The Host Unknown Podcast - Episode 178 - The Last Of Us Episode
Episode Date: December 16, 2023

This Week in InfoSec (12:55)

With content liberated from the "Today in infosec" Twitter account and further afield.

11th December 2010: The hacker group Gnosis released the source code for Gawker's ... website and 1.3 million of its users' password hashes. After a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan and awarded him $140 million, Gawker shut down in 2016.
https://twitter.com/todayininfosec/status/1734217170173763907

14th December 2009: RockYou admitted that 32 million users' passwords (stored as plain text) and email addresses were compromised via a SQL injection vulnerability. RockYou's customer notification said "it was important to notify you of this immediately"... 10 days after they became aware.
https://twitter.com/todayininfosec/status/1735357287147995514

Not really infosec, but 14th Dec 2008 was the infamous Bush shoeing incident, where Bush ducked the shoes thrown by Al-Zaidi while the Iraqi PM Nouri Al-Maliki tried to parry it.
https://x.com/depthsofwiki/status/1735147763447595024?s=20

Rant of the Week (22:10)

UK government woefully unprepared for 'catastrophic' ransomware attack

The UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack that the Joint Committee on National Security Strategy (JCNSS) yesterday warned could occur "at any moment."

The Parliamentary Select Committee reached this conclusion in a scathing report released December 13 that accused the government of failing to take ransomware seriously, and of providing "next-to-no support" to victims of ransomware attacks.

"There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking," the report concluded. "There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure."

Recent examples of ransomware infections at UK government institutions and critical private infrastructure are not hard to find. Manchester Police, Royal Mail and the British Library have all fallen victim to ransomware attacks since September 2023. In July 2023, the Barts Health NHS Trust hospital group was hit by the BlackCat ransomware gang. The NHS had already been taught a lesson about the vicious power of ransomware in 2017 when multiple Brit hospitals stopped taking new patients, other than in emergencies, after being hobbled by WannaCry. Third-party providers of NHS software systems have been hit as well, taking systems offline and forcing care providers to revert to pen and paper.

In short, the situation with ransomware in the UK is already bad, and the JCNSS has predicted things will likely get worse.

Billy Big Balls of the Week (29:54)

Polish Hackers Repaired Trains the Manufacturer Artificially Bricked

After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service. They did DRM to a train.

In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train's manufacturer after an independent maintenance company worked on it. The train's manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it. The fallout from the situation is currently roiling Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been "hacked," and thus might now be unsafe, a claim they also cannot substantiate.

Industry News (38:38)

EU Reaches Agreement on AI Act Amid Three-Day Negotiations
Europol Raises Alarm on Criminal Misuse of Bluetooth Trackers
Widespread Security Flaws Blamed for Northern Ireland Police Data Breach
UK Ministry of Defence Fined For Afghan Data Breach
UK at High Risk of Catastrophic Ransomware Attack, Government Ill-Prepared
MITRE Launches Critical Infrastructure Threat Model Framework
Microsoft Targets Prolific Outlook Fraudster Storm-1152
Vulnerabilities Now Top Initial Access Route For Ransomware
Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

Tweet of the Week (46:06)
https://x.com/WorkRetireDie/status/1732108681087508947?s=20

Come on! Like and bloody well subscribe!
Transcript
Always.
I think it's the first time I've seen Andy eat
this year.
Normally we get seen
pictures of his food.
Oh yeah, the before picture.
Definitely not the during.
I'll tell you what.
It's because I left without eating this morning.
And it's, um... what time is it? One o'clock.
You sound a bit distant. Yeah.
Are you like a long... are you not close to your microphone?
It's an iPad.
Yeah.
So where's your microphone?
It's a built-in one.
Did we not just go through this?
Yeah, I thought Andy was going to say, like,
yeah, I'm, like, 6,500 miles away from my microphone.
Oh.
I didn't know we'd started recording, man.
Jesus.
Oh, for fuck's sake.
That's why he's, like, so he's so laid back about it all.
Andy, you sound like you're far away from your microphone.
I am.
Well, can you get closer?
I'm like 6,500 miles away from my microphone.
Back in the fatherland.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us,
and welcome, welcome one and all. Welcome, dear listener, to episode 178.
182.
Of the Host Unknown podcast and we've got Andy miles away from his microphone,
so it's obviously a very good one if it's picking him up at all.
Andy, where the hell are you?
I am in sunny Mauritius, coming to you live from the fatherland.
Oh my goodness, so this is why we had to do it even earlier this week.
Yeah.
Absolutely.
I've sacrificed so much sleep just to be here.
I know.
And this is the very definition of Andy actually phoning it in.
Yes.
I'm aware the
quality is not great,
but to be honest, there's no point
in me bringing Kit out here because the infrastructure
that I'm working off is not great either.
Yeah.
You can't...
So, not only is this the last show of the year, it's also the potato quality show of the year.
Well, to be honest, I mean, we always tell you it's the last show of the year, but then me and Jav always do a Christmas special.
So, yeah. Do you know what? If I could believe that you two could organize it, I might actually fall for that.
Oh dear. Talking of disorganization, Jav, how are you?
I'm good, I'm good. You know what, before we started recording there was a couple of things on my mind that I thought, oh that's interesting, I can tell you about it.
And now it's completely slipped my mind, so clearly it wasn't that interesting.
So the age and dementia is catching up on you then?
It is, it is. My colleague, Eric, is over from the States.
Yes.
Still.
And so last week we were at B-Sides London.
Yeah, we missed you, Andy.
Yeah.
Yeah.
The first one I've ever missed.
Wow.
So it was a really good...
They had a new venue and it was bigger than before.
It was huge. It felt like it was twice the size, didn't it?
Yeah, I think there was about 2,000 people there, maybe more. So you had talks on one floor. On the ground floor you had the vendor area, networking area, then on the first floor you had the workshops, and on the second floor you had all the talking tracks. And every floor you went to, it was packed. There was loads of people there.
Tom and I were mentors again for the rookie track. Rookie track's always awesome.
For those of you who don't know... you actually met with your mentors when they spoke?
Rookies.
Rookies.
Rookies, sir.
Every year it's our first year, apparently.
Yeah, yeah.
Hey, at least we give something back, Andy.
Exactly. We give something of substance back rather than just throwing cash at it.
Hey, they do a lot of good without cash.
Yeah, a lot of substance, Tom.
Absolutely. Tom was like, I sent three emails, he didn't respond, so now we're working on our slides now, as I saw him that morning at B-Sides.
Yeah, yeah. That boy will go far in the professional speaking circuit, because he was writing his slides that morning. He literally rocked up just in time for his talk, did his talk, and then walked out. I mean, it was just like all the professionals do.
Oh, dude. No, it's very good, wasn't it? It was an excellent B-Sides. It came together really well.
It was. It was. It was really good.
I enjoyed it a lot.
And actually, my daughter joined us there as well.
And she was so impressed.
She said that she wants to put her hat in the ring
to do a Rookie Talk next year.
And even worse... even better, she said, Tom, would you be my mentor?
No. I hope she gets a decent mentor.
Well, out of the two worst, I think she picked the better one.
But like you said, Jav, it's like teaching a family member to drive.
You really can't do it, right?
You've got to have someone else tell you when you're screwing up or doing something bad, you know.
That's it.
Oh, shut up, Dad.
I know what I'm doing.
Exactly, exactly.
And speaking of shutting up, Andy. And not knowing what I'm doing.
Yeah, I thought you were about to say screwing up. Yeah, do you know what? I had a bad start to the week, I'll be honest. It didn't go to plan. I was pretty annoyed, frustrated, in a foreign country, obviously in my home country. So I went to the government office to get my passport sorted. You know, dutifully queued up for three and a half hours, as you do, with a ticket, had all of my paperwork, and then the person decided they just didn't like me, and there's nothing you can do in a situation like that. So he said, I need a police certificate to attest to my character.
And I said, well, as the guidance says, if you were born outside the country, you don't need it.
I said, I don't have one.
And he said, well, the guidance also said anything else that the officer requests.
And then he circled it.
And I was like, where am I supposed to get a police certificate from?
I said, the police here don't know me.
He said, go back to where you're staying.
Go to the local police station.
Get a certificate.
I said, the police there don't know where I'm staying.
He said, but they'll know the address.
I said, it's not even my address.
It's a rental.
And the guy was like, I've told you what you need to do. And he wrote on the front, police certificate missing, signed and dated it, denied, and handed it back to me.
Wow. Amazing. Did you get your police certificate?
No, because at that point in time there was no point, because I wouldn't have been able to get back to where I'm staying and then back into the city within the five days I needed to turn it around. So it was a write-off at that point. And so it was a pretty shit week after that, until this morning I had breakfast with my cousin, and, yeah, it was kind of good that she told me that I've got more land that I didn't know about.
And, you know, while I've got a man working on the other land at the moment, chopping down trees,
I want him to give a quote for the other piece of land.
And, yeah, potentially even more land that my grandfather owned.
There's some discrepancies with the paperwork on.
Yeah, so it actually turned out to be quite positive. So it started a bit crap, but it's getting better.
Good luck claiming any of that land without a character certificate from the police.
Yeah, exactly.
And also, I knew there was a reason why I liked you, and I always felt you were part of the landed gentry.
Yeah, with a serfdom working on your land.
So did your granddad actually own that land, or was it kind of like the South Africans? He just went there and said, oh, I like that land, that's mine now.
No, my grandfather...
Say South African? Yeah, well, yeah, not to name anyone.
You know, I can't say.
You know who we're talking about.
It's a South African.
Yeah.
He did actually buy the land.
He was native Mauritian.
So, yeah.
And then it's a bit like the English going into Wales and buying cottages, isn't it? You're just, you know, you're the foreigner going in and just taking up all the land, and you're just going to fill it with Airbnbs.
Wales is practically England's car park. There's nothing else productive, to be honest. It's pretty much just a sheep factory.
Yeah, well, to both of our Welsh listeners, I'm so sorry. I'm so sorry. But...
I was gonna say, did you know it was... that invented the first sort of condom from the sheep's intestine?
Really? I didn't know that.
Yeah.
Yeah.
But it was the English who perfected it by taking it out of the sheep, you know, afterwards.
Let's move on.
Yeah, let's move on.
Speaking of taking stuff out of the intestines, Tom, how's your week been?
It's been very good. I've literally only got a couple of days left before the Christmas break, so of course everybody wants everything right now. So, yeah, just trying to sort of get everything closed down.
But, yeah, it's been fun.
It's been a good week.
I've been busy most evenings, actually.
But I've also, I have resigned as chairman of the ISC Squared Thames Valley chapter.
Oh, no.
I know.
They're gutted.
They're bereft.
And, you know, it's now called ISC2. They officially changed it.
That's bizarre. How can I... I don't know. Didn't you just win an award, Tom, for your chapter?
Oh, I don't think so. Oh, no, no, that's right. It was the email I sent, wasn't it?
Yes.
Somebody saying that our chapter has won an award for, I don't know,
something sales in the security space.
Utterly, one of those, you know, obviously cut and paste things,
but so poorly done, so poorly done.
And all I had to do was pay the princely sum of five grand
and I could get a full page advert, blah, blah, blah, blah, blah.
Ridiculous.
No quality control at all.
Right.
And talking of which, of no quality control,
let's see what we've got coming up for you this week.
This week in InfoSec makes a tenuous wrestling link to a security story.
Rant of the Week is a warning the UK government is ill-prepared for what's coming.
Billy Big Balls is a train wreck. Nothing new there.
Industry News is the latest and greatest news stories from around the world.
And Tweet of the Week is some seasonal holiday advice.
Okay, let's go on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
I love it. As I'm sitting there, Jav starts yawning, Tom takes off his headphones and walks off. It's brilliant.
Our favourite part of the show, they say.
What did you say? Sorry, I missed that.
It's that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And today's step back down memory lane will start, I'm trying to do the maths here, 13 years ago, on the 11th of December 2010, when the hacker group Gnosis released the source code for Gawker's website and 1.3 million of its users' password hashes. And interestingly, after a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan, they awarded him 140 million dollars. Gawker then shut down in 2016.
So if you recall, I can't believe it's actually this long ago, Gawker was a media company. They operated several websites, including the flagship Gawker.com. Founded in 2003, primarily focused on celebrity and media industry gossip, as well as,
you know, a bit of news and commentary on other topics. But in 2012, Gawker published a sex tape featuring Terry Bollea,
better known by his professional wrestling stage name, Hulk Hogan.
And the video was made without Hogan's consent.
And he sued Gawker for the invasion of privacy, defamation and emotional distress.
And it was actually a lawsuit that brought significant attention
to issues of privacy, media ethics and freedom of the press. And in 2016, a Florida jury awarded the immortal Hulk Hogan 115 million in damages, which was later increased to 140 million dollars, and that judgment led Gawker to file for bankruptcy.
Awesome.
Well, good.
That sounds like revenge porn to me.
Pretty much.
But do you know what? Back then there was very little ethics or guidance about this sort of stuff.
Do you remember like the red tops they used to do sort of like
the daily sport in particular would sort of have pretend mock,
you know, almost Photoshop pictures of celebrities.
Yeah.
Yeah.
Yeah.
Yeah.
It was like,
you know,
there's lots of tapes that were leaked back then.
You had the,
obviously Pamela Anderson's one.
And then you had Paris Hilton's and then you had that.
Oh,
I can't remember that,
that TV presenter in the UK
with Abby Titmuss and some other...
Abby Titmuss and John Leslie.
John Leslie, that's one.
And, you know, like you said, there was so much of this going around
and there was no protections available for so many of these people.
Apart from sheep's intestines.
Moving swiftly on to our second story,
which takes us back a mere 14 years
to the 14th of December 2009,
when RockYou admitted that 32 million users' passwords, stored as plain text, and email addresses were compromised by a SQL injection vulnerability. RockYou's customer notification said it was important to notify you of this immediately, which arrived 10 days after they first discovered it.
Surely in 2009 it was still known to not store passwords in plain text, right?
Dude, today it's still known not to store passwords in plain text, and the only reason people don't is because they're using an app that forces it by default.
Well, obviously we know today, but I'm saying back in 2009 we even knew then.
A lot of apps, if you think 2009, you know, people becoming aware of... well, OWASP had obviously been around for a number of years, but it was only sort of later that, you know, that sort of era is when SQL injection really started, you know, rising to prominence. So I don't... we still had a lot of SQL injection attacks after this. Even today we still see it, right?
Oh, God. SQL injection and cross-site scripting is still in the OWASP top 10. Exactly.
So, yeah, it's not unusual.
Who the hell are RockYou anyway?
Well, they used to be big back in the day.
So there were social media.
Well, they had 32 million users, apparently.
Yeah, so they're an application development company,
big in the mid-naughties, founded in 2005.
They used to create widgets and applications for social networking platforms like MySpace and Facebook.
Like games, slideshows and other interactive content that you could add to your profiles. But one of the most well-known products was the Super Wall, which was an application that allowed users to post multimedia content on their friends' Facebook walls. So obviously they did experience rapid growth during those early days of social media with Facebook, and, yeah, but they faced challenges with, you know, predominantly security issues.
And after that notable sort of data breach,
they just kind of evolved and shifted,
hit financial difficulties,
sold off some of its assets.
And then, you know,
the gravy train stopped coming in Silicon Valley.
And yeah, they moved on.
Wow.
Not good.
We got one more, haven't we?
Yes, one more. I added that in. It's not really a security story, but a mere 15 years ago. Not so easy, is it?
Oh, come on. On the 14th of December 2008
was the infamous
Bush shoeing incident.
So this is when he
went to Iraq and he was holding like a
conference alongside
Iraqi PM Nouri
al-Maliki.
No relation.
No, no relation.
It's my Italian cousin.
Maliki.
And there was a disgruntled person, Al Zaidi, in the audience,
and he took off his shoe and threw it as hard as he could at Bush,
which he ducked.
Maliki tried to do the humane thing and tried to parry it.
There's a photo of him with his hand out trying to catch it.
So then he took off his other shoe and threw that and he missed again.
So, you know, no prizes at the carnival he's ever won.
But I think it was a very, you know, at the time,
it was quite shocking.
And, like, you know, there's lots of memes that went around
about, like, people having to remove their shoes from future
press briefings and what have you.
But to be fair, Bush did actually duck the first one.
He asked for an old guy.
He did.
Reactions were pretty good.
His reactions were pretty good.
It's a thing of having something thrown at your head,
isn't it? It's instinctive.
It's his fighter pilot
training came back.
I'm just thinking, if
you threw something at Trump's head, do you think
that his reactions would be
as swift?
No, it's alright, because
there would be Proud Boys
in the way that would jump in front and take the shoe to their heads.
Me or Team Six.
Yeah.
Although it does make me question, every time we meet Jav
and you sort of throw your shoes at me,
I always thought you were gifting them to me.
So I do now, I'm wondering what to do with this cupboard full of your shoes.
It's when he goes by on his bike and sort of, like, yeah, drive-by shoeing.
Yeah, I found the cheap way was to go to the mosque and just collect shoes from there. I mean, they're just lying there. It's like they're free.
But it's only at a particular time,
between 2 and 3 p.m. on a Friday.
Fridays is the best day to go.
It is.
Brilliant.
Thank you for...
This Week in InfoSec.
30% nostalgic.
30% ranty.
30% ballsy.
And 30% terrible at maths.
You're listening to the award-winning
Host Unknown Podcast.
All right, so let's do the next 30 percent, which is this week's...
Listen up! Rant of the Week. It's time to mother rage.
So, headline from, well, from this week's No Shit Sherlock, I think, to be honest with you: UK government woefully unprepared for, inverted commas, catastrophic ransomware attack.
So many things in there just ring true.
It's woefully unprepared really does sum up our government anyway.
So the UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack
that the Joint Committee on National Security Strategy, the aptly shortened JCNSS, yesterday warned could occur at any moment. So it seems that this very officially named group, presumably quite important
to know what they're talking about, have basically said if the UK government was held to ransom,
i.e. any of the sort of major public bodies, etc., through malware, ransomware and encryption of data, etc.,
that basically we wouldn't know how to respond.
As a country, we would not know how to respond.
We would not be able to deal with it,
which is actually really quite scary when you come to think of it,
given the fact that many companies are literally paralysed,
larger companies who may not even have the same kind of
national level of resources have been crippled. If we look at Sony for a number of weeks,
and this is going back and, you know, 10 years, I think now, isn't it? Something like that,
five, 10 years. They were out of action for weeks and weeks. Maersk, the, you know, the international shipping company, they were crippled.
But you'd like to think that the money that we are obliged to hand over, and we gladly hand over in the form of taxes, in the support of our country, in the support of our services, etc.,
is not being spent in the right way. It's being spent on, you know, well, crappy PPE contracts and, you know, lining the pockets of their mates rather than actually preparing us for some, you know, major national-level threats.
There's even been recent examples of this that show, you know, how hard UK government institutes, or institutions, sorry, have been hit. So for instance, Manchester Police, Royal Mail, the British Library recently, although maybe not quite so critical. The NHS has been hit a number of times by WannaCry. NHS software systems have been hit elsewhere, taking systems offline and forcing care providers to revert to pen and paper. It's just, it's not a great picture all round. There hasn't been any comment from the UK government apart from, you know, probably, hang on, we're at lunch at the moment, leave a message and we'll get right back to you.
It's really, it's shocking. It's absolutely... In fact, it's not shocking. It's exactly what you'd expect from the government at the moment. But, you know, something like this is obviously a threat of the current times and is not being taken seriously, and instead we're just, you know, running money away, running water... there, I'm mixing my metaphors here. Running, just throwing cash out the window
rather than actually invest it in the right areas. So yeah, pretty straightforward rant,
UK government, ransomware, get your act together. Rishi, you might want to, you know, maybe focus
something on this rather than chartering planes to Rwanda.
Maybe even get some of these immigrants to come in
and build a system that might help stop this sort of thing.
So rather than just trying to focus on the brain drain of the UK
and make that worse, perhaps just bring in a few people who could help. Maybe, I don't know. Just, you know, asking for a friend.
Jav, I tell you what the most shocking thing about this rant is, is I actually agree with you.
Yes. Yeah. And the second thing that I never thought I'd hear you say is that you actually advocated the non-deporting and actually welcoming of migrants into this country.
I know we joke about a lot of stuff.
I know we joke about a lot of this stuff.
You know, I'm old and very right-wing.
I'm not.
As I've got older, I'm a lefty socialist.
You're a super old left-winger.
Yeah, yeah, absolutely. Absolutely. I'm an armchair socialist.
Because you mentioned companies that have been hit by ransomware in the past, obviously, and you mentioned Sony famously, and with Maersk, do you
remember how they were literally dead in the water as a company?
Quite literally.
Everything.
Yeah, quite literally.
It wasn't... It was like the way they were covered,
because there was one server in Ghana that was off at the time.
That had the entire AD on it.
And the entire company, it was like 45,000 machines rebuilt
using that Active Directory server.
Yeah.
But it's, yeah.
It's a great, it's a case of like, you know,
just a lot of luck.
And I'm surprised, you know,
Gartner hasn't marketed themselves more heavily
as like a place to build your servers.
Your business continuity.
Yeah, yeah. You don't need a data center. You just need one server under, like, someone's desk over there.
You know why it was offline? Because the country had a blackout at the time. There was no power.
Even better. Even better. Wow.
See, this should be everyone's excuse now. Like, when someone goes to you and says, we need five nines uptime, and you say, like, you realize that's actually a liability. We are 38.6 percent uptime in Ghana, and that saves everyone. So that means we've got a two out of three chance that if we get attacked, we'll be okay.
Yeah, but, you know, if someone's nondescript and they just say five nines, I'm happy to agree with it, because nine point nine nine nine is still five nines. It's just the decimal point's not... yeah, that's on you, not me. Yeah, where the decimal point is.
We know you've been hanging around with lawyers lately, Andy,
but that is devious.
Oh, dear.
Right, that was this week's...
Rant of the Week.
The host unknown podcast.
Orally delivering the warm and fuzzy feeling you get
when you pee yourself
All right, let's see if I can return the favor to Jav this week. This week's...
So this is a Billy Big Balls from a manufacturer. So you remember a few years ago, there was the whole John Deere and their tractors debacle with their farmers, where farmers were trying to upgrade their tractors and they were trying to brick them or trying to say it's a violation of service and what have you.
If you think that's bad, then NEWAG, which I assume is an acronym because it's all in capitals, it's E-W-A-G.
Nothing to do with footballers' wives.
But it's...
Never even wanted a...
Whatever.
Yeah.
So they provide trains and they have like,
obviously like everything these days,
it's controlled by a lot of electronics and computers.
Not just coal.
Not just coal.
And the train companies,
rather than going to the manufacturer to have them serviced,
because they're like, you know, IBM prices, like eye-wateringly expensive,
they hired some independent contractors to do it for them.
And as a result, the train manufacturer decided to brick the train.
So they basically, you know, did DRM to a train.
And so the train stopped working. The Billy Big Balls move comes here, in one of the coolest and most outrageous repair stories. Three white hat hackers helped the train company
in southwest Poland unbrick a train
that had been artificially rendered inoperable
by the train's manufacturer
after an independent maintenance company worked on it.
But now, in a double Billy Big Balls move,
the train manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it.
So not only did these absolute villains brick trains because they were butthurt that someone else serviced it, they're now trying to sue the people who fixed the train that they had.
What I can only imagine is maybe legally lawful,
according to their contract, but morally reprehensible.
The fallout from this situation is currently, you know, roiling in Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. Yeah, the manufacturer is now also demanding that the repaired trains immediately be removed from service because they have been hacked and thus may now be unsafe.
So that to me sounds...
That now seems to me like a threat where they're like,
you either take these trains off or we're going to make them crash.
That's how I'm reading it.
But then again, I'm a bit sensationalist like that.
But wow, isn't that just like some...
It's shocking.
That's more than a pair of Billy Big Balls.
This could have been a rant up from the other side, right?
Because do you know how they knew to brick the trains in the first place?
Not because parts had been replaced,
but because the GPS on the train had been set to brick
or to send signals to brick the train
if it spent specific amounts of time at certain locations
which were known to be third-party repair yards.
Are you serious?
Yep.
Wow.
Wow.
Yep, so the manufacturer's gone around and actually worked out where all the third-party repair yards were and said, if it spends more than X many hours here, brick it, because it's obviously been repaired.
Someone at BMW is taking note.
Yeah, exactly. Could we map out all these non-official BMW garages, all the, yeah, ATS, exhaust, Kwik Fit.
I mean, Kwik Fit, I would be... yeah, fair enough. I mean, you pay twice your money and, you know, you get what you're given at Kwik Fit, which is, you know, a slightly shoddy and overpriced service.
You can't get quicker than a Kwik Fit fitter. We're the ones to trust.
Yeah, unless you... until you rock up in your car there because you're nearby and they say, no, you have to book an appointment. The earliest one's next week or something.
Yeah, exactly. Well, you've got, you know, one wheel hanging off the back.
This is shocking.
This is really, really poor.
And, you know, the John Deere thing has been universally condemned, hasn't it?
You know, and it's, you know, and it's, yeah, where is this going to stop?
Because we're seeing this with cars, as you say, you know,
or maybe not bricking a car, but certainly, you know, when we come to, you know, the payment of services, you know, for paying for your heated seats and all that sort of thing, which is a little more grey, I think, in some areas, you know. But actually bricking an entire vehicle or, you know, something like this... I mean, even Apple don't do that, do they?
No.
But yeah, I think this is the future we're heading... we've been heading towards for a long time. The thing is, this is kind of like boiling the frog. Things are happening slowly and we're just accepting and getting used to it. So it's like all the iTunes tracks that you own, you can't pass them on as inheritance.
They're like, yes, you can, you can.
I'm sure there was a story where you couldn't.
I think they now have a thing set up where you can add someone as your... basically, in case of death, this person effectively gets access to your account and can do what they wish with it.
Oh, okay.
Okay, that must be an older thing.
So, guys, if you want me to get access to your account and remove all that dodgy content, you know, if you die, just so we don't upset people, just let me know.
No, there's no need to do that. There's really good automation links that... so what I've got is a polling thing. Every 72 hours, I have to go onto a server and just, like, click and prove that I'm alive and I'm not a robot. And the day that stops happening, it formats everything.
Okay, so the day you have a bike accident and you're in a hospital for three days or four days, you would, you know, you've lost...
I'd be much happier to rebuild my life from scratch after that than the risk of, like, you know... There was a proper risk assessment done and 72 hours was...
Yeah, nobody needs to see that poetry you've written.
No, no.
Oh, Andy, you're on mute.
His office just implodes when it's after 72 hours, everything gone.
He's got a tame black hole underneath that's just contained enough.
Oh, dear.
Excellent.
Thank you, Jav, for this week's Billy Big Balls of the Week.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content?
Ask your doctor if the Host Unknown Podcast is right for you.
Always read the label, never double dose on episodes.
Side effects may include nausea, eye rolling and involuntary swearing in anger.
So, talking of things that we have to do at the time of our death... Andy, what time is it?
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
EU reaches agreement on AI Act amid three-day negotiations.
Industry News.
Europol raises alarm on criminal misuse of Bluetooth trackers.
Industry News.
Widespread security flaws blamed for Northern Ireland police data breach.
Industry News.
UK Ministry of Defence fined for Afghan data breach.
Industry news.
UK at high risk of catastrophic ransomware attack.
Government ill-prepared.
Industry news.
Meta launches critical infrastructure threat model framework.
Industry news.
Microsoft targets prolific Outlook fraudster Storm 1152.
Industry News.
Vulnerabilities now top initial access route for ransomware.
Industry News.
Cozy Bear hackers target JetBrains TeamCity servers in global campaign.
Industry News.
And that was this week's...
Industry News.
Huge if true. Huge.
True.
I love the fact that three of these,
a full third of these are about the UK screwing up.
Yeah.
With much to the point.
Northern Ireland police data breach,
Ministry of Defence, Afghan data breach
and the story
high risk of catastrophic ransomware attack.
That's a full third of the stories
about how poor
we are.
It's only going to get worse. I can
predict by this time next year if we're
all still alive and kicking and doing this show,
it should have at least increased to 72%.
Yeah, something like that.
Something like that.
I was just looking at the EU reaching an agreement on the AI Act.
It took them three days to come along, come up with...
So basically, we should do something about this.
Yeah, we should do something about this.
Yeah, a landmark bill to regulate the use of AI systems.
So do you know what?
I saw this thing on TikTok where...
You've probably seen it, Jab, where it's like,
AI will fill in your photos, right?
So you post photos, and then it sort of zooms out,
and it's filled in what it thinks the
rest of the photo looks like.
Yeah, Adobe does that.
No, no, this is, like, scarily good. Like, some of the things, it's so amazing. So I actually installed CapCut to play about with it. However, when the permissions came up for CapCut,
it wanted full access to all of my photos,
including metadata and videos and everything.
Well, colour me shocked.
Yeah.
So I said, unfortunately, I will not proceed at this point.
But, yeah, I mean, what AI can do is fantastic.
And, you know, do we really need guidance at the moment?
Can't we just trust people to get on with it?
It's the only way I'm able to hold down three day jobs.
Yeah.
You know, nature will find a way.
It always finds a way.
So let's just leave
the regulation.
Leave it, leave.
You know,
people will find their way.
Also, Jav,
the one you said,
meter,
isn't it mitre?
Yeah.
Yeah, whatever.
Meter, mitre,
tomato, tomato.
That last one, Cozy Bear hackers target JetBrains TeamCity servers in global campaign,
that just sounds like
an awful lot of
random words
put together
it does
it does
it just doesn't make any sense
is right
yeah
yeah
what the hell is this
so I like this story
about Europol talking about, OK,
I like how they worded it,
on criminal misuse of Bluetooth trackers,
which is a nice way of saying, like, Apple AirTags,
have been used to geolocate illegal commodities, with the majority of reported cases involving cocaine smuggling.
I also think it's a bit of a non-story because you've had those little GPS locators and stuff available, for Tiles...
Yeah, Podos.
And you get them everywhere. They're hanging up in Robert Dyas, for crikey.
Yeah, but I think Apple's got a lot to answer for.
Do you know what?
My bag has been ringing all week
because I've got an AirTag.
Well, I put AirTags in my luggage
before I came out, obviously.
And one of the AirTags I grabbed wasn't mine.
It's my missus.
So it's tied to her phone.
So yeah, the first I realised was when I got the notification that an AirTag was tracking me, and I was like, oh, that really is tracking me all over the place. And then I identified it and it was actually the one that we used to stick on the dog, so I don't know what my dog's wearing at the moment.
Is your dog currently at, you know, Heathrow baggage centre?
Yeah, I'll say my dog's in Mauritius with me. I never knew.
He'd had a great time on the beach in the mornings before coming back and sitting in the house all day.
A hell of a swim back, though.
Yeah.
Anything else here?
I don't think so, no. I mean, I didn't click on the story, but the one about Microsoft targeting prolific Outlook fraudster Storm 1152: Microsoft has gone after a prolific Vietnam-based threat group it describes as the number one seller and creator of fake accounts.
Let me stop him right there. Let me stop you right there. Microsoft should know that they're not going to win that war. We've seen this story before, right?
Yeah.
We've seen US personnel going to Vietnam and a lot of money was spent and they thought they had the upper hand, and it's just not a good story.
Yeah, it's not, it's not. But in 20 years' time we're gonna have some great films about...
Yeah, we're gonna have some Microsoft, like, you know, programmers and threat hunters with PTSD, like, talking about this here with flashbacks.
Oh, dear.
Very good.
Very good.
Thank you.
That was this week's Industry News.
We're not lazy when it comes to researching stories.
No, we're just energy efficient.
Like and subscribe to the Host Unknown Podcast for more ESG-adjacent tips.
Right, Andy, take us home. Before you go home, it is time for this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from WorkRetiredDie,
and they say,
This holiday season, let's remember what matters most.
Making sure all fonts are consistent
and logos are aligned properly on our presentations.
Details matter.
Thanks, team.
Damn right.
Damn right.
This is one of your accounts, isn't it, Andy?
Yeah.
This could not have said it better.
Yeah.
Wow.
Although work, retire, die, that does sound quite depressing.
It is depressing when you look at it, yeah.
It's a bit like, what is it, the lifespan of a fruit fly?
Born, eat, shag, die?
Yeah.
Yeah, yeah.
Is this because you're only like, what, a year away from retirement, Tom?
Officially?
Before you can claim on your government pension?
No, I think you can probably claim it now.
I think it's...
They're not allowed to...
Was it...
They changed the law.
You can't be mandatorily forced to retire now, can you?
So I think your company are just waiting for you to screw up.
Yeah, exactly.
Shouldn't be long.
It's the 12 months, you know, at least.
Yeah.
Oh, dear.
Brilliant.
Oh, brilliant.
Excellent.
Thank you.
That was this week's...
Tweet of the Week.
Well, we've hit the end of the show nice and quickly.
We kind of breezed through that really quite promptly, didn't we?
Jav, thank you very much, sir.
You're welcome, as always.
And Andy, thank you.
Stay secure, my friends, stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/SmashingSecurity.
So, Andy, are you stuck in that infinite loop? Like, sometimes I find myself there, whereas if I go to Pakistan, people over there, they realise from my accent and everything I'm not really from there, so they say, why don't you go back home to where you came from. And I come over here and then I hear the same thing, so I'm, like, in this perpetual loop. Is that what you're stuck in? Is that why you're going to Mauritius so often?
It is. It actually feels like... not just that. Yesterday my other cousin was over... well, practically, I call her my auntie, she's older than me, right? But, yeah, she is, like, taking my card and she literally spends the whole, like, morning pointing at things I've got, saying, how much did you pay for that? And then when I tell her, she laughs and tells me how much she would have paid for it. And it's like, yeah, well, has she got one?
I could never get the right price. But then, um... no, yeah, then this morning, as I was leaving, like, her husband, so my uncle, he called me aside. He said, when you come back next month, you must speak more French.
I'm like, yeah, because I'm gonna suddenly become good at French just like that. No problem, Uncle. Oui, oui.
And you went, ooh, la, la.
Yeah.
Manana, manana.