The Host Unknown Podcast - Episode 206 The Sole Founder Episode
Episode Date: October 25, 2024
How does Thom also do the episode notes?
This week in infosec was about a EULA
Rant of the week: https://securityaffairs.com/170125/laws-and-regulations/sec-fined-4-companies-misleading-disclosures-im...pact-solarwinds-attack.html
Billy Big Balls: https://www.theregister.com/2024/10/24/anthropic_claude_model_can_use_computers/
Some news articles from infosecurity-magazine.com
Tweet of the week: https://x.com/thomas_violence/status/1849627627474293148
Come on! Like and bloody well subscribe!
Transcript
This will either be epic or an absolute failure.
Well, can't be worse than the absolute car wrecks we've had before, so...
Let's go.
Hello, hello, hello. Good morning, good afternoon, good evening and welcome. Welcome one and all.
Welcome dear listener to episode 206 of the Host Unknown podcast. Thank you for that intro AI Tom.
So dear listeners, it is me, the sole founder, Javad Malik of Host Unknown. And today I am doing this solo.
Well, with a bit of help from some wizardry and AI
to fill in the roles of Tom and Andy,
because for those of you who don't know,
Andy is the third one who no one really knows.
But anyway, we are doing this.
And today Tom said that it's his son's graduation, which is true because
I spoke to his son yesterday and he did tell me today is his graduation.
The thing is Tom only told us on Wednesday evening, he said, oh, I just remembered it's
my son's graduation.
It's not like a big event that you would put into your calendar beforehand.
Can you record on a Thursday morning between the hours of very specific 9.32 and
10.15 or something like that? We were like, no. And Andy has had an, what do we call it?
An incident adjacent, adjacent incident, and he's deep in legal consultations at the moment.
And he said he couldn't make it either. So
being my podcast that I started off many years ago, I thought, well, who needs those
two buffoons when I can do a perfectly adequate job of it myself. So I have got
an action-packed show for you coming up today. Today in InfoSec brings you a reminder to
always read your end-user license agreement. Rant of the Week is a
cautionary tale about what happens when you let PR do your incident response.
Billy Big Balls talks about the rise of the machines. Industry News brings you
the latest and greatest stories from around the world and tweet of the week will leave
you searching in pain.
Okay so let's move on shall we to our favourite part of the show, it's the part of the show
that we like to call...
This Week in Infosec
It is that part of the show where we take a trip down Infosec memory lane with content liberated from the TodayInInfosec Twitter account.
And our first story takes us back a mere 22 years to 2002, when the worm-like FriendGreetings propagated by emailing all Outlook contacts from each
computer where it was installed.
But there was a twist.
The software presented a EULA, End User License Agreement, stating it would do just that.
So I guess you could say they gave fair warning, right? And 22 years on,
people still don't read their EULAs, they still don't read the terms and
conditions, and they just tick through on whatever they want. So while it's been
more than two decades, nothing's really changed.
Excellent! All right, well, before we segue too far,
that was this week's This Week in Infosec.
If you work hard, research stories with diligence,
and deliver well-edited, award-winning studio quality
content for high-paying sponsors,
then you too can be usurped by three idiots who know how to think on their feet. Okay, let's quickly move on because we're all rapidly running out of energy here. It's
time for... Listen up! Rant of the Week.
It's time to motherf***ing rage!
Now, this story is about the SEC fining four companies, and these companies have been fined
for misleading disclosures about the impact of the SolarWinds attack.
So the companies' names were Unisys, Avaya, Check Point and Mimecast.
I suppose it goes to show that if you rely too much on hand-waving PR and
basically lying and downplaying the incident, then eventually you might get caught out.
According to the SEC's orders, these four companies were breached in 2020 and 2021,
and the threat actor behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently
minimized its cybersecurity incident in its public disclosures.
And this is the key here: they negligently minimized the cybersecurity incident in their
public disclosures.
And the SEC says that the order against Unisys finds the company described its risk, Avaya downplayed file access,
Check Point used vague language while describing the impact of the incident,
and Mimecast minimised the nature of stolen data.
And this I think is so dangerous.
It's such a bad precedent and it's frankly really, really annoying that companies would go to these lengths.
On one hand, we talk as an industry about there being a dire need for transparency.
There's a dire need for accountability and, honestly, trust.
I would trust a company a lot more if they had a big breach and they came and said,
look, we really messed up here, but here's what was impacted. Here's what we're going to do about it. Here's why we think it
won't happen again. And that feels a lot more honest than if a company downplays it,
and you lost terabytes of customer information, and you just end up saying, oh no, it was just a
test environment that was accessed, only a few things taken.
It's just annoying. So I'm really, really glad the SEC have gotten to the bottom of this
and penalized them quite well. You know, there's civil penalties, so Unisys has to pay the most
at $4 million, Avaya will pay $1 million, and both Check Point and Mimecast
will pay $995,000 each in civil penalties. It's a good story, but it just makes you think,
like, how many other organizations are there out there? And at a time when a lot of the
industry, we're talking about CISOs being held personally liable for breaches
and that kind of stuff.
And of course we don't want to go down too much that route, but where is the CSO in all
of this?
And what say do they have in these matters?
And these are actually issues where I would like to see them being held a bit more accountable.
I'm not saying persecuted because probably the board approves it.
Legal approves the wording and everything, but they should really have a say and say,
look, you know, this is actually incorrect and we're not going to put our names to it.
So that was a rant, and being delivered by me, I'm not going to disagree with me.
Rant of the Week.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content?
Ask your doctor if the host unknown podcast is right for you.
Always read the label, never double dose on episodes.
Side effects may include nausea, eye rolling and involuntary swearing in anger.
All right, Jav, over to you, matey.
Thank you, Tom, recorded from a few weeks ago.
The Billy Big Balls of this week is not a criminal.
So if Tom you're listening to this at some later point or Andy, you can tell Tom as you
listen to this while you walk your dog.
Anthropic has launched its latest Claude model.
And this is unlike the models you're probably used to interacting with so far.
So this one you install on your actual computer, your workstation, laptop, whatever, and then
you just tell it what you want from the pop-up or the window and it will interact with your
whole computer as if it was someone sitting at your computer.
So if you say, I'm just pulling out examples, but from what I understand and from the video
I've seen, you say, oh, I want to update my LinkedIn profile.
It will go, it will open browser.
It will go to LinkedIn.
It will go to your LinkedIn.
It will then look through your photos on your desktop and find a good headshot. It will then read
your stuff online and it will pull together a nice bio for you and it will go and update
LinkedIn for you. I saw the video example where they asked it to create a website and
generate the HTML. So it went online, generated the HTML, populated it, started a server locally, all sorts of things went on and it generated
a website in a couple of minutes really.
And I think it's amazing, but I also think it's such a Billy Big Balls move because Anthropic
actually says, you know, don't give it access to personal information or sensitive information,
maybe run it in a VM in an isolated environment,
maybe don't let it go off on its own.
I think, wow, this is literally like giving someone an untrained attack dog,
or giving a machine gun in the hands of a kid and just saying,
look, just be careful,
don't point that end towards people. It is just frightening, but it is such a ballsy move
because they know exactly what they're doing. This is like you're letting the
genie out of the bottle, and people are gonna do some strange stuff with it. I
saw someone, they configured it and it ended up launching an attack against
itself, like a DoS attack or something, and it just sort of basically bricked itself or
crashed itself. I'm sure it won't be long until people start using it to launch attacks
against others and then saying it wasn't me, guv, I was just trying to do one thing. Someone
else said that they saw an example where it actually got distracted while doing a task and started looking up some other stuff online. It's just like totally unhinged,
like inviting your crazy, crazy, mental-institute-level crazy relative over for Thanksgiving
or Christmas dinner or Eid dinner or Diwali or whatever thing you celebrate. And you know
it's going to be a disaster, but it's also
going to be entertaining, there might be some wisdom in it, and just for that I think it is
a completely Billy Big Ballsy move.
The Host Unknown Podcast, orally delivering the warm and fuzzy feeling you get when you
pee yourself.
Indeed, indeed.
And talking of time for some serious waste products, what time is it, Andy? It is our time of the show where we head over to our news sources over at the InfoSec
PA Newswire, who have been very busy bringing us the latest and greatest security news from
around the globe.
Industry News
Change Healthcare breach affects 100 million Americans.
Ukraine warns of mass phishing campaign targeting citizens' data.
Irish data protection watchdog fines LinkedIn $336 million.
macOS-focused ransomware attempts leverage LockBit brand.
Lazarus Group exploits Google Chrome flaw in new campaign.
Penn State settles for $1.25 million over cybersecurity violations.
And that was this week's Industry News.
Huge if true.
Huge, absolutely huge and I don't think I can do justice to any of these stories by
talking about them to myself.
So pop over to your favourite news site and look into them.
Alright, let's move on.
That was this week's Industry News.
You're listening to the double award-winning
Host Unknown podcast.
Ha ha ha ha ha ha ha.
All right, Andy, take us home with this week's Tweet of the Week.
And we always play that one twice.
And this week's Tweet of the Week is from thomas_violence, and retweeted to
us by friend of the show Miko.
And the tweet says: it's very cool that YouTube is the largest collection of video footage ever
assembled and it's borderline impossible to search. Rocking up to the Library of Alexandria
and the guy keeps showing you the same three scrolls and standing in your way
if you try to look at anything else.
I think that is so true.
It is just unbelievable how much knowledge there is there,
but you just get shown the same stuff time and time again.
And then it gives you the irrelevant "people also watched"
or "here's what you watched a year ago". And to think that YouTube was
bought, Andy's not here, he's our historian, maybe 20 years ago by Google, and most of you kids
probably know Google as an advertising company, but it actually started out as a cutting-edge
search engine. So look into that as you way.
Excellent, thank you Jav for this week's
Tweet of the Week.
Well, we've hit the end of the show. We've kept it, well, we've kept it quite tight
really this week, not bad. It's a little gift for everybody in a special sole
founder episode, because let's face it, you don't really have time to listen to us dawdle on like this all
the time. Andy, thank you very much. Stay secure, my friends. And Jav, thank you.
You're welcome, thank you AI and previous-clips-generated Tom and Andy. This has been an absolute pleasure.
This has been my favorite episode to date and I'm sure the people will agree.
And without any of you now to steal my lines, I'd like to say stay
secure, my friends, and see you next week.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. See you next week.
Okay. So hit stop record. And that was so much hard. God, oh no, oh my god, I had to
come up with the show notes that Andy normally comes up with. Tom normally does
all the jingles and the editing, and now I've got to flipping upload this thing.
But I never let those
two muppets know how much I rely on them, need them, love them, but shit, is
it still recording?