The Host Unknown Podcast - Episode 31 - Just Embarrassed Ourselves Really
Episode Date: November 6, 2020

The fourth member of the Host Unknown trio, Carole Theriault, joins the podcast to bring an air of respectability to proceedings. Needless to say it was an uphill struggle. This week's show brings you, dear listener:

Smut or Security
Do you know the difference between your smut and your security?

This Week in InfoSec (Liberated from the "today in infosec" twitter account):

30th October 2001: The author of the Nimda worm released a new variant that was functionally identical, but included a comment that it should be referred to as Concept Virus, not Nimda. It didn't happen - it got named Nimda.e. That's right bitches.
https://twitter.com/todayininfosec/status/1322141461949927424?s=20

30th October 2013: Adobe revealed that a breach of 2.9 million customer accounts made public 3 weeks earlier actually affected 38 million users.
https://nakedsecurity.sophos.com/2013/10/30/adobe-breach-thirteen-times-worse-than-thought-38-million-users-affected/
https://twitter.com/todayininfosec/status/1322306716114001920?s=20

31st October 2005: Winternals researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software that he ascertained had been recently installed on his computer by a Sony BMG music CD.
https://web.archive.org/web/20150317040653/http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
https://twitter.com/todayininfosec/status/1322629012540157952?s=20

2nd November 1988: The Morris worm spread like wildfire and was the first worm to get wide media attention. After its author, Robert Tappan Morris, released his "experiment", it quickly spread and made many of the systems on the Internet unusable - an epoch for security...both good and bad. It was one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.
https://twitter.com/todayininfosec/status/1323248705164791814?s=20

Tweet of the Week
Flushing Away Preconceptions of Risk
https://twitter.com/StevenShorrock/status/1323335595465318401?s=20
https://www.independent.co.uk/news/uk/home-news/bacteria-toilets-flush-lid-closed-b1535481.html

Double Rant of the Week #1
The Police in the US struck a deal with Amazon to violate people's Rings
https://www.eff.org/deeplinks/2020/11/police-will-pilot-program-live-stream-amazon-ring-cameras
The police surveillance center in Jackson, Mississippi, will be conducting a 45-day pilot program to live stream the security cameras, including Amazon Ring cameras, of participating residents. "While people buy Ring cameras and put them on their front door to keep their packages safe, police use them to build comprehensive CCTV camera networks blanketing whole neighborhoods," says the EFF. Only a few months ago, Jackson stood up for its residents, becoming the first city in the southern United States to ban police use of face recognition technology. Clearly, this is a city that understands invasive surveillance technology when it sees it, and knows when police have overstepped their ability to invade privacy.

Industry News
Ping Identity Acquires Symphonic to Boost API and Data Security Offering
Florida Invests in Security Controls Ahead of #Election2020
NCSC Partners with Microsoft to Support Cyber Accelerator Program
Google Forms Used In Password-Stealing Spree: What You Need To Know

Double Rant of the Week #2
Carole's Nasty Tweet (no screenshot, the nob deleted it).

The Little People
We were joined by Smashing Security's Terry Graham.

Come on! Like and bloody well subscribe!
Transcript
I think someone was going to be asking a question.
Yes.
So...
Look, you show me up in front of Carole here.
Lines, lines, lines.
Darren, you, you, that's me.
You watch out.
You...
You can't do it, man.
You can't do it, man.
You can't do it, man.
Oh, man.
This is good, guys.
I'm really loving this.
Okay.
This is behind the kimono, to mix my metaphors of host unknown.
So, Tom, how was smashing security?
It was all right.
You know, I mean, it was a very polished affair,
but I can't help but think that most of my good stuff was edited out, to be honest with you.
Really?
Andy, that's when you come in.
Oh, wow.
So then I say, I wouldn't know.
We weren't invited, so we decided to bring Host Unknown to us.
No!
Hit the music!
You're listening to the Host Unknown Podcast.
Hello, hello. Good morning, good afternoon, good evening from wherever you are speaking or listening. Jesus, you got me at it as well now, Andy. Um, I think it's nervous because we've got a lady in the room.
Um, but, um, yeah, so in fact, ladies first. Um, hello, Carole, how are you?
I'm very well, and it is a virtual room. We're not actually in the same room together because we're in lockdown. Even if we weren't in lockdown, I doubt we'd be in the same room together.
No, no, absolutely. You... I don't think these other two are actually allowed out of their county, in fairness. Um, now Carole is the, uh, award-winning host of many, many podcasts. Um, there's that Smashing Security one that, you know, is okay, I guess, uh, the second best information security podcast, um, and but also, and I'm a recent convert to it, uh, Sticky Pickles.
Oh, yes, my pandemic special. Yeah, what do you think? Did you have a listen?
I thought it was filled with filth, smut and innuendo, and I loved it.
It's funny too, though.
Yeah. Oh, sorry. And humour. Absolutely. Absolutely. I mean, in the, in the first two episodes alone, there was a cougar mum sleeping with her, with her daughter's friends. There was a severed horse cock. There was somebody spitting into food they cooked. I mean, it's like, jeez.
Jeez, sorry, are we talking about your biography, Tom?
Oh, yeah, you two are here as well. Andy, how are you?
Uh, I'm all good. I was gonna moan about, uh, the state of my, uh, home decorations, but I'm not going to, um, because...
You have no home decoration.
It's gonna trigger me. You sent the builders?
I have. I need to think about things.
You're in the middle of a big house reno?
Well, I'm really not.
It wasn't supposed to be.
I just wanted the walls painted.
Anyway, like a week later, I am without office.
I am working from the dining room table and I need to get the ceiling redone.
I've had to chuck out my old desk.
Because you cut bits off it and then decided you didn't like it with bits cut off it.
I'm a visual person, Tom.
I need to see things to understand whether it fits right in my mind.
Andy's one of the people who you work for,
and we've all worked for managers like that.
They're not very good at articulating to you what they actually want,
but when you produce something for them,
they'll tell you exactly that's not what they want.
So you forever are back at the drawing board.
So any people who have to work for Andy, we are very, very sorry.
Indeed. Indeed. And Jeff, how are you, sir?
I'm good. I'm good. I had a little leak in my bathroom ceiling.
Not me.
Sorry, after listening to Sticky Pickles, is that a euphemism?
I'll let you make your minds up.
Anyway, there was like water coming into the ceiling and it began to drip, and the plaster was cracked and everything.
So home in emergency cover, yes, I'd pay for it.
Let's use it.
So I phoned him up.
Engineer came.
And there's a loft bathroom above it,
and some of the grouting is a bit cracked.
And he's like, yeah, it's the grouting that's cracked,
and water's getting down there.
And he left.
And I was on a meeting at the time, so I wasn't there. Wife was just like, okay. Um, and I phoned him up. I said, no, it's not the grouting. No one's been having a shower up there. There's no water spillage up there. It's, it's a continuous leak. That's it. And the insurance company were like, no, we're not sending anyone around until you fix the grouting.
Um, so the grouting that you would then subsequently have to pull out to find the leak.
I have a suggestion, actually.
Just seal the grouting with some kind of clear sealant, like nail polish, basically. Just cover the grouting and go, done. Because then it's waterproof.
Javi's made of money, so he just paid for someone else, even though he had insurance.
Even though I had insurance, it was just far less hassle to just find someone who was local. He came round within 10 minutes. He found the source of the leak. He replaced the pipe and it was all good to go.
Oh, really?
Yeah.
You should put that bill to the insurance company.
Anyway, welcome to the Homeowners Monthly Podcast.
Yes, so we have got a veritable feast for you,
not least in content, but also in hosts.
Host Unknown has four hosts today.
So it's so good to have you here, Carole.
Thank you so much for coming on, especially at short notice.
It's a pleasure. It's a pleasure.
Absolutely. Uh, of course it is. Um, so what have we got for, uh, for our listeners this week? We have, uh, This Week in InfoSec, our brand new segment, uh, with the awesome jingle.
It's actually been about five weeks, Tom.
Is it? Yeah.
Yeah, well, you know, it's brand new
because we don't actually know when we're at,
how long we're going to be doing this for.
Let's be honest.
Tweets of the week, Billy Big Balls,
Rants of the Week,
and there's inklings that we might have
a little people today.
Oh, yes.
Oh, yes. Oh, yes.
And it might be very, very, very special.
Very special.
Very personal to at least one of us here today.
So, yes.
So that's going to be fun.
So I tell you what, then.
Why don't we move straight on to...
I'll tell you what, Tom.
What, what, what, what, what, guys? Just about to press the button as well. Timing was going to be brilliant.
Uh, well, I know you've had that finger on the button. So, as you know, I am a visual learner. Uh, I see things, but I see them when they play out. Okay. And all I can say is chums, chums, chums. Okay. So Host Unknown are the AltaVista to Smashing Security's Google.
Okay.
So, you know, we may have been first, we may have been functional,
but, you know, we really saw, you know, Smashing Security take it to the next level.
Take our ideas to the next level.
Do you know what?
I understand the formula now.
I see it.
And it is the perfect combination of smut and security.
Okay.
You have my interest.
And with this in mind, Tom, this file which I have sent you,
which you were mainly about converting, I said do not listen to it.
I can hear it.
I can see it now.
Not hear it now.
This is it now.
This is the time to play it.
Okay.
Smutty or security.
So that's a quality jingle,
right?
That is a quality jingle.
When did you do that?
I have no idea.
That was a professional job.
Was that,
was that after you asked me at 1am this morning,
can you do a jingle right now?
And I said,
no.
As I've just got a laptop in the dining room,
you know, in the dining room at that time of the night,
I didn't want to wake anyone up.
Okay, so this is a fantastic feature
and it just came to me in a vision.
Now, you may be aware of some viruses have,
or vulnerabilities have very funky names.
Oh, I've played a similar game to this.
Yeah, well, I don't doubt it.
I mean, this is cutting edge.
You haven't played anything like this, trust me.
Basically, I'm going to read out some names,
and you have to tell me if it's a virus or smut.
No, what do I call it? Security or smut?
Yes!
So we will say smut or security, okay?
Smut or security.
Okay, let me go first.
Let me go first.
Okay.
Well, I was going to say you can either play in a, you know,
like a buzzer game where you shout your name as the buzzer or...
Oh, let's do that.
Yeah, we can do one.
Okay, so I'm going to read out something, something, and then you shout your name as a buzzer, and whoever I hear first, I will go to you and you say security or smut, or smutty or security. Okay, which one is it?
Well, that's what you have to tell me. So first off, 1260.
Carole.
No idea.
I heard Carole's name first.
I have no idea.
Smut.
It's not.
So 1260 was from 1990. It's actually the first virus to use polymorphic encryption.
If only there was somebody who used to work at an antivirus company,
you would know this.
Yeah.
I was in the labs.
But they're all consistent naming conventions,
so, you know, you would know.
So the next one is 68.
Carole.
I'm not playing anymore.
Okay.
Security or smutty?
I'm going to say smut again.
That is smut.
Is it?
I'm sure that's one off.
No, that's where I go down on you.
You go down on me and I owe you one.
In which case you owe me more than one. Okay, so the next one we have is the 96.
Javvad.
Javvad, security or smutty?
It's smutty, for sure.
It is smutty. So this is the, uh, sex position formerly known as the 69, um, but owing to the ongoing pandemic, the cost of eating out has gone up.
Okay, security or smutty? Blaster.
That's security.
Yeah.
Someone must have this.
Yeah, mate. That is security.
Security.
That's a worm which spread on Windows machines
by exploiting buffer overflow.
Okay.
The next one is JFK.
Tom, that's got to be smutty.
I don't know why,
there's something explosive blowing on there.
You're sort of like getting brains blown out
or something like that.
Yeah, something to do with blowing.
It's where I splatter all over her
while she screams and tries to get out the car.
Oh my God.
What has this podcast turned into?
Where are you hanging out, Andy?
This is the winning...
Play the jingle for the next section now and save us.
OK, we don't have many to go.
We don't have many to go.
What?
OK.
Wanna cry.
Wanna cry.
I think that's both
That's gotta be both
And then we have
ByteBandit
How's it spelt?
Oh very good
It's B-Y-T-E
So you know
Carole's analytical
She's not falling for these things
Okay, is that it?
Well, yeah, I think we should probably, it's only going to get worse,
so we should probably terminate it here.
That was this week's.
Smutty or security?
I think Andy's trying to show off in front of Carole.
I think Andy should try and keep this up every week.
I think you should make him stick to it and see what he can come up with.
He'll hate himself in about two months.
We'll hate him in about one month.
I hate myself already.
All right.
Let's move swiftly on before Andy starts up again.
I'm just going to text Graham and say that you guys have more fun than we do.
This Week in InfoSec.
Oh.
Quality jingle right there.
Quality jingle. Yeah. Quality jingle.
Yeah.
That's kept in the family.
So, Carole, we all unanimously decided you're going to be doing this week in InfoSec.
All right.
So, do I have to do anything special?
Just read it out?
Yeah, just read it out in your best monotone.
Okay.
That's what Andy does.
Yeah, nothing different.
Yeah, okay. So on the 30th of October 2001, the author of Nimda worm released a new variant that was functionally identical but included a comment that it should be referred to as the Concept Virus, not Nimda. It didn't happen. It still got named Nimda E.
That's right, bitches.
Nice.
Okay.
Yeah, nice, Carole.
I mean, okay.
I had no idea that it was called that.
I thought it was just like reverse of admin,
and that was the chosen name.
But you know what?
I do remember actually that I was working at a bank at the time and we got hit, hit by the Nimda virus.
Sure, yeah.
And, um, I was on the SecOps team, and one of the jobs we had to do was install antivirus in the first place.
Well, yeah, did you write a script to install the antivirus jab and then it not work?
No, no, no, no, no. This is more of a collective.
This is where I actually understood how the security industry works.
And this is where I knew that I wanted to carve a career out in it.
This was the turning point for me.
So we got hit by the Nymda virus and we looked at firewalls.
We done the rules on them.
I think, did we have Raptors?
Or we had Checkpoint Ones and I think maybe Raptors as well.
Anyway, so we were told we had to cover 24-hour shifts,
well, like, you know, whatever, eight hours each,
and go in and check the firewall logs and make sure certain
ports were closed or they weren't being hammered or something like that. I can't remember the technicalities, but all I do remember, it was completely pointless, uh, because we just didn't have, um, on-call capabilities for the whole team. Someone had to physically go into the office, and every 15 minutes you would check the, you know, a dozen different firewalls and then send an email to the ops team saying nothing to report. And you do this every 15 minutes, and this was literally one of those Homer Simpson, the, the, the duck hitting the keyboard moments. And I thought, this is fantastic. No one has a clue what security does or what they're really involved.
We had no value and we're getting paid double overtime for coming at this
like overnight to do this.
And I thought, this is brilliant.
I'm sticking with this shit forever.
And I'm taking that nodding duck with me.
Yeah.
Yeah, but Nimda was a really, really big deal at the time.
I remember I was working at Sophos and, you know,
it was all hands on deck when that one came out.
I'm not saying it wasn't a big deal.
I'm just saying that security teams had very little to do with remediating it.
Oh, no, no, I agree.
I agree.
But I think it just hit so many companies sideways, too.
I just think, you know, nothing had been like I'd ever acted that way before that.
Unless I'm misremembering.
You guys know more than I do by a thousand times.
I have no idea. I just stuck a Doc Solly's, um, recovery disc in the floppy drive and off we went.
Doc Solly's? Like you're tight, all right? You're that close. It's just shortened, DJ, DS.
So next, next story. Okay, am I reading this again?
Absolutely.
Okay, so 30th of October 2013, Adobe revealed that a breach of 2.9 million customer accounts made public three weeks earlier actually affected a whopping 38 million users.
This was the largest breach at the time, wasn't it?
It was huge. I remember this one, and this is, um, if you ever use those services where you, uh, you know, scan for compromise of email addresses, they will always... If so many people had Adobe accounts back then, it'll always show up and it'll flag, hey, your company's got compromised accounts. Subscribe to our service and we'll tell you all about it.
And guaranteed it's Adobe in there.
Yeah.
But the passwords were encrypted, weren't they?
And they made a big deal about that, if I remember correctly.
Rather than making a big deal about telling the truth.
Oh, totally.
Hey, people still do this today.
You know, what was the, oh, Panacea?
Is it Panacea?
No, no, no, it's not Panacea.
There's a company, there's a company in the States,
but basically like last year, lied, lied, lied, lied, lied all the way through.
Yeah, yeah.
You know?
Yeah, because nobody will find out.
Obviously, nobody's going to find out.
And if they do, it'll be fine.
We'll just blame China.
Okay, number three.
Yeah.
Okay, 31st of October, 2005.
Winternals researcher, Mark Russinovich,
posted to his blog a detailed description
and technical analysis of F4.1.
Is that right?
I can't read the writing.
Sure, F4.1, yeah.
F4.1, F4.1's XCP software that he ascertained
had been recently installed on his computer
by a Sony BMG Music CD.
Yeah, and so this was the story,
probably it's only 15 years ago.
Do you remember when Sony installed
digital rights management on all their CDs
to try and stop you from copying them?
Yep.
They actually rooted people's machines.
Yeah, somebody dropped a root kit inadvertently onto the CD,
didn't they?
I thought it was deliberately done.
No, I don't think so.
Oh, God, who knows now?
It's 15 years ago, like I remember.
But I thought somebody had basically inserted themselves into the supply chain.
Into the supply chain, yeah.
I think you're right, Tom. That's what I remember too.
But even so, it was a shocking dereliction of duty.
I'm amazed that Sony is still around.
I was going to say, Sony have had some bad luck.
I like their products.
I think their kit is really top-notch,
but how they've recovered from three, four, five major issues,
security issues, I'll never know.
Yeah.
I know it's amazing how some companies we just forgive repeatedly,
based on some previous brand or reputation.
They're much more resilient to,
to the market,
to these problems.
Exactly.
Exactly.
Right.
I'm calling it.
We're 20 minutes in and we've not even finished the first section.
So do you know what?
No,
we have to,
that last one,
the Robert Morris.
Yeah.
This week in InfoSec,
2nd November,
1988, 22 years ago,
the Morris worm spread like wildfire.
This better be a good one.
Well, it's not.
This is just a defining moment in InfoSec history.
It's not a good one, but it's a defining moment.
It is.
So we're going to do it.
It was the first computer worm, you know,
distributed via the internet.
First to get mainstream media attention
and the first to result in a felony conviction in the US.
Isn't this the one in a museum of computing somewhere?
It is, on a floppy disk.
On a floppy disk in like a glass box.
That is how big it is.
So everyone should know about the Morris one.
You know, you guys next time should invite Graham
onto the show because he would be able to wax
lyrical below this. He'd love a little tap dance.
Oh no, he'll see through our bullshit.
I'm like, this is way before my time.
Yeah, exactly. We'll say, oh, I think
this is what happened. He'll go, no, actually
that's not what happened at all.
And, you know, we're not going to do that.
We're not going to, you know, get some, you know,
alpha dog on the show to undermine us.
Did I just call Graham an alpha dog?
You did.
Yeah.
My God, stranger things have happened.
Anyway, thank you, folks.
That was...
This Week in InfoSec.
Very good, very, very good
So, yeah, it's...
I can't believe, like, things like the Adobe thing
15 years ago
That's, um...
That doesn't seem right
No, nothing seems right
I think it's...
You know what?
I think everything can be pinned down to when they turned on the Hadron Collider a few years back.
Yeah, that's right. Ever since then the world's gone just like tits up.
Well, then Netflix released Stranger Things, and that's, that's exactly what I think has happened.
And it was in the Adobe thing, it was, uh, Brian Krebs that actually reported it, on it first, that hackers had stolen the three million encrypted customer credit card details, and that was in October 2013.
Yes. Yeah, even longer, even longer than 15 years ago.
It was seven years ago.
Yeah.
Right, I think we should move on from that little faux pas and get straight on to...
Tweet of the Week.
This is what happens when guests try to Google stuff while talking.
Do you know what?
I have this Tweet of the Week,
and this is about a story.
The title, Flushed Away.
And images show bacteria propelled from toilets when flushing
with the lid open. Um, now the eager-eyed among you may know that I did a very famous talk on this topic, um, probably about seven years ago, I think, Flushing Away Preconceptions of Risk.
That's right.
There were sharks and coconuts and toothbrushes and everything.
Sharks, coconuts, everything.
In fact, Tom, tell me how much you understood it.
Why don't you take this story?
Well, do you know, it's like I was there at the time when you first did it.
It's so vivid, so vivid.
But yeah, the whole thing is that when you flush a toilet with the lid up,
the contents of said toilet aerosolizes and faecal matter, urine and water spread up to 12 feet in all directions.
And, you know, covering everything in that in that space with a thin film of water, faecal matter and urine,
plus anything else that might be
in the bowl at the time. And my recollection of your talk was that because your toothbrush is in
there, what you're going to do is to change your habit of moving, of putting the lid down as a result of this talk, because you don't want to be brushing your, your teeth with poo, basically. Um, but if, um, but generally people are more scared of things that they shouldn't be, like sharks, because more people are killed by coconuts and babies and, um, than sharks are. Uh, more people are killed by bears than babies, for instance. More babies kill more people than bears in the US. And yet we still will happily eat our lunch at our desks, which are filled with bacteria.
Hold on, hold on. How do babies kill adults? Are you suggesting that people be afraid of babies?
Yes.
No, when someone gets pregnant, run.
Especially US babies, by the sound.
Yeah, absolutely. Yeah, some bad motherfuckers. But, um, no, it's, um, it's to do with also the American penchant for having, um, loaded firearms in handbags and, uh, rucksacks, and babies getting hold of them and, um, often just pulling the trigger accidentally, you know, and, and stuff like that. Um, so actually, you know, more people are killed by babies than bears. That's, that's, you know, statistically it's correct. But, you know, that's, that's, that's the concept I'm talking, that Andy was talking about.
But yeah, so on the toilet seat, there's something,
it was something like, what was it?
64 harmful bacteria per square inch on the toilet seat,
which is pretty high.
But when you look at, say, your keyboard or your phone, you're talking tens of thousands of harmful bacteria, uh, per square inch. Um, and but people will still, you know, and on their desks as well, people still eat food, you know, and run their hands all over their keyboards and phones and mush their phones up to their faces and all that sort of thing, um, and not be worried about it. But they're worried about brushing their teeth with aerosolized poop.
Can I ask a question?
Yeah.
Is there a security angle to this?
Yeah, humans are crap at measuring risk.
Oh, it's a slow burner, but it gets... I just needed...
Yeah, it's early, it's early.
I just needed to clarify.
Yeah, so it's a, it's a, it's the fact that when it comes to risk, and obviously security risk, we often look in the wrong places.
It's a very disgusting way to explain your point, though.
But you're not going to forget it.
Just going to not forget that you guys disgust us.
Well, we've known that for a long time.
It doesn't matter.
Anyway, it's not me that's disgusting you.
It's Andy.
But you have articulated it very well.
Why, thank you.
Well, you see, you put it across so well in the first place, Andy.
And that was this week's.
Oh, hang on, hang on.
What about people that talk a lot of shit?
Or crash jingles.
This is live, baby.
Yeah, absolutely.
None of this, oh no, we've got this odd sound in the background.
We'll have to cut out that really good thing he said.
For their podcast.
Not that I'm bitter at all.
Anyway.
You're listening to the Host Unknown podcast.
More fun than a security vendor's briefing.
And it is.
Okay, so we've also now got a double rant of the week
because we couldn't find a decent Billy Big Balls, basically, and we found two really good rants of the week. Shall we move on to those?
Let's.
Yeah. Let's. Okay.
So, it's time for Double Rant of the Week.
That was seamless.
So the first one I'll take this first one.
The police in the US have struck a deal with Amazon to...
Here we go.
Smutty or security?
Security.
Damn, I just read the show notes properly. The police in the US have struck a deal with Amazon to violate people's Rings. Please follow the link carefully.
So in Jacksonville, Mississippi, the police there, the police surveillance centre there will be conducting a 45-day pilot to live stream personal security cameras from Amazon Ring customers, of participating residents. So you have to opt in to this.
So basically, for those that don't know,
the Ring camera, it's actually a pretty good piece of kit.
It attaches to your door, it's your doorbell, et cetera,
but it also records movement and all that sort of thing.
It's part of a larger suite of internet-based cameras, et cetera.
The thing is, though,
so while people buy these cameras,
and often are not, especially in America, it seems, people buy them because they often get their Amazon packages
stolen off the doorsteps.
If you go onto Reddit,
there's always someone stealing an Amazon package from there.
What it does is it negates the need for police to build comprehensive CCTV camera networks,
blanketing whole neighborhoods.
So it's less overt.
It saves the police money.
More covert.
Sorry?
It's more covert, not less covert.
No, using the Ring system is less overt.
Oh, I thought you said less covert.
No, I said less overt.
Okay, got it. Oh my goodness.
As we were.
So yeah, exactly. So it's less overt, so that, um, you know, you don't know if you're entering into an area that's going to be, uh, covered by a camera.
Now, given that you have to opt into this, that's all well and good. But if your neighbors across the street opt in and you don't, your house and your movements are still being monitored.
So you're kind of you're not even able when you opt out, you're not even able to opt out of you being monitored or your property being monitored.
Yeah, go on.
No, I was just going to say, putting a ring camera to surveil a sweep of your front of the house because you get Amazon packages stolen is a bit like trying to shoot an ant with a luger.
I mean, just buy a box with a lock, right?
Give them the code, done.
That's probably more expensive than the Amazon-
Constant surveillance ring offering that you're talking about.
Yeah, because probably a box, a lockable box big enough is probably a couple hundred bucks.
And one of these will go for 70 bucks at the moment, you know?
There's got to be a running fee.
It's very little.
Really?
It's something like 10 bucks a month tops.
Oh, I guess that's how you, it's like, yeah,
it's like heroin, I guess then, right?
Just give it to them free until they're hooked.
Absolutely.
Then no one can live without surveillance.
Maybe the police could start handing out heroin at schools.
So with this story, this has come from obviously EFF.
Yeah. You know, very respectful, you know, they talk about, um, invasion of privacy and stuff. Um, and I'm concerned, um, and not because of the topic and the fact it's come from EFF. Um, I'm concerned that this doesn't bother me.
I'm concerned it doesn't bother you.
I know what you mean. I do know what you mean. I've got a Ring camera, by the way.
So do I. And, and so I'm also part of, uh, you know, a neighbourhood watch, uh, WhatsApp group, um, and yeah, whenever there's that...
Does that mean, you see, does that mean you sit on your, your house roof with a pair of binoculars every night?
Every, every second Thursday, yeah. I get the rota, and, uh, whenever I have to do it.
However, whenever there's an incident,
so we've had a spate of catalytic converters being stolen in the area.
Really?
Yeah, because it's clean metal, apparently.
You can sell it for scrap.
It's really easy to rip off older cars, particularly Toyotas.
So, yeah, it happens more frequently than you care, probably at least maybe once a month there is one.
What happens to your car if that happens?
I was knackered. You have to pay like 600 quid for a new one.
And how do you know?
You just try and start it. Nothing happens.
Yeah, well, I assume, yeah, you come out and try and start the car and it just doesn't go.
But, you know, what happens when, you know, whenever there's an event like this, someone says, oh, you know, I had a break in last night.
So just last week, someone had their car stolen.
And literally all the neighbors posted their camera footage from that time to the WhatsApp group in terms of, right, you know, does this help?
And, you know, they add it, they add our sort of community.
It's like a guy wearing a mask, a face mask.
It is.
It's always that, yeah.
But then what they see is the cars driving off, you know,
the cars they arrive in, and they're always false plates anyway.
But I just think if the police are actually,
save us from downloading the footage and sending it to the police. You know, if they can just watch it in real time, I'm actually happy with this. So, yeah, I think it's for... Go ahead, please. Sorry.
No, no, no, I was purely going to agree with Andy, but go.
Yeah, I think you guys are... it makes sense that you guys are totally comfortable with it as well, right? I mean, this sounds awful, but I just think if you felt, if you had distrust for the police for whatever reason...
Yes.
Right, you might find this way more invasive and scary than you would if you're like, hey, yeah, they're on my side, they've always looked after me.
Don't get me wrong, I don't trust the pigs.
I'm just saying that this is purely in terms of ease of administration.
Oh, I see. You can go direct.
Okay.
All right.
We're not seriously saying it from a very privileged,
we're saying it from a very privileged position, right?
Exactly.
We're not going to be the ones who got stopped and searched
or get secondary screening at the airport.
Exactly.
Enter Mr. Malik.
Yes, yes, Javad, yeah. The only time he didn't get secondary screening was when he came with me.
Yeah, because you took me through the business or the first class check-in lounge.
That's right, yeah.
Yeah, I've seen white privilege in action many times in my life.
Yeah. I let you watch it.
I see man privilege.
Yeah.
Yeah.
True.
Yeah.
Well, okay.
Let's stop measuring privilege.
My privilege is less than your privilege.
So, you know, on principle, I think it's one of those things. I much rather that the people still have retained control of when they want to give it.
I have an issue with like automatically being connected to some big brother network because, you know, I actually don't have issues with the police.
But as per se, like the ones on the beat and what have you.
But the thing is that all this information normally goes to some central command and control center,
and then it's being tapped into by all sorts of agencies
with little or no oversight.
Authorized third parties, yeah.
Exactly, exactly.
But do you actually think they have the resource to watch it?
If you think of all the cameras we have in the UK,
and whenever a crime occurs...
So I had a guy, like, years... Years ago there's a guy who rammed my car after a little bout of road rage. And despite all the cameras in Clapham, no one could ever find him or the incident. And it's like, we've got the biggest surveillance infrastructure
in the world, apart from maybe China, in this country,
and yet we still just don't have the resource to do anything
with that footage.
It's just the willpower.
So I think this is where people's distrust comes in,
and what I agree with is that you're sold on the premise that this is used to prevent crime and make you safer.
And in some cases it might do.
But for the majority, I think it will be used for other things other than what you think it might be used for.
And they will be driven by government agendas.
I'm with you, especially when we're kind of wanting more transparency from the police who work for the people, effectively.
So it's going to be an interesting time to have both these powers as well as wanting more transparency.
Yeah.
Because you're not going to get the live stream, right?
It's not going to be shared with everybody.
The police will have the live stream.
And they will limit who has access to view that live stream.
And they'll be able to pick and choose which live streams they choose
in order to build the story if they were up to no good.
I'm not saying all police are, but, you know.
Just 90% of them are.
It's a big power.
It's a big, powerful tool.
Yeah, yeah.
That we're handing to them on a platter.
I mean, even in The Dark Knight Rises,
you saw Alfred walk away from Bruce when he says,
you know, when he taps into all of the phones of everyone,
he goes, this is far too much power for one man to have.
I wasn't Alfred.
People will start using this.
Cops will start playing games following people, you know, up and down the streets.
I think the important thing to take from this was that Jav was wrong. It was not Alfred who walked.
No, it was Lucius Fox.
It was Lucius Fox, yeah. That's what we need to take away from this.
All right, let's... should we move up? Well, actually, what we're going to do, oh, we're going to split the Rant of the Week into two.
Okay. Yeah, very good. That means I get to play the jingle twice.
Exactly. Excellent.
So, yeah, serious stuff. Blimey. I think we have Carole and Jav on one side and Andy and me on the other side there.
Andy and me really can't be arsed with this.
So the white men don't care about something.
How dare you call Andy white and a man.
I'll tell you what,
I take offence with that as an African passport holder.
Yeah.
Anyway, that was this week's... Rant of the Week.
Okay.
What time is it now, Andy?
We have that time where our reliable sources
over at the InfoSec PA Newswire
have been very busy bringing us
the latest and greatest security news
from around the globe.
It's time for this week's...
Industry News.
Ping Identity acquires Symphonic
to boost API and data security offering.
Industry News.
Florida invests in security controls
ahead of hashtag election 2020.
Industry News.
NCSC partners with Microsoft to support cyber accelerator program.
Industry News.
Where's my story?
Industry News.
I don't have a story.
And that was this week's...
Industry News.
How come Carole gets a story and I don't?
Well,
you did true.
Are you trying to pit us against each other?
Javad, I'm on your side. Don't worry.
Well,
InfoSec Stig was slacking this week after, like, you know, so many previously. I think he heard that we're going to have an extra guest, and he or she heard that we're going to have an extra, extra guest.
Okay, Tom, can you just play that jingle one more time?
Which one?
The Industry News one.
Industry News.
Google Forms used in password-stealing spree, what you need...
Industry News.
And that backup story was provided by our friend Davey Winder over at Forbes.
Industry News.
It's always going to happen, Javin, you know it.
We haven't come up with a sponsor
out of this week's stories yet, have we?
Ring, Amazon, ring.
Amazon, there you go.
Jeff Bezos.
Again.
Oh, yes, yes, again.
oh no
How about the Mississippi Police? The Jackson, Mississippi Police.
Go for it.
Sure.
Yeah.
Okay.
Host Unknown, sponsored by Jackson, Mississippi Police.
If you're listening, Mr Jackson, it would be lovely if you could send us some money.
Wow.
Okay, so let's go back to our double rant of the week.
All right.
This is mine, isn't it?
Indeed.
Well, so, you know, I do this show called Smashing Security and we've done 203 episodes.
In the last episode, Tom, you were one of our guests, weren't you?
Yes.
It was a pretty good show. I don't know if you heard the edited version, but, you know, a nice slick show.
We were all a little bit on edge because of the elections, I think.
And I might have been more acerbic than normal.
However, yesterday after we published,
a tweet came in from a guy I'm just going to call Jason.
And it said, at Smashing Security, I'm sorry to say,
but as a longtime listener, I finally unsubscribed.
Why?
Of the 79 podcasts I subscribe to, this is the only one that antagonizes me.
Because of Carol.
He's only just worked that out?
No sexism involved, just can't handle it anymore. Sorry, best wishes.
Now, what an email. Like, so this was direct to us, right?
It was then deleted.
I think it's a DM.
Well, maybe, maybe not.
No, no, no, it wasn't. I think it was to everybody. I think it was open.
I didn't see it, you see, because it got deleted. And then, of course, Graham calls me up.
He goes, did you see the tweet? Did you see the tweet? I said, no, of course I haven't.
And he goes, oh, it's been deleted. And I said, oh, OK. But he had to tell me.
He had to share with me. Did he get a screen? He was like, oh, no, no, I can't read it to you.
I can't. I can't read it to you. And then he did, of course.
But my problem with this tweet is that it doesn't give us... all it says is I antagonize, which I totally do.
But, but, that's kind of the point.
Yeah. It's a weird thing to put out there.
Well, presumably he's getting it for free. He can just turn off the radio, right?
Exactly. And also, does he need to tell you?
I don't know exactly.
He's hurting my feelings on purpose.
So what did you say this guy's name was?
I'm just going to call him Jason.
Jason, you're a knob.
Do we have an app?
Because I'm actually not a dick.
Anyway, so there you go.
So my smashing security persona has antagonized someone in Australia.
What did you say that was?
Oh, from Australia.
I think we know who that is.
We know who that person is.
I think his name begins with a C.
But I just think, you know, if you don't like someone,
if you just think actually about me, you can just walk away.
You know, it's okay. You don't need to say, you don't need to declare your innermost feelings to someone.
Well, OK, let's spin it this way.
OK. And as a person that's been on YouTube for 11 years, I've had my fair share of negative.
It's why I actually don't have comments on anymore because I can't handle them.
Yeah, because you're a little snowflake.
Yeah, and it's mostly us that tell you anyway, Jav.
So we do what Graham did.
We call him up and tell him exactly what people are saying.
You're like Graham.
They're the ones actually posting it most of the time.
So I'm just a different handles.
But I think there's something positive to be taken away
from comments like this.
And it's kind of like the expectation reality gap
that people have in that they,
whenever they consume something,
and we say that,
oh, you listen to this podcast for free
or watch this YouTube video for free
or read my blog for free.
We're not charging you anything.
But there is an unsaid contract there,
which is give me 10 minutes, an hour of your time.
That's what we're asking our listeners to do.
And in return, we will educate, inform, entertain.
Antagonize.
Antagonize you.
And so they have this expectation of this is what I'm going to get from it.
And when it doesn't meet that
they get very deeply hurt because they're emotionally invested in it. So the only people that you hurt are the ones that actually care for you.
So, you know, he loves me.
He loves you so much, but it hurts him.
It was your husband.
That you don't live up to his preconceived expectation, so he's had to go.
And he couldn't go quietly into the night.
He had to just air it before going.
Like a fart.
Exactly.
Exactly.
I think you give this person too much credit, Jav.
It's obviously a dick.
Yeah, you really don't need to do this.
Didn't his mother ever tell him,
if you haven't got anything nice to say, don't say it?
Yeah.
Well, I think what annoys me... but I don't mind if I can't be all things to all people. Of course I know that. And I have a pretty thick skin. I have... grown up with twin brothers that tortured me for about 10 years. So, but what bugs me is that, you know, you can't do anything with that information. It's not like there's something specific where you can go, oh yeah, no, I do that and I choose to do that.
Or I do that and I didn't realize I did that.
Like say it was lip smacking or something.
You might go, oh, okay.
Or pen flicking, Tom.
Pen flicking, yeah, absolutely.
Right?
I think that's an endearing quality of mine.
It is an endearing quality.
But I just think if people are going to write these things, they should do it informatively.
Otherwise, STFU.
Yes.
Yes. Good point as well. Points well... shut the flip up. Anyway, yeah, so that was this week's...
You've got a bit of editing to do there.
Oh dear.
Exit.
So we have come to the final segment of the show. We're even on time.
How can you believe that?
I was actually thinking we are so far ahead of schedule, we can probably squeeze in that story about Google Forms being used and password stealing, the one that's been a backup one for a long time.
The one that I read out earlier.
Yes.
It didn't go anywhere.
You gave us the headline.
You didn't give us the content, Jav.
Yeah.
Jav, you had one job.
So what is it?
Is it a rant?
Is it a tweet?
What is it?
It's more just a good to know.
I think this is part of the news section that we should have. We, you know, informally I've had it for a while, but it's stories in which Jav has been quoted this week.
Ah, yes, hang on. Stories which Jav is quoted in. There you go.
So, Davey Winder, one of the best,
one of the top few cybersecurity writers out there.
Out there with the stick, would you say?
Careful.
I said one of the top ones.
I didn't say the top one. Okay.
So, yeah, he wrote this article on Forbes
and basically people using Google Forms to phish unsuspecting victims. And researchers found over 265 forms on the internet that were impersonating brands.
So you'd basically send someone an email saying, this is Netflix, your account is due to expire, click here.
And it will take you to a Google Forms,
which is all branded like Netflix.
And it just says like, what's your username,
what's your ID and password, and click submit.
The funny thing is, underneath the button,
there is a line that says,
never submit passwords through Google Forms.
But I think it's one of those things.
People just don't pay attention.
There's over 25 brands that they found in it.
So it's AT&T, BT, Capital One.
So a lot of like your big, well-known telcos
or financial services providers.
And yet people either emailed them or they were texted the link to the form. And the
whole thing is like Google or if you use Microsoft, whatever you use, they're all going to be
whitelisted by your company. So it's not like your gateway is going to say, ah, dodgy link.
It's going to say, oh, it's going to say Google.
Let them go through, as you were, sir.
So I think that also gives people the feeling of,
oh, my antivirus hasn't flagged up anything.
My gateway hasn't flagged up anything.
There's none of those weird Chrome warnings
that have popped up.
So they just go through.
They fill it out.
And so we talk a lot about highly sophisticated attacks,
but I think it just goes to show that even just the real simple ones,
people are still making a lot of money off victims from them.
Can I ask a question on that one?
Go for it.
So there was a security company, a well-known UK-based security company
that wanted me to do a talk for them.
And they wanted me to fill in a Google form with all the PII, including password, in order to
register for the speaking gig. And I was really uncomfortable about it. Was that right of me to
do so, to be nervous? Or I was shocked, actually, they were using a Google form.
Yes, I think you are right to be uncomfortable. I think, I think actually the security firm should have been told, are you mad? One, you're asking me to speak here, you can register me yourself. And two, this is a ridiculous way of getting people's information.
Yeah, yeah. And there was a security conference as well, so every other security speaker was obviously doing the same thing.
Jeez.
Wow.
Yeah.
The things we will do for, you know, for 15 minutes of fame.
For the exposure, Tom, right?
Yeah.
For the exposure, exactly.
Smutty or security.
Yeah.
I think that was good, Andy.
I think you got something there.
Yeah.
I think we'll have to get a jingle made up. We're going to have to find some good music to go with it.
He had one.
Anyway, very good, Jav. Thank you. Thank you for that. Yeah, is there anybody on this podcast who hasn't contributed to a Davey Winder article, I wonder?
I've got a phone call here.
Andy is too busy telling his team, go back to the drawing board.
He's a visual learner.
Until he sees the thing, he can't comment on it.
Dave, give me a call. I'll do you an infographic.
Oh dear. Right, should we move on to The Little People?
Yeah, we've got one. We have got one. We have got one.
I will tell you all about it. Jav, do you want... Okay, I'll roll the jingle. Let's do the long one first, shall we?
The Little People.
So we often have, well, we often don't have a Little People, because Little People are quite hard to find and get hold of, and reliable. We actually asked Graham to come and be this week's Little Person, and we could have all the Smashing Security on it, but clearly he's too big and too busy.
You know what he said?
What did he say?
I can't think of anything nice to say about that woman. She antagonizes me.
Is that what he said?
Yeah, that's exactly... yeah, I mean, I may be paraphrasing slightly, I admit. But then I thought, like, let's go back to the roots. Why did we start this section? And it was really not to give people like Graham any more of a voice. It was to help the people that didn't have that much of a loud public voice, maybe who didn't have their own podcast, or maybe they were working behind the scenes, the people that actually made things happen.
Yeah.
And I thought, of course, we've missed out the most important person in Smashing Security,
the person that's been there from the beginning,
who, and apologies, Carole,
who's probably been more influential in promoting the brand than anyone else.
And I don't think anyone even knows their name.
So I'll introduce it.
This week, I was able to get Terry Cluley.
Terry Graham, you dick.
Terry Graham.
Sorry.
The Little People.
Being a professional voiceover artist in cyber is not easy.
You may have heard me on the Smashing Security podcast.
I have to maintain enthusiasm and promote a podcast
even when it's got nothing but filth.
I won't name names
because that is unprofessional of me.
But one of the people on the show
needs an asthma inhaler
because they sound like Muttley.
I quite like the other one
and I've heard the two of them
argue more often than not.
It makes me feel like I'm five
all over again,
passing messages
between my arguing parents.
I love how Host Unknown
liberates the stories
from today and infamy.
In the digital underworld, you are
known as the Great Liberators. Would you consider
liberating me from smashing security?
I think I would very much like to have three dads.
If you want more options,
I am far better at reading lines than Andy.
I don't eat as many Haribos and I'll bring some
value to you too. Hey wait,
you're not recording this, are you?
The Little People.
Wow. Right. Someone's getting fired.
The thing I got from this was that somebody on Smashing Security needs three daddies.
Smutty or security.
Nice, nice.
God, you know what? I did not know Terry.
That was Terry's natural voice.
I honestly didn't.
That's exactly how he talks.
I was on the phone to him for ages.
He's like, he was like, come on, kids, time for bed.
Yeah, I know.
Press option one for story.
Option two for movies.
Hello, wifey.
Would you like to Netflix and chill?
That's exactly how he talks, yeah.
Yeah, wow.
Wow, good points well made.
I tell you.
Unbelievable.
I'm speechless.
I'm speechless.
So, folks, we will draw a veil over this week's, well, frankly, rather shoddy performance.
But a performance nonetheless.
There will be a little bit of editing,
but not too much because we know you like it when we screw up.
So I would first of all, like to thank Carole.
Thank you so much, Carole, for coming on.
I don't think I added much value, but thank you for having me.
I loved it.
I think you did.
I think you did.
Well, if nothing else, you introduced me to horse penises and stick and pickles, which in and of itself is, well, just going to be a highlight of my week now. So thank you, Carole, thank you so much for your time and the pleasure of your company.
Oh, it was a pleasure. Thank you, gents, for having me. Absolute pleasure.
Jav, thanks, mate.
You're welcome.
You had one job, but you... get the guy's name right.
But thank you nonetheless.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
Host Unknown, the podcast, was written, performed and produced by Andrew Agnes, Javvad Malik and Tom Langford.
Copyright 2015, or something like that.
Insert legal agreement here as applicable and binding in your country of residence.
We thank you.
Terry Cluley?
I thought you were going for surnames or something like that.
I don't know.
Jeez.
God, one job. Well, you have more than one job and you still get them all wrong.
This is why we need to write things down, you know.
Do you know what, Andy?
I can send you, your show is almost identical in format and everything.
So I can just send you our template and you can just fill that in.
Where do you think we got ours from?
I just see things and they fall into place.
It's his code like the Matrix dropping down.