The Host Unknown Podcast - Episode 24 - Andy Has a Broken Microphone
Episode Date: September 18, 2020

It's definitely episode 24 and don't let anyone tell you otherwise.

This Week in InfoSec
17th Sept 2003: Court documents were unsealed which showed that Melissa virus author David Smith began working with the FBI within weeks of his 1999 arrest
http://web.archive.org/web/20030922234951/http://ap.tbo.com/ap/breaking/MGA2Q265QKD.html
18th Sept 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would encrypt data by default for the first time. A day later Google made a similar announcement pertaining to Android.

Tweet of the Week
This week's Tweet of the Week is from the second best InfoSec podcast, after we discovered they crowdsource their content (which is why it's probably better than ours):
https://twitter.com/SmashinSecurity/status/1305801947149225986?s=20

Billy Big Balls of the Week
Best security blog post you'll ever read - better than 90% of Black Hat / DEF CON talks
"When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number"
https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram

Industry News
Zero Trust Adoption Increases During Lockdown
#GartnerSEC: Professionals Survived #COVID19 as Businesses Relied on Security
#GartnerSEC: Top Projects for 2020 Include Authentication, Risk Management and Cloud
#GartnerSEC: Five Steps to Ensuring Board Engagement
#GartnerSEC: #COVID19 Created New Roles, More Data Collection and Flexible Businesses
#GartnerSEC: Rewrite Recruitment Strategies to Fit New Roles and Career Paths
Outbound Email Errors Cause 93% Increase in Breaches
#GartnerSEC: Top Trends for Risk and Security Include Cloud, Automation and Privacy
#GartnerSEC: How Midsized Enterprises Can Recover from Ransomware
DDoS Attacks Hit 1 Tbps in 2020
Universities Face Increase in Ransomware Attacks as Students Return

Rant of the Week
First rule of Twitter - rather than just praise someone and applaud them for good work... make it all about you
Novi Sad, Serbian Gangster (not for the faint of heart... unpleasantness abounds)
https://newsbeezer.com/serbiaeng/the-novi-sad-attacker-is-the-director-of-the-company-that-founded-the-maxbet-bookmakers/

Come on! Like and bloody well subscribe!
Transcript
I just realised I had a mute in myself.
Yeah, we know.
Thanks for involving us in your family activity.
My wife was only calling to ask if I'd had breakfast
or whether she should make me something.
Mate, it's two o'clock in the afternoon. What are you talking about?
Ten o'clock in the morning.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening.
Or is it just before or after breakfast for Jav? We're not sure yet.
Welcome to the Host Unknown podcast. It's episode 23, no less.
Host Unknown would like to point out that this is actually episode 24.
Say again, episode 24.
Hello Jav, how are you? I'm very good, thanks. Have you had breakfast?
Yes, I've got a nice coffee in front of me, and also when I went to make my coffee
I made myself a peanut butter sandwich with some chopped banana. What are you, six?
That's a very protein-rich breakfast you've got yourself there, Jav. It is.
It is, and it's a lot cheaper than the posh food you're eating these days, Tom.
What, my posh Slim Fast for the modern man? Exactly, yeah. So yeah, when you mention the word Huel,
like, I don't know anyone that's eaten it or, you know, mixed it with water, whatever you do with it,
but I always see it advertised on Reddit constantly. Yeah, is that where you got it?
Yes, that's exactly where I saw it and looked into it, and I thought about it quite a lot because
actually my problem is... Oh God, here we go, this is going to be like a health and beauty podcast.
Your problem is you like the taste of food, right? One of my many problems, yes. One of my many, many
problems is I love eating, absolutely love eating, but unfortunately, yeah, well, there is, you know, when
when your body doesn't love you eating, you know. And so what I thought, I'd give these things a whirl
because it's actually kind of everything you need in one sort of thing, and, you know, it's, I don't
know, I've been using it for about three months now and it's nice. Yeah, yeah. And, well,
ever since I moved into my flat,
actually, because I, you know, I didn't want to, I didn't want to do it in front of other people,
but, yeah, I mix it in with some oat milk and some fresh fruit and, with it in my blender,
it's great, it's really nice and it's... God. That whole statement was so middle class.
I can't...
It was.
It was.
What?
Oat milk.
Shovel in the bullet.
Folks, don't let anyone tell you
targeted advertising doesn't work.
These ads were following Tom around on Reddit for months
and then he finally caved in and bought some Huel.
Look, I used to drive to Waitrose in my Prius to pick up my stuff, but now I just get those
nice people from Ocado to do that. Anyway, Andy, how are you, sir?
Good. I am happy in myself eating stuff that probably isn't good for me, but I know will make me happy.
Even if it is empty love.
Empty love.
That's the first time I've heard those kinds of personal services delivered as empty love.
Yeah, no, life's too short to restrict yourself.
Yeah.
It reminds me of those honest adverts.
It's like, you know, for a Volvo, the advert is, you know,
it's boxy but good.
You know, you're going into a telephone box, kids,
if you don't know what a telephone box is, ask your parent,
and seeing a little contact card for empty love.
Oh, dear.
Anyway, so what have we got coming up today?
We've obviously got Tweets of the Week, Billy Big Balls, Rants of the Week.
Pretty sure we don't have a Little People of the Week,
but according to the show notes, we've got a new feature.
Oh, do we?
Well, this week in InfoSec.
Oh, I did.
Yeah, so that was just a little bit of filler.
Yeah, because we can never quite fill the full hour, can we? Yeah, so I, you know, I know we didn't have a jingle or anything lined up for this, but
yeah, remind the listeners where we come from. So I think there's sometimes,
you know there are some other shows, other podcasts which are on where they kind of obviously link stuff back to an InfoSec topic.
You know, whereas I think that, you know, and that's very much, you know, what you'd expect from the Red Tops and those kind of papers.
The Financial Times, you know what you're looking for.
You don't need it explained to you.
And so I thought maybe we should just make it a bit more obvious,
some of the InfoSec content.
All you're saying is some of our competitors are a little bit more
in your face, a little bit more, you know, for the common man,
woman or child.
Yeah.
I mean, you know, the circulation of The Sun and the Daily Mirror is far higher than the
Financial Times.
Don't get me wrong.
At least other podcasts.
Listenership is far higher than ours.
Exactly.
But you know,
the people that do listen,
they know what they're looking for.
We go for quality.
So speaking of competitors and other podcasts and quality, you guys know of
Security Weekly, the podcast I still, many people still refer to as paul.com? Yes. Okay. Yeah, I didn't
know it's called Security Weekly, I thought that was something different, but I do know paul.com.
Yeah, so it's, Paul Asadoorian set it up and what have you. Anyway,
a couple of weeks, 10 days ago, they got acquired by CyberRisk Alliance.
So a podcast that somebody does just, you know, like us, for the love of it, got paid money.
Well, how do they do that? They didn't just do it for the love of it. If you've
ever heard, they actually have lots of sponsors that pay their money to do it and they
have paid sponsor slots and what have you. So the, who would call themselves out for
money, the CRA, they own SC Media, InfoSec World Conference, Cybersecurity Collaboration Forums, and Cybersecurity Collaborative.
So it's kind of like this big umbrella.
They do events and they do media and stuff,
and I think they probably saw that they had a gap in the podcasting space
and they acquired Security Weekly.
So congratulations to all the guys who sold their souls.
Why would they go after Security Weekly instead of smashing security?
Probably an American thing, isn't it?
They can't understand the accents.
Yeah, and there's too much of the "uh" going on as well.
Muttley effect. Oh, I love that. I think it's brilliant, I think it's brilliant.
Oh dear. So anyway, back to you, Andy, and your This Week in InfoSec. Ta-da!
Yeah, oh, is this me?
Okay, all right.
This was... Well, I don't know.
I mean, hey, go for it.
Well, so I was just thinking, you know, topically,
you know, what was happening in the world of InfoSec
in this week.
And in 2003, on the 17th of September 2003,
court documents
were unsealed, which
showed that the Melissa Virus author
David Smith had
begun working with the FBI just within
weeks of his 1999
arrest. And so what
happened was they obviously, you know,
after they caught him, they arrested him.
They just flipped him. Turned him.
Turned him. He turned him. They turned him.
He turned snitch very quickly.
Reminds me of that fella from Anonymous.
What was his name?
Sabu.
Sabu, yeah.
He was basically with the FBI the entire time.
Yeah.
It's almost like these guys, they're walking along, they see a traffic warden by their car,
and they're like, oh, flip, oh, flip. I'm too pretty to go to jail.
Whereas obviously, you would withstand any kind of police interrogation.
Any kind of legal threat.
I was going to say, the second a solicitor wrote you a note.
You have to do a post-it note.
Oh, dear.
You guys are such arseholes, honestly.
Oh, we take that as a badge of honour.
Oh, dear.
And also, I think, you know, in this time, it's actually only 2014.
This day, 18th September 2014, Apple announced that the iOS 8 operating system,
which was used on the iPhones and iPads, would actually encrypt data by default for the very first time.
Was it as late as that?
It was.
I'm really surprised.
We just assumed that. Yeah, but I always thought beforehand it was on.
Was there a switch for it before?
I don't know.
I think by the...
Yeah, the way they say by default,
I think there was optional prior to that.
I mean, there's this misconception...
Well, I say misconception.
There's still this sort of view
that encryption slows stuff down.
Oh, not anymore.
That used to be the case.
You know, you put encryption on and your battery would run out
in half the time and everything would slow down.
But not anymore.
It's because there's dedicated hardware to it now,
whereas before it was all in software most of the time.
So, yeah.
And the interesting thing to note with that was later, you know,
24 hours later,
Google also made the announcement that similar control to be on Android.
And it's probably the last time that Apple actually did something before Google did.
Really?
And also with Google, as I recall from having an Android device that I was messing around with a few years back,
it doesn't pertain to external storage. You have to enable that manually, right? So when you
shove in an SD card, or micro SD, the big thing about, you can expand storage and all
that sort of thing, you think everything's encrypted and it's not. So, yeah.
Well, the only reason you're using an SD card to start with is either to download movies onto your phone so you can watch them all
or to export photos from your phone onto your desktop.
I don't want people to know what kind of movies I'm watching.
Excellent.
Well, I think we're going to have to try and come up with a jingle for that.
In fact, if any listeners would like to come up with a jingle for This Week in InfoSec,
we will gladly take it for free, and thank you live on the podcast.
So, if you are listening...
Sorry, say again?
Get that guy from Fiverr
To do it again
Yeah
Yeah but he costs
10 quid every time
That's the problem.
So anyway, I think we could move on straight away to this week's Tweet of the Week.
And this one is me.
And it's from the second best InfoSec podcast, which they were quite, I'm surprised by this,
actually, in fact shocked. Disappointed is probably a word I'd use, somewhat upset, but also I'm
slightly giddy with excitement about the second best InfoSec podcast out there,
the wonderful Smashing Security,
friends of the show, Carole and Graham,
we always thought, and in fact, when you listen to it,
we thought the content that comes from it, it comes from their hearts,
from their passion and the fact that they're always on the ball.
They're feeling the very pulse of the InfoSec industry.
Like the lawnmower man of InfoSec.
Yeah, yeah.
I'm struggling with that analogy. I'm going, okay, I didn't think
this one...
That was a dreadful film, wasn't it? And quite what it had to do with the Stephen King film, I
don't know. Anyway, and that, you know, and the guests they bring on also do a similar thing.
They come with their own stories, very unique, et cetera.
Turns out we were wrong.
They crowdsource their content.
There was a tweet this week that basically said,
got any good stories?
Let us know and we'll put them on our podcast.
I'm shocked.
I'm shocked.
It's like they don't even care anymore.
So, yeah, I'm amazed.
I'm amazed.
So, obviously, I sent them two or three good stories,
but, you know, we'll see if they rock up.
I'm going to quote Steve Jobs here, rest his soul. So some people say give the customer what they want,
but that's not my approach. Our job is to figure out what they're going to want before
they do. I think Henry Ford once said, if I'd asked customers what they wanted, they would have said a faster horse. People don't know what they want until you show it to them. That's why
I never rely on market research. Our task is to read things that are not yet on the page.
And I think that's what differentiates us from the second best and all the other podcasts. If
you crowdsource it, people are just telling you what they already know or they heard about. Yeah, we're telling them stuff about Huel that they
have no idea what it's about. Yeah, but now they know what those bloody annoying adverts on Reddit
are. Exactly, yeah. Yeah, and what kind of idiots buy it. Yes, exactly. Are you going to be doing one of those before and after photos?
This is Tom in six months. He lost his glasses
and most of his head hair. Again. Oh dear. Fascinating, fascinating. I'm surprised you
had that Steve Jobs quote up and ready to quote from, actually, Jav.
It's almost like you'd known about this.
No.
Is it one of those inspirational quotes you've got written on your wall?
Next to live, love and laugh.
Yeah.
And, you know, just it goes along with my no regrets tattoo.
No regrets.
Anyway, Carole and Graham, we love you.
You know we do.
We're just very, very disappointed.
Tweet of the week.
You know what I think may have happened is that, obviously,
Carole is the brains behind that show.
Well, obviously.
Have you met Graham?
Maybe she went out and said, you know, can you just take care of some content?
You know, just find like one article that we can run with.
I'm really busy this week, Graham.
Exactly.
I'm doing the heavy lifting all the time.
Yeah.
This one week, can you make this happen?
Yeah, and this is exactly what happens.
Yeah, exactly.
I don't know.
I don't know.
I don't know if you listened to the podcast that came out yesterday,
the latest Smashing Security one.
I haven't yet.
Have you?
I have, yeah.
It definitely went in a different direction to what I was expecting.
Did it?
Yeah, Graham's kind of obsessed with this new Paris Hilton documentary.
And I kind of missed the start.
Really?
But, yeah, so.
How do you miss the start of a podcast that you listen to in your own time?
Oh, my dog was, yeah, my dog was playing up.
So actually my headphones fell out,
as I was using my old school headphones, so I could...
All right.
And did Graham say the two magic words
and your dog decided it needed to go?
Yeah.
But no, talking about how Paris Hilton,
you know, all of her voices and, you know,
the sort of the bimbo act is actually that.
And she's actually a very smart, you know, person behind it.
Right.
Sounds like really interesting, this new documentary that's on.
But obviously, I was thinking of a very different type of documentary with Paris Hilton called In Paris.
Yes.
Oh, classic.
It's so classic. But, yeah, and there's a part of that in there where, so I've
heard, you know, I've read reviews of this, so you know how, like, she may act in all of her, I
think that show she did with her best friend, you know, like Rich Girls, whatever. But there was that previous video where
she's in the middle of something, but in mid-flow her phone rings and she stops to answer it.
And that is what I formed my opinion of Paris Hilton on, was her attitude to just, you know, stop
whatever you're doing, just answer your phone to see what your mates are up to.
It was just shocking, absolutely shocking.
It's funny, it reminds me of when I first went to India,
so talking end of 2004 and end of 2001.
I'm very interested in the link here.
Well, I was in this hotel... no. So in India, obviously, mobile
phones everywhere, same as everyone else, you know, everywhere else, but voicemail was quite an
expensive add-on, and so very few people actually had voicemail, and so therefore it was much more
common to answer the phone, answer the mobile
phone in the middle of a meeting or in the middle of a conversation, because the people just wouldn't
leave a message because they couldn't, you know, and it could be important, et cetera.
And one of my American colleagues, it used to wind him up a treat because he'd be literally
talking face to face
with somebody and their phone would ring and they just basically half turn
and answer the phone.
And it got to the point where he lost it with this,
I think he was either a director or a VP.
And this guy was only a senior manager, but, you know,
just sort of turned off. And Brian basically, you know, held the finger up to him and said,
don't, as he went to answer his phone.
Because he just found it so offensive.
Without understanding the actual reasoning and the background and, you know,
and the fact that it was actually an acceptable
thing to do. I don't know how much, I think that's sort of changed somewhat now, but yeah,
it's, I think it's really quite fascinating, the difference, well, the cultural and the
behavioural differences over something that is actually quite common throughout the mobile phone
concept.
So yeah,
fascinating,
fascinating.
Yeah.
I keep switching off my voicemail.
I just hate it.
Like it did pay.
If I miss a call,
you know,
if I'm on another call and then I just see that voicemail icon come up and it
just pains me.
I think,
why would you do that?
You know,
I ended up leaving like four or five messages at a time.
And then when I get to listen to them, it's like, oh, spoken to them, delete.
Oh, spoken to them, delete.
Yeah, yeah.
The worst thing is these days, because of the lockdown,
a lot of people are working from home.
And so it comes from private numbers.
So because they route it through their corporate or what have you,
their systems are set up. So, so many times it's like an appointment or something like that. And
I've got no idea. And if it's an unknown number, especially if you're in the middle of something
else or whatever, you're like, it's probably someone trying to sell me something or, you know,
just some scam, like, oh, you were involved in a car accident. So I just ignore it. And then it's
like later, it's like, oh, it was really important, I
should have taken that. Then... but the person's dead now. So your doctor calling about your test results?
Yeah.
You're listening to the Host Unknown Podcast. More fun than a security vendor's briefing.
I tell you what, those show notes are so useful for telling me when I've got to press those buttons.
Do you know what we didn't do was actually check the levels
before we went into this.
Is that too loud?
That was actually quite loud, yeah.
Okay, okay.
I'll turn it down one notch.
Yeah, let's get it.
Ears are bleeding already.
It's too late.
Okay. Hang on.
They're now deaf.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
Is that better?
Yeah, it's better.
Okay.
So when I listen to our podcast, if I'm listening to it just through the speakers, it's normally fine.
But when it's on the headphones and the jingles come on, sometimes
it's like, whoa. Okay, you're telling me this now, when we're live and recording? Yeah. I think, I think
we operate on radical transparency here at Host Unknown. We do. Fail fast, fail often, I think is the,
is it? And keep failing. Keep failing.
Isn't that the agile methodology?
Something like that.
One day we'll get it right.
One day we'll get it right.
We should ask Gene Kim to write us a book.
It'll be quite a short book with one page with the word bollocks in it.
I don't think I've ever heard Gene Kim swear.
Let me try and get him to swear for us next week.
Oh, we should.
How about you get a whole bunch of swear words or even sort of faux swear words,
and then we'll have a Gene Swears segment,
and it will just be the one word that he says.
I think that would be perfect.
I mean, who wouldn't want to
take part in that? Exactly.
Right, let's
move swiftly
on to this week's
Billy Big Balls
of the Week.
See, that's too quiet
now, isn't it? It's fine.
It's fine this side, yeah.
Anyway, crack on, Jav. So I got up one morning a
few days ago and I saw this blog post, and I was meant to get on the treadmill in the morning and
get some of my steps in. Apparently it will help me not die so quickly. But for the next 20 minutes
I was reading this blog post with tears in my eyes, laughing hysterically and thinking, this is the most entertaining blog post I've read in my life.
It is better than most Black Hat or DEF CON talks or any big conference talks I've ever seen.
And I think you'll ever see as well.
It's an Australian blogger who I've not heard of before.
His name is Alex, and his website is mango.pdf.zone.
And the blog post is like,
do not get arrested challenge 2020.
When you browse Instagram and find former Australian Prime Minister
Tony Abbott's passport number.
And it's just so well, okay, technically,
if you just look at the high cliff notes,
there's probably nothing that will surprise people
that are versed in the art of open source intelligence or what have you.
But, you know, Tony Abbott basically posted a picture of his boarding pass.
So from that he got
the reference number and, you know, went on to the Qantas website, found a vulnerability
that allowed him to extrapolate a lot of information, and then he went around. But it's just
the craftsmanship in building the story and the way it's presented that made it so, so, so brilliant. And the best
thing I love is how it started off where in a group chat, one of his friends sent him a picture
of his boarding pass from Instagram and said, Alex, can you hack this man? This is just like, you know, the stuff that Andy sends us all the time, except we're too lazy to follow it up with anything.
And with less nudity.
Yes, with less nudity.
Well, actually, yeah, to be honest, I have in the past said to Andy, Andy, this person here, can you get me a dossier on them?
And he has produced them to great detail,
but that's something we cannot go into detail with here or anywhere else.
Personal service that Andy provides only for his closest and bestest friends.
Yeah.
But there are some absolute gems in this.
It's just the flippant nature.
So there's things like, you know, people post pictures of their boarding passes all the time,
not knowing that it can be sometimes used to get their passport number and stuff.
They just post it like, OMG, going on holiday, unaware that they're posting cringe.
Meanwhile, some hacker is rubbing their hands to being all yum, yum, yum,
identity fraud in their dark web Discord because this happens a lot.
So, you know, I think the one thing that I,
the one sentence that I think sums up, like, hacking perfectly is where he goes, I clicked around and scrolled at considerable
length but still didn't find any government secrets. Some people might give up here, but I,
the Icarus of computers, was simply too dumb to know when to stop.
Sort of that, that writing style he's got is absolutely fantastic. I think it is down to
the storytelling, isn't it? Yeah. And it's very difficult now, as you say, you know, this would
have been a fantastic, you know, sort of Black Hat, DEF CON talk. But, you know, obviously in the
current situation where that's not happening, it's very difficult to, I guess, keep people engaged
where everyone's writing in a blog post.
But, yeah, this article is actually fantastic when you shared that one.
It is. And, you know, he's broken it down to acts and, you know,
the do not get arrested challenge. And he's got these checkboxes like figure out whether I have done a crime.
Notify someone, Tony Abbott, that this has happened,
get permission to publish this blog, tell Qantas about the security issues so they can fix it.
And, you know, it's so funny, but it's also so insightful into, it's not just about, oh,
I found a vulnerability, let's report it and walk away, or let's report it once and then start complaining about it on
social media, because he does go on to say it takes almost six months for him to do it. And I,
you know, I will post the link in the show notes, but go ahead and read it because I don't want to
spoil it. I don't want to ruin how it ends when he starts phoning around not only Qantas, but also tries to report it to the Australian Secret Service,
whoever's in charge of the security and what have you.
So it's a fantastic story, well worth setting aside some time
with a cup of tea and reading it.
It reminds me, because the storytelling element is so strong,
it reminds me of when we were at 44Con a number of years ago
and one of the closing keynotes was somebody talking
about how they did a text to Twitter utility
so that somebody who had been arrested
without any kind of proper due course
or anything like that, or whatever it's called, due process,
so that they could continue their sort of social media tweeting,
et cetera, but from the prison phone.
Technically, you two were there as well, but technically
it was a very, very clever and a great story, but it was told
with such utter lack of passion that it was a dreadful presentation as a result and people were
leaving as a result. And all it would have taken was a little bit more, you know, style and panache, if I could say that,
to actually turn what, you know, what was a brilliant piece of tech hacking into a great
presentation. Because let's face it, and you'll realize this when you read this particular story,
this is not a brilliant piece of tech hacking. You know, this is accessible by anybody.
You don't have to know anything about technology or hacking
or whatever to actually understand this.
But the story, and you will want to read it all the way
through to the end, you will learn something
and you will be entertained.
And you'll remember it as a result.
I can't remember that closing keynote.
I can't remember that either.
It was about weev, do you remember that
troll guy weev?
oh yes
he was in prison
and his friend
of his
let's not speak him off to death
let's move on.
I tell you what, though.
It does remind me.
I was in my mind when you started off saying it.
I thought you were going to reference Paper Ghost,
Chris Boyd's awesome talk at SchoolCon.
Oh, yeah, yeah.
So that was Mark Kraninamtab or something like that.
It was a weird title.
But if you can find it, let's try to find it. I'm sure it's recorded, but
that was, what a masterclass in fantastic storytelling. And again, not amazing technical
hacks, but, you know, obviously it was very well executed. There was a lot of planning, there was a
lot of, you know, logistics and all that sort of thing, but
actually the story and the payback at the end was amazing. It was. And,
you know, this is the thing, the industry has moved beyond standalone technical exploitations.
That's not where the fun is. I mean, maybe a few years ago,
you know, 10 years ago, that was the thing. I found a new way to bypass Windows NT or whatever,
and that was cool. Now it's not so much that, because there are fewer of those around
and what have you, but it's really about, okay, a lot of talks are, or should be, answering the so
what. So what if you can hack into this IoT-connected fridge? So it's more about how do you
take all these different vulnerabilities, whether it be a technical hack, whether it be some process
that you can abuse, whether it can be some people you can manipulate,
and layer them together like pieces of Lego to make something that's really, really complex and interesting.
I think that's where the real skill is these days.
Yeah, absolutely.
Absolutely.
So anybody doing a presentation
In the foreseeable future
Story
Tell us a damn story
Don't tell us what you did, tell us a story
And then tell us what you did
Billy Big Balls of the Week
Excellent
I really enjoyed that article
When I read it, when you... yeah,
very good. And it was definitely needed. So I think this week we did have some
quite troubling content, didn't we? It was, which again, it was just a fantastic storyteller,
yeah, that went to 10 parts, you know, on 10 different posts on Reddit, which, you know, I followed through, you know, I'd seen in the past.
I never, you know, because it's such a long story.
But, you know, I was just engrossed reading it.
Yeah.
And it's just, yeah, shocking.
And then plot twist.
Yeah.
So that was kind of depressing.
And then there was, you know, another proposal for Billy Big Balls,
the Serbian gangster who's... Oh, God. Oh, that was awful.
Novi Sad, where, you know, he actually,
you know, beat this guy up. And not only did he beat him up, and this is all, you know,
video recorded, you know, there's a video to accompany this, without sound, I'm glad to say.
Yeah, well, yeah, it's from CCTV footage.
So not only did he just beat this guy up,
continued to pummel him while he was on the floor.
And unconscious.
I was unconscious, yeah.
He actually just broke both his arms.
Yeah.
You know, but yeah, pretty graphic.
But, you know, that was the story going without a lot of false reasons
as to why he was doing that spreading alongside that story.
Yeah, I don't believe everything.
Well, that is true.
I mean, I think the big thing from that was when that video was originally shared and it's horrific.
It's it's you know, it stayed with me for days.
And, you know, and I know it did with you, Jav.
Andy, I know you're not that sensitive, but it's horrific
video, but the original caption was
man tries to
meet 13-year-old girl for
sex, but meets her uncle instead.
And then you see this guy
beating this man up and breaking his arms,
etc. It's horrific,
but then you think, huh,
Well, you know, okay, fair enough. You know, yeah, over the top.
You can understand why he may have had that reaction.
Absolutely, absolutely.
You know, but then you hear it's actually Serbian gangsters getting upset at each other and deciding to teach him a lesson. It really shows you the power that the high-level narrative can have on your interpretation of something.
Yeah. You know, I hate to say the words fake news, because, you know, some orange twat in America keeps, you know, using it wrongly. But, you know, it just goes to show how easily manipulated we can be by just a few words.
Yeah, alternative facts.
Alternative facts, I was going to say, yeah.
Yeah, yeah. No, that's... And I think this is where you see it more and more on social media now, where you can see the same image or the same little clip and there'll be two widely different interpretations. And it's so deliberate now. But the thing is that whichever way you're more inclined to go, you know, you're going to settle on those, and it takes a lot of effort to, like, take a step back and try to think about it rationally and try to dig into some of the reasons behind it. So it's an ugly place.
Yeah, absolutely. Let's move on to something a little bit more cheerful, Andy, shall we?
Oh, let's do it. So what have we got?
Oh, so, do you know what? Our reliable sources over at the InfoSec PA Newswire have
I can see your cursor moving over the Google Docs.
very busy this week bringing us the latest and greatest security news
from around the globe.
And I hope you're ready for this marathon.
Yeah.
We've got to be in it for the long haul here.
Industry news.
Zero trust adoption increases during lockdown.
Industry news.
Hashtag GartnerSec.
Professionals survived hashtag COVID-19
as businesses relied on security.
Industry news.
Hashtag GartnerSec.
Top projects for 2020 include authentication,
risk management and cloud.
Industry news.
Hashtag GartnerSec.
Five steps to ensuring board engagement.
Industry news.
Hashtag GartnerSec.
Hashtag COVID-19 created new roles, more data collection and flexible businesses.
Industry news.
Hashtag GartnerSec.
Rewrite recruitment strategies to fit new roles and career paths.
Industry news.
Oh, no hashtag GartnerSec.
Outbound email errors cause 93% in breaches.
Industry news.
Hashtag GartnerSec.
Top trends for risk and security include cloud, automation and privacy.
Industry news.
Hashtag GartnerSec. How mid-sized enterprises can recover from ransomware.
Industry news.
DDoS attacks hit one terabit per second in 2020.
Industry news.
Universities face increase
in ransomware attacks
as students return. Industry
news. Oh, you beat it.
And that was this week's
industry
news. How's the audience
going to fill in the gaps? I don't know.
I don't know.
I think
I have this sneaking suspicion
that our InfoSec Stig might have been at a Gartner security event
this last week.
I'd support.
I mean, I hope he wasn't there in person.
He, she, or it wasn't there in person.
He, she, it, they.
Oh, God.
Yes.
You know what I mean?
I know.
Wow.
What a huge if true.
Yes.
I can't believe how many stories that is.
I know.
It's a lot.
Hold on.
Let me just click through and see how long these stories are,
how in detail they are.
Yeah.
Yeah, because we've done a lot of analysis and looked at these
and read them in detail to make sure we bring you the very best.
So how long are they?
Well, they're decent.
Well, maybe they just took the abstract from the talk
and just pasted it and topped and tailed it.
I don't know.
That's what I would do.
Well, yeah.
Well, that's why you're not our InfoSec Stig, Geoff.
Exactly.
Or am I?
We're professionals.
We have professionals to be our, or professional being our, InfoSec Stig. I hope you know that.
Oh dear.
Yes. So I think we should move on. We're cracking through it this week. I have to say we didn't need that extra content to pad out the full hour.
So, yeah, let's move on then to this week's Rant of the Week.
Okay, so this one's actually going to be me. And do you know what, I don't know whether it's because I'm kind of going sort of Benjamin Button in my, I guess, social media usage.
As you know, I do tend to spend more time on TikTok than I do any other social media channels.
And it is a platform, as I'm sure Jav would agree, when he sort of hit it hard in his method acting days,
you know, where he sort of dedicated a couple of days with no sleep to, you know, really get a feel for the platform.
But it is a platform that self-regulates very well, I think.
Similar in some ways to Reddit, but I think I have more faith
because I know, you know, a lot of these are the, you know, younger people, like the next generation. You know, so I can sort of say, well, you know, I actually feel good about the future in terms of the, you know, the people that are coming through and will be guiding the moral compass of, you know, what's acceptable and what's not. But one thing I do like is that they will hold people, you know, to account if someone steals content.
Now, for those unfamiliar with TikTok, obviously, it's about, you know, you can lip sync, you can reuse other people's sound.
You know, it's about making your own interpretations of something that exists.
But the purpose of using someone else's sound, it's like the equivalent of a retweet.
You know, you can actually see that
original source. Yeah, if you retweet with comment, you know, you can see who originally came up with that and, you know, you're sort of adding to it. And so, you know, if someone purely rips off content, you know, they get called out very quickly. You know, it's fantastic the way they sort of self-regulate. But there's something else that, you know, you will get berated for.
And it's, you know, what we call like clout chasing, which, so Tom, I know this is probably a term unfamiliar to you.
This is, you know, how young people speak these days.
He's thinking about the rascal chasing money.
Are you thinking about the Rask Clark chasing money?
Clout chasing is someone who tries to feed off the popularity of others,
you know, to benefit themselves.
Bathing in reflected glory.
Yes.
You know, I mean, there's a meme that, you know,
we stand here amongst my achievements, not yours.
It's very similar to that.
And, you know, you see it a lot in InfoSec especially, right,
you know, where everyone sort of has to get in their credentials. It's like this industry where people are just so insistent
to make sure their credentials are at the top of the pile.
You know, like one topic comes up, someone comes in,
hey, you know, it reminds me of the time I did this.
It reminds me of the time I did that.
And, you know, these are people that don't need to chase clout either.
And part of this may be just my misunderstanding of self-promotion
because, you know, there's one thing I absolutely suck at.
It's self-promotion.
It's just not something that, you know, I'm comfortable with or something that I ever actively pursue.
And then you wonder why you don't get invited onto the front cover of Infosecurity.
I'd say Jav could teach you something about that.
Yeah, I'm sure. Yeah, believe me, I know I've got some teachers if I need it, but it's just not something that's in my desire.
And there was, you know, this excellent story that you actually spoke about,
Jeb, the Billy Big Balls of the Week we featured from, you know,
mango.pdf.zone about hacking, you know,
Tony Abbott's passport number just from his boarding pass
And, I mean, there were some people clout chasing off the back of that, you know, very popular posts that sort of came in. And there was one which was surprising, was a friend of the show, Mr Troy Hunt, who is a very popular person, who, you know, it is sort of like, oh, this reminds me of, you know, a talk which I gave, you know, back in 2014. You know, it's like six years ago. But it's that sort of just inserting your own content, you know, in terms of making someone else's story about yourself. But it's also like saying, well, I was there six years ago.
Yeah.
And to me, it's just I'm just not like that. I don't like that type of thing.
If you relate it to someone else's story,
like if you're giving kudos to someone else, say, hey,
it reminds me of X, Y, Z.
Yeah, that's brilliant.
So when you said, you know what, this reminds me of,
and I thought you were going to reference one of your talks,
I was thinking, oh, this isn't going to go good.
But when you referenced, you know, 44CON and Chris Boyd.
But, you know, I think if it's, you know,
when you're giving praise to others, I absolutely love that.
When you're self-promoting, I actually hate that.
It's not very classy, is it?
No.
Yeah, like I say.
Mind you, Troy is Australian, so class and Australian.
Oh, this is true.
Yeah, it's true, mate.
Love you, Troy.
Yeah, clout chasing for me.
Not a fan of it.
Don't like it.
Don't need to do it.
Yeah, I must admit, I agree.
And I think, you know, as you say, Troy Hunt, friend of the show.
Troy, we're a bit disappointed in this, I have to say. We thought better of you. So perhaps in the next tweet of yours or something, you could perhaps say something like, I really want to put Mango PDF's story out there again. What a fabulous story, or something like that.
Or if you want, you could say how it reminds you of the sharks and toothbrushes analogy.
That's also acceptable as well.
So Andy, in terms of clout chasing,
if say InfoSec parody Rap Group were to make a video based on the CISSP
just because it's going to give them lots of traffic, is that…
CISSP, right?
CISSP, yeah.
Is that a thing or is that…
No, parody is perfectly acceptable.
That is fair use for the benefits of humour.
So as long as it's humour, I'm all good with that.
And there's self-awareness in there as well, right?
Yes.
What do you mean self-awareness?
What?
All the self-awareness of a dog licking its bum all in public.
What?
What do you mean by parody, eh?
Actually, I think there is a way that Troy Hunt could make amends here.
And what would that be?
I think Troy could sponsor an episode, or episodes, of the Host Unknown podcast, and we'd very happily tell everybody about, you know, Have I Been Pwned and all that sort of stuff.
But I think, you know, the best way that Troy could make amends
is by giving us some cold hard cash.
This is fantastic.
You know, Granddad Tom lecturing someone on the internet.
It's like, you made a mistake in my opinion,
and therefore, to make amends, give me some money.
I think you mean give us some money. You know, I never get to see any of it. I don't...
Hold on, that's because you don't pay for any of it.
Excuse me, excuse me. When you went to renew the domain and you couldn't because it was assigned to a different card.
Oh yeah, the one you stole.
The domain? I didn't steal the domain. I accidentally redirected my...
And also, talking about not seeing any of the money, I don't recall seeing any of Andy's accounts at all recently
about the cash that he's holding.
Do you know what?
I think my microphone's breaking up now,
and my headphones as well.
Actually, yeah, you are sounding a bit rubbish.
I think you need to dip into the fund to sort out your audio quality.
I'm only down 50 left.
You owe it to both of our listeners.
What can I get for under a tenner?
Because that's all that's left.
Two cups and a bit of string.
That's cans.
Anyway, so Troy Hunt,
we know you're listening
because we know you're a massive fan
of Host Unknown.
Make amends.
Make it up to us.
Tweet about Mango PDF.
And this could be you.
Host Unknown.
Sponsored by...
Have I been hired?
Oh, okay.
Well, I'm glad we're so on message on this at the moment.
Oh, dear.
That was very, very good.
Very good and very true here.
Let's stop being dicks, as they say, and start bigging each other up.
Let's elevate each other.
Yeah.
After berating someone for the last 10 minutes,
let's stop being dicks, folks.
Let's lift each other up.
Yeah, obviously it doesn't count if it's about us.
No, no.
I was talking about you two.
Oh, dear.
Well, we're drawing to the end of the show,
but we have to do this last tweet.
You didn't play out the, that was this week's Rant of the Week.
Oh, I didn't, did I?
No.
I tell you what, Graham will be laughing his ass off at this
because he always takes the mickey out of us.
Anyway, thank you, Andy.
That was this week's...
Rant of the Week.
Yeah, so you don't have these mistakes if you fix everything in post.
But, you know...
Yeah, what's the fun in that?
Exactly.
So, yeah, we have to do this.
It was one of our backup topics, which I'm guessing...
For a couple of weeks as well.
For a couple of weeks. It's such a good one, and we've got a few minutes left. So, Andy, please, please tell us about this particular... I mean, this came from one of you guys, didn't it, originally?
Oh yeah, maybe I sent it.
Yeah, I think this is your glory.
It's yours and the elephant's.
Yeah, exactly. Go for it, because I think, you know, the subject matter is more your area. Certainly not mine.
Right, so I've got nothing to lose, right? Whereas...
This one's about Milwaukee County Zoo, and this is one of the reviews which is written for it. One-star review. It's a one-star review because there's one thing we know, especially about Americans, is they love to give reviews, particularly one-star reviews if they don't get what they want. You know, the slightest inconvenience will result in a one-star review. So this one is, I mean, it's just, you know, you're left sitting there scratching your head. So the lady, Marie Kelly, says, OK, so first off, me and my family love to visit all different types of zoos, elephants being my all-time favourite.
When we took my daughter to see the elephants, I was mortified by the absolute lack of care and concern.
Elephant had the largest erection I have ever seen.
That's what she said.
She did.
She began asking me what that was,
and she's only three!
Explanation mark, explanation mark, explanation mark.
Absolute sign of insanity, that.
Exactly.
If the staff took care of these poor animals and relieved them, then maybe my three-year-old wouldn't be asking about gigantic elephant erections. Explanation.
Please let me say the next part. Please let me say the next part.
so somebody retweeted that with the comment, being angry at the zoo for, checks notes,
not wanking off the elephants.
I mean, having that on your CV anyway
would just guarantee you a job in any company I was at.
This is where social media checks come into play in that process. You think, okay, we've got a live one here.
I just... it sums it up perfectly, though, doesn't it?
Absolutely thumbs it up.
Oh dear. Very good, very good. Right, well, we started off strong. We started off with, like, Today in InfoSec and we ended with rubbing off giant elephants.
So yeah, via some broken arms.
Via some broken arms, and they're talking about being addicted to Troy Hunt.
Love you, Troy.
So, you know, there is actually a link between a lot of these stories.
And I guess readers of Reddit would be aware of a story of a guy that breaks his arms.
And there's a content of being wanked off as well, which I guess I'll just leave it here for this week.
We can come back to it next week if you don't find that.
Yeah, you know the story.
I'll send you the link and you'll know what that story is straight away.
Okay.
I'm intrigued myself, so I'm looking forward to next week's episode,
I have to say.
Oh, we're going to talk about that person that died because of ransomware?
Oh, no.
That's too depressing.
Yeah, we can't end on
a low note. And also
false, fake news.
Okay.
Anyway, gentlemen, thank
you so much for your time today.
Thank you to our listeners.
We hope you enjoyed our inane ramblings.
Have a great weekend.
Recorded and delivered in real time, almost.
So, Andy, thank you very much, sir.
Stay secure, my friends.
Thank you.
And thank you, Jav.
I do not condone the actions or content of these two gentlemen. So thank you for joining these two, and I will fully support any complaints you have. Troy and Jav will be here in next week's episode as normal. Stay secure.
Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javad Malik and Tom Langford.
Copyright 2015 or something like that.
Insert legal agreements here as applicable and binding in your country of residence.
We thank you.
Do you think Troy's going to tweet about us?
He's going to destroy us now.
He probably is.
He's going to say something and then we're going to have like a million people like saying like, boycott this, cancel this show.
We don't have any listeners anyway.
There's going to be crowds of people with pitchforks
headed by Scott Helm charging towards Host Unknown.
Yeah, the Host Unknown headquarters in Chippenham.
Oh no.
Hopefully it's not the day when you two will be here.