The Host Unknown Podcast - Episode 21 - Wireless Access Protocol
Episode Date: August 28, 2020
Marital advice, PETA safe hobbies, Aimee Laycock and Cardi B's WAP. We are nothing if not varied.
The Little People (Part 1)
Aimee Laycock talks about Research
Tweet of the Week
https://www.wired.com/stor...y/how-four-brothers-allegedly-fleeced-19-million-amazon/
Billy Big Balls
https://www.zdnet.com/article/russian-arrested-for-trying-to-recruit-an-insider-and-hack-a-nevada-company/
Industry News
https://www.infosecurity-magazine.com/news/palo-alto-crypsis/
https://www.infosecurity-magazine.com/news/tls-vpn-flaws-tester/
https://www.infosecurity-magazine.com/news/bt-security-vendor-partners/
Rant of the Week
https://www.linkedin.com/posts/brianbrackenborough_im-more-sympathetic-than-ive-ever-been-activity-6704317848841420801-lYr-/
The Little People (Part 2)
Aimee Laycock is still talking about Research. Come on! Like and bloody well subscribe!
Transcript
way to kill the vibe Tom
way to kill the vibe
come on
you know just hit the jingle I think
save us all
put us all out of our misery
let's spread this misery
spread this misery
to exactly another
106 people
you're listening to the Host Unknown Podcast.
Hello, hello, hello. Welcome to episode 21, I think it is, of the Host Unknown Podcast.
Hello, gentlemen. Hello, Jav. How are you? Holy moly, 21.
Wow.
I know.
If we were a podcast in America, we'd be legally allowed to drink.
Well, the podcast would be.
Yeah.
Stretching that analogy to breaking point, I think.
Yeah.
But yes, welcome.
Thank you for actually rocking up at 29 minutes past the hour to kick us off.
Glad you could join us today, Jav.
Yeah, exactly. Did you set your alarm for an hour earlier or something?
No, no, no. I just didn't sleep last night.
So it's technically still Thursday for you.
It is.
He's going to sleep after this podcast. He just needed some material to help him nod off, right?
Yeah, that's right.
And Andy, how the devil are you?
Not too bad.
Can't complain this week.
Got a new family member.
Oh, really?
Yeah.
Congratulations.
Was it your birthday nine months ago?
It was.
Not quite nine months ago, no.
But no, we've uh a nice little dog called
rusty who is the uh the most well-behaved dog i have ever met in my life carefully trained though
obviously very carefully trained yeah but um absolutely fantastic even uh toilets on demand
what yeah so this is um that could be handy it is so i'll put this in context
is um uh so my daughter's partially sighted and this is a guide dog um and i mean i just never
thought about this stuff before so it's like a process we're about to go through to uh you know
to assess suitability and you know learn how to look after them that kind of stuff um but obviously
you know you probably never think about it but you know if blind people are out walking with their dog and the dog needs to use
a toilet how does a blind person know that it's done some business it needs cleaning up
so yeah what you're thinking of another problem as well how do they find where that where it is
to clean it up exactly well there's that as well, which is why, you know,
you learn the schedules and then you literally say two magic words
when they're out and the spot where they're trained to go.
Well, you see, yeah, this is that thing where I'm kind of thinking,
do I tell people because otherwise, you know,
they'll come in and just sort of say it or whatever
and the dog will get confused and, like, you know.
So, um, I will leave it, uh, I will not say it for now. So, so is
this the is this the same two words that they teach every dog or is it a unique password for
every dog? Password? And does it, does, is it more than eight characters long?
It's interchangeable.
Yeah, password reuse.
This is the problem with the guide dog industry.
Can you reset it when everybody finds out?
Exactly.
So, yeah, no, it's, yeah, it's just amazing,
just like the intelligence of these beasts.
And, you know, even when walking him, he needs to be held on a short leash,
which is, you know, to me, counterintuitive to, like, growing up with dogs
where you give them the freedom.
But he's used to being held close by,
and he'll always be on your left-hand side as well.
He doesn't like being in any other position.
It's just fascinating.
Absolutely.
You know, it's a double bonus.
One great pupper, but also a very educational journey for myself.
So can you basically let him off the leash and let him go wild around a field for a little while?
Yes, you can.
And then he trots back and sits by your left-hand side?
Yeah, in fact, I can either call him or blow on a whistle three toots and he will return.
Wow.
Yeah.
Awesome.
Awesome.
Your daughter must be loving it.
Oh, absolutely.
Yeah.
She's not slept for,
she's been like Jav downloading TikTok for the first time.
Oh, that's brilliant. That's brilliant. Yeah all that's the fun part of the week i guess
yeah yeah and the other side the work part i saw you you you said you were going to send out the
show notes first thing this morning which you did which did but that was at two o'clock this morning
after you finished work so yeah a bit of a crazy week still. Yeah, it's auditors, man. And I'll tell you where this one's gone horribly wrong,
not that anyone cares.
So the contract for this was signed very late,
and there's been long negotiations going on with the client.
And we've been through a lot of stuff already,
mostly around security.
And then we had to go through this audit prior to some work being approved.
And it turns out this isn't even a security audit.
This is a business integrity and, uh, process audit, which, um, you know...
So more SAS 70 than ISO 27?
Exactly that. So it's ISA 3402 without actually calling
it that yeah so it's uh you know when i'm when we actually got the list of controls and i was on
the hook for it i'm you know i'm looking down it i'm like this is not my bag you know there's none
of this is uh anything i'm comfortable with uh being on the hook for so uh it's taking time
we're working through it but uh yeah it's taking time.
Yeah. Jav, how many, uh, TikTok videos have you watched this week? I'm not even going to ask about work, given that you, uh, you've just discovered TikTok, so it's all TikTok, right?
so actually i took a few days off work this week and uh took the family just to watch tiktok
set the family up on holiday i'm gonna need to study this
settled yourself into the armchair and
plugged in your TV into your phone.
Oh, ye of little faith. No, we went up to the Peak District
for a few days it was very nice it was very nice um there's uh there's there's some really nice
picturesque places up there you can go for nice lovely, which we done one day. Saw some reservoirs, some dams built in the early 1900s and everything.
It was great.
And the next day it was just pouring down with rain.
So we couldn't do anything.
So what's the phone coverage like up there?
Can you get 4G for your TikToks?
In the Peak District where we went, no.
There was absolutely...
So when you're out walking or
driving around on those country lanes it was absolutely zero coverage so um uh i it was one
of those feelings like if we break down here or if someone falls uh breaks a leg you know
you can't even call anyone yeah um yeah how am i gonna be able to watch tiktok while i wait for the ambulance i know
i know you you know and you and you see one of those trails and you see the wife walking
close to the edge and you think you know just one one little trick one little trick that's all
you just look over your shoulder to see who's around, right?
Exactly.
Well, this, this took a turn.
Okay, okay, so, so in the, in this week's episode of marriage counseling, we've...
Right, can we just say
if an accident does occur this is this is not premeditated anything right this is just purely
this is inadmissible.
Yes, just... Yes. Pure banter.
This confession has been taken under duress.
No, no, no.
This is just pure banter.
I would never do anything like that.
I've seen strangers on a train,
and I know about the whole crisscross method.
So, you know, you have a...
Is a crisscross a magician?
No.
Who?
I don't know.
I thought they were the group that sang Make You Jump.
What?
I don't know what I did.
Like a 90s rap group.
I'm talking about Criss Cross.
Like, you have an alibi, but it doesn't matter.
Forget it.
Is this the equivalent of Jav trying to explain the offside rule?
He gets halfway through it and says, oh, it doesn't matter.
You know it when you see it.
Oh, dear.
Or actually, it's more like me trying to explain the offside rule,
but there you go.
How was your week, Tom?
How's your coffee machine treating you?
Oh, beautifully.
It's wonderful.
Wonderful.
I was able to, you know, make a coffee, go sit down,
but I also then prepared it for the
next coffee and set it so that it would deliver it in exactly 45 minutes.
All right, you don't have, you don't have your, uh, Hoover, um, you know, your little floor sweeper to, uh, pick it up and bring it to you?
Oh, that would be the next one, that would be the next one. Actually, when you said Hoover, I thought you were going to talk about my washing machine. I found out that's connected as well.
Really?
I didn't realize when I bought it, but yeah, I can, I can remotely set, um, kick off, uh, washes and stuff like that.
So you just use the washing machine as a, um, washing basket instead, right?
Yeah, yeah, do you...
Hey, that's not a bad idea, actually.
Oh, dear. So, yeah, you can set it up and whatever program you want
and how dry you want the clothes at the end and all that sort of stuff.
And then say, oh, it can go off at 2 o'clock in the morning
so it's ready first thing or whatever.
So I was really impressed.
What's the password to connect to it?
My usual.
Is it changeable?
That's the question.
Yeah, that's right.
Yeah, it's currently set to whites.
And then it's going to go to mixed cottons is the next one.
Of course, with it being Tom, it would be whites, wouldn't it?
It would, it would, yeah.
Oh, you had to go there.
I'm just messing with you. I just felt like, you know, I had to.
Oh, I like to start the day with a dig somewhere, just, you know.
Yeah, let me work it out.
I'll be honest with you, when I started with whites, I thought, oh shit, I best not say... yourself...
Yeah, that's right, that's right. I'm going to start talking about my darks washing.
Oh, God.
I'm never going to dig myself out of that one,
hence the mixed cottons and synthetics.
Yeah.
I thought you were going to talk about your password for a second there.
Then I realised you'd left out the P-0-W-E-R.
P-0-W-E-R?
Power?
What?
Oh!
Oh, I see.
Ouch!
Oh, dear.
We really are on the cutting edge of political correctness podcasting here.
I think we really need to move on.
Yeah, definitely.
Abandoned thread.
Yeah, exactly. Exactly this this thread's going down
and let's, let's, uh, move on before Apple, uh, ban us or something. So, um, let's see what the show notes tell us we've got coming up this week.
Oh, the usual features. Coming up today we have a Tweet of the Week, uh, Billy Big Balls, Rant. Will we have a Little People today?
Jav, will we have a Little People today?
It's like football.
It's a game of two halves.
Let's find out later in the show.
It's a game of two halves.
Oh, interesting.
Interesting.
I'm feigning surprise,
but given I've got the show notes here,
I know exactly where this is going.
So,
I tell you what,
in that case, since it's a game of two halves,
in this first half, should we start with the little people?
Shall we?
Yes, the answer is yes.
Right, okay, thank you. I thought it was a rhetorical
question.
Yes, so did I.
Come on.
If we say no, would you stop that segment, Tom?
Well, no, then I, then I'd, then I'd feel pretty, um, pretty good about myself for ignoring you.
So anyway, I think it's time now for the Little People.
So I know last week you guys were talking about the culture report.
Yes.
And, uh, how great it was and how, how well researched it was and how there's a proper methodology to it. So I reached out to one of the authors, um, and long, long-term culture...
Uh, well, the driver behind the company, who we all know is not Kai.
The one who actually does the work.
The one who actually does the work. It's Aimee.
Yeah, friend of the show.
And friend of the show, Aimee Laycock, friend of the show.
so i reached out to her and i said, well, you know, this is a fantastic
report, the culture report. And much like the Verizon report, it's really well researched,
clear methodology, assumptions listed and everything. So I said, well, what are your
thoughts about other reports that the industry publishes, which they call research? And I'm
making air quotes as I say the word research.
So let's see what she had to say about that.
Because you all love a good statistic, right?
Oh, no, I love this industry.
I think it's one of my favorite things about this industry
is just how research hungry we are.
You know, obviously, information is what drives a lot of our conversations
and it's what
informs our decisions it helps make the right call so we want to make sure that we've got the
most accurate reliable up-to-date information at our disposal and um and i love our community for
that we're just so um bunch of really you know curious individuals um but yeah so when i guess
i guess like the thing that annoys me that you
asked me what grinds my gears and the thing that gets me is it's just that word research i've
become quite i think we can become quite protected of that word um and you know it has something to
do with the fact that we're working on security culture now for what four or five years um and
you know what i'm talking about right because you you know you've done an
analysis and stuff before and anyone who's done like a phd or whatever will understand what i'm
talking about when you spend so long on something and you um you work really hard to make sure that
you follow all the best practices and the scientific methodology behind things and you're
you know constantly re-evaluating and revising
your work um to ensure that it is accurate that it is reliable that it is valid that you know if
it's a social scientific study for example that you know you've eliminated or at least reduced
the absolute best of anyone's ability any kind of biases from sampling bias to, you know,
social desirable responding and all that sort of thing.
And then you have somebody that like put something out that says like 78% of security professionals
say that X is their biggest concern in cybersecurity.
Wow. And it becomes this huge report. And you're like, well, hang on a second.
The Little People.
So fascinating, for a true, very long. I think we have to cut it in half there, right?
Yes, we do. So we will find out the thrilling conclusion to Aimee's Little People rant later in the show.
indeed indeed you did tell her it was supposed to be 60 seconds, right?
I did, yeah.
I'm just checking.
I'm just checking, looking at the entirety of the length.
I mean, we're going to have to break this down
into like four or five podcasts pretty much.
That's all right.
That's my work sorted out for the next four weeks.
Aimee, well done.
No, it's very true.
I think good points, well made, to be honest with you.
Like for part two.
Yes, like for part two.
Yeah.
Please don't switch off the podcast yet.
We really need to get through part two.
So, excellent.
Nice one, Jav.
Thanks for lining that one up.
It's always good to have these views on the stuff that we read all the time because I think it's very true.
We get so many clickbait articles about, you know,
78% of CISOs say X, you know, and all that sort of stuff.
And as she said, you've got to question where that comes from.
Can I just ask, didn't you guys do a poll on Twitter and LinkedIn
and use the basis of those answers for an RSA talk?
We absolutely did.
We absolutely called it out for what it was as well.
Yeah, yeah, we did.
We did.
And in fairness, you're absolutely right, Andy,
but in fairness, we did say this is who we asked,
how we asked it, and the limitations of said process.
You gave it some legitimacy.
We caveated it to the arson back, basically,
to say this is what is the case, but maybe not, we could be wrong, but we're probably right, but we're not, but who knows.
So, you know, so basically more detailed than most vendors, right?
Well, exactly.
And the perfect RSA talk.
Yeah, well, also, in, in fairness to us, we were more like facilitating a discussion.
So these were used as discussion points, and they were meant to be provocative to get people to air their own opinions and discuss it in their own thought.
If someone else does it, it's clickbait.
But if you do it, it's provocative to do a discussion, right?
Just help me understand this
Yes, absolutely. I think you hit the nail on the head there, Andy. It is, it is, um, it's like I, I play, um, every now and then I'll play a Modern Warfare online and my daughter's really good at it. So we take turns sometimes.
And I'm the one always raging and swearing at it,
and I'm always like, oh, you camper, you camper,
just sitting there in a corner with a sniper rifle.
And when I do it, she's like, aren't you camping?
I said, no, I'm being strategic.
That sounds about right.
Oh, dear.
That reminds me of the old multiplayer deathmatch games.
I remember that. Yeah, Half-Life and the Quake.
Well, Doom, Quake.
I think every network, every company network around that time had Quake.
Suffered.
Yeah.
Guaranteed there were crack copies on the network that everyone was playing
out of hours. And I, I think the, the state of a network depended on whether you had a Doom 1.0 or 1.1, because there was a patch that actually stopped packet storms, um, you know, given that every single movement and bullet fired was a network event on something run on coax. Do you know what I mean?
It's like, you know, you know, you talk about that, those, stuff being installed on the corporate network, and I was at a bank, and, um, like most banks, they, they used a RACF mainframe for the, all the back end crunching and what have you.
and there was like
this internal audit done and they found this weird like data set there and no one could
find it it wasn't on the on the on the tree that i can't remember what it was it was like
they had this like diagram that that explained how all the resources were laid out and everything
yeah and there's this weird data set there and it had uh and uh the owner was one of
the guys in our team and uh so so they went to him and said like you own this data set and it's like
yeah and uh he he legit said oh that's our fantasy football league it's it's where we store all the
data and, because it's, like, auditable and people can't change their stuff afterwards.
Nice.
It's proper secure there. And, and he said, um, yeah, I did actually raise a request for this and it was approved by the head of IT, who was actually part of the fantasy...
Fantastic.
And, and the auditor said what, Andy? Well, that's compliant, right? Yeah?
Yeah. No, it said, where's the ticket?
Jesus.
Line these things up for you and you miss them completely.
Yeah, I'm not even going to go into that and explain that I'm in audit hell at the moment.
I just want my life back.
Well, you can if you raise a ticket.
Just think of what great material is going to come out at the end of this audit
that you can give me and Tom and we can use it in talks in the future.
Yeah, absolutely.
The stuff you can't talk about, Andy, we will happily tell the world about.
Of course.
Just, yeah, blow out those names.
Exactly.
I mean, it works for sharks and toothbrushes.
Why can't it work for this?
Yeah.
I'll add it to my audit box talk.
Yeah.
Oh, dear.
Although I still claim I talked about an audit box before I met Andy.
You did.
And I think that is actually what drove me to speak to you
because this was
I was the other side of that table
I was like hey
these auditors do know what they're doing
yeah
and Andy's sitting there in the talk
like listening to you
and him and Mike are turning to each other
going red in the face
and it's like
all of a sudden you hear the beat drop
run
and then they get
up and like, we've been made, they're on to us, let's roll.
For those, for those listeners that might not know, an audit box is the thing you have, literally a box, normally a cardboard box or any other boxes will suffice, of materials for when you are audited. They are not reflective of your actual operating environment. They are reflective of what is required to pass an audit. Such tricks such as putting a coffee mug stain on a document or something like that to make it look like it's being used are not uncommon. Ask Andy.
So think of it like this.
When you set up an online profile,
you always showcase your good side.
You'll take a photo in the right lighting.
You'll take it in that corner of the room
that is not messy like the rest of the room.
You'll make out like you've got a good job
and you'll be creative with your words and everything.
And that's pretty much what an audit box is like.
You'll tighten your belly girdle to the highest settings, apparently.
Then you open up Photoshop, make some adjustments,
you know, all the usual stuff.
PDF it, put it back in.
So it can't be undone.
Time stomp, change properties of the document
in case you need to email it
yep exactly exactly so yes yeah very good very good right time to move on i reckon
uh i think we're going to move on to this week's tweet of the week
And this one is one that I've got. And it's a story that I enjoy.
So I don't have Mo's original tweet.
So basically this guy, he will tweet stuff out
and then he'll just send us the link to the tweet
rather than the actual link in the article via WhatsApp.
I'm sure this is some sort of traffic drive,
much like you do, Jav, with newsletters and things like that, where you send us a hidden link
or like a bit.ly link in WhatsApp.
So who sent this?
So this is a friend of mine called Mo Raja.
Oh, right.
And I can't find his original tweet, but the actual link,
because I still had this open.
I enjoy this type of stuff.
So I love fraudulent, um, activity, or like the intelligence behind fraudulent activity. You know, I'm not a, uh, a purveyor of fraudulent activity, but I do admire, uh, people who find ways to game the system, as it were. And this story is about how four brothers, and I'll say allegedly, fleeced $19 million from Amazon.
So if you bear in mind, you know, the world's richest man, Mr. Bezos, who makes, I can't remember what number I heard the other day,
but, you know, he makes in an hour more than most people would earn in a year or two. What is that? What is that I heard? If you earned $10,000 a day since human beings moved into Europe
from the Africas, you still wouldn't have as much money
as Jeff Bezos has today.
That's just obscene.
I can't even imagine that type of money.
It would kill me, absolutely kill me.
You'd be dead in a week.
Exactly. I'd be found, uh, floating on a yacht, um, somewhere in the middle of, uh...
Well, that's impressive. I would be that bloated, floating in the pool in the yacht, yeah.
With, uh, yeah, I won't even go, I won't even finish that, uh, analogy to put the picture in people's minds.
However, so over the course of two years, there were four brothers.
So this has gone on for like two years.
So it's quite a long haul game.
They swindled Amazon out of at least $19 million that they're aware of.
And so the Department of Justice is sort of, you know, prosecuting these four brothers at the moment. And how they have done this trick is using their wholesale business and something that's called over-shipping. So Amazon leaves it up to you to create a unique identifier for every product, which they call an Amazon Standard Identification Number.
And then, you know, that's what goes in Amazon's listing in the catalog.
And then, you know, Amazon will order stuff,
and then you ship them this stuff with the ASIN,
and then invoice Amazon for what they've got.
And obviously, everything's just scanned.
They say, yes, we received this, we received that.
However, the people who sell the products can actually, the vendors can change this number, um, because they need to make sure that, you know, all the product descriptions are okay. So, you know, it's within their power to change these numbers when they ship stuff. So what these guys were doing is, uh, you know, Amazon sort of ordered, um, large quantities of, say, disinfectant spray for $94, um, and so, you know, they order, like, 12 canisters, $94. And so these guys ship 7,000 toothbrushes with the ASIN for the disinfectant spray, and so they then bill Amazon for 7,000, uh, boxes of, uh, you know, what they believe is disinfectant spray, which is over half a million dollars' worth of toothbrushes.
And there's all these things like that where Amazon order one bottle
of designer perfume for like $300,
and these guys send 927 plastic beard trimmers
and bill them at $289.79 each.
And so it's just crazy that for two years,
this managed to go on and there is no way Amazon actually reconciled.
And I get it because, you know, it's easy for us to say,
but if you think of the volume to Amazon shipping globally,
you know, there's always going to be a margin of error.
They probably account for like a 2% write-off for everything.
It's probably 0.02% given the figures involved.
Well, yeah.
It's probably tiny, but big, big bucks.
Yeah, and obviously they're not detecting it.
So basically these brothers, for two years, had been shipping just random items with the ASINs of, you know, more expensive goods, and then invoicing Amazon for them. And then obviously, you know, electronically Amazon says, yes, we received these goods, we received, you know, 900 units of this good with this barcode, therefore, you know, pay them the half a million dollars.
It's, yeah, it tallies up. They don't, they don't sort of rationalize the value compared to the product. All they pay is based on the product and the ASIN, as it were.
Yeah, absolutely.
And I guess one of the things that really screwed these guys
was their WhatsApp group chat was retained and captured.
Oh, really?
Yeah.
I have a vested interest in this conversation now.
And I know we often talk about
purging, you know,
switching platforms and all that kind of stuff.
Yeah, so these guys...
We've got to wait for Jav to have another crisis
first. Yes, true that, yeah.
SKFU.
So, yeah, one of the guys, um, you know, actually point blank in the group said, um, you know, I'm in the mood to fuck Amazon today, right before making a big, uh, you know, a big order, um, of, uh, a big shipment of, uh, non-relevant items.
Wow.
So, yeah, they've kind of been done for the whole shebang, not just, uh, for conspiracy to commit fraud, um, you know, counterfeit goods, but for poor taste on WhatsApp as well.
And for poor taste on WhatsApp, yeah. But the most heinous of crimes.
Yeah, and, and, but to me this is just fantastic, because it's, um, it's such a great scam
that they got away with for so long.
I mean, you're always going to get caught.
Yeah, always.
It doesn't last forever.
No, you've got to do it one-off or claim it's a genuine accident,
but the sustained ongoing.
It goes to show that every large company really needs a Frank Abagnale on the payroll
to look at ways that you can screw things over.
I remember having a chat years ago with companies to work for
with the two finance admins, and they explained in great detail
how they could have siphoned off huge amounts of
money from the company and it never being found out and all the reasons why, because they,
you know, they're virtually checking each other's work. Now I need to say,
as far as I'm aware, neither of them, they're honest as the day is long, you know, there was,
but it was an interesting thought exercise because they had, they were literally coming up with ideas and then testing those ideas,
and then if it didn't work, they'd go back a step and try a different way
until they had this pure sequence of events that meant we could shave off
a couple of million bucks and nobody will notice.
Nice.
Essentially tabletop exercises, right?
Yeah, yeah, yeah, yeah.
Yeah, exactly.
Exactly. But, you know, useful for spotting these things as well.
Yeah. Do you remember the kind of like the reverse of this in the 90s when e-commerce was beginning to take off?
And a lot of the shopping carts had the vulnerability in it where you could put things into your shopping cart on a website and say it adds up to £100 or something,
and you could go in, you could view the source code,
and you can change it and force a page to reload,
and it would accept your inputted value.
So you could change it to be worth £10 or even minus £100,
so it would show up as a refund.
So when you go to checkout, that's all you'd get charged.
Oh, wow.
That was a common sort of shopping cart vulnerability
before everything got standardized.
But you're right.
And if you can't get a Frank Abagnale,
then get a Kevin Mitnick with Kevin Mitnick Security Awareness Training
in your organization today provided by KnowBe4.
And that was this week's Tweet of the Week.
Tweet of the Week. Tweet of the Week.
We didn't cut him off quick enough, Andy.
No, no.
Fixed it in post.
Yeah, fixed it in post, that's it.
No, the Amazon story reminds me of something I read the other day
about something called inventory commingling.
And it was about the fact that Amazon is suffering
from more and more counterfeit goods being supplied on their site.
And the reason for it is whilst Amazon have their own stock of stuff,
their own inventory of stuff,
they also allow third-party sellers to ship their products
to Amazon warehouses so that Amazon fulfills.
So you'll see that.
Yeah, fulfilled by Amazon.
Not by such and such, fulfilled by Amazon.
FBA.
Yeah.
The problem with this, though, is that Amazon do not distinguish
between their inventory and a supplier's inventory.
So let's say toothpaste, for instance.
Amazon might have a box of a thousand tubes of
toothpaste. If a third party says, I want you to sell my toothpaste on here as well, it's brand
XX, it's the same brand as you're selling, but I want you to sell it. They supply a counterfeit
product. What happens is their hundred tubes of toothpaste arrive at the warehouse
and they are quite literally emptied into the box of normal, proper goods.
And so you cannot tell the difference between the Amazon real goods
and the third party's counterfeit goods. So that means that out of a box of 1,100,
when that seller sells a thing, a toothpaste, there's a very good chance they're going to be
shipping a proper product. And on the rare occasion that a counterfeit product is shipped, then they just
take the hit and refund, et cetera. But then Amazon will sell, as a result, counterfeit products
unknowingly. Andy, do you have any idea what Tom just said? I do. And it's, yeah, it just sort of,
but I guess what's the solution with that?
Well, you separate the inventory.
Well, it's a bit like, you know, it's the volume game though, and it's okay if you're doing like a, you know, a couple of thousands, but, uh, in the millions they're probably shipping by it, so, yeah.
Yeah, yeah, it's always down to, down to that, that acceptable rate, you know, it's probably not point not something whatever. But, but it's scary because this can also include, you know, well, toothpaste, which you put in your mouth and ingest, and tablets and multivitamins and face creams and all that sort of stuff, you know, stuff that can, you know, harm your, harm your business... but harm your business, harm you.
How's this any different from what big consultancies do? They, they, what, they, they promise you something and then they, they send, and then with the inventory co-mingling, they send you a junior auditor fresh out of college with a checklist. You discuss your requirements with a partner and then, uh, yeah, get the graduates show up on your... partner delivered.
Yeah, exactly. Fulfilled by...
But fulfilled by, yeah, three-letter consultancy.
Oh, dear.
So, yeah, fascinating stuff.
But my goodness, you know, when you're working with numbers this large,
these sorts of things just become rife.
So, yeah, pretty scary.
Pretty scary.
Yep.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
I was thinking maybe Amazon could sponsor us.
I'm sure Bezos, he's worth 200 billion now.
Yeah.
Yeah, let's go after some of the big guns, shall we?
Yeah.
Okay, so Amazon, if you'll listen in, this could be you.
Host unknown.
Sponsored by Amazon.
Amazon, Jeff Bezos.
Oh, well, so we've used that jingle up.
We're going to have to find something else to put in the space,
in the show notes later on.
Right, Jeff, shall we go on to Billy Big Balls?
Yes, let's do it.
Okay, Jeff, it's now time for this week's...
Billy Big Balls of the Week.
Right, so the FBI arrested a Russian racist.
What?
Okay, no, no, no.
Although it is always the Russian.
It is always the Russian.
It's not Dolph Lundgren from Rocky IV, though.
It's Igor Igorevich Kriuchkov.
We'll take your word for it.
No one's going to challenge you on it.
We can see you practice that one, Geoff.
Igor. Okay, so they arrested this guy called Igor,
who flew from Russia to Nevada to try and recruit an employee of a
Nevada-based company to plant malware inside the firm, and they promised to pay him as much as
one million dollars. Well, they actually started off offering him half a million and then he said, no, no, I want a million. Right. And, um, you
gotta shoot your shot. Yep. Yeah. Um, they, but the bad guys, I think they were thinking
that if they can install the malware, whatever it was, maybe ransomware or something like that, they
could extort around four million from the victim company. Igor, the Russian, first made contact with the employee via a WhatsApp message.
Uh-oh.
Through a mutual acquaintance.
Anyway, he flew from Russia to meet the guy, and then he said,
hey, I work for a group that specializes in extorting companies.
And he actually said to him, look, we've done this many times before.
You as an employee will remain completely protected.
So he works for the IRS, basically.
Yeah, whatever.
I have no idea.
But he says, you will remain protected.
He says, if you don't like one of your co-workers,
we can teach you how to plant the malware.
So it looks like they've done it.
And they said,
yeah,
we'll pay you like three Bitcoin or cash,
whatever it was.
The,
the employee then,
you know,
he,
he listened and then he went to the feds snitch.
And,
you know, the feds caught our boy Igor before he fled the country.
So he's unfortunate.
Well, whatever.
He's in custody now and he's been interrogated and what have you.
But I think it's a pretty ballsy, in this day and age,
when everything's done from a keyboard and you can go through proxies
and you can, like, be whoever you want.
For someone to actually get on a plane from Russia to fly into the heart
of the great Satan, USA, and meet face-to-face with an employee
and say, I will pay you money, you put Malware in company.
He said he was from Russia, not Pakistan.
He was one of them.
Screw you, Tom.
Screw you.
You know you've won when that's Jav's response.
It is.
It's like putting customer service right to the forefront
of your criminal enterprise.
I like it.
Yeah. I would actually honestly believe that this would have a higher success rate than, uh, most remote,
uh, remote, um, exploits. Absolutely. Yeah. You know, this Igor, they probably sent him over because
he's the one that least looks like a big Russian bear. Probably a nice jolly chap who likes, you know, to drink a little vodka every now and then.
And, yeah, wow.
So this, I can't believe this guy just immediately snitched.
It's like, wow, he didn't even consider?
I mean.
Well, he negotiated.
He went out from half a million to a million.
Well, that was just to make sure they were serious.
Yeah, yeah.
But what do you think?
What was the chance, if he went through this,
do you think the Russians would have actually paid him?
Do you know what?
On balance, and it is pretty much, you know, it is quite balanced,
but I think they probably would because they would have made
significantly more than a million,
and they would have been able to reuse the tactic, if you see what I mean.
Because if they didn't pay, then he would have gone to the feds.
Would he?
Because I think then you're really screwed.
Because you're like, I made the deal with the Russians.
I put the malware, screwed my employer, and they haven't paid me.
Help me.
No, no, no.
I was coerced into doing this, blah, blah, blah.
You know, I was obviously coerced because I've not received any money.
Check all my accounts and my bitcoins and stuff like that.
You know, no money's come into me.
They threatened me, et cetera.
You know, so I think it's in their interest to do it.
And let's face it, the criminals are generally more business-minded than most businesses
are.
Yeah.
I don't know.
I'm really sceptical.
I don't think they would have paid.
But hey-ho, let's move on.
Well, that's just you, Jav.
That's just you.
That reflects badly on you.
And then people wonder why so many old white men fall for these scams.
What do you mean fall for these scams?
How do you think I've been able to afford this flat?
Yeah.
He didn't fall for it.
He's been fully involved in it.
Yeah, that's right.
Less falling, more supported.
Oh, well.
All right, lovely.
Thank you, Jav, for this week's...
Billy Big Balls of the Week.
Oh, dear.
Right, what have we got next, Andy?
So our reliable sources over at the InfoSec PA Newswire have not been busy at all this week.
Still not been busy.
After a disappointing week last week, I note that three stories get dropped in over the last couple of days.
Literally one a day for the last three days.
Just in time for today.
So I'm guessing that he or she has been on holiday and maybe just got back.
I want to talk to, you know, I'm talking to InfoSec Stig's manager at the moment. Yeah, okay.
Directly to InfoSec Stig's manager.
So it's, you know, we like to feel that we're supporting your employee
by, you know, using these news articles to broaden your reach, et cetera. The quid pro quo is that we
get two each a week, right? That's, it's, there's nothing much to it. You know, six, six pieces of
news. That's, you know, one and a bit for a working day. I think you need to reel this person in and have a chat to them
about their output.
I mean, the quality's there.
Quality's good.
Just the volume isn't.
So InfoSec Stig's manager, InfoSec Stig's manager, have a word.
Really does just roll off the tongue, doesn't it?
Yeah.
We need to have a meeting
and revisit this feature.
Yes.
I think we do.
Yeah.
I think we,
should we have it,
you know,
just before we go live
next week?
Yes.
Or maybe at the start
of the show.
Who knows?
Depends how much time
we've got.
Hey,
you know,
we'll,
we'll open the veil
on the inner workings
of the Host Unknown podcast.
Anyway, there's time now for this week's...
Industry News.
Palo Alto Networks to acquire Crypsis Group.
Industry News.
TLS and VPN flaws offer most pen tester access.
Industry News.
BT Security announces vendor partners to simplify and strengthen protection.
Industry news.
And that was this week's...
Industry news.
That's the gag that's just going to keep on giving.
That's what she said.
What?
It doesn't make sense.
The TLS
and VPN flaws, Tom, have you
learned from your Pentester Academy
or your Quest
training simulation? Do you agree with that
assessment?
Yes.
So the VPN,
you know the TLS and VPN use, like, the wireless, um, access protocol?
Is that, is that Cardi B's one?
Because I know back in the day she was an MCSE, and, uh, you know, once an MCSE, always an MCSE. So
talking about, you know, WAP and all that sort of stuff, because I remember
the days of WAP, don't you, on the old Nokia phones? Exactly that, yeah. And it's kind of, you know, I
really like the retro feel of the song she's done about WAP. I think it's, you know, I haven't
seen the video, but I've heard there's a lot of, you know, um, you know, it's generated a lot of
interest. Yeah, yeah. It's generated a lot
of interest and commentary. And it's probably down through the use of the old Nokia phones.
Let's face it. Everybody loves a Nokia phone, the traditional Nokia phones, not the Windows ones.
But, uh, yeah, yeah. Fascinating. Huge if true, he says, reading off the show notes.
Oh, dear.
Well, given that Amazon is so big, I think we need to have another go at trying to get them on board as a sponsor, don't you?
Absolutely, yeah, and I think they're definitely going to sign up
knowing that we talk about Cardi B and all that kind of stuff.
Yeah, yeah, and out-of-date mobile data protocols.
Anyway.
Host Unknown, sponsored by...
Amazon.
Jeff Bezos and Amazon.
Do you know what?
When we first said those jingles made,
never knew they would be so flexible.
No, they just fit in everything, don't they?
They do, they do.
Really good, really good.
Anyway, I think we should move on.
We're rapidly approaching the last 10 minutes of the show.
I think we should move on to uh this week's rant of the week
which is me, and once again I'm going to be talking about, um, sales tactics. It's been, not like the
third, this is the third time in a row we spoke about Mr Taylor Lehman of Athena Group, uh, week
before last and last week, because, uh, of the, um, the Big Balls move he made of actually fessing up
and owning up to his poorly worded statement about salespeople.
This one comes from friend of the show, Brian Brackenborough,
who is the CISO at a major UK television broadcaster. And he says in his
story, well, in his story, in his LinkedIn message, he says, I'm more sympathetic than I've
ever been towards sales calls at the moment. The industry is suffering badly due to COVID and everybody needs to make a living. I'll take the call and hear you out. Brian, you keep saying that,
but you need to take my calls, remember. But if I tell you four times that we already have a
solution in place and that it's doing its job and that we aren't looking to replace it,
don't get shirty with me. Save yourself some time and don't expect me to tell you
my security plans either.
Fair play, actually.
Relatable.
Fair play.
Relatable.
Yeah, absolutely.
I remember these all the time.
It's like, you know, trying to politely say no thank you
and actually sometimes you have to be really blunt.
No thank you.
Do not call me again.
I will set the hounds onto you.
But also this whole, well, tell me about your security plans.
No.
Isn't the clue in the word security plans?
So he got a lot of likes and good comments,
unlike Taylor's initial, um, uh, statement
on LinkedIn. But, um, but the best one, I thought, was from Mike Willis, which said, uh, Brian B, when's
the best time to get in touch? Yeah, I always love it when someone's really angry about something,
you just poke them to see if you can just tip them over the edge. I can never resist that.
Whenever someone just explodes in front of you and I'm just like,
I think they've got a bit more.
You know, it's like those posts that someone on Facebook goes,
oh, my boyfriend just cheated on me, broke up with me or something.
And someone comments like, oh, so you're single now.
Do you want to go out?
Yeah, that's right.
But you know what I have had, um, in the last, basically in the last sort of six
weeks or so, is, um, just cold callers putting in, um, sending calendar invites, uh, to join. That's
become a much more popular thing. When should we schedule, you know? But they actually just send it, you know,
let me know if this time's not convenient.
And it's annoying because I don't see the initial email
when it comes in, but I see in my calendar,
I've got this like tentative meeting.
And you think, oh my God, I've got a meeting.
Yeah, so frustrating.
Yeah.
Yeah, yeah.
But I think, you know, in this case, well,
we all know Brian, and Brian's a good
laugh, actually. He, um, friend of the show. If there's ever a time for a serious comment, Brian
will make a non-serious comment, which actually is something I actually quite like. Um, so, um,
and, uh, I think he does make a good point. You know, I think it's important that we,
sales is part of our entire ecosystem at the end of the day, you know,
unless you have no products and no people, and in fact,
no business in which to support, then you won't need sales.
But actually, if you have any of those things, and let's face it, you know, we are all in some
kind of business that, um, you know, needs people and needs tools and whatever, whatever those
tools might be, sales is going to be a part of that. And actually, if you don't help support that,
that's going to be problematic. Um, but that said, there is that balance, I think. Um, and as you say, Andy, the dropping in
of speculative meetings, which really just muddy the waters, and if you're a busy person can actually
be quite, well, very frustrating, from memory. Yeah. Um, and the whole "tell us your security plans",
you're like, oh, hang on, you phoned me, I don't know who the hell you are, you know.
So, yeah, let me tell you my plans, you know.
Do you know what?
Meanwhile, Igor's making notes at the other end of the phone, you know.
So back in the day, we used to share, myself and like the rest of the team,
we'd actually share our own office together.
And we'd all have our own whiteboards.
We had one big whiteboard in the middle.
We would have our own whiteboards as well.
And when we got sort of sales calls, you know,
we would actually change their caller ID on the system as well.
So we knew who it was when they came in.
But what we'd do is just spend time bouncing them around each other.
And I know it's a cool thing to do, but we would literally say,
oh, you need to speak to Steve.
He's the head of wireless.
You know, he's not back till next week.
And, you know, then literally you send the details
and Steve would put it up on his whiteboard.
It's like, okay, this call, right?
It's like, okay, I'm head of wireless.
And he'd be like, oh no, you need to speak to Mike.
That's his area.
Cause this is related to NT4 and all of our estate is NT4.
And honestly,
he's on holiday this week.
And it would just be a case of stringing,
seeing how long you could string
them out for, which is a cruel
game and I get why they are.
I never had you down for being cruel, Andy.
Really?
Really? How long have you known Andy
for? Do you punch puppies in your spare time as well?
No,
I,
I still,
I've managed to wean myself off punching puppies by,
um,
clubbing baby seals.
So,
uh,
so once a year I get out to the Nordics and,
uh,
we go seal clubbing.
That's a joke,
by the way, people.
Yeah, and we're laughing because it's a joke,
not because we find seal clubbing funny.
Or punching puppies.
Yeah, so if PETA wants to sponsor the show, you can.
Hey, here we go.
Talking to people who kill puppies.
Host unknown.
Sponsored by.
PETA. Sponsored by PETA.
We'll save the stories of PETA killing puppies for another show.
Yes, indeed.
Let's not end on a downer.
Yeah, absolutely. Anyway, that was this.
What was it?
Oh, it's the rant of the week.
That's right. So that was this week's rant of the week.
Well, blimey, we've made it through another show.
No, we haven't.
Oh, no, we got the little people, haven't we?
We still have.
The conclusion.
Let's get that conclusion.
People have been putting up with us just so they can hear.
The thrilling conclusion to Amy's rant about research in the industry.
Indeed.
The Little People.
First of all, cite your source.
They usually do.
But share with us the methodology behind that number.
Where did that number actually come from? Because if it was, if you've been raking through a whole bunch of data, um, you know, recent breaches or whatever it is to get that figure, um, then explain to us how you've done that and where because I mean, I can do a Twitter poll and ask, what's
your biggest concern right now, X, Y, or Z?
And probably, and not that I have that many followers, but my followers are more likely
to say that security culture is a big concern for them, whereas somebody else is going to
get, their 78% of people might say it's ransomware.
And I'm not saying that one is right and one is wrong.
I'm just saying that that's of consideration when you make a poll. So, um, yeah, do a Twitter poll, fine,
great, but call it what it is, um, because to my mind that's not research. I mean, can you
imagine if, when we published that 2020 security culture report, that instead of, like, pages and pages of science,
it just said,
um,
yeah.
So we polled 120 odd thousand,
uh,
uh,
people on Twitter.
And this is what they had to say.
And it wouldn't quite be the same thing with it.
Anyway,
you've gone really,
really quiet.
I thought you were going to laugh at me.
You're not recording this, are you, Javad?
The Little People.
Are you sure you told her it was 60 seconds?
I mean, really good points.
Really good points, especially the third point.
But very valid.
Very valid.
But, you know, maybe we should have had her on as a guest or something.
Was that what you said?
This is an audition for a guest spot.
No, I thought we agreed that guest spots are only paid for.
Oh, that's true.
That's true.
Except Carole.
Carole can come on any time she wants.
And so can Jeff Bezos.
And so can Jeff Bezos, yeah.
Well, no, Jeff Bezos can afford it.
But Graham, friends of the show, Graham, if you want to come on,
show us the money.
Oh, dear.
No, very good.
Thank you, Jav.
I'm not sure if in your mind you think that that three and a half minutes
means you can have a rest for the next two and a half weeks as a result.
But I'm looking forward to next week's little people, I have to say.
So am I.
All right, folks, time to wrap up.
Jav, thank you very much indeed for your time today, sir.
You're welcome.
Any other, any parting shots for our audience?
No, because like, you know, the audience knows that I'm the gent here.
I don't
take cheap shots or anything like that, and I'm constantly putting up with the abuse that you
two dish out, but, you know, this is just the world we live in. Good, I'm glad we see eye to eye on that.
Andy, thank you, sir. Stay secure, my friends, stay secure. Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javad Malik and
Tom Langford. Copyright 2015 or something like that. Insert legal agreements here
as applicable and binding in your country of residence. We thank you.
Jav, Memsab, I hope we hit the right tone there
of making you seem like the victim
because we don't want, you know, anybody, any of your fans to think...
I can hear TikTok in the background.
No, no, no.
I'm just playing the WAP video.
I just want to see the video because you go.
It actually looks like this is not about the wireless access protocol.
No, it doesn't.
Not at all.
Isn't it?
No.
I don't think that's what Cardi B was talking about.
Wow.
Well, then they should strip her of her MCSE in that case.
I have not felt this cheated since I paid my assist AMS.
Damn.