The Host Unknown Podcast - Episode 22 - It's Twirly
Episode Date: September 5, 2020
The now world famous Jav and Thom take Andy to task for not being as famous as them and not appearing on the recent InfoSecurity Magazine front cover. Next week's Little People will be by Andy.
This week we have:
Tweet of the Week
https://twitter.com/WBLooneyTunes/status/1301375017515712513
Billy Big Balls
Industry News
https://www.infosecurity-magazine.com/news/covid19-spam-emails-analyzed/
https://www.infosecurity-magazine.com/news/fake-login-detections/
https://www.infosecurity-magazine.com/news/tls-certificates-398/
https://www.infosecurity-magazine.com/news/dhs-biometric-collection-rules/
Rant of the Week
The Little People
The spectacularly lovely, furry and moist James McQuiggan
Come on! Like and bloody well subscribe!
Transcript
You know, I've got to that point now where actually even during like presentations or like when I'm doing, even if I'm doing a live presentation.
You just don't care.
I just don't care anymore.
It's like because, and I don't get it because like, you know, it's like my family keep on interrupting, like the kids will come and bang on the door or something.
And I'm like, yeah, whatever.
I said, give me a second, sorry.
Like, go away.
Get off my lawn.
Yeah.
Well, that's what the lockdown has taught us,
that we all have personal lives and annoying children.
Some of our own as well.
Yeah.
[Laughter] You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening. Welcome to the Host Unknown Podcast,
episode 22, the It's Twirly episode, because Jav asked us to do it extra early this morning.
I still turned up late
Yeah, I was going to say, I guess I turned up late
Good morning, Jav
You evil people
No, I did want it early
And look, we're starting recording
half hour earlier than what we would have otherwise
So that's fine
But we started an hour earlier than we normally do.
Yes, that's right.
The maths isn't adding up for me.
Yeah, never was your strong point, was it? Anyway, what's so urgent that you gotta start us off an hour early?
Oh, I'm off to see my friend of the show, Quentin Taylor, today.
Oh, really?
Yeah.
We're having a socially distanced video editing sort of class or something.
Well, I'm only going because I'm trying to see if I can get some free Canon cameras and lenses off him.
Oh, well, yeah, get some stuff for me as well.
And also a little people, eh?
How's that?
Yeah, well, he's already done little people.
He done it way back when.
He did the first one, actually, didn't he?
But to be fair, that was five years ago.
Yeah.
No, no, that was, it was April.
It just felt like five years ago.
Oh, okay.
So he wasn't the first one then.
No, the first one was Jill.
We had Jill and someone else, didn't we?
Oh no, but yeah, Jill was the first little people
Who did we have as the Billy Big Balls?
Brian Honan, I think
Yeah, that's right
Gosh
Oh, you've met Brian
Still hurts
Oh my God.
So how are you, Andy?
muscle memory
It is all your fault. I was just about to take a drink when you came across to me.
I wasn't expecting that.
I thought maybe you'd talk to Jav first.
No, busy week.
I know I briefly mentioned to you guys I had this fantastic new feature on Zoom.
Or rather, it's not a feature of Zoom, but dealing with a Spanish company over some quite intense sessions on a couple of days,
and we had interpreters. What they do is they take over the channels, and one of them will
turn the English into Spanish, the other turns the Spanish into English. So you
see people talking, like you'll see the guys talking, but hear the lady's voice who's doing
the interpreting, and it's just absolutely fantastic. It's almost real time, the speed they work at.
I think both days at the end we had to say a special thank you to
the interpreters, because they were absolutely fantastic about some very complex topics as well.
Well, interpreters are really unknown for that, aren't they? I mean, because it's not just
knowing the other language, it's actually being able to process it and translate it and put it in different
terms.
Yeah, and do the tones as well, the way people were speaking, and doing just the
little things like when they're talking amongst themselves, even the things like, well no, just stop
sharing your screen, just put on, you know, so-and-so, can you share your screen instead. You know, she
was interpreting all of that stuff as well,
but in the tones that they were doing. It was just absolutely fantastic.
Does she do voices?
Does she do what?
Voices, like, you know, no, stop doing that.
Why are you doing that?
Please don't.
Sadly not, but I'll confess, I did get caught a couple of times
when people were asking me questions,
but I'd actually switched to Spanish because I was so intrigued
as to what it was sounding like on the other channel
with the interpreter.
Because they kept swapping throughout the day, you know,
between whoever was doing the English to Spanish and vice versa.
So I kept switching my language.
I'm sitting there not knowing what's going on,
but then hearing, Andy, Andy, and I was like, oh, back to English, and I quickly, on internal chat, what was the question?
And it's like, yeah, absolutely fantastic. So that was exciting for me anyway.
I know.
Yeah, I'm just reminded of those old Hong Kong films or something. Like, were they even
translating the laughter and the chewing sounds
when they eat?
Time to die, motherfucker.
Yeah, it was a bit like that, but obviously a lot more professional
because, you know, in an office setting.
I'll tell you what you weren't doing this week.
Okay.
There's something Andy wasn't doing,
but Tom and I have had to turn off all notifications
on our phones because of it.
Because we were on the cover of a magazine.
I heard this, and do you know where I heard this?
I got this subtle text.
What, from Jav?
From Jav saying,
Hey, Andy, can you record a little people segment for me this week?
The question is, how does it feel not to be included on the InfoSecurity magazine cover?
Which hurts.
You have to admit.
I mean, that's throwing shade and there's just outright bullying.
In the workplace as well.
I think we should get the host unknown HR involved.
Wait, host unknown HR, isn't that 20 quid extra?
Yeah.
Host unknown HR.
Oh, God.
That's horrible.
But I charge at least 50.
How does it feel to be the Murdoch of the team?
Do you know what?
So I see these things and it's like,
how do you guys actually have the time to just be around?
To take a photo and send it?
Yeah, it takes so long.
How does it feel to be the drummer from Bross?
Luke was a very popular person, I'll have you know.
Matt and Luke were the front men,
and then it was Ken on drums.
No, Ken.
Ken.
It's definitely Ken.
No, Luke was the drummer.
Matt was the front man.
Luke was the drummer.
Craig was the bass guitarist.
You see, you're already identifying
as being the drummer of Bross.
It's great. So I have no issues with that. I've never been one for the limelight. And so, you
know, like when we often have to switch the time that we record at, nine times out of ten it's
because I can't make it, and the reason I can't make it is because I'm the person that they call
when people need to get shit done.
Whereas you guys can just be,
yeah,
I can be there.
I'm free all the time.
You know,
what you guys do,
it's great and it's good FaceTime,
but it's not actually moving the dial on the stuff that actually needs to
happen.
I don't know.
I'm that guy behind the scenes.
It's, you know, I've always been the workhorse, you know, and I'm not about that fame life, you know.
Yeah, but when you get
to our level you can just delegate far more easily. And so, obviously, the magazine's been
very popular for the environment right now, because, you know, everyone's going to keep them. So
does your vanity project, you know, offset the
carbon footprint of these magazine covers, the shiny stuff?
I look great on it.
The shiny stuff that can't be, you know, recycled.
I've got it framed already, mate.
Did you ask for a re-copy as well so it could be blown up?
Yeah.
Oh, dear.
Yes, I can get it blown up and sent to you for your birthday.
Oh, have you not already done it?
Oh.
I was expecting it to arrive in the post already.
So, obviously, I saw the front cover.
I have no idea what the story was about.
Yeah, I've not actually received a copy of the magazine yet,
so I don't know what was written. Neither have I.
I've just seen the front cover.
It might as well have been,
these are the most hated people in InfoSec, but I don't care.
Yeah, especially since it looks like the intro to The Muppets.
These are the Muppets of InfoSec.
Looking at one or two of them, I would agree.
I do think that one was the best shot of the lot,
Tom.
Yeah, it was a close run with Clive Room and what's his face?
Oh God, I can picture him.
Brain's hurting me.
What were they doing? Pouring champagne into each other's glass or something?
Well, he had a beer in one hand and poured wine in the other.
He used to work at the DWP, and I know him really well, and I can't remember his name.
Not DWP.
Ed Tucker, you mean.
Yeah, Ed Tucker.
God.
Ed, if you're listening, friend of the show, sorry about that, mate.
Got my mind on other things.
Yeah, so I thought that was quite a good one as well.
What other things do you have your minds on, Tom?
Oh, just important things tonight, you know,
but I'm not talking about that.
Oh, really?
Sharp, sharp.
Yeah, sharp, sharp.
Right, moving on.
What have we got for you this week?
We haven't covered...
Jav, you...
Oh, sorry.
You went completely nuclear.
You removed TikTok from your phone
and then briefly dabbled back into it.
I understand.
Oh, I see.
Oh, he went cold turkey.
No, no, no.
I installed it a couple of weeks ago
after your constant promotion of it.
You lost a few days.
It was like going to Vegas for the first time.
You know, it's something you have to dive into.
I believe in fully immersing yourself in an experience
to understand the nuance of it.
I love this justification.
And I'm like a method actor. You know, just
assume the role of Andy just for a few days.
And a bit of a prick to work with at the time.
Yeah.
And, yeah, I've been there, done that, and now it's off my phone, and that's it. End of story.
Been there, done that.
Went back to it.
Been there, done that.
Went back to it again.
Been there, done that.
No, no, no, no.
But, yeah.
So I've just been quite brutal with my phone lately.
There's no Twitter.
There's no LinkedIn.
I left Facebook years ago.
There's no social media to talk of.
So my phone is actually quite boring at the moment,
but it's actually good because it's giving me back a lot of control
of my time and my attention.
So I'm happy.
How in the heck have you left Facebook?
Don't start that.
Are you sure about that?
Yes.
Hmm.
Okay, we can come back to that one. Let's revisit that statement next week, shall we?
I hate you guys.
Oh, this could be fun.
I hate you guys so much.
Anyway, yes, moving
on. Thank you for that little roast of Jav.
Oh, little rolls.
We might as well change this to the Let's Roast Jav podcast
because that's all that seems to be happening these days.
It's always about Jav, isn't it?
I don't know.
Let's move on for the third time.
Shall we try and move on without it all being about you, Jav?
Let's move on.
What?
Anyway, this week we have, it will come as no surprise,
Tweets of the Week, Billy Big Balls, Rant of the Week.
We may even have a Little People.
What do you reckon?
Possibly.
It better be a good one is all I can say.
We need a really good one.
Oh, now you're adding in stipulations. First you were just happy to just get eight Little People, and now it's got to be good. It's got to be this long. It's got to be this topic.
Well, yeah, we don't want dull stuff, do we?
We don't have dull people on the Host Unknown show.
And obviously industry news. Let's hope our InfoSec Stig has, you know, pulled his or her finger out and got the job done.
So shall we move on?
I think we shall.
And also, who's having building work done in the background?
That would be my neighbours. So, yeah, this whole week and last week as well, but they weren't so noisy last Friday. It was an absolute nightmare.
There's two of my neighbours who live opposite each other
are both getting new driveways.
Oh, my God.
So we've had, you know, they've had gardens removed
to make way for the driveways as well.
So there's been digging, drilling.
Are they two different companies or is it?
Funny, they actually use the same company.
Yes.
What they're doing, they're taking the digger,
driving it across the road,
and then digging up the other side of the road.
They've got a twofer or something.
Yeah, but I mean, it's the same.
Last year, we got our driveway done,
and the company that did that did seven other drives in the road
at the same time.
Yeah.
Only five people actually wanted their drives done.
Yeah, well, yeah, we weren't actually planning it. The guy caught me just as I got back from a long trip, and
we've been talking about getting it done anyway, and he actually gave me a really good price
just because they had all their vans on our road anyway. So, you know, the diggers and
stuff were here, so they didn't have to... They just brought it in one night, left it in a different person's front drive
every night of the week.
Whether they were having their drive done or not.
Exactly, yeah.
Anyway, so I was just wondering where the noise was coming from.
But let's move on to this week's Tweet of the Week.
So this one is me, this one caught my eye, and part of it
is probably because the name stands out. The name of the account is WBLooneyTunes, and it
has the Looney Tunes logo, and it is a blue tick verified account, sort of implying it is
part of the Warner Brothers group. And so I understand that there was a very big basketball
game going on in the US this week, which went right down to the wire, and someone made a comment basically saying, buckle up motherfuckers, it is
Looney Tunes in here tonight. And I'm guessing this account obviously searches for the phrase
Looney Tunes, and what they did, they quote tweeted it, and the Looney Tunes account actually said,
my boss will probably tell me to delete this in the morning, but yes, what he said.
And so they've quoted this tweet, which just says, buckle up motherfuckers, it is Looney Tunes
in here tonight. And then, you know, people are like, is this real? And then someone's reply
saying, just tell him that's 2020, baby. And the Looney Tunes account actually says, yeah, that's a good
subject line for my apology email. You know, but this just comes back to,
you know, corporate accounts and sort of how people represent the brand,
and there's that fine line that people have between, you know, being very sterile
or sort of being engaging. And
I think we've touched on it before. I think Wendy's burgers and, you know, Tesco is
particularly good at this type of thing, you know, sort of a bit of banter with people.
But it's also a fine line to go into sort of deeply inappropriate or, yes, just completely,
actually, you know, brand damaging.
Yeah, and I guess that's where, you know, looking
through the history of this account, part of me questions whether it is actually affiliated with
Warner Brothers. So I mean, I would guess that they would have pulled this down or,
you know, had this removed if it wasn't an official account, because it's using
their logo.
But again, it's also blue tick verified.
I know that's not something to take on merit.
Anybody can get a Bluetick.
Anyone can get a Bluetick.
Even Graham Cooley, friend of the show, has got one.
Exactly.
I mean, he states that he is an Acme intern with password problems.
An Acme intern with password problems.
Yes.
But just looking through his history,
he often does...
He doesn't really represent the brand.
Let's put it that way.
He or she.
Or they.
We don't know how many people are on this.
So I guess, you know, two lessons.
One, don't believe everything you see.
There's a main, you know, there's that guy who replies from customer service accounts.
Oh, yes. You know, he does hysterical.
Yeah, so, you know, he could be one of these.
How, you know, quite a lot of followers.
It's been around since 2016.
So, you know, to me, either brand management's not going on
from Warner Brothers, or, you know, it doesn't say it's a parody account,
or else they're just letting this intern run free.
And, yeah, to me, this was a funny tweet.
I obviously had a proper InfoSec one about, you know, OSint tools as well.
But I actually just really like this one.
I actually just went onto the account
and the tweet is still up there
and the person's reply said,
all right, I didn't get fired.
Either way, it doesn't matter whether it's real or not.
It's still good, good, clean fun,
apart from the motherfucker part.
Yeah.
Which I like.
So, you know, is there
an InfoSec angle on this? I'm not sure. Brand management, yeah, I guess there's that one.
Giving interns the keys to the castle. I think if you look at InfoSec brands on Twitter, they
are probably some of the worst managed ones. Most of the corporate ones
are very, very sterile. They're just very scared to say anything, or anything they say is very
self-promoting. And individual stuff, again, it's... well, it used to be really good back in my day. And, yeah, I think actually Andy was one of the first dozen or so people
I actually followed on Twitter.
I don't know how or why.
But Andy probably remembers.
This is like going back to 06, 07 or something like that.
And there was – I think from those days,
I think you and Stephen Bonner are the only two people that are still,
well, you've left.
I think, okay, Stephen Bonner's the only person that still tweets that,
who I still follow.
But do you remember there was like Wibble and there was Nathan.
Yes.
Oh, there was that girl as well.
The privacy professor's still around Professor Harold
Oh yes
I couldn't remember that I followed her for that long
But Steve Bonner used to
Update Twitter via text message
Yes that's how it was
Blimey
That was when you replied
You'd send a text and it would
Send it to Twitter
Wow.
I think I only joined Twitter in 2010, 2011.
I can't remember now.
A lot later than most.
I was on it for a while without actually having an account
because I didn't want to be seen to be jumping on the bandwagon
with everyone else, but it just got too good.
It did. It was the TikTok of its time.
Oh, excellent. Anyway, thank you, Andy, for this week's
Tweet of the Week.
I tell you what, those jingles are getting better every year.
The timings. But I just remembered.
So talk about this Acme stuff.
So at work, and this is how I realise I'm now feeling like what it must be for you, Tom,
when you deal with people at work.
So one of the guys in my team, I did an example of something,
and I sent it to him, and I put in Acme Inc. as the company.
Yeah. And he actually thought that was a real company, and it was like, so, you know, where's the Salesforce record for Acme? And
I'm like, looking, I'm like, no, Acme Inc. And he's looking at me like I'm crazy. He's like,
but what's the company? I'm like, no, you never heard of Acme? And he's looking, he's like, no.
And this guy's only in his late 20s or something,
and he's not aware of Acme.
And it's heartbreaking.
I remember chatting to some IT folks just a few years ago,
and there was a couple of women in their early 20s.
And then we started talking about music and I said about Pink Floyd
and they went, who?
I was like, you don't know who Pink Floyd is.
Oh, my God.
At which point we just played Pink Floyd for the rest of the afternoon.
And they hated it.
But, yeah, just all these assumptions that you make
that are based upon, you know, you and your experiences
versus somebody who is, what, a generation younger,
completely different.
Then again, my son is a massive, he's 17,
he's a massive Pink Floyd fan.
So, you know, who knows?
But then again, he had to listen to it for years.
So I grew up with a lot of Johnny Cash and country music.
Do you know what?
One of the best songs ever is a cover that Johnny Cash did
of a Trent Reznor song called Hurt.
You've got to listen to that one.
That is just amazing.
Amazing.
Anyway, we've veered off somewhat.
We digress.
But, yeah, check out Pink Floyd, Johnny Cash, David Bowie, obviously.
God, 2020 couldn't get any worse unless Bowie ends up dead. I mean, God, can you imagine what kind of world we'd live in then?
So, yeah, very good.
Very good.
I think we're going to move straight on, looking at the...
We're going to move straight on to
Jav and
Jav you've got some good stuff for us
this week haven't you? Yes
and it's security related as well
oh in which case I'll definitely do the jingle then
so Jav you can talk to us about
Billy Big Balls of the Week.
So this is a great story.
I read it and I never condone crime,
but I just like, I was like,
had to just tip my hat to this one.
And it's the Oklahoma City Police Department
posted this online.
And I think this is from March.
Well, according to the date, it's from March.
But I only saw it this week, so that's why I'm bringing it up this week.
But there's a theft in a convenience store.
And that's not unusual.
But the way this worked, it was some clever social engineering went on.
A guy walked into the
shop. He convinced the store clerk that he was there to take over the shift for her. So he was
even wearing a shirt with the store's logo on it. So he went behind the thing, he let his
quote-unquote colleague finish her shift and walk out.
In the meantime, he was checking out customers for several minutes,
like, you know, selling them stuff and what have you.
So he knew what he was doing.
So when he was sure that his colleague had left and no one was in the store,
he locked up and stole all the money, cigars, lottery tickets and fled.
So specifically money, cigars and lottery tickets.
I love that.
Not having any cigarettes or chewing tobacco or anything like that.
Yeah.
So they're looking for, you know, a rich cigar smoking,
lottery ticket scratching.
Yeah.
Who's probably better at the job than most of the store clerks
who has ninja training on the till.
Yeah. And I thought this is brilliant. This is like the
real-life manifestation of a kind of business email compromise or something like that.
Hey, we got the InfoSec in. And this happens all the time. It's
like, did she hover over his face for a while to verify that he was who he said
he was?
Well, that's a little bit inappropriate.
Yeah, oh, you know what I mean. It's a family show.
Yes, it's a family show, motherfuckers.
Actually, Warner Brothers could sponsor this, but we'll go on to that in a bit.
Oh yeah, good shout.
Yeah, all right. So, but I think it's such a great example. People
just won't challenge something, especially if they're not expecting it.
So especially if you're working in a store, someone gives you like a 50-pound note or, you know, a high-value thing.
They'll put it underneath the light or they'll use the pen on it to make sure it's not a counterfeit note if it feels a bit dodgy or what have you.
Or if you look under 16, they'll challenge you for ID if you want to buy alcohol or cigarettes
or whatever the age limit is for those items.
Or under 45 if you're in the US.
Yeah, unless you're buying a gun, of course.
Oh, yeah.
But something like this, it's something that's so unexpected.
And this is what makes social engineering so effective.
People just aren't expecting it.
And if you walk in and you say with confidence,
hey, I'm here to relieve you of your shift,
or here's an email.
Cigars, lottery tickets, and cash.
Yeah, exactly.
And I love the fact how there was no violence involved.
He didn't pull a gun.
There was, you know, nothing.
It was just like smooth in and out and, you know, job done.
A very ballsy move, one might say.
Absolutely.
A very big, ballsy move.
Yeah.
And it's that thing, isn't it?
You go in there with such confidence in it, you think, well,
it can't possibly not be real because nobody would come in
and just pretend.
Exactly.
Reminds me of some consultancies.
Well, hey, the best consultants always pretend, allegedly.
But, yeah, you've also got to think about the motivations
of the other person as well.
He's probably on minimum wage, probably has been working for the last 12 hours
and put up with a whole load of crap from some really – a whole series of customers.
And when somebody comes in and says, hey, Bob says it's all right, you know, I'm taking over.
You've got to think that –
The Calvary's here.
Yeah, exactly, exactly.
And the first thing you do is you want to get out, you know,
and especially when all the signs are correct,
wearing a shirt, knows what to do, you know,
knows how to handle the tills because they've had, you know,
proper training or whatever, I don't know.
But, yeah, you're right.
You've got to admire it to a certain extent, haven't you?
Yeah, absolutely.
And when you look at phishing emails, there's certain times of the day
and days of the week that you're more likely to get someone.
So if you send one late on a Friday or late on a Thursday,
people are more likely to fall for it because they're tired
and they just want, you know,
they just want to get out the office. So, oh, here's another email. Let me quickly sort this out.
Yeah. Similarly on some of the voice sort of like scams where people are phoning up,
they found that if you're a female and if they play sounds of a crying baby in the background.
Oh, that's right. Yeah.
It's far more effective because people are like,
oh, this woman sounds stressed out as it is.
I'll help her change her password.
Yeah.
Yeah, exactly.
No, no, very good.
Very good.
That was a good one.
Thank you very much for that, Jav, for this week's.
Billy Big Balls of the Week.
If only we had a crying baby in the background instead of some kind of jackhammer and some
grinding of bricks and stuff.
Is that your new dog, Andy?
Oh, no, my dog is very well trained.
How is the dog settling in?
Absolutely fantastic.
It's absolutely amazing.
I didn't even realise he would just be such a perfect fit.
Oh, nice.
He doesn't come upstairs.
He'll actually wait at the bottom of the stairs
yeah he won't come oh there we go
Very good. I like the way you can multitask, searching for sound effects and talking, you
know, relatively well. But knowing how quickly you have memes on standby,
I'm sure you've got a folder of
sound effects to fool the
missus on a Friday night.
That was Jav, who pulled
up those sounds very quickly.
Ventriloquism. It's called teamwork,
Tom.
Okay, okay, fair enough. I'm obviously not on that WhatsApp chat. The art of misdirection is...
Yeah. So, Andy, what were those words that you used to make the dog go?
So, do you know what? I won't tell you, because... wondering how it works,
the other day, well, not wondering how it works. I know exactly how it works, but the other day,
obviously you reward the dog for good behaviour and stuff.
So went out into the garden the other morning, you know, so about 7am, went out and he,
you know, to let him do some business, and he stopped, he had like...
do you meet with other dogs and sort of sit around a table?
Yes.
Smoking cigars.
You know,
We're going to take care of business negotiations.
Yeah. So he
was doing like a wee, and so I said, like, good boy, you know, like good encouragement,
and then I said the magic words to sort of associate them with what he did. And then he
looked at me and went up the garden and then sat down and did the other business, which, you know, I think he
was gonna wait until we went out for a walk to do. But because I said the words, he thought
that, you know, he was doing something, but because I said the words, he had to do the other thing.
So, yeah, he just did it on command. So I was like, damn, man, it's so much easier when you do it.
Not in our garden.
We're gonna have to work out what words trigger
you Jav
just words coming out of your mouth
Tom or enough
words that make you
basically poo yourself live
on the podcast
TikTok
it goes cold and shaky when you use those words.
Oh dear.
So I reckon it's time for a sponsored slot.
Yeah.
Warner Brothers.
Yeah, Warner Brothers.
Warner Brothers, here we go.
Host unknown.
Sponsored by Warner Brothers.
If you see the police, Warner Brothers.
That's all, folks.
And if they don't like the swearing, we can obviously use it.
Meep, meep.
Every time we need to block it out.
Oh, dear.
Yeah, absolutely.
So, Andy, what have we got next?
So, this is the part of the show that just rolls off the tongue.
Our reliable sources over at the InfoSec PA Newswire have been very busy
bringing us the latest and greatest security news from around the globe.
Wow.
Fantastic.
Genius.
It's natural.
That sounds natural, right?
It does.
It does.
Absolutely. So, yeah.
I won't work on it.
Let's see, let's concentrate elsewhere.
Let's see how busy this, our InfoSec Stig, has been this week.
Industry news.
30 plus #COVID19 spam emails analysed every minute
Fake login page detections top 50,000 in 2020
TLS certificates now have 398 day lifespans
Industry news
Homeland security to propose
biometric collection rules
Industry news
And that was this week's
Industry news
Do you know what? Every week you're going to be the last one
to deliver something, Jav.
You know that, don't you?
Oh, good.
Whatever makes you happy.
Everything you said you hated about podcasts,
in jokes, you know, running gags.
Exactly.
If this is the first time that you are listening to the Host Unknown podcast, I can only sincerely apologize for wasting your time. You've made it to about just over a half hour now. So do yourself a favor. Just stop listening now. Unsubscribe. Never come back. You'll save yourself a lot of heartache in the future.
Run.
So this goes back to, I don't know which episode it was,
where the topic of the story was that people will complete the stories in their head just by hearing the first part of it,
that you don't actually need to complete the whole sentence
in order for people to understand what it was.
Wasn't Jav trying to make a point about something
or something like that?
So we tried to re-enter. I made it up in my head anyway. Yeah, yeah, I can't even remember it.
And I'm damn fine if I can listen to that. That is exactly what the story was, yes.
Uh, but it is the gift that's going to keep on giving. So, uh, every, every week. So, uh, any, any stories there, uh, jump out at you, folks? Uh, TLS certificates now having a 398-day lifespan. What was the, what was the original lifespan?
Do you know what? We used to have a policy of two years, um, internally, and I guess this comes down to risk appetite.
It's sort of really what,
like if someone compromises a certificate
and they've got it,
why is two years, you know,
better than three years, for example?
Obviously, you know, you get a year less,
but you just need to be able to revoke those certificates.
You'd revoke it the same way, and it should be a pretty mechanical process to, to renew anyway, right? So two years, you know, or in this case one year and a month, so 13 months, roughly, isn't it? Something like...
Oh, two months.
Uh, one month.
Yeah, but it's, that's about 13 months, isn't it? 398 days.
Uh, yes.
Yeah.
But in the old days certificates used to last for sort of 10 years.
Yeah. Yeah. Good times.
Which is why everybody forgot to renew them.
Yeah. So, yeah, interesting one.
You just click through the warning anyway. You get a certificate error on a website you want to go to, you just click accept.
Yeah, exactly. I know. Yeah. Although, although things like Firefox and Safari, they, they make you really want to, you know, oh, are you sure? You have to click Advanced and then Accept rather than just Accept.
Yeah, yeah, that's right, that's right. If you proceed, you could be at risk.
All right. Easy, Tiger.
Oh, dear.
Yeah.
So, huge if true, I think they say, don't they?
Yeah. Yeah.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
I think we need to move swiftly on before you two start chatting to each other
about how we're already 40 minutes in
and we're not at the right point yet.
I mean, when have I ever gone over an hour,
apart from once or twice?
But yeah, I think let's move on this.
I'll start that again. Let's move on to this week's Rant of the Week, which is mine, thank you very much, although, uh, I stole it from something that you tweeted. Sorry, you, um, messaged us about this morning, Jav.
Quite apt.
Yeah, exactly. I thought I would give you credit where credit was due, because we're talking about plagiarism. Uh, so, so, um, friend of the show, uh, Lisa Forte, Forte, Fort, if you're listening, Lisa, please let us know. Um, I should know, because we've listened to you on, um, on, uh, the Smashing Security podcast, sponsors of the show, no less.
But it was talking about, you know, in answer to the question,
what is the worst plagiarism case you have been victim of
or witnessed in InfoSec?
And she said, a woman literally got on stage and used my talk and title.
I was in the audience.
She copied most of my bio and description,
but had forgotten to remove,
worked for one of the UK police cybercrime units. Um, and then went on to say, I was, you know, I'm thinking I'm being punked. Ashton Kutcher must be around here somewhere. So, um, and this, this, uh, took on, I wouldn't say a slew, but a whole bunch of other responses. One person said, someone higher up in the company took my and my colleagues' months of hard work on a tool dev project and submitted a SANS gold paper without crediting us.
And then other stories came through about work that they'd been tasked to do as part of their day job and then having that work used in a report elsewhere, etc.
But I think it brings up a good point.
One, you know, plagiarism as we sort of know it.
Plagiarism is rife in Host Unknown.
So I did this talk about sharks and toothbrushes.
Yeah, for anybody who doesn't know that,
Andy's talking about a talk that I ripped off from him many, many years ago.
To be fair, I stole the idea from Jeff.
To be fair, I only got the idea because I saw it on Tom's banner on his website. It's a people with a shark and a toothbrush next to it.
Oh, and a coconut.
Yeah, and a lipstick.
And a chimpanzee.
Anyway, but I think, you know, in like, for instance, Lisa's case,
someone getting on stage and using your talk and, you know, virtually cut and paste, that's quite obviously plagiarism.
And it should absolutely be called out.
I'm surprised Lisa didn't name and shame at the time or even now.
Although, of course, some people have deeper legal pockets than others.
But there are other cases in there where people were saying, you know,
work they had done as part of their day job was used by the company,
blah, blah, blah.
That's not plagiarism, actually.
In my humble opinion, and in fact, I think Host Unknown's opinion,
because frankly, any work you do whilst you're in the employment of a company belongs to that company and they can do whatever they want to it.
It might be good practice to have your name on there as a contributor and all that sort
of thing.
But, you know, frankly, they can do whatever they want with it.
So it's, yeah, absolutely.
Absolutely.
So that, but there is, there is some nuance in there. Cause, um,
you know, looking at, at, at some of the messages as well, somebody was saying that
their boss asked them to produce some, you know, reports and some data on something and
had it done in a way that they wouldn't ordinarily have done it because their boss then used that,
that report to give to their boss, uh, to show that they'd understood
a particular technical problem.
And they used that report that they had created for them
without credit.
That seems, well, technically and legally not plagiarism,
but it seems like an asshole move, to be blunt,
especially when you're trying to show that you understand
something and yet you're just ripping off somebody's work
without any kind of credit.
But if he understood it well enough to explain to someone else
how to present it, does he not then understand it?
Well, it depends.
There's only so much you can get over it.
There's some shades of grey here.
Yeah, there are some shades of gray. So, but yeah, I think some of the stories that came out were clearly plagiarism. Some of them were not at all, they were just clearly... And I think what we have is that obviously, I think that there are some of those clear-cut cases, but there are so many other things. It's like, you know, whenever you tell a joke, are you going to say, I heard this from, you know,
Jamie Taylor when I was 10 years old in the playground
and therefore I'm crediting him.
And so we get a lot of that on social media
where people will tweet something or retweet
and it's an anecdote or it's just something small
and then people will say, oh, I heard about that
in so-and-so's talk or in their book.
So I guess it depends on the context.
So there is a guy, I don't know how to pronounce his name, Senoel.
What's his name?
Khalil Senoel.
Yeah.
I mean, his content is literally just a Reddit feed, you know,
with zero credit on a lot of these gags.
But, I mean, to me, that bothers me because, obviously,
I see it on Reddit, you know, the day before.
Then the next day, you know, he was tweeting about it.
I don't know if he's still around.
I heard he got arrested a while ago for something.
Plagiarism?
Plagiarism, yeah, exactly.
A Reddit police call.
Yeah.
But, yeah, and to me, that bothers me because it's very easy just to credit
the originals.
Like if you're going to do it to that level, you know,
and sort of pass it off as your own, I think that's the difference,
is that he didn't just sort of quote it.
He's actually passed it off as his own.
Yeah, yeah.
Because actually I've just checked his account and he doesn't talk
about security much, but his pinned tweet is still a tweet from 2017
where it's like, coffee shop, people next to me are loud and rude.
They found the perfect name for their new business
and I bought the domain name.
Yeah, and that story's been doing the rounds for ages.
Yeah, it has been doing the rounds.
But when he was called out on it, he was like, yeah, no,
this is exactly what I did.
And there was articles written about it.
And he was like, but he never disclosed what the company name was
or domain name is or anything like that.
Yeah.
It's like the time I woke up in a bathtub full of ice with my kidneys missing.
Yeah.
And just a sign that said, call 911.
Yeah.
Yeah.
Which is interesting, because you're in Nottingham.
Yeah, yeah, yeah, I know. Crazy. And I just, uh, obtained a copy of the Marcus Nyman cookie recipe, which was, uh, apparently worth 300 at the time. Um, but, uh, yeah, it was given to me for free, uh, on email, and it was a lucky day, because it was just after Bill Gates was going to give me a million dollars for forwarding an email, um, which I'd received just that day. Um, no, I mean, there's a lot of shit that goes around on social media.
Andy, we're talking about plagiarism, not about what happens to you in real life.
Oh, right, okay. Yeah, yeah. But it's, it's like on our WhatsApp feed, we obviously, we, we share a lot of memes and, you know, um, other pictures with, you know, big text on it and stuff like that, but it's obviously shared from other sources.
Yeah. And we don't block out the original sources.
No. Or, or if, or if we do, just because the way, you know, I, I screenshot and, you know, chop out all the extraneous stuff, but it's quite obvious as well.
Well, one, it's in a private group anyway,
but it's quite obvious that I haven't come up with it
because I'm not that funny.
True.
So, yeah, it's an interesting one, this.
I'm definitely with Lisa on Lisa's side on this and plagiarism.
Oh, yeah.
I think that's just a clear cut.
There's no two ways about it.
Yeah, absolutely.
I mean, I've, I've seen a couple of people have used slides that I've created, um, in the past. Um, on one case, somebody actually said, do you mind if I, you know, use your example, use this, but that they made absolutely no mention of my name during the actual presentation, which, I don't know, I gave them permission to do it, but you'd think there'd be a little bit of acknowledgement.
It's a bit like, Jav, the Langford Malik,
or as you call it, the Malik Langford risk model.
You know, it's kind of like, it would be so easy for either one of us to just say, this is our risk model, right? But, and for anyone who knows me, um, that you'll know that as the Agnes risk model.
Yeah, but, but you know what I mean. It'd be so easy for us to just, you know, call it our risk model, but it's, it's, um, there's, there's something, you know, I don't want to say honorable, because you're far from that, but it's something far more honorable in actually being clear about where it's come from, right?
Yeah. And remember, in sort of 2010 onwards, I think people were, um, there was a big kerfuffle in the industry about not crediting, uh, you know, original sources, uh, yeah, for stuff, and a lot of it came down to the, um, those comics, XKCD comics, where people were doing, and, uh, you know, occasionally there was stuff like, oh, just, uh, you know, credit where you got it from, or ask permission and stuff like that, you know, put the link in, etc. Um, and I thought, you know, back then I thought, that's really good, you know, this is an industry that sort of self-regulates and, um, you know, sort of calls each other out. But, um, no, and straight up after that, it was just, you know, yeah, people vying for attention, just rip off ideas, pass them off as your own.
But there is, there, there is a difficulty, isn't it? Because you, you might hear something, you know. So there's, there is a quote that I've used in, in some talks, which is, um, you know, people aren't the weakest link in security, they're the only link in security, which I quite like. Uh, I cannot for the life of me find where that quote has come from. Uh, done a fair amount of searching, and, you know, it's probably one of those things that has now sort of entered into the, you know, into, into the vernacular of InfoSec, right?
Yeah.
They probably couldn't even find it.
So at the moment it's, you know, attribution unknown.
But to what extent, how much effort do you actually put in
to find, you know, where you got something from?
And actually, if it's a short statement or a few words,
is that plagiarism, or is that, you know, quoting, or, you know...
Yeah, there's that saying, isn't it? If you steal from one, it's plagiarism; if you steal from many, it's research.
So, yeah, I feel seen.
No, you're right. It's, it is. And, and I think that that's the thing. It's, and with quotes, with quotes like that, I think it's somewhat easier to give it a pass, because when someone makes a statement like that, they're trying to get this thought into the heads of the masses.
So, you know, I see that as a compliment to whoever started that, that now different people are saying this.
You know, it's like the saying, logs or it didn't happen.
Yeah, yeah. Who came up with that? I have no idea. But it's, it's, someone thought of that and said, look, if there's no logs, it, you know, just provide the evidence. And so even if they're not quoted, I'd say mission accomplished for them, well done, because they've now got so many people talking about this and understanding that that is important.
The other side in InfoSec is really the GitHub kind of repository, like the coding side, where people take code and open source code and they'll put it into their own projects.
Cut and paste, right?
Okay.
But it gets really tricky when those end up in commercial products as well.
And so there's a whole bunch of things that go on.
Also, like sometimes researchers independently come up with similar conclusions
or they do similar research.
And sometimes it's not plagiarism but it sometimes feels like that
And, you know, it's, it's, it's a really, um, because just because you, you're the first one to talk about or come up with a, an angle on something, it doesn't mean that you automatically own all rights about that.
Yeah, yeah.
So, so if I, if Charlie Miller, so for example, um, and, and his colleague were the first, you know, the most famous people to first, uh, hack a car, it doesn't mean that anyone else in the future who hacks any kind of vehicle has to credit them, or is stealing from them, or what have you. There's also a lot of, you know... So I think there's a lot of that that goes on in InfoSec as well,
where people feel that because they were the first to do something
or they're the name in something,
that they then own all rights to that discussion in total.
Yeah, exactly.
Any kind of security research or bug bounties or anything like that, right?
It just becomes farcical.
Yeah.
Yeah, good.
Well, blimey, I think we really did that Rant of the Week a bit of justice. I can even hear the builders over the road shouting about it as well.
They're taking their anger out on the pavement. So apparently another company did a driveway the same way they do their driveways.
Yeah.
Is that?
Bastards.
In a flat manner.
Yeah, in a flat manner.
This isn't your manner.
This is my flat manner.
Right.
So, yes.
Excellent.
Thank you very much.
That was this week's...
Rant of the Week.
Okay.
We come to the latter stages of the show.
We're down at the dregs of the barrel.
We're down to the dregs,
where we could either finish here
or we could invest some time in listening to the little people.
So, Jav, tell me, what have you got?
Roll the intro.
And then I'll do that.
The little people.
Tell me to roll the intro and stop talking.
Try that again, shall we?
Go on.
The little people. Oh, oh, shut up. Yes, okay.
The little people. Right, good points, well made. With such a big build-up like that, I think that there's a lot of pressure on this little person coming up, not one but three intros. James McQuiggan is a longtime friend of mine
and also a colleague now of mine.
For many years.
I met him first at IC Square Congress many years ago,
the first one I went to, so we kept in touch after that.
Anyway, other than working in security,
he's also a professor at one of his local colleges and teaches cyber
security there. So I thought, hey, you speak to students, they do degrees, and some of them want
to work in cyber security. So is there a skills gap? Do they all find high paying jobs straight
off the bat? Or is there something more to it? As a cybersecurity professional,
I find it extremely self-satisfying to give back to the community as a local professor.
Now, I've got several students who have graduated and feel they've made a mistake entering the field,
not because there's supposed to be a three and a half million person shortage for cybersecurity
jobs, but honestly, the lack of proper entry-level positions for
these graduates who have a two or four-year degree with various certifications. There's a
plethora of jobs out there, but honestly, don't see a lot of those entry-level positions.
My idea is think about creating a cybersecurity in training, a CIT within an organization,
where you bring on board entry-level hires without the quote-unquote real-world
experience, but have a degree or an entry-level cert. Run them through various positions in your
cybersecurity divisions like a SOC, incident response, tech writing, or hey, even security
awareness. Hey, you're not recording this, are you? Oh, for crying out loud, you said you weren't
recording this. The Little People.
Good point, so I'm eight.
Especially the third one.
Third point. Third point was very good, yeah.
Yeah.
Do you reckon we lost many listeners during that?
Both of them. Yeah. We're sorry, Mrs. Langford. Please, fascinating. And is he a professor?
Does that mean he's got a doctorate,
or is he a professor just because he happens to be a university teacher?
Yeah, I mean, I used to go by professor as well.
You've gone through many, many phases, Andy.
Yeah.
Many names on credit cards.
I went to professor after being a doctor for a long time.
It was a natural progression.
No, he's not a doctor.
He's just a professor because he teaches at the local university.
So professor like as in Harry Potter professor.
Yeah, as in like teacher.
Yeah, teacher.
Okay.
Yeah, yeah.
Got you.
Got you.
Fascinating.
Fascinating.
Got you.
Fascinating.
Anyway, I think we draw to a natural
end at that point.
Have we missed anything? Any jingles we haven't
played? I don't think so.
If we have,
we'll make it up next week with two jingles.
We will.
We will.
Excellent. Thank you. Thank you, folks.
I hope you enjoyed it.
Let us know any feedback, et cetera.
We'll have links to all the stuff we've talked about in the show notes.
And, yes, we will speak to you next week.
So, Jav, thank you very much.
I don't care. Don't thank me.
You guys just do nothing but throw abuse at me for the whole hour every week. I don't even know why I bother showing up most weeks. Well, I don't actually, to be honest.
You're welcome. And Andy, thank you.
Stay secure, my friends.
Stay secure.
Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javad Malik and Tom Langford.
Copyright 2015, or something like that.
Insert legal agreement here as applicable and binding
in your country of residence.
We thank you.
Andy, you're also a sir, aren't you?
I am.
Do you also have a lordship as well?
No, I never.
Do you know, I did contemplate buying, you know,
like back in the day you could buy a piece of land in Scotland and then claim the title of Lord.
No, but I never went with that.
But I do know a Lord.
Lord ****** of ****** or something like that. Yeah, funny.
So he was actually a guy that came in to audit us many years ago.
We took him to a strip club during, during the audit. I just completely compromised him, uh, as an auditor. Um, which, I shouldn't have said his name.
Yeah, just like, yeah, obviously. Uh, yeah, you're never gonna find him. It's a very unique name.
Uh, so maybe, yeah, uh, yeah, uh, scrub that part.
Yeah, yeah, it definitely won't be on the end of your podcast.
Don't worry.