The Host Unknown Podcast - Episode 35 - The Triple Unicorn
Episode Date: December 4, 2020

The penultimate episode of the year, so only one more to go until you have the full set for 2020.

This week in Infosec
(Liberated from the “today in infosec” twitter account):

3rd December 1980: The ...Australian Law Reform Commission chairman called for new laws to deal with "computer crime". He said the old definition of theft was not apt for a "fleeting, transient medium, the ephemeral flicker of a screen or information stored on a disc..."
https://trove.nla.gov.au/newspaper/article/126161975
https://twitter.com/todayininfosec/status/1334231500448034824?s=20

1st December 2012: Pepsi Cola's official website in the Philippines has been hacked by the Malaysian hacker group Cyb3rSeC. The hackers did not come across any sensitive information, but changed the appearance of the website.
https://www.flashback.se/artikel/2637/pepsi-cola-hackade
http://www.zone-h.org/mirror/id/18675231?hz=1
https://www.securityfocus.com/news/389

Tweet of the Week
https://twitter.com/BriannaWu/status/1333150373599715329?s=19

Billy Big Balls
https://www.vice.com/en/article/4ad3jm/watch-google-hacker-ha-26-iphones-with-zero-day-exploit
Watch This Google Hacker Pwn 26 iPhones With a 'WiFi Broadcast Packet of Death'
A Google security researcher found bugs that allowed him to take over nearby iPhones with a Raspberry Pi and just $100 in WiFi gear.
Industry News
Experts Call for Online Fake News to Be Addressed as #COVID19 Vaccine Emerges
How to Reduce Fake News in Online Advertising
Remote Workers Admit Lack of Security Training
#thinkcybersec: Reconsider Hiring Strategies to Meet 2021’s Digital Challenges
#thinkcybersec: Don’t Presume Legacy Tech is a Negative Thing
Salesforce Set to Acquire Slack for $27bn
Native Cloud Security Controls Still “Not Good Enough”
#WebSummit: Companies of the Future Should Focus on Data Privacy Rather than Data Collection

Jav’s industry news
Microsoft’s New Productivity Score And Workplace Tracking: Here’s The Problem
There’s no vaccine for ransomware
Remote Workers Admit Lack of Security Training
Microsoft 365: Corporate Privacy Invader Masked As A Collaboration Tool?
NHS Error Exposes Data on Hundreds of Patients and Staff
Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company

Infosec Stig is moving on from 17th December: https://www.infosecurity-magazine.com/editorial/final-shot-farewell/

Rant of the week
https://www.theguardian.com/technology/2020/dec/02/microsoft-apologises-productivity-score-critics-derided-workplace-surveillance
Microsoft has apologised for enabling a feature, “productivity score”, which critics said was tantamount to workplace surveillance. The company says it will now make changes to the service, which lets IT administrators “help their people get the most” from its products, in order to limit the amount of information about individual employees that is shared with managers.

The Little People
Is it Leslie Show or William Lau? @lausecurity

Come on! Like and bloody well subscribe!
Transcript
Right, so the pre-roll.
We haven't actually got much time to think about pre-roll, have we?
Okay, because we're a bit short.
Why don't we just pretend we got one, like the end of it or something?
Funny.
What's a good punchline?
I don't know.
Okay, so yeah, and then the salesman turns around to the managing director and says,
no, no, Ethernet. You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are
and welcome to 2020's penultimate episode of the Host Unknown podcast.
And welcome Jav and Andy. Jav, how are you?
I'm very good, thanks. How about yourself?
Yes, not too bad. I'm a little tired, if I'm honest.
A little tired, but yeah, I'm okay.
Okay, Andy, what about you, sir?
Not too bad.
Can't complain.
You know, every time you open up with, you know, good morning, good afternoon, good evening,
that reminds me of a TV show called Midnight Caller.
I don't even remember that from maybe 90s, late 80s, early 90s.
Oh, yes, yes, I do.
Yeah, which is to end it with, and good night, America, wherever you are.
I thought it was, I sort of, it's a partial ripoff of Frost, David Frost.
Yes.
You know, or was it Alan Wicker?
Hello, good morning, hello.
Oh, it's gotta be Frost, right? Well, one of them, one of the classics anyway.
Um, but no, you just gotta steal it and then make it your own, right? Well, absolutely.
So how come you're so tired? What's changing your rhythm? Oh my goodness, I tell you what, he's got an honest, honest day's work
under his belt, that's what. Yeah, which over five days isn't bad. Well, I got a new job, haven't I?
Got a new job. Um, congratulations. Thank you very much. Are you a key worker now?
I do believe what I do fits into that category of essential services, yes.
Yeah, absolutely, absolutely.
Tell us all about it.
Well, I'm working for this wonderful company called Sentinel One,
in case nobody had guessed up till now, started on Monday.
And I tell you what, talk about being out of your comfort zone. I've got no idea what's going on,
but it's slowly starting to form into shape. So get in there, get in there. But I spent a lot of last week closing off my contracts with TL2, who will continue to sponsor the Host Unknown podcast, I hasten to say. And then, yeah,
dropped in at the deep end with Sentinel One this week. Probably the hardest part is the shift from
Office 365 to the G Suite.
That's probably the thing that's killed me the most.
Okay, that's interesting because I know a lot of people who hate going the other way as well, people that will absolutely,
they will die before they switch from G Suite to Office 365.
I think it's what you had growing up effectively, if you see what I mean. Yeah. Because I've been using Word since version 1 or 2, something like that.
Since it replaced your version of WordPerfect.
Yeah, I was on WordPerfect 5.1, I remember.
Oh, dear.
Seriously, on an Amstrad, crikey, what was it, 1512, I think it was?
Not sure.
With two floppy drives. It's still in the museum if
you want to see it. Yeah, absolutely. It was beige is all I can say, uh, very, very beige. Um, so yeah,
moving, WordPerfect was what I knew, and then moved to Word and never looked back, and the whole
Office suite. So G Suite I struggle with, I have to say. Um, and the fact that you have to use it
in a browser, it just doesn't make sense to me. Jeez, what's wrong with an app, you know? That's
why I like it on iPad and iPhone much more, because you get an app for it. It makes sense. I
was like that in my previous company. We went from Microsoft to G Suite. Now, actually, we were on G
Suite and we went to Microsoft, and I love Microsoft, but most of the company hated it, so we went back
to G Suite. What? Yeah. Um, but actually now I've gotten quite used to it. There's some quirks I
really don't like, but I think you get used to it. But what's your role there anyway, Tom?
Well, like I said, it's like a key worker role.
It's vital during these times.
And I think...
It sounds very marketing related to me.
It is in the product marketing area, yeah.
And I don't really want to kind of, you know, sully the, you know, the
role by putting a label on it, per se. You're monologuing.
Security advocate.
See, folks, that is the career trajectory. You start off as a consultant, you become a CISO
of a global organization, and then you retire, become an advocate. Yes, that's the way. When you,
when were you a CISO, Jav? I just skipped it. I just went straight for the top. If you remember,
Tom he did a video when he played Santa's seesaw when they got hacked in the North Pole.
That's right.
And also a seesaw that accepted the risk, as I recall.
Oh, yeah.
12 inches of risks, as I recall.
Anyway, that's great news, Tom.
Congratulations.
And I think we've got a new sponsor for the show.
Well, let's hope so.
Yes, actually.
Bow to our Sentinel One paymasters.
Absolutely.
Here we go.
Host Unknown.
Sponsored by Sentinel One.
Catching.
If anybody from Sentinel One is listening,
I'm going to be hitting you up for some money.
Probation period.
Probation, yeah.
In about three months, I'll be hitting you up for some money.
No, I have to say, like many companies,
or many good companies, the people are lovely, uh, and they have, uh, a pretty
strong, uh, culture, a good strong culture with some core values as well, which I find really important,
and I was very pleasantly surprised by, uh, by that sort of stuff.
I'm sorry, what? Honeymoon? Honeymoon phase.
Yeah.
Shush, they're listening.
Our potential sponsors are listening.
Shut up.
Anyway, so what have we got for you this week?
Our regular features, the not-so-new This Week in InfoSec,
Tweet of the Week, Billy Big Balls, Rant of the Week, some industry news.
And do we have a little people today?
Well, we'll just have to find out. We'll just have to find out. Gosh, it's almost like we want you to
stay to the end. So, um, yeah, why don't we go straight on to, uh, the first part of our show,
which is called This Week in InfoSec.
So This Week in InfoSec is, uh, typically the content liberated from the Today in InfoSec
Twitter account as we stroll down memory lane as
to what happened in this sector over the years, um, for that little hint of nostalgia. Um, however, this
almost turned into a Rant of the Week, because you know what, he's not updated it that much this week.
Literally one story from there this week, so it's been a very quiet week in InfoSec over the years. So much so, I actually went out and found my own story on this one.
But starting off with what we did have available to us, this takes us back to 3rd of December 1980.
So a mere 40 years ago, long before I was born.
And when Tom, you were probably finishing uni about this time.
Not far off. The Australian Law Reform Commission chairman, uh, called for new laws to deal with computer crime, as he said the old definition of theft was not apt for a fleeting, transient medium,
the ephemeral flicker of a screen or information stored on a disc.
I love that phrase. It is a great phrase. To think this was 40 years ago he used that phrase, and,
you know, this is, uh, someone who saw the, um, times were changing, and how laws, you know, laws don't
change quickly, you know, unless you've got a president who just wants to rubber stamp things
and look after his buddies.
But otherwise, you know, there's a big, long process to go through, you know, making these laws.
And, you know, they are difficult to get right, to be all encompassing.
And yet, you know, allow some movement, you know, for that interpretation, almost like a good security policy.
You know, I'd say on that one.
But so back in 1980, if you think now that the current laws
that we have protecting against, I guess, computer misuse,
you know, in the UK, that's the Computer Misuse Act of 1990.
So that's 30 years old.
Ten years later.
Yeah, and then you've got the, you know, the US equivalent,
I think, you know, the Computer Fraud and Abuse Act 1986, sort of six years after that phrase.
Australia's been quite forward-thinking in much of this sort of legislation.
I think it's part of them being like a new country.
I mean that in the sort of best possible way.
Not in a colony kind of way.
Oh, absolutely not.
No, no, no, no, no. But no, you're very right, with their
own laws, you know, because given where they came from and all. Yeah, but, uh, I mean, yeah, you're
right. And just, um, you know, taking this to, you know, another one of my passions, uh, I think my
first time in Australia I was surprised to see that their McDonald's were McCafe's
instead of McDonald's, and that they did a lot more on the salad-y stuff, but without
all the calorific Thousand Island dressings and stuff like that.
And their packaging was cardboard. And I'm going back to the late 80s here. Their packaging
was cardboard.
Yeah, you're right. Very forward thinking. That's a whole country very
environmentally conscious as well. Um, you think that reusable bags and things like that, you know,
they had that long before we did. But we digress. So I guess it's just really highlighting
how difficult it is for lawmakers to, um, you know, come up with these guardrails for an ever-changing
environment that we live in. Um, but yeah, there was a, uh, this man 40
years ago, Justice Kirby, uh, his name was, um, you know, saw this coming and said that we should be
addressing it. And so the second... Did Justice Kirby subsequently retire and set up a vacuum cleaning company, which, which Jav, didn't you buy into? No, I'm sure you were... Didn't you tell me you were a
vacuum cleaning salesman at one point? No, no, no. Yeah, I was far more respectable. He said he sucked.
There's a difference. Oh yeah, that's right. What did you buy, Jav? I bought into one of the dreams of reselling telephone services.
Oh, wow.
Where, you know, when BT was deregulated and everyone could get in.
Oh, right, yeah.
And there was a company that came from America.
In America, it was called Excel, and in Europe, it was called Your Excel.
And basically, if you signed up, you know, three people, you got a bonus,
and then, well, you had to pay like a couple hundred pounds.
Traditional MLM sort of thing.
So if they signed up people, you got money as well?
Yeah.
Right.
I'm getting the shape of this company already.
Yeah, yeah.
It was very solid structure.
You know how the pyramids of Giza have stood with... I bet you they used that analogy in their pictures, huh?
They've had Madoff Malick, yeah.
Basically, if you sign up three people and they sign up three people
and they sign up three people, by level seven, you've got 2,140 people.
This thing's burned into your brain.
You could get 2% off everyone's phone bill.
Now, average that out.
You know, you could be making about 20 grand a month.
Now, let's assume a 90% failure rate.
You'd still only get 2,000 a month.
Now, you tell me, does 2,000 a month extra to you for doing nothing
sound appealing?
Did you try and sell this to other people?
I did, yes.
So when selling that snake oil failed, you got into security?
Yeah.
And honestly, this snake oil insecurity is far superior to any other snake oil in the world.
Trust me.
There's more gullible customers, right?
More gullible clients.
Oh, dear.
Andy, move on before we destroy this plan any further.
So the second story, which I found, this is one I had to search for myself, uh, looking around, and
this is from the 1st of December 2012, so a mere eight years ago, and this one actually surprised
me, uh, when I found it, because to me eight years ago isn't that long, um, you know, in InfoSec terms.
So this is Pepsi Cola's official website in the Philippines
was hacked by the Malaysian hacker group CyberSec. And the hackers didn't get access to any sensitive
information. But they did change the appearance of the website. And what I loved about this was
that it's a throwback to the sort of late 90s, early noughties of how hacking used to be done.
You know, these groups didn't go in and sort of steal, you know, data and then, you know, ransom it.
And, you know, they didn't monetize at the time. It was all for fun.
You know, the good old days when you just went out, did a little bit of defacement.
Yeah, they went out and drew glasses and a Hitler mustache on posters, right?
Yeah, it's an equivalent of that. Yeah. And there's, you know, it took me back to looking, um, through
Attrition's, um, old mirrors that they used to have. But, um, they used to run a mailing list as well
which announced defacements. So if you think, it just wasn't, you know, hacks weren't as frequent as they
are now. Now it's just BAU, but back then it was like, oh, big deal. Like, you know, um, you know, that some of these defacements were really creative as well.
You know, some were like declarations of love. There was, like, you know, one hacker sort of saying, hey,
you know, Moxie, this is for you. Um, but they used to include a link back to the original file,
um, like, you know, the original, uh, file. So they didn't destroy anything. They'd sort of say, hey,
um, sysadmin, if you're looking for your backup, it's here.
You know, they have a link on the site.
But, yeah, it's surprising.
I mean, CyberSec were very much active, you know, at least until last year.
They've got mirrors up until, you know, 2019, you know, in their sort of hall.
But it also reminds me, like, taking the nostalgic route,
there was a hacker called
Evil Angelica, um, and she was a really creative hacker. I don't know if you remember, um, you know,
some of the stuff she used to do back in the day, but, uh, she would parody other hackers' defacements,
um, you know, just very meta, very meta, but also very creative. And there's one,
remember the, um, uh, the Miss Jackson, who sang, uh, Sorry Miss Jackson? Yeah, that one, who sang,
Outkast. Yeah. And she did one where it was like, um, you know, she put the lyrics on the side saying,
like, you know, I'm sorry, sysadmin. You know, I'm for real.
Never meant to make your server cry.
I apologize a thousand times.
She probably won a pony for that.
Well, yeah, if only the ponies recognized talent.
Well, yes.
But, yeah, so this second one, there's links in there.
It's sad. I noticed that Attrition took down their mirrors of defacements.
I hadn't been there for a while, but it was always a good trip down there.
Well, they've got to be maintained at the end of the day, haven't they?
Well, I mean, I thought even they'll just keep the archive up until 2010 or whenever,
but they didn't.
They've actually taken down all those archives.
But zone-h.org still has their
mirrors up, and there's some links in the show notes to, um, go and see what it used to be like.
The thing about these defacements is, you know, I get it, it still takes a bit of skill to
deface them. But knowing what I know, most large companies totally subcontract out the building of their websites,
et cetera, to people who are extremely creative
but not necessarily security-minded.
Yeah.
And so it can't –
A lot of marketing firms and things like that.
Yeah, exactly.
And there's nothing wrong with that, you know, as such.
But they can't have been that difficult to break into.
No.
If you're sure to me.
Yeah.
I mean, some of these are really, I mean, it's literally as much as,
you know, logging directly into the Apache server.
Yeah.
With admin, admin or whatever.
Yeah, that's right.
Going to the index file and changing that.
Yeah.
Yeah, precisely.
But yeah, it's nonetheless a lovely old trip down memory lane.
Thank you, Andy.
This Week in InfoSec.
So what have we got next for you?
Oh, Tweet of the Week.
Tweet of the Week.
And actually, this week, it's me.
So, uh, this Tweet of the Week is from somebody called Brianna Wu, that's @BriannaWu, that's
with a W and a U at the end. Uh, and the tweet says, data analyst, in inverted commas, working with Trump and Sidney Powell,
trying to trick Trump supporters into getting her 51,000 pound Mac Pro, which is roughly $68,000.
There is no conceivable reason she'd need this.
I especially like her also asking for the $8,000 monitor only professional colorists need.
So looking at that tweet, this is from somebody called Sarah Eaglesfield.
She has the blue tick.
Verified.
Verified, absolutely.
So the tweet says, seeking a benefactor to get me a Mac Pro. So I'm actually able to audit the voter data I have now over 100 gig. Costs a ridiculous amount at a go slow till I upgrade. Maybe a business who no longer
use or needs to update their machine. Big ask. And then there's the Apple shopping basket with the desktop Mac Pro,
a maxed out desktop Mac Pro, I have to say, and the monitor. Brianna Wu then goes on to say,
3D professionals rendering 4K movies all day might need the $67,000 Mac Pro. A studio of several hundred devs recompiling a team version
of something like Forza constantly might need a $67,000 Mac Pro.
A data analyst studying spreadsheets does not.
It's absurd.
Now, I don't know about you.
I think Brianna Wu here is Apple gatekeeping myself.
So, Tom, just before, you know, you sound so offended as if that resembled you.
Did you take that screenshot and send it to Sentinel One and say,
this is what I need to do my job as a security advocate?
Well, I did say that the MacBook turned up and it was silver.
I mean, look at, you know, so although actually, and aside,
the silver aesthetic now fits better into my work desk.
I've completely shifted it around.
So I quite literally have a desk full of white stuff,
and this desk I'm working at now is all black
and space gray stuff. Awesome. Do you know what, when I have a desk full of white stuff, it's a
completely different... it means I'm about to pull an all-nighter.
I'm joking. Well, you need milk to keep your bones strong, let's face it.
Um, so yeah, what's the problem here? So, okay, so
it's an expensive Mac, but it should last a while. And this is a fifty thousand dollar Mac. No, it's a
sixty seven thousand dollar Mac. Get it right. So a fifty thousand pound Mac is, uh, I mean, that is just ridiculous. And have you seen that subreddit, Choosing Beggars?
Oh, yeah.
This is what this strikes me as.
But the sad thing is that because she's talking about what?
Is this going to help Trump or buy into that narrative?
This will help Trump.
She's a, she's a, she's a Trumpist.
Yeah.
Uh, not, doesn't mean she plays the trombone or the trumpet, but she's a Trumpist.
It did.
And basically she's jumping on the bandwagon of Trump asking for money for Pete from people to pay, pay his debts, even though they think they're contributing to a campaign fund of some description.
And I think this, this is riding that.
And I would put money on the fact that she's probably had it bought for her.
Yeah, I wouldn't be surprised.
Wouldn't be surprised at all.
So keep an eye out on my Twitter later on, folks,
because I tell you what, the audio files I have to deal with to edit this podcast,
especially when these two clowns send me MP4s for audio files.
Do you know what, Tom?
You're going the wrong direction.
No one really cares about that.
But if you target, say something like you've got some Brexit processing to do,
there's going to be some people who jump on to that.
Oh, man, Yeah, of course.
And like Brexit,
I don't have to deliver anything.
It'd be brilliant.
So, yes, Sarah Eaglesfield,
if you are listening,
we know you are,
let us know if you got it
and also if you got the right colour as well.
Because we'd be fascinated
and if you got any extra money sloshing around
you too could be a sponsor of the Host Unknown
podcast. So
that, folks, was
this week's
Tweet of the Week.
Very good.
Always
good when I get an Apple story.
You're listening to the Host Unknown Podcast.
More fun than a security vendor's briefing.
Let's move on, shall we?
Jav, I think you're up next for this week's...
Billy Big Balls of the Week.
I'll just crash the jingle.
Oh, my God.
That is a long one.
I will just crash that jingle.
You know, like when we said,
let's quickly check the levels before we hit the record button?
I think we're slightly off.
Those jingles are coming in a little bit loud, you know?
Okay.
I'll drop it down one, and it should normalize it in the post anyway.
Fix it in post.
Fix it in post.
That's right.
Should I go again?
No, it's all good.
Okay.
It's all good.
So from one Apple story to another,
that's what brings us to this week's Billy Big Balls.
And there is a story of a Google researcher. Um, what that Google researcher
is doing poking around at iPhones, I'll leave that to your own imagination. I bet he's got the full
support of the whole team when it comes to, um, you know, stuff. I bet they've got a whole team
dedicated to it. Uh, that's right.
Or he's certainly got enough expenses to pay for all the kit he needed to do this.
Yeah.
Apparently, according to the headline,
he only needed $100 in Wi-Fi gear and a Raspberry Pi.
So not that much at all.
No, no, no, no. You're looking at the wrong side of
the equation here. Oh, but, oh, the 26 phones that he had. Yeah, the 26 iPhones, proof of concepts.
Yeah, anyway, um, this is like when you're dealing with the accountant and it's like CapEx or OpEx,
below the line or above the line. We can hide this one.
If I buy these for testing and then give them to my family,
does that make it Opex?
R&D.
Yes.
Anyway, Ian Beer is the name of the researcher.
Ian Beale?
Beer.
Oh, right.
I thought he was moonlighting then
Okay, so, for six months of 2020, while locked down in the corner of my bedroom, surrounded by my
lovely screaming children, I've been working on a magic spell of my own. It's a wormable radio
proximity exploit which allows me to gain complete control over any iPhone in my vicinity.
So let's read that again. It's a wormable radio proximity exploit, which allows me to gain
complete control over any iPhone in my vicinity. View all the photos, read all the emails,
copy all the private messages and monitor everything
happens on there in real time. Now, if that is not a Billy Big Balls move, uh, from a hacking
perspective, I do not know what is. Uh, part of me is feeling like he was probably saving it up for
Black Hat Europe or something.
With the pandemic, he just had to settle with just selling the story to Vice.
But do you know what?
This is huge, because he really could have sold this to nefarious underground people, who I'm sure he would have contacts with, or, you know, would be able to seek out.
He already has. He works for Google. Oh, well, yeah, okay, fair enough. Yeah. So, and that always
makes you wonder, doesn't it, how long they've been using this before, yeah, before it comes. But I mean,
you're great, this is a great, you know, Billy Big Balls story, and there's a really good video, um,
attached to the article as well, where he's got, is that 26 phones, just in front, you know, on the screen?
And he just shows them, like he just kills them all, you know, with one button.
It's just amazing, you know, fantastic visual to go with this story.
So the other thing that this occurred to me, that occurred to me on this story,
is that he's been working on it for the last six months.
Great.
The vulnerability that it exploits was actually patched back in July, I think it was.
Yes.
So this is a story about patch management.
Well, it is, but it's a bit more than that. And let me just talk to you about this,
because I was thinking about this very thing when I read the story a couple of days ago.
And I thought, well, yeah, it is just about patch management.
And how long do people wait with that annoying red dot on their phone to upgrade?
But then there's a few things about it.
Obviously, some people are just lazy, or they don't want to be the first in case, like, you know, their phone or something. Tom, but there are a lot... Never had a brick phone. There are a lot of people out there
in the world who have got older phones that just either are incapable of upgrading,
or, um, people are worried that if they upgrade, it's going to slow it down
severely. Yeah, yeah. These are phones, if our iPhones are two years plus old, and there still is a very large,
um, number of those out there. A vast majority of the world, they're not privileged like us, uh, like
we are, uh, in that we can buy a new phone whenever, you know, once a year even, if we wanted to. There
are a lot of people that can't do that.
So it actually got me thinking that, you know, this is becoming one of those things
where security is becoming one of those privileged areas where if you can afford it,
you can do it.
Yes and no.
Well, if you can't afford a new phone, you can't get – and this isn't just an iPhone issue.
This happens on Android as well. You buy cheap Androids, and some of them, you just can't upgrade them at
all. They're just filled with bloatware from the... It's absolutely exacerbated on a platform
like Android, definitely. Yeah, because their support time frame is something like 18 months or
something ridiculous. I think it's four years or six years, something like that, or so many
generations, because I think the original iPhone SE can still run on, uh, 14. Um, probably not the
best experience, I totally get that, but that is really an old phone. That is, uh, yeah, like I said,
about five years old, something like that, and there are still so many people that use that,
and they can't afford to upgrade from that.
And just when you look at the entire security experience,
someone buys an iPhone or they get handed down an iPhone,
and in this case, it's probably a handed down iPhone.
They're going to spend like money on getting a screen protector
on a case because they don't want to drop and break it.
And then we say to them, don't reuse passwords. So then they might take out a subscription with a password manager for, you know, X amount per year to help manage all their passwords. We want
them to have MFA. Uh, we don't, you know... So it just, I think when you think about everything
as an industry we advise the consumer to do, and this goes beyond just phones,
but I think just in general.
I don't think we really are conscious in design or in decisions
as to how this impacts people that either don't have the resources
financially or time-wise or knowledge-wise in how to adapt to that.
Yeah, I agree with that, but I also would say that like any sort of cultural change,
like we're going through with smartphones, et cetera, there is a transition period.
It's a bit like the argument that said that broadband could not be considered a utility.
Well, until this year, actually. You know, this year broadband is an
absolute essential and should be covered by the same protections as, you know, your gas and your
electricity are. And I'm not disagreeing with that. I'm saying exactly that. It's, yeah, yeah,
it's a cultural change, and that's why these conversations are important, and they're important
to bring out and important to have and they're important to influence the people that are helping design and shape the future.
And that, folks, is why the Host Unknown podcast is here to bring you the very latest in consumer
protection news on the information security front. Uh, so yes, I think we're violently
agreeing over this, uh, completely. But, um, yeah, I found it absolutely fascinating, I have to say.
That's a hell of a hack, actually.
It's one of the more impressive, certainly more impressive
than just defacing the Pepsi-Cola website.
In the Philippines, not globally, just the Philippines.
This is one of those vintage kind of DEF CON hacks
that you just don't see many of them.
No, this would have been Pwn2Own sort of front page for...
In 10 years' time, the Host Unknown podcast is going to look back
and say, this week in InfoSec, back in 2020, remember that year?
So-and-so.
So, yeah, this is an absolute classic, I have to say.
Wow.
You have high expectations of how long we're all going to live.
Good on you, Tom.
Good on you.
Live?
I don't think we're even going to recover after Christmas
and get back onto the first episode on, what is it, January 8th or whatever.
I think you two, like last night, are just going to come up with excuses for why, you know, not to do it.
But, oh, I've got a meeting. Oh, no, I can't do it.
9.30 tonight? No, not a chance. I can't do that.
No, come on.
I don't know, some of us have got brand new jobs, and we're risking them by doing the podcast, you know.
Anyway, that was this week's Rant of the Week.
Jav, thank you very much for this week's... Billy Big Balls of the Week.
Andy, what time is it?
Oh, it's that time of the week where we go over to our reliable sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. It's this week's Industry News.
Experts call for online fake news to be addressed as hashtag COVID-19 vaccine emerges.
Industry News.
How to reduce fake news in online advertising.
Industry news.
Remote workers admit lack of security training.
Industry news.
Hashtag think cybersec.
Reconsider hiring strategies to meet 2021's digital challenges.
Industry news.
Hashtag think cybersec.
Don't presume legacy tech is a negative thing.
Industry news.
Salesforce set to acquire Slack for $27 billion.
Industry news.
Native cloud security controls still not good enough.
Industry news.
Hashtag Web Summit. Companies of the future should focus on data privacy rather than data collection.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Blimey, Salesforce acquiring $27 billion
for a thing that sits on your desktop
and annoys the crap out of you.
Fantastic.
Bridging that gap between the sales org and the development community
and the tech stream.
I always thought the sales community could use Slack.
I think they tend to use Chatter more, in my experience anyway,
the users of Salesforce.
They don't like to talk to techies.
And then yours, Andy, about remote workers admitting lack of security training.
Interestingly enough, I did a presentation yesterday
for a conference in Greece about just that,
awareness training during times of crisis.
It was fascinating.
Would have helped if I hadn't finished the presentation
at 1am the previous morning, or that morning.
But, yeah, it went very well.
Do you know what?
The irritating thing about this story is that as you read it,
you'll see that Jav's actually quoted in it.
What?
And I picked it out.
Quoted not in just that, but in many other stories this week.
What do you mean, many other stories?
What do you mean, in many other stories?
Hold on, I'm trying to run the jingle.
Hold on.
Not that one, Tom.
Javid's Weekly Stories.
That's the one.
What do you mean, not that one?
That was the one.
I know.
I don't know why I thought it was the wrong one.
Oh, my God.
Do you want to run it again?
No.
I want everybody to know you're incompetent.
Microsoft's new productivity score and workplace tracking is the problem.
Industry news.
There's no vaccine for ransomware.
Industry news.
Remote workers admit lack of security training.
Industry news.
Microsoft 365 corporate privacy invader masked as a collaboration tool?
Industry news.
NHS error exposes data on hundreds of patients and staff.
Industry news.
Sales of CEO email accounts may give cyber criminals access
to the crown jewels of a company.
And that was this week's Jav's Industry News.
Javid's Weekly Stories.
Smooth, smooth if true.
So I did see a troubling story, uh, because I did not realise that we had accepted, uh, this, uh, resignation. So it looks like, uh, the InfoSec Stig is moving roles as of 17th of December.
Uh-oh.
Could that have something to do with why we're stopping the podcast?
Well, I mean, we're stopping next week, and then a week after,
he's chucking it in.
I mean, he obviously doesn't feel like he's got anything to live for,
which is a bit sad.
It's cause and effect, right?
Yeah, exactly.
Cause and effect.
But he or she, that is.
He or she, yeah, yeah.
Mind you, this could be like the grand unveiling of the InfoSec Stig
because you click on that and you'll work out who it is.
No, no, I think we've covered our opsec is.
You'll never figure out who the Infosec Stig is.
You'll never figure it out.
Even the Infosec Stig doesn't know who the Infosec Stig is.
Exactly.
But, yeah, we will be very sad to see the InfoSec Stig move on. We do absolutely, the absolute best in whichever role they find themselves in in the future. Uh, if they know where they're moving, they haven't divulged to us where they're moving, uh, so we don't know whether they can consider continuing to provide us with this. But thank you so much for the stories. Um, we are looking for applications for someone to take over the role of the InfoSec Stig.
Otherwise, we'll be stuck with Jav's industry news every week,
which I am perfectly happy with.
Although, in fairness, in my new role,
we could also add Tom's industry news.
Rookie.
I can hear Andy's eyeballs
rolling in his head. Did you actually hear that?
I thought I'd muted myself
because I knew they were going to hit
the top of my skull
so hard you would hear it.
Oh God, I got sleepy
around here all of a sudden.
So the way to fix it is maybe we replace Andy with someone who is an advocate in the industry.
Then we can have the three advocates podcast.
Actually, it would be a lot easier, wouldn't it?
Yeah, then you're going to have no one doing any work.
You know, that's the problem.
We're now down to 33% capacity and you guys want to chuck in the guy that's actually doing all the work.
You know, if you carry on like that, Andy, I'm just going to mute you, you know.
Then we'll see how successful we are.
Oh, dear. Right. Let's, let's move on to, I guess, you know, Andy's little contribution to the week.
For this week's... Rant of the Week.
So this is the story which got a few people up in arms a while back.
So this story starts off with Microsoft apologising for enabling a feature
called Productivity Score, which critics said was tantamount to workplace surveillance.
Now, this workplace surveillance tool that the critics refer to it as
is one of Microsoft's productivity tools as they release.
And it's actually first released last year.
So I don't know why everyone suddenly got up in arms about it, but it sort of shows a lot of data about, you know, how you're spending your day, uh, like number of emails, times that you've got meetings, like the amount of times you interact with someone. Um, and people looked at this as a way of giving the, uh, I guess IT admins or managers the ability to drill into people's day-to-day working and sort of, you know, look at that data and sort of really determine whether or not they're working hard enough. So Microsoft has since backtracked, you know, they've even apologised. They said they're going to make changes to the service. You know, they still want to help people, help administrators and managers, you know, get the most from the products, but they're no longer going to make it so you can drill down to the individual employee level.
And whilst you might be thinking that a lot of people, obviously, because, you know, the rant's coming from everyone, thinks this is an abuse of privacy or, you know, it's just micromanaging people, my rant is actually the other way. I'm a big fan of this productivity tool. I do not use it on, you know, my team, but I actually use it to help me organise my day. You know, so this tool would actually tell me, hey, you regularly have interactions with this person.
Do you want to set up a regular meeting?
You know, do you want to schedule a 30 minute meeting like once a week?
Or, you know, you said that you would respond.
It looks like you committed to respond to something.
You haven't done it.
You know, all this.
I find this really useful.
And I think there are far too many snowflakes that think that everything is an abuse on their liberties.
When, you know, all Microsoft's doing is providing the data.
And, you know, the abuse comes from how you use that data.
You know, and it's, you know, the old old data can be used for good.
It can be used for evil.
Just like Facebook and Cambridge Analytica.
Oh, my God.
You sound like an American.
Like, the guns don't kill people.
Like, this is my right.
I can, you know, Smith & Wesson.
They just provide the guns and the bullets.
Like, you know, it's up to people how they use it.
There is a degree of responsibility that organisations need to make.
And the thing is that, you know, these tools are as much about enabling abuse as they are of, like, you know, any other form of thing, and that's acknowledged. It needs to be acknowledged that, you know, if you think that there's some managers out there that won't use this data to abuse it, then you need to get your heads out of the cloud, sunshine.
I don't believe that. Believe me, I know that data is misused, but why are you targeting the tool that provides that data for, you know, the vast majority of people that have got good intentions with it, um, rather than actually targeting the bad managers that are using it to... you know, it's like firewall logs. Firewall logs, and, um...
Your proxy logs, like the URL filtering, like what websites people are going to.
Right, exactly. It's one of those things where you've got the data. You will look at it if there are concerns, you know, or if, if you believe somebody's slacking off or doing something illegal or, you know, or against company policy or whatever. You've got the data. It doesn't mean you have to use it.
And I think on the whole I generally agree with you, Andy, but I think that the problem is that Microsoft is setting it up in such a way that it's completely open for abuse, rather than actually you have to work quite hard to abuse it, if you see what I mean. Um, you know, the, where they've probably settled now is where it needs to be, which is you look at your entire team or the data is anonymised or whatever. Because it would be useful to know what's productivity like on a Friday afternoon. Do I lose 10% of my working week because people are just, you know, surfing the web?
What can I do to help people do that?
Or is that acceptable?
Do I then make sure that they're fully productive the other 90% of the week and let them chill out on the Friday afternoon or whatever?
But looking at those sort of trends will actually help you help make a team more, more effective. Um, because I like it.
1973 called, it wants its management practice back, Tom.
What happened to... what happened to... do you mean 19...
Do you mean... oh, well, 1983. Yeah, no, 1984, maybe. 1984, sorry. 11 years out.
I forget these advocates see things in the future, right?
There's certain tasks, certain roles where you need excessive monitoring and like say in a call centre, how long you're on a call for and everything.
So excessive monitoring is okay?
Yeah.
So why is that so subjective?
Why call center?
It's not subjective.
Look, there's certain job functions where you need a certain SLA,
and a lot of them are when it's like customer facing
and it's to protect the customer and to ensure certain targets are met
and what have you.
What I'm talking about here is the general role within organizations.
A lot of them, you don't need this.
What you do is you say, here are some tasks, get them done. And as a manager, you shouldn't really care whether it takes them an hour to do it or 10 hours to do it, if they deliver the job on time and to the quality that's specified.
But what if they're taking 60 or 80 hours to do it in a week, and they're obviously struggling, but don't want to let you know, and so therefore are going to burn out, and you're going to lose a valued member of staff when actually you could have intervened and helped out sooner?
Yeah, especially with remote workforces.
Exactly, exactly. It goes both ways. Um, it's fine if you're, you know, the manager that props himself up on the, you know, on the side of the cubicle and says, I'm going to have to get you to work this Sunday, you know, holding your coffee mug.
But, you know, and that's fine.
You can see how people are working.
You can see if somebody's in the office at six in the morning and,
you know, leaves at 10 at night.
You can't do that with remote workforce.
I'm not saying that this is a surveillance activity.
This is a productivity and wellness activity.
If it's used correctly, that's the big caveat.
It is. It is a big if.
I really don't believe that it will go in the favour of most people.
Yeah, so ruin it for everyone because a couple of people can't control themselves.
It's not a couple of people. It's not, it's not at all. Why are we not addressing that problem? This is like, to me, this is like saying, um, we're treating the symptom, not the disease.
Yeah, like when, uh, you know, girls are told they've got to cover up at school because boys get excited when they show their shoulders.
It's nothing... you know, the, the, the productivity tool is literally treating the symptom and not the root cause.
The root cause is you need better management managers.
You need better management.
You need data to make decisions.
That's what we're saying.
You need to treat the root cause.
You need to treat better management.
That's exactly what we're saying.
You know, if I had the mute button, I would mute you both right now.
You know what, Andy?
There we go.
That's a bit better, isn't it?
Andy?
That is a bit better, isn't it?
I'm still here.
Yeah, exactly.
Exactly.
I thought we were...
See, he's still trying to talk.
He's not realised
he's still trying to talk.
You bastard.
I thought you...
Oh dear.
You actually agreed with us, Jav.
You said,
you actually agreed with us.
Oh my God.
History will prove that you were on the wrong side of this.
That was this week's Rant of the Week.
Jav, you can make it up to us all by telling us about your Little People.
Little People. Um, so I had to look, look far and wide for this person.
Very good friend of the show.
He's worked in security for a long time, a Chinese man,
and a very talented photographer.
Is it Leslie Chow?
It is not Leslie Chow.
It's William Lau, which rhymes with Leslie Chow, so I suppose in Cockney, you could say it is.
And I wanted to know what challenges he had to overcome
being a Chinese person who might be suspected of working for the government
and, you know, working in industry here in the UK.
So I put that to Mr. Lau.
The little people.
That's a very good question. As a Chinese man in InfoSec and a talented photographer,
I have indeed had a lot of challenges to overcome. First of all, I have had to soften or sometimes lose my English accent completely because many people would be disappointed when they see me.
When the voice just didn't match the look, no one took me seriously.
So then I talk like this and then people feel like they got what they pay for.
But then when I talk like this, people then ask me if I work for the China government.
They ask me many dumb questions like,
do I know how to use chopsticks or what is my TikTok name? So I had to then change to talking back like this, right?
And speaking about photography, I don't know how, but people just know I'm a photographer. They just do. I mean, whenever I've had team meals or other work events, people always come up to me and ask me if I could take a photo of them.
But they can already see I'm busy, very busy taking photos of my own food so I can put it up on Insta.
I mean, their timing is just so bad.
Very bad time management.
In fact, talking about management, I know somebody who was a very bad manager who went to TL2.
Hold on, hold on.
He asked me, so I didn't say on, hold on. Are you recording this?
The little people. You didn't tell me we had Uncle Roger.
Well, you know, I just asked him. He answered it all truthfully. There was no coercion on my part, no guiding him or anything.
But there seems to be a trend developing with little people
who used to work for you, Tom.
I was just thinking that.
Every single little person that you find that's worked for me
seems to be the only one that's had a problem with me.
Well, you know, if 100 people say you're dead, you better lie down.
What?
I've never heard that one before.
You've not heard that one before?
No.
We've been around since the 50s, honestly.
Seriously?
Yeah, yeah.
You can Google it.
I'm sure it's there.
That's hilarious. I like that one a lot. I like that one a lot.
Anyway, yeah, I like... that was good. I thought his third point was excellent.
I'm going to have to work out what he said as an aside towards the end, though. That was, that was quite fascinating.
I, you know, I didn't know he could speak Chinese.
You didn't know?
Oh dear. Good. Excellent. So, uh, that's it, I think, for this week. Um, Javvad, thank you very much, sir.
You're welcome, you're welcome.
And Andy, thank you.
You know what, I think you accidentally muted him instead of me.
Still.
Oh, well, whatever.
And stay secure.
Stay secure, my friend.
Host Unknown, the podcast,
was written, performed, and produced
by Andrew Agnes, Javvad Malik and Tom Langford.
Copyright 2015 or something like that.
Insert legal agreement here as applicable and binding in your country of residence.
We thank you.
I think if you keep Andy muted for the entire podcast next week, it would be really, really good.
Yeah.
Yeah, I don't think we'd miss much content.
I mean, he already sends out the show notes.
We could just read them out.
Exactly.
Once he's done the show notes, then you just...
Yeah, then we'll just mute him.
Yeah, exactly.
And then we'll promise him that we won't mute him the next time.
And, you know, he's like a, you know, he's like a goldfish.
He'll go once around the bowl and then he'll go, yeah, okay.
Yeah, okay.
Not a problem at all.
Dory.