The Host Unknown Podcast - Episode 27 - Normal Service is Resumed
Episode Date: October 9, 2020

Your regular features and even more, such as vegan sweets, Host Unknown imposters, Jav appears in the press with the same quote for different stories, and HMRC incompetence.

Vegan sweets
https://www.the...jealouslife.com/products/tropical-wonder

Will the real Host Unknown please stand up?

This Week in Infosec
5th October 1991: The Linux kernel was released by Linus Torvalds. "This is a program for hackers by a hacker." - Linus Benedict Torvalds. For those keeping score at home, he said "hacker[s]" 4 times in his post to the comp.os.minix newsgroup.
https://twitter.com/todayininfosec/status/1313239418682179585?s=20
4th October 2005: The Samy worm, the first self-propagating cross-site scripting worm, was released onto the then-mega-popular MySpace by Samy Kamkar.
https://twitter.com/todayininfosec/status/1312752236712333312?s=20
4th October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault.
https://twitter.com/todayininfosec/status/1312589059559170050?s=20

Tweet of the Week

Billy Big Balls of the Week
https://twitter.com/repshalala/status/1313187148540137474?s=21

Industry News
Former Australian PM Talks Importance of Cyber Awareness
HMRC Hit by Multiple Phishing and Spam Emails
Endpoint Security Primary Pain Point in 2020
Food Delivery Service Chowbus Experiences Data Breach
Boards Increase Investment in Cybersecurity in Face of Threats and Regulatory Fines

Rant of the Week
https://www.verdict.co.uk/excel-coronavirus-test-data/
It has emerged that almost 16,000 cases were delayed in being transferred to the test-and-trace system because the government was using an Excel spreadsheet to store the data, with an individual column for each case. This reportedly caused problems because the maximum number of columns on an Excel spreadsheet is 16,384, meaning the sheet exceeded its maximum size and so failed to update, preventing the coronavirus test data from updating. Notably, if rows had been used instead, the problem would have been avoided, as Excel supports up to 1,048,576, although many experts are arguing that the software is wholly unsuited to the purpose at all.
"If indeed the government was using Excel to track Covid cases, it is a wholly inappropriate use of the tool," said Javvad Malik, security awareness advocate at KnowBe4. "Excel is a very good spreadsheet, but it has its limitations and in no way ever intended to be used as a database."

Come on! Like and bloody well subscribe!
Transcript
but I'll actually deal with it.
I am out of pick and mix.
I'm taking the last bites now.
Uh-oh.
Is that you getting a notification
that Amazon are at the door with some replacement?
I wish.
That's Jav or you.
That is me, yeah.
Yeah.
Okay.
Yeah, typical.
I should have known that after last week's episode.
You know, I just...
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening and welcome wherever you may be.
This is episode 27. I've neglected to say that the last few weeks, but episode 27 of the Host Unknown podcast.
Hello, Jav. How are you?
I'm good, thanks. I'm good. Well, I'm half good because I had the flu jab this morning and like one of my arms is absolutely numb and throbbing with pain.
But I'm sure that once it connects to all the 5G networks,
the chip inside, I'll feel a lot better.
Once the handshake has been completed.
Yeah, exactly.
I think you'll be all right.
And Andy, how are you?
Low sugar levels, obviously.
Well, I was just saying before the show,
I am out of pick and mix, my preferred choice. But I do realise that Epicurean,
which is a distributor to shops and stuff,
did deliver a box of plant-based jelly sweets,
which I'm going to give a try.
Isn't that called broccoli?
No, so these are some sort of jelly sweets,
which I thought I'd give a try as I was getting stuff,
like cash and carry anyway.
So I've got 20 boxes downstairs.
Oh, sorry, 20 packets downstairs.
No, you've got 20 boxes within which one of which is 20 packets.
It's two boxes, 10 packets in each box.
It's like those Marks and Spencer's veggie Percy's.
Exactly.
It's that type of thing.
Yeah, but they're fruit flavoured.
So I thought I'd give them a try.
But you know what it's like when you've got that minimum order of 85 quid
to get free delivery.
That's a lot. A lot of one lot of, uh, 199 bags, you know. It's, um... In America, nothing is really as healthy, I suppose, is a weird way to call it, but talk about it when you talk about
sweets. But I once got these vegan-friendly jelly sweets in a store in America,
and they were the most vile things ever.
You just put them in your mouth, and they almost glued my mouth shut.
And I thought I was going to lose all my fillings.
It was just horrible.
I just sat there chewing on one for ages, and I was like,
I'm sure this is not chewing gum.
No, it was freak jellies.
Oh, my God.
That sounds horrible.
Yeah.
But anyone that spends time in the US and buys their candy
will attest that it is more miss than hit.
Yeah.
There is some.
You know which ones to go for in the end.
Yeah.
Do you know what I mean?
Almond Snickers.
Yeah.
Almond Snickers.
Now, you turn me on to those.
I have to say, after you demanded I bring back a suitcase of them
every time I went there.
And the Almond M&Ms as well.
They're like the only two things that I can do.
Well, the almond stuff overall.
And they also do a lot more white chocolate.
So like white chocolate Twixies and Kit Kats and stuff like that,
which actually are really nice.
Although I see that the white Twixes have come over here a lot more recently. But, um, but yeah, then, like, the... I was going to say the Native American chocolate, that's probably the wrong way of putting it, but the...
That's Buffalo Balls, isn't it?
Yeah, that's right.
But, um, but the, you know, the traditional American chocolate, like Hershey's and stuff, is not chocolate.
Not even chocolate.
Yeah, no. Do you know, I did find out there's... there is an acid that is used in the making of that chocolate, and if you're not used to it, um, it's, uh, it's what makes the chocolate smell like vomit to people who don't eat that chocolate very often. And it is the same acid that is in the stomach, hence why, when you smell a bar of this chocolate, you know, for those, for the uninitiated,
it actually smells that bad.
I'm one of them, I have to say.
So Hershey's chocolate is...
It does smell like vomit, yeah.
Yeah, it does.
It does.
But it's because it's got that same acid in it.
That was on a Reddit today I learnt.
So today you learnt.
Indeed, yeah.
So that was... Because you know the other thing about the chocolate out there
Is you know Hershey's have the licence
To redistribute Cadbury's
Or as we know it as Cadbury's
But they change the formula totally
So it's not the same ingredients
There's so much wrong with the US
I mean yeah
Let's start with the chocolate
Okay? Yeah. If we're going to fix one thing about the US,
make it the chocolate.
Next week,
we'll move on
to the so-called cheese
that they have in America.
I was going to say,
let's, you know,
does that include
the chocolate orange
that we need to talk about?
Oh, dear.
So, as a famous podcaster, friend of the show, might say: chums, chums, chums.
Love you, Graham. Um, so apparently there is another Host Unknown out there.
I found this on YouTube. Does that mean we've made it when there are knockoffs out there?
Apparently so. Apparently so.
So this Host Unknown is an actual band, as opposed to, you know, three fat middle-aged men miming along to some tunes that don't scan properly.
Um, but this is an actual band formerly known as Fake Plastic Trees.
I'm sorry, you're implying we're not a band
No, no, no
Anyway
Show me a boy band in the last 20 years
That doesn't lip sync
Boney M
Milli Vanilli
Wait a second
What? Wait a second.
What do you mean lip sync?
You guys lip sync?
No, I don't lip sync.
I just read off the cue cards.
With your eyes darting left and right to read them.
Oh, my God.
That's me just checking for my exit.
I still remember many years ago,
you guys taking the piss out of me for singing along.
Oh, sing louder, sing louder.
Oh, how can you forget the words?
But not only were you not singing,
your lips were hardly moving.
Yeah.
Yeah, that's why they could just use random shots of you.
It didn't make any difference. Anyway, he's one of those... Speaking of fake plastic, he's got one of those faces where he'd be accused of having Botox despite not having any.
No, that's not... That's not filler. It's Haribo.
Oh, dear.
So anyway, Fake Plastic Trees became Host Unknown.
They rebranded themselves Host Unknown,
and that was earlier this year, February 2019.
And where do we stand legally?
Well, this is what I think we should ask our viewership.
Should we send a cease and desist,
or should we actually try and
go into, like, an aggressive acquisition? I mean, I, I don't know where we go. So, I mean, let's face it,
they've got 11 followers.
Wow. Okay, are we ready for a battle of that size? I'll just say, the number is 11 to 1.
Hang on.
Yeah.
Exactly, because Jav's just going to fold straight away.
We know that.
Off is the direction in which you should go.
I haven't even listened to their music.
We need to listen to their music.
In fact, I think next week we'll try and get a track of theirs on or something.
Well, that's not giving too much extra views.
We should issue YouTube copyright takedown notices
saying that we are host unknown.
Yeah.
Check the age of our account.
Yeah. Yeah. Exactly. Shit happens to us all the time like that, like taking down videos and then them suddenly appearing again, uh, under a different copyright.
I noticed, though, yeah, you know, there's, there's a scam that went on, like it was, or someone... Not scam, they're basically taking advantage of this loophole where, um, if someone issues a copyright strike against you, you have a certain amount of time in which you can contest it or something, and otherwise it goes to you and you start getting the monetization of the video, the revenue. And so there were people who were actively scanning the news to find out whenever a singer would die,
and as soon as they kicked the bucket,
they would issue a copyright against all of their videos.
And for that period of time,
for that period of time before the inheritance and everything gets sorted out
or settled, then it becomes really difficult for them to reclaim it.
So they were making quite a bit of money that way.
Jeez, I hope that loophole was closed.
It's YouTube we're talking about.
No, in YouTube, probably not.
Yeah, exactly.
Second only in evilness to Facebook.
We're just going out.
We're just getting aggressive this week.
We're getting aggressive early.
Although they do a lovely job of hosting our videos.
So just in case you're listening, Mr. Yankee YouTube, whatever your name is.
So what have we got for you this week? We have, uh, This Week in Infosec, our brand new segment, uh, and then our usual features, uh, Tweets of the Week, Billy Big Balls, Rant of the Week. Pretty sure we still don't have a Little People. Um, not sure what's going on there.
Your sources are letting you down, Jav.
They are.
They are.
So I'm going to go to turn things up from next week
and you will start seeing a flood of Little People.
Well, not a flood all in one show, but you'll see a regular.
You're going to open the door of your basement or something.
All the pun-look posts will be falling out.
Yes.
Singing about Augustus Gloop.
Yeah, exactly.
Oh, dear me.
Okay, well, let's get on with this week's...
This week in infosec
So This Week in Infosec is brought to you with content liberated from the Today in Infosec Twitter account. Um, so a mere, if I did my math, 29 years ago, uh, on the 5th of October in 1991, the Linux kernel was released by Linus Torvalds. Um, yeah, was it 29 years? Apparently 29 years ago. And, uh, you know, in his statement he said, this is a program for hackers by a hacker.
And this was obviously back then the news was delivered.
It wasn't via a tweet, surprisingly.
You know, he didn't broadcast it on Snapchat.
It was to the comp.os.minix news group.
So whichever your favorite news reader of choice was back then
Uh, mine was Agent.
Uh, mine was Angela Rippon. That was, uh, where the news... Yeah, there we go.
That's... I can't believe you didn't even reach for the button as you were saying it. I completely missed it.
So I think we can agree that was a big moment in, I guess, IT.
For all, you know, finally bringing still to this day.
I think, you know, the man is quite active on Twitter and, you know,
talks with people and actively engages the community.
What surprises me about that was it was only, it was like the early 90s or mid, maybe 95 or something like that.
It was everywhere.
Yeah.
It was, you know, you couldn't move in a computer section in a bookshop
without the fattest book on Linux.
You could always get hold of a copy of Linux somewhere and install it
and then go, what do I do with that now?
You know.
Yeah, you had to write your own drivers
for everything back then as well.
Yeah, yeah, exactly. But it literally was everywhere. It went, it went, you know, I won't say enterprise level, but it went massive really quickly.
Yeah, I remember, um, a couple of the DEF CONs, there were, um... There's a guy called, he went by the name Jinx, and he always had the stall Jinx Hackware,
which sold badges or T-shirts and all that kind of stuff.
And very popular on those stalls around DEF CON were the badges,
which said the manual said install Windows 95 or greater.
So I installed Linux.
And that was quite common for the community back then.
Yeah, exactly.
But I mean, in terms of practicality,
it really wasn't as user-friendly as it is today.
I thought it was an absolute nightmare.
I mean, those scenes in The Matrix
where they're looking at those dripping screens
and they're tapping, tapping.
That's them installing a browser.
Yeah, exactly.
I mean, it's easy.
The fact is, but that said, there's such a community.
So, I mean, I've got three Raspberry Pis running in my house,
all running on Raspbian, which is a subset of Linux
or whatever the term is.
And even I've done some, you've done a little bit of command line stuff
and all that sort of stuff in them because they're so well supported.
But they're very, very lightweight.
Obviously, Raspbian is designed to be lightweight.
And yet at the other end of the scale, you've got companies like IBM
renting out server farms, hosting Linux for proper enterprise class computing.
Yeah.
It's life-changing industry.
Fascinating.
So the second one I had this week from the same Today in InfoSec Twitter account
was the 4th of October 2005.
And this was a funny one known as the Sammy worm,
which was the first self-propagating cross-site scripting worm,
which was released onto the then mega popular MySpace by a guy called Sammy Kamkar.
So if you recall 15 years ago, it seems like an eternity ago, we had this thing called MySpace, where I think just about everyone was going on to, um, you know...
I didn't have an account.
You didn't have any musicians. They first started going on there, and everyone had the blinks and the music that auto-played.
And it did go a bit more mainstream, though, after that.
It did, and there are still people who have old MySpace accounts. Uh, a couple of footballers, funny enough, uh, sort of famously, pictures of them when they were younger. But no, they don't actively use it. They just forgot they had them.
Oh, I was going to say, yeah.
But this was, so the worm that this guy created,
it basically designed it to,
you know,
self propagate across my space.
And so every time,
you know,
it was relatively harmless,
but every time he opened it,
it would say,
but most of all,
Sammy is my hero.
And then it would send him a friend request.
And then if you viewed his profile page,
it would then, you know, replicate again, um, you know, and add itself to your page. And so every time someone viewed your page, it would then spread. Um, but absolutely fantastic. Just 15 years ago, this very popular network, and this guy was, uh, reliving the spirit of Robert Morris, I think, and just sort of really spreading that joy of self-replicating viruses, which we all love.
Yeah, yeah, love them.
Yeah.
Love them.
We're living in the age of one at the moment.
Yes.
So I know that was two, and we typically only stick to two on this,
but I do want to give an honourable mention.
And as a friend of mine would, uh, say, for shithousery of the highest order. And this was a mere three years ago. So think, you know, we're talking about, we've gone 29 years ago, 15 years ago, just three years ago, what was happening this week? Um, well, after he retired as a result of the data breach, Equifax, the former CEO Richard F. Smith told members of Congress that one person in the IT department was at fault for that breach.
Yeah, son of a...
All one people. He basically blamed an unnamed individual, uh, in the department who had failed to heed security warnings and did not ensure the implementation of software fixes
that would have prevented the breach.
It's the language that was used.
Yeah.
Nothing to do with the pressure of the job,
the desire to get things done on time,
the fact that procedures are regularly overlooked.
Different gateways to make sure controls are in place,
following up.
No, it was all Dave's fault.
This is like saying the nukes were launched
because the tea boy tripped over and hit the button.
Yeah.
And it's like, well, shouldn't you have made the button a bit more,
like, you know, two people, keys, you know, that kind of thing.
But no.
But it was the tea wallah at the end of the day.
Yeah, yeah.
Exactly.
Dave, the tea wallah.
Dave, Dave the tea wallah and the guy in IT.
God, Dave's unlucky.
Oh, dear.
Anyway, thank you, Andy.
Yeah, that was fascinating.
That was absolutely fascinating.
Thank you.
Thank you for that.
This week in InfoSword.
Right, we need...
What do we do?
Yeah, we need to get those jingles updated.
Definitely.
Because I feel like I'm going back 10 years
when I'm going to play the next one.
Do you know what I mean?
What are we going on to first anyway?
Tweet of the Week.
Do you want to do Tweet of the Week?
Tweet of the Week.
Yeah.
All right.
All right.
So sorry, folks.
I know this is like so last year, but yeah, let's go to this week's.
Tweet of the Week.
Oh, I didn't think I was doing this one.
I don't even understand it.
Oh, crap.
Did you guys just set me up here?
Okay, I can take this one, Tom, if you want.
Yeah, you take this one.
I find this just very confusing.
I saw this as a tweet.
It's a screenshot from Reddit that was posted on Twitter. So this is kind of like, not a tweet, but I saw it on Twitter, so we call it a Tweet of the Week, and we can call it whatever we want. It's our show.
Yeah, that's right. That's the beauty of having your own show and no bosses, except for the Duchess of Ladywell.
Yes, absolutely. Mrs. Langford, we love you.
So, um, this is someone having a rant against HackerOne, the, one of the popular bug bounty platforms. And it's not unusual for people to get a bit upset with HackerOne or Bugcrowd or what have you, and sometimes they feel that they've got such a great bug but it's deemed out of scope or information only.
And no doubt there are things that can be ironed out.
But this particular gripe starts and it pulls no punches like this.
HackerOne is a complete and total scam.
Okay.
They work with James Kettle to distribute Burp Proxy,
which has been completely backdoored to relay all high-value discovered vulnerabilities to PortSwigger,
at which point you are then competing against the clock with a very small team of security professionals
and the participating security teams who have access to Burp Proxy's discovered
vulnerability feed. And then he goes on to say how he spent a month working on Uber's mobile
endpoint, finding a vulnerability only to find other people had submitted it before them.
So the only conclusion he came to is he's using Burp Suite to do his recon and to find vulnerabilities.
And because Burp Suite is backdoored, all of his data is going to PortSwigger.
And their team of security experts are looking at all of his findings and then submitting them to HackerOne before he does.
And him and HackerOne and PortSwigger are in cahoots.
And it's so convoluted, I can't even say it with a straight face.
Do you actually have evidence for this?
Because, you know, being like a pen tester, he could check.
You don't write this much if you've got evidence, Tom.
Let's be honest.
Exactly.
I mean, you know, this is slander or libel.
I can't remember one or the other, right?
Yeah.
One's verbal, one's written.
I think slander's verbal, libel's written.
Is that correct?
I don't think so.
Anyway, so this is libelous in the fact that it's saying that, you know, Burp Suite is illegally, for want of a better term, um, stealing people's research, effectively, and giving it to PortSwigger. Right, then you need some kind of evidence. And it's not like he has to employ a specialist to work out his data being transmitted to PortSwigger from the back end of Burp Suite, because surely, using the tool, he would find that out.
Well, exactly.
I mean, if only you had a tool like Burp Suite
that you could install to monitor this type of data transmission.
What's that one?
Shark something.
Wireshark.
Wireshark.
Even Wireshark could find that out, right?
What's that Shark something?
Yeah, it's a true security official here.
Stick a shark on the network.
Yeah, absolutely. Absolutely. You know, on the network with wires.
Yeah, well, it's been a long day. What can I say?
So, so I think, look, you know, people have gripes, and that's true. And are HackerOne or bug bounty platforms perfect? Probably not. Vulnerability disclosure is not an easy thing. But if you're going to spend your life trying to be a professional or whatever, you then, you know, you've got to admit that there are millions of people out there who are always going to be researching similar things to you. A lot of them are going to be better than you. Some of them are just going to get luckier. This is the game, and you've got to learn how to play it. Coming out with things like this are not going to make you any friends, likely get you banned from a lot of these platforms, and then, you know, you'll be going back to being a chai wallah.
Did they post this anonymously? I don't know how LinkedIn works. I mean, sorry, Reddit works.
I don't know whether it's...
You can create throw our accounts.
I might not know anything about Burp Suite,
but I know about Reddit.
Yeah, it's his active account.
You can probably...
It depends whether he's...
See, the thing is, a lot of these people like...
On one hand, they like that anonymity
for pastime. But then when they do something leet, they want that recognition, so they tend to go public with it. At that point you can see the whole history and everything.
So, um, yeah, I don't know. I mean, you guys know, I probably vent to you guys if I ever think something is wrong with the world. If I ever sound like I need a tinfoil hat,
I guess, you know, to stop me before I go public.
Yeah.
And we have.
Yes, many times.
Many times, many times.
Many times.
You know, like before you claimed
that your ISP hates Zencastr publicly.
My ISP absolutely hates Zencastr. I'm not even,
you know, this is... For those who don't know, Zencastr is what we're recording on right now.
And it took Andy 35 minutes to connect. And he blamed his ISP, of which he has two.
I do have two ISPs. And... It didn't work on either of them.
No, it is working on one of them, not my preferred connection. I'm using my backup connection.
It took you half an hour to decide to go to the other connection?
Uh, well, no, not only the other connection, but also switch machines as well, because, you know, this machine does, uh, sometimes have issues with that.
There really is no such thing as paranoia, Andy. They really are out to get you.
This is why
nobody likes security professionals.
They complicate stuff
to the nth degree.
Although I must say, speaking
of that, I have been...
I was about to say,
didn't you send a video
of us switching on lights?
Just before we do that,
just before we go there,
that was this week's...
Tweet of the Week.
So, Jav, tell us about your working environment
and how you might have improved it.
After taking the piss out of Tom's need to ask Alexa
to close his curtains.
I don't have Alexa.
How dare you?
Sorry, Siri.
I have Siri.
Jeez.
Only a Muppet would use Alexa.
Well, she happens to be very obedient.
Oh, oh, oh, oh.
Are you using Alexa, Jack?
I am indeed.
Figures.
Yeah.
Alexa, switch off the lights.
I've got headphones on, mate. Do you think I'm amateur hour?
Yes, because you use Alexa.
Well, you know, it's... So anyway, do go on. What, what have you done, Jav?
Oh, nothing. I just like, well, I...
I thought there's some value in what you had doing.
I mean, obviously, I wouldn't go as far as to like, you know, automate my bedroom blinds,
which are just literally like an arm's reach away from me.
But I did at least three.
I do have like my office is set up so that there are certain lights positioned for where
I'm filming or when I'm on a, doing a webinar or something like that. So I thought it'd just be easy and convenient to
connect them to my smart speaker spying device. So that when I tell it to turn on the lights,
it turns on all the lights, everything's framed properly and I'm good to record. And that's about
it. But it is an awful lot of complication because it's a rabbit hole.
You fall down, you say, hey, I could automate this,
and I could automate that.
And it actually reminded me about six months ago, a year ago,
I got this product called Hazel, which works on the Mac,
which does a bit of workflow automation for you.
And it actually works really well with Automator that's on the Mac.
So it can kick off Automator if you meet something.
Never understood that.
Yeah, which is why Hazel is a lot easier.
It builds the front end and then Automator can kick off whatever you want in the back end.
And Hazel works really well with If This Then That,
which works with everything including my
smart speaker, so I can daisy chain them all. So if I come in and I'm, and I, and there's something that doesn't natively work, it's really good for on-the-computer things. So I can give a command to my speaker and my computer will then go... It can open tabs for certain research projects I'm working on. Okay. It can play music from my iTunes library.
It can do all sorts of cool stuff.
So it's a rabbit hole that I've started going deeper back into now,
thanks to your showroom of all things smart connected.
And I've got a few more things on order,
one being one of those IR universal remotes,
which connects to the Wi-Fi and it's all smart.
Oh, which one?
I can't remember.
The Logitech?
No, not the Logitech.
It's Logitech Harmony Ultra.
You know, Jav doesn't really go for the branded stuff.
He'll go for the…
No, that's true.
I'll go for the cheap stuff with the five-star reviews.
It's a-goss.
A-goss.
No, argoss.
It's A-I-G-O-S-S.
I'd be interested to see what the integration is like with that,
I have to say.
Yeah, because basically then I can turn my air con on and off,
I can turn my TV, my sound system, everything, on and off. But, but from a security point of view, I could also use this newfound love of automation to say, hey, what's my threat intel for today? And it can go and pull out these sources, connect with their APIs, pull them in and create me a dashboard in real time.
Say you forgot your wife's birthday.
Yeah.
That sounds like some good threat intelligence to me.
Something like that.
Yeah, that is the biggest.
I'm really looking forward to seeing this because, unlike me,
you'll be shouting this from the rooftops and publishing videos all about it.
I only sent you two a little video clip today.
Well, it's on YouTube now. You've already got your idea for, uh, your continued cybersecurity awareness videos, right?
Yeah, exactly, exactly.
Hey, they're getting good, good engagement. Don't, don't knock them.
Indeed. Right, shall we move on?
Let's move on to, uh, this week's... Billy Big Balls of the Week.
This will be one that I take, shall I?
I know we switch stuff around.
Oh, whatever.
Go for it.
So this is – oh, were you going to do this?
I don't care as long as it's one that I understand.
Well, Tom will be back in three episodes' time.
So this is all started from a guy who worked at ABC News.
You may or may not have heard of some kind of outbreak going on in the US at the moment for something called COVID-19.
Oh, I thought it was Tango. Yeah, so there is some cases which have been appearing in the White House,
let's say it that way.
I think I heard something, they've got more cases than New Zealand
and Australia combined just in the White House alone.
I think it was, wasn't it, Australia, New Zealand, Vietnam,
and Cambodia or something like that.
Multiple countries.
Four or five countries, yeah.
So this guy if you've maybe seen news basically said that he'd learned
that Chad Gilmartin, who's a member of the White House press shop,
has also tested positive.
And he says, you know, sources tell us he came back positive
over the weekend.
And so Mr. Sean Spicer, ex-friend of Trump,
hard to say which way he leans politically.
You know, he's not that vocal.
It's not the leaning, it's the way he dresses that's important.
Yeah.
So he posted, you know, he saw this news from ABC
and he sort of retweeted it and said, you know,
it's one thing to report an additional staffer in the White House
who's tested positive, but revealing their name is a violation of HIPAA.
And, uh, the best thing was a response to that. There's, you know, a lady called, uh, Donna Shalala, uh, quoted that and she said, uh, Representative, Representative Donna Shalala, she says, that is not how HIPAA works. I should know, I wrote it.
And this is, I mean, I love it when, uh, you have these events where, uh, you know, people are just... You just can't get more authoritative than that, you know. And it is, um, I actually... This is, uh, similar to the, this sort of Billy Big Balls, listening to Reddit.
I know it's a strange thing, Sue, but, you know, people actually take Reddit topics,
transcribe it to audio, and then you can listen to the audio.
And, yeah, there's loads of YouTube channels of, like, Updo Reddit is one that, you know,
I listen to a lot.
Where it's just, if you put in your headphones in the evening,
you're taking the dog for a walk, you can just listen to Reddit content.
It's crazy.
It's not the best voice.
It's that voice that they use on Smashing Security,
that does the intro and sort of tells you.
I thought you were going to say from the anonymous videos.
I vote for this man's wife as well.
Yeah, exactly.
That one, yeah.
And they do the, sometimes you get used to, you know,
dollar sign, 15K.
Jeez.
But yeah, it's all these sort of Billy Big Ball stories
that have been coming out of there.
And I think this one absolutely fits in with this, you know,
at what time is someone really just sort of like being able to do a mic drop
and walk off.
So there's two things to this.
One is Sean Spicer doesn't even know how to spell HIPAA.
No.
Because he spells it with two P's and one A rather than one P and two A's.
Yeah. And secondly, quoting regulation to get back at someone
or to get out of actually doing something is a guaranteed way
of showing that you do not understand what that regulation actually is.
Because remember Sarbanes-Oxley, if you're an American company.
Yeah, socks.
So I worked for a company that had to comply to that,
and it's quite a heavy requirement, I must admit.
You know, you spend a lot of time and effort on it.
But then it got to the point where, oh, can I get so-and-so done?
No, sorry.
Why not?
Socks.
You know, it's like, bullshit, no.
That is not true.
Show me what.
No, sorry, Sarbanes-Oxley, can't do it. And it's the same
with any kind of regulation or standard. I've even heard it: oh no, ISO 27001 says we can't do it.
Yes you can, I know that you can. And it's just a dreadful way, or a dreadfully ignorant way, of either slamming someone or just avoiding work.
And it really annoys me.
Yeah.
And I used to hear something like this is so good.
Yeah.
I used to hear a lot with,
um,
sorry,
can't do that.
Date protection.
Sorry.
Can't tell you that date protection.
Yeah.
It's got nothing to do with that.
Yeah.
Yeah.
GDPR mate.
Can't do that.
Can't film me.
Can't film me.
It's data protection, mate.
I don't give you my permission.
You can't film me without my permission in a public space.
Copy and paste this onto your Facebook status,
and that way Mark Zuckerberg cannot use your information.
Yeah.
Oh, but you see, this is the best thing.
You don't even need to do self-replicating worms anymore.
You literally just tell people to copy and paste and they'll do it. Yeah, yeah, yeah. It's like on Kickstarter: whenever a project fails, people copy and paste the "I invoke Kickstarter's terms and
conditions whereby such and such", and every time you get like 17 of these around, somebody then
pops up: this doesn't work.
Please stop copying a bit.
This has got nothing to do.
And then more people come and do it and more and more and more.
And it's like,
this doesn't work.
It's got nothing to,
you know,
it's like,
Oh man,
you know,
get some,
some kind of knowledge in the first place.
Just make yourself aware of what's going on.
You know,
anyway,
it's more, more like a rant of the week for me.
Dear me.
But Republican Donna Shalala,
mic drop.
Representative.
Oops.
Representative Donna Shalala,
please take a mic drop.
You are this week's... Get some basic knowledge.
You are this week's...
Billy Big Balls
Billy Big Balls
of the week.
Like it.
So, you know, you actually mentioned Kickstarter there.
I have never purchased anything off Kickstarter, but Indiegogo I have,
and I had something delivered a week ago.
Oh yeah, I mean, they're as good and as bad as each other, of course.
Yeah, yeah. I don't know, I guess everything I've been interested in has been on Indiegogo.
You can sell stuff that you've already produced, if you see what I mean.
So people will often start on Kickstarter, get some seed funding, start making the product, and then go on to Indiegogo
to sell the product as well whilst they're still building it, as it were.
Right, okay.
So the rules are slightly different.
But anyway, you bought something.
I did.
How exciting.
It wasn't a while ago, but they finally came last week.
I got stuff from six years ago. I don't think I'm gonna get it.
So these are translator earbuds. So imagine, like, the Apple iPods, or AirPods,
you know, the wireless earpieces that you wear, and then imagine something sort of
that Jav would buy as an equivalent alternative to the Apple one. So something a bit cheap.
Yeah, a bit chunkier and a bit cheaper.
Yeah, it is. Those normally have a blue light on them or something.
Green lights, these ones do.
Oh man, that's cheap. Blue light. Blue light is a sign of quality.
But so the whole thing is based around this app called Time Kettle, and it will translate 120-odd different languages, I think they say.
So they've got a 30-hour battery life.
I've not had to charge them since I got them.
Oh, 93 languages, seven of which you can download offline,
so you don't need to be connected.
Please tell me one of them is Klingon.
Sadly not.
No, these are actually... well, actually I've not read the full list,
but they did seem to be, you know, sort of other well-known languages that you may see.
You don't want to say real languages.
I was very close.
I love Star Trek, because you can get a degree in Klingon.
Yeah, I mean, okay, right.
The rest of the world call it Welsh, you know what I mean. It's like, let's not oversell it.
Okay, but I mean, the plan was that, you know, this thing will translate in real time whilst people
are speaking in a different dialect. And it's a shame I'm not travelling anywhere at the moment, because it is an actual Babel fish.
It is, yeah. From The Hitchhiker's Guide to the Galaxy. Almost like a universal translator that they use in Star Trek.
Yeah, yeah, yeah. So doesn't Google's Pixel earbuds also have translation built in, like the Google Translate built into them?
I don't know, I never stumbled across a Google ad with Pixel Translate in it.
No, I think that you can. I think that was one of the original features, I think. Oh no, was it Google or was it
Samsung? I can't remember. I think it was Google with their Pixel phone.
They came out with Buds a couple of years ago.
I think this was when Apple came out with it. And one of the features they were touting there was that it's integrated
with Google Translate.
So it uses that back end to translate.
But I've never sort of used them.
I've never heard of anyone using it.
But on my phone, I've got Google Translate the app,
and that works really well.
You can just pass the phone or put it down,
and basically you talk through it, and that's pretty good.
Same as the iPhone.
Actually, you can do that as well.
iOS 14 can do loads of languages, can't it?
Yeah, that's right.
That's right.
So now it's come built into the phone. But I actually paid for
this, you know, a while ago, and I can have it in my ear. Yeah, exactly, exactly. And that's cool. I think
I'd be really interested if you could get these almost covert and super real-time, so it actually
doesn't impede. It's not like a big clunky thing you've got in your ear.
It's super real-time, like telling you what they're going to say in advance.
Yeah, exactly.
As opposed to real-time.
I mean, they say real-time, but they say it and then it goes in
and then it translates as a bit of a lag.
It's not quite spy stuff.
So this one is 95% accuracy, between 0.5 and three seconds it takes to translate.
Have you tried it yet? Not with anyone that speaks a foreign language, no.
And does it give you tips on how to look thoughtful or considering during that three seconds?
No. So, I mean, these things are massive.
You know, they may as well be worn over the ear,
especially with the bright green light that flashes.
I walk down the road at night listening to,
I use them as earphones as well,
just in case I come across, you know,
some foreign gangsters that are going to mug me
and they start speaking in their native language
and I just need to scroll through,
figure out which language it is and see what they're saying.
They're so big and bright they can be used as temporary traffic...
Yeah, they are like beacons as I go down.
Could you try again? Who was that? Naming that, you...
Who is that? That sounds like... is that? That sounds like Siri.
Yeah, that's me, actually.
I don't know
Hey Siri, open the curtains
Oh, if only you knew
Why are all the curtains open?
Oh, brilliant
Oh, now you're doing it
It looks like you haven't set up any HomeKit accessories.
Hey, Siri, reboot.
I've got my headphones on as well, Geoff.
So I've got to say, this feels really as professional as usual, right,
this particular podcast.
Literally, in the last 10 minutes,
I've had an email from our friends of the show,
Carole Theriault and Graham Cooley, inviting me back on the show.
What?
All right.
Yeah.
Don't know.
Don't know.
Maybe they're going to give me a hard time about that jingle.
Just make sure there's no lawyers also.
Is it definitely to go on the show and not a meeting?
Like, you know.
Yeah.
Exactly.
And also, I don't know which jingle we're talking about.
No idea.
The Billy Big Balls one.
So, Andy, given that you've told us that you can speak in multiple languages.
No, I can listen in multiple languages.
Why don't you...
Yeah, what have we got next?
Because I think this is your usual section.
What have we got next?
So is this the part where we hand over to our reliable sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest
and greatest security news from around the globe.
Industry News.
Former Australian PM talks importance of cyber awareness.
Industry News.
HMRC hit by multiple phishing and spam emails.
Good.
Industry News
Endpoint security, primary pain point in 2020.
Industry News
Food delivery service Chowbus experiences data breach.
Industry News
Boards increase investment in cybersecurity in face of threats and...
Industry News.
And that was this week's...
Industry News.
Huge if true.
So I am actually with Jav on this one with HMRC because, you know,
I've had my issues with them in the past.
So I called them the other day because I'm still
under investigation for God knows what. And if you don't even know why you're under
investigation, that's probably telling you something. Well, exactly. And not just that. Well, so I called
them, like, get to the bottom of it. I've tried calling them before, always stuck on hold for too
long. And so they're also taking more money, you know, than they used to.
Anyway, so I was like, look, you know, you're taking a lot of money from me, like, via PAYE.
And so we went through the whole thing. Long story short, I apparently have been on the wrong
tax code for over a year. So all of the last five... Yeah, exactly. So they're saying when you complete
your self-assessment this year, you're going to have a huge tax bill at the end of it.
And I'm like, what? Like, how do you mess up PAYE? Well, I spoke to an accountant about this, and
apparently nearly all, I think, PAYE software that organizations use
are only accurate up until you're earning $100,000 or something like that. After that,
it doesn't automatically update or fix what the salary is. And this is especially troublesome
for people who are under a hundred
thousand but then they get a bonus that takes them over a hundred thousand a year. And so
nearly everyone who... that's why if you're over a hundred thousand you have to do self-assessment,
because they know that the system screws it up for you. Ah, I never knew that.
I never knew that.
So now we know that Andy definitely is in the higher bracket range
because he didn't deny any of that.
So, Andy, would you mind sponsoring the show next week?
Yeah, that's right.
Absolutely.
Absolutely.
In fact, just sponsor yourself and get a new machine.
Nothing wrong with a tech in this house, I tell you.
There's nothing wrong with a tech in this house.
Get a host unknown computer that works on Zencastr
and any ISP you choose.
How about we just switch from Zencastr?
Why? What's wrong with it?
It doesn't work with my ISP or computers.
It does.
Oh, man.
As I said to Jeff, you need to bring me in for an afternoon
and I'll sort your kit.
I can't afford your prices, Tom.
This is a typical IT department versus the users.
Wrong play, playing out in real life.
The users are saying this doesn't work and IT is saying it does work.
You're just stupid.
You don't know how to make it work. Yeah, Andy's stupid. It works for me, yeah, therefore the problem is
mine. Well, it is at your end, that's the point.
It's the part between the computer screen and the chair that's the problem.
Layer eight.
Are you saying... yeah, exactly. I never like saying users are stupid. I think that's so derogatory. But Andy,
you are fucking stupid. In this case I will make an exception. Yeah. So do you guys always
used to use the old ID10T error or, you know,
PEBKAC, that type of stuff?
Yeah.
What are those?
What's ID10?
ID10T.
So when you spell it out, it spells out idiot.
Like if you use it, obviously you've got the PEBKAC.
And the other one we used to use was computer user non-technical,
which is very common for salespeople.
Oh, dear.
The only one Tom was a familiar one was the 8008 7355.
Turn the calculator upside down, right?
Exactly.
Oh, great days.
Great memories.
It doesn't work with an iPhone.
It's really disappointing.
For the younger generation,
calculators were like undocking the calculator app off your phone.
It used to be a physical thing.
Yeah.
My dad had one of the very first calculators sold in the UK
back in the late 60s, early 70s.
Early adopter.
Yeah, sorry?
Early adopter.
Yeah, well, he had a TV in his car as well.
What?
Yeah, yeah.
I mean, I was telling Jav last week,
it was about, what, a foot and a half long
and something like a six inch or a four inch square screen,
you know, because it was obviously CRT,
but it was in the car, powered off the car.
Brilliant.
Why? Because he could.
And I completely subscribe to that attitude,
to be perfectly honest with you.
Having been to your place, I know you live that every day.
Yeah, exactly. Exactly.
Right, we need to move on very quickly, I think. Let's move on to this
week's Rant of the Week. Okay, this is a story about the UK track and trace system, where
actually it looked for something like, was it a week, a week and a half, that numbers were actually falling when it came to coronavirus infections and things like that in the UK, which is brilliant.
Great news.
Seems like something's happened.
Great news.
Then it emerged that 16,000 cases were delayed in being transferred to the system because,
well, it says the government, but because the third-party contractor, the private company
that had built the system was using Excel to store the data
with an individual column for each case, multiple rows, et cetera, et cetera. So after the maximum number of columns in a spreadsheet exceeded 16,384,
everything got dropped after that.
And so it failed to update, preventing the coronavirus test data from updating.
Which, now, if they'd done it the other way around,
if they'd used rows instead of columns,
and we all know this from when we've been on Excel,
you build something, you think, no, that's the wrong way around,
you have to completely redo it.
But it would have been avoided as Excel supports up to over a million rows.
But also, and it's not in the show notes, Andy,
but I heard they were using the .xls format
rather than the .xlsx format as well,
which is simply unforgivable given that .xls format came out in, what, 90s?
And the .xlsx format came out in, was it 2007?
It's been a while. Something like that.
Yeah.
It's not like it came out last year.
Yeah.
And the .xlsx format would have been able to cope
with a higher number of columns as well. So Excel is a brilliant tool,
without a shadow of a doubt. Companies would collapse without the use of Excel,
but there are certain cases. My initial thought is, you know, enterprise class cases where you
don't, you should not be using Excel.
You should be using either a bespoke system or some kind of database
or something like that.
And the use of Excel, in my humble opinion and not knowing the full story,
is unforgivable in this instance.
Really, really can't be used.
And I bet the username on the Excel was still Microsoft Office user as well.
Click to activate, yeah.
Yeah, exactly, exactly.
No, I completely agree.
Absolutely shocking.
And we spent millions and millions, or is it billions?
I can't remember.
It's a lot of taxpayer money on this for what on the face of it
appears to be utter incompetence and negligence of the highest extreme
just for profits.
So, meh.
Yeah.
No, you're right.
You're right.
I completely agree.
And we spoke about Sarbanes-Oxley earlier. And Sarbanes-Oxley actually, one of their points is about end user developed applications or end user computing.
for major decisions or something that's fundamental to your reporting,
then, well, try not to, but if you have to, which a lot of banks still do,
I mean, a lot of trading floors they've built out these Frankensteins,
but then have controls in place and have checks in place,
have your assurance controls in place.
I assume it's not an easy job getting the disparate data from all of these different healthcare... like, GPs might report them, you have these testing remote
stations set up, you have hospitals, they're all reporting it. I mean, I assume they would just
might have been sending a CSV file.
But it's almost like what we need is something that sits in between that,
almost like in the middle.
Almost like a cloud that they could upload it to.
Not like a firmware or a hardware, but like something in the middle, the middleware that allows disparate sources to be collated.
You know, maybe we should, hey, you know,
I think maybe we could make some money out of that.
Yes.
TO2 security now proudly developed.
Absolutely.
Absolutely.
Stick two fingers up to Excel.
But, yeah, it just annoys me.
And also, it is a security issue as well, because let's face it,
it smacks completely into the integrity side of data
and availability, for that matter.
The data you're putting into Excel, there are limitations
as to what you can pull out.
So if you're assuming that when you do an automatic import
of your Excel table, it's got all of the data in there that you thought
you'd put in and it doesn't, then you've lost the integrity of your data.
Well, that's it.
I mean, the thing is, when you look at it, what's the purpose of collecting this data?
It's so that you can present the data as like, how many cases are there?
Where are they?
Well, so you can save people's lives.
Yeah, yeah, but that's pretty much it. That's the key thing. But
if you haven't checked through and said, does it actually do what it's meant to do, then,
like you said, Tom, it's incompetence of the highest order. Yeah. And at what point do you think
they realized? You think it was like the third day in a row that the cases were 16,384?
And they realised that Boris was still in power.
It couldn't possibly be dropping numbers.
Maybe the intern who was opening the spreadsheet used to open it and walk away for a cup of tea.
It was the third day he said to someone, why is this note or this pop up?
Are we showing up saying
cannot display all the data because it exceeds the number of columns?
You'll never believe the coincidence.
We've had 16,384 cases every day for the last three days.
Amazing.
Oh, dear.
Anyway, that was this week's...
Rant of the Week. So I'll just add to that. So I know you
mentioned I missed out in the show notes that it didn't highlight the fact it was,
you know, yeah, an old version of Excel. I will just point out I was essentially rickrolled
into this one. So this is a link that was in the group chat and I saw the headline.
So I had previously, you know, I heard the story.
So I guessed what it was about.
What I did not realize was that this particular article was from media whore Javad Malik.
Oh, yes.
There was a quote.
Yeah.
So this obviously came out at the time, because, you know, as soon as the story
breaks, Jav, you know what he's like, he's got to be on the scene. So he obviously didn't have
all the information. This is your roving reporter. Yeah, stuck with the safe quotes.
And, is that Siri again? Yeah, it is. I don't even know what I said to activate it. You're probably sitting on the button or something. Siri, close the curtains. Yeah, but, you know what, you missed the other one, that in
this week's industry news, the HMRC hit by multiple phishing and scam emails, was that you
as well? I was quoted in that one as well, so I have been busy this week. Oh, man. Funny enough, that also says,
if indeed the government was using Excel to track
HMRC cases, COVID cases, whatever,
it is the wholly inappropriate use of the tool,
said Javad Malik, security awareness...
Advocate at KnowBe4.
Evangelist at KnowBe4.
Excel is a very good spreadsheet,
but it's not a very good spreadsheet.
It's a good tool that uses spreadsheets.
I don't know.
Who writes your copy?
But it has its limitations, much like me,
and in no way ever intended to be used as a database,
except by 90% of the world.
Ah, excellent.
Well, Blimey, we've hit the mark almost bang on this week.
We've got no time for even any of the backup topics.
All the little people.
I had a banger off the little people actually up my sleeve.
Did you?
It's no good there because I need it on my iPad so we can play it.
Anyway, anyway, Mr. Javad of the Malics,
thank you very much for your time, effort, contributions
today
you're more than welcome
and Mr Andrew of Agnes
thank you very much sir
stay secure my friends
stay secure
stay secure
Host Unknown the podcast was written, performed and produced by Andrew Agnes, Javad Malik and Tom Langford.
Copyright 2015, or something like that.
Insert legal agreement here as applicable and binding in your country of residence.
We thank you.
Well, that flew by.
It did.
You know, when we have less actual content,
we speak for a lot longer.
I don't know. Content was pretty good.
We just need some more accurate show notes, that's all.
Yeah, and you just need to check your links before posting them, Andy,
and stop bitching about it afterwards.
Well, in my defence, I would normally be doing this at night time
rather than during the day.
Like we're recording a day early today.
Are you like a vampire or something?
I am more productive at night time.
Right, okay. That's what she said.