The Host Unknown Podcast - Episode 32 - Let's Just Eat Some Haribo!
Episode Date: November 13, 2020

Haribo feature heavily this week, with Andy and Jav fighting over how much and how they should be delivered.

This Week in InfoSec (Liberated from the "today in infosec" twitter account):

5th November 1993: The Bugtraq mailing list was created by Scott Chasin. In 1995 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec.
https://en.m.wikipedia.org/wiki/Bugtraq
https://twitter.com/todayininfosec/status/1324497907245109248?s=20

13th November 2012: John McAfee went into hiding because his neighbor Gregory Faull was found dead from a gunshot the day before. Belize police wanted McAfee to come in for questioning, but McAfee stated the police were "out to get him".
https://www.theguardian.com/world/2012/nov/14/john-mcafee-hiding-businessman-murder
https://twitter.com/todayininfosec/status/1326993312247656451?s=20

Billy Big Balls
Chris Nikic becomes first person with Down's syndrome to finish an Ironman triathlon
https://www.bbc.co.uk/sport/triathlon/54869998
Please consider donating here: https://www.charityextra.com/noahsarkmoments

Rant of the Week
Ransomware Group Turns to Facebook Ads
https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads
Mark Zuckerberg defends not suspending Steve Bannon from Facebook
https://www.theguardian.com/technology/2020/nov/12/mark-zuckerberg-steve-bannon-facebook-fauci-ban

Industry News
Has the Rise of Identity Seen the Death of Anonymity?
Price Dropped on Hacked Educational RDP Details
Malicious Use of SSL Increases as Attackers Deploy Hidden Attacks
#EdgeLive: DDoS Attacks Are Evolving into Extortion-Led RDoS Campaigns
#EdgeLive: Stopping API Attacks with Bot Mitigation
Top Ten: Things Learned from the (ISC)2 Workforce Study
#EdgeLive: Phishing Attacks Now Targeting Enterprise Specifics
PSD2 Faces Further Delays as UK Lags Behind European Compliance
Recommendations Accepted in Advancement for EU Data Protection Transfers

Tweet of the Week
https://twitter.com/phil_branigan1/status/1324761080762163203?s=20
But also a story brought to our attention by @mat: Google Photos is ending unlimited storage and people are not happy
https://mashable.com/article/google-photos-ends-unlimited-free-storage/?europe=true
https://twitter.com/mat/status/1326593729860231168?s=20

The Little People
The marvellously moustachioed Christian Toon

Come on! Like and bloody well subscribe!
Transcript
So, just to prove that this really is happening in real time, not only can you hear somebody, team player Javvad Malik, is typing in the background about a breaking story, something about North Face, was it?
Yeah, North Face has reset the passwords of all their users following a credential stuffing attack.
So he's decided that he hasn't got time to start the podcast with us
because he has to answer this press inquiry.
I mean, Mr Malik, do you have a comment on this?
No, no comment, no comment.
Oh, he's back.
You know what?
I just saw the little red light blinking in the corner,
and I was like, these guys have started recording without me, haven't they?
Yeah, absolutely.
This is how much Mr Malik cares about you, dear listener.
You're listening to the Host Unknown Podcast.
So, hello, good morning, good afternoon, good evening from wherever you are.
It's worth pointing out that if Jav joins us right now, it shows that he doesn't care about the media inquiries because he's literally spent 30 seconds banging out some detritus.
And if he comes back in sort of like three or four minutes, then he doesn't care about you, dear listener, by the way.
Oh, I love you both equally. I can multitask.
He spent 30 seconds banging out cystitis, did you say?
Some detritus. We just have different vocabularies, that's all.
Yeah, apparently so.
Apparently so. I mean, well, obviously we do, because you think an MP4 is perfectly valid as an audio format.
I mean, nothing wrong with using MP4s for audio.
There is.
Anyway, see, this is where, listeners, we find out why Tom has so many gadgets in his house, because he only buys one gadget for one job. He's the type of person, you open his kitchen drawers and he's got a separate peeler. This is for peeling the potatoes, this is for peeling the apples, this is for taking the skin off the pineapple, this is for that. And it's like, you've just literally talked about three different tools there.
Hey, you can use a potato peeler to peel your apples as well.
You can, but if you get a proper peeler, which you stick the apple on, you turn the handle, it peels and cores it at the same time. And if you get the tool that takes the skin off a pineapple, you can do it really quickly and efficiently.
Well, like a knife?
Yeah, no, even quicker than that, because then you've got to chop it up after. This thing, it's all done for you.
I mean, for God's sake. So this is why Tom, despite having a desktop computer, a laptop computer, an iPad,
he still went out and bought a Remarkable because he thought,
oh, that would be better for me to write my notes.
So how are you finding it?
That's three laptops to you.
The Remarkable is actually quite remarkable.
It's lovely.
It's a lovely bit of kit, I have to say.
It's like a Kindle on steroids. It's brilliant. So, yeah, liking it a lot, I have to say.
Anyway, I've got to get through my first part of the show notes, which is: Andy, how are you?
Not too bad, thanks. Yeah, nothing to complain about. I am in desperate need of CPEs as we approach the end of the year.
Right.
You can have some of mine.
Excellent.
Thank you very much.
I've not done too much.
So I joined a couple of events this week, which I alerted you to, Tom.
Mr. Malik has been off promoting his podcast.
Has he?
Yes.
Which one?
Well, exactly.
There's not one mention of the Host Unknown podcast
when he had a captive audience at the Africa CyberSec event.
That's a whole continent we could have just taken over.
I know.
But, I mean, I...
Yeah, how very English of you, Tom.
I was going to say, yeah, that came out a little bit wrong. I was channelling my inner great-great-great-grandfather there.
Revert to type.
Yeah, apologies, man. I was protecting them, you see. Perspective, you know.
I mean, I tried to call him, but he wouldn't pick up. You know, I was looking at him on screen and I was thinking, Jav, pick up your phone, pick up your phone, it's me.
So, Jav, how are you? Have you had a busy week not promoting the Host Unknown podcast?
I have had a busy week, yeah. Can't believe it's Friday already. I don't know where the days go. I think the days are short as well.
It's like you get up, you have some breakfast, you start work,
write a few emails, and before you know it, it's dark.
It's 9.30 in the morning.
Yeah.
Exactly.
I know.
I know.
I think there's only something like 40 days till Christmas
or something like that, which is a little bit.
Exactly.
Exactly.
Although I've got my first Christmas present is being delivered this afternoon.
So that's.
Is it a present you purchased for yourself?
No, that one's not arriving for another couple of weeks,
which is really annoying.
So this one's for my mother.
So don't say what it is.
I know you guys know what it is, but don't say anything because she doesn't know what it is.
The AD3000, right?
Did you say the AD?
Oh, dear God.
The Active Directory book, right?
Mum, I'm sorry.
I'll move on before Andy says something I'm going to regret.
So what have we got today?
Our usual features.
This week in InfoSec, Tweet of the Week, Billy Big Balls,
Round to the Week.
We may even have a Little People today if I can just convert the audio file from MP4 to MP3.
Do we have any Smutty or Security this week?
Who knows. Do we? Maybe.
I mean, I can chuck out a couple and, you know, we can...
Yeah, and when you've done that, can you do some Smutty or Security?
Oh, dear. Dreadful. Dreadful.
Well, let's move on without further ado, shall we?
Let's, yeah.
I told you I'm going to have to organise this soundboard.
I can't see anything on here.
What are we doing?
And by organising soundboards, you mean buy a bigger iPad, right?
Yeah, like I said, mine's not coming till Christmas time. Another couple of weeks.
This Week in InfoSec.
We definitely need to use that music more often.
Oh, it's fantastic.
It's like royalty free as well, isn't it?
It is.
It is.
Absolutely.
Really catchy.
Anyway, over to you, Andy.
Okay, so this is content liberated from the Today in InfoSec Twitter account.
It's where we take a stroll down memory lane to remember our roots and what's happened in the past.
Can I just ask, why do you always laugh when you say "liberated from"? Is that because, you know, actually we just stole it?
Well, yeah. I mean, it always gives me a chain of the five-finger discount, you know, the various phrases we used to use for things.
I had a colleague that used to use the word tax.
Tax?
You know, tax things from people's desks.
Where did you get that calculator from?
Wallets, cameras, phones.
It was more office stationery or office consuming.
One day we came in, he had this huge chair that was specially purchased for someone with back problems, so it was especially designed.
It's like, you're not going to get away with that one.
Yeah, that's right.
I think that person might come hobbling around the corner.
Yeah.
did you also have like an EpiPen in his drawer?
Yeah, he said that his friend really wanted him to have it.
That's right.
As he lay dying, he pressed it into his hands,
looking him directly in the eyes.
Yeah, so he's kept it for, obviously very important to him.
Excuse me.
Anyway, so liberated from the Today and InfoSec Twitter account.
I'm going to do a quick honourable mention.
I don't want to make this a big thing, but as I was thinking about it,
it actually is a big thing.
Back in November 1994, computer scientist and cryptographer
Philip Zimmerman,
who you may know as the author of the Pretty Good Privacy or PGP program,
he was detained at Dallas International Airport following a trip to Europe.
And then he was interviewed by customs. And they questioned him about the exportation of PGP.
Now, obviously, PGP is now one of the most widely used encryption,
email encryption methods in the world.
So why would he be interrogated about it?
Well, back then, cryptographic software was categorized as ammunition.
That's right.
And so he was obviously investigated for allegedly violating the Arms Control Act, and all he had done was make the software available via FTP, which was obviously exportable, or sorry, obviously accessible to people all over the world, and that counted as exporting it from the US. Which, you know, I mean, that's 26 years ago.
Yeah, but that gave rise to all sorts of stories, like, you know, an illegal immigrant was due to be deported, so somebody tattooed the cryptographic key on their arm or something.
Yeah, on their arms, yeah.
Yeah, so therefore he couldn't be deported, which I'm not sure is entirely true, but it does make for a good story.
Yeah, and there are a lot of those sort of anecdotes about the loopholes, where you could attach it to a firework and then launch it, because you're allowed to launch it. So you could attach the source code to a firework and, you know, explode it across the border, sort of thing.
But yeah, I mean, ultimately he made a book, or, you know, just put the source code in a book, because then it avoided the whole digital...
Did the other book have the key?
The other side of it, yeah.
The key.
Yeah.
Sorry, hang on.
There we go.
There we go.
But, yeah, I thought, no, not that big a, you know,
you can't let it pass without, you know, mentioning it.
Because it was a, you know, major event in InfoSec history.
Up there with the time, like, BT was trying to copyright hyperlinks.
But I think also we can copy that when the time comes.
Didn't we talk about that a few weeks back?
We discussed it after the show.
Oh, did we?
Yeah.
They all merge into one sort of big thing after a while.
Yeah.
But anyway, today's story I have opted for 5th November 1993.
Remember, remember the 5th of November?
27 years ago, the Bugtraq mailing list was created by Scott Chasin. And you may recall the Bugtraq mailing list. It was the mailing list dedicated to computer security, where discussions about vulnerabilities or vendor-related announcements, you know, exploits and how to fix them, were published.
Our email back then in the late 90s was the way we got information.
You know, it was considered a high-volume mailing list with as many as 776 posts in a single month.
Wow.
Yeah.
Now, if you consider that is probably the daily average email for people, well, certainly I know I probably get around that per day. So, yeah, I mean, this was how vulnerabilities were discussed in the early days. But you know what was brilliant about this was when Aleph One went on holiday, you know, because the posts were moderated, the list actually went quiet
because the person who was supposed to be moderating content just forgot.
And so, you know, they had like a whole week of, you know, no content,
which is almost like the cyber equivalent of failing to, you know,
water your neighbour's plants when they go on holiday.
Yeah, I think that's, you know, Bugtraq certainly folklore history now, you know, within the InfoSec arena.
But it's not running now though, is it?
No, so it actually got shut down. So it's changed hands a few times. So SecurityFocus, when they had it, is obviously, really, I think, at its peak. Symantec, I believe, acquired it, and they just stopped approving list posts to it. And that was, funnily enough, actually only this year, I believe February this year.
But there was no explanation either, was it? It just suddenly stopped overnight.
That's it.
You'd think some insider would say something.
Yeah, but you know what it is?
This is something that was given to someone else
outside of the desk job.
And over the years, that person sort of passed it on to other people.
Maybe that person left.
Well, exactly, yeah.
Left Symantec, and the person who was supposed to take it on
hasn't been told yet.
Exactly, and people don't even know they've still got it.
So if you're listening, Symantec, you might want to give, you know, Dave from accounts a little nudge.
Yeah, and say, hey, like, just click accept or approve and all those buttons.
Exactly.
But yeah, no, it's, yeah, a very useful tool back then and it was, you know, very big. But you think back then how valuable it was, and then, you know, now it's...
It's nothing.
Nothing.
Yeah, literally a side note in history.
Yeah.
So the second story I wanted to talk about was from just eight years ago,
13th November, and this is when John McAfee went into hiding
because his neighbour,
Gregory Full, was found dead from a gunshot.
This was the start of the, I want to say, downfall of John McAfee.
I mean, some people might say he kind of rose in notoriety even more
and probably gave some great unpaid for, maybe even welcome, PR for McAfee. But this is when you talk about the video with the, sort of, this is his Charlie Sheen moment.
Yes, Charlie. Women and lots of talcum powder, right?
Yeah, yeah. How to uninstall McAfee from your laptop.
Yeah, yeah, yeah. Brilliant.
Yeah.
And you're right.
This was something, anything you read about him, it's, I mean,
it's fair to say that, you know, he's only rowing with one oar in the water.
The cheese fell off his cracker a long time ago. So it did actually seem to start earlier that year, in April 2012, when the police actually raided his property in Belize, where they were looking for unlicensed drug manufacturing.
Yeah.
And so, like, he'd later then claim that when the police raided his property they seized his assets, and then his house just burned down under mysterious circumstances. Which, you know, I wouldn't put it past him that, you know, he probably did something to just, you know, maybe hide something that was there. But yeah, then later that year was the November when, you know, police started looking for him as a person of interest, you know, in connection to the murder of his neighbour.
Just follow the sort of clouds of white dust in the air.
But yeah, so I think his side of the story is that the police mistook his neighbour for him and they killed him. So he's, like, convinced the police were trying to kill him. You know, that's when he actually first went on the run. And obviously, you know, the police, the prime minister said, like, you know, this guy is paranoid, he's just completely crazy. And so, yeah, he left Belize. And then, if you remember, I mean, this was fantastic at the time, but Vice magazine was sort of, you know, interviewing him while he was on the run. You know, he sort of did stuff where he, you know, he
buried himself in the ground and covered his head with a cardboard box
and, you know, really dressed up as a homeless person
and was like, you know, monitoring people, copying him.
But Vice magazine actually gave away his location.
And this caused a lot of discussion at the time
because one of the journalists posted a picture of him,
but he still had the Exif metadata on the picture.
And so, yeah, it's sort of, you know,
he discovered that he was in Guatemala by this point.
And, yeah, and then he sort of started blogging while he was on the run.
And then, you know, the car crash really just continued after that.
You know, he attempted political asylum in Guatemala.
He was arrested for illegally entering Guatemala.
And then, you know, he faked a couple of heart attacks
while he was in detention.
That sounds like an episode of Family Guy or something.
You know, if in doubt, fall over and pretend you've got a heart attack.
Yeah.
Or Community.
Yeah, but I mean, he's still going on, you know, and his history has just been scattered all over the past. But you're right, I think, to finally, this really was the start of that year where a life of...
but it wasn't that long after this that he was at InfoSec Europe.
Yes, we did. Doing a keynote.
It's like I always wondered what were they thinking?
But, you know, I think that was such a, I mean, you know,
it's such a disappointment in some ways because everyone wanted the car crash,
you know, which just, you know,
he came there to promote whatever new company he was starting up at the time.
It was a Bitcoin thing, yeah.
Yeah, which was a shame because, you know, we wanted to see the allegations of...
Well, I didn't see him talk because I was at the InfoSecurity Blogger Awards because that was on at the same time, as I recall.
Did we not come down afterwards?
No, I did not see him talk at all. I know some people who did go and see him. But yeah, I saw him.
Well, that's because you weren't invited to the Blogger Awards.
Yeah, I still turned up like a bad smell. And we had the fake imitation...
Oh, yes, Unknown Total Landscaping. That's right.
Yeah, I'll have to dig that photo out and put it into the show notes.
That's it, that's it. But, you know, Total Landscaping is going to become the name for anything that's slightly fake now, you know.
John McAfee is actually... I met him a few years back and he agreed to a little interview with me as well
and what have you, but it was just a bit of a chat.
But he's actually really nice when you meet him.
Like, he's very welcoming.
He seemed high at the time, but he's welcoming.
He's a nice person.
He's incredibly active for his age.
I think he's in his 70s.
And you know what cocaine does to the body, Jav.
Yeah, that's right.
I mean, look at the Rolling Stones.
I've no idea.
What does it do to the body?
I need to get some of that stuff.
But, yeah, no, he's actually like, you know.
And so I think there's the showman part of him
which is really just there.
He wants to create this legacy.
I think it's this part of him where, like, just becoming a tech entrepreneur
and what have you isn't enough.
He wants a Hollywood movie made about his life,
and he wants Johnny Depp to play him.
And that's how he sees it.
Yeah, I don't think Johnny Depp's available at the moment. I think he's got his own issues going on.
Yeah, exactly. Yeah, but one thing he did say, really interesting. You say that he got some wanted or unwanted publicity for the security company McAfee. And one thing he said to me, he goes, like, I said, is there any tip you have for entrepreneurs or anything? He goes, don't name your company after yourself.
He goes, because even once you've left it,
someone trips up in the driveway,
they want to sue you.
That's probably the sanest thing he's ever said.
Oh dear.
Nice one.
Thank you,
Andy.
Some good stories,
a little trip down memory lane.
This Week in InfoSec.
Okay.
So should we move to, let's see, the show notes have been updated as we speak, to the Billy Big Balls, which I believe is me.
Is you. So let's go for Billy Big Balls of the Week.
So, Billy Big Balls of the Week has got absolutely nothing to do with information security or cyber security.
Hooray!
Blimey, having Carole on last week has really rubbed off on you, hasn't it?
It better not be a security story.
Yeah, well, you know, but when has that ever stopped us?
But this, I thought, was... I saw this and this warmed my heart to no degree.
So I thought I have to mention this.
So Chris Nickick becomes the first person with Down syndrome to finish an Ironman triathlon.
I saw this.
21 years old.
And for those not familiar with a triathlon, it's, you have to swim, cycle and run. So there's about 2.54 miles swimming, over 100 miles of cycling and then 26.2 miles running at the end of it. And he did it in 16 hours 46 minutes, just 14 minutes under the official cutoff time to do it.
And I think it's just so wonderful.
Like, you know, this is a complete Billy Big Balls move.
Yeah.
You know, and it's so inspirational as well, like, in the way that you see, you know, the adversity someone like him has had to overcome, or how much further he's had to push himself to achieve that. InfoSec, and I see people complaining about stuff, about their six-figure salaries and sitting working from home, and their biggest complaint is that there's too many Zoom meetings. And I count myself among those people who complain about Zoom meetings and all that kind of stuff. And, you know, it kind of, like, puts things in perspective.
It's all about perspective, isn't it? Yeah.
Apparently Chris ran this for all of us who have to suffer through a lot of Zoom meetings.
Yes, so we should thank Chris for his, you know, his charity here.
Yeah, you say, this is for you, this is for you.
Yeah, absolutely. I've got nothing to say except if I went on a two-and-a-half-mile swim, I'd be dead.
Yeah, let alone doing 100 miles of cycling and then 26 miles of running.
I don't think we could do it between us.
16 hours between the three of us, we still wouldn't do it.
No, I mean, I've done a 50-mile cycle ride and it felt like my body was being cut in half by the seat. So maybe 100 miles if I could split it over a couple of weeks.
Yeah, but I mean, I could do it if it was, like, on one of those electric bikes or something.
If it was in one of those, what do you call them, motorbikes?
Taxis. I could do it in a taxi.
Yeah. Oh, man. But yeah...
Whenever I...
Sorry, go on.
No, go on.
Go on, and then I'll...
I was going to say, whenever I hear about a triathlon, it always reminds me of the Alcatraz triathlon, which is dig, swim, run.
I thought we were playing Smutty or Security there. Hang on.
Oh, no.
Smutty or Security?
Actually, it was neither.
That's a quality jingle, that one. I tell you, straight off a 60s radio, that.
So did it actually come out that slow, or did you actually slow it down?
No, that is it. That is how it came out. That's how slow you talk, Andy. We have to speed you up in the podcast.
Yeah, the timing that Jav and I have to do is just so tough. Proper BBB moves. You've got to be on it.
You know, it's like any time we meet up to do a video,
for the listeners, it's like those mannequin challenges.
Andy's moving at a completely different pace to everyone else.
Normally with his hand in a bag of heroin.
Yeah.
But before we wrap that up, seeing as we spoke about that wonderful gentleman,
if you're feeling charitable, there's a charity that's very close to my heart.
It's called Noah's Ark.
They're a children's hospice, and they're doing a fundraiser for 23rd of November. They're trying to raise 1.2 million in 24 hours.
So we'll put a link in the show notes.
There's a little video there showing the work they do and how they do it.
And if you're feeling charitable, give them a few
and they'll double your donation.
So it's all good stuff.
Charity, mate.
Yeah, we don't like to talk about it, though.
Excellent. Thank you very much, Jav. Billy Big Balls of the Week.
Right. Yeah, it was a nice little break from the ordinary stuff that we regularly do.
I think that was a good little story to bring out.
We're going to really jump around now because we still haven't worked out
who we could have sponsor this week's show,
but I'm sure that will become apparent,
especially after I do this week's Rant of the Week.
OK, this week's Rant of the Week is the second time I'm recording this because I fluffed it up the first time, and trying to get a lesson from Smashing Security and their heavily edited show.
Fake show, fake show, fake show.
Fake show, absolutely. Everybody knows. Just ask them. Everybody's talking about it.
So this is about a ransomware group turning to Facebook ads, of all things. So friend of the show Brian Krebs has reported that on the evening of Monday, November the 9th,
an ad campaign was apparently taken out by the Ragnar Locker team on Facebook.
The ad was designed to turn the screws to the Italian beverage vendor Campari Group,
which acknowledged on November 3rd that its computer systems had been sidelined
by a malware attack. So this is the equivalent, I guess, of Stanley Kubrick putting a full page ad
in the New York Times to get one of his films banned or whatever. This is the ransom, this is
a hacker group putting an ad on Facebook to say to the Campari group,
you better pay up.
By the way, everybody now knows that you've been hacked,
which is really shocking on a number of levels.
One, the fact that a criminal organization felt the need to put in an ad on Facebook.
And two, most importantly, Facebook actually accepted the ad.
I mean, what the hell?
Money's money though, right?
Yeah.
Yeah, exactly.
I tell you what, let's start advertising for a getaway driver,
shall we, on Facebook.
You know, need money, full driving licence.
Well, you do have a lot of armchair experts on Facebook.
Well, yeah, yeah.
Actually, I'm sat on a stool at the moment.
But I can't believe, and there's a link to this in the show notes
to Krebs on Security, who I think
would be a very good sponsor of the show, by the way.
Well, actually, judging by the story, I think
the Ragnar Locker team would be a good sponsor
of the show.
Because money is money.
Exactly.
We already qualified that. Good work, Andy.
Yeah, exactly.
See, you line them up and we'll
knock them down. But yeah,
absolutely shocking. But it gets worse than that. It gets worse. So Bill Russo has tweeted, if you thought disinformation on Facebook was a problem during our election, just wait until you see how it is shredding the fabric of our democracy in the days after. Look at what has just happened in the past week.
Basically, Steve Bannon has gone on record as asking for the beheading of Democrats,
was it, or certain Democrats, including on Facebook.
He's been banned from Twitter.
I think he's correct.
Mark Zuckerberg went on the record to defend not suspending Steve Bannon
because he hasn't basically had enough strikes to be banned from Facebook.
So presumably what that is effectively saying is it's OK to call for the beheading of certain political groups, except maybe when they're Islamists or something like that.
It did bring up a very interesting discourse afterwards, which said, why don't we set up a Facebook group calling for the beheading of Zuckerberg?
And I bet you it will get shut down pretty quick.
And then someone else said, yeah, but if you behead Zuckerberg, it will just grow back.
So, yeah, appalling, appalling.
It is.
Facebook is my least favorite company in the world.
Not even least favourite.
It's one of the worst companies in the world,
mainly because it operates under a facade of respectability,
but is, frankly, quite the reverse.
That's right.
That's right.
I think the problem with this, again,
the thing that's missing from this story isn't the fact
that Zuckerberg said that Bannon hasn't violated enough policies.
So in saying that, he's making it into a this is the only case kind of issue.
Yes.
Whereas it's a systemic corruption within the entire organization, within how the platform operates that needs to be rooted out and revamped.
And that's the real issue there.
Yeah.
Yeah, and things like it, you know, it virtue signals over things like,
you know, banning pictures of breastfeeding mothers
and things like that.
Anything with a female nipple is not allowed, et cetera.
Free the nipple.
BBC did.
Sorry?
Free the nipple, absolutely.
Of all nipples, not just one particular, I was going to say brand of nipple.
That's not quite the right thing, is it?
Get your mind out of corporate mode, Tom.
Yeah, exactly.
But the BBC did some investigative journalism
into paedophilia rings on Facebook,
and they sent Facebook, this was in the news just a few weeks back,
they sent Facebook evidence of these paedophile rings
operating on Facebook.
Facebook said, we're going to need more information,
we're going to need more proof before this.
So BBC sent them, I think it was either 12 or 14 images
that they had found on these Facebook pages.
What did Facebook do?
They went and investigated as a result of those.
No, they didn't.
They didn't investigate as a result of that.
They reported the BBC to the police for the distribution
of child pornography.
Just, just.
My God.
Sweep it under the carpet, move it to.
Yeah.
Is Facebook the new Catholic church?
Discuss.
Controversial.
Fuck.
I don't know.
It boils my blood so much that I'm just going to do this.
Rant of the week.
So while Tom is now off getting some blood pressure medication, Andy,
why don't you take us on to the next story?
So this is about – well, it's not about.
It's from our reliable sources over at the infosec pa newswire
who has been very busy bringing us the latest and greatest security news from around the globe
industry news
Has the rise of identity seen the death of anonymity?
Industry News
Price dropped on hacked educational RDP details.
Industry News
Malicious use of SSL increases as attackers deploy hidden attacks.
Industry news.
Hashtag Edge Live.
DDoS attacks are evolving into extortion-led RDoS campaigns.
Industry news.
Hashtag Edge Live.
Stopping API attacks with bot mitigation.
Industry news.
Top 10 things learned from the (ISC)2 Workforce Study.
Industry news.
Hashtag Edge Live.
Phishing attacks now targeting enterprise specifics.
Industry News.
PSD2 faces further delays as UK lags behind European compliance.
Industry News.
Recommendations accepted and advancements for EU data protection transfers.
And that was this week's
Industry News.
Huge if true.
Huge if true.
Did you know the one
that strikes me,
the DDoS attacks
revolving into extortionate
RDoS campaigns?
Those sound like characters
from Star Wars.
Yes, they do.
What is an RDoS attack anyway?
I have absolutely no idea.
So you've got a distributed denial of service attack to a relative?
Don't know.
Don't know.
And also, is the Stig on steroids this week?
I have no idea.
I think last week it was a slow week and we called them
out. We called them out. I think that's
what it was. I think the boss has cracked the whip a little
bit.
Yeah. Unless it's just a
spelling mistake, you know.
I'm trying.
It's where cyber
criminals send a message threatening to carry
out a DDoS attack or
infect an organisation's operational systems
with forms of ransomware.
So it's a ransomware
denial? Ransom DDoS.
So it's
R-DDoS, not R-DoS.
Yeah.
It says R-DDoS.
It's a pirate account.
That is just lazy, honestly.
Some of these words are like June 2017.
Look at an article.
What is RDoS?
Ransom DDoS.
It's just one of those that hasn't really stuck.
Hasn't entered the vernacular at all, has it?
Yeah.
You know, what I thought was really funny is the PSD2 faces further delay
as the UK lags behind European compliance.
And I thought that's the whole purpose of Brexit.
Extreme news.
Sorry, as soon as you read that headline, I need to know.
I thought, isn't that what Brexit was about?
So that we don't need to lag behind and make up our own compliance and say we're way ahead of it.
Yeah, yeah.
When actually we're stuck in the dark ages. So the funny thing about that was I think it was Spain actually had a delay
over the rest of Europe anyway for when this came into force.
I know there's like a nine-month delay compared to the rest of Europe.
So to me, it's already behind.
It's like PCI.
You know, when PCI first came out,
no one was compliant with it.
And I think this is a similar sort of thing with PSD2,
is that, you know, it comes out
and very few people actually fully understand it
and are compliant with it.
So for the readers, for the listeners out there, Andy,
what is PSD2?
It's a Photoshop file extension.
Payment Services Directive.
You know, I'll be very honest, I got really confused when I saw it. I thought it was referring to the high-speed train network or something. It was like, that's HSD2, isn't it? Exactly. Gone completely off reservation there. Yeah, but one I did like
was Price Dropped on Hacked Educational RDP Details. It's like hackers are having a Black
Friday sale and, you know, getting in early like all good retailers are.
They sort of extend it, you know, over the whole month of November rather than just around that Thanksgiving weekend.
Well, they have very business orientated operating models.
Let's face it, you know, it's the ecosystem which they work in or the financial ecosystem in which they work in is incredibly mature, which is scary.
But, yeah.
It's not just mature.
It's very pure.
It's a one trick pony, but they really hone it really well.
Like, how do we make money?
And everything's focused on it.
There's none of this, like, let's have an offside.
Ethics, morals.
Yeah.
No, no, but I'm sure they don't waste time on all this stuff.
Let's have a stand-up meeting.
Let's have a town hall.
Let's roll out something, you know, a transformation program.
No.
Exactly.
Agree with me or it's a bullet to the knee.
Yeah.
That just rolls off the tongue.
It does. It does. Excellent. Thank you very much.
I think we can move on now.
We are going to go to...
God, these notes are all over the bloody place.
Here we go. Right. Yes, let's go on to this week's Tweet of the Week.
So I had this one.
I was debating between two tweets.
We've got 15 minutes.
You can do both.
Yeah, I opted for both anyway.
Phil Branigan on Twitter posted the best tweet,
which I've seen all week.
It says, is this luck or a new Apple Podcast iPhone 12 feature? I've never before had all my favorite security podcasts delivered
at exactly the same time. And what he's got is a screenshot clearly showing his favorite security podcasts, of which the Host Unknown podcast is clearly the top security podcast
within that list.
So Phil Branigan.
In fairness, because other podcasts do exist.
Oh, other podcasts do exist.
So we also have the other three.
We've got a really good one called Sticky Pickles,
of which I did actually download.
Actually, I like Sticky Pickles.
I'm listening to that.
That makes me laugh.
I did all six episodes last week following Coral's appearance on the show.
They are hilarious.
Yeah.
They also have the Cyber Wire Daily
and the Host Unknown Total Landscaping podcast as well.
Yeah, I know that one.
It's like the fake Host Unknown.
That's the one.
What are they called?
Oh, what's it?
Smurf, Smurf, Smurf, Smurf.
No, that's a vulnerability.
Smutty?
Smutty Security.
Smutty Security.
Yeah, that sounds about right.
I thought there wasn't a G in there.
Yeah.
So, Phil Brannigan, thank you very much for that one.
Second story we have, brought to our attention by Atmat on Twitter.
Obviously, he got in early, got a good name.
This is about Google Photos ending unlimited storage and people are not happy
So he essentially said, Google Photos has been one of my favorite software tools for many years,
you know, since it was part of Plus. I completely understand the teeth gnashing,
but I'd rather pay for it than have the company monetize it in other ways. And so, as Google only just worked out that,
well, using a free service means that he doesn't own those photos at all anymore. Yeah,
I think this is one of those, you know, horse has already bolted moments, you know, thinking that
now's a good time to start paying for storage. But if you ever wondered how you're
getting all of that stuff for free, I mean, obviously the famous saying: if you're not paying
for the product, you are the product. Yeah, yeah. I don't know, but this is like drug dealer territory.
You give someone something for free for years and years, getting dependent on it, and then you say, ah,
time to pay now. I think that's what people are more...
That's what's caused the reaction to people, that because they've got used to it being free.
I think if it was like from the outset you say, hey, pay or we're going to monetize your data, it's a
different sort of thing. But I think that's gone. Yeah, no, but I completely agree. I think it's the right move by Google. I think,
you know, there's no financial benefit to the company in providing this for free,
and even if it's just a nominal fee that they charge, people are there, they'll stay there.
It's a lot easier to stay with the provider if they're completely embedded in that ecosystem. And, you know, Google can make some money off it as well.
But even if you're paying, it wouldn't surprise me
if they're going to monetize them anyway.
Yeah.
I think this, yeah, so I've not read the terms and conditions.
So, and this is one of those things, you know,
I've not read the details, but let me tell you what I think
of the headline.
Hold on. You rang?
This is where you get true in-depth analysis of the headline. Exactly. But I mean, this could
just be another revenue stream. And the thing is that people are completely up in arms about it,
saying, you know, they've got hundreds of, sorry, thousands of photos on there, tens of thousands of photos,
you know, gigs and gigs and gigs.
And you're still getting 15 gigs for free.
And it's $2 to go, $2 per month for an extra 100 gig of storage.
Like, you know, to me, that is cheap.
That is nothing.
Token payment.
It is a token payment. But, you know, even if like 10% of their users did that,
they're still laughing.
But, you know.
And do you know what?
The thing that gets me is that people don't realise
they're handing over the rights for Google to use their photos.
Yeah.
And they probably still are when they pay for it
because that's how Google operates.
Their whole financial model is based upon the monetization
of every single piece of data.
So, ladies and gentlemen, boys and girls, Tom hates Google.
He hates Facebook.
There's only space in his heart for Apple.
Apple.
And even they've pissed me off today as well.
What have Apple done for you?
So I tried to download Big Sur last night.
Big Sur, for anybody who doesn't know, is not the name of my dom,
but is actually the latest operating system from Apple.
And their services got completely shafted.
So not only did you get this really unhelpful message
that we cannot carry out the upgrade at this time,
when you tried to open any application, they just hung.
They failed.
They didn't even hit the screen, as it were.
And it turns out it's because the Mac is making some kind of call
to an Apple service somewhere and was getting nothing back.
Guys on holiday, right?
Yeah, basically, basically.
And somebody quite rightly said...
And I think they were getting nothing back because they obviously had an issue somewhere,
and then the huge amount of download requests for Big Sur and all that sort of stuff.
But somebody rightly said, if Netflix can scale for the release
of a new film and all that sort of thing, predictably scale,
surely Apple can predictably scale as well.
And I must admit, I hate to sound like an arse,
but it just felt like, what the hell?
I'm paying into this sort of ecosphere quite reasonable sums,
I have to say, because I've been paying for photo storage
for a number of years now, of a whole £8 a month, I think it is,
and a bunch of other stuff.
But it just seemed like you screwed this up big time
after all of those big, bloody announcements that they made,
three in the last
couple of months, and it all just fell apart at the last hurdle. It was very disappointing.
But, you know, I think every company is... you know, we always look at Apple
as this huge company. I mean, they've only got, what, like a trillion dollars in the bank or something.
You know, they've... yeah, I mean, they've got to save for a rainy day. But I have no doubt that they are extremely efficient in terms of, you know,
sort of downsizing teams, you know, as many global corporates are.
Oh, yeah, of course.
So, you know, to me, it wouldn't surprise me if they're saying,
look, we've got this new product to deploy,
but people aren't likely to buy it this year.
You know, there's a pandemic going on, you know, records, unemployment.
It's not too different from the iPhone 11. Like, you know, we're only going to get this core group of people, we're not going to get the other sales, etc. Therefore, you know, we don't need...
You know, the products we're releasing this year are comparable with other products that are cheaper,
you know, we don't need the same size teams that we've had in previous years.
And then, you know, what you get is different teams.
You know, don't follow processes like that.
But this was not a sole product.
This was an upgrade.
This was a free operating system upgrade.
Yeah, but I mean, free at what cost?
Nothing.
Free as in nothing.
To us, as the consumer.
But internally, what resource have they dedicated to
it, is where I'm going, in terms of... Yeah, but you were arguing that they weren't investing in it
because they weren't going to make as much money out of it. Yeah, the people, like, people's side. It
wouldn't surprise me if they got rid of a whole load of people that would normally support. Again,
I'm just making stuff up based on, even reading the headline, but hearing the headline.
I know, I know.
I've got a snap judgment, and I will say,
I bet they got rid of a load of people.
Yeah.
This is just amazing.
This is just like the sheer speculation.
You don't come here for facts, people.
It's the specificity.
It's how specific you got around, like, well, this is the economy, this is the environment, this is what they're doing, they're very efficient in this, so therefore they have reduced...
I see things. Let me make up some... I see things. These things just happen. I see things play
out. I've seen it. So, so, you know, Mr CSO, former C... Oh, yeah. You know, it's like the question I ask is like,
this is the first version of a very new OS.
Maybe you should be waiting to install it on your machines, you know?
No, no, no.
Do some regression testing, that kind of stuff.
Wait for the second release.
It will come the following week
I'm a part of the beta program
so I can get the alphas and the betas of the software
and I gave that up
because that did screw me up a couple of times
but release versions I'm cool with
yeah well
but you still want it working 100% right
well 60%
of the time it works every time
right excellent
thank you very much
for that Andy
for this week's
tweet of the week
we still haven't had
a sponsor for this week's show
who's it
oh Ragnar Locker
shall we do them
yeah
yeah okay let's do them
host unknown
sponsored by
Ragnar Ragnar.
Ransomware people.
Criminals, because money is money.
We do take cash as well in brown envelopes.
I think it's time for that part of the show.
Jav.
Yes.
Are you going to play the...
Yes, I'm going to play the jingle.
I just thought I would get you primed and ready.
The Little People.
So, we don't actually have a little person this week.
I'm sorry.
He's quite tall.
Yeah, he's quite tall.
Sorry.
Hang on.
Hang on.
There we go.
So, yes, we do have a little person for this week.
It is a good friend of the show, CISO, Mr. Christian Toon,
who I got in touch with
and I was like, you know
what actually
so I know Tom
you're in really grumpy old mood
old man mood today
Yeah, I am a bit
Yeah, yeah
So I thought
let's carry on that theme and let's ask
Christian,
respected CISO, what actually grinds his gears?
And he was quite open about it.
The Little People.
Hey, thanks, Jav.
Listen, before I give you the answer, though,
I feel a bit awkward bringing this up.
I never got confirmation for that appearance fee you promised.
You said you'd speak to Andy about shipping that 5k Haribo box and Tom about getting one of those
witty t-shirts that eSports signed and sent over. Listen, Jav, as the sole founder of Host Unknown,
I'm really relying on you, mate, to come through, if that's okay. Okay, right, let's do this. So what makes my blood
boil? Right, got to be careful I don't go full grumpy old man on my response here, but I think
for me it's got to be the self-serving, egotistical numpties in our profession. I mean, come on, you can
clearly see they've got their own interests at heart. The way they operate as organisational or industry hand grenades and behave in a world that feels that they owe them
a favour. Their draconian views, and they're just not nice people. It really gets me. For me,
security leadership's about bringing the best of the team together to deliver on what's needed.
And it's really hard when you've
got to work with these characters. They don't want change. They believe the right way is their way
because they've been doing it for the last 20 years, or that they go out the way to bully or shame,
criticize other people for not doing their job or for trying to better the industry. It's tough.
I mean it's a good job you're not recording this, dude.
Otherwise, I'd be able to have to tell you some stories
and these people, man, just so you can avoid them.
Hang on, wait.
You're not recording, are you?
The Little People.
So I take umbrage at two points there.
Good points well made, though.
Well, firstly,
Jav is not the sole founder.
I am. It's on my LinkedIn profile.
It must be true.
And secondly, I have never been accused of sporting
a t-shirt. I've not sported anything
in my life. You only have to look at me
to know that. Otherwise,
very good points well made.
Yeah, and Andy,
you're shipping off
the Haribo.
There is no way
I'm shipping 5k
of Haribo
to anyone.
What,
you're going to
just eat it?
It's all mine.
Yeah.
Ship it to me
and I'll forward it on.
I'll make sure
it reaches Christian
in...
Right,
I'm going to make sure
it's not Halal
the stuff I send you. Yeah, that's right, because otherwise Jav will just eat... Exactly. You're like one of those
people who are like, let's dip our bullets in pig's blood.
Oh my, let's get our Haribo and pig's blood, boy. That'll stop them Muslims.
Oh, my days.
What the hell?
Honestly.
So between Andy's blatant Islamophobia and Tom's wanting to recolonize Africa today,
I think we've had a decent show.
Yeah, but let's not forget your absolute depraved statement
that you're the sole founder of Host Unknown.
Obviously, you're not.
Yeah.
Oh, dear.
That was good.
That was good.
You've got to love Christian.
Although I was chatting to him yesterday
and he's got his really dodgy moustache for Movember.
I mean, it makes him look like he was born in the 1930s,
and he flies spitfires.
It's terrible.
Have you seen him any other month of the year?
Because you may have just offended him.
Do you know what?
Funny enough, I think the last time I saw him was in November last year.
That's very true, actually.
Very true.
Oh, dear.
Excellent.
Well, I think we've come to the end of it.
We really have.
Gentlemen, thank you so much for your time.
Jav, thank you very much, sir.
You're welcome.
And Andy, thank you.
Stay secure, my friends
Stay secure by Andrew Agnes, Javad Malik and Tom Langford. Copyright 2015.
Or something like that.
Insert legal agreement here as applicable and binding
in your country of residence.
We thank you.
I think we got away with that one.
Yeah.
I don't think anyone listened to it carefully.
No, they're just filling the gaps.
Just pop around, switch it on, go do some shopping, come back, it finishes.
They think they've listened to the whole thing. And if you do have any halal
Haribos, you can send them