The Host Unknown Podcast - Episode 164 - The Two Weeks Late Episode
Episode Date: August 25, 2023

This week in InfoSec (14:00)
With content liberated from the “today in infosec” twitter account and further afield

18th August 2003: The Nachi worm began infecting Windows computers with the goal of... REMOVING the Blaster worm and patching the vulnerability exploited by both worms.
Worm aims to eradicate Blaster
https://twitter.com/todayininfosec/status/1692616573524050259

26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the W32.Gammima.AG worm. Space. Where you don't want to be dealing with malware.
Malware detected at the International Space Station
https://twitter.com/todayininfosec/status/1298690676448735232

Rant of the Week (19:02)
Cellebrite asks cops to keep its phone hacking tech ‘hush hush’
For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.”
As part of the deal with government agencies, Cellebrite asks users to keep its tech — and the fact that they used it — secret, TechCrunch has learned. This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized.
[That was this week's Rant of the Week]

Billy Big Balls of the Week (28:35)
Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds
Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided.
At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing.
This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decide whether or not he did the things he was accused of.
The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.

Industry News (36:23)
UK’s AI Safety Summit Scheduled For Early November
Police Insider Tipped Off Criminal Friend About EncroChat Bust
Tesla: Insiders Responsible For Major Data Breach
Cyber-Attack on Australian Utility Firm Energy One Spreads to UK Systems
Experian Pays $650,000 to Settle Spam Claims
WinRAR Vulnerability Affects Traders Worldwide
Sensitive Data of 10 Million at Risk After French Employment Agency Breach
Data of 2.6 Million Duolingo Users Leaked on Hacking Forum
FBI Flags $40M Crypto Cash-Out Plot By North Korean Hackers

Tweet of the Week (47:47)
https://twitter.com/securityweekly/status/1694705119793746015

Come on!
Like and bloody well subscribe!
Transcript
Discussion (0)
So apologies, I've not managed to catch up on last week's numbers
How did the show go?
I was going to ask you
Because I've not been here for two weeks
How was the last two week's shows?
I thought you and Graham were running the show
Me and Graham? I'd been off for two weeks
I was on holiday
Amateurs, amateurs, amateurs
Alright Geoff, how did it go then?
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening
from wherever you are joining us and welcome.
Welcome, dear listener, welcome one all, to episode 164.
168.
Of the Host Unknown podcast.
Back after a little two-week unannounced sojourn.
So all of your messages.
A hiatus, if you will.
Indeed.
Isn't that what happens when a little thing pops out of your stomach
when a bit of your organ?
A hernia. hiatus hernia
I don't know
anyway so for those of you
who are contacting us suggesting
that I may have forgotten
to press publish
you were absolutely right
well
I forgot we also forgot to press record
as well for two weeks
but we've had our summer holidays now.
So, well, apart from Andy.
Some of us have.
Yeah, Andy's having his next week.
So actually it's just me and Jav next week.
And I'm looking at Jav right now and he's looking a bit shifty.
He is, isn't he?
He's not going to be here next Friday.
I know he's not.
I know he's not.
Have I ever let you guys down?
So many times.
So many times.
Look, if neither of you are here next week,
I'm getting Graham and Carole on and calling this
the Smashing Security Behind the Scenes podcast.
Wow.
We are the Smackdown to their Raw.
What is that, another recipe?
Oh man, come on.
God, come on. Why don't you quit being such a jabroni, Tom, and just get with the jabroni?
Isn't that a type of beer?
Right, just download TikTok and we'll send you some links.
Oh my god, no, no. I, I, I see what it does.
I saw, I saw how Jav's life just exploded in front of him when I told him that my daughter's
videos get more views and likes than his. So I don't want to go down that road, that road.
I was genuinely happy for your daughter.
Yeah, well, yeah, obviously.
Oh, if only we did that on video.
What?
It was the equivalent of Ali G giving the popo the Vs
underneath the window of his car.
Oh, dear.
Anyway, Jav, talking of poo-poo, how has your week been?
Poo-poo is the right word.
I can't remember.
I can't believe it's Friday already.
Oh, I know.
The week has kind of like shot by.
Because I was off the week before.
I was in lovely Switzerland.
Yes, you were.
And it was a great time.
Looking at cuckoo clocks and he checked on your accounts.
Yeah.
Also checking on his accounts while he was there.
Yeah, yeah.
Setting up some new bank accounts and, you know,
making sure that everything was...
Running away fund.
Yes.
No, it was good. Stayed up near Davos,
which is famous for the, I think the World Economic Forum have their,
yeah, conference there. Um, so it was very, very out in the sticks, so it was very peaceful.
Uh, the mountain that I was staying on, it had, like, at night time there was
like literally zero pollution of any kind. No air pollution, no light pollution. And when the
lights went off in the evening you look up and you could see, like, the Milky Way and so many stars.
It was something that, like, it's like you look up and you almost think this is some FX that someone's just put up.
It just didn't look real.
Coming from London, you had sensory overload.
I paid to go to Switzerland, not the planetarium.
Yeah, it was so gorgeous.
And just the stillness and the calmness that was there every evening.
Like my wife and kids were like, this place is dead.
And I'm like, isn't it brilliant?
Oh, dear.
Yeah, for once the exterior matched my interior and I was at peace.
Really?
It was dead.
I thought you were the black hole of that centre of the universe.
Let's not be talking about my black hole now.
Okay.
I'm talking of black holes.
Talking of gravity wells, Andy.
What were you going to say?
Hey, I thought you were going to say talking of the centre of your universe.
No, no, no. Talking about the white dwarf.
The only thing funnier than that is Jav dissing my height. The shortest member
out of the three of us.
Oh dear.
My week has been
busy.
That's all I can say. Everyone's on leave.
It's that time of year when everyone's
taking their annual leave.
Some of you Americans probably aren't familiar with this.
Well, annual leave.
What country are you at?
On holiday, mate.
Holiday.
Holiday.
All right.
Okay.
It's all right.
Really?
PTO.
Paid time off.
PTO.
For goodness sake.
It's so American again.
When did we start taking vacations in the UK?
I don't get it.
So we know what we mean, but we have to translate it for our cousins.
That's the issue.
It's not.
It's just us helping, like, to save this explanation.
That's why we use that terminology.
We all know what's going on.
Simplified English.
Yeah.
Simple English, yeah.
Yeah.
So, uh, yeah, no, it's just been, um, yeah, pretty okay. I'm pretty glad I'm going away just as the weather's
getting sunnier.
Yeah, it's getting warm again.
I stayed here for all that rain and, uh, just as it gets warm I'm gonna piss off.
So where are you going?
I'm off to Paris.
Ooh, ooh la la.
Yeah.
Disneyland or the Louvre?
I shall be at the Disneyland area.
Good, because the Louvre is dull as hell.
Yeah, no, I've done that many times before.
But, you know, in fact, this holiday,
or this holiday, a couple of weeks ago,
I went to a musical.
I got a bit cultured.
And, yeah, went out to a musical.
SpongeBob the musical.
Oh, seriously?
Nice.
Absolutely fantastic.
And, yeah, one thing I didn't mention, though, at the time,
when I was sitting there with my missus,
one of the girls in it is someone I recognise from TikTok.
She was, uh, one of the girls. Do you remember during the dark times, during the pandemic, when the now, um, Prime Minister of this laughable country, uh, sort of recommended that people in
the arts practically learned a new profession and...
Oh yes, you know, ballet dancers can become
cyber security.
Yeah, yeah, yeah, yeah. So there's actually a girl that did a response to that, or young lady I should
say. And, you know, she was really passionate about it, about how, you know, she'd spent all her
time at, um, you know, these performing arts schools, which are not cheap. You know, her entire life
revolved around performing, and then the Chancellor at the
time just turns around, says, oh well, you know, you're not getting furloughed, give
up that dream and now take your time to learn a new skill. Um, so very passionate, and that's
what she, um, sort of really became famous for, as well as her TikTok when she was working at Tesco's.
And, um, you know, so I bet that new skill set her up
very well for the future.
Well, exactly, right.
but no
absolutely fantastic
performances
from all of the actors
and actresses
and
yeah
highly recommend
if you want a bit
they've got those two
levels of jokes
you know ones for the kids
and some for the adults
as well so
yeah
I was a bit concerned
at a two and a half hour show
But, um, yeah, absolutely fantastic. Completely engaged in the theatre, the time just flies.
Yeah, well, especially they do half-time intervals, so you can...
Yeah, half-time. Yeah, showing your class there, darling.
Yeah, well, same cost, right? Right?
Yeah. It's true.
Yeah, but it's just you get ice cream at the interval at the theatre
instead of a beer, right?
A beer or a meat pie.
No, ice cream and a gin and tonic, darling.
Yeah.
Yeah, exactly.
And even started some football chants midway through, like, you know,
Squidward's rubbish and he knows it.
He's rubbish and he knows it, he's rubbish and he knows it.
there's someone
who's never been
to a football game
there
SpongeBobby's
a
s**t
SpongeBobby's
a s**t
oh
oh dear
anyway
talking a
s**t
how are you
doing
I set myself
up there
Yeah, set myself up there.
yeah it's very good
I also went to the theatre
very cultured show
it was Spitting Image
the musical
so you remember
Spitting Image
I do
yeah
it was really good actually
that was the very first
record that I ever purchased
with my own money
was the Chicken Song by Speedy.
Really?
Oh, once again, you're showing your class, Andy.
Well, you know, different times back then, because remember what the B-side for that
was?
No.
I've never met a nice South African is what it was called.
Really?
Yeah.
It was about Nelson Mandela.
Oh, the end part was about Nelson Mandela.
It was like the stuff that used to happen back in the 80s.
The good old days, eh?
As Tom calls them.
It was a really good show, though.
It was very good.
Marred only by the fact that at the restaurant beforehand,
we were sat outside and my son had his phone stolen.
Ah.
Out his pocket or on the table?
Off the table, by a quick... a beggar came over with a sign, covered...
Yeah, covered the table.
Yeah, classic.
Yeah, exactly. We legged it, we legged it after him, tracing him on, you know, Find My, and then the signal stopped, obviously. Uh, but because
this is a security show, what was really interesting: we put, you know, did the Find My, put the details
in saying lost phone, contact, you know, contact this number. Uh, within an hour and a half I got my first
text from Apple saying that my phone has been found and to log in here and
to put my details.
Oh wow.
And I tell you what, I came this close to doing it, because you're in
that emotional state of mind that says I want to know where this phone is. Yeah, you know, it's been
found. And you go to the website, it's very, very genuine. And they sent that three times, three different methods.
Wow.
And three different websites.
So you think this is just like an opportunistic thief.
They just want the hardware, the phone itself.
Completely organised.
Completely organised.
That is scary.
It appeared in a hotel in Tottenham for about 12 hours. Of course,
police can't do anything, right?
Yeah.
Because it's not accurate enough to tell you, you know, what room
or anything like that. Uh, and it's been offline since. But yeah, it was, um... and now I'm messing
around with insurance saying we want the police report. Well, I've got a crime reference number from when I dialled 999. Yeah, no, we want the report. Well, how do I get the report? Do you know what I mean?
It's really annoying.
Don't worry, in a few weeks your son'll be getting, uh, messages from
someone in India saying hello, I've just bought this phone for, like, $100. Can you tell me what your iCloud password is?
Yeah, exactly, exactly.
So, yeah, and he'd only had it seven months as well.
But hey-ho, but hey-ho.
But yeah, I tell you what, it really is,
they're on top of it so quickly
that you get taken in by that whole scam, you know.
So, but talking of scams, let's see what we've got coming up for you today. This Week in InfoSec talks about space viruses.
Rant of the Week says don't mention the tech. We said it once, but I think we've got away with it.
Billy Big Balls reveals the identities of sophisticated hackers. Industry News brings
the latest greatest security news stories
from around the world.
And Tweets of the Week asks you to think of the pain you cause your family.
So let's move on, shall we, to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec
It is that part of the show where we take a trip down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and further afield.
And today our first story takes us back a mere 20 years to the 18th of August 2003,
when the Nachi worm began infecting Windows computers with the goal of removing the Blaster
worm and patching the vulnerability exploited by both worms. So obviously, we all know that Nachi was also known as Welchia,
and it was a self-replicating computer worm that emerged in 2003.
So a programmer called Jeffrey Parson modified the original Blaster worm's
code to target the vulnerable Microsoft Windows operating systems.
And the main purpose was to find vulnerable systems
and patch them by downloading and installing
the security update from the Microsoft website.
However, the worm's aggressive behavior
actually caused unintended consequences
as it generated a significant amount of network traffic
while scanning these systems and downloading patches.
So it actually led to massive network congestion
and caused more disruption to normal operations.
So it's good intentions.
Good intentions, good intentions.
But this is very similar to the impact of the Morris worm,
like from the late 70s, right?
So everything old is new...
Well, I say new, this is 20 years ago, right? But these things keep happening every sort of 20 years,
and so we're just not learning. But, um, good intentions, bad execution. Let's, let's ask our
resident antivirus expert Graham Cluley about, uh, about that.
Yes, Graham, give us a bit more info. Graham?
Okay, great.
Oh, you're looking at me, are you?
Oh, sorry.
Special guest.
Sorry.
Sorry, bad habit.
I forgot Graham's not here this week.
Although he's probably going to be here next week by the sound of it.
Our second story takes us back a mere 15 years to the 26th of August 2008
when it was reported that a laptop on the International Space Station
was infected by removable media containing the Gammima worm.
That's right.
Space is where you don't want to be dealing with malware.
I mean, it's even beyond air-gapped.
It's no air-gapped.
Right?
So, obviously, NASA downplayed the news.
They called the virus a nuisance that was on non-critical space station laptops
used for things like email and nutritional experiments.
But, obviously, there was time where...
Did they find they weren't very nutritious?
Yeah, exactly.
But they had to spend all this time
trying to figure out how the virus
actually made it on board in the first place
to prevent it occurring again in the future.
But it's kind of like Independence Day
where Will Smith sort of just flies up
and luckily he manages to have,
like the aliens use USB.
No, it's Jeff Goldblum. The aliens use Mac.
They used to use Mac.
Oh, actually, yeah.
Because it was on a Mac.
Yeah, USB.
Yeah, but they had a USB-A socket
that they managed to plug into.
You know, there's a theory about that,
why that worked.
Oh.
It's actually,
I think whether it's from the book,
I don't know whether it was a
book or where someone said it afterwards, but human computing technology was derived from Area 51 where
the aliens first landed, so everything human is compatible with theirs, because it's like this,
it's the same operating system, or same origin, same group for it.
So I can... that works. I can believe that.
Well, I can't believe that he, he managed to plug it in
the correct way the first time. That does not happen with USB.
Yeah, it's always three times.
It's three times, yeah. Three times, absolutely.
oh dear
very good
thank you Andy
This Week in InfoSec.
If you work hard, research stories with diligence and deliver well edited, award winning, studio quality content for high paying sponsors, then you too can be usurped by three idiots who know how to think on their feet. You're listening to the award-winning Host Unknown podcast.
God, we haven't listened to that one for a while, have we? I like that one, brings back memories.
Yeah, very good. Right, okay. It's time for...
Listen up! Rant of the Week.
It sounds like mother f***ing rage.
So I should probably have the article up in front of me,
but I think just principally, just principally here.
So Cellebrite asks cops to keep its phone hacking tech hush-hush.
So Cellebrite is known for producing a piece of hardware,
a bit of software on it,
that allows certain law enforcement agencies
to take a locked phone, be it an Android, an iPhone, whatever,
plug it into it and break the passcode and the encryption
to allow them to read the contents of it.
That's the Cliff Notes.
Obviously, there's a little bit more to it than that.
And the little piece of kit that I'm looking at,
it's got a screen on it,
presumably allows you to interact with the device
in multiple different ways
to perform different attacks on it, et cetera.
Cellebrite have said, well, in fact, in the past,
Cellebrite have had a bit of a sketchy history, haven't they,
as to who they sell this to.
So we only sell this to friendly law enforcement agencies,
blah, blah, blah.
But it's cropped up everywhere from Iran to Saudi Arabia to everywhere where there's oppressive regimes who like to sort of do away with people or sort of get a bit of dirt on them.
Objection, Your Honour.
Allegedly.
Allegedly.
Thank you.
God, you can tell he works with illegal people now, don't you?
Yeah.
In fact, he was telling me that IANAL before.
You know, quite incredible, which we knew about him anyway.
But, sorry, now I've got this image in my head of Andy as not a lawyer.
So they've had a little bit of a sketchy reputation of having,
you know, selling this stuff basically to whoever wants to buy it rather than just to the good guys, whoever the good guys were.
Now what they're saying is it's asking its users,
basically it's, you know, all of these enforcement agencies to keep its tech and the fact that they used it secret.
The request concerns legal experts who argue that a powerful technology like this that Cellebrite builds and sells
and how it gets used by law enforcement
agencies needs to be public and scrutinized, you know, not, you know,
we need to know how, the chain of custody.
Yeah, exactly. Exactly.
And it also sort of echoes a little bit when law enforcement agencies
in the US were using a device called a StingRay, if you remember that.
And it's called a StingRay because it kind of looks like a stingray, shape
of the fish, and it's placed up against a wall
and it effectively looks through the walls and can see objects inside.
Understandably quite a useful piece of equipment
if you're entering into certain situations and all that sort of thing. That was all hush-hushed, and the, you know, agencies were saying
that they weren't using them and they weren't being used for, you know, for, uh, nefarious purposes,
when actually they were, et cetera, et cetera. And that's exactly why we need to, to know about this stuff.
The thing that gets me about it, uh, is, is the way that it was put across in a leaked training video for law enforcement
customers that was obtained by the agency TechCrunch.
A senior Celebrite employee tells customers that ultimately you've extracted the data.
It's the data that solves the crime.
How you got in.
Let's try to keep that as hush-hush as possible.
Now firstly, firstly, surely, you know, um, uh, evidence obtained through illicit means,
you know, et cetera, is inadmissible in court. That's the whole thing, you know, about entrapment and breaking,
you know, entering the properties without a warrant or due, due cause or whatever, all that sort of stuff. But he also goes on, and I love this, because
this is where you can tell the video becomes that kind of, the, the guy leans in and looks,
looks at the camera and, you know, and sort of says it's between you and me. This is: we don't really
want any techniques to leak in court through disclosure practices or, you know, ultimately in testimony
when you're sitting in the stand producing all this evidence
and discussing how you got into the phone.
The employee, who we're not naming, says in the video.
Really, really important.
Not exactly the most, you know, formal request.
It really almost sounds like there's just a, hey, guys, this is just between you and us, right? You know, it sounds really dodgy.
So I think, and we've seen this before, time and time and time again, very often in these
rants around how governments are, you know, either encouraged or often do, you know, hide certain, I wouldn't say illicit, but dodgy practices.
And it's argued that, well, if you've got nothing to hide, you've got no worries.
But what about later on when there are sort of, you know, governments turn into oppressive regimes, et cetera, et cetera?
I find it very, very odd that a company like Cellebrite,
which is probably staffed by a lot of
people who are passionate about security as well, is acting and behaving in this way. So yeah, Cellebrite,
for my money, this is a really bad move. Um, and it's, you know, I think Cellebrite's days are numbered as a
result of this.
Bold prediction.
Indeed. Yeah, but let's see.
Hey, got to put your money out there.
What is the rant exactly about that a company
that deals with criminals doesn't want, you know,
potential alleged criminals, sorry, Andy, you know,
in trying to help...
It's the government.
I think we can all agree that the government...
Wants to keep stuff a bit off the record.
Yeah, that's the rant.
They want to keep stuff off the record when it should be in public.
See, but by that thing, you're going to be like, oh, I think now the army shouldn't fly spy planes or something, the Air Force,
because, like, you know, you know, you shouldn't fly Blackbirds because we need to have...
They don't fly Blackbirds.
...on radars and what have you.
And, you know, there shouldn't be secret satellites up in orbit because, you know, we have a right to know
and transparency is king and everything.
I just don't see where you're going with this, Tom.
I think it's a slippery slope.
I think that's the point. It's a slippery slope.
I think your argument's a slippery slope. That's the problem.
So this does affect the average person on the street.
If you walk in in the US and you get arrested,
they can take your phone and against your will,
they can unlock it and then just say in court it was unlocked
because what's being suggested is they don't disclose
the fact that they're using this technology to forcibly unlock your phone.
See, then the issue is, is, is bigger than Cellebrite. The issue isn't about what technology they're using. The issue is holding
law enforcement accountable.
Yes.
To a standard.
And Cellebrite.
And we all know that in America.
In America.
Yeah, yeah.
All bets are off in America, let's face it.
You know.
Yeah.
But, you know, if you go to the US, as you often do,
and you get picked up on the street because you look, you know,
a little bit suspicious, you're shuffling along,
you're brown and you've got a beard, and, you know, and you're in Florida where obviously you
don't belong, and they, they take your phone and then they find something on there that's incriminating
about you, or vaguely incriminating, or, you know, it could even be a conversation between you, me and Andy, which, well, let's face it, is probably incriminating.
And they decide to use that as the reason for holding on to you and the reason for detaining you further, etc.
And then say, oh, well, the phone was open when we got it.
We didn't we didn't access that phone illegally.
It's like a cop breaking into, into your house through the back window, like, like, and then finding a small stash of...
That, I reiterate, that's a point, that's a, that's a
problem for dishonest police officers, which is what the real issue is here, whether
it's Cellebrite or whether it's the NSO Group providing...
But Cellebrite are encouraging this behaviour.
Celebrite, as a publicly listed company, need to up their game and need to raise their standards and prove to us
that they are in security for the right reasons,
to raise the bar for everybody,
and not purely just to encourage law enforcement
to carry out poor practices.
Well, you know, and anyway, to your example.
I've got one last thing to say to you.
Rant of the week.
That's the best part about being in charge of these things.
Right.
Recording from the UK.
You're listening to the Host Unknown podcast.
All right, Jav, now it's your turn.
It's time for...
Billy Big Balls of the Week.
Yes.
Thank you, Jav.
Billy Big Balls of the Week.
Okay, somebody's like a kid.
This is like giving the kid, like, access to all the buttons.
It's only taken 164 episodes to realise I could have done that.
Anyway, we, we, we've all heard over the years of the dangerous, lethal gang known as Lapsus$,
um, highly sophisticatedly sophisticated.
Nation state
You know who knows
Organised criminals
Mercenaries
People with a dark past
Bodies in the basement
You know
Drills through the kneecaps
That kind of stuff
Bloody hell Jav
This got dark quick
And finally we've unmasked two members
of the group. And you, you're probably thinking there's probably some black helicopters over
some...
I'm glad you qualified that with helicopters. I was gonna say we can't go there, Jav.
You probably think there's some black choppers that night, you know,
SEAL Team 6 rappelled down, smashed in.
There's a gunfight.
You know, they managed to grab them.
No, actually, they caught two of the members in the UK.
And one of them's 18-year-old Arion Kurtaj and a 17-year-old friend who because of his age
cannot be identified for legal reasons. And let's face it, when they did all of this stuff they were
like 15 and 14, probably.
Probably, yeah.
And can you imagine being, like, 15, 14, going out committing these crimes, like, you know, breaking into, like,
Uber, Nvidia, you know, Rockstar Games, and then looking at the BBC or the other news sites saying,
oh, it's the Russians, it's the Chinese, it's the Iranians. It's, like, you know, some highly sophisticated gang.
Like, you just, that would just, like, even if they were 12,
they went through puberty overnight, I swear.
That's why this is a Billy Big Ball story.
Yeah, exactly.
Do you know what?
I'm amazed they weren't caught sooner because how could you not tell
everybody on the playground at school, right?
Yeah, yeah.
So, you know, it's really – it's a really thing.
And there's something about this case is that it's taken –
it started at Southwark Crown Court and...
Southern.
Can I wear? Sorry.
Yes. You know what?
The screen is far away and I just started saying South
and then I realised it's not South,
but then I just rolled with it, OK?
So just...
I hoped we wouldn't notice.
Don't draw attention to it. Don't draw attention to it.
Yeah, yeah. So, so where was it, sorry? In London. They were caught in London.
Um, it was unusual because the jury was told not to find Kurtaj,
who is apparently autistic, not to find him guilty or not guilty,
as psychiatrists had early assessed that he was unfit to stand trial.
Instead, the panel was asked to decide whether or not he did the things
he was accused of, which I find is very different. I mean, I'm no legal person.
I mean, Andy's closer to the legal team than I am, but he's more IANAL.
Yeah, yeah, he is, he is.
But, you know, um, instead of saying are they guilty or not guilty, you're saying
decide whether they did or didn't do the things they're accused of. I'm sure there's some legality there that differentiates between, like,
you can do it but not be guilty or not do it.
I don't know.
Well, you're not responsible for your actions, I think is what they're saying,
is that he didn't realise that he was doing something illegal.
I don't know.
Well, I mean, the 3.1 million ransom demands after, you know...
I think that's, I would have suggested then you knew exactly what they were doing.
Okay, yeah. I mean,
it's a, it's a tough ask to argue that one, right?
Yeah, but isn't that a ballsy, ballsy, like, defence
to put up there, though?
Yeah, absolutely. God, I'm bloody agreeing with you.
But yes, absolutely. If he, if he didn't really know, he would have asked for, like, you know, I don't know,
a bag of sherbet swizzlers or something, surely.
Do you know, there's actually, there is a good comment
on this article which someone says: if a couple of 16 year olds can access e-service alongside other multinational
global tech companies and help themselves to the secure data, surely someone else should be in the
dock with them.
Yes, yeah, yes, yes. Well, although in fairness, in fact, the other side of the coin is,
well, maybe not fair...
You can see Tom's brain.
First he agreed, and then he's like, shit, that would mean me.
That could be me.
They could be very talented hackers.
Their age is not always.
I mean, let's face it, they could have been nation state.
Let's face it.
You can see those prosecutors going,
damn, we almost had him on record.
That would have been our case solved.
Oh, dear.
Man.
Was it BT, Microsoft, Samsung, Vodafone, Revolut?
Okta.
Okta.
Yeah.
Between 2021 and 2022.
So, yeah, he would have been, well, 16 and 15,
depending on which month they were born.
Their birthdays were obviously, but 16 and 15.
Wow.
Wow.
So, yeah, good.
I like that one, Jav.
Although I like the fact that the big balls is the defence,
not the fact that they were criminals.
Billy Big Balls of the Week.
Feeling overloaded with actionable information? Fed up receiving well-researched, factual security content?
Ask your doctor if the Host Unknown Podcast is right for you. Always read the label. Never
double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in
anger.
Come on, let's face it. When was the last time you were able to see your doctor
and ask for something?
And talking of times when you were able to do something,
Andy, what time is it?
It is that time of the show
where we head over to our news sources
over at the InfoSec PA Newswire
who have been very busy bringing us
the latest and greatest security news
from around the globe.
Industry News. UK's AI Safety Summit scheduled for early November.
Industry News. Police insider tipped off criminal friend about EncroChat bust.
Industry News. Tesla insiders responsible for major data breach.
Industry news.
Cyber attack on Australian utility firm Energy One spreads to UK systems.
Industry news.
Experian pays $650,000 to settle spam claims.
Industry news.
WinRAR vulnerability affects traders worldwide.
Industry news.
Sensitive data of 10 million at risk after French employment agency breach.
Industry news.
Data of 2.6 million Duolingo users leaked on hacking forum.
Industry news.
FBI flags $40 million crypto cash-out plot by North Korean hackers.
Industry news.
And that was this week's...
Industry news.
Wow.
Huge if true.
Huge.
So I've got to...
This UK's AI Safety Summit scheduled for early November.
I wonder if they've got like an AI calendar scheduling thing.
And what it's going to do is reschedule for another two months in advance
every single time just to avoid having the summit happen.
That would be the dullest but most accurate start of AI taking over the world in a movie.
Yes.
Yes.
Yeah, I'm just looking for it.
It doesn't really tell us much about what's going to happen,
where it's going to be.
No, because the AI is keeping all of that data secret.
It's just saying, oh, we're going to do it in November.
We're going to do it in November and then moving it back.
December, December.
Oh, no, February. February '24. Definitely February '24. Keep it. Oh, due
to reasons beyond our control, March '24. Simple. That's how it's going to get going. Keep going.
So Experian have been fined $650,000.
So a day's profit then?
Yeah, three hours worth of work.
But this is, the complaint asserts,
Experian sent its account holders millions of commercial emails promoting additional Experian services.
These emails asked the consumer to confirm
whether a card that Experian associated with the user account was theirs,
offered a service aimed at boosting the user's credit score
and advertised a free scan of the dark web.
I'm looking at this and thinking, well, okay.
Someone gets an email.
It's like, what's the big deal?
But it's spam though, isn't it?
Unsolicited.
So Experian have had breaches in the past and like Krebs has called them out and everything
and it's slap on the wrist.
But you sent someone an email that, for all intents and purposes, has some useful stuff in it, like the free scan of the dark, whatever, what have you,
and I'm like, well, you know, improve your credit score, and... and they get fined. I, I don't know, it's
just a bit... it's all a bit, like, because the laws for spam are stronger than the laws for breaches.
Um, so I'm just looking at the answer.
An Experian spokesperson confirmed that the emails were not sent to European customers,
which avoids a messy GDPR showdown.
Well, in which case it would have been 4% of turnover, right?
No.
So, uh, I will say that, uh, they did release a statement
saying, although we disagree with the FTC's allegations, the agreement allows us to move
forward and continue to focus on serving consumers the best way possible. We disagree with this, but
we're paying it anyway. Yes, we disagree with this so vehemently, we're not going to do anything else about it except
pay the fine that they've imposed on us. But you know what? It gets to the stage where it's actually
cheaper to pay, like, you know, when... Oh yeah, yeah, yeah, like the cost of people being involved in
this type of stuff and, like, you know, just drafting that letter, it's like... But what, what gets me is
that this, this all... call me a cynic, but, you know, this all sounds very calculated now. The fact that they
deliberately left out European customers, they knew the fine, whatever it would be if it went to court,
would be less than a million, and that's like change for them. Do you know what? I could probably
add some colour to that one, in that in the U.S., services for the automotive industry are far greater than they are in the UK.
So if it is about data they hold on cars in the US, they don't hold that same data in the UK.
So it would be a very different demographic that received updates on that.
But also what it's saying is they knew perfectly well that what they were doing was illegal.
Allegedly.
Allegedly, that's one way of looking at it.
Hey, you know, they clearly disagree with the FTC's allegations.
We can afford, we'll make more money out of sending this illegal email than we would get
fined unless we send it to the EU.
Yes.
Pretty much it.
It's going to sting. Sting. It will sting. That, that's a big hefty fine,
and, uh, they only made 1.1 billion profit last year, so...
What would be really interesting was how much money they make off of that actual email. If they
made, say, a million, they're up 350,000, right? Exactly. All about the maths.
Profit is profit is profit.
It's all about the what, sorry, Andy?
All about the maths.
Yeah, maths.
Blimey, two weeks away
and he still remembers. So our Jav's turned into
an elephant.
And he's remembering
a lot of stuff as well.
If only our listeners could see you flipping the bird at me.
What? No, no, no.
What I was saying is India sent a rocket to the moon.
That's what I was pointing out.
A rocket to...
It's a shame that India managed to get a rocket to the moon
before Andy's cryptocurrency went to the moon.
They also got the lander to the moon when Russia's just crashed as well.
It tells you something about...
I think that's an indicator of a country that's technologically
on the upward ascent versus a country that's on the downward ascent.
To be fair, a lot of Russian tech seems to be falling out of the sky
in recent days.
Obviously, big problems in manufacturing.
That stuff is completely unpredictable.
No one could have seen it coming.
Although you had the joke,
I can't remember which comedian it was,
but he's like,
the Indians are going to the moon.
It's like space, you know, mission control.
How far away are you?
Just 10 minutes away, boss.
Just 10 minutes.
And like half hour later, where are you?
Just five minutes away.
I'm just nearly there, boss.
I'm just nearly there.
Sorry, I've got to say, this is a real nerd fact, because I, I used to love planes as a kid, and I
still do actually. But you remember the MiG-25 Foxbat, the big aircraft? It was designed to
intercept the SR-71, which flew at Mach 3. Ah, yeah. And it was in World War One...
It's the Cold War. So this, this aircraft could go, you know, and carry munitions, which of course
the SR-71 couldn't, um, and, um, carry munitions. It was designed to intercept it. It could fly at
Mach 3.2, which is massively fast, and, um, you know, Western intelligence agencies were really worried
about this, and, you know, how the hell was this, you know, such a stunning aircraft?
It kind of prompted, you remember the Clint Eastwood film, was it Foxbat?
The MiG-31 and, you know, and how the Russian technology is well ahead, etc.
Well, a MiG-25 pilot, he defected and landed in Western countries and they took the thing apart.
Basically, the aircraft was cobbled together, to say the least, and every time it went at sort of max speeds the engines
partially melted and the whole engine had to be swapped out and a new one put in, because what the
Russians did, which is classic, you know, Russian technology of we've just got to make it work, like the space program,
was they took the engines out of an intercontinental ballistic missile,
got two of them, slapped it in the aircraft,
and basically they're only supposed to be used once,
so it doesn't matter if bits melt on the way down, right?
So, yeah, this was the most inefficient, really, you know, really, um, poorly designed aircraft, which had all Western intelligence agencies just on the edge
of their seats. How could they have done this? How could they make this work? Incredible. You know, you
say that, you say that's Russian, classic Russian, but that is the very same strategy used by pretty much
every cybersecurity startup out there today.
Yeah.
Cobble things together.
It doesn't matter if it melts.
Minimal viable product.
Exactly.
Get that MVP out the door and let the investors see something.
That's right.
See, there was a security angle to it.
There was indeed. There was indeed.
There was indeed.
And traders still use WinRAR?
I was just about to say that.
Talking of cobbled together things.
WinRAR, what?
I mean, they're going to say PKZip next.
Or in fact, didn't PKZip become WinRAR?
Or are they two separate products?
They were two separate products.
Okay, okay, okay.
I'm just surprised.
They're probably still using it with their like, you got...
30-day trial.
Yeah, 30-day trial.
You're like 20,000 days over your trial period.
Yeah, how are we still using WinRAR?
How are products like that still?
Wow.
Profitable, yeah.
Well, they obviously are, yeah.
Wow.
Well, on that somewhat compressed bombshell, that was this week's.
Industry News.
You're listening to the Host Unknown Podcast, bubblegum for the brain.
All right, Andy,
you can take us back to the end of the show now with,
Oh God, I've lost it. Where are we? Oh, here we go.
You can take us to the end of the show now with... Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from Paul Asadorian,
who is Security Weekly on X.
That just doesn't work, does it?
It doesn't scan, does it?
No.
And he has posted an image and it says,
you're choosing to hurt your family by being the only Android user.
This is where both Andy and I look at Jav.
Exactly.
And it's waiting for that realisation to hit him.
Yeah.
Come on, dude.
Really.
So I'll tell you, like, I've got the Android, the Samsung Fold, Z Fold 4.
The suitcase.
Yeah.
And it's really good.
It's a nice piece of kit.
Got to say.
It's so nice. For the last month, can you see it's not folding out perfectly flat?
So I've booked in an appointment with the Samsung store
to go see if they can fix it.
But, you know, it works fine.
Do they have like a genius bar or is it a genial bar?
Yeah, it's something like the equivalent, yeah.
A scientist bar.
Yeah, they call it the, the, the slightly above,
above intelligence hangout location. But, uh, yeah, no, unlike most of the users.
Yeah, yeah. But otherwise, like, other than this particular hardware, and, you know, it's the hinge
on a foldable phone, so the technology is still
being developed and what have you. But I was a bit surprised, and we... tell me, Motorola developed
flip phones back in the 90s. Yeah, it was. But it's been around for 30 years. Hinges have been around
for a lot longer than 30 years. Yeah, yeah, yeah. On phones, I mean. Next, Andy's going to say, like,
it's been 20 years since the wheel's been invented, Tom.
I'll tell you what,
you boys are going to love what I've done with bread these days.
I'm sorry, we've run out of bread.
You'll have to have toast.
Do you know what, Andy? Do you know what I'm thinking about, Javs? That particular problem, that wouldn't have happened
if it was an Apple, that they wouldn't have released it. It wasn't ready. There's just no...
They're just using you as a beta test. It's a very expensive beta test. It doesn't matter.
Actually, Apple's beta testers. You realise that Android users always, like, oh, we had this, like,
18 months ago.
Yeah.
It's like, yeah, because Apple released it to you guys to iron out all the bugs.
Exactly.
They leaked it.
They leaked it on purpose.
Okay.
Okay.
Okay.
It's like CentOS to Red Hat.
You get the community edition and we get the fully supported enterprise.
I'm loving how you bring this back on brand, Andy.
Brilliant.
I'll come clean to you guys as to why I have an Android. Your missus doesn't know how to use it. Your missus knows how to use an Apple, but she doesn't know how to use an Android. Absolutely, 100%.
How do you unlock this thing? Security through obscurity.
Exactly. That's it.
That's what I'm going for.
Oh, man.
Very good.
Very good.
Thank you, Andy, for this week's... Tweet of the Week.
Right.
We've come to the end of the show. God, that... do you know what? As I think you, as you
said this morning just before we went live, Tom's in one of those moods, because I was, this morning,
I was, I was, you know, half awake. I was not happy. That's really cheered me up, this episode, I have
to say. Really cheered me up. I feel, I feel up and ready for the rest of my day, starting in 10 minutes
at nine o'clock. And it's a long weekend. And it's a long weekend, yeah. Double thumbs up. Double thumbs
up, if you can't see any of this because we're not recording the video, but I've worked out my camera does special effects. Such a fanboy.
So, yes, I thoroughly enjoyed it.
Jeff, thank you very much, sir.
You know, is it too late to go back to one of the stories
and just crack a joke?
Go on.
So, you know, one of the stories,
data of 2.6 million Duolingo users was leaked.
Oh, yeah.
And the users ended up saying, oh, my God.
And then they said, oh, Zotty M.
Or Energenico.
Or Muj Boze.
Oh, dear.
Very good.
Very good.
Thank you, Jav.
You're welcome.
Thank you, Andy.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash smashing security.
So would any of you have a quid you could lend me?
What for? Well, there's a few bargains out there at the moment.
So I heard Wilko's looking for a buyer.
And so SentinelOne.
Well, I'm not going to give you the money for SentinelOne.
Certainly not.
Wilko's, maybe.
No, I'd actually maintain my dignity by selling Wilko's,
whereas not SentinelOne.