The Host Unknown Podcast - Episode 190 - The Very Serious Episode
Episode Date: April 15, 2024

This week in InfoSec (08:49)

With content liberated from the "today in infosec" twitter account and further afield

7th April 1969: Steve Crocker, a graduate student at UCLA and part of the team developing ARPANET, writes the first "Request for Comments". The ARPANET, a research project of the Department of Defense's Advanced Research Projects Agency (ARPA), was the foundation of today's modern Internet. RFC 1 defined the design of the host software for communication between ARPANET nodes. This host software would be run on Interface Message Processors or IMPs, which were the precursor to Internet routers. The "host software" defined in RFC 1 would later be known as the Network Control Protocol or NCP, which itself was the forerunner to the modern TCP/IP protocol the Internet runs on today.
https://thisdayintechhistory.com/04/07/rfc-1-defines-the-building-block-of-internet-communication/

7th April 2014: The Heartbleed Bug was publicly disclosed. The buffer over-read vulnerability had been discovered by Neel Mehta and later privately reported to the OpenSSL project, which patched it the next day. The vulnerability was inadvertently introduced into OpenSSL 2 years prior.
https://twitter.com/todayininfosec/status/1777136463882183076

Rant of the Week (17:09)

OpenTable is adding your first name to previously anonymous reviews

Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names.

OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency.

"At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer.

"We've heard from you, our diners, that trust and transparency are important when looking at reviews."

"To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews."

Billy Big Balls of the Week (26:36)

Lloyds Bank axes risk staff after executives complain they are a 'blocker'

Lloyds Banking Group plans to cut jobs in risk management after an internal review found the function was a "blocker to our strategic transformation". The restructuring was outlined in a memo last month from Lloyds' chief risk officer Stephen Shelley, who said two-thirds of executives believed risk management was blocking progress while "less than half our workforce believe intelligent risk-taking is encouraged". The lender was "resetting our approach to risk and controls", Shelley said in the memo, seen by the Financial Times, adding that "the initial focus is on non-financial risks".

Industry News (33:55)

T: Famous YouTube Channels Hacked to Distribute Infostealers
A: US Federal Data Privacy Law Introduced by Legislators
J: Foreign Interference Drives Record Surge in IP Theft
T: Half of UK Businesses Hit by Cyber-Incident in Past Year, UK Government Finds
A: US Claims to Have Recovered $1.4bn in COVID Fraud
J: Women Experience Exclusion Twice as Often as Men in Cybersecurity
T: Threat Actors Game GitHub Search to Spread Malware
A: Data Breach Exposes 300k Taxi Passengers' Information
J: Apple Boosts Spyware Alerts For Mercenary Attacks

Tweet of the Week (52:08)

https://x.com/ErrataRob/status/1778536622163984590

Come on! Like and bloody well subscribe!
Transcript
today's not the day for what andy today is not the day for oj simpson jokes
but tomorrow the gloves are off
might take a stab at it yeah oh god
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 190.
I was chewing, I was on mute and I was getting disturbed by the fact that your camera sort of went all over the place.
It pixelated and you disappeared.
Andy, you had one job.
194!
God damn, mate, it's just so little, so late.
It's just outrageous.
They stopped me on the street.
People asked me, they're like, why aren't you on the show
every week? Why aren't you on the show? And I was like,
have you ever tried working with those two
people? Impossible.
It's late on a Friday night.
What do you want? Leave me out of it. It's just
Baldy over there.
I see Andy. Basically, Andy's going to be muting in and out because he's just munching his way through a pack of biscuits this episode.
He is. He is. Which is great. So we can take it from here, Tom. Yeah. Yeah.
Geoff, how are you? How's your week been?
Fantastic. It was Eid this week, so Ramadan is over. So I am now eating and drinking.
And then I took the rest of the week off
So Thursday, Friday I had off
To recover
And I am on this podcast on my day off
Might I add for the record
Not that I'm doing this for work anyway
So it's not like I'm doing anyone a favour
You're not getting paid for this
So therefore how can this be your day off from this?
True, true.
But you know when you're not working,
you're just mentally checked out?
Yes.
So today I've rolled into this podcast like Andy does every week.
So all we can say is you've had a lot of days off work this week,
this year, sorry, because of how often you've turned up here.
And how often you're mentally
checked out. Yeah, okay. Although I did get, I got a text message a couple of weeks ago from, uh, from
HR asking, from the NHS, and they say like, Mr Malik, you have an NHS health check and
it was today
and yesterday they sent me a reminder
and I don't know whether they're being
dramatic now or whether
they just really don't want people missing a point
but they got the details of the appointment
and said this appointment could save
your life
that's in the text messages they sent me
so here's me thinking it's a regular
checkup to like oh my god do they know something about me that i have no idea there's like
something weird going on and did it save your life well it was just the usual telling off like
I'm the wrong height for my weight. Uh, my cholesterol is, well, there's not enough blood in my cholesterol.
And there's too much sugar in my bloodstream or whatever.
So basically they said, like, you know, yeah, if you don't take action,
you're going to have a stroke or heart attack or something like that.
Blood pressure is too high as well.
Yeah.
So it's all the usual South Asian things.
Did you say, look, Doc, this news isn't making my blood pressure any better?
Yeah.
Yeah, that's right.
Yeah.
It's making me want to eat some chocolate biscuits.
Honestly, today, when I got back, I've had so much chocolate and sweets today. Just, I think it's
comfort eating, just like Andy does. So, um, yeah. So, yeah, anyway, speaking of comfort eating. And yeah,
well, you're built for comfort, not speed, baby. Yeah, it's been a busy week. I'm trying to think.
I know I've been busy
yeah
can't complain about anything
but right
now I've swallowed that chocolate biscuit
thanks for
seeing me put that in my mouth
and then deliberately coming across to me.
Yeah, I've seen you put that chocolate biscuit in my mouth. Exactly. It's not
unlike this. This is a surprise to you at this stage of the show though, in fairness. Yeah, but
you know, he could have dragged it out for another, you know. According to you, we've done this 193 times before.
Probably more, 194.
So we can ascertain that you're hungry and you're busy.
Yes.
Although, do you know what? I don't always eat just because I'm hungry.
Sometimes I just eat because I feel like eating.
It's just a habit.
Oh, yeah, yeah. You know, well, I think the three of us can safely say we live to eat, we don't eat to live. Yeah. And, uh, exactly. One other good thing is, um, my wife met up with, uh, one of
her friends yesterday who um gave her some easter eggs she hasn't seen her since Easter. So one for myself, one for my wife,
one for the little one.
Thing is, she gave Lindor chocolate eggs
and my wife doesn't eat those.
Guess who gets them, baby?
Woo!
Yeah!
Why does she not eat Lindor?
Lindor chocolate's great.
Yeah, she's just not a fan.
But it's great for me because, you know, people buy them.
They're nice eggs and gift them over.
Yeah.
No, you've got to take advantage of that kind of stuff.
It's like three quarters of my kids are allergic to nuts.
So whenever I want something really for myself,
I just get the nut-flavoured chocolates or something.
And then avoid one of the kids.
Yeah.
Picnic.
Snickers.
Yeah.
Exactly.
Talking of nuts, Tom, how's your week?
They're fine.
Thank you very much.
Well, do you know what?
Two things this week, one of which you won't know about,
and the other one I'm amazed you haven't mentioned yet.
But first, this week was a Raspberry Pi 5 week.
I got a new Raspberry Pi 5.
It's their brand-new Raspberry Pi.
It's got an NVMe storage hat on it as well.
And I've replaced three Raspberry Pis with this one
Raspberry Pi, which is even better. So that was a fun week of, you know, building and
constructing and, you know, all that sort of stuff, remembering my Linux commands. So that was fun.
And secondly, well, my moustache. I decided to let him go. We took him up to the hills last
night. We opened the cage.
He tentatively
looked out and then sort of
scampered off. And I swear
at one point he stopped, turned around and
kind of nodded to me to say
thank you. But yes, moustache is gone.
We're now back to the old
grizzly
white stubble. Do you know what, I didn't even notice.
Neither did I. You know, surprisingly, he's been looking like a pedophile for like,
you know, the last month or so, and now like it's just like, that's normal Tom. Of course it is.
yeah the fact was it kept on getting stuck in my nostrils
and it was intense.
If I had a nose like that, I wouldn't underline it.
And talking of things getting up your nose,
let's see what we've got coming up for you this week.
This week in InfoSec takes us back to the building blocks of the internet.
Rant of the week is an experiment in snitches get stitches.
Billy Big Balls identifies a genius way to reduce risks.
Industry news is the latest and greatest news stories from around the world.
And tweet of the week is another loss for anonymity.
So without further ado, let's move on to our favourite part of the show, shall we? Let's move on to
This Week in InfoSec.
It is the part of the show where we take a trip down InfoSec memory lane with content
liberated from the today in infosec Twitter account and further afield.
And today's first story comes from further afield and takes us back a mere 55 years to the 7th of April 1969,
when RFC1 defined the building blocks of the internet's communication. So Steve Crocker
was a grad student at UCLA working on ARPANET and he wrote the first Requests for Comments,
also known as RFC. ARPANET was a project by the Department of Defense's ARPA and basically the
ancestor of the internet we know today. And RFC1 set out how
computers on the ARPANET should communicate. So back then, these computers were called
Interface Message Processors or IMPs, which are basically early versions of routers.
And the instructions in RFC1 eventually became the Network Control Protocol, NCP, which was the forerunner of today's TCP/IP protocol.
And that story behind RFCs is pretty interesting and well explained in RFC 1000,
but you're not going to get that level of detail here.
But in short, basically when ARPANET started, there wasn't a clear plan.
The team thought the government were going to send experts to define things.
That never happened,
so they started writing down their own ideas, calling them Requests for Comments.
And they didn't want it to seem like they were taking over, so they invited others to contribute.
And as more RFCs were written, they became the main way the ARPANET team shared ideas,
which then paved the way for the Internet Engineering Task Force, which is today's official internet standards body.
And as of early 2023, there's been nearly 9,500 RFCs published.
Wow.
Talking of internet protocols, I've got a joke about UDP.
You won't get it.
Yeah, you won't get it.
Yeah.
That one's as old as UDP, that one.
I can't believe you actually said that live on air.
Come on.
It's funny.
It's a good joke.
So one thing that internet has done,
it has really ruined the art of joke telling
because certain things are funny when you see it emailed to you or in a written form but when
delivered orally, it just doesn't hit the spot. But you know what, what the most important thing about jokes are? Timing. Timing. Oh dear.
Have you heard the joke... Anyway, our second story.
He says, interrupting me.
Sloth me. Sloth! Oh dear. Alas, our second story takes us back a mere 10 years, which seems like yesterday,
to the 7th of April 2014, when the heartbleed bug was publicly disclosed.
And the buffer overread vulnerability had been discovered by Neel Mehta
and later privately posted to the OpenSSL project,
which patched it the next day.
And that vulnerability was inadvertently introduced into OpenSSL two years prior.
So Heartbleed was obviously a major security flaw in the OpenSSL encryption
software, which is used to secure pretty much all websites on the internet. The bug allowed
attackers to read sensitive information from the memory of servers, including usernames,
passwords, and even encryption keys without leaving a trace. And the impact of Heartbleed was significant
because it affected pretty much most of the Internet's infrastructure,
including all the popular websites, email servers, networking equipment,
exposing millions of users' personal data to potential theft and exploitation.
And obviously, after its discovery in 2014,
website owners and service providers
scrambled to patch the vulnerability and update their systems. Um, but the effects of the bug did
linger for some time. Um, and there are thousands of vulnerabilities out there, but what made
Heartbleed so special is, and I do say it seemed like yesterday, but there are things that merge
into one, um, I think it was one of the first to have its own branding to go with it.
So, you know, it had a big website, a big launch, everything.
And it came out, I believe, before POODLE and Shellshock and way before Logjam, DROWN, EternalBlue, Spectre and Meltdown.
And after that, I could find some other names, but I just don't remember those being so well marketed
as Heartbleed was and some of those others just mentioned.
That was when Vulnerabilities had a marketing budget.
Yeah.
But people remember them, right?
It's all about the messaging.
People remember them, but also it was like such a slippery slope
because when you had a lot of these things going down the same route,
it was really overhyping stuff that people, the average person,
wouldn't really understand other than get scared that,
oh my God, there's something major that's going to bring down
our organisation or something.
And so, you know, it's impressive and important
to make people aware of stuff,
but also at the same time, it's not really.
Scare mongering isn't that good.
He says working for the marketing department
of a security company.
Oh, look, he's offended.
He's offended.
Look at that face.
I know.
It's like he hates competition.
That's the thing.
He wishes he thought of the heartbleed idea.
Do you know what?
He's thinking, I can't agree because I want my job.
Well, some of us do like their jobs,
and they do like to stay in them for more than 18 months at a time.
Two years?
Yes.
I'll have you know.
Excellent. Thank you, Andy, for this week's InfoSec.
In 2021, you voted us the most entertaining
cybersecurity content amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award-winning
Host Unknown podcast.
How do you like them apples?
The bar was very low in 2022.
It was.
It was.
Do you know what, those awards are back up at the moment, aren't they?
Podcast of the year.
It's the, who's it, the Eskenzi folks.
I can't remember.
Who did we win the awards with?
Them.
They're open again.
Unsung Heroes.
Unsung Heroes. No, no. That's
October. It's the...
It's...
The InfoSec Blogger Awards.
European Cyber Security
Blogger Awards.
I'm reading that from the two awards
that Smashing Security got and I picked up
for them and haven't given to them.
We're up.
Our ones are like, I've got them safe over there.
Yeah.
Yeah, for the blog that you contribute,
sorry, for the podcast you contribute so much to.
Well, exactly, yes.
Leaning in, that's what I like.
Okay, let's move on to...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
All righty-tighty.
Snitches get stitches.
Let's see if this is actually true.
So, you know what it's like when you want to book a table at a restaurant
and you don't want Andy to do it because he'll book one in what he thinks is just up from the
station, but he's actually about four miles away just because he just looks at the name of the
road and not the actual location of the place. You might go to a website or an app called OpenTable.
In fact, I even have an account on OpenTable.
And it's a reservation platform.
And not only can you do restaurants, you know, pay to use them as their reservation platform,
so they don't have to build their own, but it's also a review site.
So it will prompt you for a review after you've been to your visit. It's a little bit like a, you know, a Yelp or whatever, but it's focused just on restaurants. And they have announced very
recently that all reviews on the platform will now no longer be fully anonymous starting May 22nd, and will now show members' profile pictures
and first names, which is quite a ballsy move. But, you know, I think we can agree that
to a certain extent, you know, anonymity drives quite poor behaviour from a number of people, and
I think there was even a South Park episode about people trying to get free meals
by being reviewers and everybody's a reviewer.
And, you know, the whole, all of South Park collapses because reviewers were not giving,
giving enough sort of higher, higher enough number of stars, et cetera.
So they've, they've, OpenTable notified their members of this new policy recently, in
emails to members who had previously left a review on the platform, stating that the change was made
to provide more transparency. Okay, I get that. A statement from OpenTable: we strive to build a
community in which diners can help other diners discover new restaurants, and reviews are a
big part of that. Um, we've heard from you. I don't... You love these kind of, these sort of like first
person things, or second person. We heard from you, we hear you, our diners, that trust and transparency
are important when looking at reviews. To build on the credibility of our review program, starting
May 22nd, 2024, OpenTable will begin displaying diner first names and profile photos on all their
diner reviews. So far, so good, because, you know, trust and transparency moving forwards.
They go hand in hand, trust and transparency. The next sentence is what sends ice through my veins.
This update will also apply to past reviews. Now, this is a problem.
Interesting. Yeah, this is a problem.
How can you say that we open, we operate in trust and transparency and then post people's first names
and profile pictures when people posted reviews
when you said you wouldn't.
That's not trust.
That's transparency without trust.
It's moving the goalposts.
It is.
It is.
Absolutely.
Absolutely.
But do you know what? If you wrote it, just don't be a keyboard warrior.
Just, you know what I mean?
Well, I agree. Moving forward, I think they're absolutely right in this
because I think if you, you know, if you want to say something,
one, you should have said it in the actual restaurant for a start, you know,
but let's face it, nobody's as brave as they are behind a keyboard.
But two, it's, you know, it's probably going to promote some slightly better behaviour
because there's potential consequences, you know, to your, you know, awful review just
because the waiter forgot something or whatever.
But to do it retrospectively, I think actually, uh, I'm sure whilst there are no doubt a whole bunch of reviews in there which are callous
and wrong and all that sort of stuff, but I think that's dangerous. I mean, that's gonna, that's
gonna really start exposing people. Make it a bit spicy.
Make it a bit spicy.
Yeah, there you go.
There you go.
And there's been comments on... Maybe we need Glassdoor to do the same.
Yeah, well, yes, exactly.
Christ.
Can you imagine that they publish the full email address
of the person that did it?
Oh!
Well, and put an exclamation mark on it if the email address matches the name of the company
they're reviewing. Yeah, highlight it. But yeah, this is bad news. I don't like this at all. I don't like
this at all. You know, applying things retrospectively, unless it's salary, I think is never really a good idea. Salary, I'm all for
applying changes retrospectively.
not going to complain about that
but it's a bit like
if the tax man came and said
right we're changing your tax band
and by the way this is going back to
for the next previous five years
that's not the agreement
that we had in place
at the time, um, that these activities... Didn't they do that though? No, the HMRC did do that for
something, didn't they? They did for, um, tax avoidance. Yeah, it's tax avoidance schemes. Yeah, they did, they
applied rules retrospectively. Oh, sorry, tax efficiency schemes. They were not illegal at the time,
but they did retrospectively apply the rules
to anyone that benefited in previous years.
Which is also wrong, because what they did was entirely legal.
Morally and ethically it was wrong,
much like leaving a shitty review for the hell of it
is morally and ethically wrong. But it's not illegal.
See, what I find is that...
So you have sites like Google,
which allow you to leave reviews of places you visited
on Google Maps and everything,
and that's all tied to your Google account,
and that shows from day one everything.
The thing is, I'm not sure whether, I mean, is our, are bad anonymous reviews really that much of a problem
in the industry that they need to swap it out? And then I suppose also, what's the worst that could
happen? Someone sees that someone leaves a bad review. What, they're going to ban them from coming
to their restaurant? Well, if you hate the restaurant so much, you probably won't go anyway.
Yeah, yeah. Well, there's not that, but I think part of the issue is that some of the, um, you know, you've
seen it, like particularly in the US with like DoorDash and those type of things, where, you know,
people have been messaged after the event, like the DoorDash driver thought that the recipient
was cute looking or whatever, so like contacted them separately and sort of said like, you know,
hey, do you fancy going out for a drink sometime? Um, but if there's a restaurant owner that you've
really pissed off and they go back, you know, and you're a bit of a keyboard warrior about stuff,
they might turn up at your front door and say, right, because, you know, they'll tally
it back to like the receipts, that you, you know, what you booked under, your phone number and stuff
like that. Yeah, I get that stuff happens, but I think there's loads of avenues for that kind of
stuff to happen. So why open another one? It's got to be sheep behaviour. Why open another one? Yeah. But it has also occurred to me, maybe DoorDash,
not DoorDash, sorry, OpenTable in this instance,
have made this decision for trust and transparency reasons moving forward.
And I think, yeah, fair enough.
It's a good one.
As you say, Google does it.
Maybe they found that the platform they use,
when they do now start publishing first names and photos
cannot do that without applying it retrospectively as well. So maybe this is them just trying to make
a, uh, a good news story out of the fact that they've got a terrible platform.
Hadn't thought of that. There is that. That's a good... Yeah.
You know, shit boss, we can't, we can't make this work
without exposing everybody. We'll make it a feature, not a bug. Yes. I actually, in which case then, if
that is true, then this becomes a Billy Big Balls. Yeah, that's right. Yes it does, it does. So, yeah, come on OpenTable, be honest. You know, either fix the
core problem or don't do something like this. It's a bit crappy. Rant of the Week.
you're listening to the award-winning host Unknown podcast. It's better than tinnitus.
And talking about your Billy Big Balls, Jav,
let's see what you've got for us this week.
Billy Big Balls of the Week.
Yes, yes, yes.
So do you remember a few years ago when Trump was president and COVID was everywhere?
Good times.
And he said something like, the genius that he is,
he said something like states that have had less COVID testing have lower rates of infection.
Yes.
Yeah.
So we should just stop testing.
Yes, exactly. And clearly, being the business guru
he is, his words of advice probably made it into Harvard or something, or made it into the ears of
some, uh, some, uh, a grad at the CEO's WhatsApp group. Yeah, the CEO's WhatsApp group, or McKinsey's. That's the one I was thinking of.
Who went and... Lloyds Banking Group has, you know, had some issues and, you know, they've struggled with their strategic transformation.
And apparently one of the reasons for that is that there are, they have too many risk management people working in the bank, and they are a blocker to strategic transformation. So much like Trump, they said, what if we just got
rid of the people? Then there will be no one around to raise risks, and therefore there will be no blockers to our strategic transformation. This sounds so arse about face.
That's ridiculous.
That's the genius of it all.
That's why it's such a Billy Big Balls move.
Because you little people don't see the genius that is here.
But the job of risk managers is to highlight risks.
The job of the business leaders is to take those risks and go,
yeah, you're right, thanks, we're going to do it anyway.
But at least they know about the risks.
So what they're saying is...
Yeah, but that whole process of, yeah, thanks, you know,
is wasting so much time.
Yeah, but no...
We're losing ground.
Is that right?
Challenger banks and what have you.
What a bunch of muppets.
You know, I mean, and this isn't just cybersecurity risk.
This is like all risks.
All risks.
And the banks like, yeah, I mean, like people like Lloyds
and other financial institutions, obviously there's no risk
they need to be worried about, no, like, possibilities of fraud or insider, you know, trading or any of that. It's all good, man. This is actually
a good move. Visionary executive board. Yeah. I heard a stat a few, few years ago that Lloyds was the
most attacked bank over the internet in the, in the UK. Was number one. It was one that everybody was always after.
Well, why are you quoting external sources when I will quote Stephen Shelley, who's the
chief risk officer, who said two-thirds of executives believed risk management was blocking
progress, while less than half of our workforce believe intelligent risk
taking is encouraged. So it's clearly like they've got these people who are like, oh, this is a risk,
why is it? It doesn't comply with policy. So what happens? Our reputational risk, therefore it's a
medium. You know, that kind of... You can just see those kinds of conversations happening.
So, you know, good on them.
Okay, fair enough. Get rid of a lot of them.
Fair enough.
In which case, change their risk department.
Don't remove it.
You know, it's...
Sometimes you've got to burn it to the ground and rebuild.
Yeah.
There's nothing in this story about them rehiring.
No, you're actually...
So what they said, one person familiar with the restructuring
said about 175 permanent roles were in jeopardy
as a result of the changes, 150 of them in risk divisions.
The person added that the bank also planned to create 130 jobs focused on specialist risk and technical expertise.
So once again, Tom, you are wrong.
You were just going by the headline, making assumptions and making a fool of yourself, as always, in front of the world. But they didn't say we're getting rid of the risk functions
and replacing them with more qualified or better risk functions.
They're saying it's a specialist risk.
These are just flowery words written by communications people
to try and hide the fact that they've got incompetent management.
So they're getting rid of 175 people
and creating 130 new jobs.
Yeah.
So they're getting rid of some.
Yeah.
We know people are frustrated
by time-consuming processes
and ingrained ways of working that impede our ability to be competitive and leave us lagging behind our peers.
The memo continued. This is all the quiet parts said out loud about every security and risk function around the world.
But that's not the fault of risk. That's the fault of management.
The lender, which has about 60,000 staff,
has reviewed thousands of middle management positions across its business in an effort to increase its focus
on digital services.
So, you know, they are looking at those middle managers
who are a significant portion of fat.
Yeah.
Having been a fat middle manager, I can actually concur with that.
Yeah.
See, that's the only reason why you're against this,
because which division do you work in?
Do you interface with risk?
And am I the fat?
Yeah.
And he's got nothing to worry about.
His whole company has the word risk in its name.
Yeah, his whole company needs to be fired and rehired.
So I think it's a definite Billy Big Balls move.
You can't convince me otherwise.
Great job.
I hope to see more companies taking these kinds of approaches in the future.
I'm looking forward to covering the demise of Lloyds Bank.
Thanks, Jeff.
Billy Big Balls of the Week.
You're listening to the double award-winning Host Unknown podcast.
All right.
It's only a matter of time before we do see the demise of Lloyds, I'm sure.
And it's only a matter of time before we see all the people from Lloyds
who've just been fired turning up on LinkedIn.
And talking of time, Andy, what time is it?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry News.
Famous YouTube channels hacked to distribute info stealers.
Industry news.
US federal data privacy law introduced by legislators.
Industry news.
Foreign interference drives record surge in IP theft.
Industry news.
Half of UK businesses hit by a cyber incident in past year, UK government finds
US claims to have recovered $1.4 billion in COVID fraud
Industry news
Women experience exclusion twice as often as men in cyber security
Industry news.
Threat actors game GitHub search to spread malware.
Industry news.
Data breach exposes 300,000 taxi passengers' information.
Industry news.
Apple boosts spyware alerts for mercenary attacks.
Industry News.
And that was this week's... Industry News.
Huge if true.
Huge if true.
Huge if true.
Is InfoStealers a new film?
Is that what's being released on YouTube?
Yeah, I think this might be a sequel, though,
because I've heard of it before.
Might be a remake.
You know, they reboot everything.
Talking of which, I'm watching Fallout at the moment on Amazon.
That's brilliant.
Is it?
What's that?
Based on a game.
Based on the video game?
Yeah.
Oh, OK.
Very, very good.
Right, US claims to have recovered 1.4 billion in COVID fraud.
Perhaps they can come over here then and get Michelle Mone's yacht.
Yes.
US federal data protection law has been drafted by two US lawmakers. A bipartisan data protection law.
It's federal as well.
They've dubbed the draft bill the American Privacy Rights Act.
APRA.
Wow.
National law aims to give US citizens greater control over their personal data,
limiting the ability of big tech firms to process, transfer and sell such information.
That would be great if nothing else,
because we don't have to track state by state what we're doing.
It's never going to happen, though.
You don't think there's going to be a federal data privacy law?
I think there will.
I think it would be so toothless because basically
all the big tech companies are different branches of the government.
They're never going to pass it.
This is true.
I had my hopes up there for a minute as well.
Yeah.
So which one of... so, Tom, you're our diversity champion. What do you think of this report, the State of Inclusion Benchmark in Cybersecurity assessment, which has been published by Women in CyberSecurity in partnership with DEI firm Aleria? And they said women lack... you know, fall behind men in all categories: respect, career and growth, access and participation, and recognition, with respect being the highest one, which is a really shocking sort of, like, disparity.
It's not good, is it?
And if you look at the chart, not that charts say anything,
but the respect is significantly higher than any of them.
And let's face it, security is middle-aged white men. As a man in leadership in security, what are you doing to redress the balance, if anything?
Well, when I hire, I'll let you know.
But yeah, this is an example, this is a great example of demographic...
Tom got in trouble last time he tried to hire and said he wants women only.
That was a joke, by the way, all you recruiters out there.
Yeah, funny, I'm reading a book on diversity at the moment. And, you know, the distinction between, in this case, sort of demographic diversity and cognitive diversity
is quite interesting.
And how it's not, this is, whilst this is an extremely important element
of the diversity challenge, it's not just this.
It's also about ways of thinking and doing things as well,
which is another element of the diversity thing. But we know this because, you know, women are significantly underrepresented in the cyber security industry.
I'm just reading the detail of this, so this is a...
Oh, I wouldn't go that far.
Well, no. So it was for professionals under the age of 30.
So there could be an issue with experience
in terms of, you know,
companies going for middle-aged white men
because they want experienced people in those roles.
Potentially.
It depends what it's compared against as well.
But yeah.
And that is the thing,
without having been able to look too deeply
into the methodology of the survey
and all that sort of stuff.
But it certainly passes the sniff test
from the perspective of,
yeah, this sounds about right
in the way we treat things like this
in our industry.
Yeah.
No, I think, like, obviously, like, I was poking fun at you
when I was directing it towards you initially,
and I don't want anyone to think otherwise who's listening.
That voice in your ear is our lawyer, Jav.
And I stand corrected that anything and everything...
No, no, I think, allegedly, when you look at it, yes, there's a diversity issue.
Yeah, across all the sectors, whether it be race, whether it be gender, whether it be cognitive ability, neurodiversity, physical disabilities, all that kind of thing, there's a lack.
Yeah.
But do I think things are getting better? And then I think back to, like, 20-odd years ago, when you used to go to InfoSec, and you think about, like, all the people that were buying were, like, mainly men.
It was a soft booth base, let's face it.
And it was like booth babes were provocatively dressed, you know, all that kind of thing.
Good times.
But now you look at it.
See Tom shaking his head.
You know,
I think we need to acknowledge that there has been some progress made in this thing.
Even last year's B-Sides London, you go there, there was a lot more there. Even people hiring were, like, a lot more open about, like, oh, you don't need a degree. You can be this background, that background, whatever. And so I think there have been changes.
Obviously no change is ever going to be fast enough.
It's going to be generational.
It's going to be a generational change.
That's the thing.
Because by its very nature, over time,
there's only going to be a certain number of people of an age
or of an interest, et cetera, to make that move.
And I think one of the problems is that we often get given the challenge of,
we need to address this, and then a year later, why haven't we addressed this?
And actually, potentially, an awful lot of groundwork has been done.
That doesn't mean that at this point we need to stop doing that groundwork
and stop putting the effort in.
As an industry, we need to continue to do it, because it's proven over and over again that both cognitive and demographic diversity within the workplace absolutely and significantly influences performance positively compared to very homogenous environments. There's no question of that whatsoever. So we've got to do it, if nothing else because we're going to pull from a far larger pool of talented people. It just statistically makes sense, you know, if nothing else. But it is going to take time, because that resource pool is only going to grow over a longer period of time. It's not like suddenly women are going, oh, I can work in InfoSec, and all start applying for the jobs, because that's not what they've come from, etc. So, yeah, I completely agree here. And I actually think had Lloyds hired more women, they would have had better risk management.
Do you know what?
They probably would have.
It would be really interesting to see what the demographic breakdown
of the Lloyds sort of risk function is.
It would be really interesting to see.
See, who says we're not about the hard-hitting facts and asking the tough questions? We can take serious stuff on, you know.
Not sure. I'm sitting here smiling because I am the diversity hire in my company. I'm, like, the only male on the leadership team.
That's right. Yeah, you are. I've been to your workplace.
There was only one other fella in the
office with you.
Yeah.
Yeah.
And yet you still have the, on average.
Yeah.
Yeah, exactly.
I hit so many boxes. I'm like,
this is what you get with me, baby.
I'm like, any box you need,
I can tick.
Yeah.
And yet,
still on your floor,
you have the lowest
average testosterone level
compared to your peers.
Yeah, probably true.
Probably true.
Right, let's see. Let's do one more, shall we?
Okay. Well, I'm looking, everyone's clicking for the same one.
Yeah, yeah. No, I saw this report. Apple had sent out, over 90 countries I think, they sent notifications out to people saying you're being targeted by nation state, or, well, not nation state, what was the term they used? You've been targeted by mercenary attacks, which I think is such a great term to use, because this is all like those NSO Group types, you know. I think it's like another Israeli firm that was behind this one, where it's almost like zero-click type of Pegasus.
Yeah, yeah.
You know, zero-click takeover of phones and what have you. And I think this is where Apple is like, this is why we introduced that, you know, Lockdown feature, where, like, yeah, you know, it makes your phone a lot safer than what you think it is.
But I think the mercenary word is really interesting
because it's like there's tools out there and it's like it's for hire.
Anyone who has the money can just pay it and get you owned.
Which is true.
Which is true.
But so this story, reading this one, it says, like, you know, Apple boosts spyware alerts for mercenary attacks, and it talks about how it's revising the documentation and stuff like that. And now there's alternative reports I was reading, and they were saying that they changed this after pressure from the Indian government, when they say you were targeted by state-sponsored attacks, because apparently India were allegedly using this on people and they wanted to crush that sort of narrative as Modi goes for a third term in office. So they were behind that. And that was El Reg that launched that story. So they were behind Apple changing the term from nation state to mercenary.
That is the gist of the El Reg story.
Interesting.
Is that the Indian government put the pressure on Apple.
And yet I think mercenary is a very effective term.
It is, yeah.
It sort of ticks all boxes.
But they moved it away from state-sponsored attacks.
Yeah, it's interesting, isn't it?
So this is something that lines up completely with what Modi has been doing.
He's very active.
He comes across as a non-tech person, but he's very, very aware of image
and how it's portrayed and everything. And he's got a lot of his people in positions of power, like the CEO of Google and, you know, Microsoft and all that kind of, allegedly.
Allegedly.
His people, you know. People talk about China and everyone is, like, actually working for the Chinese government. I think India is a place we need to worry about next. That's the silent attack, you know.
But you know what the funny thing is? Like, imagine if China is... imagine China are actually the good guys, and they're sending people all over the world to protect them from the UK governments, the European, the American governments, the Indian governments. And China's, like, trying to be the world police, like that whole, you know, movie Team America: World Police. It's the wrong way around. That should be, like, you know, Team China: World Police. They're here to save us all. They are the good guys.
Right, well, they are the good guys. You know, your terrorists are just a freedom... you know, a freedom fighter is a terrorist with a marketing budget. And if the CCP would like to sponsor this show...
Yes, just pop up the message on my phone. You've already got access.
I've got... exactly.
Insert gag about win-win, like.
You know, now you've got me thinking. This is, like, you know, this isn't just conspiracy theory, this is fact. There's so many things, like, you know, it's like the Great Firewall of China isn't to keep you out, it's to keep them in. It's like...
who says we can't do a serious podcast every once in a while?
This is the problem.
It's too late on a Friday.
Yeah.
Yeah.
All right.
Well, let's end this seriousness and move on to some frivolity, shall we?
But one second.
One second.
One second.
Oh, my goodness.
Go on.
Yeah.
No, no, no, no.
Go on.
So, because the marketer in me is now interested,
if you got a notification from someone,
what would you rather hear?
You're being targeted by a nation state
or you're being targeted by mercenaries?
Sorry, a state-sponsored actor, I think,
were the previous words.
OK.
State-sponsored actor or mercenary.
I'd say...
For the kudos, I'd rather be attacked by mercenaries.
What, as opposed to state-sponsored? There's kudos in state-sponsored. There is a state out there that wants me down. They've sent cyber assassins after me, not just somebody's got some cash and they don't like the look of my... you know, they don't like the fact that I posted this poor review of their restaurant and therefore they can pay for someone to take me down.
This is a state, an actual state wants me. Cobra rooms and Cobra meetings, and said that Agnes, we want him out, we want him off the table. All sanctions, you know, if you're caught, we will deny you ever exist. Go for it.
Well, what if it's, like, a small, like, you know, what if it's like Estonia? Do you mean there's just, like, oh, come on, it's just Estonia. What if it's Luxembourg or Belgium or any of the small ones?
Christ, that's even better.
You've pissed off people who cannot get pissed off.
Yeah, from Canada.
And they've mobilised.
They have mobilised themselves to the point where they want to take you down.
They want to cut you off at the knees.
Unify the nation.
Yeah, absolutely. You've pissed off a state so boring that they can barely make it into a, you know, a Rough Planet travel guide. You've pissed them off so much that they actually want to commit an act of cyber terrorism against you. Now that is koojoss.
That is. That is.
That is. I just hope by the end of the week, Modi will be sitting there in his Cobra room. Well, you know, whatever the equivalent is. A cobra is probably one of his gods. But, you know, he will be sitting there saying that Agnes bastard, I want him dead. Like, you know, that's it. That's all I want to see.
I want him taken off the internet.
I'm going to cyber bomb him back to the cyber stone age.
He's going to beg.
He's going to put him in dial-up.
He's going to beg for a Commodore 64.
Right.
And that was this week's Industry News.
This is the award-winning Host Unknown podcast. Guaranteed to be a solid five out of ten at least once a month, or twice. Your money back, and you can take that to the bank.
All right, Andy. It's time for this week's
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
This week's Tweet of the Week comes from Errata Rob,
Rob Graham on Twitter.
And it is in response to Twitter making an announcement
that if you are a premium user, they are going to be removing
one of the current features for premium users, which is hiding your blue checkmark.
And so Rob's commentary on this is: Twitter slash X is cruel. How am I going to hide the fact I'm a douchebag now?
That's great.
That's great.
I like Rob.
Friend of the show, Rob.
Definitely.
Yeah.
He's up there.
Well, let me tell Rob about his,
wait till he finds out about his top table ratings.
OpenTable.
OpenTable.
Yeah.
Yeah, that's right.
God damn it.
Do you know what?
It's funny.
Twitter now, Twitter, X, whatever, is very much one of those things that, if a comment is made and you hear something, you look at the... if they've got a blue check mark and anything, ah, screw it, I know. Yeah, I'm not listening to you.
Yeah, I don't really use Twitter at all anymore. It's a shame.
Yeah, it's a shame. I just go through it for, like, in the way you fondly drive past the home that you grew up in and see the neighbourhood's all, like, graffitied and damaged and everything, and you're still like, ah, it's okay. Nostalgia, I suppose.
Yeah, but we know that, like, all the real content's on TikTok these days, right? If you're not there, you're just 100%, you're not getting anything. I mean, if you agree, Tom, say nothing.
What was that?
Okay, so... no, I just said if you agree, say... all right, so you did, so, yeah, say nothing.
I'm saying nothing.
Okay, that was this week's Tweet of the Week. So we have stumbled, I would say somewhat seriously, into the end of the show. And what a show it has been.
Well, Geoff, thank you very much for your contributions
and your attempt to defend the Lloyds risk team.
We'll see how that one goes.
You're welcome.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
All right.
Do you think that was too serious? Why did we get so serious?
Yeah, why so serious?
What went on?
I don't know.
I don't know.
Who knows?