest, people only listen to this podcast because it helps them feel better about themselves.
Yeah, that's right. That's exactly it. That's it. We're doing a public service right here.
Like there's someone on a bridge about to jump off and they heard the podcast say,
wow, I've got it easy compared to these losers.
No, what it is, he's on the bridge and there's a huge if true.
Oh dear.
And welcome to the podcast that jokes about suicide.
Yeah, yeah. But you can joke about that, can't you?
Well, not that you've actually successfully committed suicide.
I can't even get that right.
Loser!
I mean, I wouldn't recommend it. It's bloody dangerous. I nearly killed myself.
Yeah, but yeah, yeah. Oh dear.
So, yeah, no, I just noticed, because we've got the videos on, I'm seeing that I'm having my coffee from a Spider-Man mug. Tom's wearing a Doctor Strange t-shirt.
And I'm trying to think how Andy's repping
the Marvel Universe.
And I think it's just from his poor
kingpin from
Wish.com or kingpin
after going on a
crash diet.
But you know, kingpin, I used to
use that as my profile picture
at my last company on WebEx.
And very few people picked up on it.
No, and it was a very good likeness.
I think, you know, when you were like, what is it?
Anti-kidnap size.
Yeah, kidnap resistant.
Kidnap resistant.
When he had to set his camera to widescreen.
Yeah.
So how's your week been, Jav, anyway?
Oh, it's been a busy week.
It's been a busy week.
I think just before the summer holidays,
everyone's desperate to try and get their marketing activities ramped up
because August is going to be dead for most people.
So there's been like a ton of webinars and everything like that going on
and what have you.
But it's been a good week.
I can't really... well, no, like I said, I can complain, but I won't. I'll spare you the complaining this week. How's that?
Very good, very good. And Andy, what about you? Without the word busy.
Productive. Outside of work, productive. Inside, outside of work, I actually managed to get my company accounts done.
Oh.
Which I noticed that, like, looking through the last few years' accounts, I've always paid a fine for filing late. And yeah, this year they're due by the end of this month, and I've gotten them across to my accountant. Well, now it's on him to file them.
Right.
Well, exactly. But I've done my bit.
Yeah, yeah. Because normally you're like months behind, aren't you?
Yeah. And they double the fine every year, and I'm like, I don't like the pattern, I don't like where this is going, because this year it doesn't, yeah, it doesn't look good.
But there's an exponential growth in there, which you're not too happy with.
Yeah, exactly.
And to be fair, he actually hassled me to file them early this year.
But hey, that's his job, so I'm not going to give him credit for that.
You did send us a picture of all those unopened bank statements.
Yeah, I did.
So, you know, plausible deniability.
I've not traded at all, you know, in the last 12 months, so there's nothing to do. But I had to realise I've got a lot of costs which I attribute to that business, which...
Which you shouldn't be saying publicly.
I'm just kidding, Mr HMRC, caught you listening.
Yeah, the podcast is listed under comedy, I think.
How was your week anyway, Doctor Strange?
Yeah, very good.
I've been working from home this week, so that's been nice.
So you got the cleaning done?
Yeah, got the cleaning done.
I did, I cleaned the kitchen sink and everything.
And let's see
All caught up on
Secret Invasion
And Marvel
Star Trek Strange New Worlds
Been catching up on that
Watched a couple of films
What's Strange New Worlds on?
So Star Trek, it's on Paramount Plus
Have you subscribed to that?
Just for Strange New Worlds, yes.
Wow.
I refuse to subscribe to that.
I think there's too many streaming channels now.
Yes.
Yeah, there is.
That's why I drew the line when they moved stuff to Paramount.
Yeah, well, I subscribe for the period of time it takes me to watch it.
So there's a guy not too far from where I live.
You can subscribe to one of his boxes and it gives you all the channels.
Just kidding!
Yes!
You say that,
I'm actually just making my way
through season three of Picard.
Oh, it's so good, isn't it?
It is so good. It is like the best Picard
season.
Yeah.
And they've got all the... They've done it right where they've mixed in nostalgia
with the old characters,
but with a really solid plot.
No, no spoilers, no spoilers.
And it is just my favourite Star Trek spin-off
for a long, long time.
I like the new captain of the...
Oh, he reminds me of you, Tom.
Well, the stickler for the rules and the pain in the arse.
Yes, exactly.
He's really good. I like him a lot.
I like him a lot.
It's like Tom circa 2008, I think.
Like, you know, it's...
It's like, why are you sending me this on WhatsApp?
This is a family phone.
I have my photo gallery synchronized with my Apple TV.
Yeah, that was on you, man.
Yeah, not anymore.
Well, actually, it doesn't matter anymore.
You know, what can I say?
And your kids are growing up a bit more now.
Yes, exactly.
They don't need to see your backsides.
No, no.
But it reminds me of the time you went to the museum, Andy,
and you were on the train on the way back and you were showing your wife and I think your sister or something,
like, the photos.
Yeah, stuff that comes up.
Something inappropriate.
But I said, look, that's why you never go through my phone, right? That's on you. If you go through my phone and see stuff you don't like, that's on you. Put it out there from the beginning, right?
Well, talking about things that we don't like seeing, let's see what we've got coming up for you in the show this week. This Week in InfoSec reminisces about reporting the death of a media mogul.
Rant of the Week is a government abuse
that is less ooh-la-la and more sacra-blur.
Who came up with these titles?
Billy Big Balls is about a reformed criminal.
Industry News brings us the latest and greatest
discursive news stories from around the world.
And Tweets of the Week helps to make you feel better about yourself.
So let's move on to our favourite part of the show.
The part of the show that we often and regularly and every week call...
This Week in InfoSec.
This week in InfoSec.
It is that part of the show.
We take a trip down InfoSec memory lane with content liberated from the Today on InfoSec Twitter account and further afield.
And today, our first story comes a mere 12 years ago from the 18th of July 2011 when LulzSec hacked the Sun newspaper's website,
redirecting visitors to a hoax article claiming Rupert Murdoch died
after ingesting palladium.
So this is, yeah, I mean, do you remember LulzSec, right?
Doing it for the lulz?
I don't think we've had a group like that since. It's all been, like, ransomware. And, like, they're the ones with the top hat and the monocle.
Yeah, exactly. You know, I mean, even when LulzSec were out, you know, I know I was complaining that they weren't as good as evil angelica and, you know, they're a bit too modern. But now I kind of miss LulzSec when you compare them to today.
Hitting hard, it is. But they posted this article about... they basically edited the website and they had a good photo of chemicals found in a house, and, you know, they've done the article saying, like, you know, Rupert Murdoch, controversial media mogul, reportedly found dead in his garden. And then they'd gone through the whole thing, you know, officers on the scene report a broken glass, a box of vintage wine and what seems to be a family album strewn across the floor containing images from days gone by. Yeah, some containing hand-painted portraits of Murdoch in his early days done in a top hat and monocle. There's a good little nod to their own, you know, self-referencing. But yeah, we just don't see these types of hacks anymore. I don't want to say it's, you know, harmless fun, because obviously there's always someone who, you know, gets hurt, even if it is Rupert Murdoch, and let's face it, we're not overly concerned about that. But, you know, there isn't this kind of harmless stuff going on anymore, is there? At the moment it's all about money. It's all very serious.
Yeah, it's all commercial. But I mean, to be honest, no one goes to the Sun for news.
Well, if you want to feel old, like, you know, the LulzSec lot had their run, they got busted, they got caught,
they served their time.
They're out of serving their time.
And now they're legit security professionals now.
They're on the speaking circuit and everything, aren't they?
And we're going to be talking about that in a little while as well, aren't we?
Oh, brilliant.
But our second story takes us back 25 years to the time when Wireshark was released.
Hang on, we did this last year.
And we did do this last year.
But as Jav pointed out, that was only 24 years ago.
This is 25.
This is the quarter century.
This is the big one.
And we've actually got the email that started it all on its journey.
And it was from Gerald Combs,
or Combs, who sent it.
Subject, announce,
Ethereal 0.2.0.
Ethereal is a network analyzer
that lets you capture and interactively browse
the contents of ethernet frames.
Packet data can be read from a file
or live from a local network interface.
More information, including the source distribution,
can be found at ethereal.zing.org.
Comments and patches are welcome.
It's brilliant.
So they changed their name in 2006.
But as a network packet analyzer,
I think it's still probably the de facto one.
It's one you go to, right?
There's no commercial version that's really worth looking at.
Well, not unless you're really going deep.
Yeah, but there was...
So remember the old DEF CON?
Well, it still goes on, I'm sure, DEF CON.
They do the whole Capture the Flag competitions.
And I remember there used to be...
I think it was Shmoo Group used to capture all the network traffic
during Capture the Flag
and then make all the data available for download, so you can actually see how people hack boxes and, you know, what the other guys were doing to sort of defend their boxes at the same time. Obviously, you know, three days' worth of network traffic, particularly back then... not, you know, you can order, you know, 2000 DVDs' worth of network traffic if you're really that interested. But yeah, it's amazing. 25 years old and still going strong. And it was released... it's free, right? It was that freebie.
In fact, many people are doing good on the internet.
Yeah, many products like that would have been commercialised long... Yeah, I mean, the whole foundations are laid on tools like this that people spun up for free and what have you.
And, you know, this is why there's that meme like about how the Internet works.
And like right at the bottom of the key point, this is a really thin strut.
And it's like some open source thing that, you know, Bob's been maintaining open source for the last 30 years in Canada or something.
Yeah.
But I tell you something really weird.
I had this moment of, like, absolute realisation, you know, where you don't realise how time is. So I clicked on Gerald Combs' website to read the thing, and then there's a link there saying "read my tweet", so I've gone to his Twitter account. And in my mind, I don't know why, I was thinking there's going to be a really young person running the account. And then it just clicked. No, he released the tool 25 years ago. He must have been at least 25 or 30 when he released it. He's 50 plus. He's our age.
Yeah, yeah.
Whoa, whoa, whoa, whoa. Come on, come on. My age starts with a three.
Age starts with a three? Yeah, you're thirty-seventeen, aren't you?
Yes. I will not hear any other...
Brilliant. Excellent. Thank you, Andy, for this week's...
This Week in InfoSec.
we're not lazy when it comes to researching stories.
No.
We're just energy efficient.
Like and subscribe to the Host Unknown podcast
for more ESG adjacent tips.
I realise that we've never actually,
we've never seen each other when we've recorded
apart from when we used to sit in the same room together.
Which we only did once.
Yeah, but it's funny to see Tom look like a proper radio DJ
as he leans over to press jingles and stuff.
Going, fuck, fuck, fuck, fuck, fuck.
Yeah.
Right.
Talking of some real professional work
We've got a doozy for you on this one
On this week's
Listen up!
Rant of the week
It's time for mother f***ing rage
So what do you think of
What comes to mind when you think of France
Recent events notwithstanding
Of course
Riots
No, recent events notwithstanding.
Riots.
Decapitating
monarchs.
Yeah.
But quite a relaxed
culture.
They don't like doing more than
35 hours a week
work. Strong employment rights.
Strong employment rights.
Lazy croissants, cheese, champagne, and something else that came to mind.
Black and white porn.
I don't know.
No, definitely not that.
Late night Channel 4.
With the red dot in the corner.
Yeah, kids, look it up if you don't know what the hell we're talking about. Channel 4 red dot. Worth a look. Yeah, so it's kind of, you know, it's a relaxed country. Yes, they like to, you know, mix it up a little bit every now and then with a bit of rioting, etc. But hey, you know, that's protest against, you know, stuff that might affect their 35-hour week or 30-hour week or whatever it is.
But, you know, what we don't think of, certainly when it comes to the French government,
is almost like a totalitarian sort of form of government, which is, you know, snooping and getting up in everybody's business, all that sort of stuff. Well, the French Assembly has recently passed a bill that allows police to remotely activate phone cameras and microphones for surveillance.
Wow, that's not going to be abused at all.
So yes, there's lots of caveats here.
So let's get a little bit deeper.
So they may soon, it's still going through the process,
but they may soon have the ability to snoop on alleged criminals.
This bill lets police surveil suspects by remotely activating cameras,
microphones, GPS location systems on phones and other devices, whatever that may be. I'm assuming
iPads, laptops, etc. A judge will have to approve the use of the powers and the recently amended
bill forbids use against journalists, lawyers and other sensitive professions, according to the newspaper Le Monde.
The measure is also meant to limit use to serious crimes and only for a maximum of six months.
Geolocation would be limited to crimes that are punishable by at least five years in prison.
An earlier version of the bill passed the Senate, but the amendment will require that legislative body's approval before it can become law.
So it's not quite in place, but let's just break this down a little bit.
So firstly, there's there's a technical side.
So in order to access a phone's microphone and camera and GPS location, one, you need to, you know, break into a phone, right? You know, presumably that requires, you know, either physical access or access via a back door by the manufacturer. So do they already have that?
Yeah, maybe they pre-installed Pegasus on every phone in France before it goes into France, or before they can even sell it.
But certainly, you know, that may happen
with Android. Less likely with something
like Apple, who have historically
been, I know, I know, but they've
historically been, you know, refused
to unlock devices, for instance.
A number of cases in the US where they've
refused local law enforcement requests
to unencrypt or
break a device.
They even actually said yesterday that, you know, the UK is trying to push through that backdoor to encryption, and Apple have said that they would remove iMessage and FaceTime from Apple devices if, that's right, if the government mandate that.
how is a single man supposed to get a date
if all his texts arrive in green text?
Oh, God.
That's, I mean,
won't somebody think of the middle-aged single men?
Anyway, so, but you're right.
So there's a big fight going on here.
But there's a practicality to this anyway.
So maybe that's going to involve, you know,
how devices are hobbled
before they even enter France to be sold, etc. But what about people who are bringing in their own devices from outside, or countries that don't have these laws anyway? But then you've got this, well, thin end of the wedge, frankly. So yes, I said it's for serious crimes, they can only do certain things for certain periods of time, etc., etc. And journalists have been carved out and forbidden from being subjected to this.
But it's going to be abused.
There's no doubt about it.
It's going to be abused.
And someone somewhere is, you know, some police officer is going to use it to surveil on someone, you know, an ex-partner or someone they're stalking or something like that.
And we've seen these abuses of power virtually in every country and in every sort of form of law enforcement.
And, you know, they'll be punished, big, big hoo-ha about it.
But then it's going to continue to happen, continue, continue.
And then suddenly, oh, well, we need it, especially, you know, yes, it's a journalist, but it's a journalist who's working for what we suspect is working for, you know... Same principle with, you know, the loss of encryption and backdoors and things like that.
At some point, it's going to break down.
So reading this and, you know, civil, sorry,
civil liberties advocates are quite rightly alarmed by this.
So there's a French digital rights group,
La Quadrature du Net,
previously pointed out the potential for abuse.
As the bill isn't clear about what constitutes a serious crime,
so there's absolutely no clarity on that,
there are fears that the French government might use this
to target environmental activists, for instance,
and others who aren't grave threats,
but who just happen to be, you know, flavour of the month for the government that is in power at the time as well.
And let's face it, maybe this government wouldn't consider doing these sorts of things, but the next government might.
The organisation also notes that worrying security policies have a habit of expanding to less serious crimes,
which we just mentioned. Genetic registration was only used for sex offenders at first,
La Quadrature says, but is now being used for most crimes. So this is the very definition of
a slippery slope. And the fact that it's happening just so close to home,
you expect this, I would have expected this in, I don't know,
Syria, Turkey, Russia, China, whatever.
Even possibly in America, I would have expected this.
But do you think that the government just sort of said,
look, they're already rioting.
What are they going to do, riot more?
Yeah, exactly.
You can't riot twice. We might as well slip in all the stuff that's really... Well, it's like, you know, releasing bad news on a big news day, right?
Yeah, it's that kind of thing. So yeah, I'm just shocked. And I know when I shared the story with you guys, it was like, what the fuck? It was absolutely incredible.
When who shared the story?
Who was it?
Oh, it was you, wasn't it, Jav?
No, no, my story, I shared it.
Come on, stick with the script, man.
Stick with the script.
Sorry, sorry, sorry, sorry.
No, but, you know, this is just like our anti-terror bill that went in, what, 2001 or something? RIPA, investigatory...
Yeah, it's just like, same thing. It's just now everything, anything you want done, ah, it's part of anti-terror legislation and what have you.
Or children.
Yeah, yeah, yeah, yeah, yeah, that's the excuse. Fighting terrorists or protecting children.
Yeah, never mind the middle-aged single men.
No. But this is like, I suppose, the French government, they just got... they've waved their white flag to every external threat there is.
And so they just turn their focus inwards and say, okay, what can we do?
Let's just like attack our own people.
Oh my goodness. That's bringing all those stereotypes, shall we?
We'd talk about the Spanish Navy that have got, you know,
glass bottoms on their ships, they can look at the last Spanish Navy, blah, blah, blah, blah.
And on that note, that was this week's... Rant of the Week.
You're listening to the host unknown podcast,
Bubblegum for the brain.
All right, Jav, you got a big one this week. In fact, you got a...
Yeah, absolutely, a very big Billy Big Balls. It's over to you for it.
Yes indeed, this is probably the biggest of Billy Big Balls that I've ever covered on this section.
And it's a bit of a sad one, but it's a moment of celebration as well, I think, and a moment of appreciation.
So a few days ago, Kevin Mitnick, age 59, passed away.
He did have pancreatic cancer for more than a year.
So, you know, he was battling that.
And then, unfortunately, he lost that battle.
But for those of you who may be living under a rock
with their fingers in their ears on Mars,
who might not know.
Or if you're a younger generation.
Yeah, or if you're a younger generation.
But I think anyone that joined in the mid-90s, early 2000s in the industry, whether you liked
him or didn't like him or disagreed with some of his approaches or whatever, you cannot
deny the impact that Kevin Mitnick had on the industry
I remember it was about 2001. I was only a couple of years in my career, and at that time I was, I still like, it's a job. And I went to one of these user groups. It was run by Stephen Bonner, friend of the show, Stephen Bonner, if you remember him. Deputy ICO these days.
Deputy ICO, I know, yeah.
Wow.
But he had a book.
It was The Art of Deception, written by Kevin Mitnick.
And he was saying, oh, I'm reading this book at the moment.
It's a really good book if you want to pick it up.
So I went and picked it up.
And that really opened my eyes.
I was like, this is absolutely amazing, because at that time I'd never been to any conferences. I mean, in the UK we really didn't have any conferences or anything like that. So it was, like, really early on, and I thought, this is just so cool. It was so well written, and it was one of those cleverly marketed books. It was like, this is a work of fiction.
Like, these are theoretical scenarios.
And, you know, it's all from his life.
It's all from his life.
And, you know, so he was like a big inspiration for me in that way that, oh, this industry can be fun.
And there's lots of cool stuff that you can do outside of just like monitoring, you know, Windows logs and trying to find like
if someone made a change without raising a change ticket or an incident for it beforehand. So it
really opened my eyes. And like most people, like, you know, he brought a lot of things to the
forefront. I mean, I think equally, his exploits were only matched by his marketing and promotional prowess.
So he was able to really put on a show.
He was a really good entertainer and educator.
So he paved the way for many that followed.
He obviously did his stints after he was placed on the FBI's most wanted list.
And then there was the infamous Free Kevin movement, where even people who had no idea who he was or what he did, they just jumped on the bandwagon with, like, let's free Kevin. And so he was like that face of the industry. He published a book after... he's written three or four books, and I can't remember, I think it might have been The Ghost in the Wires, and at that time that was the autobiography, in effect.
Yeah.
And at that time I was more frequent in doing my videos, my YouTube videos, and my daughter was very young at the time, and she used to accompany me, and me and her done this, like, this review of his book in a very tongue-in-cheek manner. And it was quite funny, as I like to say, mainly because I was exploiting the cuteness of my young child at the time.
That's what we make them for, just to be exploited.
Yeah, exactly. Oh yeah. And that year, then, I was at Black Hat and he was there doing a book signing, and as I was walking past I was looking at him, and he looked up, saw me, he goes, hey, you're the one that done that video. And he's all like got off and, like, said hey, how much he enjoyed it and what have you. And I thought, oh wow, that's cool. And then, like, yeah, then about four years ago I landed my current job where I'm at now, KnowBe4, of which Kevin was like a co-founder, and the core product is named after him. Like, KMSAT is what is the core product, which stands for Kevin Mitnick Security Awareness Training. And so I went to Clearwater, Florida for my induction and everything, and I bumped into him there again, and he was like, holy shit, what are you doing? It's all like, you're following me around kind of thing. He was such a great storyteller. You know, one of his favourite exploits, he says, like, when he was young, and he's spoken about this many times, is he was able to compromise the McDonald's ordering speaker. Like, so where you walk up, where you drive up in the drive-thru and you say, like, hey, I'd like... So he's able to compromise it, and so he was in the bushes across the way, across the road from it. And people would drive up and they'd say, hello, welcome to the Daylights. I'm going to have a Big Mac.
And he'd be like something like,
could I recommend the salad for you today?
Or things like that.
So, you know, there's tons of like harmless pranks he used to do.
He was just like more of a prankster at heart.
He never really did it for the money.
It's like we were talking about LulzSec.
It's, you know, not for the money.
It's mainly for the lulz and for the knowledge and what have you.
He had this other story where he said he got a universal remote and walked down the street and looked through people's windows. If they were watching TV, he'd change the channel, or turn the volume up or down, or turn the TV off and what have you, and people would start getting increasingly frustrated.
So he was, I think, one of the original Billy Big Balls in our industry, and he contributed a lot to it, and I think his legacy will definitely live on for a long time.
He was a controversial figure, because I know a lot of people, people I know in the industry and respect as well, who have no truck with him whatsoever, because, you know, he's a criminal, he went to prison for his crimes, and now he's off profiting from it, and that is wrong, etc., etc. So, you know, and I'm not trying to sort of balance this out, as it were, but I guess what I'm saying is that that controversy actually helped his success. There's no doubt about that, you know, because there's only one thing worse than being talked about, and that's not being talked about, right?
But I think ultimately he came back to the industry to do good, and he came back to actually improve things. And, yeah, this story's got everything that we always clash about: it's got a criminal, it's someone you look up to, it's, you know, all that sort of stuff, someone you're lauding. But frankly, I think this is a great example of a Billy Big Balls. I think he made an impact and he improved the industry as a result of what he did.
But he was also one of those original, as Jav mentioned, you know, he was one of the original characters that did, you know, get caught, go to prison, come back, make a career out of it. But you've got to bear in mind, back then it was so new. Like, in '95 when he was arrested, he was barred from ever using a computer again.
Yeah.
Or any other electronic device, including modems or pocket organisers at the time, as the court... Can you imagine, like, the birth of the internet going mainstream? You're told you can never use a computer again.
It was just such a disproportionate...
Well, they didn't know how to handle it.
There weren't laws for this.
No, they just knew something had...
They had exploited something and therefore they'd broken the law somehow.
They just didn't know how, and therefore kind of made it up.
But there were so many trumped-up charges.
He was put into solitary for, like, 18 months.
Yeah, because the lawyers convinced the judge that if he had access to a phone he could whistle the code...
Yeah, that's right.
...to launch missiles.
Absolutely bizarre.
Yeah, exactly. So, yeah. No, very good. Very good.
He was a bit of a legend.
And, yeah.
Rest in peace.
Yes.
Thank you.
Billy Big Balls of the Week. People who prefer other security podcasts
are statistically more likely to eject USB devices safely.
For those who live life dangerously,
you're in good company
with the award-winning Host Unknown podcast.
And I've still got those awards
that I was asked to pick up on my shelf just next to me.
Smashing, you might get them at some point.
And talking of at some point in the future, Andy,
what time is it?
It is that time of the show when we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news
from around the globe.
Industry News.
IT security pro jailed for attempted extortion.
Industry News.
Suspected scareware fraudster arrested after decade on the run.
Industry News.
NCA: nation states using cybercrime groups as proxies.
Industry News.
Scam job offers target uni students.
Industry News.
Industry experts urge CISA to update Secure by Design guidance.
Industry News.
Biden-Harris administration unveils smart device cyber programme.
Industry News.
Estee Lauder breached by two ransomware groups.
Industry News.
Old Roblox data leak resurfaces: 4,000 users' personal information exposed.
Industry News.
Microsoft strengthens cloud logging against nation state threats.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
Now, I'm intrigued by the Estee Lauder story
because Jav started bouncing around in his chair when we...
Well, I think that was the signal for a spit roast.
Yes.
They got it from both ends is what he was implying.
Oh, I see.
Not he's quoted in that story.
No.
Oh, is he?
No, I'm not.
Oh, I'm disappointed.
I'm disappointed.
You never can tell.
I provide quotes for so many, I can't remember.
He outsources his quotes to chat GPT.
No, no, never, never, ever, ever.
Is that both your fingers crossed on both hands?
And toes.
But I suppose they were attacked by two groups
because they're worth it.
Oh, very good.
So it's focused on, I'm just trying to see, so the Clop ransomware group was one of them.
Clop.
And ALPHV/BlackCat were the other.
So, I mean, do you think these guys sort of bumped into each other in the systems and sort of said, you know, after you, no, no, after you? They divided...
Yeah, Spider-Man, Spider-Man pointing at each other.
Yeah, wow.
God, what are the chances you trip over the same company when you're hacking?
We got here first.
I was interested.
This suspected scareware fraudster arrested after a decade on the run.
So this is a suspected scammer who used scareware to trick hundreds of thousands of global victims into handing over money, and who was arrested by Spanish police.
So it's Ukrainian national.
So this goes back to stuff that he did between 2006 and 2011.
So he had five years' worth of work before he obviously took retirement.
And in 15 years, we're going to run a story on him
about how he came out of prison, founded a company,
and he's a Billy Big Balls, but I'm going to pick up Jav on it because he was a criminal.
Yeah, so in terms of...
It doesn't actually say how much he...
OK, it's claimed.
So he basically sold fake software.
Yeah.
And then...
Or fake antivirus software.
No, OK, so victims' machines were infected with malware.
So he was selling the...
So he infected a machine with malware,
and then they claimed they could clean it
by paying $129 for fake antivirus software.
It's claimed he made $70 million over a five-year period.
Wow.
Nice.
Which is good.
And then, you know, if he moved to Spain,
he's not spending that much.
Probably worth it.
Do you know, if you do the maths, you're probably thinking,
you know, maybe worth it.
I don't know.
When he gets charged,
I don't think he could spend much time in prison.
No, and he's probably buried half the money
under a swimming pool out there or something like that.
Yeah.
Yeah.
That's an example of a risk,
acceptable risk, I think.
Yeah.
On balance.
Is that speaking as someone who reports into a lawyer?
Pleading the fifth.
I'm sorry, sir.
This is the UK High Court.
I was looking at this Biden-Harris smart device program,
and it's a voluntary certification and label initiative for smart devices,
so it's pretty much useless.
Yeah.
Although, in fairness, as a consumer, if you're aware of it, and if you see that somebody has taken part in that programme, it would be a good indication that you should buy those products and not someone...
No, the only two indications are: is it cheaper, and is it available on Prime.
And that's... yeah.
Yeah, okay, so it's the third consideration, then.
So, do you know, okay, so do you actually know what the initiative includes?
No. No, because we've read the headline.
Yeah, no, I clicked on the article. It includes following NIST guidelines for strong default passwords, software updates, and incident detection capabilities, as well as proactive pen testing and vulnerability assessments.
And so basically all the things you should be doing anyway.
Well, yeah, which, to make this voluntary, I think is pretty terrible. You know, it's like I saw this post on LinkedIn, and they were talking about how companies sometimes offer their perks and say, like, 28 days' paid holiday, maternity cover, flexible working one day a week. And say, this is the bare minimum you're required to do, my lord. This is not a perk of the job, this is what you have to do, my lord. And that's what these sound like as well. It's just like, these are the bare minimum you should be doing if you're creating...
Didn't the UK release some guidelines on this, but it's mandatory in order to sell products in the UK?
Yeah, we were part of that working group, weren't we, Tom?
Well, we went for the dinner.
No, we went for the whole day.
We went for the day where we...
No, it did carry on after that.
Yes, yes, it did.
There were, like, 20 weeks of meetings we didn't attend.
No, it doesn't.
No, no, but we were part of that working group.
That's the story, Tom. Don't ruin it.
Yes, we were. Yes, we were. That's what goes on LinkedIn and on your CV: I was part of the influential working group that informed government policy.
And so what was your main contribution to the working group?
Well, I ordered the wine at the dinner.
You paired the wine excellently.
Exactly, yeah.
Oh dear. Right, let's move on, shall we? That was this week's...
Industry News.
if good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
Right, Andy, take us home, please.
This week's... Tweet of the Week. And we always play that one twice. Tweet of the Week.
And this week's Tweet of the Week comes from Matt Johansen, and he poses a question to the Twitterati, and he says: hey, InfoSec Twitter, what's the biggest, most expensive mistake you've ever made? And I like this because, you know, there's some things that I know occurred in my past where I'm like, actually, how the hell did I stay employed after that?
One: a very famous, well, it used to be famous, transactional website in the UK. I forgot to re-register the domain, or renew the domain registration, and woke up one morning, had a whole shitload of alerts on my BlackBerry saying, you know, the website was down. But, you know, we could access it, RDP into everything. You know, couldn't figure... I just forgot to renew the domain with Network Solutions.
And so, yeah, so you fixed it?
So I fixed it, yeah. And another time, whatever I was doing, I was playing about with, I was testing something, and I switched all the data sources for the actual web service to a development server for payments. So we weren't actually taking payments for the space of, like, four hours. And so people were getting access to all the data. So, you know, the web logic on the front end was saying the accounts were valid, but on the back end the payment system was still on dev. So we weren't getting any money, but everyone was getting the product. Yeah, so I'd hold my hands up to that.
But just seeing what some people have done, it's a great thread. Like, there's one guy who said he accidentally unplugged the servers for a huge company, realised what he'd done...
The plug was in reception?
He said, yeah, I know. So he left the building immediately, changed coats, put his glasses on, came back 30 minutes later and apologised for being late. Just denied all knowledge.
My man.
And, yeah, another guy said that, you know, he didn't test backups before tearing down a decommissioned EMC SAN. He said: very expensive rebuild. But, yeah, just the whole story.
I mean, we've all done stuff like that.
I remember, it was a smaller one, but I remember at a company, Exchange Servers, Exchange 4, I think it was, something like that. And we had a leaver, so I was going through the JML process, making sure I get it right, and was removing the user. I backed up from the Exchange server, I backed up his data, and, I think, there were two guys with very similar names, and then I deleted the account of the wrong person. Completely deleted the mail account. And this guy was on the other side of the floor to me, and you could see him going...
And so I wandered over to him and said, Richard, Richard, Richard, something's gone wrong. Your mail account, I don't know what's happened, it's completely disappeared, don't know how. I'm going to restore it right now from last night's backup. You're going to lose your stuff from this morning, but it should come down eventually. But...
Oh, thank you, thank you. Oh, thank you, I'm right in the middle of a bid, and blah blah blah.
Fecking hero.
Yeah, yeah. You know, to make you feel a bit better, there was one of our security leads at a bank, and they were in charge of implementing this new identity management tool across the entire bank, so across all the domains and everything and what have you. And when it went live, what they found is that, say, like, Tom Langford leaves. It's meant to look for one Tom Langford, but if there's anyone else called Tom Langford in the organisation, no matter which subdivision they're in, it's like, ah, there's Tom, let's delete him, let's delete him, let's delete him. So, like, all of a sudden, if you had a common name, like if you're John Smith or something, you'd be getting deleted every week. So they quietly, after two years and, like, several million in implementing that, they quietly just turned it off.
And then, like, a few months later, that security consultant was no longer working there.
No one knows why.
He went to pursue other opportunities.
Oh, my goodness.
Oh, my goodness.
But on that tweet, actually, on that tweet thread, I've seen something from Andrew Hay. And this is more of a personal mistake, he said. He said: I left a considerable amount of money, and in brackets he said millions, on the table after the OpenDNS acquisition to leave, became the CISO of a startup that raised 94 million from the biggest Bay Area VCs, that pivoted me out of a job within the year and then fire-sold itself.
Oh, that's... Andrew Hay, we know, right? That's a friend of the show.
Friend of the show, yeah. He's a rugby coach. He's the one that recruited me for my job at 451, in the sense that he was leaving and he told Wendy, I'll help you hire my replacement. And then he sold it to me like, this is a brilliant job, I pretty much work only three hours a day.
Because he left to go to OpenDNS, I think, didn't he?
Yeah, I think so, yeah.
He's been to quite a few places.
I think he's been at Lares for the last few years.
Right, right.
Gosh, yeah.
Oh, I hate those kind of things. Anyway, not as cheery as we'd hoped, but there you go. That was this week's Tweet of the Week.
So we have collided with the brick wall and the end of the road. Gentlemen, thank you so much for your time today. Jav, thank you for your attendance, contribution, good wit, humour...
And beautiful smile.
Damn good looks, that's the one.
That's the one.
And Andy, thanks, mate.
You're on mute, Andy. We haven't been able to hear you for a while.
Stay secure, my friend.
Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, Worst Episode Ever, r/smashingsecurity.
so i've been looking at my front door ring camera
because a delivery has just arrived for me.
And rather than leave so you guys can badmouth me
like you did last week when I left at the same time,
I thought I'd stick it out and I'll just keep an eye on outside
to make sure that no one else comes and nicks my parcel.
You leave, you pay the price.
Yeah.
We didn't badmouth you.
Yes, we did badmouth you.
Nothing we wouldn't say to your face.
Yeah, that's fair.