The Host Unknown Podcast - Episode 177 - The Are We Doing This Episode
Episode Date: December 8, 2023

This week in InfoSec (07:51)

With content liberated from the “today in infosec” twitter account and further afield

5th December 2011: Fyodor reported that CNET's http://Download.com had been wrapping its Nmap downloads in a trojan installer... in order to monetize spyware and adware. CNET quickly stopped, then resumed within days, it affected other downloads, and was a debacle.

Download.com Caught Adding Malware to Nmap & Other Software
https://twitter.com/todayininfosec/status/1732073893912047860

4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of compromised records from hundreds of breaches. Search your email addresses for free.
https://twitter.com/todayininfosec/status/1731673318560801228

Rant of the Week (13:29)

It's ba-ack... UK watchdog publishes age verification proposals

The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act.

The range of proposals from Ofcom are likely to send privacy activists running for the hills. These include credit card checks, facial age estimation, and photo ID matching.

The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web. However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations.
For example, Ofcom notes the following age checks as potentially "highly effective":

Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

It doesn't take a genius to imagine how a determined teenager might circumvent many of these restrictions, nor the potential privacy nightmare inherent in many of them if an adult is forced to share this level of info when accessing age-restricted sites.
Billy Big Balls of the Week (23:12)

WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password

Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.

The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."

Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.

By setting a unique password for these locked chats that is different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.

"You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.

The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.

Industry News

Sellafield Accused of Covering Up Major Cyber Breaches
Porn Age Checks Threaten Security and Privacy, Report Warns
US Federal Agencies Miss Deadline for Incident Response Requirements
Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics
Police Arrest 1000 Suspected Money Mules
Deutsche Wohnen Ruling Set to Drive Up GDPR Fines
Cambridge Hospitals Admit Two Excel-Based Data Breaches
Governments Spying on Apple and Google Users, Says Senator
Liability Fears Damaging CISO Role, Says Former Uber CISO

Tweet of the Week

https://twitter.com/MalwareJake/status/1732463774949310547

Come on! Like and bloody well subscribe!
Transcript
I've been here for over an hour waiting for you two.
You better have a good excuse.
Oh, really?
It's only like six o'clock, so come on.
Yeah, since five.
Five o'clock I've been here.
To be honest, I was actually going to bed at five o'clock.
I just needed to get my head down for a short period of time.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 171.
Indeed.
And yes, welcome dear listener to another episode.
This is probably going to be our penultimate one before Christmas.
I think we're going to have a little bit of time off, haven't we? A couple of weeks?
Sure.
Yeah.
Why not?
All that hard work throughout the year. Yeah, exactly. What I call a normal schedule,
like, show up for two, take three off, you know.
Yeah. So I'm going to state it now: next week will be our last one before the Christmas break.
I'm sure that's... I'm still sure we're putting in more episodes and smashing.
But, of course, yeah, exactly. Christmas break. Don't know, something like that. But yes, so
welcome, Jav. How are you? You've been at Black Hat all week, haven't you? We saw the photos.
Yeah, well, two days, not all week, but yeah, two days I was at Black Hat. It was... as an event.
Oh, who was it?
Someone said to me, Black Hat Europe, prices of Black Hat USA,
but the food's like Blackpool.
So because the food was a bit suspect.
But what do you mean the food?
I mean the food as in the stalls there?
No, no.
If you have like a full pass,
they provide lunch and breakfast in the big hall.
So you go there.
Oh, I see.
So was it like ropey croissants in the morning?
It was just some pastries in the morning.
That's cheap, man. You get that at free events.
Yeah, yeah. And this is just like, it's only a 2k badge, so come on, what are you complaining about?
Yeah, that's how much the full pass costs. But if you get just the booth hall pass, it's free, I
think, if you raised in time. But no, got to meet a whole bunch of people. Got to meet Matt Summers,
the original BSides London. Yeah, yeah. You know, Dive Monkey, which is tomorrow,
which is tomorrow, BSides London, if we... so probably three days ago by the time you...
Yeah, by the time you listen to this podcast. Exactly. Yeah, exactly. Well, I mean, I was off to a bad start
with the delay we had this morning, right?
Yeah, I met Iggy.
There was Scott Helme, friend of the show.
He was there.
He was telling me about some new research he's been doing,
which is really cool,
but unfortunately I can't speak about it on air.
With Troy?
No, this is on his own.
Oh, OK, OK.
Yeah. Friends of the show, Erich Kron was there. Erich Kron, yeah.
You two were hawking your book.
Yes, we had, like, 50 copies of our book,
50 Ways to Thrive and Survive, and you came home with 60. No. And certainly less money in his wallet.
We were there doing book signings.
Some people obviously wanted the resale value,
so they didn't ask us to sign.
They said, I'll just take the book.
Yeah, I think unsigned copies are probably going to be rarer
than signed copies, right?
Yes, yes.
So, no, it was a good... it was a good show.
I enjoyed it. Oh, good. I'm talking about disappointing breakfasts. Andy, what about you?
How have you been? I think it's been gallivanting out and in bed at, you know, five o'clock or whatever. All right, you know, you know,
I'm not a big drinker these days. No, no. Actually, yeah, when I went out yesterday,
or last night, this morning, it was, yeah, pretty spaced actually, I have to say. I am not...
I seriously need some sleep, but straight after this I actually have a meeting that I need to attend.
Is that with HR?
Yeah, HR are putting a meeting.
Yeah, it's really weird.
Why would they schedule a meeting the night after a Christmas party?
Was it a pre-emptive booked meeting with HR?
It just went in this morning.
So weird.
But yeah, other than that, it was a good night.
We had a casino going.
I did all right originally on the roulette table, and then I got a bit overconfident, went back and lost the whole thing in two goes.
Was it actual money, or was that pretend?
No, it was company-provided vouchers exchanged for tokens.
Right.
But I did manage to, sort of like, you know, multiply my original pot, my original stake, by 5 over the course of like 30 minutes, and then lost it in about 2 minutes.
I was just convinced it was all going to land on black.
Weren't we talking about this just last week, about the most depressing thing, seeing somebody just, over a course of time, putting all of their winnings back into a slot machine?
So you decided to test that theory?
Well, I guess you guys must have put it in my head
because that was not playing on my mind.
It's one of those subliminal messages.
No, no, that's all Wesley Snipes.
It's a Passenger 57.
Always bet on black.
Yeah.
Oh, dear.
But talking of betting on black,
Tom, how are you doing?
Yeah, tenuous, but not bad.
More than tenuous.
That was very good.
Inside joke, folks.
Yeah, very good.
Very good.
We've got B-Sides tomorrow,
which I'm looking forward to.
I'm going up to London tonight.
I'm going to be staying with Duchess of Ladywell.
So that'll be nice.
See you, Jav.
But Andy, you're off abroad tomorrow.
I am.
Unfortunately, I'm leaving these cold climates.
I'm heading back to Mauritius.
Oh, man.
It was supposed to be our annual get-together, so yeah, very much looking forward to that.
I've got a rookie speaking tomorrow who I have yet to speak to. We've swapped emails, so standard.
Standard.
Standard.
And you will abandon them. What time, 10am or 11am?
No, they're on at 11.20, so I...
There's something...
you'll arrive by midday then?
Yeah, exactly.
Okay, yeah.
Exactly.
But yeah, so yeah,
I'm looking forward to that immensely.
So yeah, talking about
what we've got to look forward to,
shall we see what we've got
coming up for you this week?
This week in Infosec
reminds us of CNET's own goal.
Rant of the Week is asking you to think of the children yet again.
Billy Big Balls is a minor step to save us from being prematurely cancelled.
Industry News is the latest and greatest news stories from around the world.
And Tweet of the Week is our first prediction for 2024.
So let's move on, shall we, to our favourite part of the show, the part of the show that we like to call This Week in InfoSec.
it is that part of the show we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
When on the 5th of December 2011,
Fyodor reported that CNET's download.com had been wrapping its Nmap downloads in a Trojan installer
in order to monetise spyware and adware.
So CNET quickly stopped and then resumed within days
and it affected other downloads.
It was a complete debacle.
I can't believe they deliberately did this. Yeah, so obviously back
then, I don't even know if it's still that common these days, you just assume all of these sites
sort of contain malware these days. But so CNET used to run download.com. It's a big software
repository. Yeah, drivers and applications. Yeah, all of that stuff. But so it turned out that CNET had
actually been adding this sort of spyware and adware
to software packages they distributed, which included the Nmap security scanner.
That's outrageous.
Yeah, and this is despite their own sort of no adware policy.
And they continued the practice.
They did actually remove the anti-adware slash anti-spyware promise
from their page. Wow. Wow. After they got called out. But so it was there before. It was there before,
while they were still... while they were doing it. Yeah. Cheeky bastards. So they, after the
criticism, they did remove the rogue installers from some software, but continued to sort of use it and apparently had plans to expand.
In their most popular software.
Yeah, the one that everyone wants.
So, yeah, it was at the time this sort of launched.
I think FileHippo was one of the beneficiaries of this and Softpedia sort of go there to get your stuff.
But yeah, I don't know why it started in 2011, where their
general manager just decided to start bundling third-party adware with third-party
installers. That's one of those things where "what's the worst that could happen?" really should have been
listened to. Yeah, they used to have the, was it "safe, trusted and spyware free", is what it was saying on the site.
Wow. Yeah, it's a bit like once upon a time, for those who are old enough will remember,
Google used to say "do no evil". Yeah, and they took that out of there, wasn't it? Yeah, now look at it.
Yeah, but alas, our second story takes us back a mere 10 years. It seems just like yesterday when Mr Troy Hunt
launched the site Have I Been Pwned, and at launch passwords from Adobe, Stratfor, Gawker, Yahoo
Voices and Sony Pictures were indexed. As of today there are billions of compromised records from
hundreds of breaches, and you can still search your email address for free
on the site. It's a good service, and in fact there's a, isn't there a paid-for service where
you can connect it to your AD too, so that you can ensure the passwords that people... that definitely
came about a while back. Yeah, so I guess, yeah, there's lots of services that offer that now as
well. So yeah, I remember talking to our CIO back in the day,
and he was like,
I want to put this to some random guy in Australia
that we're supposed to trust.
I'm not doing that.
And it's, you know, it's...
But he's big on Twitter.
Yeah, exactly.
He's friends with Scott Helme.
It's got to be all right.
No, but then if it was just some random guy but had registered a
company in Boston and then was running it out of that, then it's all good. Yeah, yeah, that's right.
Ultimately you're always trusting some random entity or person or what have you. Yeah, that's
right, that's right. Until they're... until they're actually bought out by Microsoft or something, and then it's like, oh, well, I was in it from the beginning.
Excellent.
Thank you, Andy, for this week's...
This Week in InfoSec.
If good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when
you don't shake properly. In a niche of our own, you're listening to the award-winning Host Unknown
Podcast. Ah, another one of my favourite jingles there. In case you can't tell, we still haven't got
our jingle machine working. I'm not sure, we forgot to put 50p in the meter for it or something.
Yeah.
Someone actually commented on Twitter,
the news segment intro was so tight.
Without any of those trademark awkward pauses,
the podcast was precisely 5.8008 seconds shorter than usual.
I demand a refund.
Thank you, Roy Tate. Sorry, 5 point... what was it?
8008. So boobs backwards? Yes. Right, okay, right.
Right, okay. Okay, let's move on, shall we, on that note to another boob.
It's me, and time for Rant of the Week.
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So we know this has been going round and round and round.
The UK government for the last, well, ever since the Conservatives have been in, really, have been pushing for age verification on the internet and pushing online services will
perform those age checks as part of the Online Safety Act. I think this is a story as old as
backdoors to encryption with the government,
because once somebody think of the children,
which seems to be the basic cry of every hand-wringing conservative
and greybeard out there, it's come back.
There are now a range of proposals from Ofcom, government body, that are likely to send privacy activists, like us three, which is bizarre,
because if we're worried about it, then it's got to be bad, right? Running for the hills. These include credit card checks, facial age estimation and photo ID matching. So the idea is that we need to protect children from all of the filth that is awash amongst the worldwide web.
Service providers will be stuck between a rock and a hard place in implementing the guidance
without also falling foul of privacy regulations.
Although, let's face it, the real privacy regulations are EU-based.
And, well, we put paid to that, didn't we?
But it's true.
We've got our country back.
We've got our country back, yeah.
We don't have an NHS as a result, but we've got our country back.
But we're going to stop the boats.
Yeah, exactly.
We're going to redirect them to Rwanda in a newly legal format.
Oh, well, yeah, a made up legal format.
And I saw the tweet yesterday from number 10, the prime minister himself.
And it was like, yes, we are like, you know, this is an emergency sort of like measure put in place to to get past all that.
This is how democracies work. And everyone was pointing out that this is actually how dictatorships work.
Yes, democracies work by voting on things.
Yeah. And and you know what? That's I saw that and saw this story.
And I thought, well, how long before they put in place emergency measures to protect the children?
And then, you know, there's nothing we could do about it.
Yeah, well, let's look at some of the measures that they're looking at or proposing.
So things like open banking, which we've all benefited from in all honesty.
Open banking has been a fantastic move. It means that when you transfer money, it arrives within seconds.
You can connect services together.
You know, you can manage your payments very easily, etc.
So it's a good thing.
So can I just point out that the actual benefit of open banking is that the banks can then get more access to your data based on what you're doing with other institutions.
Oh, yeah, but that's what you get is a... yeah, but whilst what you're getting is a by-product, the actual original
reason is to gather that data. Tom is just way too trusting. He'll believe anything.
And like, you know, I will, I will, I will. I mean, I keep believing that you two are good people.
Fools.
Fools.
So, open banking where the bank would confirm that a user is over 18 without sharing any other personal information that they've obviously gathered
based on what Andy's just said.
Mobile network operators where the responsibility is pushed onto the mobile providers,
who can check it against a content restriction filter that can only be removed if the device can prove that they're over 18.
Photo ID matching, where an image of the user is compared to an uploaded document.
I mean, it's not very good if you have facial hair, you know, or intermittent facial hair. I mean,
I'm in the middle of my Christmas beard at the moment, so, you know, I look very different to how
I did six weeks ago. So whenever these sites get hacked there's going to be, like, a photo of your
passport plus a picture of you, like, naked from the top down, like doing your real-time verification before you can proceed
to... yeah, yeah, exactly. Top down? What, top down, you mean, or bottom up? I'm not sure. Oh, yeah,
either way, nipples down. Credit card checks, where your credit card account is checked for validity, or digital identity wallets, which include facial age estimation.
My goodness.
Well, obviously that puts me in my 70s.
Jav, I think, is...
Well, that puts him in his...
Or at least his 50s or 60s.
And Andy, you'll never get access to porn again.
Yeah.
It's a good trend on TikTok actually a while back,
like guess your age and people were doing the thing
and it would come up with what your guess is your age to be.
So we've been giving this information out to the Chinese already.
This is true.
A proper dictatorship.
It's people that know how to do it properly.
Exactly.
They don't half-ass it.
Guess my childhood pet's name.
Guess my mother's maiden name.
Yeah.
Guess which primary school I went to.
Guess what my first car was.
See, we like the strong, hard dictators,
not the soft, limpy dictators that we have over here.
Yeah, exactly.
The limpy what?
Test my password strength.
Test my password strength, yeah. It gets my password straight. So, bottom line here is, it doesn't take a genius
to imagine how, well, frankly, any determined teenager is going to get access through this
stuff. They're going to use their, you know, parents' or guardians' credit cards. They're going to,
there's going to be services out there that are going to
be provided outside of, you know, outside of the UK which will provide this kind of information.
It's going to be all sorts of ways of spoofing this, and the actual potential harm to privacy
that's inherent in us all is shocking. So I just, again, you know, ranty here, this is the UK
government trying to be all sort of paternalistic and care for us, when actually it is just about
reducing access and increasing risk and reducing our ability to keep our private lives
private. They just want to track you everywhere. It's a way, that's it. Well, even more than your
phone does, right? Even more than you... Yeah, but now, like, your banks are going to know that every time,
you know, your balance drops below, like, a thousand pounds you tend to seek solace in bigmeals.com.
They're going to put all this data together. Yeah, me and... yeah, you know, China's the bad one.
Actually, at Black Hat, TikTok had a stand.
They weren't selling or giving away anything. They were literally just there to talk to anyone that was interested about their privacy and their security controls.
That's a big move, that is.
Anyone that actually wanted to discuss it, rather than...
Yeah, yeah.
So I went there and I had a chat to them.
It was really fascinating because they're talking about local data centres
that are opening in Europe,
the controls they have in place to prevent data being moved
and which conditions they allow data to be moved out.
Because, like, you know, you want a global experience,
but you want to prevent anonymity at an individual level.
They have thresholds at which data gets aggregated together
where it's impossible to reverse and identify the individual user.
And they have a partnership with NCC Group
who have access to their source code and everything,
and they check for all of their privacy settings
to make sure they work as featured.
And if they find something, they don't have to go to TikTok.
They can go directly to the regulators
and disclose that this is their findings.
Wow.
And you believe them?
I mean, you know what, me and Andy...
They try to be as transparent as possible on everything.
Yeah, yeah, yeah.
And then I actually said to him that...
I explained to him that we do a podcast
and two of us have big TikTok fans.
We've been using it fine.
The third one joined and got somewhere
and literally banned.
And I said, please tell me you do sentiment analysis.
You realise he was a hater.
And he neither confirmed nor denied.
Oh, so you didn't help to get me unbanned?
He said there's sometimes... he goes there should be an appeals process there somewhere.
He said no appeals.
OK, well, he just knows you too well. You're a dick. They don't want you on the platform.
Well, I'm glad I'm seeing my mum tonight, because she's going to tell you what for after having a go at me.
Brilliant. Thank you. Thank you all. That was this week's Rant of the Week.
Sketchy presenters, weak analysis of content and consistently average delivery.
Like and subscribe now. OK, Jav, let's move on, shall we, to
your colossal cojones. It's time for...
Right, so this is one of our favourite companies, Meta. If you want to sponsor us, Meta, Zuckerberg, just
give us a call. But WhatsApp now has a new Secret Code feature that lets users protect private chats with a password. Oh, thank God.
Yes, exactly.
So...
I bet Bojo's thinking, why couldn't they have done this a few years ago, and then just claim you've forgotten the password.
So it's called Secret Code, and so if you're having sensitive conversations, say like us three speaking to each other, we can have an additional way to protect the chats and make them hard to find and access if someone has your phone.
So it builds on a feature called Chat Lock, which was already there,
but now you can add a unique password to it,
and you'll have the option to hide the Locked Chats folder in your chat list
so they can only be discovered by typing in your secret
code in the search bar. So this is quite handy. So, you know, like how it is, like amongst
friends, people will sometimes have that one friend that sends them inappropriate memes or
jokes or what have you, or in my case two. So, no, you've got two acquaintances
who sometimes send you some things that are...
Two fairly adequate people.
Yes, yes.
But with this, you can hide that chat
so that when you pass the phone to your kid
to have a look, play some games,
or, you know, you're showing your partner
a funny conversation between someone else or the family.
And then they go back and say, oh, you got a new message from Andy.
And then you click on it and then you don't want them to be.
Or worse still, you've AirPlayed it to the TV and everyone's watching it.
So I think it's a really good feature
because, and this is something I think has been lacking in a lot of tech for a long time, is that
all tech is built with the assumption that only one user is going to use it. Yeah. And one user is going to own it, and it's, you
know, so building that split sort of usage model, or having a bit of privacy, because everyone has
stuff they want to keep private, either for personal reason or even corporate reason. I mean, that's the
whole reason why MDM and all that kind of thing was a big, you know, started, because corporates
say, like, you can use your own device but let's put it in a
secure container so that if anyone else grabs your phone they can't access it. And we all have things
like that, like, you know, Tom doesn't want all his medical records being accessible by anyone who
borrows his phone just to take a photo. So I think it's... Let's face it, there's not a USB stick big
enough to put all those on. No, no, I... no, I'm sure there isn't.
And half of them aren't even digital.
Yeah, written in a fountain pen.
In Aramaic.
Yeah.
So I think it's a great feature and kind of a Billy Big Balls feature.
Well, I say Billy Big Balls.
It's a Billy feature that I think more companies should.
I like the fact that it's not like click here to put in secret password to get the hidden chats.
Yeah.
Because people are going to be like, you know, let me see the hidden chat.
Oh, so you've got a hidden chat.
Yeah, exactly.
Yes, yes, exactly.
So that's what I like about it.
So this is Meta in a rare case of doing something right.
I know.
And I think that is the Billy Big Balls that surprises.
So there we go.
There we go.
Wow.
I mean, I would never expect Meta to do something like that.
I mean, I guess, you know, maybe the WhatsApp group is a little,
it does feel a little bit different to, say, Insta and Facebook and all that sort of thing anyway.
And definitely its roots have come from a little bit, you know,
it was originally all about, you know, private chats off the main messages, etc.
and out of Facebook, blah, blah, blah.
But yeah, it's interesting how they're really
pushing that on WhatsApp, but on Facebook it's still very much "everything you type in here belongs to
us". Yeah, well, I'm not sure anything in this feature doesn't still belong to WhatsApp. It's
just that your friends and family, or border patrol, can't access them immediately, or it's not
obvious that you have, like, you know, secret chats going on with Tom about, you know, bad, bad things,
Andy. So, you know, yeah. Well, obviously we do. Obviously, yeah, clearly. Well, the effort of
keeping that secret. That's right. You include me on them. You deliberately add me to that group every time I leave.
Well, the amount of times you've typed "Andy, oh, sorry, wrong chat".
Brilliant.
Thank you, Jav, for this week's Billy Big Balls of the Week.
Merry Christmas.
Merry Christmas.
You're listening to the Host Unknown podcast at Christmas.
Happy whatever doesn't offend you.
It's the most wonderful time of the year.
Okay, we haven't got time to dilly-dally here.
So, Andy, what time is it?
It's that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry News.
Sellafield accused of covering up major cyber breaches.
Industry news.
Porn age checks threaten security and privacy, report warns.
Industry news.
US federal agencies miss deadline for incident response requirements.
Industry news.
Disney Plus cyber scheme exposes new impersonation...
Industry news.
Cambridge hospitals admit two Excel-based data breaches.
Industry news.
Government spying on Apple and Google users, senator says.
Industry news.
Liability fears damaging CISO role, says former Uber CISO.
Industry news.
And that was this week's Industry News.
Huge if true.
Is that like the CISO from the company Uber? Or is he like an Uber CISO?
Yeah.
The... the CISO, Joe Sullivan.
End-level boss type CISO.
Joe Sullivan, who was Uber's CISO at the time
when they disguised a ransomware payment as a bug bounty.
As a head test.
Yeah, as a bug bounty, yeah.
And all that kind of stuff.
And then lied about it.
Yeah.
He was the keynote at Black Hat Europe.
Was it basically, don't do what I did?
You know what?
I didn't go there. I met
Tim there, friend of the show, Tim.
Oh, yeah. And he said
he went there and he goes
it started off really good. First five, ten minutes
were good. He goes it was like a Netflix show.
First ten minutes were good and then he goes
he walked out after 15 minutes because it was
just getting so dry and boring and dull
and he was just trying to say like, oh, don't do this job.
It's really bad.
And it's like, well, if you weren't, like, doing illegal shit, maybe you wouldn't have got done for doing illegal shit.
If it wasn't illegal, it was certainly immoral for the customer.
You know, unethical.
You know, and that's almost as bad.
I think we've gone full circle.
So back in the glory days of the security industry,
like all hacking, there was people who were black hats
that then moved into being white hats
and legitimate security professionals.
Now we're seeing the reverse happen.
You're seeing, like, white hats starting up.
And, like, through malice or incompetence, and sometimes both,
they're becoming black hats.
Yeah, exactly.
Exactly.
This new Disney Plus show sounds really dull.
Yeah.
So this was a story about brand impersonation,
but not a standard sort of, like, generic blast
out to everyone. They sort of targeted very, you know, lots of people. They actually sent it from
the real Disney Plus address and they used the actual Disney templates. There was no spelling
mistakes in it. It was like, as if it did come from Disney, but it included basically a PDF saying that your charge didn't go through.
But yeah, I think the whole thing was that there's no sort of bounce back on it.
It went through and people would, if they had Disney Plus accounts
and thought that maybe their payment didn't go through,
they would have replied to this.
And I've actually got a couple
of these. Not the Disney Plus ones; I've had some where, um, you know, it sort of said your payment
didn't go through. Yeah. And I've looked at it and it's from the actual company. That sends, you know,
the reply address is no-reply at, you know, and it's, um, yeah, that company. But, yeah. Yeah, well. I saw one that basically put an S on the,
it was something like customers,
or customer services rather than customer service,
at whatever.
So if you did reply, it would have bounced back,
but it would have bounced back from the actual company
or something like that.
Yeah.
And it was, they seem to be sort of sharpening
their tools a little bit.
Yeah.
Yeah.
It's, there's, I was speaking to someone at Black Hat and they were saying how they became a Microsoft partner or reseller or something like that years ago.
And it goes, once they got through all the verification process, they got an email.
It was like from Microsoft.
Congratulations! Exclamation mark. You have been successful in becoming a partner. Please provide us with your bank details and we will enrol you on our payment system and everything and bloody
blah. Uh, and he says it turns out it was the actual Microsoft email. That's what they send out to new partners. Oh my God. Brilliant. Not good at all. Let's see what else
you got here. Uh, government spying on Apple and Google users. Well, given that that's probably
about three quarters of the entire world's population, um, that's unsurprising, right? That's
this week's No Shit Sherlock story. Yeah, yeah, I think so, yeah. Uh,
porn age checks threatened security and privacy, reports. Yeah, we know that one. That's, uh, Sellafield
accused of covering up major cyber breach. That was apparently back in 2012 or something,
uh, 2013, I don't know. Yeah. 2015, their sleeper malware was first detected.
So, yeah. Oh, no, yeah. 2012, you're right.
Yeah, let's trust the sober one, not the one who's still sobering up.
Yeah.
That's not good when your nuclear power station has breaches
and, you know, they're not sort of open with it
Yeah, well, do you know what? It's actually, um, and I will plug them because I know they need the
listeners, uh, Smashing Security this week did a good, um, or what's that guy's name? Graham
Cluley. Graham Cluley, yeah. He did, he did a good, uh, segment on the nuclear power reactors
and how they sort of...
I won't spoil it.
Go and listen to that show.
After this one.
After this one.
Yeah.
So, yeah.
A bit worrying.
Indeed.
Indeed.
Anyway, excellent.
I think that does us.
That was...
Industry News.
Attention.
This is a message for all other InfoSec podcasts.
Busted.
We caught you listening again.
This is the Host Unknown podcast.
And another top jingle there from us.
Okay, Andy, why don't you take us home with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from Jake Williams,
Malware Jake, who says...
He actually chucks in two predictions.
He says,
My number one cybersecurity prediction for 2024
is that we won't solve cybersecurity in 2024.
Yes.
Yes.
We've got another year out of this, boys.
Yeah.
My number two prediction is that we'll see lots of data breaches caused by companies leaning into AI technologies they fundamentally misunderstand.
That's not very funny. No, it's not. That's not very funny.
No, it's not, but it is...
That's really depressing.
It's going to happen.
It's going to happen.
See, who was I speaking to?
Casey John Ellis, founder of Bugcrowd.
He was at Black Hat.
Yeah.
And, you know, that's me just casually dropping names
like that to everyone, you know?
Yeah, that was after I just, you know,
finished a voice call with Satya Nadella.
You bloody bastard.
Yeah, exactly.
No, you bastard.
I use Mac, you use Windows.
Oh, man.
If that's not going to get me cancelled, then I don't know why.
Um, but, uh, he was saying, he said that AI today is a bit like the web was in the late 1990s.
It's like everyone's registering a domain name, a dot com, and, you know, there's this big bubble.
No one really understands what they're doing, but they're just like, it's got to be done, it's got to be done.
And there's got to be a lot of F-ups along the way
before there's a bit of a crash and then people understand,
oh, this is what it's all about.
Yeah, yeah, absolutely.
Absolutely.
Excellent.
Thank you for
Well that brings us to the end of the show again
Exactly, again
8.0085 seconds shorter than last year
Last week, oh my goodness
So yes, very very good thank you
Uh, Jeff, thank you very much for, uh, joining in and arriving only 45 minutes late. Yeah, you're
welcome. See, I'm the reliable one out of the two for a change, which is quite scary. And Andy, thank you for joining just an hour late. Stay secure, my friends. Stay secure.
My lawyers will be in touch. You've been listening to the Host Unknown Podcast. If you enjoyed what
you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit
channel, Worst Episode Ever, r slash Smashing Security.
So when we talk at any point, or we just, like, that, you don't have to wait for the jingle to end, you
know. Oh, no. See, it's, it's just, uh, this is like, do you know, Andy, uh, you, you probably know, like, during COVID
WWE was doing shows
in front of like an empty stadium
this is what it feels like
without the jingles