The Host Unknown Podcast - Episode 209 - The Javvad Is In Big Trouble Episode
Episode Date: November 18, 2024

This week in InfoSec (08:24)
With content liberated from the "today in infosec" twitter account and further afield

12th November 2012: John McAfee went into hiding because his neighbour, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.
https://x.com/todayininfosec/status/1856538748361515355

12th November 2000: Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims "the Tablet PC will represent the next major evolution in PC design and functionality." However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.
Microsoft Declares Tablets Are the Future

Rant of the Week (15:41)
Amazon MOVEit Leaker Claims to Be Ethical Hacker
A threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.
The individual, who goes by the online moniker "Nam3L3ss," claimed in a series of posts to have obtained data from 25 organisations whose data was compromised via last year's MOVEit exploit.

Billy Big Balls of the Week (24:12)
O2's AI granny knits tall tales to waste scam callers' time
Watch out, scammers. O2 has created a new weapon in the fight against fraud: an AI granny that will keep you talking until you get bored and give up.
O2, the mobile operator arm of Brit telecoms giant Virgin Media, says it has built the human-like AI to answer calls from fraudsters in real time, keeping them busy on the phone and wasting their time by pretending to be a potentially vulnerable target.
"Daisy" is claimed to be indistinguishable from a real person, fooling scammers into thinking they've found perfect prey thanks to its ability to engage in "human-like" rambling chat, the biz claims.
For several weeks in the run-up to International Fraud Awareness Week (November 17–23), the AI has already frustrated scam callers with meandering stories about her family and talked at length about her passion for knitting, according to O2.

Industry News (28:20)
Amazon MOVEit Leaker Claims to Be Ethical Hacker
Bank of England U-turns on Vulnerability Disclosure Rules
Massive Telecom Hack Exposes US Officials to Chinese Espionage
Microsoft Power Pages Misconfiguration Leads to Data Exposure
Sitting Ducks DNS Attacks Put Global Domains at Risk
O2's AI Granny Outsmarts Scam Callers with Knitting Tales
Ransomware Groups Use Cloud Services For Data Exfiltration
Bitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto Heist
Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors

Tweet of the Week (36:05)
https://x.com/J4vv4D/status/1856981250306687143

Come on! Like and bloody well subscribe!
Transcript
Laser eye surgery. Okay the amount of people that say they are thinking about laser eye surgery
but they don't actually go through with it it's quite high. Well I don't care. It's not the start of a joke
it's just everyone says they think oh I'd quite like that I'd like that. No just do it man just do it all right go to Turkey get your hair done at the same time
hello hello hello good morning good afternoon good evening from wherever
you are joining us and welcome welcome one and all welcome dear listener
welcome everybody welcome you two to episode
209. 213.
Yes indeed welcome gentlemen how are we both? Well, falling apart if you're judging by the pre-roll.
Jav, how are you? How's your week been?
It's been good. It's been a busy week.
Yes, Dale's in Amsterdam for a flying visit to...
In the dam?
The dam, yeah. So I can tell...
Like most places, it's great. You get to see the inside of the
airport, the Uber, the conference centre and the hotel. And that's pretty much it. I met
a friend of the show, Steve Furnell there. He's like a professor at University of Plymouth.
When you say he's like a present, like a professor, does that mean he's not?
I think he's a professor, or he's a lecturer, or a doctor, I don't know.
Some type of respect follows you around.
Yes, exactly.
But we were just sat there talking, and he was talking about like, you know, we were talking about travel and you know, the joys of not being at a status or being at a status and which airport is easier
to go to and security lines and everything. And after all, I said it's so nice to talk to
someone who gets it. Like, you know, friends and I mean, family who don't travel, they always think
what a glamorous lifestyle. You're in Amsterdam one day, you're in New York the next day, you're
there. But I said, when you speak to people who travel for a living,
everyone gets it.
It's quite dull most of the times.
And lonely.
Yes, very lonely.
I disagree.
I used to enjoy traveling.
Oh yeah, enjoy it, but it's dull and it's repetitive and it's
hard work. I mean not hard work that's wrong. Oh it's definitely hard. It can be hard.
It can be. I mean it's a young man's game. Eating in the lounge, having all that drink and then
getting on a plane and eating again and having all those drinks served to you. Because it's free!
Yeah, you're right it is hard because the toilets are small on a plane.
Yeah, I can get why some people would struggle.
No, the most difficult thing for me is really just with the kids. They're at that age where
their needs are such that, you know, traveling for long periods, you have to plan so much in advance and catch up when you're back. It's honestly, if I was young and single, I would just knock it off an airplane at all and I think I'd just be like, yeah, take me wherever.
I'm old and single and my responsibilities have massively diminished and so I'm looking forward to a whole bunch of travel again actually. So I just have to
wait another 42 years until I'm your age Tom to start enjoying life again.
Absolutely and and talking of scurrilous lies Andy how have you been this week?
Good it's been a busy week. Am I the only one that puts a shift in?
This is the problem with you non-workers. You're never actually
fulfilling your hours. I think that's the problem that you guys sort of act
like a lot of the Gen Z's that come in, do you know what I mean? It's like, I see the finger, see?
Doesn't take any constructive criticism, this one.
Such a snowflake, such a snowflake.
Such a snowflake.
God, in my day, you'd get this bad.
Constructive criticism, that he's just lazy.
Yes, exactly.
That's really up there in that sort of,
here's how you could be better, be less lazy.
I understand now why people like Musk
end up buying a whole platform like Twitter
just to get back at his naysayers and like, you know, how that path down that villain route begins.
I mean, it starts right here.
Jav, is this your villain origin story?
Because Andy said a rude thing. You know Magneto and Charles Xavier used to
be best friends. I'm guessing Andy is Charles Xavier in this. He is the bald one and I will
put him in a wheelchair soon if he carries on at this rate. So rather than get your hair implanted you just buy a helmet instead. Is that what your plan is?
Much cheaper, much cheaper. I've done the maths on this.
Oh dear.
We're talking to people with big domes. Thomas, how are you sir?
I'm very good. I am very good. I am now just a week away from finishing my current job and
then a week off then on to the new job. So the clock is ticking. Where is the new job?
Where is the new job? Oh have I not said that yet? I thought I did. No no Dan told Dan Raywood told
everyone. Oh yeah given that Dan's told everyone yeah that's fair enough. You can't tell him
anything in confidence, can you?
It's like, you know, dreadful, dreadful.
Friend of the show, Dan, you know, no doubt about that.
But blimey, blimey.
Yeah, I am moving to Rapid 7.
So unless something happens in the next two weeks,
I will be there.
What do they do?
Oh, you know, security stuff.
Really? Are they fast?
Are there seven of you? Are you now like the seventh member?
Or are they going to be called Rapid Eight when they go?
Yeah, exactly, Rapid Eight. But you know what it's like, you know, last in first out, so...
Oh, OK, gotcha.
Depends on how long it's going to be Rapid Eight for, I don't know.
Do they still have Metasploit?
Yes,
yes they do. They do. So and there's a bunch of people there that we know who work there.
So it's going to be good. I'm looking forward to it. I am looking forward to it. It's going
to be in Reading an awful lot. So all of our listeners in Reading, just give me a shout.
You know, I don't know why you'd want to. Is it actually Reading or is it really in Slough but they're too ashamed to say it's in Slough so they just call it Reading?
No, it's actually in Reading. You get off at Reading train station, it's about a five minute walk away.
So, you know, it's actually Reading.
Five minute walk to the bus stop to Slough.
Yeah, yeah, yeah. There's no driving to Slough. Ha ha ha. David Brent there. Oh my goodness. Spot the whatever gen you are. X. Are you a gen X?
We've done this before haven't we? We're the X-Men. Yeah. So yes, got that happening
which I'm very much looking forward to, obviously.
And talking of things to look forward to, shall we see what's coming up this week?
This week in InfoSec is about Microsoft's futurists
being a bit too futurey.
Rant of the week is time to move it, move it.
Buddy Big Balls is the revenge of super-grand.
Industry News is the latest
and greatest security news stories from around the globe and Tweet of the Week
is about the revenge of the auditor. So moving on let's get straight into our
favorite part of the show, it's the part of the show that we like to call...
This Week in Infosec
It is that part of the show where we take a trip down Infosec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And today our first story takes us back a mere 12 years to the 12th of November
2012 when John McAfee went into hiding because his neighbor Gregory Faull was
found dead from a gunshot. Police wanted him to come in for questioning but
he fled to Guatemala where he was then arrested.
He was never charged though he lost a 25 million dollar wrongful death suit.
How does that work?
So this was obviously back in November 2012.
John McAfee, obviously the famous founder of McAfee Antivirus Software, originally became
a person of interest in Belize following the murder of his
neighbor, aforementioned Gregory Faull, who was found dead from a gunshot wound on the day before
November 11th. So fearing for his safety and suspecting potential... So November 10th. No,
so this was... He went on the run on the 12th. It was the 11th he was found dead.
So yeah, he did fear for his safety and he said he suspected potential
harm from the authorities. So McAfee actually evaded police questioning by hiding, including
where he buried himself in sand with a cardboard box over his head, and Belize's prime minister went so far as to describe him as extremely paranoid and even
bonkers. But yeah, he did flee Belize. He crossed into Guatemala where he sought political asylum,
but he was actually arrested for illegal entry into Guatemala when he went there,
and he faced deportation back to Belize, but instead during his detention,
he reportedly faked heart attacks to delay the proceedings,
which allowed his legal team to file the necessary appeals.
So ultimately he was actually deported back to the US
in December 2012, but it was in 2018
that a Florida court found him liable
in a wrongful death lawsuit related to his
death and he was ordered to pay 25 million dollars to the guy's estate.
So he was never arrested, never charged but still found liable.
You know you're not paranoid if they're really out to get you.
Yeah exactly.
Yeah I just, it's mad, I mean the guy was off his tits at the best of times, right?
Yeah.
Yeah.
Even more so when he was taking drugs.
Yeah.
Yes.
But honestly, the prime minister of Belize,
or president coming on saying, oh, he's paranoid.
He's like, you know, what harm could the authorities
over here cause you?
Like, look at the track record of authorities in Belize.
Yeah. Very true.
And alas our second story takes us back a mere 24 years ago, thank you, when Bill
Gates demonstrated a functional prototype of a tablet PC and at the time
Microsoft claimed that the tablet PC
will represent the next major evolution
in PC design and functionality.
Did people believe him?
No, they did not.
The tablet PC initiative didn't actually take off.
And it wasn't until Apple introduced the iPad in 2010,
10 whole years, a decade later, that tablet computing was
widely adopted. I find it absolutely fascinating because there are some fundamental differences
between the Microsoft approach and the Apple approach, but the principles are the same, right?
Principles are something you hold in your hand and tap on with a stylus or your finger
or whatever. Compared to laptops at the time as well, this was revolutionary. Yeah, absolutely,
but it, but it, the user interface and the user experience were two very different things.
And I think, yeah, people often say Apple is late to the game on a lot of things and
they're absolutely right because like folding screens and all that sort of
stuff. Yeah. Because they won't do it until they know it's gonna be absolutely
right. Yeah, so I mean people did say that you know there's a couple of reasons
why they think that Microsoft failed with the tablet and you know first of
all they're saying that they just tried to make you know Windows and
operating system just to adapt Windows so it was designed for like keyboard and
mouse and they just stuck that on a tablet where you didn't have a keyboard
and mouse but then also the whole sort of experience of making it seem like a
pencil and paper yeah onto a computer as obviously Apple, you know the iPads, all touch screens as well
for that and then yeah the other thing that was just considered quite big and heavy even though it
was small for its day, yeah the stylus was prone to getting lost as well.
You know it's one of those things like when you look at, if you want to bring a product
to market, there's two ways. You either find out what you're good at making and convince
people to buy it, or you find out what people want and then you go and make it for them.
In tech, a lot of times it's let's make what we're good at and then give people a reason to buy it, let's market it.
And I think it's that marketing side
that Apple just overtook everyone else.
The fact that they launched the iPhone
a few years earlier, get people used to the interface,
launch it in a really clever way.
It's not just a, you know what,
it's like three things we're launching, isn't it?
It's like a portable phone and an iPhone, internet device and
your music library. It's all one device. It's an iPhone. And that was
revolutionary and that built up the hype and that actually set the market up
ready for these touchscreen devices, a usable interface and the iPad then
naturally slotted into that ecosystem
with its bigger form factor.
And I think that's the genius there that Apple had.
Because the iPad was ready before the iPhone was.
Yeah, it was.
But they swapped it round for exactly that reason.
Did not know that.
Yeah, absolutely fascinating stuff. Oh, we could talk for hours on this. Well, I could. I don't know about you two.
Anyway, thank you, Andy. That was this week's...
This Week in InfoSec.
If good security content were bottled like ketchup, this podcast would be the watery
juice which comes out when you don't shake properly.
In a niche of our own, you're listening to the award winning, Host Unknown Podcast.
Alright, time now for...
Listen up!
Rant of the Week.
It's time to motherf***ing rage!
Alright, so this wasn't this time last year was it? But it was last year sometime that
we had the move it breach. I like the move it move it. Exactly, exactly. And this was
down to, I think it was payroll vendors were the main target, weren't they?
In this instance?
It wasn't the payroll, it was anyone that used the file transfer software.
Oh, the MOVEit file transfer, but a lot of payroll vendors were sort of bought into it.
A lot of payroll vendors did do it.
Because I actually had to find out what the f**k MOVEit was, because it certainly wasn't a Dropbox or Box or anything like
that. It was a bit more niche but nonetheless.
But very enterprise heavy. It's like expensive. It's up there with, you know, you buy it with
your Oracle licenses and your Salesforce license.
So overpriced. Right. Got it.
So and therefore you'd think, you know, fairly secure, but bottom line was there was a vulnerability in it and it was taken advantage of. Lots of companies around the world were scrambling to
claim to their clients that they didn't have MOVEit or they were patched and there was nothing wrong with them, etc, etc. Now there was a lot of data exfiltrated and some of that data belonged to Amazon,
who, you know, unsurprisingly were a user of MOVEit. And there is a threat actor who has posted 2.8
million lines of Amazon employee data last week and posted this, made it available, published it, it's there to download,
anybody can find it if they want to. This individual, who goes by the online moniker of Nam3L3ss,
or Nameless in leet speak, has claimed in a series of posts to have obtained data from 25 organisations
whose data was compromised via last year's MOVEit exploit.
However, he has then gone on to the record and on a post on the dark web to say he was doing it out of the
goodness of his heart and that actually he's an ethical hacker as a result of
this. Now forgive me if I'm wrong and I very often am at least when I'm talking
with you two. Isn't an ethical hacker someone who contacts people first before showing
exploits, who doesn't release data, who doesn't do anything that can cause harm, either emotional
or physical or financial, to individuals or organizations, rather than someone who just posts 25 million lines of data, which
contains not only contact information, but sensitive details about roles, department
assignments, potentially opening doors to massive social engineering attacks and things
like that.
He says he's not a hacker.
If something requires a username and password, even a default password, I will not try and use it.
Except I did. I track all the ransom group sites and have my own tools that find AWS and other sites open buckets.
He wrote on Monday.
I download everything I can from ransom group tour sites and from open cloud services.
Once I have it, I then clean the data and remove duplicates from the source
and sometimes remove fields and columns
where the data is useless.
So basically you're rinsing the data
to make it easier for criminals to use and read and leverage.
Utterly, utterly bizarre.
Now I totally get that there are hackers out there who do these things and then
try and encourage companies to do better, but the
the rinsing of this data,
or the laundering of this data effectively, and
making it easier for criminals to use and then publishing it does not make you an ethical hacker.
Guy or this
person is utterly utterly deranged. So as we sit here on the eve of Mike Tyson
versus Jake Paul boxing match you've probably seen them training and there's
different types of training that they go through. Some of it is just like shadow
boxing, some of it is where someone's holding up pads
and they're punching the pads.
Some of it is where the people are wearing like head gear
and stuff and they're sparring with light contact.
And some of the training is also like full contact
going at it with each other.
All of these are form of training.
This is kind of like ethical hacking,
but without any of the head guard,
without anything in place. And once you get hit in the face you learn very quickly to
keep your hands up. Yeah. So you're saying this is the difference between
training and actually doing something? The mental gymnastics you're going
through to justify this one. Yeah, like, you know, Jav, normally I've got your back on this thing, right.
But, you know, like if it, if it walks like a duck and quacks like a duck,
yeah, it probably hacks like a duck as well.
So the point here is, and this is the nameless said later on, like
companies and governments are like, have a responsibility to make damn sure
they are encrypting PII data.
Do we agree on that? Yeah. Yeah. Yeah. Too many companies blame third party vendors,
yet they themselves are transferring encrypted, unencrypted data to these third parties.
So there is a responsibility of these companies to do so and sometimes... So he's doing the thing that he's accusing them of not doing?
Well he's like just holding a mirror up and showing them...
No he's not! He's not holding a mirror up.
I don't agree with the tactics.
He's not holding a mirror up, he's actually conducting illegal activities.
I do not endorse the illegal activities listeners. I do not. Not in
this section, you might do in the next one though. But I'm saying sometimes we've seen far too often
how many weeks do we go by? Every week there's some company, oh we just lost 50 million records,
we lost 10 million records. Oh but credit card records. Oh, but credit card data was protected.
Everyone's PII is out there.
And regardless of how many regulations you stick out,
what have you, maybe, I'm just saying maybe,
vigilante justice is something that will finally hurt
companies where they need to be hurt.
So he's a vigilante then?
Yeah, I won't say he's an ethical activist.
Which is an illegal activity?
And doesn't make you ethical?
It doesn't make you ethical, but it doesn't make you wrong.
So you agree with me? It's like the A-Team.
Which is a fictional series.
They were soldiers of fortune.
They were soldiers of Saturday night TV is what they were.
He even went on and said that this breach is just a tiny portion of the data they have,
with more set to be leaked over the coming days.
So they're not paying the ransom then?
Did he ask for the ransom in baguettes?
He's just going through the motions to understand how these payments work.
He's just testing the payment systems as to whether, you know,
whether companies understand how they're supposed to...
Don't you back him up! Ha ha ha. I held both of you in such mediocre regard and now that's just coming, that's just crumbling in front of me.
You wouldn't be the only one.
feeling you get when you pee yourself. Alright then Jav, let's see have you got any criminals to defend this week? I'm not
sure let's find out shall we?
Unfortunately for you I'm not defending any criminals. I am defending wasting criminals time because O2, you know, the
the phone operator part of Virgin Media has said it has built an AI, a human-like
AI, the name is Daisy, and she sounds like your grandmother, basically,
or in Tom's case, his mother.
Is this where we go back and edit that out?
Yes!
You could see the regret as soon as you said it.
Yes, yes, you could, couldn't you? Couldn't you? Absolutely.
Mum, I'm sorry for Jav, but you know, this is what you get when you work with amateurs and children.
Oh dear.
So, Daisy, it's like a grandmother It's an AI granny
that has the number has been seeded out to a lot of these forums where scammers share the the numbers and
O2 has been working with
The youtuber Jim Browning. I don't know if you've ever seen his
Scambaiter the scambaiter. Yeah
So he he he does a lot of these videos where he
records like the scam calls coming in and then sometimes he reverse hack into them.
Yeah. He'll get into their CCTV cameras. I know it's a criminal act Tom before you tell me off for
like supporting a criminal under undertaking vigilante justice but obviously in this case
you're going to say no but he's doing it for the right reason and look exactly yeah it's absolutely fine but but he's
worked with them and they've created this software that basically wastes the
criminals time so they will phone up and you know Daisy is indistinguishable from
a real person which a lot of these AI programs now are. You speak to them, they can hold a proper conversation with you.
And, you know, so for several weeks, the AI has already frustrated scam callers with meandering
stories about her family and talked at length about her passion for knitting, according
to O2.
And I think this is just probably the best use case of AI I have seen so far.
It's not about blocking scammers from calling, but it's about letting them call you
and then keeping you on the line for like hours at a time or, you know,
cumulative, like many hours. And all the time that Daisy is keeping a scammer on the phone
for that's time that they're not attacking someone else so I think is
absolutely brilliant hats off to O2 proper ballsy move and I applaud it I
got to agree and presumably as well they can scale Daisy there can be lots of
daisies out there answering these calls not just one at a time yes so you know
potentially the the number of scammer hours being wasted is quite significant
exactly exactly brilliant love it
no Andy hasn't got anything to say on this. Nice one, Jav. I think, love it.
Billy Big Balls of the Week.
In 2021 you voted us the most entertaining cyber security content
amongst our peers. In 2022 you crowned us the best
cyber security podcast in Europe. You are listening to the double award-winning Host Unknown podcast.
How'd you like them apples? And talking about wasting unwitting victims time, Andy, what time is it?
It is that time of the show where we head over to our news sources over at the Infosec
PA Newswire who have been very busy bringing us the latest and greatest security news from
around the globe.
Industry News
Amazon MOVEit leaker claims to be ethical hacker.
Bank of England U-turns on vulnerability disclosure rules.
Massive telecom hack exposes US officials to Chinese espionage.
Microsoft Power Pages misconfiguration leads to data exposure.
Industry News
Sitting Ducks DNS attacks put global domains at risk.
Industry News
O2's AI granny outsmarts scam callers with knitting tales.
Industry News
Ransomware groups use cloud services for data exfiltration.
Industry News
Bitfinex hacker jailed for five years over billion dollar crypto heist.
Industry News
Palo Alto Networks confirms new zero-day being exploited by threat actors.
Industry News
And that was this week's
Industry News
Huge, huge, huge, huge.
So do those DNS attacks also look like a duck and walk like a duck?
Absolutely, that's exactly what I'm thinking.
Yep. And sit like a duck in fact.
Sit like a duck.
So I'm just reading this story about the
Bank of England U-turns on vulnerability disclosure rules.
Yeah, what's this about?
So the UK's financial regulators have scrapped plans
to mandate that critical third party organizations
disclose new software vulnerabilities to them. The decision was
taken in response to feedback, which are designed to enhance the operational resilience of the
UK financial systems. Respondents were particularly concerned about the potential requirements
or expectations to disclose unremediated vulnerabilities into regulators in firms, say, providing systemic third party.
I think it's just like a bit too far, isn't it?
Bit of overreach.
Really?
I mean, that's the whole point of critical national
infrastructure is that you've got to be careful with it.
You've got to know what the risks are.
Yeah, but so we're, I don't know.
I get what you're saying,
that the two sides of the coin for that is,
you know, certainly when, you know,
the amount of contracts you see where clients say,
oh, you must tell us about vulnerabilities
within four hours or, and it's like,
and what are you going to do with that information?
Yeah, yeah.
But you have zero ability to impact
the way you interact with this service. Yeah, true. And when you have that information, I don't know how it's controlled. I don't know
what you're doing with it. I don't know where it sits. I don't know who else has access to it.
Yeah, I kind of see that. But conversely, knowing how seriously your vendor or your vendor is
actually taking this stuff
and are they on their game, on top of their game,
rather than just hiding behind some ISO certificate somewhere
or some SOC 2 report that's, obviously,
they've just panicked the month before
and fixed everything just in time for the SOC report.
It's knowing that they are constantly probing, testing,
discovering and addressing vulnerabilities
is also a good thing.
Yeah, maybe if they've got something like Rapid 7,
that would prove that they are doing ongoing assurance.
Am I right, Tom?
Indeed, indeed.
And also it'd be good to know
if they've got a good quality training program in place, right?
That's right. You know, like for instance KnowBe4.
Good shout, good shout.
See, we do get along sometimes. And you know if you guys ever get kidnapped, right, you can...
Give me a shout, right? Yeah.
Sorry, not directly, go through your insurers.
Because Andy wants to get popcorn out.
I can see Andy already like, if we get kidnapped, his burner phone's getting snapped.
That's the only number we have.
He's like, that's it, SIM card snapped, that's it.
Who are you?
New phone, who dis?
New phone, who dis?
We are flaming dragon.
We have got your friends Thomas Langford.
I watched that film again the other day or about three weeks ago. So good.
It is so funny. So good.
What else have we got?
Ransomware groups use cloud services for data exfiltration.
That's like saying cars use motorways to travel between cities.
Exactly.
Honestly, this is like a report from the Department of the Bleeding Obvious, sponsored by, according
to SentinelOne.
Well there you go.
Oh, there we go.
I didn't even read that.
But this is just like, because cloud services are whitelisted.
You don't have to go through anything like, you know, I mean,
if you try to, like, exfiltrate using MOVEit, for example, that's probably going to be blocked,
or raise these flags. But if you're just using an AWS bucket or something, then, you know, yeah,
not gonna set off any alarm bells.
Yeah, you got proper CASBs set up. Yeah.
Yeah, yeah what Andy said
I'm just looking at this massive telecom hack exposing US officials to Chinese espionage.
When are US officials not the target of Chinese espionage?
Well, it's constant, it's permanent, isn't it? Yeah.
I mean, these are the guys that want to ban TikTok, right? Yeah. Have at them.
Yeah. Is this actually? All the guys who were actually running all of their political campaigns on TikTok. Yes.
Or is this actually just massive telecom hack exposes US officials to Chinese espionage
because the telecoms received a letter from TikTok saying, you can't block us anymore,
therefore TikTok is allowed through and therefore
US officials are now subject to Chinese espionage in the form of TikTok.
And you know what had they been regulated by the Bank of England under their proposed laws?
They would have had to have told the officials that they were vulnerable
See, they just don't know what they're doing over there. They don't. All makes sense.
Right let's move on shall we.
That was this week's.
Industry News.
If you work hard, research stories with diligence and deliver well edited, award winning studio
quality content for high paying sponsors.
Then you too, can be usurped by three idiots who know how to think on their feet.
You're listening to the award winning host unknown podcast.
Since we were talking of the A-Team just a little bit earlier.
Right Andy, why don't you take us home with this week's Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week.
I don't know who it comes from because that information was not captured when this was
inserted into the document.
But it is someone who was at some NextIT security event in Amsterdam and they have said, or
she, he or she, I don't know, they said:
early contender for quote of the day comes from Jerome Prince on a panel and he says,
"Compliance is the perfect level of security if your only threat is the auditor."
Very good saying
Nice
That's from Jeroen Prins.
Yes. All credit to Jeroen Prins for bringing this to the masses.
I think he's the CISO at the Dutch NCSE or something.
Right.
So yeah, he was very good on that panel.
It was a good panel.
Oh, were you there?
Yeah, yeah, yeah. I was there at that event yesterday.
I think you heard about this.
I did recall the tag that Jav used for this particular, the hashtag that Jav used for this particular conference, which was nextitsecurity, which is an interesting way of putting it, Jav.
That's what the official hashtag was, so I just used it.
Maybe I didn't capitalize where I needed to, but you know.
Almost like you did it on purpose.
Tags aren't case sensitive.
No, no, no.
Just ask Susan Boyle, right?
I'm not familiar with that.
You know Susan Boyle the singer?
Her marketing team released an album.
It was hashtag Susan Album Party.
But everybody read it as Susan Anal Bum Party.
Susan Anal Bum Party.
Dear me, you guys, you're just not in the zeitgeist, are you?
That took me back. I had to think about
what we're talking like. Yeah.
That was only a couple of years ago.
Don't make me start, Tom. Yesterday,
I was in the airport on the way back and
I was walking down, there's like the gates
D1, D2, D3
and I get to D12 and I take a picture
of it and I send it to these two muppets
saying you oh,
you know, quoting a line from D12 like, you know, how come we don't even talk no more
about that one? And Andy replies with another lyric from one of their other songs like Purple
Pills or something. And Tom's like, what are you two talking about? I have no idea what
you're talking about.
Yeah, exactly. What is it, your favourite
dating skippal or something? As soon as I saw the D12 I knew that like you were just,
you're only hitting half the audience with that one.
What is it? Langford 311 knows nothing. It's just like...
It wasn't, just because my childhood wasn't all about these, you know, rough hip hop rap chappies and wrestling.
Wrestling.
Anyway, I did also share the real wrestling with you yesterday as well, didn't I?
With Big Daddy and Giant Haystacks.
I remember that. Remember watching those with Dickie Davis on was it World of Sport or something?
Saturday afternoon. Yeah. Now that's wrestling. When you were saying just the other day I just
picked up Susan Boyle, August 2008. That was helping with the third series of...
A couple years ago?
How many years ago was that?
A couple years ago, it's fine.
A mere 16 years.
What, was that when the hashtag came out?
Because I'm pretty sure hashtags didn't exist then.
The hashtag would have been, uh, her first album was launched, I think, I see, 2011?
2012. Is it 2012? I'm guessing. 2009 actually. What? Yeah, her debut album, I Dreamed a Dream, 2009.
I'm sure hashtags didn't exist then. Of course they did, Twitter was out in like 2007. Yeah, but it wasn't popular.
Yeah, it was you
That's when I met Andy on
Twitter officer say so Jester
Well, I thought so. Back in the day Jav used to be one of these anonymous people as well that wouldn't, like, you know,
give out his real name or anything.
But then where he goes, the one who no one still knows who he is. Yeah, you didn't, you
didn't have like a proper icon or anything, it was like, you know, same
anonymous. I was like, okay, I met someone that, like, thinks the same way as I do.
is like yeah little did you realize how easy it was to dox. Oh yeah, all he had to do was get a cease and desist letter from the people that claimed the copyright for the word Infosec or something.
He melted like a... he was so flustered he couldn't think of an alternate handle so he just said his real name.
No, I replaced the A's with Fours.
Exactly, replaced the A's with Fours so no one would know. The Roti 13 of encryption.
The Roti 13? You've been racist. So you know what's on my mind for dinner don't you?
Yes please Moe, chicken dhansak and a roti please.
It did for me what glasses do for Clark Kent, it just made it completely anonymous.
Oh man, we're going to have to move on now.
Gentlemen, thank you very, very much for your contributions today.
It's always a pleasure, always a pleasure, except when it isn't, but today it was not
one of those days, so always a pleasure.
Thank you so much, Jav.
Thank you for your time today.
Yeah, thank you and best love in regards
to the Duchess of Ladywell.
You mean apologies?
Yes, that's what I meant.
Okay, yeah, yeah, yeah.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast. If you enjoyed what you heard, stay secure.
Cool, I actually remembered, you know, I said I was just being busy this week. I actually
went to the US Embassy this week, had an event there.
Oh yeah, you did, didn't you?
Yeah, it was actually, it was pretty cool, I'd never been there before.
And they let you in and out?
Yeah, I know, right? They realised I was of zero value to them once I got there.
I actually did an event there, like, many years ago. Same, yeah.
I went in and out and, like, you know, they asked me, do you have any guns or
anything, and they let me in. And they gave you some. You just opened your coat and you said, just these.
Matrix style, like with your big duffle bag going through the detector. Yeah it's an impressive building until you get up to the sort of small public spaces
which you're allowed in and it just looks like an office block inside.
Oh absolutely and then did you go to the cafe and stuff for food?
No.
Okay, we had food up there as well.
They couldn't afford it after they paid my fee to speak. Oh, okay.
So the lifts were broken when we were leaving, so there was a delay for people getting out,
and obviously with lots of other paranoid security people, I started the rumour that
they hadn't quite finished cloning everyone's phones that they had confiscated.
And you could see people definitely getting worried about that one.
Wow.