The Host Unknown Podcast - Episode 201 - The Difficult 201st Podcast
Episode Date: September 9, 2024

This week in InfoSec (13:08)
With content liberated from the “today in infosec” twitter account and further afield

3rd September 2014: Twitter launched its bug bounty program via the HackerOne ... platform, stating it would award at least $140 for vulnerabilities found in http://x.com/ or its Android or iOS apps.
$140? 140 was the max tweet length. $1.6 million has been paid out since inception.
https://twitter.com/XSecurity/status/507220774336225280
https://x.com/todayininfosec/status/1831408686604140602

30th August 2014: A user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and other celebrities. Several years later 4 people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.
Apple knew of iCloud API weakness months before celeb photo leak broke
https://x.com/todayininfosec/status/1830016468328575386

Rant of the Week (19:09)
'Error' causes Alexa to endorse Kamala Harris, refuse to discuss Trump
It would be perfectly reasonable to expect Amazon's digital assistant Alexa to decline to state opinions about the 2024 presidential race, but up until recently, that assumption would have been incorrect.
When asked to give reasons to vote for former President Donald Trump, Alexa demurred, according to a video from Fox Business. "I cannot provide responses that endorse any political party or its leader," Alexa responded. When asked the same about Vice President Kamala Harris, the Amazon AI was more than willing to endorse the Democratic candidate. "There are many reasons to vote for Kamala Harris," Alexa said. Among the reasons given was that Harris has a "comprehensive plan to address racial injustice," that she promises a "tough on crime approach," and that her record on criminal justice and immigration reform make her a "compelling candidate."
Billy Big Balls of the Week (26:45)
Examples of Google Employees Trying to Avoid Creating Evidence in Antitrust Case
In its antitrust case against Google, the Federal Government filed a list of chats it had obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects, showing repeatedly that Google workers understood they should try to avoid creating a paper trail of some of their activities. The filing came following a hearing in which judge Leonie Brinkema ripped Google for “destroyed” evidence while considering a filing from the Department of Justice asking the court to find “adverse interference” against Google, which would allow the court to assume it purposefully destroyed evidence. Previous filings, including in the Epic Games v Google lawsuit and this current antitrust case, have also shown Google employees purposefully turning history off.
The chats show 22 instances in which one Google employee told another Google employee to turn chat history off. In total, the court has dozens of specific employees who have told others to turn history off in DMs or broader group chats and channels. The document includes exchanges like this (each exchange includes different employees)

AND

Musician charged with $10M streaming royalties fraud using AI and bots
North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme.
According to court documents, Smith fraudulently inflated music streams on digital platforms between 2017 and 2024 with the assistance of an unnamed music promoter and the Chief Executive Officer of an AI music company.
He acquired hundreds of thousands of songs generated through artificial intelligence (AI) from a coconspirator and uploaded them to these streaming platforms.
He then used automated bots to stream the AI-generated tracks billions of times.

Industry News (36:21)
South Korea Police Investigates Telegram Over Deepfake Porn
Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach
TfL Claims Cyber-Incident is Not Impacting Services
Three Plead Guilty to Running MFA Bypass Site
Civil Rights Groups Call For Spyware Controls
Clearview AI Fined €30.5m by Dutch Watchdog Over Illegal Data Collection
Russian Blamed For Mass Disinformation Campaign Ahead of US Election
OnlyFans Hackers Targeted With Infostealer Malware
UK Signs Council of Europe AI Convention

Tweet of the Week (42:50)
https://twitter.com/0xdade/status/1831387831677415923

Come on! Like and bloody well subscribe!
Transcript
Just at the right moment he said,
Ten points to Gryffindor!
You actually make that sound really good.
You're the right age as well.
Well, yes, yeah.
I read that first book on the train into London Paddington.
How old were you? Were you allowed on the train on your own then?
I was working at PwC, would you believe?
Oh, right. Oh, yeah, of course you were.
A lot older than us when that book
came out.
Well, you know,
not that old.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us. And welcome, welcome dear listener, welcome one and all to episode...
205!
201 of the Host Unknown podcast.
I'm doing that every week now.
Now I've found that jingle.
I'm doing that every week.
And you can crash it every time.
It's almost like we planned it.
Episode 201, yes.
Episode 205, unbelievable.
It's unbelievable.
Absolutely unbelievable.
We've hit the bicentennial.
Is that bicentennial?
I don't know, is that 200 years or is that 50 years?
Is that biannual, isn't it? You two are like Celsius and Fahrenheit. You talk about the same thing but in different ways.
In a minute, just be clear, I'm Celsius because I make sense. Andy's the weird one, he's on Fahrenheit.
Come on, given that you can trace every single episode number back to number one in the podcast...
Yes, I think Andy's the weird one. And as I've said many, many times before, if we have recorded an episode, it counts, whether you published it or not.
No, we recorded those episodes.
No, there's only one episode that hasn't been published, and we're just waiting for a famous person to die, that's all.
No, no, no. Do you remember that episode when, only one, we got through the whole thing and then realised that you hadn't pressed the record button? So we re-recorded it the next day.
So we actually have, literally in the show notes every single week, as part of the show notes by default: check to make sure Tom has pressed record.
Do you know what, you can see for yourselves as well here.
Jesus.
But do you know, is a podcast actually a podcast if it's not recorded, or is it just three middle-aged men just prattling on, you know, ostensibly just to stop themselves from getting bored during a pandemic?
To be fair, I wasn't middle-aged when we started the podcast. You guys were, but I wasn't. I was when we started this conversation and now I'm old, bloody hell.
To be fair, though, like even when we publish it, it doesn't really make a difference because us three are the only ones that ever heard it.
OK, occasionally, Tom, your mother listens to it,
but that's about it.
And gives us money occasionally.
Yes, yes.
Now, Graham, Graham Cooley, in fairness,
he gave us money once, didn't he?
Him and Carole.
Yeah, they sponsored the...
Wasn't that to take something derogatory down
about smashing security off the website?
Well, that worked, didn't it?
Yeah, absolutely.
If I was Graham, I'd ask for my money back.
But I think he already has and we've just ignored him so far.
Anyway, Jav, talking of money-grabbing liars, how are you?
How are you?
Wow.
Wow. Wow.
I was struggling there.
I was struggling.
Just because I'm a corporate spokesperson doesn't mean I'm a money-grabbing liar.
You mean like I will be soon.
Ooh.
Ooh, what's this?
What's this all about?
Yeah.
Well, maybe we'll see in a few months.
Oh, you tease.
I am a tease.
Hey, come on.
It's like those Instagram reels that go,
and follow for part two.
Oh, they started doing that on Instagram as well.
They've been doing that on TikTok for years.
Hey, you know, it's like a bait and switch.
I've got to keep people interested.
When they hear the actual news, they won't be interested at all.
But anyway, yes, you corporate shill.
What have you been up to this week?
Nothing.
It's been an uneventful week, to be honest.
I've been in PowerPoint hell for the most of it.
Next week, it's ramping up all the security awareness month.
I know. I tried to call in a favour from you and you're like, no, sorry bro, I'm busy.
I literally, I'm like, off the books, mate. What can you do for you? Like, yeah, maybe January.
Pretty much. Pretty... unless you pay him, yeah, then all of a sudden wide open availability.
I've got like some...
Are we talking about his calendar or his legs?
Next week, I've got to go up to Manchester of all places.
Sorry to hear that.
For an event in Old Trafford, actually.
Sorry to hear that.
Then I'm in Leeds the week after.
Then there's the Gartner event.
Then there's like...
Isn't there another InfoSec event as well coming up? Not InfoSec, but a cyber security event.
Yeah, there's loads of them coming up. Yeah, it's...
So yeah, I've just been in PowerPoint hell. Oh, interesting thing happened. There was a mix-up with my daughter's, my eldest one's, new college. The bus came, picked her up, took her to college, and then we got a phone call from the college saying, oh, she's not really enrolled here, so you've got to take her back. So now he said, can you keep her till five? Is that all right? Yeah. So now we're trying to work out what happened, why it fell through the cracks.
Holy moly.
Yeah, but she's so happy. She was like, I'm so happy, I don't want to go to college.
Oh, mate. What's she studying there?
Nothing, just like... so she's got special needs, so she's, um, just life skills kind of thing.
Oh, okay.
It's like, you know, they do some physio, they do some, like, you know, speech and language therapy. They try to make them as independent as possible, try to give them some life skills, like here's how you cook, here's how you clean, here's how money works.
But that's what mum and dad are for.
Yeah, yeah.
Rapidly ageing mum and dad who won't be here forever.
Well, I didn't want to say anything, Jav,
but you do look a little bit rougher around the edges.
Oh, honestly.
You're looking a bit white.
Your beard's a lot whiter than it was when we first met.
Even my doctor's, like,
worried about me.
He's been sending me for more and more tests.
Oh, you had your liver tested,
didn't you?
Yeah.
It's like...
Did you have it done
with onions and gravy?
Was it nice?
What?
Yeah.
No, it was like
non-alcoholic liver disease.
I don't know what this is.
There's an acronym for it.
You've got a fatty liver.
Yeah, I've got a fatty liver.
But without the alcohol.
But without the alcohol.
How is that fair?
Because at least with the alcohol,
you've A, had a good time,
until you didn't, obviously,
but B, got a reason for it.
What do you do?
N-A-F-L-D is the NHS one.
Non-alcoholic fatty liver disease. Not a fucking long distance till death.
Yeah, so you're at increased risk of NAFLD, naffled, yeah, if you're obese or overweight, particularly if you have a lot of fat around your waist.
Yeah, around the organs.
An apple-shaped body type, have type 2 diabetes, are insulin resistant, have high blood pressure.
Oh, no, I don't have that.
High cholesterol.
Don't have that.
Or over the age of 50.
So, phew, I've got many years till I hit that one.
No, my blood pressure is good. If you've just joined us, welcome to the old man's health and fitness podcast. But yes, anyway, talking of sick people, Andy, how are you?
Very good.
How sick are you? Go on.
Do you know what?
I can't.
Do you know what?
200 episodes ago, I would have said it without hesitation.
You would.
In fact, I think you did about the whiskey joke, right?
Yeah, no.
I've got so much more to lose these days.
Who are you?
Who are you?
Oh, dear. Yeah, no. Can't complain. Not too much going on. I've not been in PowerPoint hell, I've been in contract review hell this week. Lots of contracts, and frustrating ones. And you know what, sometimes you deal with clients and the way they phrase things, you want to go back and say, what are you talking about?
Yeah, what are you trying to, what do you want?
Yeah, so actually what I'll give you, there's one client who is arguing a point in a contract, saying that, they're getting all very clever and technical, that CVSS vulnerabilities with a high complexity must be remediated within 48 hours.
But vulnerabilities with a low complexity
must be remediated within seven days.
And so I modified the document.
I said, actually, you got it the wrong way around.
Like the low complexity ones are the biggest risk.
They rejected all my changes and said,
we do not accept modifications to our vulnerability remediation.
And I'm like, you need to understand, right, yeah, low complexity means there's like no barriers to this exploit occurring.
Yeah, but, yeah, no, they're not having it.
And also, surely it would be a CVSS score.
CVSS score, yeah, got the score, but then the second part of it is,
how does that score apply?
So it's, yeah, they're trying to get into the weeds, but...
They're trying to be clever.
They are, but it's just, like, yeah, they don't want correcting.
Wow.
So it's like, cool.
We're not going to fix high complexity.
I don't know how you're so chilled out and smiling on this podcast when you have to deal with so many numpties every week, and then end it on this podcast.
To be fair, like, with you guys, it's... what I deal with during the week is like a walk, it's like a holiday. And then I come on here, and then people at work are like, man, I don't know how you're so chilled after dealing with those two numpties every week.
Well, it's good to know that we lower the bar accordingly.
A bar so low that it's a tripping hazard in hell.
Indeed. Indeed.
And talking of tripping hazards in hell, Tom, how are you doing?
What?
Clutching at straws?
Yeah, definitely.
Very good, thank you.
It's been an interesting week
As I hinted at
My employment may be changing in the next few weeks
Next few weeks, next few months
Because European protection
Or UK employment protection
Means long notice periods
Which is good
So that's
I've been having to make announcements
to various people and teams and all that sort of thing.
So that was quite challenging
because I haven't been there that long, I have to say.
But what else has been going on?
Getting ready for my daughter to go to university,
which is going to be a little bit of a wrench.
Last one to go.
So yes, so busy buying, you know, potato peelers and, you know, mixing bowls.
And a trip to IKEA?
Yeah, well, the trip to IKEA was done without me, thankfully. But I didn't know, so I went and bought a bunch of stuff, and so she's got two of a lot of things now.
Co-parenting. No communication with the co-parenting.
Precisely. But you know what, my stuff's better.
Yours is better, yeah. That's the important thing. Doesn't matter she's got two of them, matters that yours is better.
Exactly. Mine's from TK Maxx. It's Joseph Joseph stuff, I mean, come on. So, yeah, got that to look forward to.
But talking of cut price goods, shall we see what we've got coming up for you this week?
This week in InfoSec is a reminder of the simpler days of 140.
Rant of the week is a politically insensitive wiretap. Billy Big Balls is a story about one of the world's largest data brokers activating the Enron protocol.
Industry News is the latest and greatest security news stories from around the world.
And Tweet of the Week is about risks in context.
So let's move on to our favourite part of the show, shall we?
It's the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane
with content liberated from the Today in Infosec twitter account or further afield. And this week, have I got these dates right? God, it is September already, isn't it? Okay. Our first story... so I don't know what was going on there, I just got confused. Fortunately I can do the maths on this one, so you don't need to insert the calculator sounds post-edit, Tom.
It's happening.
Our first story takes us back a mere...
10 years to the 3rd of September 2014, when Twitter launched its bug bounty program via the HackerOne platform, stating it would award at least $140 for vulnerabilities found in Twitter or its Android or iOS apps. $140, I hear you ask? At the time, 140 was the maximum tweet length that you could have. And since its inception, $1.6 million has been paid out.
So this was actually happier times when Twitter limited
rambling to 140 characters.
You didn't get like big stories of just complete and utter garbage.
Yeah, people just got to the point.
It was just good times.
Yeah, yeah.
Although Threads has gone a little bit that way.
There's lots of multi-part stories on there.
But I have to say, they're really quite funny stories, most of them.
Threads is a lot nicer to peruse, to be honest with you.
Right, I've got a Threads account.
The first day I got it, I used it and not been back since.
Yeah, yeah. Good to know.
Alas, our second story takes us back a mere 10 years again, so around about the same time. On the 30th of August 2014, a user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst and other celebrities.
Then several years later, four people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.
And you may recall, so this was the 30th of August 2014.
And then the 31st of August, the day later on the 2014,
became known as the Fappening, which was obviously a big event on Reddit where they sort of collated everything and pulled it all together.
But what was actually interesting about this whole story,
and I think we've talked about this before and everything that was wrong with it,
but it actually turns out that Apple may have missed the memo on a major iCloud vulnerability before it made headlines, because a London-based security researcher called Ibrahim Balic tried to warn Apple in March of 2014 about a flaw in their system which allowed passwords to be brute forced over 20,000 times without triggering a lockout.
And so Balic actually reached out to Apple both through email and through their bug reporting system, and Apple replied and said thanks but no thanks, saying the hack would take too long to be a real threat.
What?
Yeah.
So yeah, obviously then months later celebrity iCloud, their accounts were breached, and the rest is history.
Well, I posted a story in the link in the show notes to... well, yeah, well, I guess Apple were thinking that a month is too long.
Well, on average, but it was the people in question, and as you said, we covered this and it's obviously undeniably appalling, et cetera.
But the people in question did not have two-factor on, did they? It was just purely...
No, it wasn't.
But also back in 2014, you could actually ask, you know, when you want to do your account recovery, you could do things like, you know, what's your pet's name? What's your dog's name? And so you've got people like Paris Hilton, who are very, yeah, in the public life.
Gentlemen, everyone knows who their dog is.
Yeah, and so it's, okay, I know the answer to this one. So, you know, even then the questions weren't great either. You just needed to know someone's contact details.
And I think another thing was that they couldn't enable 2FA because they were sharing their credentials with agents or something.
Oh, that's right, yeah, which was a problem with Twitter as well, and all of those sorts of social accounts, wasn't it?
Yeah, but I think in 2014, I don't even know if Apple supported MFA for iCloud in 2014. I think they did, but it was through SMS, off the top of my head. It wasn't through, like, a push, as it were, because I remember at one point, because iTunes I think had it, but at one point I got a couple of accounts and one had to be a text message and the other one was a push. It was a mess for a while, but they did get it sorted out.
Not smart either way, on either side.
This Week in InfoSec.
If you work hard, research stories with diligence and deliver well-edited, award-winning, studio-quality content for high- sponsors, then you too can be usurped by three idiots who know how to think on their feet. You're listening to the award-winning Host Unknown podcast.
Right, let's move on to this next story, which is going to be interesting for anybody who's playing this out loud and happens to have some Amazon devices in the house. Listen up.
Rant of the Week. It's time to mother rage.
So those of you who've got Alexa devices in your house...
You order toilet rolls.
Confirm.
That's right. No tea bags.
So you will know that when it comes to, I think they call it skills, and the skills they have, they're actually pretty damn good, and Alexa is probably one of the sort of better AI assistants out there.
It can be quite conversational.
It can give you news updates.
It interacts with virtually everything out there.
So when it comes to, and I hate to say it,
the current election in America,
given that it's owned by a massive tech giant and given that the
said massive tech giant, Amazon, wants to sell more Alexa devices and doesn't want to alienate
51% or 49% of their prospective buyers, you'd think it would make sense that Alexa would not, well, would decline to state opinions about
the presidential race. But up until recently, you'd have been incorrect on that. So when asked
to give reasons to vote for former President Donald Trump, Alexa demurred, which is an interesting word to use.
But it said that I cannot provide responses that endorse any political party or its leader.
When asked the same question about Vice President Kamala Harris, though, Alexa was more than willing to endorse the Democratic candidate.
Alexa went on to say there are many reasons to vote for Kamala Harris, Alexa said.
Among the reasons given was that Harris has a comprehensive plan to address racial injustice,
that she promises a tough on crime approach, and that her record on criminal justice and immigration reform make her a compelling candidate. Now, on the face of it, I'm not seeing anything wrong here, because frankly there are no compelling reasons to vote for Trump, and it would absolutely make sense to not have Amazon endorsing... but, as you can probably guess, the mistake was actually on the latter's response, or the response to the latter rather than the former. An Amazon spokesperson actually told The Register, where the story's from, that this was an error that was quickly fixed. It didn't give any additional details about why the disparity was present,
but it did say that it has teams dedicated to continuously auditing its systems
to detect content that violates its policies and preventing similar situations.
Chances are this was just a little glitch in the AI in the back end,
and it probably picked up on some sentiment analysis
and had nothing to say on one candidate and plenty to say on the other.
Of course, however, and this is probably where the rant part comes in,
there's not been a necessarily sane response from our kindred folks on the right-hand side of the aisle
in the US. The difference in Alexa's responses went over poorly with Trump supporters.
Of course it did.
Yeah. Do you know what? Some labelled it as a commie. They labelled an AI assistant made by Amazon a commie,
with some leaders in the tech industry, can't imagine who,
touting her potential as a pro-tech president,
and others diving headfirst into the misinformation circus
that's being driven by new tools like AI.
Not particularly clever.
So who knows?
I mean, maybe someone just forgot to flip a switch.
But I mean, come on, people.
If you get your opinions and your information purely from the little hockey puck you keep in your house, then you probably deserve to be as angry as you obviously are, and you need to, we need to get out more and broaden your horizons somewhat. But yes, I mean, outrageous. Yes. Jav, please disagree with me.
So all I'm saying is that if you have AI, which is a collection of, like, almost, you know, I'd say, I was going to say, but you know, for effect, you can even, the world's knowledge is collected in one place, and anyone regardless of age, race, social background can query this resource and it will give them that. Isn't that what communism's all about?
So, yeah, well, no, not really, because communism doesn't work that way.
Communism is about contributing to the greater good.
So you're admitting it does work, but just not in that way.
Well, it's like democracy is the worst of all forms of government out there, but it's the only one that works.
Well, that's because they killed every other form of government out there.
We won't go there.
Well, yeah, I think, you know, little poopy pants Putin might have something to say about that. But yeah, but you know what, I don't know, this is such a small, minor thing that people... more than that is, like, you look at Elon Musk's tweets on X.
Oh, dear God.
And he is, like, fully endorsing Trump, and he is fully throwing Kamala under the bus, which is also spreading a lot of misinformation.
He is. Oh, massively, yeah, massively. Even with his, like, reposts and sort of, like, "interesting". It's like, God damn, you know, you must be off your tits on methadone or, you know, methamphetamine at three o'clock in the morning to think that that's interesting, which then tells all of your fucking, you know, toxic bro buddies that you think you're good for it. Anyway, outrageous.
Calm down.
Before you do get blood pressure.
Well, yes, I know.
I am going a bit red in the face at this.
It does...
The whole...
Right, forget it.
Rant of the Week.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content?
Yes!
Ask your doctor if the Host Unknown podcast is right for you.
Always read the label.
Never double dose on episodes.
Side effects may include nausea, eye rolling,
and involuntary swearing in anger.
Okie dokie, Jav.
Over to you, sir.
Bring it on, go.
So I am spoilt for choices this week.
I'm torn between two stories.
But I'll try to... I'll go through the first one.
And then if we have time, I might say the other one.
But there's an antitrust case against Google going on. Google, Meta, all these companies, they seem forever embroiled. Microsoft, always, always embroiled in some regulator wanting to penalise them for privacy violations, selling data, antitrust, whatever. But the federal government filed a list of chats it obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects. And what they're saying is that it showed that Google workers repeatedly understood they should try and avoid creating a paper trail of some of their activities.
And so, you know, people are calling it kind of like the Enron or they're doing an Enron there.
Honestly, I've got a completely different take on this.
I think it's a bit.
No.
But my take is different. It's a bit like why we use WhatsApp to communicate with each other and not our corporate emails. There's certain stuff you don't want on your corporate thing. I mean, like, that's exactly the same.
Yeah, but, you know, they're implying there's some sort of sinister sort of, like, plot going on there.
Have you read our chats? All I want to do is share pictures of Dick Van Dyke with you. I mean, that's all it is.
Okay, so I'm looking at this article and some of the extracts of what they've got, and, like, employee one: you might want to turn your chat history off before we talk about this. For sure, thank you. Employer: please keep your history off. Okay. Do you know if our pings are privileged or discoverable? Oh, we should turn history off. End of chat.
But please turn off history.
Entering there.
What is the history status of this group?
Is it okay for me to keep history on in here?
I need to keep some info for memory purposes.
Unfortunately, I'm not supportive of turning history on.
Yeah, I'm not surprised. I mean, if you're in an environment at work where you're not prepared to have it... I mean, what's the saying that we have? Dance like nobody's watching, write emails like it's going to be read in a deposition.
Yeah, yeah, exactly.
Oh, I love this: who's in charge of creating this room? I feel super uncomfortable us continuing on this on the record. On the record, dear God. I'm going to create a new room and kill this one. Sorry, I copied everyone into a new room, let's stop using this one. Geez. Okay, so sounds dodgy as hell.
These are just some extracts, but I maintain that a lot of it is probably, like, they want to talk about who's going drinking tonight, you know, where they want to meet up, and they don't want it on record. That's all it is, I think.
No, OK. It's a take. It's a take.
Yeah. It's a hot take.
You know, I'm just thinking, like, you know, one day maybe one of these people want to employ me or something in the future.
And you can say I'm supportive of switching off group chat.
Yes, exactly. History. History. Sorry. Yes.
So, OK, let me quickly just touch on the next one,
because this is a real Billy Big Ball move,
exploiting a massive loophole.
So a musician charged with $10 million in which they collected in royalty payments
from Spotify, Amazon Music, Apple Music and YouTube Music.
So they use AI generated songs and then stream them by thousands of bots.
So they uploaded a bunch of automatically AI generated crap.
Yeah.
And then streamed it using the same probably the same AI to listen to it.
Yeah, yeah.
To generate listens.
I mean, to generate $10 million, you need an awful lot of downloads.
Yeah, massive amount.
Surely this would have flagged at the $100,000 mark or something like that, right? Was it Snoop Dogg said he...
They say his royalties off Spotify was something like $4,000
or wasn't it something like that?
Really?
Yeah, he made no money at all off it.
And he is a successful recording artist.
He is.
Why are you getting news about Snoop Dogg that me and Jav are not?
I'm down with the kids.
You know... You're probably the same age as Snoop, actually, aren't you?
Yeah, probably, yeah.
Puff Daddy, or P Diddy, yeah, sampled a Police song on, um, Every Breath You Take, yeah, I'll Be Missing You. He sampled that, but he didn't get permission beforehand, so now he has to pay two thousand dollars a day to Sting for the rest of his life. And Sting went on record and said, like, that's put my kids through college, or something like that. One song has put my kids through college.
So royalties is big business, and it's a big game. So I would imagine there would have been people looking at this. This is exactly the sort of how you game the system, surely.
Exactly.
I mean, what this guy's done is definitely morally and ethically wrong.
Whether it is...
Is it, though?
Is it illegal?
Well, I don't know about the terms and conditions.
Well, exactly. Do you remember, back in the day, there used to be that Google ad click, yeah, software you could get, and as long as you clicked them you'd get, like, a penny every time someone clicked? Yeah, yeah.
And so it's just like a newer version of that. Yeah, it's just done at scale. So are they pissed off because they didn't have a clause in the contract that said they couldn't do this? Because, like I said, if he hit a hundred thousand dollars, you'd think that would flag something that would say, hey, just make sure this music's real.
No. Do you know, so he operated 52 cloud service accounts. Each cloud service account had 20 bots. So he had 1,040 bots in total.
And he could stream approximately 636 songs per day.
636 songs?
Per day.
That doesn't seem high.
Per bot.
Per bot.
Okay.
Yeah.
With an average royalty rate of half a cent per stream.
So they calculated daily earnings would reach $3,307.20.
So monthly earnings of $99,216.
What about traffic analysis?
I mean, surely that... Hang on, these albums are being streamed to all the same people
at the same time all day, 24 hours a day.
Do you know, if you rotate it around 1,000 bots, it's fairly... Yeah, that's a good selection. Yeah, but he made 10 million.
Over 1.2 million a year he was earning, so he's been doing this for 10 years? Yeah. He started in 2017. Wow. Actually, yeah, he's done it a lot.
I would love to know the legality of this according to the contract or whatever.
Well, if you want to talk about legality, he's facing charges of wire fraud, wire fraud conspiracy, money laundering conspiracy, which each carry a maximum sentence of 20 years in prison.
That's in the US.
But what if you're in the UK?
I mean, with a prison so full, overflow.
According to the latest news, you'd end up in Estonia.
So Estonia's crime rate is so low,
they've got empty prisons.
It's an upgrade from...
Where were they sending everyone? To sell spaces from... Rwanda? Rwanda.
I guess basically we're near sourcing our prisons
yeah
wow
that was a good story
Jeff
you should have led with the second one definitely
I will next time
Billy Big Balls
of the week
The Host Unknown Podcast
Orally delivering
the warm and fuzzy
feeling you get
when you pee yourself
Well with that
double dip
of Billy Big Balls
we're probably
up against time
a little bit
Al
and speaking of time
Andy what time is it
it is that time
of the show
where we head over
to our news sources
over at the InfoSec
PA Newswire
who have been very busy
bringing us the latest
and greatest security news
from around the globe
Industry News
South Korea police investigate Telegram over deepfake porn.
Industry News.
Irish wildlife park warns customers to cancel credit cards following breach.
Industry News.
TfL claims cyber incident is not impacting services.
Industry News.
Three plead guilty to running MFA bypass site.
Industry News.
Civil rights groups call for spyware controls.
Industry News.
Clearview AI fined 30.5 million euros by Dutch watchdog over illegal data collection.
Industry News.
Russian blamed for mass disinformation campaign ahead of US election.
Industry news.
OnlyFans hackers targeted with info stealer malware.
Industry news.
UK signs Council of Europe AI convention.
Industry News.
And that was this week's...
Industry News.
Wow.
Huge if true.
Huge if true.
Huge.
I laughed at the "TfL claims cyber incident is not impacting services."
No, they're just shit as always and no one can tell the difference.
They're always bad.
Always bad. That's cold. That's good.
I was reading, um, I think on Reddit, there were people, you know, that were talking about this, and there were people, actually, well, who claimed to have worked at TfL, saying the first they knew that something, if it was going on, was that all the Wi-Fi was switched off at, like, 10 in the morning.
Coming into the office was, like, no. People working from home were told to stay working at home.
Wow.
But, yeah.
That's a problem if you're a driver, isn't it?
Yeah.
Yeah, nightmare.
Absolute nightmare.
The old remote control of those trains.
The lag on that, if you get a low ping or a high ping,
the lag is going to kill you, literally.
That's why there's so many delays.
But, yeah, no, it was a, yeah, an interesting one.
Did I?
Yeah.
I like their word saying that there's no evidence that any customer data
has been compromised.
Because, you know, this was like the first thing they said.
Yeah.
And the fact that they didn't have any more information at the time, like they were investigating, but, you know, there's no...
That's such a great thing to say, because customer data has likely been impacted, right? You just haven't found the evidence yet, but you're just putting that out there now that, oh yeah, no, no, nothing to see here, we just thought we'd notify you there's an ongoing cyber incident, but, uh, you know, no evidence that anything's gone wrong.
It's like, well, that's weird, because, like, you know, the UK's got, uh, GDPR, which requires you to notify individuals within 72 hours if an incident has impacted their personal data. So you're just preemptively sending out a warning that, uh, you know, they're dealing with an incident, uh, to maybe tick a box that they met their requirements under, uh, who knows. I'm not... It's a cynical take, I'm just, you know... It's an interesting one.
I like how the, uh, tables have turned on, uh, OnlyFans hackers. Yeah. Targeted with an info stealer malware that, according to the story,
has been distributed via a checker tool used by hackers to validate stolen credentials.
Yeah, baby.
I wonder who wrote this.
I wonder if it's like, you know, the GCHQ or the NSA or something.
That would be hilarious.
I mean, who'd have thought?
Hackers turning on hackers.
There's just no...
Yeah, there's no honour amongst thieves anymore.
Not like in my day.
No, exactly.
You know, their mothers loved them.
They were lovely people, you know, unless you crossed them,
in which case, oh, you was in trouble.
You'd get your Friends Reunited account hacked. Yeah, that's pretty... Uh, what's this one?
Uh, so Clearview's, uh, obviously been fined again by the Dutch watchdog. Uh, so I love that, like, Clearview, this AI data collection-cum-facial recognition collection company, yeah, by another EU, um, information commissioner, uh, so 30 million euros over illegal data collection, facial recognition.
Um, and literally Clearview just turn around and say, now, we don't agree to it, we don't have to follow GDPR. That's what they've done all across Europe. Weren't they the ones that were fined by the Estonian?
They've been fined by many people.
Yeah.
And they're just saying that we're still not doing this.
We're still.
Yeah.
Fuck.
That's outrageous, isn't it?
I mean, what can you do?
Mind you, has anybody gone to the Clearview offices?
Are they like fully automated?
Not a human anywhere.
Is this the thin wedge of AI taking over the world
where they're just pushing their luck slightly?
Let's break a soft law like GDPR.
Let's break a, you know,
and then let's see how far we can push that and so on.
This is the Skynet Lite.
It is Skynet Lite, yeah.
It is.
It is.
Anything else?
I guess the big one that the UK signed Council of Europe AI Convention.
This is governing the use of AI usage.
Yeah.
Tech, human rights.
Let's see.
Let's see.
Well, when the UK finds Clearview, we'll see how useful that was, shall we?
Yeah.
Right.
Let's move on.
That was this week's...
Industry News.
Industry News. All right, Andy, take us home, please, with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
This week's Tweet of the Week comes from Dade, 0xDade on Twitter.
And he says,
A lot of y'all worrying about this YubiKey vulnerability when your employees are still logging into critical services from their home computers without MFA.
That is so true.
So true.
So what is this?
What is this?
He has.
Oh, sorry.
He has added the Kermit sipping tea.
Sipping Lipton's tea.
Sipping Lipton's tea, yeah.
That's none of my business.
So what is the YubiKey vulnerability?
I've not heard of this, or at least not this one.
So there's a vulnerability in it,
but it's very difficult to exploit.
You have to have physical access.
They basically screw around with the physical hardware.
You can tell that your YubiKey is being messed with.
The point of a YubiKey is that it's a second factor that you just press.
It's just a button you press.
There's no fingerprint or anything like that.
So if you've got physical access to the key,
you don't need to do anything fancy.
Exactly, exactly.
So the Verge actually wrote a good piece
on that and they actually said in the headline
that there's a vulnerability
but it's very difficult to exploit
yeah
so it's a high
complexity vulnerability so we've got
what four weeks to resolve it
something like that
just to be clear.
That was this week's
Tweet of the Week.
Well, we flew
through that one. That was
very easy.
I should be able to edit that
at least by Tuesday, I would have thought.
So it'll be
posted by Friday next week? Yeah, Friday next
week. Absolutely.
Absolutely.
All you need to do now, Andy,
is to pop your LinkedIn post up before this one goes live.
We'll be sorted.
Yeah.
Celebrating our 200 episodes.
I know.
In Celsius.
Something in Celsius.
In our metric system.
Right.
Okay.
Well, Andy, thank you so much for your wisdom, charisma and, um, uh, contributions this week. Stay secure, my friend. And Jav, thanks for turning up, or be... Yeah, whatever.
Stay secure. You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash smashing security.
I've got an idea.
Yeah.
I'm going to just say stay secure, my friends, and put it on Spotify as a track.
That way, any time you two steal my line,
I'm going to get royalties for it.
In 10 years, I would have made 10 million, I'm sure.
It's cute you think that.
Yeah, it is.
Yeah, you've got all of the naivety of...
I'm trying to think of something very very naive
i had something for this i know i did